[ GLSA 202501-10 ] Mozilla Firefox: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202501-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: Mozilla Firefox: Multiple Vulnerabilities
Date: January 23, 2025
Bugs: #942469, #945050, #948113
ID: 202501-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been discovered in Mozilla Firefox, the
worst of which can lead to arbitrary code execution.
Background
==========
Mozilla Firefox is a popular open-source web browser from the Mozilla
project.
Affected packages
=================
Package                 Vulnerable      Unaffected
----------------------  -------------   --------------
www-client/firefox      < 128.6.0:esr   >= 128.6.0:esr
                        < 134.0:rapid   >= 134.0:rapid
www-client/firefox-bin  < 128.6.0:esr   >= 128.6.0:esr
                        < 134.0:rapid   >= 134.0:rapid
Description
===========
Multiple vulnerabilities have been discovered in Mozilla Firefox. Please
review the CVE identifiers referenced below for details.
Impact
======
Please review the referenced CVE identifiers for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Mozilla Firefox binary (www-client/firefox-bin) users should upgrade
to the latest version in their release channel:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/firefox-bin-134.0:rapid"
# emerge --ask --oneshot --verbose ">=www-client/firefox-bin-128.6.0:esr"
All Mozilla Firefox (www-client/firefox) users should upgrade to the
latest version in their release channel:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/firefox-134.0:rapid"
# emerge --ask --oneshot --verbose ">=www-client/firefox-128.6.0:esr"
References
==========
[ 1 ] CVE-2024-10458
https://nvd.nist.gov/vuln/detail/CVE-2024-10458
[ 2 ] CVE-2024-10459
https://nvd.nist.gov/vuln/detail/CVE-2024-10459
[ 3 ] CVE-2024-10460
https://nvd.nist.gov/vuln/detail/CVE-2024-10460
[ 4 ] CVE-2024-10461
https://nvd.nist.gov/vuln/detail/CVE-2024-10461
[ 5 ] CVE-2024-10462
https://nvd.nist.gov/vuln/detail/CVE-2024-10462
[ 6 ] CVE-2024-10463
https://nvd.nist.gov/vuln/detail/CVE-2024-10463
[ 7 ] CVE-2024-10464
https://nvd.nist.gov/vuln/detail/CVE-2024-10464
[ 8 ] CVE-2024-10465
https://nvd.nist.gov/vuln/detail/CVE-2024-10465
[ 9 ] CVE-2024-10466
https://nvd.nist.gov/vuln/detail/CVE-2024-10466
[ 10 ] CVE-2024-10467
https://nvd.nist.gov/vuln/detail/CVE-2024-10467
[ 11 ] CVE-2024-10468
https://nvd.nist.gov/vuln/detail/CVE-2024-10468
[ 12 ] CVE-2024-11692
https://nvd.nist.gov/vuln/detail/CVE-2024-11692
[ 13 ] CVE-2024-11694
https://nvd.nist.gov/vuln/detail/CVE-2024-11694
[ 14 ] CVE-2024-11695
https://nvd.nist.gov/vuln/detail/CVE-2024-11695
[ 15 ] CVE-2024-11696
https://nvd.nist.gov/vuln/detail/CVE-2024-11696
[ 16 ] CVE-2024-11697
https://nvd.nist.gov/vuln/detail/CVE-2024-11697
[ 17 ] CVE-2024-11699
https://nvd.nist.gov/vuln/detail/CVE-2024-11699
[ 18 ] CVE-2024-11700
https://nvd.nist.gov/vuln/detail/CVE-2024-11700
[ 19 ] CVE-2024-11701
https://nvd.nist.gov/vuln/detail/CVE-2024-11701
[ 20 ] CVE-2024-11704
https://nvd.nist.gov/vuln/detail/CVE-2024-11704
[ 21 ] CVE-2024-11705
https://nvd.nist.gov/vuln/detail/CVE-2024-11705
[ 22 ] CVE-2024-11706
https://nvd.nist.gov/vuln/detail/CVE-2024-11706
[ 23 ] CVE-2024-11708
https://nvd.nist.gov/vuln/detail/CVE-2024-11708
[ 24 ] CVE-2025-0237
https://nvd.nist.gov/vuln/detail/CVE-2025-0237
[ 25 ] CVE-2025-0238
https://nvd.nist.gov/vuln/detail/CVE-2025-0238
[ 26 ] CVE-2025-0239
https://nvd.nist.gov/vuln/detail/CVE-2025-0239
[ 27 ] CVE-2025-0240
https://nvd.nist.gov/vuln/detail/CVE-2025-0240
[ 28 ] CVE-2025-0241
https://nvd.nist.gov/vuln/detail/CVE-2025-0241
[ 29 ] CVE-2025-0242
https://nvd.nist.gov/vuln/detail/CVE-2025-0242
[ 30 ] CVE-2025-0243
https://nvd.nist.gov/vuln/detail/CVE-2025-0243
[ 31 ] CVE-2025-0247
https://nvd.nist.gov/vuln/detail/CVE-2025-0247
[ 32 ] MFSA2024-55
[ 33 ] MFSA2024-56
[ 34 ] MFSA2024-57
[ 35 ] MFSA2024-58
[ 36 ] MFSA2024-59
[ 37 ] MFSA2024-63
[ 38 ] MFSA2024-64
[ 39 ] MFSA2024-65
[ 40 ] MFSA2024-67
[ 41 ] MFSA2024-68
[ 42 ] MFSA2025-01
[ 43 ] MFSA2025-02
[ 44 ] MFSA2025-05
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/202501-10
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2025 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5
[ GLSA 202501-09 ] QtWebEngine: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202501-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: QtWebEngine: Multiple Vulnerabilities
Date: January 23, 2025
Bugs: #944807
ID: 202501-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been discovered in QtWebEngine, the worst
of which could lead to arbitrary code execution.
Background
==========
QtWebEngine is a library for rendering dynamic web content in Qt5 and
Qt6 C++ and QML applications.
Affected packages
=================
Package             Vulnerable            Unaffected
------------------  --------------------  ----------------------
dev-qt/qtwebengine  < 5.15.16_p20241115   >= 5.15.16_p20241115
Description
===========
Multiple vulnerabilities have been discovered in QtWebEngine. Please
review the CVE identifiers referenced below for details.
Impact
======
Please review the referenced CVE identifiers for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All QtWebEngine users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-qt/qtwebengine-5.15.16_p20241115"
References
==========
[ 1 ] CVE-2024-4058
https://nvd.nist.gov/vuln/detail/CVE-2024-4058
[ 2 ] CVE-2024-4059
https://nvd.nist.gov/vuln/detail/CVE-2024-4059
[ 3 ] CVE-2024-4060
https://nvd.nist.gov/vuln/detail/CVE-2024-4060
[ 4 ] CVE-2024-4558
https://nvd.nist.gov/vuln/detail/CVE-2024-4558
[ 5 ] CVE-2024-4559
https://nvd.nist.gov/vuln/detail/CVE-2024-4559
[ 6 ] CVE-2024-4761
https://nvd.nist.gov/vuln/detail/CVE-2024-4761
[ 7 ] CVE-2024-5157
https://nvd.nist.gov/vuln/detail/CVE-2024-5157
[ 8 ] CVE-2024-5158
https://nvd.nist.gov/vuln/detail/CVE-2024-5158
[ 9 ] CVE-2024-5159
https://nvd.nist.gov/vuln/detail/CVE-2024-5159
[ 10 ] CVE-2024-5160
https://nvd.nist.gov/vuln/detail/CVE-2024-5160
[ 11 ] CVE-2024-5830
https://nvd.nist.gov/vuln/detail/CVE-2024-5830
[ 12 ] CVE-2024-5831
https://nvd.nist.gov/vuln/detail/CVE-2024-5831
[ 13 ] CVE-2024-5832
https://nvd.nist.gov/vuln/detail/CVE-2024-5832
[ 14 ] CVE-2024-5833
https://nvd.nist.gov/vuln/detail/CVE-2024-5833
[ 15 ] CVE-2024-5834
https://nvd.nist.gov/vuln/detail/CVE-2024-5834
[ 16 ] CVE-2024-5835
https://nvd.nist.gov/vuln/detail/CVE-2024-5835
[ 17 ] CVE-2024-5836
https://nvd.nist.gov/vuln/detail/CVE-2024-5836
[ 18 ] CVE-2024-5837
https://nvd.nist.gov/vuln/detail/CVE-2024-5837
[ 19 ] CVE-2024-5838
https://nvd.nist.gov/vuln/detail/CVE-2024-5838
[ 20 ] CVE-2024-5839
https://nvd.nist.gov/vuln/detail/CVE-2024-5839
[ 21 ] CVE-2024-5840
https://nvd.nist.gov/vuln/detail/CVE-2024-5840
[ 22 ] CVE-2024-5841
https://nvd.nist.gov/vuln/detail/CVE-2024-5841
[ 23 ] CVE-2024-5842
https://nvd.nist.gov/vuln/detail/CVE-2024-5842
[ 24 ] CVE-2024-5843
https://nvd.nist.gov/vuln/detail/CVE-2024-5843
[ 25 ] CVE-2024-5844
https://nvd.nist.gov/vuln/detail/CVE-2024-5844
[ 26 ] CVE-2024-5845
https://nvd.nist.gov/vuln/detail/CVE-2024-5845
[ 27 ] CVE-2024-5846
https://nvd.nist.gov/vuln/detail/CVE-2024-5846
[ 28 ] CVE-2024-5847
https://nvd.nist.gov/vuln/detail/CVE-2024-5847
[ 29 ] CVE-2024-6290
https://nvd.nist.gov/vuln/detail/CVE-2024-6290
[ 30 ] CVE-2024-6291
https://nvd.nist.gov/vuln/detail/CVE-2024-6291
[ 31 ] CVE-2024-6292
https://nvd.nist.gov/vuln/detail/CVE-2024-6292
[ 32 ] CVE-2024-6293
https://nvd.nist.gov/vuln/detail/CVE-2024-6293
[ 33 ] CVE-2024-6988
https://nvd.nist.gov/vuln/detail/CVE-2024-6988
[ 34 ] CVE-2024-6989
https://nvd.nist.gov/vuln/detail/CVE-2024-6989
[ 35 ] CVE-2024-6991
https://nvd.nist.gov/vuln/detail/CVE-2024-6991
[ 36 ] CVE-2024-6994
https://nvd.nist.gov/vuln/detail/CVE-2024-6994
[ 37 ] CVE-2024-6995
https://nvd.nist.gov/vuln/detail/CVE-2024-6995
[ 38 ] CVE-2024-6996
https://nvd.nist.gov/vuln/detail/CVE-2024-6996
[ 39 ] CVE-2024-6997
https://nvd.nist.gov/vuln/detail/CVE-2024-6997
[ 40 ] CVE-2024-6998
https://nvd.nist.gov/vuln/detail/CVE-2024-6998
[ 41 ] CVE-2024-6999
https://nvd.nist.gov/vuln/detail/CVE-2024-6999
[ 42 ] CVE-2024-7000
https://nvd.nist.gov/vuln/detail/CVE-2024-7000
[ 43 ] CVE-2024-7001
https://nvd.nist.gov/vuln/detail/CVE-2024-7001
[ 44 ] CVE-2024-7003
https://nvd.nist.gov/vuln/detail/CVE-2024-7003
[ 45 ] CVE-2024-7004
https://nvd.nist.gov/vuln/detail/CVE-2024-7004
[ 46 ] CVE-2024-7005
https://nvd.nist.gov/vuln/detail/CVE-2024-7005
[ 47 ] CVE-2024-7532
https://nvd.nist.gov/vuln/detail/CVE-2024-7532
[ 48 ] CVE-2024-7533
https://nvd.nist.gov/vuln/detail/CVE-2024-7533
[ 49 ] CVE-2024-7534
https://nvd.nist.gov/vuln/detail/CVE-2024-7534
[ 50 ] CVE-2024-7535
https://nvd.nist.gov/vuln/detail/CVE-2024-7535
[ 51 ] CVE-2024-7536
https://nvd.nist.gov/vuln/detail/CVE-2024-7536
[ 52 ] CVE-2024-7550
https://nvd.nist.gov/vuln/detail/CVE-2024-7550
[ 53 ] CVE-2024-7964
https://nvd.nist.gov/vuln/detail/CVE-2024-7964
[ 54 ] CVE-2024-7965
https://nvd.nist.gov/vuln/detail/CVE-2024-7965
[ 55 ] CVE-2024-7966
https://nvd.nist.gov/vuln/detail/CVE-2024-7966
[ 56 ] CVE-2024-7967
https://nvd.nist.gov/vuln/detail/CVE-2024-7967
[ 57 ] CVE-2024-7968
https://nvd.nist.gov/vuln/detail/CVE-2024-7968
[ 58 ] CVE-2024-7969
https://nvd.nist.gov/vuln/detail/CVE-2024-7969
[ 59 ] CVE-2024-7971
https://nvd.nist.gov/vuln/detail/CVE-2024-7971
[ 60 ] CVE-2024-7972
https://nvd.nist.gov/vuln/detail/CVE-2024-7972
[ 61 ] CVE-2024-7973
https://nvd.nist.gov/vuln/detail/CVE-2024-7973
[ 62 ] CVE-2024-7974
https://nvd.nist.gov/vuln/detail/CVE-2024-7974
[ 63 ] CVE-2024-7975
https://nvd.nist.gov/vuln/detail/CVE-2024-7975
[ 64 ] CVE-2024-7976
https://nvd.nist.gov/vuln/detail/CVE-2024-7976
[ 65 ] CVE-2024-7977
https://nvd.nist.gov/vuln/detail/CVE-2024-7977
[ 66 ] CVE-2024-7978
https://nvd.nist.gov/vuln/detail/CVE-2024-7978
[ 67 ] CVE-2024-7979
https://nvd.nist.gov/vuln/detail/CVE-2024-7979
[ 68 ] CVE-2024-7980
https://nvd.nist.gov/vuln/detail/CVE-2024-7980
[ 69 ] CVE-2024-7981
https://nvd.nist.gov/vuln/detail/CVE-2024-7981
[ 70 ] CVE-2024-8033
https://nvd.nist.gov/vuln/detail/CVE-2024-8033
[ 71 ] CVE-2024-8034
https://nvd.nist.gov/vuln/detail/CVE-2024-8034
[ 72 ] CVE-2024-8035
https://nvd.nist.gov/vuln/detail/CVE-2024-8035
[ 73 ] CVE-2024-8193
https://nvd.nist.gov/vuln/detail/CVE-2024-8193
[ 74 ] CVE-2024-8194
https://nvd.nist.gov/vuln/detail/CVE-2024-8194
[ 75 ] CVE-2024-8198
https://nvd.nist.gov/vuln/detail/CVE-2024-8198
[ 76 ] CVE-2024-8636
https://nvd.nist.gov/vuln/detail/CVE-2024-8636
[ 77 ] CVE-2024-8637
https://nvd.nist.gov/vuln/detail/CVE-2024-8637
[ 78 ] CVE-2024-8638
https://nvd.nist.gov/vuln/detail/CVE-2024-8638
[ 79 ] CVE-2024-8639
https://nvd.nist.gov/vuln/detail/CVE-2024-8639
[ 80 ] CVE-2024-9120
https://nvd.nist.gov/vuln/detail/CVE-2024-9120
[ 81 ] CVE-2024-9121
https://nvd.nist.gov/vuln/detail/CVE-2024-9121
[ 82 ] CVE-2024-9122
https://nvd.nist.gov/vuln/detail/CVE-2024-9122
[ 83 ] CVE-2024-9123
https://nvd.nist.gov/vuln/detail/CVE-2024-9123
[ 84 ] CVE-2024-9602
https://nvd.nist.gov/vuln/detail/CVE-2024-9602
[ 85 ] CVE-2024-9603
https://nvd.nist.gov/vuln/detail/CVE-2024-9603
[ 86 ] CVE-2024-10229
https://nvd.nist.gov/vuln/detail/CVE-2024-10229
[ 87 ] CVE-2024-10230
https://nvd.nist.gov/vuln/detail/CVE-2024-10230
[ 88 ] CVE-2024-10231
https://nvd.nist.gov/vuln/detail/CVE-2024-10231
[ 89 ] CVE-2024-10826
https://nvd.nist.gov/vuln/detail/CVE-2024-10826
[ 90 ] CVE-2024-10827
https://nvd.nist.gov/vuln/detail/CVE-2024-10827
[ 91 ] CVE-2024-45490
https://nvd.nist.gov/vuln/detail/CVE-2024-45490
[ 92 ] CVE-2024-45491
https://nvd.nist.gov/vuln/detail/CVE-2024-45491
[ 93 ] CVE-2024-45492
https://nvd.nist.gov/vuln/detail/CVE-2024-45492
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/202501-09
[ GLSA 202501-08 ] Qt: Buffer Overflow
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202501-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Qt: Buffer Overflow
Date: January 23, 2025
Bugs: #911790
ID: 202501-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
A vulnerability has been discovered in Qt, where a buffer overflow can
lead to denial of service.
Background
==========
Qt is a cross-platform application development framework.
Affected packages
=================
Package        Vulnerable     Unaffected
-------------  -------------  --------------
dev-qt/qtbase  < 6.5.2        >= 6.5.2
dev-qt/qtcore  < 5.15.10-r1   >= 5.15.10-r1
Description
===========
When given specially crafted data, QXmlStreamReader can cause a buffer
overflow and subsequently crash, freeze, or run out of memory on
recursive entity expansion with DTD tokens in the XML body.
Impact
======
Please review the referenced CVE identifiers for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Qt users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-qt/qtcore-5.15.10-r1"
# emerge --ask --oneshot --verbose ">=dev-qt/qtbase-6.5.2"
References
==========
[ 1 ] CVE-2023-37369
https://nvd.nist.gov/vuln/detail/CVE-2023-37369
[ 2 ] CVE-2023-38197
https://nvd.nist.gov/vuln/detail/CVE-2023-38197
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/202501-08
[ GLSA 202501-07 ] libgsf: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202501-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: libgsf: Multiple Vulnerabilities
Date: January 23, 2025
Bugs: #940777
ID: 202501-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been discovered in libgsf, the worst of
which can lead to arbitrary code execution.
Background
==========
The GNOME Structured File Library is an I/O library that can read and
write common file types and handle structured formats that provide
file-system-in-a-file semantics.
Affected packages
=================
Package             Vulnerable   Unaffected
------------------  -----------  -----------
gnome-extra/libgsf  < 1.14.53    >= 1.14.53
Description
===========
Multiple vulnerabilities have been discovered in libgsf. Please review
the CVE identifiers referenced below for details.
Impact
======
Please review the referenced CVE identifiers for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All libgsf users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=gnome-extra/libgsf-1.14.53"
References
==========
[ 1 ] CVE-2024-36474
https://nvd.nist.gov/vuln/detail/CVE-2024-36474
[ 2 ] CVE-2024-42415
https://nvd.nist.gov/vuln/detail/CVE-2024-42415
[ 3 ] TALOS-2024-2068
[ 4 ] TALOS-2024-2069
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/202501-07
[ GLSA 202501-06 ] GPL Ghostscript: Multiple Vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202501-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: GPL Ghostscript: Multiple Vulnerabilities
Date: January 23, 2025
Bugs: #942639
ID: 202501-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been discovered in GPL Ghostscript, the
worst of which could lead to arbitrary code execution.
Background
==========
Ghostscript is an interpreter for the PostScript language and for PDF.
Affected packages
=================
Package                   Vulnerable   Unaffected
------------------------  -----------  -----------
app-text/ghostscript-gpl  < 10.04.0    >= 10.04.0
Description
===========
Multiple vulnerabilities have been discovered in GPL Ghostscript. Please
review the CVE identifiers referenced below for details.
Impact
======
Please review the referenced CVE identifiers for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All GPL Ghostscript users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/ghostscript-gpl-10.04.0"
References
==========
[ 1 ] CVE-2024-46951
https://nvd.nist.gov/vuln/detail/CVE-2024-46951
[ 2 ] CVE-2024-46952
https://nvd.nist.gov/vuln/detail/CVE-2024-46952
[ 3 ] CVE-2024-46953
https://nvd.nist.gov/vuln/detail/CVE-2024-46953
[ 4 ] CVE-2024-46954
https://nvd.nist.gov/vuln/detail/CVE-2024-46954
[ 5 ] CVE-2024-46955
https://nvd.nist.gov/vuln/detail/CVE-2024-46955
[ 6 ] CVE-2024-46956
https://nvd.nist.gov/vuln/detail/CVE-2024-46956
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/202501-06
[ GLSA 202501-05 ] libuv: Hostname Truncation
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202501-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: libuv: Hostname Truncation
Date: January 23, 2025
Bugs: #924127
ID: 202501-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
A vulnerability has been discovered in libuv, where hostname truncation
can lead to attacker-controlled lookups.
Background
==========
libuv is a multi-platform support library with a focus on asynchronous
I/O.
Affected packages
=================
Package         Vulnerable   Unaffected
--------------  -----------  -----------
dev-libs/libuv  < 1.48.0     >= 1.48.0
Description
===========
Multiple vulnerabilities have been discovered in libuv. Please review
the CVE identifiers referenced below for details.
Impact
======
The uv_getaddrinfo function in src/unix/getaddrinfo.c truncates
hostnames to 256 characters before calling getaddrinfo. This behavior
can be exploited to create addresses like 0x00007f000001, which are
considered valid by getaddrinfo and could allow an attacker to craft
payloads that resolve to unintended IP addresses, bypassing developer
checks.
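Added example, not part of the advisory and not libuv's code or its fix: a C check that a caller can apply to the exact string it hands to a resolver, rejecting any name that would not fit the 256-character buffer the advisory describes instead of silently truncating it. The buffer size, the RFC 1035 length limits, the function names and the sample names are assumptions made here.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed limits (not libuv's code): RFC 1035 caps a full name at 255
 * octets and a label at 63; RESOLVER_BUF mirrors the 256-character buffer
 * the advisory describes. Any name that passes check_hostname() fits. */
#define MAX_NAME_LEN  255
#define MAX_LABEL_LEN 63
#define RESOLVER_BUF  256

enum host_check { HOST_OK = 0, HOST_EMPTY, HOST_TOO_LONG,
                  HOST_BAD_LABEL, HOST_BAD_CHAR };

/* Validate a hostname before it reaches any resolver: reject anything that
 * would be truncated and anything that is not a syntactically valid DNS
 * name. Returns HOST_OK or the first problem found. */
enum host_check check_hostname(const char *name)
{
    size_t total = strlen(name);
    if (total == 0)
        return HOST_EMPTY;
    if (total > MAX_NAME_LEN)
        return HOST_TOO_LONG;            /* would not survive the copy intact */

    size_t label = 0;
    for (size_t i = 0; i < total; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '.') {
            if (label == 0)
                return HOST_BAD_LABEL;   /* leading dot or empty label */
            label = 0;
            continue;
        }
        if (!isalnum(c) && c != '-')
            return HOST_BAD_CHAR;        /* spaces, control bytes, etc. */
        if (c == '-' && label == 0)
            return HOST_BAD_LABEL;       /* a label may not start with '-' */
        if (++label > MAX_LABEL_LEN)
            return HOST_BAD_LABEL;
    }
    return HOST_OK;
}

/* The weak pattern: copy into the fixed buffer and silently drop the tail.
 * Returns 1 when the resolver would see a different name than the one the
 * caller validated, which is exactly the gap the advisory describes. */
int truncation_would_alter(const char *name)
{
    char buf[RESOLVER_BUF];
    strncpy(buf, name, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    return strcmp(buf, name) != 0;
}

/* The hardened pattern: validate first, then copy only if the whole name
 * fits. Returns 0 on success, -1 if rejected (dst is left untouched). */
int copy_for_resolver(char dst[RESOLVER_BUF], const char *name)
{
    if (check_hostname(name) != HOST_OK)
        return -1;
    memcpy(dst, name, strlen(name) + 1);  /* at most 255 bytes plus NUL */
    return 0;
}

/* Constructed sample input: one label of n copies of 'a' (static buffer). */
const char *sample_name(size_t n)
{
    static char buf[512];
    if (n > sizeof buf - 1)
        n = sizeof buf - 1;
    memset(buf, 'a', n);
    buf[n] = '\0';
    return buf;
}

int main(void)
{
    char dst[RESOLVER_BUF];
    printf("example.com: copy=%d\n", copy_for_resolver(dst, "example.com"));
    printf("300 x 'a': check=%d truncation_alters=%d\n",
           check_hostname(sample_name(300)),
           truncation_would_alter(sample_name(300)));
    return 0;
}
```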
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All libuv users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/libuv-1.48.0"
References
==========
[ 1 ] CVE-2024-24806
https://nvd.nist.gov/vuln/detail/CVE-2024-24806
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/202501-05
[ GLSA 202501-04 ] Yubico pam-u2f: Partial Authentication Bypass
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202501-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: Yubico pam-u2f: Partial Authentication Bypass
Date: January 23, 2025
Bugs: #948201
ID: 202501-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
A vulnerability has been discovered in Yubico pam-u2f, which can lead to
a partial authentication bypass.
Background
==========
Yubico pam-u2f is a PAM module for FIDO2 and U2F keys.
Affected packages
=================
Package           Vulnerable   Unaffected
----------------  -----------  -----------
sys-auth/pam_u2f  < 1.3.2      >= 1.3.2
Description
===========
Multiple vulnerabilities have been discovered in Yubico pam-u2f. Please
review the CVE identifiers referenced below for details.
Impact
======
Depending on specific settings and usage scenarios the result of the
pam-u2f module may be altered or ignored.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Yubico pam-u2f users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-auth/pam_u2f-1.3.2"
References
==========
[ 1 ] CVE-2025-23013
https://nvd.nist.gov/vuln/detail/CVE-2025-23013
[ 2 ] YSA-2025-01
https://www.yubico.com/support/security-advisories/YSA-2025-01
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/202501-04