
The following updates have been released for Gentoo Linux:

[ GLSA 201509-01 ] NTP: Multiple vulnerabilities
[ GLSA 201509-02 ] cURL: Multiple vulnerabilities
[ GLSA 201509-03 ] Cacti: Multiple vulnerabilities
[ GLSA 201509-04 ] libtasn1: Multiple vulnerabilities
[ GLSA 201509-05 ] NetworkManager: Denial of Service
[ GLSA 201509-06 ] Git: Arbitrary command execution
[ GLSA 201509-07 ] Adobe Flash Player: Multiple vulnerabilities



[ GLSA 201509-01 ] NTP: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201509-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: NTP: Multiple vulnerabilities
Date: September 24, 2015
Bugs: #545836, #553682
ID: 201509-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in NTP, the worst of which
could lead to arbitrary code execution.

Background
==========

NTP contains software for the Network Time Protocol.

Affected packages
=================

-------------------------------------------------------------------
   Package                 /   Vulnerable   /            Unaffected
-------------------------------------------------------------------
1  net-misc/ntp              < 4.2.8_p3                 >= 4.2.8_p3

Description
===========

Multiple vulnerabilities have been discovered in NTP. Please review the
CVE identifiers referenced below for details.

Impact
======

A remote attacker could possibly execute arbitrary code with the
privileges of the process, or cause a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All NTP users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/ntp-4.2.8_p3"

References
==========

[ 1 ] CVE-2015-1798
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1798
[ 2 ] CVE-2015-1799
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1799
[ 3 ] CVE-2015-5146
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5146

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201509-01

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[ GLSA 201509-02 ] cURL: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201509-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: cURL: Multiple vulnerabilities
Date: September 24, 2015
Bugs: #547376, #552618
ID: 201509-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in cURL, the worst of which
can allow remote attackers to cause a Denial of Service condition.

Background
==========

cURL is a tool and libcurl is a library for transferring data with URL
syntax.

Affected packages
=================

-------------------------------------------------------------------
   Package                 /   Vulnerable   /            Unaffected
-------------------------------------------------------------------
1  net-misc/curl             < 7.43.0                     >= 7.43.0

Description
===========

Multiple vulnerabilities have been discovered in cURL. Please review
the CVE identifiers referenced below for details.

Impact
======

A remote attacker could possibly obtain sensitive information, or cause
a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All cURL users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/curl-7.43.0"

References
==========

[ 1 ] CVE-2015-3143
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3143
[ 2 ] CVE-2015-3144
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3144
[ 3 ] CVE-2015-3145
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3145
[ 4 ] CVE-2015-3148
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3148
[ 5 ] CVE-2015-3236
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3236
[ 6 ] CVE-2015-3237
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3237

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201509-02





[ GLSA 201509-03 ] Cacti: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201509-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Cacti: Multiple vulnerabilities
Date: September 24, 2015
Bugs: #506356, #515108, #554758
ID: 201509-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Cacti, the worst of which
could lead to arbitrary code execution.

Background
==========

Cacti is a complete frontend to rrdtool.

Affected packages
=================

-------------------------------------------------------------------
   Package                 /   Vulnerable   /            Unaffected
-------------------------------------------------------------------
1  net-analyzer/cacti        < 0.8.8d                     >= 0.8.8d

Description
===========

Multiple vulnerabilities have been discovered in Cacti. Please review
the CVE identifiers referenced below for details.

Impact
======

A remote attacker could possibly execute arbitrary code with the
privileges of the process, or cause a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Cacti users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-analyzer/cacti-0.8.8d"

References
==========

[ 1 ] CVE-2014-2326
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2326
[ 2 ] CVE-2014-2327
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2327
[ 3 ] CVE-2014-2328
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2328
[ 4 ] CVE-2014-2708
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2708
[ 5 ] CVE-2014-2709
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2709
[ 6 ] CVE-2014-4002
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4002
[ 7 ] CVE-2014-5025
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5025
[ 8 ] CVE-2014-5026
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5026
[ 9 ] CVE-2015-2967
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2967

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201509-03





[ GLSA 201509-04 ] libtasn1: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201509-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: libtasn1: Multiple vulnerabilities
Date: September 24, 2015
Bugs: #544922, #548252
ID: 201509-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in libtasn1, the worst of
which could lead to arbitrary code execution.

Background
==========

libtasn1 is an ASN.1 library.

Affected packages
=================

-------------------------------------------------------------------
   Package                 /   Vulnerable   /            Unaffected
-------------------------------------------------------------------
1  dev-libs/libtasn1         < 1.4.5                       >= 1.4.5

Description
===========

Multiple vulnerabilities have been discovered in libtasn1. Please
review the CVE identifiers referenced below for details.

Impact
======

A remote attacker could possibly execute arbitrary code with the
privileges of the process, or cause a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All libtasn1 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/libtasn1-1.4.5"

References
==========

[ 1 ] CVE-2015-2806
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2806
[ 2 ] CVE-2015-3622
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3622

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201509-04





[ GLSA 201509-05 ] NetworkManager: Denial of Service

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201509-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: NetworkManager: Denial of Service
Date: September 24, 2015
Bugs: #545980
ID: 201509-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Improper handling of Router Advertisements in NetworkManager could
cause a Denial of Service condition in IPv6 network stacks.

Background
==========

NetworkManager is a universal network configuration daemon for
laptops, desktops, servers and virtualization hosts.

Affected packages
=================

-------------------------------------------------------------------
   Package                 /   Vulnerable   /            Unaffected
-------------------------------------------------------------------
1  net-misc/networkmanager   < 1.0.2                       >= 1.0.2

Description
===========

An IPv6 Neighbour Discovery ICMP broadcast containing a non-route with a
low hop limit causes a Denial of Service by lowering the hop limit on
existing IPv6 routes in NetworkManager.

Impact
======

A remote attacker on the same network segment could cause a Denial of
Service condition in NetworkManager.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All NetworkManager users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/networkmanager-1.0.2"

References
==========

[ 1 ] CVE-2015-2924
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2924

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201509-05





[ GLSA 201509-06 ] Git: Arbitrary command execution

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201509-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Git: Arbitrary command execution
Date: September 24, 2015
Bugs: #532984
ID: 201509-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

An attacker could execute arbitrary commands via Git repositories in a
case-insensitive or case-normalizing filesystem.

Background
==========

Git is a free and open source distributed version control system
designed to handle everything from small to very large projects with
speed and efficiency.

Affected packages
=================

-------------------------------------------------------------------
   Package                 /   Vulnerable   /            Unaffected
-------------------------------------------------------------------
1  dev-vcs/git               < 2.0.5                    *>= 1.8.5.6
                                                          *>= 1.9.5
                                                           >= 2.0.5

Description
===========

A vulnerability in Git causes Git-compatible clients that access
case-insensitive or case-normalizing filesystems to overwrite
.git/config when cloning or checking out a repository, leading to
execution of arbitrary commands.
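
The check below is an added example, not part of the Gentoo advisory or of Git's own code. It scans a list of tracked paths for any component that a case-insensitive or case-normalizing filesystem could map onto ".git". The function names, the NFKC-plus-casefold folding rule (a deliberately conservative approximation) and the sample listing are assumptions made for illustration.

```python
import unicodedata

# Name of Git's metadata directory; no tracked path component may resolve to it.
PROTECTED = ".git"


def fold(name: str) -> str:
    """Conservatively approximate a case-insensitive / case-normalizing
    filesystem: Unicode-normalize the name, then case-fold it.
    (Assumption: this folds at least as much as the real filesystem does.)"""
    return unicodedata.normalize("NFKC", name).casefold()


def flag_path(path: str) -> list:
    """Return the components of a tracked path that fold to '.git'."""
    return [part for part in path.split("/") if fold(part) == PROTECTED]


def scan_listing(listing: bytes) -> dict:
    """Scan a NUL-separated path listing, such as the output of
    `git ls-tree -r -z --name-only <rev>`, and map each suspicious
    path to the components that triggered the finding."""
    findings = {}
    for raw in listing.split(b"\0"):
        if not raw:
            continue
        path = raw.decode("utf-8", errors="surrogateescape")
        hits = flag_path(path)
        if hits:
            findings[path] = hits
    return findings


# Constructed sample listing (not taken from any real repository).
SAMPLE_LISTING = b"\0".join([
    b"README.md",
    b"src/main.c",
    b".GIT/config",                    # folds to .git/config
    b"docs/.Git/hooks/post-checkout",  # nested component folds to .git
    b".gitignore",                     # legitimate: not equal to .git
    b".github/workflows/ci.yml",       # legitimate: not equal to .git
]) + b"\0"

if __name__ == "__main__":
    for path, hits in scan_listing(SAMPLE_LISTING).items():
        print(f"suspicious path {path!r}: component(s) {hits} fold to {PROTECTED!r}")
```

A check like this suits a server-side hook or a mirror audit, where the listing can be inspected before any client checks the tree out.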

Impact
======

An attacker can execute arbitrary commands on a client machine that
clones a crafted malicious Git tree.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Git 1.8.x users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-vcs/git-1.8.5.6"

All Git 1.9.x users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-vcs/git-1.9.5"

All Git 2.0.x users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-vcs/git-2.0.5"

References
==========

[ 1 ] CVE-2014-9390
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9390

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201509-06





[ GLSA 201509-07 ] Adobe Flash Player: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201509-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Adobe Flash Player: Multiple vulnerabilities
Date: September 25, 2015
Bugs: #561076
ID: 201509-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Adobe Flash Player, the
worst of which allows remote attackers to execute arbitrary code.

Background
==========

The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.

Affected packages
=================

-------------------------------------------------------------------
   Package                 /   Vulnerable   /            Unaffected
-------------------------------------------------------------------
1  www-plugins/adobe-flash   < 11.2.202.521         >= 11.2.202.521

Description
===========

Multiple vulnerabilities have been discovered in Adobe Flash Player.
Please review the CVE identifiers referenced below for details.

Impact
======

A remote attacker could possibly execute arbitrary code with the
privileges of the process, cause a Denial of Service condition, obtain
sensitive information, or bypass security restrictions.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Adobe Flash Player users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.521"

References
==========

[ 1 ] CVE-2015-5567
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5567
[ 2 ] CVE-2015-5568
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5568
[ 3 ] CVE-2015-5570
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5570
[ 4 ] CVE-2015-5571
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5571
[ 5 ] CVE-2015-5572
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5572
[ 6 ] CVE-2015-5573
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5573
[ 7 ] CVE-2015-5574
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5574
[ 8 ] CVE-2015-5575
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5575
[ 9 ] CVE-2015-5576
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5576
[ 10 ] CVE-2015-5577
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5577
[ 11 ] CVE-2015-5578
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5578
[ 12 ] CVE-2015-5579
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5579
[ 13 ] CVE-2015-5580
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5580
[ 14 ] CVE-2015-5581
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5581
[ 15 ] CVE-2015-5582
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5582
[ 16 ] CVE-2015-5584
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5584
[ 17 ] CVE-2015-5587
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5587
[ 18 ] CVE-2015-5588
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5588
[ 19 ] CVE-2015-6676
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6676
[ 20 ] CVE-2015-6677
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6677
[ 21 ] CVE-2015-6678
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6678
[ 22 ] CVE-2015-6679
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6679
[ 23 ] CVE-2015-6680
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6680
[ 24 ] CVE-2015-6681
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6681
[ 25 ] CVE-2015-6682
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6682

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201509-07
