Exploit the possiblities

Gentoo Linux Security Advisory 201412-09

Gentoo Linux Security Advisory 201412-09
Posted Dec 12, 2014
Authored by Gentoo | Site security.gentoo.org

Gentoo Linux Security Advisory 201412-9 - This GLSA contains notification of vulnerabilities found in several Gentoo packages which have been fixed prior to January 1, 2012. The worst of these vulnerabilities could lead to local privilege escalation and remote code execution.

tags | advisory, remote, local, vulnerability, code execution
systems | linux, gentoo
advisories | CVE-2007-4370, CVE-2009-4023, CVE-2009-4111, CVE-2010-0778, CVE-2010-1780, CVE-2010-1782, CVE-2010-1783, CVE-2010-1784, CVE-2010-1785, CVE-2010-1786, CVE-2010-1787, CVE-2010-1788, CVE-2010-1790, CVE-2010-1791, CVE-2010-1792, CVE-2010-1793, CVE-2010-1807, CVE-2010-1812, CVE-2010-1814, CVE-2010-1815, CVE-2010-2526, CVE-2010-2901, CVE-2010-3255, CVE-2010-3257, CVE-2010-3259, CVE-2010-3362, CVE-2010-3374, CVE-2010-3389
MD5 | 5de625ecb7d701f9241000db847c2115

Gentoo Linux Security Advisory 201412-09

Change Mirror Download
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201412-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: Multiple packages, Multiple vulnerabilities fixed in 2011
Date: December 11, 2014
Bugs: #194151, #294253, #294256, #334087, #344059, #346897,
#350598, #352608, #354209, #355207, #356893, #358611,
#358785, #358789, #360891, #361397, #362185, #366697,
#366699, #369069, #370839, #372971, #376793, #381169,
#386321, #386361
ID: 201412-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

This GLSA contains notification of vulnerabilities found in several
Gentoo packages which have been fixed prior to January 1, 2012. The
worst of these vulnerabilities could lead to local privilege escalation
and remote code execution. Please see the package list and CVE
identifiers below for more information.

Background
==========

For more information on the packages listed in this GLSA, please see
their homepage referenced in the ebuild.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 games-sports/racer-bin >= 0.5.0-r1 Vulnerable!
2 media-libs/fmod < 4.38.00 >= 4.38.00
3 dev-php/PEAR-Mail < 1.2.0 >= 1.2.0
4 sys-fs/lvm2 < 2.02.72 >= 2.02.72
5 app-office/gnucash < 2.4.4 >= 2.4.4
6 media-libs/xine-lib < 1.1.19 >= 1.1.19
7 media-sound/lastfmplayer
< 1.5.4.26862-r3 >= 1.5.4.26862-r3
8 net-libs/webkit-gtk < 1.2.7 >= 1.2.7
9 sys-apps/shadow < 4.1.4.3 >= 4.1.4.3
10 dev-php/PEAR-PEAR < 1.9.2-r1 >= 1.9.2-r1
11 dev-db/unixODBC < 2.3.0-r1 >= 2.3.0-r1
12 sys-cluster/resource-agents
< 1.0.4-r1 >= 1.0.4-r1
13 net-misc/mrouted < 3.9.5 >= 3.9.5
14 net-misc/rsync < 3.0.8 >= 3.0.8
15 dev-libs/xmlsec < 1.2.17 >= 1.2.17
16 x11-apps/xrdb < 1.0.9 >= 1.0.9
17 net-misc/vino < 2.32.2 >= 2.32.2
18 dev-util/oprofile < 0.9.6-r1 >= 0.9.6-r1
19 app-admin/syslog-ng < 3.2.4 >= 3.2.4
20 net-analyzer/sflowtool < 3.20 >= 3.20
21 gnome-base/gdm < 3.8.4-r3 >= 3.8.4-r3
22 net-libs/libsoup < 2.34.3 >= 2.34.3
23 app-misc/ca-certificates
< 20110502-r1 >= 20110502-r1
24 dev-vcs/gitolite < 1.5.9.1 >= 1.5.9.1
25 dev-util/qt-creator < 2.1.0 >= 2.1.0
-------------------------------------------------------------------
NOTE: Certain packages are still vulnerable. Users should migrate
to another package if one is available or wait for the
existing packages to be marked stable by their
architecture maintainers.
-------------------------------------------------------------------
25 affected packages

Description
===========

Vulnerabilities have been discovered in the packages listed below.
Please review the CVE identifiers in the Reference section for details.

* FMOD Studio
* PEAR Mail
* LVM2
* GnuCash
* xine-lib
* Last.fm Scrobbler
* WebKitGTK+
* shadow tool suite
* PEAR
* unixODBC
* Resource Agents
* mrouted
* rsync
* XML Security Library
* xrdb
* Vino
* OProfile
* syslog-ng
* sFlow Toolkit
* GNOME Display Manager
* libsoup
* CA Certificates
* Gitolite
* QtCreator
* Racer

Impact
======

A context-dependent attacker may be able to gain escalated privileges,
execute arbitrary code, cause Denial of Service, obtain sensitive
information, or otherwise bypass security restrictions.

Workaround
==========

There are no known workarounds at this time.

Resolution
==========

All FMOD Studio users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/fmod-4.38.00"

All PEAR Mail users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-php/PEAR-Mail-1.2.0"

All LVM2 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-fs/lvm2-2.02.72"

All GnuCash users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-office/gnucash-2.4.4"

All xine-lib users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/xine-lib-1.1.19"

All Last.fm Scrobbler users should upgrade to the latest version:

# emerge --sync
# emerge -a --oneshot -v ">=media-sound/lastfmplayer-1.5.4.26862-r3"

All WebKitGTK+ users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-1.2.7"

All shadow tool suite users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-apps/shadow-4.1.4.3"

All PEAR users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-php/PEAR-PEAR-1.9.2-r1"

All unixODBC users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/unixODBC-2.3.0-r1"

All Resource Agents users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot -v ">=sys-cluster/resource-agents-1.0.4-r1"

All mrouted users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/mrouted-3.9.5"

All rsync users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/rsync-3.0.8"

All XML Security Library users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/xmlsec-1.2.17"

All xrdb users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=x11-apps/xrdb-1.0.9"

All Vino users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/vino-2.32.2"

All OProfile users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-util/oprofile-0.9.6-r1"

All syslog-ng users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-admin/syslog-ng-3.2.4"

All sFlow Toolkit users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-analyzer/sflowtool-3.20"

All GNOME Display Manager users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=gnome-base/gdm-3.8.4-r3"

All libsoup users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/libsoup-2.34.3"

All CA Certificates users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot -v ">=app-misc/ca-certificates-20110502-r1"

All Gitolite users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-vcs/gitolite-1.5.9.1"

All QtCreator users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-util/qt-creator-2.1.0"

Gentoo has discontinued support for Racer. We recommend that users
unmerge Racer:

# emerge --unmerge "games-sports/racer-bin"

NOTE: This is a legacy GLSA. Updates for all affected architectures
have been available since 2012. It is likely that your system is
already no longer affected by these issues.

References
==========

[ 1 ] CVE-2007-4370
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4370
[ 2 ] CVE-2009-4023
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4023
[ 3 ] CVE-2009-4111
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4111
[ 4 ] CVE-2010-0778
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0778
[ 5 ] CVE-2010-1780
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1780
[ 6 ] CVE-2010-1782
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1782
[ 7 ] CVE-2010-1783
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1783
[ 8 ] CVE-2010-1784
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1784
[ 9 ] CVE-2010-1785
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1785
[ 10 ] CVE-2010-1786
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1786
[ 11 ] CVE-2010-1787
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1787
[ 12 ] CVE-2010-1788
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1788
[ 13 ] CVE-2010-1790
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1790
[ 14 ] CVE-2010-1791
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1791
[ 15 ] CVE-2010-1792
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1792
[ 16 ] CVE-2010-1793
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1793
[ 17 ] CVE-2010-1807
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1807
[ 18 ] CVE-2010-1812
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1812
[ 19 ] CVE-2010-1814
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1814
[ 20 ] CVE-2010-1815
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1815
[ 21 ] CVE-2010-2526
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2526
[ 22 ] CVE-2010-2901
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2901
[ 23 ] CVE-2010-3255
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3255
[ 24 ] CVE-2010-3257
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3257
[ 25 ] CVE-2010-3259
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3259
[ 26 ] CVE-2010-3362
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3362
[ 27 ] CVE-2010-3374
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3374
[ 28 ] CVE-2010-3389
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3389
[ 29 ] CVE-2010-3812
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3812
[ 30 ] CVE-2010-3813
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3813
[ 31 ] CVE-2010-3999
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3999
[ 32 ] CVE-2010-4042
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4042
[ 33 ] CVE-2010-4197
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4197
[ 34 ] CVE-2010-4198
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4198
[ 35 ] CVE-2010-4204
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4204
[ 36 ] CVE-2010-4206
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4206
[ 37 ] CVE-2010-4492
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4492
[ 38 ] CVE-2010-4493
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4493
[ 39 ] CVE-2010-4577
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4577
[ 40 ] CVE-2010-4578
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4578
[ 41 ] CVE-2011-0007
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0007
[ 42 ] CVE-2011-0465
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0465
[ 43 ] CVE-2011-0482
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0482
[ 44 ] CVE-2011-0721
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0721
[ 45 ] CVE-2011-0727
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0727
[ 46 ] CVE-2011-0904
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0904
[ 47 ] CVE-2011-0905
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0905
[ 48 ] CVE-2011-1072
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1072
[ 49 ] CVE-2011-1097
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1097
[ 50 ] CVE-2011-1144
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1144
[ 51 ] CVE-2011-1425
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1425
[ 52 ] CVE-2011-1572
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1572
[ 53 ] CVE-2011-1760
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1760
[ 54 ] CVE-2011-1951
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1951
[ 55 ] CVE-2011-2471
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2471
[ 56 ] CVE-2011-2472
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2472
[ 57 ] CVE-2011-2473
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2473
[ 58 ] CVE-2011-2524
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2524
[ 59 ] CVE-2011-3365
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3365
[ 60 ] CVE-2011-3366
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3366
[ 61 ] CVE-2011-3367
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3367

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201412-09.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

November 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    22 Files
  • 2
    Nov 2nd
    28 Files
  • 3
    Nov 3rd
    10 Files
  • 4
    Nov 4th
    1 Files
  • 5
    Nov 5th
    5 Files
  • 6
    Nov 6th
    15 Files
  • 7
    Nov 7th
    15 Files
  • 8
    Nov 8th
    13 Files
  • 9
    Nov 9th
    9 Files
  • 10
    Nov 10th
    9 Files
  • 11
    Nov 11th
    3 Files
  • 12
    Nov 12th
    2 Files
  • 13
    Nov 13th
    15 Files
  • 14
    Nov 14th
    17 Files
  • 15
    Nov 15th
    19 Files
  • 16
    Nov 16th
    15 Files
  • 17
    Nov 17th
    19 Files
  • 18
    Nov 18th
    4 Files
  • 19
    Nov 19th
    2 Files
  • 20
    Nov 20th
    9 Files
  • 21
    Nov 21st
    15 Files
  • 22
    Nov 22nd
    23 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close