GLSA 201412-09: Multiple packages, Multiple vulnerabilities fixed in 2011
Severity: | high |
Title: | Multiple packages, Multiple vulnerabilities fixed in 2011 |
Date: | 11.12.2014 |
Bugs: | |
ID: | 201412-09 |
Synopsis
This GLSA contains notification of vulnerabilities found in several Gentoo packages which have been fixed prior to January 1, 2012. The worst of these vulnerabilities could lead to local privilege escalation and remote code execution. Please see the package list and CVE identifiers below for more information.
Background
For more information on the packages listed in this GLSA, please see their homepage referenced in the ebuild.
Affected packages
Package | Vulnerable | Unaffected | Architecture(s) |
---|---|---|---|
games-sports/racer-bin | >= 0.5.0-r1 | | All supported architectures |
media-libs/fmod | < 4.38.00 | >= 4.38.00 | All supported architectures |
dev-php/PEAR-Mail | < 1.2.0 | >= 1.2.0 | All supported architectures |
sys-fs/lvm2 | < 2.02.72 | >= 2.02.72 | All supported architectures |
app-office/gnucash | < 2.4.4 | >= 2.4.4 | All supported architectures |
media-libs/xine-lib | < 1.1.19 | >= 1.1.19 | All supported architectures |
media-sound/lastfmplayer | < 1.5.4.26862-r3 | >= 1.5.4.26862-r3 | All supported architectures |
net-libs/webkit-gtk | < 1.2.7 | >= 1.2.7 | All supported architectures |
sys-apps/shadow | < 4.1.4.3 | >= 4.1.4.3 | All supported architectures |
dev-php/PEAR-PEAR | < 1.9.2-r1 | >= 1.9.2-r1 | All supported architectures |
dev-db/unixODBC | < 2.3.0-r1 | >= 2.3.0-r1 | All supported architectures |
sys-cluster/resource-agents | < 1.0.4-r1 | >= 1.0.4-r1 | All supported architectures |
net-misc/mrouted | < 3.9.5 | >= 3.9.5 | All supported architectures |
net-misc/rsync | < 3.0.8 | >= 3.0.8 | All supported architectures |
dev-libs/xmlsec | < 1.2.17 | >= 1.2.17 | All supported architectures |
x11-apps/xrdb | < 1.0.9 | >= 1.0.9 | All supported architectures |
net-misc/vino | < 2.32.2 | >= 2.32.2 | All supported architectures |
dev-util/oprofile | < 0.9.6-r1 | >= 0.9.6-r1 | All supported architectures |
app-admin/syslog-ng | < 3.2.4 | >= 3.2.4 | All supported architectures |
net-analyzer/sflowtool | < 3.20 | >= 3.20 | All supported architectures |
gnome-base/gdm | < 3.8.4-r3 | >= 3.8.4-r3 | All supported architectures |
net-libs/libsoup | < 2.34.3 | >= 2.34.3 | All supported architectures |
app-misc/ca-certificates | < 20110502-r1 | >= 20110502-r1 | All supported architectures |
dev-vcs/gitolite | < 1.5.9.1 | >= 1.5.9.1 | All supported architectures |
dev-util/qt-creator | < 2.1.0 | >= 2.1.0 | All supported architectures |
Description
Vulnerabilities have been discovered in the packages listed below. Please review the CVE identifiers in the Reference section for details.
- FMOD Studio
- PEAR Mail
- LVM2
- GnuCash
- xine-lib
- Last.fm Scrobbler
- WebKitGTK+
- shadow tool suite
- PEAR
- unixODBC
- Resource Agents
- mrouted
- rsync
- XML Security Library
- xrdb
- Vino
- OProfile
- syslog-ng
- sFlow Toolkit
- GNOME Display Manager
- libsoup
- CA Certificates
- Gitolite
- QtCreator
- Racer
Impact
A context-dependent attacker may be able to gain escalated privileges, execute arbitrary code, cause Denial of Service, obtain sensitive information, or otherwise bypass security restrictions.
Workaround
There are no known workarounds at this time.
Resolution
All FMOD Studio users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/fmod-4.38.00"
All PEAR Mail users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-php/PEAR-Mail-1.2.0"
All LVM2 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-fs/lvm2-2.02.72"
All GnuCash users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-office/gnucash-2.4.4"
All xine-lib users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/xine-lib-1.1.19"
All Last.fm Scrobbler users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-sound/lastfmplayer-1.5.4.26862-r3"
All WebKitGTK+ users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-1.2.7"
All shadow tool suite users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-apps/shadow-4.1.4.3"
All PEAR users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-php/PEAR-PEAR-1.9.2-r1"
All unixODBC users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/unixODBC-2.3.0-r1"
All Resource Agents users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-cluster/resource-agents-1.0.4-r1"
All mrouted users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/mrouted-3.9.5"
All rsync users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/rsync-3.0.8"
All XML Security Library users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/xmlsec-1.2.17"
All xrdb users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=x11-apps/xrdb-1.0.9"
All Vino users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/vino-2.32.2"
All OProfile users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-util/oprofile-0.9.6-r1"
All syslog-ng users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-admin/syslog-ng-3.2.4"
All sFlow Toolkit users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-analyzer/sflowtool-3.20"
All GNOME Display Manager users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=gnome-base/gdm-3.8.4-r3"
All libsoup users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/libsoup-2.34.3"
All CA Certificates users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-misc/ca-certificates-20110502-r1"
All Gitolite users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-vcs/gitolite-1.5.9.1"
All QtCreator users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-util/qt-creator-2.1.0"
Gentoo has discontinued support for Racer. We recommend that users unmerge Racer:
# emerge --unmerge "games-sports/racer-bin"
NOTE: This is a legacy GLSA. Updates for all affected architectures have been available since 2012. It is likely that your system is already no longer affected by these issues.
References
CVE-2007-4370 CVE-2009-4023 CVE-2009-4111 CVE-2010-0778 CVE-2010-1780 CVE-2010-1782 CVE-2010-1783 CVE-2010-1784 CVE-2010-1785 CVE-2010-1786 CVE-2010-1787 CVE-2010-1788 CVE-2010-1790 CVE-2010-1791 CVE-2010-1792 CVE-2010-1793 CVE-2010-1807 CVE-2010-1812 CVE-2010-1814 CVE-2010-1815 CVE-2010-2526 CVE-2010-2901 CVE-2010-3255 CVE-2010-3257 CVE-2010-3259 CVE-2010-3362 CVE-2010-3374 CVE-2010-3389 CVE-2010-3812 CVE-2010-3813 CVE-2010-3999 CVE-2010-4042 CVE-2010-4197 CVE-2010-4198 CVE-2010-4204 CVE-2010-4206 CVE-2010-4492 CVE-2010-4493 CVE-2010-4577 CVE-2010-4578 CVE-2011-0007 CVE-2011-0465 CVE-2011-0482 CVE-2011-0721 CVE-2011-0727 CVE-2011-0904 CVE-2011-0905 CVE-2011-1072 CVE-2011-1097 CVE-2011-1144 CVE-2011-1425 CVE-2011-1572 CVE-2011-1760 CVE-2011-1951 CVE-2011-2471 CVE-2011-2472 CVE-2011-2473 CVE-2011-2524 CVE-2011-3365 CVE-2011-3366 CVE-2011-3367
Availability
This GLSA and any updates to it are available for viewing at the Gentoo Security website:
Concerns?
Security is a primary focus of Gentoo Linux, and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or, alternatively, you may file a bug at https://bugs.gentoo.org.
License
Copyright 2010 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.