glibc is a package that contains the GNU C library.
Multiple vulnerabilities have been discovered in glibc. Please review the CVE identifiers referenced below for details.
Please review the referenced CVE identifiers for details.
There is no known workaround at this time.
All glibc users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=sys-libs/glibc-2.38-r10"

SDDM is a modern display manager for X11 and Wayland sessions aiming to be fast, simple and beautiful. It uses modern technologies like QtQuick, which in turn gives the designer the ability to create smooth, animated user interfaces.
A vulnerability has been discovered in SDDM. Please review the CVE identifier referenced below for details.
SDDM passes the -auth and -displayfd command line arguments when starting the X server. It then waits for the display number to be received from the X server via the `displayfd` before the Xauthority file specified via the `-auth` parameter is actually written. This results in a race condition: there is a time window in which no valid Xauthority file exists while the X server is already running.

The X.Org server, when encountering a non-existing, empty or corrupt/incomplete Xauthority file, will grant any connecting client access to the Xorg display. A local unprivileged attacker can thus create an unauthorized connection to the X server and grab e.g. keyboard input events from other legitimate users accessing the X server.
There is no known workaround at this time.
All SDDM users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=x11-misc/sddm-0.18.1-r6"

QtGui is a module for the Qt toolkit.
Multiple vulnerabilities have been discovered in QtGui. Please review the CVE identifiers referenced below for details.
Please review the referenced CVE identifiers for details.
There is no known workaround at this time.
All QtGui users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-qt/qtgui-5.15.9-r1"

The GNAT Ada Suite is an Ada development environment.
A vulnerability has been discovered in GNAT Ada Suite. Please review the CVE identifier referenced below for details.
Please review the referenced CVE identifier for details.
There is no known workaround at this time.
Gentoo has discontinued support for GNAT Ada Suite. We recommend that users unmerge it:

 # emerge --ask --depclean "dev-ada/gnat-suite-bin"

Microsoft Edge is a browser that combines a minimal design with sophisticated technology to make the web faster, safer, and easier.
Multiple vulnerabilities have been discovered in Microsoft Edge. Please review the CVE identifiers referenced below for details.
Please review the referenced CVE identifiers for details.
There is no known workaround at this time.
All Microsoft Edge users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=www-client/microsoft-edge-120.0.2210.61"

FreeType is a high-quality and portable font engine.
Multiple vulnerabilities have been discovered in FreeType. Please review the CVE identifiers referenced below for details.
Please review the referenced CVE identifiers for details.
There is no known workaround at this time.
All FreeType users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=media-libs/freetype-2.13.0"

Xen is a bare-metal hypervisor.
Multiple vulnerabilities have been discovered in Xen. Please review the CVE identifiers referenced below for details.
Please review the referenced CVE identifiers for details.
There is no known workaround at this time.
All Xen users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=app-emulation/xen-4.16.6_pre1"

OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general purpose cryptography library.
Multiple vulnerabilities have been discovered in OpenSSL. Please review the CVE identifiers referenced below for details.
Please review the referenced CVE identifiers for details.
There is no known workaround at this time.
All OpenSSL users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-libs/openssl-3.0.10"

Wireshark is a versatile network protocol analyzer.
Multiple vulnerabilities have been discovered in Wireshark. Please review the CVE identifiers referenced below for details.
Please review the referenced CVE identifiers for details.
There is no known workaround at this time.
All Wireshark users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-analyzer/wireshark-4.0.11"

The NBD Tools are the Network Block Device utilities allowing one to use remote block devices over a TCP/IP network. It includes a userland NBD server.
Multiple vulnerabilities have been discovered in NBD Tools. Please review the CVE identifiers referenced below for details.
Please review the referenced CVE identifiers for details.
There is no known workaround at this time.
All NBD Tools users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=sys-block/nbd-3.24"

libxml2 is the XML C parser and toolkit developed for the GNOME project.
Multiple vulnerabilities have been discovered in libxml2. Please review the CVE identifiers referenced below for details.
Please review the referenced CVE identifiers for details.
There is no known workaround at this time.
All libxml2 users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-libs/libxml2-2.12.5"

If you cannot update to libxml2-2.12 yet, you can update to the latest 2.11 version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-libs/libxml2-2.11.7 =dev-libs/libxml2-2.11*"

The GNU Tar program provides the ability to create tar archives, as well as various other kinds of manipulation.
A vulnerability has been discovered in GNU Tar. Please review the CVE identifier referenced below for details.
GNU Tar has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The issue occurs via a V7 archive in which the mtime field consists of approximately 11 whitespace characters.
There is no known workaround at this time.
All GNU Tar users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=app-arch/tar-1.34-r3"

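The header field described above is a 12-byte octal number padded with blanks and NUL; a parser that walks it without an explicit bound will step past the field when the field holds no digit at all. The following is an added example, not GNU tar's code: a bounds-checked parser for the numeric fields of a V7 header, exercised on a constructed header whose mtime field is eleven spaces and a NUL, the shape the advisory describes. build_v7_header is a test helper written for this example, not an archiver.

```python
"""Bounds-checked parsing of the numeric fields of a V7 tar header (added example)."""

V7_FIELDS = (("name", 100), ("mode", 8), ("uid", 8), ("gid", 8), ("size", 12),
             ("mtime", 12), ("chksum", 8), ("typeflag", 1), ("linkname", 100))


def parse_octal_field(field):
    """Value of a blank/NUL-terminated octal field, or None if it is malformed.
    Every read is field[i] with i < len(field): the field boundary is never crossed."""
    i, n = 0, len(field)
    while i < n and field[i] in b" \t":            # leading blanks, which some writers emit
        i += 1
    value, digits = 0, 0
    while i < n and 0x30 <= field[i] <= 0x37:      # octal digits only
        value = value * 8 + (field[i] - 0x30)
        i += 1
        digits += 1
    if digits == 0:                                # all blank, or no digit before the terminator
        return None
    while i < n and field[i] in b" \0":            # trailing padding
        i += 1
    return value if i == n else None               # anything else after the number is junk


def parse_v7_header(block):
    """Split a 512-byte V7 header; numeric fields come back as int, or None when malformed."""
    if len(block) != 512:
        raise ValueError("tar header must be one 512-byte block")
    raw, off = {}, 0
    for name, width in V7_FIELDS:
        raw[name] = bytes(block[off:off + width])
        off += width
    # the checksum covers the header with its own field taken as 8 spaces; verify it first
    expected = sum(block[:148]) + 8 * 0x20 + sum(block[156:])
    if parse_octal_field(raw["chksum"]) != expected:
        raise ValueError("bad header checksum")
    header = {"name": raw["name"].split(b"\0", 1)[0].decode("ascii", "replace"),
              "typeflag": raw["typeflag"]}
    for name in ("mode", "uid", "gid", "size", "mtime"):
        header[name] = parse_octal_field(raw[name])
    return header


def build_v7_header(name, size, mtime_field, mode=0o644):
    """Constructed V7 header; mtime_field is copied verbatim so a malformed one can be planted."""
    if len(mtime_field) != 12:
        raise ValueError("mtime field is 12 bytes")
    h = bytearray(512)
    h[0:len(name)] = name.encode("ascii")
    h[100:108] = b"%07o\0" % mode
    h[108:116] = b"%07o\0" % 0
    h[116:124] = b"%07o\0" % 0
    h[124:136] = b"%011o\0" % size
    h[136:148] = mtime_field
    h[148:156] = b" " * 8
    h[156] = ord("0")                              # regular file
    h[148:156] = b"%06o\0 " % sum(h)
    return bytes(h)


GOOD_MTIME = b"%011o\0" % 1700000000               # constructed: an ordinary mtime field
BLANK_MTIME = b" " * 11 + b"\0"                    # constructed: the field shape the advisory describes
```

Feeding the blank-mtime header to parse_v7_header yields mtime None and leaves every other field intact, which is the behaviour a hardened reader wants: a malformed field is a parse result, not a memory access.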
An updated version of Cisco's TACACS+ server.
A vulnerability has been discovered in TACACS+. Please review the CVE identifier referenced below for details.
A lack of input validation exists in tac_plus which, when pre- or post-auth commands are enabled, allows an attacker who can control the username, rem-addr or NAC address sent to tac_plus to inject shell commands and gain remote code execution on the tac_plus server.
There is no known workaround at this time.
Gentoo has discontinued support for TACACS+. We recommend that users unmerge it:

 # emerge --ask --depclean "net-nds/tac_plus"

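The bug class above is worth seeing side by side with its fix. The following is an added example and not tac_plus code: a pre/post-auth hook built by pasting the attacker-controlled username and rem-addr into a shell command line, a tokeniser that shows which separate commands /bin/sh would run for that line, and the argv-based version that never involves a shell and allow-lists the fields first. The hook path, its options and the payload are constructed for this example.

```python
"""Shell injection through an auth hook beside the argv-based fix (added example)."""
import re
import shlex
import subprocess

HOOK = "/usr/local/bin/notify-auth"              # hypothetical hook program


def vulnerable_cmdline(username, rem_addr):
    """The bug pattern: untrusted fields interpolated into a string a shell will parse."""
    return "%s --user=%s --from=%s" % (HOOK, username, rem_addr)


def shell_commands(cmdline):
    """The separate simple commands a POSIX shell would run for this line.
    shlex with punctuation_chars tokenises ; & | ( ) < > the way the shell does."""
    cmds, cur = [], []
    for tok in shlex.shlex(cmdline, posix=True, punctuation_chars=True):
        if tok in (";", "&&", "||", "|", "&"):
            if cur:
                cmds.append(cur)
            cur = []
        else:
            cur.append(tok)
    if cur:
        cmds.append(cur)
    return cmds


# allow-list for fields that will land on a command line: no metacharacters, and no
# leading '-' so a value cannot masquerade as an option of the hook
_FIELD_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9._@:-]{0,63}$")


def field_is_safe(value):
    return bool(_FIELD_RE.match(value))


def hardened_argv(username, rem_addr):
    """No shell at all: each field becomes exactly one argv element, after validation."""
    for value in (username, rem_addr):
        if not field_is_safe(value):
            raise ValueError("rejected field: %r" % value)
    return [HOOK, "--user=" + username, "--from=" + rem_addr]


def run_hook(username, rem_addr, timeout=5):
    """shell=False hands the list straight to execve; nothing re-parses it."""
    return subprocess.run(hardened_argv(username, rem_addr), shell=False,
                          capture_output=True, timeout=timeout)


PAYLOAD = "alice; id >/tmp/pwned"                 # constructed injection via the username field
```

With PAYLOAD as the username, shell_commands shows the interpolated line turning into two commands, the second of which is the attacker's; hardened_argv rejects the same value outright, and even a value that slipped past the allow-list would reach the hook as a single literal argument.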
QtWebEngine is a library for rendering dynamic web content in Qt5 and Qt6 C++ and QML applications.
Multiple vulnerabilities have been discovered in QtWebEngine. Please review the CVE identifiers referenced below for details.
Please review the referenced CVE identifiers for details.
There is no known workaround at this time.
All QtWebEngine users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-qt/qtwebengine-5.15.12_p20240122"

e2fsprogs is a set of utilities for maintaining the ext2, ext3 and ext4 file systems.
Multiple vulnerabilities have been discovered in e2fsprogs. Please review the CVE identifiers referenced below for details.
An out-of-bounds read/write vulnerability was found in e2fsprogs. This issue leads to a segmentation fault and possibly arbitrary code execution via a specially crafted filesystem.
There is no known workaround at this time.
All e2fsprogs users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=sys-fs/e2fsprogs-1.46.6"

Log4j is a Java logging framework that supports various use cases with a rich set of components, a separate API, and a performance-optimized implementation.
Multiple vulnerabilities have been discovered in Apache Log4j. Please review the CVE identifiers referenced below for details.
Please review the referenced CVE identifiers for details.
There is no known workaround at this time.
Gentoo has discontinued support for log4j. We recommend that users unmerge it:

 # emerge --ask --depclean "dev-java/log4j"

CUPS, the Common Unix Printing System, is a full-featured print server.
Multiple vulnerabilities have been discovered in CUPS. Please review the CVE identifiers referenced below for details.
Please review the referenced CVE identifiers for details.
There is no known workaround at this time.
All CUPS users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-print/cups-2.4.7"

Exim is a message transfer agent (MTA) designed to be a highly configurable, drop-in replacement for sendmail.
Multiple vulnerabilities have been discovered in Exim. Please review the CVE identifiers referenced below for details.
Please review the referenced CVE identifiers for details.
There is no known workaround at this time.
All Exim users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=mail-mta/exim-4.97.1"

libcaca is a library that creates colored ASCII-art graphics.
A vulnerability has been discovered in libcaca. Please review the CVE identifier referenced below for details.
A buffer overflow issue in the caca_resize function in libcaca/caca/canvas.c may lead to local execution of arbitrary code in the user context.
There is no known workaround at this time.
All libcaca users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=media-libs/libcaca-0.99_beta19-r4"

Thunar is a modern file manager for the Xfce Desktop Environment. Thunar has been designed from the ground up to be fast and easy to use. Its user interface is clean and intuitive and does not include any confusing or useless options by default. Thunar starts up quickly and navigating through files and folders is fast and responsive.
A vulnerability has been discovered in Thunar. Please review the CVE identifier referenced below for details.
When called with a regular file as command line argument, Thunar would delegate to some other program without user confirmation based on the file type. This could be exploited to trigger code execution in a chain of vulnerabilities.
There is no known workaround at this time.
All Thunar users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=xfce-base/thunar-4.17.3"

QtNetwork provides a set of APIs for programming applications that use TCP/IP. It is part of the Qt framework.
Multiple vulnerabilities have been discovered in QtNetwork. Please review the CVE identifiers referenced below for details.
Please review the referenced CVE identifiers for details.
There is no known workaround at this time.
All Qt 5 users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-qt/qtnetwork-5.15.12-r1"

All Qt 6 users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-qt/qtbase-6.6.1-r2"

Intel IA32/IA64 microcode update data.
Multiple vulnerabilities have been discovered in Intel microcode. Please review the CVE identifiers referenced below for details.
Please review the referenced CVE identifiers for details.
There is no known workaround at this time.
All intel-microcode users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=sys-firmware/intel-microcode-20230214_p20230212"

Chromium is an open-source browser project that aims to build a safer, faster, and more stable way for all users to experience the web. Google Chrome is one fast, simple, and secure browser for all your devices. Microsoft Edge is a browser that combines a minimal design with sophisticated technology to make the web faster, safer, and easier.
Multiple vulnerabilities have been discovered in Chromium and its derivatives. Please review the CVE identifiers referenced below for details.
Please review the referenced CVE identifiers for details.
There is no known workaround at this time.
All Google Chrome users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=www-client/google-chrome-121.0.6167.139"

All Chromium users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=www-client/chromium-121.0.6167.139"

All Microsoft Edge users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=www-client/microsoft-edge-121.0.2277.83"

The Seamonkey project is a community effort to deliver production-quality releases of code derived from the application formerly known as the ‘Mozilla Application Suite’.
Multiple vulnerabilities have been discovered in Seamonkey. Please review the CVE identifiers referenced below for details.
Please review the referenced CVE identifiers for details.
There is no known workaround at this time.
All Seamonkey users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=www-client/seamonkey-2.53.10.2"

Mozilla Thunderbird is a popular open-source email client from the Mozilla project.
Multiple vulnerabilities have been discovered in Mozilla Thunderbird. Please review the CVE identifiers referenced below for details.
Please review the referenced CVE identifiers for details.
There is no known workaround at this time.
All Mozilla Thunderbird binary users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-bin-115.7.0"

All Mozilla Thunderbird users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-115.7.0"

Mozilla Firefox is a popular open-source web browser from the Mozilla project.
Multiple vulnerabilities have been discovered in Mozilla Firefox. Please review the CVE identifiers referenced below for details.
Please review the referenced CVE identifiers for details.
There is no known workaround at this time.
All Mozilla Firefox ESR users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=www-client/firefox-115.7.0:esr"

All Mozilla Firefox ESR binary users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-115.7.0:esr"

All Mozilla Firefox users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=www-client/firefox-122.0:rapid"

All Mozilla Firefox binary users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-122.0:rapid"

Glade is a RAD tool to enable quick & easy development of user interfaces for the GTK+ toolkit (Version 3 only) and the GNOME desktop environment.
A vulnerability has been found in Glade which can lead to a denial of service when working with specific glade files.
A crafted file may lead to crashes in Glade.
There is no known workaround at this time.
All Glade users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-util/glade-3.38.2"

Samba is a suite of SMB and CIFS client/server programs.
Multiple vulnerabilities have been discovered in Samba. Please review the CVE identifiers referenced below for details.
Please review the referenced CVE identifiers for details.
There is no known workaround at this time.
All Samba users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-fs/samba-4.18.9"

LibreOffice is a powerful office suite; its clean interface and powerful tools let you unleash your creativity and grow your productivity.
Multiple vulnerabilities have been discovered in LibreOffice. Please review the CVE identifiers referenced below for details.
Please review the referenced CVE identifiers for details.
There is no known workaround at this time.
All LibreOffice binary users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=app-office/libreoffice-bin-7.5.9.2"

All LibreOffice users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=app-office/libreoffice-7.5.9.2"

Glances is an open-source cross-platform system monitoring tool. It allows real-time monitoring of various aspects of your system such as CPU, memory, disk, network usage etc.
A vulnerability has been discovered in Glances: its XML parsing may lead to a variety of XML attacks.
There is no known workaround at this time.
All Glances users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=sys-process/glances-3.1.7"

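The advisory does not say which XML attack applies, so the useful thing to show is the check a service that accepts XML puts in front of its parser. The following is an added example and not glances code: any document carrying a DOCTYPE is refused before parsing, because that is where both entity-expansion (billion laughs) and external-entity (XXE) declarations live; the documents are constructed for this example.

```python
"""Refuse DTDs before parsing: the generic pre-check against entity-based XML attacks (added example)."""
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXML(ValueError):
    """Raised for documents that declare a DTD or any entity."""


def _reject(*_args):
    raise UnsafeXML("DOCTYPE and entity declarations are not accepted")


def parse_xml_strict(data):
    """Parse bytes with ElementTree only after an expat pass has proven there is no DTD.
    expat fires StartDoctypeDeclHandler as soon as '<!DOCTYPE' is seen, before any entity
    declared inside it can be expanded; EntityDeclHandler is a second line of defence."""
    p = expat.ParserCreate()
    p.StartDoctypeDeclHandler = _reject
    p.EntityDeclHandler = _reject
    p.Parse(data, True)
    return ET.fromstring(data)


def is_accepted(data):
    try:
        parse_xml_strict(data)
        return True
    except UnsafeXML:
        return False


# constructed inputs: one benign document and two classic DTD-borne attacks
BENIGN = b"<stats><cpu total='12.5'/><mem used='42'/></stats>"
BILLION_LAUGHS = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<stats>&lol3;</stats>"""
XXE = b'<!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><stats>&xxe;</stats>'
```

The first pass is cheap because it stops at the first byte of the DOCTYPE; the cost of the double parse only applies to documents that are accepted. Raising inside an expat handler aborts the parse and propagates the exception, so no entity is ever expanded.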
GNU Aspell is a popular spell-checker. Dictionaries are available for many languages.
Multiple vulnerabilities have been discovered in GNU Aspell. Please review the CVE identifiers referenced below for details.
GNU Aspell has a heap-based buffer overflow in acommon::ObjStack::dup_top (called from acommon::StringMap::add and acommon::Config::lookup_list).
There is no known workaround at this time.
All aspell users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=app-text/aspell-0.60.8-r3"

btrbk is a backup tool for btrfs subvolumes, taking advantage of btrfs specific capabilities to create atomic snapshots and transfer them incrementally to your backup locations.
A vulnerability has been discovered in btrbk. Please review the CVE identifier referenced below for details.
Specially crafted commands may be executed without being properly checked. This applies to remote hosts filtering SSH commands using ssh_filter_btrbk.sh in authorized_keys.
There is no known workaround at this time.
All btrbk users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=app-backup/btrbk-0.31.2"

PyYAML is a YAML parser and emitter for Python.
A vulnerability has been discovered in PyYAML. Please review the CVE identifier referenced below for details.
A vulnerability was discovered in the PyYAML library, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.
There is no known workaround at this time.
All PyYAML users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-python/pyyaml-5.4"

Tox is easy-to-use software that connects you with friends and family without anyone else listening in.
A vulnerability has been discovered in Tox. Please review the CVE identifier referenced below for details.
A stack-based buffer overflow allows remote attackers to crash the process or potentially execute arbitrary code via a network packet.
There is no known workaround at this time.
All Tox users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-libs/tox-0.2.13"

Blender is a 3D Creation/Animation/Publishing System.
Multiple vulnerabilities have been discovered in Blender. Please review the CVE identifiers referenced below for details.
Please review the referenced CVE identifiers for details.
There is no known workaround at this time.
All Blender users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=media-gfx/blender-3.1.0"

UltraJSON is an ultra fast JSON encoder and decoder written in pure C with bindings for Python 3.8+.
Affected versions were found to improperly decode certain characters. JSON strings that contain escaped surrogate characters not part of a proper surrogate pair were decoded incorrectly. Besides corrupting strings, this allowed for potential key confusion and value overwriting in dictionaries. All users parsing JSON from untrusted sources are vulnerable. From version 5.4.0, UltraJSON decodes lone surrogates in the same way as the standard library's `json` module does, preserving them in the parsed output.
Please review the referenced CVE identifiers for details.
There is no known workaround at this time.
All UltraJSON users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-python/ujson-5.4.0"

XZ Utils is free general-purpose data compression software with a high compression ratio.
A backdoor has been discovered in XZ Utils. Please review the CVE identifier referenced below for details.
Our current understanding of the backdoor is that it does not affect Gentoo systems, because

1. the backdoor only appears to be included on specific systems and Gentoo does not qualify;
2. the backdoor as it is currently understood targets OpenSSH patched to work with systemd-notify support. Gentoo does not support or include these patches.

Analysis is still ongoing, however, and additional vectors may still be identified. For this reason we are still issuing this advisory as if that will be the case.
There is no known workaround at this time.
All XZ Utils users should downgrade to the latest version before the backdoor was introduced:

 # emerge --sync
 # emerge --ask --oneshot --verbose "<app-arch/xz-utils-5.6.0"

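Every resolution on this page is a version atom, and the questions they raise are the same each time: does the installed version satisfy ">=sys-libs/glibc-2.38-r10", does a slot-qualified atom such as ">=www-client/firefox-122.0:rapid" leave the esr slot alone, do both atoms of the libxml2 2.11 line hold, and does the XZ Utils downgrade atom "<app-arch/xz-utils-5.6.0" flag a 5.6.x install. The following offline checker is an added example, not code from Gentoo or portage. It implements the PMS version ordering (numeric components, optional letter, _alpha/_beta/_pre/_rc/_p suffixes, -rN revision) and the >=, <=, >, <, =, =* and ~ operators, generalising beyond the atoms above. INSTALLED is a constructed snapshot in VDB terms; read_vdb() builds the same map from the standard /var/db/pkg/<category>/<pn>-<version>/SLOT layout on a real system.

```python
"""Check GLSA resolution atoms against installed versions (added example, PMS ordering)."""
import os
import re
from itertools import zip_longest

_VER = r"\d+(?:\.\d+)*[a-z]?(?:_(?:alpha|beta|pre|rc|p)\d*)*(?:-r\d+)?"
_VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)(?P<letter>[a-z])?"
    r"(?P<suffixes>(?:_(?:alpha|beta|pre|rc|p)\d*)*)(?:-r(?P<rev>\d+))?$")
_ATOM_RE = re.compile(
    r"^(?P<op>>=|<=|>|<|=|~)(?P<cpn>[A-Za-z0-9+_][A-Za-z0-9+_./-]*?)-(?P<ver>" + _VER + r")"
    r"(?P<glob>\*)?(?::(?P<slot>[^\s]+))?$")
_PNV_RE = re.compile(r"^(?P<pn>[A-Za-z0-9+_][A-Za-z0-9+_.-]*?)-(?P<ver>" + _VER + r")$")
_SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, "p": 5}   # "no suffix" ranks 4


def _cmp(a, b):
    return (a > b) - (a < b)


def parse_version(v):
    m = _VERSION_RE.match(v)
    if not m:
        raise ValueError("not a PMS version: %r" % v)
    suffixes = [(_SUFFIX_RANK[name], int(num or 0))
                for name, num in re.findall(r"_(alpha|beta|pre|rc|p)(\d*)", m.group("suffixes"))]
    return m.group("nums").split("."), m.group("letter") or "", suffixes, int(m.group("rev") or 0)


def vercmp(a, b):
    """PMS ordering: negative if a is older than b, 0 if equal, positive if newer."""
    na, la, sa, ra = parse_version(a)
    nb, lb, sb, rb = parse_version(b)
    c = _cmp(int(na[0]), int(nb[0]))
    for x, y in zip(na[1:], nb[1:]):
        if c:
            break
        # later components with a leading zero compare as strings (1.02 < 1.1), else as integers
        c = _cmp(x.rstrip("0"), y.rstrip("0")) if (x[0] == "0" or y[0] == "0") else _cmp(int(x), int(y))
    c = c or _cmp(len(na), len(nb)) or _cmp(la, lb)
    for x, y in zip_longest(sa, sb, fillvalue=(4, 0)):   # 0.99_beta19 < 0.99 < 0.99_p1
        c = c or _cmp(x, y)
    return c or _cmp(ra, rb)


def parse_atom(atom):
    m = _ATOM_RE.match(atom)
    if not m:
        raise ValueError("unsupported atom: %r" % atom)
    return m.groupdict()


def version_satisfies(op, want, glob, have):
    if glob:                                   # =cat/pn-2.11*: prefix match on a component boundary
        return have.startswith(want) and (len(have) == len(want) or not have[len(want)].isdigit())
    if op == "~":                              # same version, any revision
        return vercmp(re.sub(r"-r\d+$", "", have), re.sub(r"-r\d+$", "", want)) == 0
    c = vercmp(have, want)
    return {">=": c >= 0, "<=": c <= 0, ">": c > 0, "<": c < 0, "=": c == 0}[op]


def read_vdb(root="/var/db/pkg"):
    """Installed packages from the portage VDB: {"cat/pn": [(version, slot), ...]}."""
    db = {}
    for cat in os.listdir(root):
        catdir = os.path.join(root, cat)
        for pnv in (os.listdir(catdir) if os.path.isdir(catdir) else []):
            m = _PNV_RE.match(pnv)
            if not m:
                continue
            try:
                with open(os.path.join(catdir, pnv, "SLOT")) as f:
                    slot = f.read().strip().split("/")[0]      # "esr", "2.2", "0/1.2" -> "0"
            except OSError:
                slot = "0"
            db.setdefault(cat + "/" + m.group("pn"), []).append((m.group("ver"), slot))
    return db


def unresolved(resolution, installed):
    """(cpn, installed version, atom) for each installed version failing an atom of a resolution
    line; all whitespace-separated atoms must hold, packages not installed are skipped."""
    findings = []
    for atom in resolution.split():
        a = parse_atom(atom)
        for ver, slot in installed.get(a["cpn"], []):
            if a["slot"] and a["slot"] != slot:
                continue                               # ">=...:rapid" says nothing about the esr slot
            if not version_satisfies(a["op"], a["ver"], a["glob"], ver):
                findings.append((a["cpn"], ver, atom))
    return findings


INSTALLED = {   # constructed snapshot for this example, not real system state
    "sys-libs/glibc": [("2.38-r10", "2.2")],
    "media-libs/libcaca": [("0.99_beta19-r3", "0")],
    "dev-libs/libxml2": [("2.11.5", "2")],
    "www-client/firefox": [("115.7.0", "esr"), ("121.0.1", "rapid")],
    "app-arch/xz-utils": [("5.6.1", "0")],
}
```

Run unresolved() with each resolution line from this page against read_vdb() on a Gentoo host, or against INSTALLED offline: the glibc and Firefox ESR lines come back clean, libcaca fails on its revision, libxml2 fails the ">=2.11.7" half of its two-atom line while satisfying the "=2.11*" half, the Firefox rapid line reports only the rapid slot, and the XZ Utils downgrade atom flags the 5.6.1 install. On a real system compare the result with what portage itself decides; the ordering here follows the PMS text and is not a substitute for portage's implementation.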