containerd is a daemon with an API and a command line client for managing containers on one machine. It uses runc to run containers according to the OCI specification.
Multiple vulnerabilities have been discovered in containerd. Please review the referenced CVE identifiers for details.
There is no known workaround at this time.
All containerd users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-containers/containerd-1.6.19"

Mozilla Firefox is a popular open-source web browser from the Mozilla project.
Multiple vulnerabilities have been discovered in Mozilla Firefox. Please review the referenced CVE identifiers for details.
There is no known workaround at this time.
All Mozilla Firefox binary users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-127.0:rapid"

All Mozilla Firefox users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-client/firefox-127.0:rapid"

All Mozilla Firefox ESR users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-client/firefox-115.12.0:esr"

All Mozilla Firefox ESR binary users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-115.12.0:esr"

The X PixMap image format is an extension of the monochrome X BitMap format specified in the X protocol, and is commonly used in traditional X applications.
Multiple vulnerabilities have been discovered in libXpm. Please review the referenced CVE identifiers for details.
There is no known workaround at this time.
All libXpm users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=x11-libs/libXpm-3.5.17"

Levenshtein is a Python extension for computing string edit distances and similarities.
Numerous possible integer wraparounds in the calculation of memory allocation sizes have been fixed. Mishandling of these sizes could cause a denial of service or possibly remote code execution.
There is no known workaround at this time.
All Levenshtein users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-python/Levenshtein-0.12.1"

Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache and message broker.
Multiple vulnerabilities have been discovered in Redis. Please review the referenced CVE identifiers for details.
There is no known workaround at this time.
All Redis users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-db/redis-7.2.4"

PostgreSQL is an open source object-relational database management system.
Multiple vulnerabilities have been discovered in PostgreSQL. Please review the referenced CVE identifiers for details.
There is no known workaround at this time.
All PostgreSQL users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-db/postgresql-16.3-r1:16"

Or update an older slot if that is still in use.

Go is an open source programming language that makes it easy to build simple, reliable, and efficient software.
Multiple vulnerabilities have been discovered in Go. Please review the referenced CVE identifiers for details.
There is no known workaround at this time.
All Go users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-lang/go-1.22.3"

Because Go programs are typically statically linked, upgrading the toolchain alone does not fix binaries that were already built. Go users should also rebuild the reverse dependencies of the Go language so that statically linked programs are remediated:

  # emerge --ask --oneshot --verbose @golang-rebuild

json-c is a JSON implementation in C.
A stack buffer overflow exists in the auxiliary sample program json_parse, in the function parseit. Please review the referenced CVE identifier for details.
There is no known workaround at this time.
All json-c users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-libs/json-c-0.16"

Cairo is a 2D vector graphics library with cross-device output support.
Multiple vulnerabilities have been discovered in Cairo. Please review the referenced CVE identifiers for details.
There is no known workaround at this time.
All Cairo users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=x11-libs/cairo-1.18.0"

nghttp2 is an implementation of HTTP/2 and its header compression algorithm HPACK in C.
Multiple vulnerabilities have been discovered in nghttp2. Please review the referenced CVE identifiers for details.
There is no known workaround at this time.
All nghttp2 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-libs/nghttp2-1.61.0"

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python.
Multiple vulnerabilities have been discovered in aiohttp. Please review the referenced CVE identifiers for details.
There is no known workaround at this time.
All aiohttp users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-python/aiohttp-3.9.4"

Bitcoin Core consists of both "full-node" software for fully validating the blockchain as well as a bitcoin wallet.
Bitcoin Core, when debug mode is not used, allows attackers to cause a denial of service (CPU consumption) because draining the inventory-to-send queue is inefficient, as exploited in the wild in May 2023. Please review the referenced CVE identifier for details.
There is no known workaround at this time.
All Bitcoin Core users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-p2p/bitcoind-25.0"

Nokogiri is an HTML, XML, SAX, and Reader parser.
A denial of service vulnerability has been discovered in Nokogiri. Please review the referenced CVE identifier for details.
Nokogiri fails to check the return value of `xmlTextReaderExpand` in the method `Nokogiri::XML::Reader#attribute_hash`. When invalid markup is parsed this leads to a NULL pointer dereference and a crash. For applications using `XML::Reader` to parse untrusted input, this may be a vector for a denial of service attack.
Users may be able to search their code for calls to `XML::Reader#attributes` or `XML::Reader#attribute_hash` to determine whether they are affected.
All Nokogiri users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-ruby/nokogiri-1.13.10"

Librsvg is a library to render SVG files using cairo as a rendering engine.
A directory traversal problem in the URL decoder of librsvg could be used by local or remote attackers to disclose files on the local filesystem outside of the expected area, as demonstrated by href=".?../../../../../../../../../../etc/passwd" in an xi:include element. Please review the referenced CVE identifier for details.
There is no known workaround at this time.
All Librsvg users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=gnome-base/librsvg-2.56.3"

Percona XtraBackup is a complete and open source online backup solution for all versions of MySQL.
Multiple vulnerabilities have been discovered in Percona XtraBackup. Please review the referenced CVE identifiers for details.
There is no known workaround at this time.
All Percona XtraBackup users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-db/percona-xtrabackup-8.0.29.22"

Gentoo has discontinued support for the binary package. Users should remove it from their system:

  # emerge --sync
  # emerge --ask --verbose --depclean "dev-db/percona-xtrabackup-bin"

re2c is a tool for generating C-based recognizers from regular expressions.
Please review the referenced CVE identifier for details.
There is no known workaround at this time.
All re2c users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-util/re2c-2.0"

Nautilus is the default file manager for the GNOME desktop.
GNOME Nautilus allows a NULL pointer dereference and get_basename application crash via a pasted ZIP archive. Please review the referenced CVE identifier for details.
There is no known workaround at this time.
All Nautilus users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=gnome-base/nautilus-44.0"

QEMU is a generic and open source machine emulator and virtualizer.
Multiple vulnerabilities have been discovered in QEMU. Please review the referenced CVE identifiers for details.
There is no known workaround at this time.
All QEMU users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-emulation/qemu-8.0.0"

ncurses is a free software emulation of curses in System V.
Multiple vulnerabilities have been discovered in ncurses. Please review the referenced CVE identifiers for details.
There is no known workaround at this time.
All ncurses users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=sys-libs/ncurses-6.4_p20230408"
  # emerge --ask --oneshot --verbose ">=sys-libs/ncurses-compat-6.4_p20240330"

libde265 is an open H.265 video codec implementation.
Multiple vulnerabilities have been discovered in libde265. Please review the referenced CVE identifiers for details.
There is no known workaround at this time.
All libde265 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=media-libs/libde265-1.0.11"

GPAC is an implementation of the MPEG-4 Systems standard developed from scratch in ANSI C.
Multiple vulnerabilities have been discovered in GPAC. Please review the referenced CVE identifiers for details.
There is no known workaround at this time.
All GPAC users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=media-video/gpac-2.2.0"

Bundler provides a consistent environment for Ruby projects by tracking and installing the exact gems and versions that are needed.
Multiple vulnerabilities have been discovered in Bundler. Please review the referenced CVE identifiers for details.
There is no known workaround at this time.
All Bundler users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-ruby/bundler-2.2.33"

The GNU Privacy Guard, GnuPG, is a free replacement for the PGP suite of cryptographic software.
Multiple vulnerabilities have been discovered in GnuPG. Please review the referenced CVE identifiers for details.
There is no known workaround at this time.
All GnuPG users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-crypt/gnupg-2.4.4"

Ruby on Rails is a free web framework used to develop database-driven web applications.
Multiple vulnerabilities have been discovered in Ruby on Rails. Please review the referenced CVE identifiers for details.
When serialized columns that use YAML (the default) are deserialized, Rails uses YAML.unsafe_load to convert the YAML data into Ruby objects. If an attacker can manipulate data in the database (for example via SQL injection), it may be possible for the attacker to escalate to remote code execution.

Impacted Active Record models will look something like this:

  class User < ApplicationRecord
    serialize :options         # Vulnerable: uses YAML for serialization
    serialize :values, Array   # Vulnerable: uses YAML for serialization
    serialize :values, JSON    # Not vulnerable
  end

The released versions change the default YAML deserializer to use YAML.safe_load, which prevents deserialization of possibly dangerous objects. This may introduce backwards compatibility issues with existing data.
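The following Ruby snippet is an added example, not code from the advisory or from Rails itself; it reproduces the mechanism described above using only the standard Psych library that Rails delegates to. A YAML document that could sit in a serialized column names a Ruby class through a !ruby/object tag: YAML.unsafe_load (or YAML.load on Psych 3 and older, where load is the unsafe variant) instantiates that class, whereas YAML.safe_load refuses it with Psych::DisallowedClass unless the class is explicitly permitted. The AuditHook class and both column contents are constructed for the example; in a real attack the class named in the YAML would be one already loaded by the application whose instantiation or later use does something harmful.

```ruby
require "yaml"

# Constructed for this example: any class loaded in the process can be named
# from YAML. A real gadget would be a class that does something dangerous when
# instantiated or when its methods are called later by the application.
class AuditHook
  attr_accessor :command
end

# Constructed column contents. TAINTED_COLUMN is what an attacker who can
# write to a serialized YAML column (e.g. via SQL injection) would store;
# BENIGN_COLUMN is the kind of data the column is meant to hold.
TAINTED_COLUMN = <<~YAML
  --- !ruby/object:AuditHook
  command: id
YAML

BENIGN_COLUMN = <<~YAML
  ---
  theme: dark
  tags:
  - a
  - b
YAML

# What `serialize :options` did before the fix: full object deserialization.
# Psych 4 renamed the unsafe loader to unsafe_load; older Psych only has the
# (unsafe) load.
def load_column_unsafe(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# What the fixed releases do: safe_load only builds core types (strings,
# numbers, arrays, hashes) plus whatever classes are explicitly permitted.
# aliases: true keeps existing data that uses YAML anchors loadable.
def load_column_safe(doc, permitted_classes: [])
  YAML.safe_load(doc, permitted_classes: permitted_classes, aliases: true)
end

# Returns the DisallowedClass message if safe_load refuses the document,
# or nil if it loaded cleanly.
def disallowed_class_for(doc)
  load_column_safe(doc)
  nil
rescue Psych::DisallowedClass => e
  e.message
end

if __FILE__ == $PROGRAM_NAME
  obj = load_column_unsafe(TAINTED_COLUMN)
  puts "unsafe_load built #{obj.class} with command=#{obj.command.inspect}"
  puts "safe_load: #{disallowed_class_for(TAINTED_COLUMN)}"
  p load_column_safe(BENIGN_COLUMN)
end
```

The permitted_classes allow-list is the knob an application reaches for when a column legitimately holds non-core objects after the upgrade; anything not listed, including AuditHook here, stays rejected rather than being silently instantiated.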
There is no known workaround at this time.
All Ruby on Rails users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-ruby/rails-6.1.6.1:6.1"
  # emerge --ask --oneshot --verbose ">=dev-ruby/rails-7.0.3.1:7.0"

runc is a CLI tool for spawning and running containers on Linux according to the OCI specification.
Multiple vulnerabilities have been discovered in runc. Please review the referenced CVE identifiers for details.
There is no known workaround at this time.
All runc users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-containers/runc-1.1.12"

matio is a library for reading and writing MATLAB files.
Multiple vulnerabilities have been discovered in matio. Please review the referenced CVE identifiers for details.
There is no known workaround at this time.
All matio users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=sci-libs/matio-1.5.22"

The fuzzer afl++ is afl with community patches, a qemu 5.1 upgrade, collision-free coverage, enhanced laf-intel and redqueen, AFLfast++ power schedules, MOpt mutators, unicorn_mode and more.
In AFL++ 4.05c, the CmpLog component uses the current working directory to resolve and execute unprefixed fuzzing targets, allowing code execution. Please review the referenced CVE identifier for details.
There is no known workaround at this time.
All AFLplusplus users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-forensics/aflplusplus-4.06c"

rsyslog is an enhanced multi-threaded syslogd with database support and more.
Multiple vulnerabilities have been discovered in rsyslog. Please review the referenced CVE identifiers for details.
Modules for TCP syslog reception have a heap buffer overflow when octet-counted framing is used. The attacker can corrupt heap values, leading to data integrity issues and availability impact. Remote code execution is unlikely but not impossible.
There is no known workaround at this time.
All rsyslog users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-admin/rsyslog-8.2206.0"

MuPDF is a lightweight PDF, XPS, and E-book viewer.
Multiple vulnerabilities have been discovered in MuPDF. Please review the referenced CVE identifiers for details.
There is no known workaround at this time.
All MuPDF users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-text/mupdf-1.20.0"

dpkg is the Debian package management system.
Dpkg::Source::Archive in dpkg is prone to a directory traversal vulnerability. When extracting untrusted source packages in the v2 and v3 source package formats that include a debian.tar, the in-place extraction can lead to directory traversal on specially crafted orig.tar and debian.tar tarballs. Please review the referenced CVE identifier for details.
There is no known workaround at this time.
All dpkg users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-arch/dpkg-1.20.9-r1"

Google's Protocol Buffers are an extensible mechanism for serializing structured data.
A vulnerability has been discovered in protobuf and protobuf-python. Please review the referenced CVE identifier for details.
A parsing vulnerability for the MessageSet type can lead to out of memory failures. A specially crafted message with multiple key-value pairs per element creates parsing issues, and can lead to a denial of service against services receiving unsanitized input.
There is no known workaround at this time.
All protobuf and protobuf-python users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-libs/protobuf-3.20.3"
  # emerge --ask --oneshot --verbose ">=dev-python/protobuf-python-3.19.6"

PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML.
Multiple vulnerabilities have been discovered in PHP. Please review the referenced CVE identifiers for details.
There is no known workaround at this time.
All PHP users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-lang/php-8.1.29:8.1"
  # emerge --ask --oneshot --verbose ">=dev-lang/php-8.2.20:8.2"
  # emerge --ask --oneshot --verbose ">=dev-lang/php-8.3.8:8.3"

Support for older versions has been discontinued; remove them:

  # emerge --ask --verbose --depclean "<dev-lang/php-8.1"

protobuf-c is a protocol buffers implementation in C.
Multiple denial of service vulnerabilities have been discovered in protobuf-c. Please review the referenced CVE identifiers for details.
There is no known workaround at this time.
All protobuf-c users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-libs/protobuf-c-1.4.1"