Gentoo 2478 Published by

The following updates for Gentoo Linux has been released:

[ GLSA 201502-03 ] BIND: Multiple Vulnerabilities
[ GLSA 201502-04 ] MediaWiki: Multiple vulnerabilities
[ GLSA 201502-05 ] tcpdump: Multiple vulnerabilities
[ GLSA 201502-06 ] nginx: Information disclosure
[ GLSA 201502-07 ] libevent: User-assisted execution of arbitrary code
[ GLSA 201502-08 ] Libav: Multiple vulnerabilities
[ GLSA 201502-09 ] Antiword: User-assisted execution of arbitrary code



[ GLSA 201502-03 ] BIND: Multiple Vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201502-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: BIND: Multiple Vulnerabilities
Date: February 07, 2015
Bugs: #531998
ID: 201502-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in BIND, allowing remote
attackers to cause a
denial of service condition.

Background
==========

BIND (Berkeley Internet Name Domain) is a Name Server.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-dns/bind < 9.10.1_p1 >= 9.10.1_p1

Description
===========

Multiple vulnerabilities have been discovered in BIND. Please review
the CVE identifiers referenced below for details.

Impact
======

A remote attacker can cause a denial of service condition by the lack
of GeoIP databases, or via a large or infinite number of referrals.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All bind users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-dns/bind-9.10.1_p1"

References
==========

[ 1 ] CVE-2014-3214
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3214
[ 2 ] CVE-2014-8500
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8500
[ 3 ] CVE-2014-8680
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8680

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201502-03.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5




[ GLSA 201502-04 ] MediaWiki: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201502-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: MediaWiki: Multiple vulnerabilities
Date: February 07, 2015
Bugs: #498064, #499632, #503012, #506018, #515138, #518608,
#523852, #524364, #532920
ID: 201502-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in MediaWiki, the worst of
which may allow remote attackers to execute arbitrary code.

Background
==========

MediaWiki is a collaborative editing software used by large projects
such as Wikipedia.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 www-apps/mediawiki < 1.23.8 >= 1.23.8
*>= 1.22.15
*>= 1.19.23

Description
===========

Multiple vulnerabilities have been discovered in MediaWiki. Please
review the CVE identifiers and MediaWiki announcement referenced below
for details.

Impact
======

A remote attacker may be able to execute arbitrary code with the
privileges of the process, create a Denial of Service condition, obtain
sensitive information, bypass security restrictions, and inject
arbitrary web script or HTML.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All MediaWiki 1.23 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/mediawiki-1.23.8"

All MediaWiki 1.22 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/mediawiki-1.22.15"

All MediaWiki 1.19 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/mediawiki-1.19.23"

References
==========

[ 1 ] CVE-2013-6451
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6451
[ 2 ] CVE-2013-6452
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6452
[ 3 ] CVE-2013-6453
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6453
[ 4 ] CVE-2013-6454
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6454
[ 5 ] CVE-2013-6472
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6472
[ 6 ] CVE-2014-1610
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1610
[ 7 ] CVE-2014-2242
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2242
[ 8 ] CVE-2014-2243
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2243
[ 9 ] CVE-2014-2244
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2244
[ 10 ] CVE-2014-2665
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2665
[ 11 ] CVE-2014-2853
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2853
[ 12 ] CVE-2014-5241
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5241
[ 13 ] CVE-2014-5242
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5242
[ 14 ] CVE-2014-5243
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5243
[ 15 ] CVE-2014-7199
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7199
[ 16 ] CVE-2014-7295
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7295
[ 17 ] CVE-2014-9276
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9276
[ 18 ] CVE-2014-9277
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9277
[ 19 ] CVE-2014-9475
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9475
[ 20 ] CVE-2014-9476
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9476
[ 21 ] CVE-2014-9477
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9477
[ 22 ] CVE-2014-9478
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9478
[ 23 ] CVE-2014-9479
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9479
[ 24 ] CVE-2014-9480
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9480
[ 25 ] CVE-2014-9481
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9481
[ 26 ] CVE-2014-9487
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9487
[ 27 ] CVE-2014-9507
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9507
[ 28 ] MediaWiki Security and Maintenance Releases: 1.19.17, 1.21.11,
1.22.8 and 1.23.1

https://lists.wikimedia.org/pipermail/mediawiki-announce/2014-June/000155.html

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201502-04.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5




[ GLSA 201502-05 ] tcpdump: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201502-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: tcpdump: Multiple vulnerabilities
Date: February 07, 2015
Bugs: #534660
ID: 201502-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities in tcpdump could result in execution of
arbitrary code or Denial of Service.

Background
==========

tcpdump is a tool for capturing and inspecting network traffic.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-analyzer/tcpdump < 4.6.2-r1 >= 4.6.2-r1

Description
===========

Multiple vulnerabilities have been discovered in tcpdump:

* The olsr_print function function contains an integer underflow error
(CVE-2014-8767)
* The geonet_print function function contains multiple integer
underflow errors (CVE-2014-8768)
* The decoder for the Ad hoc On-Demand Distance Vector protocol
contains an out-of-bounds memory access error (CVE-2014-8769)
* The ppp_hdlc function contains a buffer overflow error
(CVE-2014-9140)

Impact
======

A remote attacker may be able to send a specially crafted packet,
possibly resulting in execution of arbitrary code or a Denial of
Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All tcpdump users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-analyzer/tcpdump-4.6.2-r1"

References
==========

[ 1 ] CVE-2014-8767
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8767
[ 2 ] CVE-2014-8768
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8768
[ 3 ] CVE-2014-8769
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8769
[ 4 ] CVE-2014-9140
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9140

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201502-05.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



[ GLSA 201502-06 ] nginx: Information disclosure


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201502-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: nginx: Information disclosure
Date: February 07, 2015
Bugs: #522994
ID: 201502-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

An SSL session fixation vulnerability in nginx may allow remote
attackers to obtain sensitive information.

Background
==========

nginx is a robust, small, and high performance HTTP and reverse proxy
server.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 www-servers/nginx < 1.7.6 >= 1.7.6

Description
===========

An SSL session fixation vulnerability has been found in nginx when
multiple servers use the same shared ssl_session_cache or
ssl_session_ticket_key.

Impact
======

A remote attacker may be able to obtain sensitive information.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All nginx users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=www-servers/nginx-1.7.6"

References
==========

[ 1 ] CVE-2014-3616
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3616

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201502-06.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5




[ GLSA 201502-07 ] libevent: User-assisted execution of arbitrary code

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201502-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: libevent: User-assisted execution of arbitrary code
Date: February 07, 2015
Bugs: #535774
ID: 201502-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple integer overflow errors in libevent could result in execution
of arbitrary code or Denial of Service.

Background
==========

libevent is a library to execute a function when a specific event
occurs on a file descriptor.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-libs/libevent < 2.0.22 >= 2.0.22

Description
===========

Multiple integer overflow errors in libevent could cause a heap-based
buffer overflow.

Impact
======

A context-dependent attacker could cause an application linked against
libevent to pass an excessively long input through evbuffer, possibly
resulting in execution of arbitrary code with the privileges of the
process or a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All libevent users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/libevent-2.0.22"

References
==========

[ 1 ] CVE-2014-6272
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6272

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201502-07.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5




[ GLSA 201502-08 ] Libav: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201502-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Libav: Multiple vulnerabilities
Date: February 07, 2015
Bugs: #492582, #515234, #531832
ID: 201502-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Libav, allowing attackers
to execute arbitrary code or cause Denial of Service.

Background
==========

Libav is a complete solution to record, convert and stream audio and
video.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 media-video/libav < 9.17 >= 9.17

Description
===========

Multiple vulnerabilities have been discovered in Libav. Please review
the CVE identifiers referenced below for details.

Impact
======

A remote attacker could entice a user to open a specially crafted media
file in an application linked against Libav, possibly resulting in
execution of arbitrary code with the privileges of the application or a
Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Libav users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=media-video/libav-9.17"

References
==========

[ 1 ] CVE-2011-3934
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3934
[ 2 ] CVE-2011-3935
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3935
[ 3 ] CVE-2011-3946
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3946
[ 4 ] CVE-2013-0848
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0848
[ 5 ] CVE-2013-0851
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0851
[ 6 ] CVE-2013-0852
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0852
[ 7 ] CVE-2013-0860
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0860
[ 8 ] CVE-2013-0868
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0868
[ 9 ] CVE-2013-3672
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3672
[ 10 ] CVE-2013-3674
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3674
[ 11 ] CVE-2014-4609
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4609
[ 12 ] Libav News November 2, 2013
https://libav.org/news.html#0.8.9

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201502-08.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5




[ GLSA 201502-09 ] Antiword: User-assisted execution of arbitrary code

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201502-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Antiword: User-assisted execution of arbitrary code
Date: February 07, 2015
Bugs: #531404
ID: 201502-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A buffer overflow vulnerability in Antiword could result in execution
of arbitrary code or Denial of Service.

Background
==========

Antiword is a free MS Word reader.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-text/antiword < 0.37-r1 >= 0.37-r1

Description
===========

A buffer overflow vulnerability has been found in wordole.c in
Antiword.

Impact
======

A remote attacker could entice a user to open a specially crafted
document using Antiword, possibly resulting in execution of arbitrary
code with the privileges of the process or a Denial of Service
condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Antiword users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/antiword-0.37-r1"

References
==========

[ 1 ] CVE-2014-8123
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8123

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201502-09.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5