Explore top 10 tips to secure your open-source projects now. Read More
×
A vulnerability has been discovered in XZ Utils, which could lead to denial of service.. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202504-01 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: XZ Utils: Use after free Date: April 05, 2025 Bugs: #953086 ID: 202504-01 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== A vulnerability has been discovered in XZ Utils, which could lead to denial of service. Background ========== XZ Utils is free general-purpose data compression software with a high compression ratio. Affected packages ================= Package Vulnerable Unaffected ----------------- ------------ ------------ app-arch/xz-utils < 5.6.4-r1 > = 5.6.4-r1 Description =========== A use-after-free has been discovered in XZ utils. Please review the CVE identifier referenced below for details. Impact ====== The multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash. The effects include heap use after free and writing to an address based on the null pointer plus an offset. Applications and libraries that use the lzma_stream_decoder_mt function are affected. It's unlikely one can achieve more than a crash if xz is built with PIE on a 64-bit system especially, as is done in Gentoo by default. Workaround ========== There is no known workaround at this time. Resolution ========== All XZ utils users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose "> =app-arch/xz-utils-5.6.4-r1" References ========== [ 1 ] CVE-2025-31115 https://nvd.nist.gov/vuln/detail/CVE-2025-31115 Availability ============ This GLSA and any updates to it are available forviewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202504-01 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to
Multiple vulnerabilities have been found in OpenSSH, the worst of which could allow a remote attacker to gain unauthorized access.. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202502-01 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: OpenSSH: Multiple Vulnerabilities Date: February 18, 2025 Bugs: #949904 ID: 202502-01 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in OpenSSH, the worst of which could allow a remote attacker to gain unauthorized access. Background ========== OpenSSH is a free application suite consisting of server and clients that replace tools like telnet, rlogin, rcp and ftp with more secure versions offering additional functionality. Affected packages ================= Package Vulnerable Unaffected ---------------- ------------ ------------ net-misc/openssh < 9.9_p2 > = 9.9_p2 Description =========== Multiple vulnerabilities have been discovered in OpenSSH. Please review the CVE identifiers referenced below for details. Impact ====== Please review the referenced CVE identifiers for details. Workaround ========== There is no known workaround at this time. Resolution ========== All OpenSSH users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose "> =net-misc/openssh-9.9_p2" References ========== [ 1 ] CVE-2025-26465 https://nvd.nist.gov/vuln/detail/CVE-2025-26465 [ 2 ] CVE-2025-26466 https://nvd.nist.gov/vuln/detail/CVE-2025-26466 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202502-01 Concerns? ========= Securityis a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to
A vulnerability has been discovered in Qt, where a buffer overflow can lead to denial of service.. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202501-08 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Qt: Buffer Overflow Date: January 23, 2025 Bugs: #911790 ID: 202501-08 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== A vulnerability has been discovered in Qt, where a buffer overflow can lead to denial of service. Background ========== Qt is a cross-platform application development framework. Affected packages ================= Package Vulnerable Unaffected ------------- ------------ ------------- dev-qt/qtbase < 6.5.2 > = 6.5.2 dev-qt/qtcore < 5.15.10-r1 > = 5.15.10-r1 Description =========== When given specifically crafted data then QXmlStreamReader can end up causing a buffer overflow and subsequently a crash or freeze or get out of memory on recursive entity expansion, with DTD tokens in XML body. Impact ====== Please review the referenced CVE identifiers for details. Workaround ========== There is no known workaround at this time. Resolution ========== All Qt users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose "> =dev-qt/qtcore-5.15.10-r1" # emerge --ask --oneshot --verbose "> =dev-qt/qtbase-6.5.2" References ========== [ 1 ] CVE-2023-37369 https://nvd.nist.gov/vuln/detail/CVE-2023-37369 [ 2 ] CVE-2023-38197 https://nvd.nist.gov/vuln/detail/CVE-2023-38197 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202501-08 Concerns? ========= Security is a primary focus ofGentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to
A vulnerability has been discovered in libuv, where hostname truncation can lead to attacker-controlled lookups.. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202501-05 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: libuv: Hostname Truncation Date: January 23, 2025 Bugs: #924127 ID: 202501-05 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== A vulnerability has been discovered in libuv, where hostname truncation can lead to attacker-controlled lookups. Background ========== libuv is a multi-platform support library with a focus on asynchronous I/O. Affected packages ================= Package Vulnerable Unaffected -------------- ------------ ------------ dev-libs/libuv < 1.48.0 > = 1.48.0 Description =========== Multiple vulnerabilities have been discovered in libuv. Please review the CVE identifiers referenced below for details. Impact ====== The uv_getaddrinfo function in src/unix/getaddrinfo.c truncates hostnames to 256 characters before calling getaddrinfo. This behavior can be exploited to create addresses like 0x00007f000001, which are considered valid by getaddrinfo and could allow an attacker to craft payloads that resolve to unintended IP addresses, bypassing developer checks. Workaround ========== There is no known workaround at this time. Resolution ========== All libuv users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose "> =dev-libs/libuv-1.48.0" References ========== [ 1 ] CVE-2024-24806 https://nvd.nist.gov/vuln/detail/CVE-2024-24806 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202501-05 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to
A vulnerability has been discovered in EditorConfig Core C library, which may lead to arbitrary code execution.. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202411-04 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: EditorConfig core C library: arbitrary stack write Date: November 06, 2024 Bugs: #905308 ID: 202411-04 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== A vulnerability has been discovered in EditorConfig Core C library, which may lead to arbitrary code execution. Background ========== EditorConfig core library written in C (for use by plugins supporting EditorConfig parsing) Affected packages ================= Package Vulnerable Unaffected ---------------------------- ------------ ------------ app-text/editorconfig-core-c < 0.12.6 > = 0.12.6 Description =========== A vulnerability has been discovered in EditorConfig Core C library. Please review the CVE identifier referenced below for details. Impact ====== Please review the referenced CVE identifier for details. Workaround ========== There is no known workaround at this time. Resolution ========== All EditorConfig core C library users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose "> =app-text/editorconfig-core-c-0.12.6" References ========== [ 1 ] CVE-2023-0341 https://nvd.nist.gov/vuln/detail/CVE-2023-0341 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202411-04 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is ofutmost importance to us. Any security concerns should be addressed to
Multiple vulnerabilities have been found in yt-dlp, the worst of which could result in arbitrary code execution.. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202409-30 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: yt-dlp: Multiple Vulnerabilities Date: September 28, 2024 Bugs: #909780, #917355, #935316 ID: 202409-30 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in yt-dlp, the worst of which could result in arbitrary code execution. Background ========== yt-dlp is a youtube-dl fork with additional features and fixes. Affected packages ================= Package Vulnerable Unaffected --------------- ------------ ------------- net-misc/yt-dlp < 2024.07.01 > = 2024.07.01 Description =========== Multiple vulnerabilities have been found in yt-dlp. Please review the referenced CVE identifiers for details. Impact ====== Please review the referenced CVE identifiers for details. Workaround ========== There is no known workaround at this time. Resolution ========== All yt-dlp users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose "> =net-misc/yt-dlp-2024.07.01" References ========== [ 1 ] CVE-2023-35934 https://nvd.nist.gov/vuln/detail/CVE-2023-35934 [ 2 ] CVE-2023-46121 https://nvd.nist.gov/vuln/detail/CVE-2023-46121 [ 3 ] CVE-2024-38519 https://nvd.nist.gov/vuln/detail/CVE-2024-38519 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202409-30 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentialityand security of our users' machines is of utmost importance to us. Any security concerns should be addressed to
Multiple vulnerabilities have been found in Xpdf, the worst of which could result in denial of service.. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202409-25 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Xpdf: Multiple Vulnerabilities Date: September 25, 2024 Bugs: #845027, #908037, #936407 ID: 202409-25 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in Xpdf, the worst of which could result in denial of service. Background ========== Xpdf is an X viewer for PDF files. Affected packages ================= Package Vulnerable Unaffected ------------- ------------ ------------ app-text/xpdf < 4.05 > = 4.05 Description =========== Multiple vulnerabilities have been discovered in Xpdf. Please review the CVE identifiers referenced below for details. Impact ====== Please review the referenced CVE identifiers for details. Workaround ========== There is no known workaround at this time. Resolution ========== All Xpdf users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose "> =app-text/xpdf-4.05" References ========== [ 1 ] CVE-2018-7453 https://nvd.nist.gov/vuln/detail/CVE-2018-7453 [ 2 ] CVE-2018-16369 https://nvd.nist.gov/vuln/detail/CVE-2018-16369 [ 3 ] CVE-2022-30524 https://nvd.nist.gov/vuln/detail/CVE-2022-30524 [ 4 ] CVE-2022-30775 https://nvd.nist.gov/vuln/detail/CVE-2022-30775 [ 5 ] CVE-2022-33108 https://nvd.nist.gov/vuln/detail/CVE-2022-33108 [ 6 ] CVE-2022-36561 https://nvd.nist.gov/vuln/detail/CVE-2022-36561 [ 7 ] CVE-2022-38222 https://nvd.nist.gov/vuln/detail/CVE-2022-38222 [ 8 ] CVE-2022-38334 https://nvd.nist.gov/vuln/detail/CVE-2022-38334 [ 9 ] CVE-2022-38928 https://nvd.nist.gov/vuln/detail/CVE-2022-38928 [ 10 ] CVE-2022-41842 https://nvd.nist.gov/vuln/detail/CVE-2022-41842 [ 11 ] CVE-2022-41843 https://nvd.nist.gov/vuln/detail/CVE-2022-41843 [ 12 ] CVE-2022-41844 https://nvd.nist.gov/vuln/detail/CVE-2022-41844 [ 13 ] CVE-2022-43071 https://nvd.nist.gov/vuln/detail/CVE-2022-43071 [ 14 ] CVE-2022-43295 https://nvd.nist.gov/vuln/detail/CVE-2022-43295 [ 15 ] CVE-2022-45586 https://nvd.nist.gov/vuln/detail/CVE-2022-45586 [ 16 ] CVE-2022-45587 https://nvd.nist.gov/vuln/detail/CVE-2022-45587 [ 17 ] CVE-2023-2662 https://nvd.nist.gov/vuln/detail/CVE-2023-2662 [ 18 ] CVE-2023-2663 https://nvd.nist.gov/vuln/detail/CVE-2023-2663 [ 19 ] CVE-2023-2664 https://nvd.nist.gov/vuln/detail/CVE-2023-2664 [ 20 ] CVE-2023-3044 https://nvd.nist.gov/vuln/detail/CVE-2023-3044 [ 21 ] CVE-2023-3436 https://nvd.nist.gov/vuln/detail/CVE-2023-3436 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202409-25 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to
A vulnerability has been found in ZNC which could result in remote code execution.. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202409-23 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: ZNC: Remote Code Execution Date: September 24, 2024 Bugs: #935422 ID: 202409-23 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== A vulnerability has been found in ZNC which could result in remote code execution. Background ========== ZNC is an advanced IRC bouncer. Affected packages ================= Package Vulnerable Unaffected ----------- ------------ ------------ net-irc/znc < 1.9.1 > = 1.9.1 Description =========== ZNC's modtcl could allow for remote code execution via a KICK. Impact ====== A vulnerable ZNC with the modtcl module loaded could be exploited for remote code execution. Workaround ========== Unload the mod_tcl module. Resolution ========== All ZNC users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose "> =net-irc/znc-1.9.1" References ========== [ 1 ] CVE-2024-39844 https://nvd.nist.gov/vuln/detail/CVE-2024-39844 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202409-23 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to
Get the latest Linux and open source security news straight to your inbox.