The following updates have been released for Gentoo Linux:

GLSA 201804-03 : Poppler: Multiple vulnerabilities
GLSA 201804-04 : cURL: Multiple vulnerabilities
GLSA 201804-05 : ISC DHCP: Multiple vulnerabilities
GLSA 201804-06 : mailx: Multiple vulnerabilities
GLSA 201804-07 : libvirt: Multiple vulnerabilities
GLSA 201804-08 : QEMU: Multiple vulnerabilities
GLSA 201804-09 : SPICE VDAgent: Arbitrary command injection



GLSA 201804-03 : Poppler: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201804-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Poppler: Multiple vulnerabilities
Date: April 08, 2018
Bugs: #644388, #645868
ID: 201804-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Poppler, the worst of which
could allow a Denial of Service.

Background
==========

Poppler is a PDF rendering library based on the xpdf-3.0 code base.

Affected packages
=================

-------------------------------------------------------------------
 Package                      /    Vulnerable    /       Unaffected
-------------------------------------------------------------------
1  app-text/poppler                 < 0.61.1            >= 0.61.1

Description
===========

Multiple vulnerabilities have been discovered in Poppler. Please review
the CVE identifiers referenced below for details.

Impact
======

A remote attacker, by enticing a user to open a specially crafted PDF,
could cause a Denial of Service condition or have other unspecified
impacts.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Poppler users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/poppler-0.61.1"

References
==========

[ 1 ] CVE-2017-1000456
https://nvd.nist.gov/vuln/detail/CVE-2017-1000456
[ 2 ] CVE-2017-14975
https://nvd.nist.gov/vuln/detail/CVE-2017-14975
[ 3 ] CVE-2017-14976
https://nvd.nist.gov/vuln/detail/CVE-2017-14976
[ 4 ] CVE-2017-14977
https://nvd.nist.gov/vuln/detail/CVE-2017-14977

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201804-03

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2018 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



GLSA 201804-04 : cURL: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201804-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: cURL: Multiple vulnerabilities
Date: April 08, 2018
Bugs: #645698, #650056
ID: 201804-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in cURL, the worst of which
could result in a Denial of Service condition.

Background
==========

cURL is a command line tool and library for transferring data with URLs.

Affected packages
=================

-------------------------------------------------------------------
 Package                      /    Vulnerable    /       Unaffected
-------------------------------------------------------------------
1  net-misc/curl                    < 7.59.0            >= 7.59.0

Description
===========

Multiple vulnerabilities have been discovered in cURL. Please review
the CVE identifiers referenced below for details.

Impact
======

Remote attackers could cause a Denial of Service condition, obtain
sensitive information, or have other unspecified impacts.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All cURL users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/curl-7.59.0"

References
==========

[ 1 ] CVE-2018-1000005
https://nvd.nist.gov/vuln/detail/CVE-2018-1000005
[ 2 ] CVE-2018-1000007
https://nvd.nist.gov/vuln/detail/CVE-2018-1000007
[ 3 ] CVE-2018-1000120
https://nvd.nist.gov/vuln/detail/CVE-2018-1000120
[ 4 ] CVE-2018-1000121
https://nvd.nist.gov/vuln/detail/CVE-2018-1000121
[ 5 ] CVE-2018-1000122
https://nvd.nist.gov/vuln/detail/CVE-2018-1000122

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201804-04




GLSA 201804-05 : ISC DHCP: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201804-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: ISC DHCP: Multiple vulnerabilities
Date: April 08, 2018
Bugs: #644708, #649010
ID: 201804-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in ISC DHCP, the worst of
which could allow for the remote execution of arbitrary code.

Background
==========

ISC DHCP is a Dynamic Host Configuration Protocol (DHCP) client/server.

Affected packages
=================

-------------------------------------------------------------------
 Package                      /    Vulnerable    /       Unaffected
-------------------------------------------------------------------
1  net-misc/dhcp                    < 4.3.6_p1          >= 4.3.6_p1

Description
===========

Multiple vulnerabilities have been discovered in ISC DHCP. Please
review the CVE identifiers referenced below for details.

Impact
======

Remote attackers could execute arbitrary code, cause a Denial of
Service condition, or have other unspecified impacts.

Workaround
==========

There are no known workarounds at this time for CVE-2018-5732 or
CVE-2018-5733.

In accordance with upstream documentation, the recommended workaround
for CVE-2017-3144 is, "to disallow access to the OMAPI control port
from unauthorized clients (in accordance with best practices for server
operation)."

Resolution
==========

All DHCP users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/dhcp-4.3.6_p1"

References
==========

[ 1 ] CVE-2017-3144
https://nvd.nist.gov/vuln/detail/CVE-2017-3144
[ 2 ] CVE-2018-5732
https://nvd.nist.gov/vuln/detail/CVE-2018-5732
[ 3 ] CVE-2018-5733
https://nvd.nist.gov/vuln/detail/CVE-2018-5733

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201804-05




GLSA 201804-06 : mailx: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201804-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: mailx: Multiple vulnerabilities
Date: April 08, 2018
Bugs: #533208
ID: 201804-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities were discovered in mailx, the worst of which
may allow a remote attacker to execute arbitrary commands.

Background
==========

mailx is a utility program for sending and receiving mail, also known as
a Mail User Agent.

Affected packages
=================

-------------------------------------------------------------------
 Package                      /    Vulnerable    /       Unaffected
-------------------------------------------------------------------
1  mail-client/mailx          < 8.1.2.20160123      >= 8.1.2.20160123

Description
===========

Multiple vulnerabilities have been discovered in mailx. Please review
the CVE identifiers referenced below for details.

Impact
======

A remote attacker could execute arbitrary commands.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All mailx users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot -v ">=mail-client/mailx-8.1.2.20160123"

References
==========

[ 1 ] CVE-2004-2771
https://nvd.nist.gov/vuln/detail/CVE-2004-2771
[ 2 ] CVE-2014-7844
https://nvd.nist.gov/vuln/detail/CVE-2014-7844

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201804-06




GLSA 201804-07 : libvirt: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201804-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: libvirt: Multiple vulnerabilities
Date: April 08, 2018
Bugs: #647338, #650018
ID: 201804-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in libvirt, the worst of
which may result in the execution of arbitrary commands.

Background
==========

libvirt is a C toolkit for manipulating virtual machines.

Affected packages
=================

-------------------------------------------------------------------
 Package                      /    Vulnerable    /       Unaffected
-------------------------------------------------------------------
1  app-emulation/libvirt            < 4.1.0             >= 4.1.0

Description
===========

Multiple vulnerabilities have been discovered in libvirt. Please review
the CVE identifiers referenced below for details.

Impact
======

A local privileged attacker could execute arbitrary commands or cause a
Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All libvirt users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-emulation/libvirt-4.1.0"

References
==========

[ 1 ] CVE-2018-5748
https://nvd.nist.gov/vuln/detail/CVE-2018-5748
[ 2 ] CVE-2018-6764
https://nvd.nist.gov/vuln/detail/CVE-2018-6764

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201804-07




GLSA 201804-08 : QEMU: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201804-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: QEMU: Multiple vulnerabilities
Date: April 08, 2018
Bugs: #629348, #638506, #643432, #646814, #649616
ID: 201804-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in QEMU, the worst of which
may allow an attacker to execute arbitrary code.

Background
==========

QEMU is a generic and open source machine emulator and virtualizer.

Affected packages
=================

-------------------------------------------------------------------
 Package                      /    Vulnerable    /       Unaffected
-------------------------------------------------------------------
1  app-emulation/qemu               < 2.11.1-r1         >= 2.11.1-r1

Description
===========

Multiple vulnerabilities have been discovered in QEMU. Please review
the CVE identifiers referenced below for details.

Impact
======

An attacker could execute arbitrary code, cause a Denial of Service
condition, or obtain sensitive information.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All QEMU users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-emulation/qemu-2.11.1-r1"

References
==========

[ 1 ] CVE-2017-13672
https://nvd.nist.gov/vuln/detail/CVE-2017-13672
[ 2 ] CVE-2017-15124
https://nvd.nist.gov/vuln/detail/CVE-2017-15124
[ 3 ] CVE-2017-16845
https://nvd.nist.gov/vuln/detail/CVE-2017-16845
[ 4 ] CVE-2017-17381
https://nvd.nist.gov/vuln/detail/CVE-2017-17381
[ 5 ] CVE-2017-18030
https://nvd.nist.gov/vuln/detail/CVE-2017-18030
[ 6 ] CVE-2017-18043
https://nvd.nist.gov/vuln/detail/CVE-2017-18043
[ 7 ] CVE-2017-5715
https://nvd.nist.gov/vuln/detail/CVE-2017-5715
[ 8 ] CVE-2018-5683
https://nvd.nist.gov/vuln/detail/CVE-2018-5683
[ 9 ] CVE-2018-5748
https://nvd.nist.gov/vuln/detail/CVE-2018-5748
[ 10 ] CVE-2018-7550
https://nvd.nist.gov/vuln/detail/CVE-2018-7550

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201804-08




GLSA 201804-09 : SPICE VDAgent: Arbitrary command injection

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201804-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: SPICE VDAgent: Arbitrary command injection
Date: April 08, 2018
Bugs: #650020
ID: 201804-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in SPICE VDAgent could allow local attackers to execute
arbitrary commands.

Background
==========

SPICE provides a complete open source solution for remote access to
virtual machines in a seamless way, so you can play videos, record
audio, share USB devices and share folders without complications.

Affected packages
=================

-------------------------------------------------------------------
 Package                      /    Vulnerable    /       Unaffected
-------------------------------------------------------------------
1  app-emulation/spice-vdagent
                            < 0.17.0_p20180319    >= 0.17.0_p20180319

Description
===========

SPICE VDAgent does not properly escape the save directory before passing
it to the shell.

Impact
======

A local attacker could execute arbitrary commands.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All SPICE VDAgent users should upgrade to the latest version:

# emerge --sync
# emerge -a -1 -v ">=app-emulation/spice-vdagent-0.17.0_p20180319"
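
As an added example that is not part of the advisories and is not Gentoo's own glsa-check tool, the Python checker below parses the "Package / Vulnerable / Unaffected" rows from the seven advisories above and tests a constructed inventory of installed versions against them. The version ordering is a simplified form of Portage's (a _p1 suffix or -r1 revision sorts above the bare version), and the installed versions are made up.

```python
"""Check a host's package versions against the GLSA rows above (added illustration, not glsa-check)."""
import re
# Affected-package rows transcribed from GLSA 201804-03 .. 201804-09.
GLSA_ROWS = """
201804-03 app-text/poppler < 0.61.1 >= 0.61.1
201804-04 net-misc/curl < 7.59.0 >= 7.59.0
201804-05 net-misc/dhcp < 4.3.6_p1 >= 4.3.6_p1
201804-06 mail-client/mailx < 8.1.2.20160123 >= 8.1.2.20160123
201804-07 app-emulation/libvirt < 4.1.0 >= 4.1.0
201804-08 app-emulation/qemu < 2.11.1-r1 >= 2.11.1-r1
201804-09 app-emulation/spice-vdagent < 0.17.0_p20180319 >= 0.17.0_p20180319
"""

# Constructed sample inventory (not real data); the comments give the expected verdict.
INSTALLED = {
    "app-text/poppler": "0.61.1",              # equals the unaffected bound: fixed
    "net-misc/curl": "7.58.0",                 # below 7.59.0: vulnerable
    "net-misc/dhcp": "4.3.6",                  # 4.3.6 sorts below 4.3.6_p1: vulnerable
    "app-emulation/qemu": "2.11.1",            # revision 0 sorts below -r1: vulnerable
    "app-emulation/spice-vdagent": "0.17.0_p20180319",  # fixed
}

# Simplified Gentoo version grammar: dotted numbers, optional letter, _alpha.._p suffix, -rN revision.
SUFFIX_RANK = {"alpha": -4, "beta": -3, "pre": -2, "rc": -1, "": 0, "p": 1}
VERSION_RE = re.compile(
    r"^(?P<num>\d+(?:\.\d+)*)(?P<letter>[a-z])?"
    r"(?:_(?P<suffix>alpha|beta|pre|rc|p)(?P<sufnum>\d*))?(?:-r(?P<rev>\d+))?$"
)
ROW_RE = re.compile(r"^(\S+)\s+([\w+-]+/[\w+-]+)\s+<\s+(\S+)\s+>=\s+(\S+)$")

def parse_version(ver):
    """Return a tuple that orders like Portage for the cases above."""
    m = VERSION_RE.match(ver)
    if not m:
        raise ValueError(f"unsupported version string: {ver!r}")
    nums = tuple(int(x) for x in m["num"].split("."))
    sufnum = int(m["sufnum"]) if m["sufnum"] else 0
    rev = int(m["rev"]) if m["rev"] else 0
    return (nums, m["letter"] or "", SUFFIX_RANK[m["suffix"] or ""], sufnum, rev)

def parse_rows(text):
    """Parse 'glsa package < vulnerable >= unaffected' rows into 4-tuples."""
    return [ROW_RE.match(line.strip()).groups() for line in text.strip().splitlines()]

def affected(installed, rows):
    """Return (glsa, pkg, installed_version, fixed_version) for each still-vulnerable install."""
    hits = []
    for glsa, pkg, vuln_bound, fixed in rows:
        if pkg in installed and parse_version(installed[pkg]) < parse_version(vuln_bound):
            hits.append((glsa, pkg, installed[pkg], fixed))
    return hits

if __name__ == "__main__":
    for glsa, pkg, ver, fixed in affected(INSTALLED, parse_rows(GLSA_ROWS)):
        print(f"GLSA {glsa}: {pkg}-{ver} installed, upgrade to >={pkg}-{fixed}")
```

The printed `>=category/package-version` atom is exactly the argument form the emerge commands in each Resolution section take.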

References
==========

[ 1 ] CVE-2017-15108
https://nvd.nist.gov/vuln/detail/CVE-2017-15108

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201804-09
