4 Gentoo Security Updates
Posted on: 10/19/2012 09:53 AM

The following updates has been released for Gentoo Linux: [ GLSA 201210-01 ] w3m: SSL spoofing vulnerability, [ GLSA 201210-02 ] MoinMoin: Multiple vulnerabilities, [ GLSA 201210-04 ] qemu-kvm: Multiple vulnerabilities, and [ GLSA 201210-03 ] rdesktop: Directory Traversal

[ GLSA 201210-01 ] w3m: SSL spoofing vulnerability
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201210-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: w3m: SSL spoofing vulnerability
Date: October 18, 2012
Bugs: #325431
ID: 201210-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

An error in the hostname matching of w3m might enable remote attackers
to conduct man-in-the-middle attacks.

Background
==========

w3m is a text based WWW browser.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 www-client/w3m < 0.5.2-r4 >= 0.5.2-r4

Description
===========

A SSL spoofing vulnerability has been discovered in w3m. Please review
the CVE identifier referenced below for details.

Impact
======

A remote attacker might employ a specially crafted certificate to
conduct man-in-the-middle attacks on SSL connections made using w3m.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All w3m users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/w3m-0.5.2-r4"

References
==========

[ 1 ] CVE-2010-2074
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2074

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201210-01.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5




[ GLSA 201210-02 ] MoinMoin: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201210-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: MoinMoin: Multiple vulnerabilities
Date: October 18, 2012
Bugs: #305663, #339295
ID: 201210-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in MoinMoin, the worst of
which allowing for injection of arbitrary web script or HTML.

Background
==========

MoinMoin is a Python WikiEngine.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 www-apps/moinmoin < 1.9.4 >= 1.9.4

Description
===========

Multiple vulnerabilities have been discovered in MoinMoin. Please
review the CVE identifiers referenced below for details.

Impact
======

These vulnerabilities in MoinMoin allow remote users to inject
arbitrary web script or HTML, to obtain sensitive information and to
bypass the textcha protection mechanism. There are several other
unknown impacts and attack vectors.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All MoinMoin users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/moinmoin-1.9.4"

References
==========

[ 1 ] CVE-2010-0668
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0668
[ 2 ] CVE-2010-0669
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0669
[ 3 ] CVE-2010-0717
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0717
[ 4 ] CVE-2010-0828
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0828
[ 5 ] CVE-2010-1238
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1238
[ 6 ] CVE-2010-2487
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2487
[ 7 ] CVE-2010-2969
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2969
[ 8 ] CVE-2010-2970
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2970
[ 9 ] CVE-2011-1058
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1058

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201210-02.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5




[ GLSA 201210-04 ] qemu-kvm: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201210-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: qemu-kvm: Multiple vulnerabilities
Date: October 18, 2012
Bugs: #364889, #365259, #372411, #373997, #400595, #430456
ID: 201210-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities were found in qemu-kvm, allowing attackers to
execute arbitrary code.

Background
==========

qemu-kvm provides QEMU and Kernel-based Virtual Machine userland tools.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-emulation/qemu-kvm < 1.1.1-r1 >= 1.1.1-r1

Description
===========

Multiple vulnerabilities have been discovered in qemu-kvm. Please
review the CVE identifiers referenced below for details.

Impact
======

These vulnerabilities allow a remote attacker to cause a Denial of
Service condition on the host server or qemu process, might allow for
arbitrary code execution or a symlink attack when qemu-kvm is in
snapshot mode.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All qemu-kvm users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot -v ">=app-emulation/qemu-kvm-1.1.1-r1"

References
==========

[ 1 ] CVE-2011-1750
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1750
[ 2 ] CVE-2011-1751
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1751
[ 3 ] CVE-2011-2212
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2212
[ 4 ] CVE-2011-2512
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2512
[ 5 ] CVE-2012-0029
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0029
[ 6 ] CVE-2012-2652
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2652

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201210-04.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5




[ GLSA 201210-03 ] rdesktop: Directory Traversal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201210-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: rdesktop: Directory Traversal
Date: October 18, 2012
Bugs: #364191
ID: 201210-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability which allows a remote attacking server to read or
overwrite arbitrary files has been found in rdesktop.

Background
==========

rdesktop is a Remote Desktop Protocol (RDP) Client.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-misc/rdesktop < 1.7.0 >= 1.7.0

Description
===========

A vulnerability has been discovered in rdesktop. Please review the CVE
identifier referenced below for details.

Impact
======

Remote RDP servers may be able to read or overwrite arbitrary files via
a .. (dot dot) in a pathname.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All rdesktop users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/rdesktop-1.7.0"

References
==========

[ 1 ] CVE-2011-1595
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1595

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201210-03.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5








Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/4_gentoo_security_updates.html)