Gentoo 2478 Published by

7 security updates has been released for Gentoo Linux



[gentoo-announce] [ GLSA 201110-07 ] vsftpd: Denial of Service
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201110-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: vsftpd: Denial of Service
Date: October 10, 2011
Bugs: #357001
ID: 201110-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A Denial of Service vulnerability was found in vsftpd.

Background
==========

vsftpd is a very secure FTP daemon written with speed, size and
security in mind.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-ftp/vsftpd < 2.3.4 >= 2.3.4

Description
===========

A Denial of Service vulnerability was discovered in vsftpd. Please
review the CVE identifier referenced below for details.

Impact
======

A remote authenticated attacker could cause a Denial of Service.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All vsftpd users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-ftp/vsftpd-2.3.4"

References
==========

[ 1 ] CVE-2011-0762
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0762

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201110-07.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[gentoo-announce] [ GLSA 201110-05 ] GnuTLS: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201110-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: GnuTLS: Multiple vulnerabilities
Date: October 10, 2011
Bugs: #281224, #292025
ID: 201110-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities were found in GnuTLS, allowing for easier
man-in-the-middle attacks.

Background
==========

GnuTLS is an Open Source implementation of the TLS 1.2 and SSL 3.0
protocols.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-libs/gnutls < 2.10.0 >= 2.10.0

Description
===========

Multiple vulnerabilities have been discovered in GnuTLS. Please review
the CVE identifiers referenced below for details.

Impact
======

An attacker could perform man-in-the-middle attacks to spoof arbitrary
SSL servers via a crafted certificate issued by a legitimate
Certification Authority or to inject an arbitrary amount of chosen
plaintext into the beginning of the application protocol stream,
allowing for further exploitation.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All GnuTLS users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/gnutls-2.10.0"

NOTE: This is a legacy GLSA. Updates for all affected architectures are
available since August 6, 2010. It is likely that your system is
already no longer affected by this issue.

References
==========

[ 1 ] CVE-2009-2730
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2730
[ 2 ] CVE-2009-3555
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3555

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201110-05.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[gentoo-announce] [ GLSA 201110-06 ] PHP: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201110-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: PHP: Multiple vulnerabilities
Date: October 10, 2011
Bugs: #306939, #332039, #340807, #350908, #355399, #358791,
#358975, #369071, #372745, #373965, #380261
ID: 201110-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities were found in PHP, the worst of which leading
to remote execution of arbitrary code.

Background
==========

PHP is a widely-used general-purpose scripting language that is
especially suited for Web development and can be embedded into HTML.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-lang/php < 5.3.8 >= 5.3.8

Description
===========

Multiple vulnerabilities have been discovered in PHP. Please review the
CVE identifiers referenced below for details.

Impact
======

A context-dependent attacker could execute arbitrary code, obtain
sensitive information from process memory, bypass intended access
restrictions, or cause a Denial of Service in various ways.

A remote attacker could cause a Denial of Service in various ways,
bypass spam detections, or bypass open_basedir restrictions.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All PHP users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/php-5.3.8"

References
==========

[ 1 ] CVE-2006-7243
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-7243
[ 2 ] CVE-2009-5016
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5016
[ 3 ] CVE-2010-1128
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1128
[ 4 ] CVE-2010-1129
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1129
[ 5 ] CVE-2010-1130
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1130
[ 6 ] CVE-2010-1860
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1860
[ 7 ] CVE-2010-1861
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1861
[ 8 ] CVE-2010-1862
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1862
[ 9 ] CVE-2010-1864
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1864
[ 10 ] CVE-2010-1866
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1866
[ 11 ] CVE-2010-1868
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1868
[ 12 ] CVE-2010-1914
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1914
[ 13 ] CVE-2010-1915
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1915
[ 14 ] CVE-2010-1917
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1917
[ 15 ] CVE-2010-2093
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2093
[ 16 ] CVE-2010-2094
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2094
[ 17 ] CVE-2010-2097
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2097
[ 18 ] CVE-2010-2100
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2100
[ 19 ] CVE-2010-2101
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2101
[ 20 ] CVE-2010-2190
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2190
[ 21 ] CVE-2010-2191
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2191
[ 22 ] CVE-2010-2225
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2225
[ 23 ] CVE-2010-2484
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2484
[ 24 ] CVE-2010-2531
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2531
[ 25 ] CVE-2010-2950
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2950
[ 26 ] CVE-2010-3062
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3062
[ 27 ] CVE-2010-3063
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3063
[ 28 ] CVE-2010-3064
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3064
[ 29 ] CVE-2010-3065
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3065
[ 30 ] CVE-2010-3436
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3436
[ 31 ] CVE-2010-3709
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3709
[ 32 ] CVE-2010-3709
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3709
[ 33 ] CVE-2010-3710
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3710
[ 34 ] CVE-2010-3710
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3710
[ 35 ] CVE-2010-3870
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3870
[ 36 ] CVE-2010-4150
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4150
[ 37 ] CVE-2010-4409
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4409
[ 38 ] CVE-2010-4645
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4645
[ 39 ] CVE-2010-4697
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4697
[ 40 ] CVE-2010-4698
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4698
[ 41 ] CVE-2010-4699
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4699
[ 42 ] CVE-2010-4700
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4700
[ 43 ] CVE-2011-0420
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0420
[ 44 ] CVE-2011-0421
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0421
[ 45 ] CVE-2011-0708
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0708
[ 46 ] CVE-2011-0752
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0752
[ 47 ] CVE-2011-0753
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0753
[ 48 ] CVE-2011-0755
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0755
[ 49 ] CVE-2011-1092
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1092
[ 50 ] CVE-2011-1148
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1148
[ 51 ] CVE-2011-1153
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1153
[ 52 ] CVE-2011-1464
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1464
[ 53 ] CVE-2011-1466
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1466
[ 54 ] CVE-2011-1467
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1467
[ 55 ] CVE-2011-1468
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1468
[ 56 ] CVE-2011-1469
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1469
[ 57 ] CVE-2011-1470
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1470
[ 58 ] CVE-2011-1471
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1471
[ 59 ] CVE-2011-1657
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1657
[ 60 ] CVE-2011-1938
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1938
[ 61 ] CVE-2011-2202
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2202
[ 62 ] CVE-2011-2483
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2483
[ 63 ] CVE-2011-3182
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3182
[ 64 ] CVE-2011-3189
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3189
[ 65 ] CVE-2011-3267
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3267
[ 66 ] CVE-2011-3268
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3268

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201110-06.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[gentoo-announce] [ GLSA 201110-03 ] Bugzilla: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201110-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Bugzilla: Multiple vulnerabilities
Date: October 10, 2011
Bugs: #352781, #380255, #386203
ID: 201110-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities were found in Bugzilla, the worst of which
leading to privilege escalation.

Background
==========

Bugzilla is the bug-tracking system from the Mozilla project.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 www-apps/bugzilla < 3.6.6 >= 3.6.6

Description
===========

Multiple vulnerabilities have been discovered in Bugzilla. Please
review the CVE identifiers referenced below for details.

Impact
======

A remote attacker could conduct cross-site scripting attacks, conduct
script insertion and spoofing attacks, hijack the authentication of
arbitrary users, inject arbitrary HTTP headers, obtain access to
arbitrary accounts, disclose the existence of confidential groups and
its names, or inject arbitrary e-mail headers.

A local attacker could disclose the contents of temporarfy files for
uploaded attachments.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Bugzilla users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/bugzilla-3.6.6"

NOTE: This is a legacy GLSA. Updates for all affected architectures are
available since August 27, 2011. It is likely that your system is
already no longer affected by this issue.

References
==========

[ 1 ] CVE-2010-2761
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2761
[ 2 ] CVE-2010-3172
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3172
[ 3 ] CVE-2010-3764
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3764
[ 4 ] CVE-2010-4411
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4411
[ 5 ] CVE-2010-4567
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4567
[ 6 ] CVE-2010-4568
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4568
[ 7 ] CVE-2010-4569
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4569
[ 8 ] CVE-2010-4570
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4570
[ 9 ] CVE-2010-4572
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4572
[ 10 ] CVE-2011-0046
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0046
[ 11 ] CVE-2011-0048
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0048
[ 12 ] CVE-2011-2379
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2379
[ 13 ] CVE-2011-2380
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2380
[ 14 ] CVE-2011-2381
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2381
[ 15 ] CVE-2011-2976
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2976
[ 16 ] CVE-2011-2977
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2977
[ 17 ] CVE-2011-2978
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2978
[ 18 ] CVE-2011-2979
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2979

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201110-03.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[gentoo-announce] [ GLSA 201110-04 ] Dovecot: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201110-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: Dovecot: Multiple vulnerabilities
Date: October 10, 2011
Bugs: #286844, #293954, #314533, #368653
ID: 201110-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities were found in Dovecot, the worst of which
allowing for remote execution of arbitrary code.

Background
==========

Dovecot is an IMAP and POP3 server written with security primarily in
mind.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-mail/dovecot < 2.0.13 *>= 1.2.17
>= 2.0.13

Description
===========

Multiple vulnerabilities have been discovered in Dovecot. Please review
the CVE identifiers referenced below for details.

Impact
======

A remote attacker could exploit these vulnerabilities to cause the
remote execution of arbitrary code, or a Denial of Service condition,
to conduct directory traversal attacks, corrupt data, or disclose
information.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Dovecot 1 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-mail/dovecot-1.2.17"

All Dovecot 2 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-mail/dovecot-2.0.13"

NOTE: This is a legacy GLSA. Updates for all affected architectures are
available since May 28, 2011. It is likely that your system is already
no longer affected by this issue.

References
==========

[ 1 ] CVE-2009-3235
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3235
[ 2 ] CVE-2009-3897
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3897
[ 3 ] CVE-2010-0745
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0745
[ 4 ] CVE-2010-3304
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3304
[ 5 ] CVE-2010-3706
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3706
[ 6 ] CVE-2010-3707
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3707
[ 7 ] CVE-2010-3779
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3779
[ 8 ] CVE-2010-3780
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3780
[ 9 ] CVE-2011-1929
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1929
[ 10 ] CVE-2011-2166
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2166
[ 11 ] CVE-2011-2167
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2167

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201110-04.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[gentoo-announce] [ GLSA 201110-04 ]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201110-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: Dovecot: Multiple vulnerabilities
Date: October 10, 2011
Bugs: #286844, #293954, #314533, #368653
ID: 201110-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities were found in Dovecot, the worst of which
allowing for remote execution of arbitrary code.

Background
==========

Dovecot is an IMAP and POP3 server written with security primarily in
mind.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-mail/dovecot < 2.0.13 *>= 1.2.17
>= 2.0.13

Description
===========

Multiple vulnerabilities have been discovered in Dovecot. Please review
the CVE identifiers referenced below for details.

Impact
======

A remote attacker could exploit these vulnerabilities to cause the
remote execution of arbitrary code, or a Denial of Service condition,
to conduct directory traversal attacks, corrupt data, or disclose
information.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Dovecot 1 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-mail/dovecot-1.2.17"

All Dovecot 2 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-mail/dovecot-2.0.13"

NOTE: This is a legacy GLSA. Updates for all affected architectures are
available since May 28, 2011. It is likely that your system is already
no longer affected by this issue.

References
==========

[ 1 ] CVE-2009-3235
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3235
[ 2 ] CVE-2009-3897
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3897
[ 3 ] CVE-2010-0745
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0745
[ 4 ] CVE-2010-3304
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3304
[ 5 ] CVE-2010-3706
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3706
[ 6 ] CVE-2010-3707
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3707
[ 7 ] CVE-2010-3779
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3779
[ 8 ] CVE-2010-3780
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3780
[ 9 ] CVE-2011-1929
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1929
[ 10 ] CVE-2011-2166
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2166
[ 11 ] CVE-2011-2167
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2167

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201110-04.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[gentoo-announce] [ GLSA 201110-03 ]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 21f5d5f72
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Bugzilla: Multiple vulnerabilities
Date: October 09, 2011
Bugs: #352781, #380255, #386203
ID: 21f5d5f72

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities were found in Bugzilla, the worst of which
leading to privilege escalation.

Background
==========

Bugzilla is the bug-tracking system from the Mozilla project.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 www-apps/bugzilla < 3.6.6 >= 3.6.6

Description
===========

Multiple vulnerabilities have been discovered in Bugzilla. Please
review the CVE identifiers referenced below for details.

Impact
======

A remote attacker could conduct cross-site scripting attacks, conduct
script insertion and spoofing attacks, hijack the authentication of
arbitrary users, inject arbitrary HTTP headers, obtain access to
arbitrary accounts, disclose the existence of confidential groups and
its names, or inject arbitrary e-mail headers.

A local attacker could disclose the contents of temporarfy files for
uploaded attachments.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Bugzilla users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/bugzilla-3.6.6"

NOTE: This is a legacy GLSA. Updates for all affected architectures are
available since August 27, 2011. It is likely that your system is
already no longer affected by this issue.

References
==========

[ 1 ] CVE-2010-2761
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2761
[ 2 ] CVE-2010-3172
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3172
[ 3 ] CVE-2010-3764
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3764
[ 4 ] CVE-2010-4411
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4411
[ 5 ] CVE-2010-4567
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4567
[ 6 ] CVE-2010-4568
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4568
[ 7 ] CVE-2010-4569
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4569
[ 8 ] CVE-2010-4570
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4570
[ 9 ] CVE-2010-4572
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4572
[ 10 ] CVE-2011-0046
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0046
[ 11 ] CVE-2011-0048
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0048
[ 12 ] CVE-2011-2379
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2379
[ 13 ] CVE-2011-2380
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2380
[ 14 ] CVE-2011-2381
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2381
[ 15 ] CVE-2011-2976
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2976
[ 16 ] CVE-2011-2977
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2977
[ 17 ] CVE-2011-2978
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2978
[ 18 ] CVE-2011-2979
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2979

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-21f5d5f72.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5