Gentoo 2478 Published by

The following updates has been released for Gentoo Linux:

GLSA 201710-01 : RubyGems: Multiple vulnerabilities
GLSA 201710-02 : file: Stack-based buffer overflow
GLSA 201710-03 : ICU: Multiple vulnerabilities
GLSA 201710-04 : sudo: Privilege escalation
GLSA 201710-05 : Munin: Arbitrary file write
GLSA 201710-06 : PostgreSQL: Multiple vulnerabilities
GLSA 201710-07 : OCaml: Privilege escalation
GLSA 201710-08 : Pacemaker: Multiple vulnerabilities
GLSA 201710-09 : PCRE2: Multiple vulnerabilities



GLSA 201710-01 : RubyGems: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201710-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: RubyGems: Multiple vulnerabilities
Date: October 08, 2017
Bugs: #629230
ID: 201710-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities were found in RubyGems, the worst of which
allows execution of arbitrary code.

Background
==========

RubyGems is a sophisticated package manager for Ruby.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-ruby/rubygems < 2.6.13 >= 2.6.13

Description
===========

Multiple vulnerabilities have been discovered in RubyGems. Please
review the referenced CVE identifiers for details.

Impact
======

A remote attacker, by enticing a user to install a specially crafted
gem, could possibly execute arbitrary code with the privileges of the
process or cause a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All RubyGems users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-ruby/rubygems-2.6.13"

References
==========

[ 1 ] CVE-2017-0899
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-0899
[ 2 ] CVE-2017-0900
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-0900
[ 3 ] CVE-2017-0901
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-0901
[ 4 ] CVE-2017-0902
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-0902

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201710-01

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5


GLSA 201710-02 : file: Stack-based buffer overflow

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201710-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: file: Stack-based buffer overflow
Date: October 08, 2017
Bugs: #629872
ID: 201710-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A stack-based buffer overflow was found in file, possibly resulting in
the execution of arbitrary code.

Background
==========

file is a utility that guesses a file format by scanning binary data
for patterns.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 sys-apps/file < 5.32 >= 5.32

Description
===========

An issue discovered in file allows attackers to write 20 bytes to the
stack buffer via a specially crafted .notes section.

Impact
======

A remote attacker, by using a specially crafted .notes section in an
ELF binary, could execute arbitrary code or cause a Denial of Service
condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All file users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-apps/file-5.32"

References
==========

[ 1 ] CVE-2017-1000249
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1000249

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201710-02

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5


GLSA 201710-03 : ICU: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201710-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: ICU: Multiple vulnerabilities
Date: October 08, 2017
Bugs: #616468
ID: 201710-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in ICU, the worst of which
could allow remote code execution.

Background
==========

ICU is a mature, widely used set of C/C++ and Java libraries providing
Unicode and Globalization support for software applications.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-libs/icu < 58.2-r1 >= 58.2-r1

Description
===========

Multiple vulnerabilities have been discovered in ICU. Please review the
referenced CVE identifiers for details.

Impact
======

A remote attacker could possibly execute arbitrary code with the
privileges of the process or cause a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All ICU users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/icu-58.2-r1"

Packages which depend on this library may need to be recompiled. Tools
such as revdep-rebuild may assist in identifying some of these
packages.

References
==========

[ 1 ] CVE-2017-7867
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7867
[ 2 ] CVE-2017-7868
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7868

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201710-03

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5


GLSA 201710-04 : sudo: Privilege escalation

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201710-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: sudo: Privilege escalation
Date: October 08, 2017
Bugs: #620482
ID: 201710-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in sudo allows local users to gain root privileges.

Background
==========

sudo (su “do”) allows a system administrator to delegate authority to
give certain users (or groups of users) the ability to run some (or
all) commands as root or another user while providing an audit trail of
the commands and their arguments.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-admin/sudo < 1.8.20_p2 >= 1.8.20_p2

Description
===========

The fix present in app-admin/sudo-1.8.20_p1 (GLSA 201705-15) was
incomplete as it did not address the problem of a command with a
newline in the name.

Impact
======

A local attacker could execute arbitrary code with root privileges.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All sudo users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-admin/sudo-1.8.20_p2"

References
==========

[ 1 ] CVE-2017-1000368
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1000368
[ 2 ] GLSA 201705-15
https://security.gentoo.org/glsa/201705-15

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201710-04

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5


GLSA 201710-05 : Munin: Arbitrary file write

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201710-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Munin: Arbitrary file write
Date: October 08, 2017
Bugs: #610602
ID: 201710-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in Munin allows local attackers to overwrite any file
accessible to the www-data user.

Background
==========

Munin is an open source server monitoring tool.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-analyzer/munin < 2.0.33 >= 2.0.33

Description
===========

When Munin is compiled with CGI graphics enabled then the files
accessible to the www-data user can be overwritten.

Impact
======

A local attacker, by setting multiple upper_limit GET parameters, could
overwrite files accessible to the www-user.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Munin users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-analyzer/munin-2.0.33"

References
==========

[ 1 ] CVE-2017-6188
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6188

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201710-05

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5


GLSA 201710-06 : PostgreSQL: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201710-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: PostgreSQL: Multiple vulnerabilities
Date: October 08, 2017
Bugs: #618462, #627462
ID: 201710-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in PostgreSQL, the worst of
which could result in privilege escalation.

Background
==========

PostgreSQL is an open source object-relational database management
system.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-db/postgresql < 9.6.4 >= 9.6.4:9.6
>= 9.5.8:9.5
>= 9.4.13:9.4
>= 9.3.18:9.3
>= 9.2.22:9.2

Description
===========

Multiple vulnerabilities have been discovered in PostgreSQL. Please
review the referenced CVE identifiers for details.

Impact
======

A remote attacker could escalate privileges, cause a Denial of Service
condition, obtain passwords, cause a loss in information, or obtain
sensitive information.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All PostgreSQL 9.6.x users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.6.4"

All PostgreSQL 9.5.x users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.5.8"

All PostgreSQL 9.4.x users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.4.13"

All PostgreSQL 9.3.x users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.3.18"

All PostgreSQL 9.2.x users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/postgresql-9.2.22"

References
==========

[ 1 ] CVE-2017-7484
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7484
[ 2 ] CVE-2017-7485
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7485
[ 3 ] CVE-2017-7486
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7486
[ 4 ] CVE-2017-7546
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7546
[ 5 ] CVE-2017-7547
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7547
[ 6 ] CVE-2017-7548
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7548

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201710-06

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5


GLSA 201710-07 : OCaml: Privilege escalation

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201710-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: OCaml: Privilege escalation
Date: October 08, 2017
Bugs: #622544
ID: 201710-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in OCaml may allow local users to gain root privileges.

Background
==========

OCaml is a high-level, strongly-typed, functional, and object-oriented
programming language from the ML family of languages.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-lang/ocaml < 4.04.2 >= 4.04.2

Description
===========

A bad sanitization of environment variables: CAML_CPLUGINS,
CAML_NATIVE_CPLUGINS and CAML_BYTE_CPLUGINS in the OCaml compiler
allows the execution of raised privileges via external code.

Impact
======

A local attacker, by using specially crafted environment variables,
could possibly escalate privileges to the root group.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All OCaml users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/ocaml-4.04.2"

References
==========

[ 1 ] CVE-2017-9772
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9772

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201710-07

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5


GLSA 201710-08 : Pacemaker: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201710-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Pacemaker: Multiple vulnerabilities
Date: October 08, 2017
Bugs: #546550, #599194
ID: 201710-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Pacemaker, the worst of
which could result in the execution of arbitrary code.

Background
==========

Pacemaker is an Open Source, High Availability resource manager
suitable for both small and large clusters.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 sys-cluster/pacemaker < 1.1.16 >= 1.1.16

Description
===========

Multiple vulnerabilities have been discovered in Pacemaker. Please
review the referenced CVE identifiers for details.

Impact
======

A remote attacker could execute arbitrary code or a local attacker
could escalate privileges.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Pacemaker users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-cluster/pacemaker-1.1.16 "

References
==========

[ 1 ] CVE-2015-1867
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1867
[ 2 ] CVE-2016-7035
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7035

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201710-08

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5


GLSA 201710-09 : PCRE2: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201710-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: PCRE2: Multiple vulnerabilities
Date: October 08, 2017
Bugs: #614050, #617942, #617944
ID: 201710-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in PCRE2, the worst of which
may allow remote attackers to execute arbitrary code.

Background
==========

PCRE2 is a project based on PCRE (Perl Compatible Regular Expressions)
which has a new and revised API.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-libs/libpcre2 < 10.30 >= 10.30

Description
===========

Multiple vulnerabilities have been discovered in PCRE2. Please review
the referenced CVE identifiers for details.

Impact
======

A remote attacker could possibly execute arbitrary code with the
privileges of the process, cause a Denial of Service condition, or have
other unspecified impacts.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All PCRE2 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/libpcre2-10.30"

Packages which depend on this library may need to be recompiled. Tools
such as revdep-rebuild may assist in identifying some of these
packages.

References
==========

[ 1 ] CVE-2017-7186
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7186
[ 2 ] CVE-2017-8399
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8399
[ 3 ] CVE-2017-8786
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8786

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201710-09

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5