Twenty Year Anniversary

Gentoo Linux Security Advisory 201412-09

Gentoo Linux Security Advisory 201412-09
Posted Dec 12, 2014
Authored by Gentoo | Site security.gentoo.org

Gentoo Linux Security Advisory 201412-9 - This GLSA contains notification of vulnerabilities found in several Gentoo packages which have been fixed prior to January 1, 2012. The worst of these vulnerabilities could lead to local privilege escalation and remote code execution.

tags | advisory, remote, local, vulnerability, code execution
systems | linux, gentoo
advisories | CVE-2007-4370, CVE-2009-4023, CVE-2009-4111, CVE-2010-0778, CVE-2010-1780, CVE-2010-1782, CVE-2010-1783, CVE-2010-1784, CVE-2010-1785, CVE-2010-1786, CVE-2010-1787, CVE-2010-1788, CVE-2010-1790, CVE-2010-1791, CVE-2010-1792, CVE-2010-1793, CVE-2010-1807, CVE-2010-1812, CVE-2010-1814, CVE-2010-1815, CVE-2010-2526, CVE-2010-2901, CVE-2010-3255, CVE-2010-3257, CVE-2010-3259, CVE-2010-3362, CVE-2010-3374, CVE-2010-3389
MD5 | 5de625ecb7d701f9241000db847c2115

Gentoo Linux Security Advisory 201412-09

Change Mirror Download
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201412-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: Multiple packages, Multiple vulnerabilities fixed in 2011
Date: December 11, 2014
Bugs: #194151, #294253, #294256, #334087, #344059, #346897,
#350598, #352608, #354209, #355207, #356893, #358611,
#358785, #358789, #360891, #361397, #362185, #366697,
#366699, #369069, #370839, #372971, #376793, #381169,
#386321, #386361
ID: 201412-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

This GLSA contains notification of vulnerabilities found in several
Gentoo packages which have been fixed prior to January 1, 2012. The
worst of these vulnerabilities could lead to local privilege escalation
and remote code execution. Please see the package list and CVE
identifiers below for more information.

Background
==========

For more information on the packages listed in this GLSA, please see
their homepage referenced in the ebuild.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 games-sports/racer-bin >= 0.5.0-r1 Vulnerable!
2 media-libs/fmod < 4.38.00 >= 4.38.00
3 dev-php/PEAR-Mail < 1.2.0 >= 1.2.0
4 sys-fs/lvm2 < 2.02.72 >= 2.02.72
5 app-office/gnucash < 2.4.4 >= 2.4.4
6 media-libs/xine-lib < 1.1.19 >= 1.1.19
7 media-sound/lastfmplayer
< 1.5.4.26862-r3 >= 1.5.4.26862-r3
8 net-libs/webkit-gtk < 1.2.7 >= 1.2.7
9 sys-apps/shadow < 4.1.4.3 >= 4.1.4.3
10 dev-php/PEAR-PEAR < 1.9.2-r1 >= 1.9.2-r1
11 dev-db/unixODBC < 2.3.0-r1 >= 2.3.0-r1
12 sys-cluster/resource-agents
< 1.0.4-r1 >= 1.0.4-r1
13 net-misc/mrouted < 3.9.5 >= 3.9.5
14 net-misc/rsync < 3.0.8 >= 3.0.8
15 dev-libs/xmlsec < 1.2.17 >= 1.2.17
16 x11-apps/xrdb < 1.0.9 >= 1.0.9
17 net-misc/vino < 2.32.2 >= 2.32.2
18 dev-util/oprofile < 0.9.6-r1 >= 0.9.6-r1
19 app-admin/syslog-ng < 3.2.4 >= 3.2.4
20 net-analyzer/sflowtool < 3.20 >= 3.20
21 gnome-base/gdm < 3.8.4-r3 >= 3.8.4-r3
22 net-libs/libsoup < 2.34.3 >= 2.34.3
23 app-misc/ca-certificates
< 20110502-r1 >= 20110502-r1
24 dev-vcs/gitolite < 1.5.9.1 >= 1.5.9.1
25 dev-util/qt-creator < 2.1.0 >= 2.1.0
-------------------------------------------------------------------
NOTE: Certain packages are still vulnerable. Users should migrate
to another package if one is available or wait for the
existing packages to be marked stable by their
architecture maintainers.
-------------------------------------------------------------------
25 affected packages

Description
===========

Vulnerabilities have been discovered in the packages listed below.
Please review the CVE identifiers in the Reference section for details.

* FMOD Studio
* PEAR Mail
* LVM2
* GnuCash
* xine-lib
* Last.fm Scrobbler
* WebKitGTK+
* shadow tool suite
* PEAR
* unixODBC
* Resource Agents
* mrouted
* rsync
* XML Security Library
* xrdb
* Vino
* OProfile
* syslog-ng
* sFlow Toolkit
* GNOME Display Manager
* libsoup
* CA Certificates
* Gitolite
* QtCreator
* Racer

Impact
======

A context-dependent attacker may be able to gain escalated privileges,
execute arbitrary code, cause Denial of Service, obtain sensitive
information, or otherwise bypass security restrictions.

Workaround
==========

There are no known workarounds at this time.

Resolution
==========

All FMOD Studio users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/fmod-4.38.00"

All PEAR Mail users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-php/PEAR-Mail-1.2.0"

All LVM2 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-fs/lvm2-2.02.72"

All GnuCash users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-office/gnucash-2.4.4"

All xine-lib users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/xine-lib-1.1.19"

All Last.fm Scrobbler users should upgrade to the latest version:

# emerge --sync
# emerge -a --oneshot -v ">=media-sound/lastfmplayer-1.5.4.26862-r3"

All WebKitGTK+ users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-1.2.7"

All shadow tool suite users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-apps/shadow-4.1.4.3"

All PEAR users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-php/PEAR-PEAR-1.9.2-r1"

All unixODBC users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/unixODBC-2.3.0-r1"

All Resource Agents users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot -v ">=sys-cluster/resource-agents-1.0.4-r1"

All mrouted users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/mrouted-3.9.5"

All rsync users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/rsync-3.0.8"

All XML Security Library users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/xmlsec-1.2.17"

All xrdb users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=x11-apps/xrdb-1.0.9"

All Vino users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/vino-2.32.2"

All OProfile users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-util/oprofile-0.9.6-r1"

All syslog-ng users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-admin/syslog-ng-3.2.4"

All sFlow Toolkit users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-analyzer/sflowtool-3.20"

All GNOME Display Manager users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=gnome-base/gdm-3.8.4-r3"

All libsoup users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/libsoup-2.34.3"

All CA Certificates users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot -v ">=app-misc/ca-certificates-20110502-r1"

All Gitolite users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-vcs/gitolite-1.5.9.1"

All QtCreator users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-util/qt-creator-2.1.0"

Gentoo has discontinued support for Racer. We recommend that users
unmerge Racer:

# emerge --unmerge "games-sports/racer-bin"

NOTE: This is a legacy GLSA. Updates for all affected architectures
have been available since 2012. It is likely that your system is
already no longer affected by these issues.

References
==========

[ 1 ] CVE-2007-4370
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4370
[ 2 ] CVE-2009-4023
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4023
[ 3 ] CVE-2009-4111
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4111
[ 4 ] CVE-2010-0778
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0778
[ 5 ] CVE-2010-1780
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1780
[ 6 ] CVE-2010-1782
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1782
[ 7 ] CVE-2010-1783
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1783
[ 8 ] CVE-2010-1784
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1784
[ 9 ] CVE-2010-1785
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1785
[ 10 ] CVE-2010-1786
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1786
[ 11 ] CVE-2010-1787
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1787
[ 12 ] CVE-2010-1788
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1788
[ 13 ] CVE-2010-1790
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1790
[ 14 ] CVE-2010-1791
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1791
[ 15 ] CVE-2010-1792
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1792
[ 16 ] CVE-2010-1793
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1793
[ 17 ] CVE-2010-1807
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1807
[ 18 ] CVE-2010-1812
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1812
[ 19 ] CVE-2010-1814
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1814
[ 20 ] CVE-2010-1815
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1815
[ 21 ] CVE-2010-2526
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2526
[ 22 ] CVE-2010-2901
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2901
[ 23 ] CVE-2010-3255
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3255
[ 24 ] CVE-2010-3257
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3257
[ 25 ] CVE-2010-3259
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3259
[ 26 ] CVE-2010-3362
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3362
[ 27 ] CVE-2010-3374
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3374
[ 28 ] CVE-2010-3389
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3389
[ 29 ] CVE-2010-3812
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3812
[ 30 ] CVE-2010-3813
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3813
[ 31 ] CVE-2010-3999
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3999
[ 32 ] CVE-2010-4042
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4042
[ 33 ] CVE-2010-4197
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4197
[ 34 ] CVE-2010-4198
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4198
[ 35 ] CVE-2010-4204
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4204
[ 36 ] CVE-2010-4206
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4206
[ 37 ] CVE-2010-4492
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4492
[ 38 ] CVE-2010-4493
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4493
[ 39 ] CVE-2010-4577
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4577
[ 40 ] CVE-2010-4578
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4578
[ 41 ] CVE-2011-0007
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0007
[ 42 ] CVE-2011-0465
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0465
[ 43 ] CVE-2011-0482
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0482
[ 44 ] CVE-2011-0721
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0721
[ 45 ] CVE-2011-0727
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0727
[ 46 ] CVE-2011-0904
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0904
[ 47 ] CVE-2011-0905
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0905
[ 48 ] CVE-2011-1072
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1072
[ 49 ] CVE-2011-1097
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1097
[ 50 ] CVE-2011-1144
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1144
[ 51 ] CVE-2011-1425
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1425
[ 52 ] CVE-2011-1572
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1572
[ 53 ] CVE-2011-1760
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1760
[ 54 ] CVE-2011-1951
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1951
[ 55 ] CVE-2011-2471
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2471
[ 56 ] CVE-2011-2472
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2472
[ 57 ] CVE-2011-2473
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2473
[ 58 ] CVE-2011-2524
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2524
[ 59 ] CVE-2011-3365
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3365
[ 60 ] CVE-2011-3366
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3366
[ 61 ] CVE-2011-3367
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3367

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201412-09.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

June 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    14 Files
  • 2
    Jun 2nd
    1 Files
  • 3
    Jun 3rd
    3 Files
  • 4
    Jun 4th
    18 Files
  • 5
    Jun 5th
    21 Files
  • 6
    Jun 6th
    8 Files
  • 7
    Jun 7th
    16 Files
  • 8
    Jun 8th
    18 Files
  • 9
    Jun 9th
    5 Files
  • 10
    Jun 10th
    2 Files
  • 11
    Jun 11th
    21 Files
  • 12
    Jun 12th
    32 Files
  • 13
    Jun 13th
    15 Files
  • 14
    Jun 14th
    16 Files
  • 15
    Jun 15th
    4 Files
  • 16
    Jun 16th
    1 Files
  • 17
    Jun 17th
    2 Files
  • 18
    Jun 18th
    15 Files
  • 19
    Jun 19th
    15 Files
  • 20
    Jun 20th
    15 Files
  • 21
    Jun 21st
    15 Files
  • 22
    Jun 22nd
    7 Files
  • 23
    Jun 23rd
    2 Files
  • 24
    Jun 24th
    1 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close