Gentoo: GLSA-201412-09: Multiple packages, Multiple vulnerabilities fixed in 2011

    Date11 Dec 2014
    CategoryGentoo
    49
    Posted ByLinuxSecurity Advisories
    This GLSA contains notification of vulnerabilities found in several Gentoo packages which have been fixed prior to January 1, 2012. The worst of these vulnerabilities could lead to local privilege escalation and remote code execution. Please see the package list and CVE [More...]
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Gentoo Linux Security Advisory                           GLSA 201412-09
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                                http://security.gentoo.org/
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    
     Severity: High
        Title: Multiple packages, Multiple vulnerabilities fixed in 2011
         Date: December 11, 2014
         Bugs: #194151, #294253, #294256, #334087, #344059, #346897,
               #350598, #352608, #354209, #355207, #356893, #358611,
               #358785, #358789, #360891, #361397, #362185, #366697,
               #366699, #369069, #370839, #372971, #376793, #381169,
               #386321, #386361
           ID: 201412-09
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    
    Synopsis
    ========
    
    This GLSA contains notification of vulnerabilities found in several
    Gentoo packages which have been fixed prior to January 1, 2012. The
    worst of these vulnerabilities could lead to local privilege escalation
    and remote code execution. Please see the package list and CVE
    identifiers below for more information.
    
    Background
    ==========
    
    For more information on the packages listed in this GLSA, please see
    their homepage referenced in the ebuild.
    
    Affected packages
    =================
    
        -------------------------------------------------------------------
         Package              /     Vulnerable     /            Unaffected
        -------------------------------------------------------------------
      1  games-sports/racer-bin     >= 0.5.0-r1                Vulnerable!
      2  media-libs/fmod             < 4.38.00                 >= 4.38.00
      3  dev-php/PEAR-Mail            < 1.2.0                    >= 1.2.0
      4  sys-fs/lvm2                 < 2.02.72                 >= 2.02.72
      5  app-office/gnucash           < 2.4.4                    >= 2.4.4
      6  media-libs/xine-lib          < 1.1.19                  >= 1.1.19
      7  media-sound/lastfmplayer
                                  < 1.5.4.26862-r3      >= 1.5.4.26862-r3
      8  net-libs/webkit-gtk          < 1.2.7                    >= 1.2.7
      9  sys-apps/shadow             < 4.1.4.3                 >= 4.1.4.3
     10  dev-php/PEAR-PEAR           < 1.9.2-r1               >= 1.9.2-r1
     11  dev-db/unixODBC             < 2.3.0-r1               >= 2.3.0-r1
     12  sys-cluster/resource-agents
                                     < 1.0.4-r1               >= 1.0.4-r1
     13  net-misc/mrouted             < 3.9.5                    >= 3.9.5
     14  net-misc/rsync               < 3.0.8                    >= 3.0.8
     15  dev-libs/xmlsec              < 1.2.17                  >= 1.2.17
     16  x11-apps/xrdb                < 1.0.9                    >= 1.0.9
     17  net-misc/vino                < 2.32.2                  >= 2.32.2
     18  dev-util/oprofile           < 0.9.6-r1               >= 0.9.6-r1
     19  app-admin/syslog-ng          < 3.2.4                    >= 3.2.4
     20  net-analyzer/sflowtool        < 3.20                     >= 3.20
     21  gnome-base/gdm              < 3.8.4-r3               >= 3.8.4-r3
     22  net-libs/libsoup             < 2.34.3                  >= 2.34.3
     23  app-misc/ca-certificates
                                   < 20110502-r1           >= 20110502-r1
     24  dev-vcs/gitolite            < 1.5.9.1                 >= 1.5.9.1
     25  dev-util/qt-creator          < 2.1.0                    >= 2.1.0
        -------------------------------------------------------------------
         NOTE: Certain packages are still vulnerable. Users should migrate
               to another package if one is available or wait for the
               existing packages to be marked stable by their
               architecture maintainers.
        -------------------------------------------------------------------
         25 affected packages
    
    Description
    ===========
    
    Vulnerabilities have been discovered in the packages listed below.
    Please review the CVE identifiers in the Reference section for details.
    
    * FMOD Studio
    * PEAR Mail
    * LVM2
    * GnuCash
    * xine-lib
    * Last.fm Scrobbler
    * WebKitGTK+
    * shadow tool suite
    * PEAR
    * unixODBC
    * Resource Agents
    * mrouted
    * rsync
    * XML Security Library
    * xrdb
    * Vino
    * OProfile
    * syslog-ng
    * sFlow Toolkit
    * GNOME Display Manager
    * libsoup
    * CA Certificates
    * Gitolite
    * QtCreator
    * Racer
    
    Impact
    ======
    
    A context-dependent attacker may be able to gain escalated privileges,
    execute arbitrary code, cause Denial of Service, obtain sensitive
    information, or otherwise bypass security restrictions.
    
    Workaround
    ==========
    
    There are no known workarounds at this time.
    
    Resolution
    ==========
    
    All FMOD Studio users should upgrade to the latest version:
    
      # emerge --sync
      # emerge --ask --oneshot --verbose ">=media-libs/fmod-4.38.00"
    
    All PEAR Mail users should upgrade to the latest version:
    
      # emerge --sync
      # emerge --ask --oneshot --verbose ">=dev-php/PEAR-Mail-1.2.0"
    
    All LVM2 users should upgrade to the latest version:
    
      # emerge --sync
      # emerge --ask --oneshot --verbose ">=sys-fs/lvm2-2.02.72"
    
    All GnuCash users should upgrade to the latest version:
    
      # emerge --sync
      # emerge --ask --oneshot --verbose ">=app-office/gnucash-2.4.4"
    
    All xine-lib users should upgrade to the latest version:
    
      # emerge --sync
      # emerge --ask --oneshot --verbose ">=media-libs/xine-lib-1.1.19"
    
    All Last.fm Scrobbler users should upgrade to the latest version:
    
      # emerge --sync
      # emerge -a --oneshot -v ">=media-sound/lastfmplayer-1.5.4.26862-r3"
    
    All WebKitGTK+ users should upgrade to the latest version:
    
      # emerge --sync
      # emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-1.2.7"
    
    All shadow tool suite users should upgrade to the latest version:
    
      # emerge --sync
      # emerge --ask --oneshot --verbose ">=sys-apps/shadow-4.1.4.3"
    
    All PEAR users should upgrade to the latest version:
    
      # emerge --sync
      # emerge --ask --oneshot --verbose ">=dev-php/PEAR-PEAR-1.9.2-r1"
    
    All unixODBC users should upgrade to the latest version:
    
      # emerge --sync
      # emerge --ask --oneshot --verbose ">=dev-db/unixODBC-2.3.0-r1"
    
    All Resource Agents users should upgrade to the latest version:
    
      # emerge --sync
      # emerge --ask --oneshot -v ">=sys-cluster/resource-agents-1.0.4-r1"
    
    All mrouted users should upgrade to the latest version:
    
      # emerge --sync
      # emerge --ask --oneshot --verbose ">=net-misc/mrouted-3.9.5"
    
    All rsync users should upgrade to the latest version:
    
      # emerge --sync
      # emerge --ask --oneshot --verbose ">=net-misc/rsync-3.0.8"
    
    All XML Security Library users should upgrade to the latest version:
    
      # emerge --sync
      # emerge --ask --oneshot --verbose ">=dev-libs/xmlsec-1.2.17"
    
    All xrdb users should upgrade to the latest version:
    
      # emerge --sync
      # emerge --ask --oneshot --verbose ">=x11-apps/xrdb-1.0.9"
    
    All Vino users should upgrade to the latest version:
    
      # emerge --sync
      # emerge --ask --oneshot --verbose ">=net-misc/vino-2.32.2"
    
    All OProfile users should upgrade to the latest version:
    
      # emerge --sync
      # emerge --ask --oneshot --verbose ">=dev-util/oprofile-0.9.6-r1"
    
    All syslog-ng users should upgrade to the latest version:
    
      # emerge --sync
      # emerge --ask --oneshot --verbose ">=app-admin/syslog-ng-3.2.4"
    
    All sFlow Toolkit users should upgrade to the latest version:
    
      # emerge --sync
      # emerge --ask --oneshot --verbose ">=net-analyzer/sflowtool-3.20"
    
    All GNOME Display Manager users should upgrade to the latest version:
    
      # emerge --sync
      # emerge --ask --oneshot --verbose ">=gnome-base/gdm-3.8.4-r3"
    
    All libsoup users should upgrade to the latest version:
    
      # emerge --sync
      # emerge --ask --oneshot --verbose ">=net-libs/libsoup-2.34.3"
    
    All CA Certificates users should upgrade to the latest version:
    
      # emerge --sync
      # emerge --ask --oneshot -v ">=app-misc/ca-certificates-20110502-r1"
    
    All Gitolite users should upgrade to the latest version:
    
      # emerge --sync
      # emerge --ask --oneshot --verbose ">=dev-vcs/gitolite-1.5.9.1"
    
    All QtCreator users should upgrade to the latest version:
    
      # emerge --sync
      # emerge --ask --oneshot --verbose ">=dev-util/qt-creator-2.1.0"
    
    Gentoo has discontinued support for Racer. We recommend that users
    unmerge Racer:
    
      # emerge --unmerge "games-sports/racer-bin"
    
    NOTE: This is a legacy GLSA. Updates for all affected architectures
    have been available since 2012. It is likely that your system is
    already no longer affected by these issues.
    
    References
    ==========
    
    [  1 ] CVE-2007-4370
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4370
    [  2 ] CVE-2009-4023
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4023
    [  3 ] CVE-2009-4111
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4111
    [  4 ] CVE-2010-0778
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0778
    [  5 ] CVE-2010-1780
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1780
    [  6 ] CVE-2010-1782
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1782
    [  7 ] CVE-2010-1783
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1783
    [  8 ] CVE-2010-1784
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1784
    [  9 ] CVE-2010-1785
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1785
    [ 10 ] CVE-2010-1786
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1786
    [ 11 ] CVE-2010-1787
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1787
    [ 12 ] CVE-2010-1788
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1788
    [ 13 ] CVE-2010-1790
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1790
    [ 14 ] CVE-2010-1791
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1791
    [ 15 ] CVE-2010-1792
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1792
    [ 16 ] CVE-2010-1793
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1793
    [ 17 ] CVE-2010-1807
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1807
    [ 18 ] CVE-2010-1812
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1812
    [ 19 ] CVE-2010-1814
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1814
    [ 20 ] CVE-2010-1815
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1815
    [ 21 ] CVE-2010-2526
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2526
    [ 22 ] CVE-2010-2901
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2901
    [ 23 ] CVE-2010-3255
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3255
    [ 24 ] CVE-2010-3257
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3257
    [ 25 ] CVE-2010-3259
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3259
    [ 26 ] CVE-2010-3362
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3362
    [ 27 ] CVE-2010-3374
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3374
    [ 28 ] CVE-2010-3389
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3389
    [ 29 ] CVE-2010-3812
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3812
    [ 30 ] CVE-2010-3813
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3813
    [ 31 ] CVE-2010-3999
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3999
    [ 32 ] CVE-2010-4042
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4042
    [ 33 ] CVE-2010-4197
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4197
    [ 34 ] CVE-2010-4198
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4198
    [ 35 ] CVE-2010-4204
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4204
    [ 36 ] CVE-2010-4206
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4206
    [ 37 ] CVE-2010-4492
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4492
    [ 38 ] CVE-2010-4493
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4493
    [ 39 ] CVE-2010-4577
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4577
    [ 40 ] CVE-2010-4578
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4578
    [ 41 ] CVE-2011-0007
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0007
    [ 42 ] CVE-2011-0465
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0465
    [ 43 ] CVE-2011-0482
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0482
    [ 44 ] CVE-2011-0721
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0721
    [ 45 ] CVE-2011-0727
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0727
    [ 46 ] CVE-2011-0904
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0904
    [ 47 ] CVE-2011-0905
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0905
    [ 48 ] CVE-2011-1072
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1072
    [ 49 ] CVE-2011-1097
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1097
    [ 50 ] CVE-2011-1144
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1144
    [ 51 ] CVE-2011-1425
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1425
    [ 52 ] CVE-2011-1572
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1572
    [ 53 ] CVE-2011-1760
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1760
    [ 54 ] CVE-2011-1951
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1951
    [ 55 ] CVE-2011-2471
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2471
    [ 56 ] CVE-2011-2472
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2472
    [ 57 ] CVE-2011-2473
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2473
    [ 58 ] CVE-2011-2524
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2524
    [ 59 ] CVE-2011-3365
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3365
    [ 60 ] CVE-2011-3366
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3366
    [ 61 ] CVE-2011-3367
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3367
    
    Availability
    ============
    
    This GLSA and any updates to it are available for viewing at
    the Gentoo Security Website:
    
     http://security.gentoo.org/glsa/glsa-201412-09.xml
    
    Concerns?
    =========
    
    Security is a primary focus of Gentoo Linux and ensuring the
    confidentiality and security of our users' machines is of utmost
    importance to us. Any security concerns should be addressed to
    This email address is being protected from spambots. You need JavaScript enabled to view it. or alternatively, you may file a bug at
    https://bugs.gentoo.org.
    
    License
    =======
    
    Copyright 2014 Gentoo Foundation, Inc; referenced text
    belongs to its owner(s).
    
    The contents of this document are licensed under the
    Creative Commons - Attribution / Share Alike license.
    
    http://creativecommons.org/licenses/by-sa/2.5
    
    
    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"64","type":"x","order":"1","pct":57.14,"resources":[]},{"id":"88","title":"Should be more technical","votes":"15","type":"x","order":"2","pct":13.39,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"33","type":"x","order":"3","pct":29.46,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.