The following updates has been released for Gentoo Linux:
[ GLSA 201405-02 ] libSRTP: Denial of Service
[ GLSA 201405-03 ] WeeChat: Multiple vulnerabilities
[ GLSA 201405-04 ] Adobe Flash Player: Multiple vulnerabilities
[ GLSA 201405-05 ] Asterisk: Denial of Service
[ GLSA 201405-02 ] libSRTP: Denial of Service
[ GLSA 201405-03 ] WeeChat: Multiple vulnerabilities
[ GLSA 201405-04 ] Adobe Flash Player: Multiple vulnerabilities
[ GLSA 201405-05 ] Asterisk: Denial of Service
[ GLSA 201405-02 ] libSRTP: Denial of Service
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201405-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: libSRTP: Denial of Service
Date: May 03, 2014
Bugs: #472302
ID: 201405-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
A vulnerability in libSRTP can result in a Denial of Service condition.
Background
==========
libSRTP is an Open-source implementation of the Secure Real-time
Transport Protocol.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-libs/libsrtp < 1.4.4_p20121108-r1>= 1.4.4_p20121108-r1
Description
===========
A flaw was found in how the crypto_policy_set_from_profile_for_rtp()
function applies cryptographic profiles to an srtp_policy in libSRTP.
Impact
======
A remote attacker could exploit this vulnerability to crash an
application linked against libSRTP, resulting in Denial of Service.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All libSRTP users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=net-libs/libsrtp-1.4.4_p20121108-r1"
References
==========
[ 1 ] CVE-2013-2139
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2139
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201405-02.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
[ GLSA 201405-03 ] WeeChat: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201405-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: WeeChat: Multiple vulnerabilities
Date: May 03, 2014
Bugs: #442600
ID: 201405-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Two vulnerabilities have been found in WeeChat, the worst of which may
allow execution of arbitrary code.
Background
==========
Wee Enhanced Environment for Chat (WeeChat) is a light and extensible
console IRC client.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-irc/weechat < 0.3.9.2 >= 0.3.9.2
Description
===========
Two vulnerabilities have been discovered in WeeChat:
* The hook_process() function does not properly handle shell expansions
(CVE-2012-5534).
* WeeChat does not properly decode colors which could cause a
heap-based buffer overflow (CVE-2012-5854).
Impact
======
A remote attacker could entice a user to open a specially crafted
script or send messages with specially crafted colors, possibly
resulting in execution of arbitrary code with the privileges of the
process, or a Denial of Service condition.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All WeeChat users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-irc/weechat-0.3.9.2"
References
==========
[ 1 ] CVE-2012-5534
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5534
[ 2 ] CVE-2012-5854
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5854
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201405-03.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
[ GLSA 201405-04 ] Adobe Flash Player: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201405-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Adobe Flash Player: Multiple vulnerabilities
Date: May 03, 2014
Bugs: #501960, #504286, #507176, #508986
ID: 201405-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in Adobe Flash Player, the
worst of which could result in execution of arbitrary code.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 www-plugins/adobe-flash < 11.2.202.356 >= 11.2.202.356
Description
===========
Multiple vulnerabilities have been discovered in Adobe Flash Player.
Please review the CVE identifiers referenced below for details.
Impact
======
A remote attacker could entice a user to open a specially crafted SWF
file using Adobe Flash Player, possibly resulting in execution of
arbitrary code with the privileges of the process or a Denial of
Service condition. Furthermore, a remote attacker may be able to bypass
the Same Origin Policy or read the clipboard via unspecified vectors.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.356"
References
==========
[ 1 ] CVE-2014-0498
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0498
[ 2 ] CVE-2014-0499
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0499
[ 3 ] CVE-2014-0502
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0502
[ 4 ] CVE-2014-0503
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0503
[ 5 ] CVE-2014-0504
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0504
[ 6 ] CVE-2014-0506
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0506
[ 7 ] CVE-2014-0507
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0507
[ 8 ] CVE-2014-0508
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0508
[ 9 ] CVE-2014-0509
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0509
[ 10 ] CVE-2014-0515
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0515
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201405-04.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
[ GLSA 201405-05 ] Asterisk: Denial of Service
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201405-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Asterisk: Denial of Service
Date: May 03, 2014
Bugs: #504180
ID: 201405-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple buffer overflows in Asterisk might allow remote attackers to
cause a Denial of Service condition.
Background
==========
Asterisk is an open source telephony engine and toolkit.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-misc/asterisk < 11.8.1 *>= 1.8.26.1
>= 11.8.1
Description
===========
Multiple vulnerabilities have been discovered in Asterisk. Please
review the CVE identifiers and Asterisk Project Security Advisories
referenced below for details.
Impact
======
A remote attacker could possibly cause a Denial of Service condition.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Asterisk 11.* users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/asterisk-11.8.1"
All Asterisk 1.8.* users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/asterisk-1.8.26.1"
References
==========
[ 1 ] AST-2014-001
http://downloads.asterisk.org/pub/security/AST-2014-001.pdf
[ 2 ] AST-2014-002
http://downloads.asterisk.org/pub/security/AST-2014-002.pdf
[ 3 ] AST-2014-003
http://downloads.asterisk.org/pub/security/AST-2014-003.pdf
[ 4 ] AST-2014-004
http://downloads.asterisk.org/pub/security/AST-2014-004.pdf
[ 5 ] CVE-2014-2286
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2286
[ 6 ] CVE-2014-2287
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2287
[ 7 ] CVE-2014-2288
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2288
[ 8 ] CVE-2014-2289
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2289
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201405-05.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
