Gentoo 2495 Published by

The following updates have been released for Gentoo Linux:

[ GLSA 202405-16 ] Apache Commons BCEL: Remote Code Execution
[ GLSA 202405-15 ] Mozilla Firefox: Multiple Vulnerabilities
[ GLSA 202405-14 ] QtWebEngine: Multiple Vulnerabilities
[ GLSA 202405-13 ] borgmatic: Shell Injection
[ GLSA 202405-12 ] Pillow: Multiple Vulnerabilities
[ GLSA 202405-11 ] MIT krb5: Multiple Vulnerabilities
[ GLSA 202405-10 ] Setuptools: Denial of Service




[ GLSA 202405-16 ] Apache Commons BCEL: Remote Code Execution


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202405-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Apache Commons BCEL: Remote Code Execution
Date: May 05, 2024
Bugs: #880447
ID: 202405-16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in Apache Commons BCEL, which can
lead to remote code execution.

Background
==========

The Byte Code Engineering Library (Apache Commons BCEL:tm:) is intended to
give users a convenient way to analyze, create, and manipulate (binary)
Java class files (those ending with .class).

Affected packages
=================

Package Vulnerable Unaffected
------------- ------------ ------------
dev-java/bcel < 6.6.0 >= 6.6.0

Description
===========

A vulnerability has been discovered in U-Boot tools. Please review the
CVE identifier referenced below for details.

Impact
======

Please review the referenced CVE identifier for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Apache Commons BCEL users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-java/bcel-6.6.0"

References
==========

[ 1 ] CVE-2022-34169
https://nvd.nist.gov/vuln/detail/CVE-2022-34169
[ 2 ] CVE-2022-42920
https://nvd.nist.gov/vuln/detail/CVE-2022-42920

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202405-16

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



[ GLSA 202405-15 ] Mozilla Firefox: Multiple Vulnerabilities


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202405-15
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: Mozilla Firefox: Multiple Vulnerabilities
Date: May 05, 2024
Bugs: #925122
ID: 202405-15

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in Mozilla Firefox, the
worst of which can lead to remote code execution.

Background
==========

Mozilla Firefox is a popular open-source web browser from the Mozilla
project.

Affected packages
=================

Package Vulnerable Unaffected
---------------------- ------------- --------------
www-client/firefox < 115.8.0:esr >= 115.8.0:esr
>= 123.0:rapid
< 123.0 >= 123.0
www-client/firefox-bin < 115.8.0:esr >= 115.8.0:esr
>= 123.0:rapid
< 123.0 >= 123.0

Description
===========

Multiple vulnerabilities have been discovered in Mozilla Firefox. Please
review the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Mozilla Firefox rapid release users should upgrade to the latest
version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/firefox-bin-123.0"

All Mozilla Firefox users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/firefox-123.0"

All Mozilla Firefox ESR users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/firefox-bin-115.8.0:esr"

All Mozilla Firefox users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/firefox-115.8.0:esr"

References
==========

[ 1 ] CVE-2024-1546
https://nvd.nist.gov/vuln/detail/CVE-2024-1546
[ 2 ] CVE-2024-1547
https://nvd.nist.gov/vuln/detail/CVE-2024-1547
[ 3 ] CVE-2024-1548
https://nvd.nist.gov/vuln/detail/CVE-2024-1548
[ 4 ] CVE-2024-1549
https://nvd.nist.gov/vuln/detail/CVE-2024-1549
[ 5 ] CVE-2024-1550
https://nvd.nist.gov/vuln/detail/CVE-2024-1550
[ 6 ] CVE-2024-1551
https://nvd.nist.gov/vuln/detail/CVE-2024-1551
[ 7 ] CVE-2024-1552
https://nvd.nist.gov/vuln/detail/CVE-2024-1552
[ 8 ] CVE-2024-1553
https://nvd.nist.gov/vuln/detail/CVE-2024-1553
[ 9 ] CVE-2024-1554
https://nvd.nist.gov/vuln/detail/CVE-2024-1554
[ 10 ] CVE-2024-1555
https://nvd.nist.gov/vuln/detail/CVE-2024-1555
[ 11 ] CVE-2024-1556
https://nvd.nist.gov/vuln/detail/CVE-2024-1556
[ 12 ] CVE-2024-1557
https://nvd.nist.gov/vuln/detail/CVE-2024-1557

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202405-15

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



[ GLSA 202405-14 ] QtWebEngine: Multiple Vulnerabilities


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202405-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: QtWebEngine: Multiple Vulnerabilities
Date: May 05, 2024
Bugs: #927746
ID: 202405-14

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in QtWebEngine, the worst
of which could lead to remote code execution.

Background
==========

QtWebEngine is a library for rendering dynamic web content in Qt5 and
Qt6 C++ and QML applications.

Affected packages
=================

Package Vulnerable Unaffected
------------------ ------------------- --------------------
dev-qt/qtwebengine < 5.15.13_p20240322 >= 5.15.13_p20240322

Description
===========

Multiple vulnerabilities have been discovered in QtWebEngine. Please
review the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All QtWebEngine users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-qt/qtwebengine-5.15.13_p20240322"

References
==========

[ 1 ] CVE-2024-0804
https://nvd.nist.gov/vuln/detail/CVE-2024-0804
[ 2 ] CVE-2024-0805
https://nvd.nist.gov/vuln/detail/CVE-2024-0805
[ 3 ] CVE-2024-0806
https://nvd.nist.gov/vuln/detail/CVE-2024-0806
[ 4 ] CVE-2024-0807
https://nvd.nist.gov/vuln/detail/CVE-2024-0807
[ 5 ] CVE-2024-0808
https://nvd.nist.gov/vuln/detail/CVE-2024-0808
[ 6 ] CVE-2024-0809
https://nvd.nist.gov/vuln/detail/CVE-2024-0809
[ 7 ] CVE-2024-0810
https://nvd.nist.gov/vuln/detail/CVE-2024-0810
[ 8 ] CVE-2024-0811
https://nvd.nist.gov/vuln/detail/CVE-2024-0811
[ 9 ] CVE-2024-0812
https://nvd.nist.gov/vuln/detail/CVE-2024-0812
[ 10 ] CVE-2024-0813
https://nvd.nist.gov/vuln/detail/CVE-2024-0813
[ 11 ] CVE-2024-0814
https://nvd.nist.gov/vuln/detail/CVE-2024-0814
[ 12 ] CVE-2024-1059
https://nvd.nist.gov/vuln/detail/CVE-2024-1059
[ 13 ] CVE-2024-1060
https://nvd.nist.gov/vuln/detail/CVE-2024-1060
[ 14 ] CVE-2024-1077
https://nvd.nist.gov/vuln/detail/CVE-2024-1077
[ 15 ] CVE-2024-1283
https://nvd.nist.gov/vuln/detail/CVE-2024-1283
[ 16 ] CVE-2024-1284
https://nvd.nist.gov/vuln/detail/CVE-2024-1284

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202405-14

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



[ GLSA 202405-13 ] borgmatic: Shell Injection


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202405-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: borgmatic: Shell Injection
Date: May 05, 2024
Bugs: #924892
ID: 202405-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in borgmatic, which can lead to
shell injection.

Background
==========

borgmatic is simple, configuration-driven backup software for servers
and workstations.

Affected packages
=================

Package Vulnerable Unaffected
-------------------- ------------ ------------
app-backup/borgmatic < 1.8.8 >= 1.8.8

Description
===========

Prevent shell injection attacks within the PostgreSQL hook, the MongoDB
hook, the SQLite hook, the "borgmatic borg" action, and command hook
variable/constant interpolation.

Impact
======

Shell injection may be used in several borgmatic backends to execute
arbitrary code.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All borgmatic users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-backup/borgmatic-1.8.8"

References
==========

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202405-13

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



[ GLSA 202405-12 ] Pillow: Multiple Vulnerabilities


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202405-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: Pillow: Multiple Vulnerabilities
Date: May 05, 2024
Bugs: #889594, #903664, #916907, #922577
ID: 202405-12

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in Pillow, the worst of
which can lead to arbitrary code execution.

Background
==========

The friendly PIL fork.

Affected packages
=================

Package Vulnerable Unaffected
----------------- ------------ ------------
dev-python/pillow < 10.2.0 >= 10.2.0

Description
===========

Multiple vulnerabilities have been discovered in Pillow. Please review
the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Pillow users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-python/pillow-10.2.0"

References
==========

[ 1 ] CVE-2023-44271
https://nvd.nist.gov/vuln/detail/CVE-2023-44271
[ 2 ] CVE-2023-50447
https://nvd.nist.gov/vuln/detail/CVE-2023-50447

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202405-12

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



[ GLSA 202405-11 ] MIT krb5: Multiple Vulnerabilities


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202405-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: MIT krb5: Multiple Vulnerabilities
Date: May 05, 2024
Bugs: #803434, #809845, #879875, #917464
ID: 202405-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in MIT krb5, the worst of
which could lead to remote code execution.

Background
==========

MIT krb5 is the free implementation of the Kerberos network
authentication protocol by the Massachusetts Institute of Technology.

Affected packages
=================

Package Vulnerable Unaffected
------------------ ------------ ------------
app-crypt/mit-krb5 < 1.21.2 >= 1.21.2

Description
===========

Multiple vulnerabilities have been discovered in MIT krb5. Please review
the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All MIT krb5 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-crypt/mit-krb5-1.21.2"

References
==========

[ 1 ] CVE-2021-36222
https://nvd.nist.gov/vuln/detail/CVE-2021-36222
[ 2 ] CVE-2021-37750
https://nvd.nist.gov/vuln/detail/CVE-2021-37750
[ 3 ] CVE-2022-42898
https://nvd.nist.gov/vuln/detail/CVE-2022-42898
[ 4 ] CVE-2023-36054
https://nvd.nist.gov/vuln/detail/CVE-2023-36054
[ 5 ] CVE-2023-39975
https://nvd.nist.gov/vuln/detail/CVE-2023-39975

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202405-11

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



[ GLSA 202405-10 ] Setuptools: Denial of Service


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202405-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Setuptools: Denial of Service
Date: May 05, 2024
Bugs: #879813
ID: 202405-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in Setuptools, which can lead to
denial of service.

Background
==========

Setuptools is a manager for Python packages.

Affected packages
=================

Package Vulnerable Unaffected
--------------------- ------------ ------------
dev-python/setuptools < 65.5.1 >= 65.5.1

Description
===========

A vulnerability has been discovered in Setuptools. See the impact field.

Impact
======

An inefficiency in a regular expression may end in a denial of service
if an user is fetching malicious HTML from a package in PyPI or a custom
PackageIndex page.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Setuptools users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-python/setuptools-65.5.1"

References
==========

[ 1 ] CVE-2022-40897
https://nvd.nist.gov/vuln/detail/CVE-2022-40897

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202405-10

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5