Gentoo 2513 Published by

The following security updates are available for Gentoo Linux:

[ GLSA 202408-13 ] Nokogiri: Denial of Service
[ GLSA 202408-05 ] Redis: Multiple Vulnerabilities
[ GLSA 202408-12 ] Bitcoin: Denial of Service
[ GLSA 202408-11 ] aiohttp: Multiple Vulnerabilities
[ GLSA 202408-10 ] nghttp2: Multiple Vulnerabilities
[ GLSA 202408-09 ] Cairo: Multiple Vulnerabilities
[ GLSA 202408-08 ] json-c: Buffer Overflow
[ GLSA 202408-07 ] Go: Multiple Vulnerabilities
[ GLSA 202408-06 ] PostgreSQL: Multiple Vulnerabilities
[ GLSA 202408-04 ] Levenshtein: Remote Code Execution




[ GLSA 202408-13 ] Nokogiri: Denial of Service


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202408-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Nokogiri: Denial of Service
Date: August 07, 2024
Bugs: #884863
ID: 202408-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in Nokogiri, which can lead to a
denial of service.

Background
==========

Nokogiri is an HTML, XML, SAX, and Reader parser.

Affected packages
=================

Package Vulnerable Unaffected
----------------- ------------ ------------
dev-ruby/nokogiri < 1.13.10 >= 1.13.10

Description
===========

A denial of service vulnerability has been discovered in Nokogiri.
Please review the CVE identifier referenced below for details.

Impact
======

Nokogiri fails to check the return value from `xmlTextReaderExpand` in
the method `Nokogiri::XML::Reader#attribute_hash`. This can lead to a
null pointer exception when invalid markup is being parsed. For
applications using `XML::Reader` to parse untrusted inputs, this may
potentially be a vector for a denial of service attack.

Workaround
==========

Users may be able to search their code for calls to either
`XML::Reader#attributes` or `XML::Reader#attribute_hash` to determine if
they are affected.

Resolution
==========

All Nokogiri users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-ruby/nokogiri-1.13.10"

References
==========

[ 1 ] CVE-2022-23476
https://nvd.nist.gov/vuln/detail/CVE-2022-23476

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202408-13

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



[ GLSA 202408-05 ] Redis: Multiple Vulnerabilities


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202408-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Redis: Multiple Vulnerabilities
Date: August 07, 2024
Bugs: #891169, #898464, #902501, #904486, #910191, #913741, #915989, #921662
ID: 202408-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in Redis, the worst of
which may lead to a denial of service or possible remote code execution.

Background
==========

Redis is an open source (BSD licensed), in-memory data structure store,
used as a database, cache and message broker.

Affected packages
=================

Package Vulnerable Unaffected
------------ ------------ ------------
dev-db/redis < 7.2.4 >= 7.2.4

Description
===========

Multiple vulnerabilities have been discovered in Redis. Please review
the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Redis users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/redis-7.2.4"

References
==========

[ 1 ] CVE-2022-24834
https://nvd.nist.gov/vuln/detail/CVE-2022-24834
[ 2 ] CVE-2022-35977
https://nvd.nist.gov/vuln/detail/CVE-2022-35977
[ 3 ] CVE-2022-36021
https://nvd.nist.gov/vuln/detail/CVE-2022-36021
[ 4 ] CVE-2023-22458
https://nvd.nist.gov/vuln/detail/CVE-2023-22458
[ 5 ] CVE-2023-25155
https://nvd.nist.gov/vuln/detail/CVE-2023-25155
[ 6 ] CVE-2023-28425
https://nvd.nist.gov/vuln/detail/CVE-2023-28425
[ 7 ] CVE-2023-28856
https://nvd.nist.gov/vuln/detail/CVE-2023-28856
[ 8 ] CVE-2023-36824
https://nvd.nist.gov/vuln/detail/CVE-2023-36824
[ 9 ] CVE-2023-41053
https://nvd.nist.gov/vuln/detail/CVE-2023-41053
[ 10 ] CVE-2023-41056
https://nvd.nist.gov/vuln/detail/CVE-2023-41056
[ 11 ] CVE-2023-45145
https://nvd.nist.gov/vuln/detail/CVE-2023-45145

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202408-05

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



[ GLSA 202408-12 ] Bitcoin: Denial of Service


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202408-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Bitcoin: Denial of Service
Date: August 07, 2024
Bugs: #908084
ID: 202408-12

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in Bitcoin, which can lead to a
denial of service.

Background
==========

Bitcoin Core consists of both "full-node" software for fully validating
the blockchain as well as a bitcoin wallet.

Affected packages
=================

Package Vulnerable Unaffected
---------------- ------------ ------------
net-p2p/bitcoind < 25.0 >= 25.0

Description
===========

Please review the CVE identifier referenced below for details.

Impact
======

Bitcoin Core, when debug mode is not used, allows attackers to cause a
denial of service (CPU consumption) because draining the inventory-to-
send queue is inefficient, as exploited in the wild in May 2023.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Bitcoin users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-p2p/bitcoind-25.0"

References
==========

[ 1 ] CVE-2023-33297
https://nvd.nist.gov/vuln/detail/CVE-2023-33297

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202408-12

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



[ GLSA 202408-11 ] aiohttp: Multiple Vulnerabilities


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202408-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: aiohttp: Multiple Vulnerabilities
Date: August 07, 2024
Bugs: #918541, #918968, #931097
ID: 202408-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in aiohttp, the worst of
which could lead to service compromise.

Background
==========

aiohttp is an asynchronous HTTP client/server framework for asyncio and
Python.

Affected packages
=================

Package Vulnerable Unaffected
------------------ ------------ ------------
dev-python/aiohttp < 3.9.4 >= 3.9.4

Description
===========

Multiple vulnerabilities have been discovered in aiohttp. Please review
the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All aiohttp users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-python/aiohttp-3.9.4"

References
==========

[ 1 ] CVE-2023-47641
https://nvd.nist.gov/vuln/detail/CVE-2023-47641
[ 2 ] CVE-2023-49082
https://nvd.nist.gov/vuln/detail/CVE-2023-49082
[ 3 ] CVE-2024-30251
https://nvd.nist.gov/vuln/detail/CVE-2024-30251

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202408-11

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



[ GLSA 202408-10 ] nghttp2: Multiple Vulnerabilities


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202408-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: nghttp2: Multiple Vulnerabilities
Date: August 07, 2024
Bugs: #915554, #928541
ID: 202408-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in nghttp2, the worst of
which could lead to a denial of service.

Background
==========

Nghttp2 is an implementation of HTTP/2 and its header compression
algorithm HPACK in C.

Affected packages
=================

Package Vulnerable Unaffected
---------------- ------------ ------------
net-libs/nghttp2 < 1.61.0 >= 1.61.0

Description
===========

Multiple vulnerabilities have been discovered in nghttp2. Please review
the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All nghttp2 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/nghttp2-1.61.0"

References
==========

[ 1 ] CVE-2023-44487
https://nvd.nist.gov/vuln/detail/CVE-2023-44487
[ 2 ] CVE-2024-28182
https://nvd.nist.gov/vuln/detail/CVE-2024-28182

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202408-10

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



[ GLSA 202408-09 ] Cairo: Multiple Vulnerabilities


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202408-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Cairo: Multiple Vulnerabilities
Date: August 07, 2024
Bugs: #717778
ID: 202408-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
=======
Multiple vulnerabilities have been discovered in Cairo, the worst of
which a denial of service.

Background
=========
Cairo is a 2D vector graphics library with cross-device output support.

Affected packages
================
Package Vulnerable Unaffected
-------------- ------------ ------------
x11-libs/cairo < 1.18.0 >= 1.18.0

Description
==========
Multiple vulnerabilities have been discovered in Cairo. Please review
the CVE identifiers referenced below for details.

Impact
=====
Please review the referenced CVE identifiers for details.

Workaround
=========
There is no known workaround at this time.

Resolution
=========
All Cairo users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=x11-libs/cairo-1.18.0"

References
=========
[ 1 ] CVE-2019-6461
https://nvd.nist.gov/vuln/detail/CVE-2019-6461
[ 2 ] CVE-2019-6462
https://nvd.nist.gov/vuln/detail/CVE-2019-6462

Availability
===========
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202408-09

Concerns?
========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
======
Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



[ GLSA 202408-08 ] json-c: Buffer Overflow


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202408-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: json-c: Buffer Overflow
Date: August 07, 2024
Bugs: #918555
ID: 202408-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in json-c, which can lead to a stack
buffer overflow.

Background
==========

json-c is a JSON implementation in C.

Affected packages
=================

Package Vulnerable Unaffected
--------------- ------------ ------------
dev-libs/json-c < 0.16 >= 0.16

Description
===========

Please review the CVE identifier referenced below for details.

Impact
======

A stack-buffer-overflow exists in the auxiliary sample program
json_parse which is located in the function parseit.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All json-c users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/json-c-0.16"

References
==========

[ 1 ] CVE-2021-32292
https://nvd.nist.gov/vuln/detail/CVE-2021-32292

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202408-08

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



[ GLSA 202408-07 ] Go: Multiple Vulnerabilities


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202408-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Go: Multiple Vulnerabilities
Date: August 07, 2024
Bugs: #906043, #919310, #926530, #928539, #931602
ID: 202408-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in Go, the worst of which
could lead to information leakage or a denial of service.

Background
==========

Go is an open source programming language that makes it easy to build
simple, reliable, and efficient software.

Affected packages
=================

Package Vulnerable Unaffected
----------- ------------ ------------
dev-lang/go < 1.22.3 >= 1.22.3

Description
===========

Multiple vulnerabilities have been discovered in Go. Please review the
CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Go users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/go-1.22.3"

Due to Go programs typically being statically compiled, Go users should
also recompile the reverse dependencies of the Go language to ensure
statically linked programs are remediated:

# emerge --ask --oneshot --verbose @golang-rebuild

References
==========

[ 1 ] CVE-2023-24539
https://nvd.nist.gov/vuln/detail/CVE-2023-24539
[ 2 ] CVE-2023-24540
https://nvd.nist.gov/vuln/detail/CVE-2023-24540
[ 3 ] CVE-2023-29400
https://nvd.nist.gov/vuln/detail/CVE-2023-29400
[ 4 ] CVE-2023-39326
https://nvd.nist.gov/vuln/detail/CVE-2023-39326
[ 5 ] CVE-2023-45283
https://nvd.nist.gov/vuln/detail/CVE-2023-45283
[ 6 ] CVE-2023-45285
https://nvd.nist.gov/vuln/detail/CVE-2023-45285
[ 7 ] CVE-2023-45288
https://nvd.nist.gov/vuln/detail/CVE-2023-45288
[ 8 ] CVE-2023-45289
https://nvd.nist.gov/vuln/detail/CVE-2023-45289
[ 9 ] CVE-2023-45290
https://nvd.nist.gov/vuln/detail/CVE-2023-45290
[ 10 ] CVE-2024-24783
https://nvd.nist.gov/vuln/detail/CVE-2024-24783
[ 11 ] CVE-2024-24784
https://nvd.nist.gov/vuln/detail/CVE-2024-24784
[ 12 ] CVE-2024-24785
https://nvd.nist.gov/vuln/detail/CVE-2024-24785
[ 13 ] CVE-2024-24788
https://nvd.nist.gov/vuln/detail/CVE-2024-24788

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202408-07

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



[ GLSA 202408-06 ] PostgreSQL: Multiple Vulnerabilities


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202408-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: PostgreSQL: Multiple Vulnerabilities
Date: August 07, 2024
Bugs: #903193, #912251, #917153, #924110, #931849
ID: 202408-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in PostgreSQL, the worst
of which could lead to privilege escalation or denial of service.

Background
==========

PostgreSQL is an open source object-relational database management
system.

Affected packages
=================

Package Vulnerable Unaffected
----------------- ------------- --------------
dev-db/postgresql < 12.19:12 >= 12.19:12
< 13.14:13 >= 13.14:13
< 14.12-r1:14 >= 14.12-r1:14
< 15.7-r1:15 >= 15.7-r1:15
< 16.3-r1:16 >= 16.3-r1:16
< 12 >= 12.19

Description
===========

Multiple vulnerabilities have been discovered in PostgreSQL. Please
review the CVE identifiers referenced below for details.

Impact
======

Please review the referenced CVE identifiers for details.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All PostgreSQL users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/postgresql-16.3-r1:16"

Or update an older slot if that is still in use.

References
==========

[ 1 ] CVE-2023-5868
https://nvd.nist.gov/vuln/detail/CVE-2023-5868
[ 2 ] CVE-2023-5869
https://nvd.nist.gov/vuln/detail/CVE-2023-5869
[ 3 ] CVE-2023-5870
https://nvd.nist.gov/vuln/detail/CVE-2023-5870
[ 4 ] CVE-2024-0985
https://nvd.nist.gov/vuln/detail/CVE-2024-0985
[ 5 ] CVE-2024-4317
https://nvd.nist.gov/vuln/detail/CVE-2024-4317

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202408-06

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5



[ GLSA 202408-04 ] Levenshtein: Remote Code Execution


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202408-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Levenshtein: Remote Code Execution
Date: August 07, 2024
Bugs: #766009
ID: 202408-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in Levenshtein, which could lead to
a remote code execution.

Background
==========

Levenshtein is a Python extension for computing string edit distances
and similarities.

Affected packages
=================

Package Vulnerable Unaffected
---------------------- ------------ ------------
dev-python/Levenshtein < 0.12.1 >= 0.12.1

Description
===========

Fixed handling of numerous possible wraparounds in calculating the size
of memory allocations; incorrect handling of which could cause denial of
service or even possible remote code execution.

Impact
======

Fixed handling of numerous possible wraparounds in calculating the size
of memory allocations; incorrect handling of which could cause denial of
service or even possible remote code execution.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Levenshtein users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-python/Levenshtein-0.12.1"

References
==========

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202408-04

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5