Gentoo 2478 Published by

The following updates has been released for Gentoo Linux:

GLSA 201904-01 : Cairo: Denial of Service
GLSA 201904-02 : Libical: Multiple vulnerabilities
GLSA 201904-03 : Unbound: Multiple vulnerabilities
GLSA 201904-04 : Poppler: Multiple vulnerabilities
GLSA 201904-05 : BURP: Root privilege escalation
GLSA 201904-06 : GlusterFS: Multiple Vulnerabilities
GLSA 201904-07 : Mozilla Thunderbird and Firefox: Multiple vulnerabilities
GLSA 201904-08 : Subversion: Denial of Service



GLSA 201904-01 : Cairo: Denial of Service

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201904-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Cairo: Denial of Service
Date: April 02, 2019
Bugs: #596756, #625636, #672908
ID: 201904-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities were found in Cairo, the worst of which could
cause a Denial of Service condition.

Background
==========

Cairo is a 2D vector graphics library with cross-device output support.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 x11-libs/cairo < 1.16.0-r3 >= 1.16.0-r3

Description
===========

Multiple vulnerabilities have been discovered in Cairo. Please review
the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Cairo users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=x11-libs/cairo-1.16.0-r2"

References
==========

[ 1 ] CVE-2016-9082
https://nvd.nist.gov/vuln/detail/CVE-2016-9082
[ 2 ] CVE-2017-9814
https://nvd.nist.gov/vuln/detail/CVE-2017-9814

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201904-01

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2019 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



GLSA 201904-02 : Libical: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201904-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Libical: Multiple vulnerabilities
Date: April 02, 2019
Bugs: #587572, #587574
ID: 201904-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Libical, the worst of which
could result in a Denial of Service condition.

Background
==========

An Open Source implementation of the iCalendar protocols and protocol
data units.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-libs/libical < 3.0.0 >= 3.0.0

Description
===========

Multiple vulnerabilities have been discovered in Libical. Please review
the referenced CVE identifiers for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Libical users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/libical-3.0.0"

References
==========

[ 1 ] CVE-2016-5823
https://nvd.nist.gov/vuln/detail/CVE-2016-5823
[ 2 ] CVE-2016-5824
https://nvd.nist.gov/vuln/detail/CVE-2016-5824

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201904-02

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2019 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



GLSA 201904-03 : Unbound: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201904-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Unbound: Multiple vulnerabilities
Date: April 02, 2019
Bugs: #641042, #677054
ID: 201904-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Unbound, the worst of which
could lead to privilege escalation.

Background
==========

Unbound is a validating, recursive, and caching DNS resolver.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-dns/unbound < 1.8.3 >= 1.8.3

Description
===========

Multiple vulnerabilities have been discovered in Unbound. Please review
the referenced bugs for details.

Impact
======

Please review the referenced bugs for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Unbound users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-dns/unbound-1.8.3"

References
==========


Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201904-03

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2019 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



GLSA 201904-04 : Poppler: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201904-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Poppler: Multiple vulnerabilities
Date: April 02, 2019
Bugs: #659828, #670880
ID: 201904-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Poppler, the worst of which
could allow a Denial of Service.

Background
==========

Poppler is a PDF rendering library based on the xpdf-3.0 code base.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-text/poppler < 0.70.0 >= 0.70.0

Description
===========

Multiple vulnerabilities have been discovered in Poppler. Please review
the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Poppler users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/poppler-0.70.0"

References
==========

[ 1 ] CVE-2018-19149
https://nvd.nist.gov/vuln/detail/CVE-2018-19149

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201904-04

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2019 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



GLSA 201904-05 : BURP: Root privilege escalation

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201904-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: BURP: Root privilege escalation
Date: April 02, 2019
Bugs: #641842
ID: 201904-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability was discovered in Gentoo's ebuild for BURP which could
lead to root privilege escalation.

Background
==========

A network backup and restore program.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-backup/burp < 2.1.32-r1 >= 2.1.32-r1

Description
===========

It was discovered that Gentoo’s BURP ebuild does not properly set
permissions or place the pid file in a safe directory. Additionally,
the first set of patches did not completely address this. As such, a
revision has been made available that addresses all concerns of the
initial report.

Impact
======

A local attacker could escalate privileges.

Workaround
==========

Users should ensure the proper permissions are set as discussed in the
referenced bugs.

Resolution
==========

All BURP users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-backup/burp-2.1.32-r1"

References
==========

[ 1 ] CVE-2017-18285
https://nvd.nist.gov/vuln/detail/CVE-2017-18285

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201904-05

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2019 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



GLSA 201904-06 : GlusterFS: Multiple Vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201904-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: GlusterFS: Multiple Vulnerabilities
Date: April 02, 2019
Bugs: #653070, #658606, #664336, #670088
ID: 201904-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in GlusterFS, the worst of
which could result in the execution of arbitrary code.

Background
==========

A free and open source software scalable network filesystem.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 sys-cluster/glusterfs < 4.1.8 >= 4.1.8

Description
===========

Multiple vulnerabilities have been discovered in GlusterFS. Please
review the referenced CVE identifiers for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All GlusterFS users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-cluster/glusterfs-4.1.8"

References
==========

[ 1 ] CVE-2018-10841
https://nvd.nist.gov/vuln/detail/CVE-2018-10841
[ 2 ] CVE-2018-1088
https://nvd.nist.gov/vuln/detail/CVE-2018-1088
[ 3 ] CVE-2018-10904
https://nvd.nist.gov/vuln/detail/CVE-2018-10904
[ 4 ] CVE-2018-10907
https://nvd.nist.gov/vuln/detail/CVE-2018-10907
[ 5 ] CVE-2018-10911
https://nvd.nist.gov/vuln/detail/CVE-2018-10911
[ 6 ] CVE-2018-10913
https://nvd.nist.gov/vuln/detail/CVE-2018-10913
[ 7 ] CVE-2018-10914
https://nvd.nist.gov/vuln/detail/CVE-2018-10914
[ 8 ] CVE-2018-10923
https://nvd.nist.gov/vuln/detail/CVE-2018-10923
[ 9 ] CVE-2018-10924
https://nvd.nist.gov/vuln/detail/CVE-2018-10924
[ 10 ] CVE-2018-10926
https://nvd.nist.gov/vuln/detail/CVE-2018-10926
[ 11 ] CVE-2018-10927
https://nvd.nist.gov/vuln/detail/CVE-2018-10927
[ 12 ] CVE-2018-10928
https://nvd.nist.gov/vuln/detail/CVE-2018-10928
[ 13 ] CVE-2018-10929
https://nvd.nist.gov/vuln/detail/CVE-2018-10929
[ 14 ] CVE-2018-10930
https://nvd.nist.gov/vuln/detail/CVE-2018-10930
[ 15 ] CVE-2018-14651
https://nvd.nist.gov/vuln/detail/CVE-2018-14651
[ 16 ] CVE-2018-14652
https://nvd.nist.gov/vuln/detail/CVE-2018-14652
[ 17 ] CVE-2018-14653
https://nvd.nist.gov/vuln/detail/CVE-2018-14653
[ 18 ] CVE-2018-14654
https://nvd.nist.gov/vuln/detail/CVE-2018-14654
[ 19 ] CVE-2018-14659
https://nvd.nist.gov/vuln/detail/CVE-2018-14659
[ 20 ] CVE-2018-14660
https://nvd.nist.gov/vuln/detail/CVE-2018-14660
[ 21 ] CVE-2018-14661
https://nvd.nist.gov/vuln/detail/CVE-2018-14661

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201904-06

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2019 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



GLSA 201904-07 : Mozilla Thunderbird and Firefox: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201904-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Mozilla Thunderbird and Firefox: Multiple vulnerabilities
Date: April 02, 2019
Bugs: #676954, #678072, #681834, #681836
ID: 201904-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Mozilla Thunderbird and
Firefox, the worst of which could lead to the execution of arbitrary
code.

Background
==========

Mozilla Thunderbird is a popular open-source email client from the
Mozilla project.
Mozilla Firefox is a popular open-source web browser from the Mozilla
Project.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 mail-client/thunderbird < 60.6.1 >= 60.6.1
2 mail-client/thunderbird-bin
< 60.6.1 >= 60.6.1
3 www-client/firefox < 60.6.1 >= 60.6.1
4 www-client/firefox-bin < 60.6.1 >= 60.6.1
-------------------------------------------------------------------
4 affected packages

Description
===========

Multiple vulnerabilities have been discovered in Mozilla Thunderbird
and Firefox. Please review the referenced Mozilla Foundation Security
Advisories and CVE identifiers below for details.

Impact
======

Please review the referenced Mozilla Foundation Security Advisories and
CVE identifiers below for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Thunderbird users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=mail-client/thunderbird-60.6.1"

All Thunderbird bin users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot -v ">=mail-client/thunderbird-bin-60.6.1"

All Firefox users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/firefox-60.6.1"

All Firefox bin users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/firefox-bin-60.6.1"

References
==========

[ 1 ] CVE-2016-5824
https://nvd.nist.gov/vuln/detail/CVE-2016-5824
[ 2 ] CVE-2018-18335
https://nvd.nist.gov/vuln/detail/CVE-2018-18335
[ 3 ] CVE-2018-18356
https://nvd.nist.gov/vuln/detail/CVE-2018-18356
[ 4 ] CVE-2018-18500
https://nvd.nist.gov/vuln/detail/CVE-2018-18500
[ 5 ] CVE-2018-18501
https://nvd.nist.gov/vuln/detail/CVE-2018-18501
[ 6 ] CVE-2018-18505
https://nvd.nist.gov/vuln/detail/CVE-2018-18505
[ 7 ] CVE-2018-18506
https://nvd.nist.gov/vuln/detail/CVE-2018-18506
[ 8 ] CVE-2018-18509
https://nvd.nist.gov/vuln/detail/CVE-2018-18509
[ 9 ] CVE-2018-18512
https://nvd.nist.gov/vuln/detail/CVE-2018-18512
[ 10 ] CVE-2018-18513
https://nvd.nist.gov/vuln/detail/CVE-2018-18513
[ 11 ] CVE-2019-5785
https://nvd.nist.gov/vuln/detail/CVE-2019-5785
[ 12 ] CVE-2019-9788
https://nvd.nist.gov/vuln/detail/CVE-2019-9788
[ 13 ] CVE-2019-9790
https://nvd.nist.gov/vuln/detail/CVE-2019-9790
[ 14 ] CVE-2019-9791
https://nvd.nist.gov/vuln/detail/CVE-2019-9791
[ 15 ] CVE-2019-9792
https://nvd.nist.gov/vuln/detail/CVE-2019-9792
[ 16 ] CVE-2019-9793
https://nvd.nist.gov/vuln/detail/CVE-2019-9793
[ 17 ] CVE-2019-9795
https://nvd.nist.gov/vuln/detail/CVE-2019-9795
[ 18 ] CVE-2019-9796
https://nvd.nist.gov/vuln/detail/CVE-2019-9796
[ 19 ] CVE-2019-9810
https://nvd.nist.gov/vuln/detail/CVE-2019-9810
[ 20 ] CVE-2019-9813
https://nvd.nist.gov/vuln/detail/CVE-2019-9813

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201904-07

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2019 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



GLSA 201904-08 : Subversion: Denial of Service

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201904-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Subversion: Denial of Service
Date: April 02, 2019
Bugs: #676094
ID: 201904-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in Subversion could lead to a Denial of Service
condition.

Background
==========

Subversion is a version control system intended to eventually replace
CVS. Like CVS, it has an optional client-server architecture (where the
server can be an Apache server running mod_svn, or an ssh program as in
CVS’s :ext: method). In addition to supporting the features found in
CVS, Subversion also provides support for moving and copying files and
directories.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-vcs/subversion < 1.10.4 >= 1.10.4

Description
===========

A vulnerability was discovered in Subversion's mod_dav_svn, that could
lead to a Denial of Service Condition.

Impact
======

An attacker could cause a possible enial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Subversion users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-vcs/subversion-1.10.4"

References
==========

[ 1 ] CVE-2018-11803
https://nvd.nist.gov/vuln/detail/CVE-2018-11803

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201904-08

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2019 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5