PostgreSQL is an open source object-relational database management - system. + system.
LZO is an extremely fast compression and decompression library
+LZO is vulnerable to an integer overflow condition in the + “lzo1x_decompress_safe” function which could result in a possible + buffer overrun when processing maliciously crafted compressed input data. +
+A remote attacker could send specially crafted compressed input data + possibly resulting in a Denial of Service condition or arbitrary code + execution. +
+ +There is no known workaround at this time.
+All LZO users should upgrade to the latest version:
+ +
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-libs/lzo-2.08"
+
+
+ Mozilla Firefox is a cross-platform web browser from Mozilla. The + Mozilla Thunderbird mail client is a redesign of the Mozilla Mail + component. The goal is to produce a cross-platform stand-alone mail + application using XUL (XML User Interface Language). +
+Multiple vulnerabilities have been discovered in Mozilla Firefox and + Thunderbird. Please review the CVE identifiers referenced below for + details. +
+A remote attacker could possibly execute arbitrary code with the + privileges of the process or cause a Denial of Service condition via + multiple vectors. +
+There is no known workaround at this time.
+All Firefox users should upgrade to the latest version:
+ +
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-client/firefox-45.6.0"
+
+
+ All Firefox-bin users should upgrade to the latest version:
+ +
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-45.6.0"
+
+
+ All Thunderbird users should upgrade to the latest version:
+ +
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-45.6.0"
+
+
+ All Thunderbird-bin users should upgrade to the latest version:
+ +
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ ">=mail-client/thunderbird-bin-45.6.0"
+
+ The TIFF library contains encoding and decoding routines for the Tag + Image File Format. It is called by numerous programs, including GNOME and + KDE applications, to interpret TIFF images. +
+Multiple vulnerabilities have been discovered in libTIFF. Please review + the CVE identifier and bug reports referenced for details. +
+A remote attacker could entice a user to process a specially crafted + image file, possibly resulting in execution of arbitrary code with the + privileges of the process or a Denial of Service condition. +
+There is no known workaround at this time.
+All libTIFF users should upgrade to the latest version:
+ +
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=media-libs/tiff-4.0.7"
+
+ The Adobe Flash Player is a renderer for the SWF file format, which is + commonly used to provide interactive websites. +
+Multiple vulnerabilities have been discovered in Adobe Flash Player. + Please review the CVE identifiers referenced below for details. +
+A remote attacker could possibly execute arbitrary code with the + privileges of the process or bypass security restrictions. +
+There is no known workaround at this time.
+All Adobe Flash Player users should upgrade to the latest version:
+ +
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ ">=www-plugins/adobe-flash-24.0.0.186"
+
+
+ Python is an interpreted, interactive, object-oriented programming + language. +
+Multiple vulnerabilities have been discovered in Python. Please review + the CVE identifiers referenced below for details. +
+A remote attacker could entice a user to open a specially crafted index + file using Python’s dumbdbm module, possibly resulting in execution of + arbitrary code with the privileges of the process. +
+ +A remote attacker could entice a user to process a specially crafted + input stream using Python’s zipimporter module, possibly allowing + attackers to cause unspecified impact. +
+ +A man in the middle attacker could strip out the STARTTLS command + without generating an exception on the Python SMTP client application, + preventing the establishment of the TLS layer. +
+There is no known workaround at this time.
+All Python 2 users should upgrade to the latest version:
+ +
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-lang/python-2.7.12:2.7"
+
+
+ All Python 3 users should upgrade to the latest version:
+ +
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-lang/python-3.4.5:3.4"
+
+ NTFS-3G is a stable, full-featured, read-write NTFS driver for various + operating systems. +
+NTFS-3G is affected by the same vulnerability as reported in “GLSA + 201603-04” when the bundled fuse-lite implementation is used. +
+A local user could gain root privileges.
+There is no known workaround at this time. However, on Gentoo when the + “external-fuse” USE flag is set or the “suid” USE flag is not set + then NTFS-3G is not affected. Both of these cases are the default + configuration. +
+All NTFS-3G users should upgrade to the latest version:
+ +
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=sys-fs/ntfs3g-2016.2.22"
+
+ D-Bus is a message bus system, a simple way for applications to talk to + one another. +
+It was discovered that D-Bus incorrectly handles certain format strings.
+ +The impact of this new vulnerability is believed to not be exploitable + if D-Bus is patched against CVE-2015-0245. The previous vulnerability + (CVE-2015-0245) was addressed in GLSA-201503-02 referenced below. +
+A local attacker could cause a Denial of Service condition or possibly + execute arbitrary code. +
+The vulnerable D-Bus interface is intended only for use by systemd + running as root. +
+ +The administrator can install a policy which denies sending from + org.freedesktop.systemd1.Activator” to D-Bus. This will prevent + non-root attackers from reaching the interface in order to exercise this + flaw. +
+All D-Bus users should upgrade to the latest version:
+ +
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=sys-apps/dbus-1.10.12"
+
+ Expat is a set of XML parsing libraries.
+Multiple vulnerabilities have been discovered in Expat. Please review + the CVE identifiers referenced below for details. +
+A remote attacker, by enticing a user to process a specially crafted XML + file, could execute arbitrary code with the privileges of the process or + cause a Denial of Service condition. This attack could also be used + against automated systems that arbitrarily process XML files. +
+There is no known workaround at this time.
+All Expat users should upgrade to the latest version:
+ +
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-libs/expat-2.2.0-r1"
+
+ nginx is a robust, small, and high performance HTTP and reverse proxy + server. +
+It was discovered that Gentoo’s default NGINX installation applied + similar problematic permissions on “/var/log/nginx” as Debian + (DSA-3701) and is therefore vulnerable to the same attack described in + CVE-2016-1247. +
+A local attacker, who either is already NGINX’s system user or belongs + to NGINX’s group, could potentially escalate privileges. +
+Ensure that no untrusted user can create files in directories which are + used by NGINX (or an NGINX vhost) to store log files. +
+All NGINX users should upgrade to the latest ebuild revision:
+ +
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-servers/nginx-1.10.2-r3"
+
+ Botan (Japanese for peony) is a cryptography library written in C++11.
+Multiple vulnerabilities have been discovered in Botan. Please review + the CVE identifiers referenced below for details. +
+A remote attacker might obtain ECDSA secret keys via a timing + side-channel attack or could possibly bypass TLS policy. +
+There is no known workaround at this time.
+All Botan users should upgrade to the latest version:
+ +
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-libs/botan-1.10.13"
+
+ PgBouncer is a lightweight connection pooler for PostgreSQL.
+Multiple vulnerabilities have been discovered in PgBouncer. Please + review the CVE identifiers referenced below for details. +
+A remote attacker might send a specially crafted package possibly + resulting in a Denial of Service condition. Furthermore, a remote + attacker might bypass authentication in configurations using the + “auth_user” feature. +
+There is no known workaround at this time.
+All PgBouncer users should upgrade to the latest version:
+ +
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-db/pgbouncer-1.7.2"
+
+ phpBB is an Open Source bulletin board package.
+Multiple vulnerabilities have been discovered in phpBB. Please review + the CVE identifiers referenced below for details. +
+A remote attacker may be able to change settings, inject arbitrary web + script or HTML, or conduct cross-site request forgery (CSRF) attacks. +
+There is no known workaround at this time.
+Gentoo Security support has been discontinued due to phpBB being dropped + to unstable. As such, we recommend that users unmerge phpBB: +
+ +
+ # emerge --unmerge "www-apps/phpBB"
+
+
+ NOTE: Users could alternatively upgrade to + “>=www-apps/phpBB-3.1.10”, however, these packages are not + currently marked stable. +
+BIND (Berkeley Internet Name Domain) is a Name Server.
+A defect in BIND’s handling of responses containing a DNAME answer can + cause a resolver to exit after encountering an assertion failure in db.c + or resolver.c. +
+A remote attacker could send a specially crafted DNS request to the BIND + resolver possibly resulting in a Denial of Service condition. +
+There is no known workaround at this time.
+All BIND users should upgrade to the latest version:
+ +
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-dns/bind-9.10.4_p4"
+
+ 7-Zip is an open-source file archiver, an application used primarily to + compress files. 7-Zip uses its own 7z archive format, but can read and + write several other archive formats. +
+Multiple vulnerabilities have been discovered in 7-Zip. Please review + the CVE identifiers referenced below for details. +
+A remote attacker could entice a user to open a specially crafted + archive file possibly resulting in execution of arbitrary code with the + privileges of the process or a Denial of Service condition. +
+There is no known workaround at this time.
+All 7-Zip users should upgrade to the latest version:
+ +
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-arch/p7zip-16.02-r1"
+
+ c-ares is a C library for asynchronous DNS requests (including name + resolves). +
+A hostname with an escaped trailing dot (such as “hello\.”) would + have its size calculated incorrectly leading to a single byte written + beyond the end of a buffer on the heap. +
+A remote attacker, able to provide a specially crafted hostname to an + application using c-ares, could potentially cause a Denial of Service + condition. +
+There is no known workaround at this time.
+All c-ares users should upgrade to the latest version:
+ +
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-dns/c-ares-1.12.0"
+
+ Vim is an efficient, highly configurable improved version of the classic + ‘vi’ text editor. gVim is the GUI version of Vim. +
+Vim and gVim do not properly validate values for the ‘filetype’, + ‘syntax’, and ‘keymap’ options. +
+A remote attacker could entice a user to open a specially crafted file + using Vim/gVim with certain modeline options enabled possibly resulting + in execution of arbitrary code with the privileges of the process. +
+Disabling modeline support in .vimrc by adding “set nomodeline” will + prevent exploitation of this flaw. By default, modeline is enabled for + ordinary users but disabled for root. +
+All Vim users should upgrade to the latest version:
+ +
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-editors/vim-8.0.0106"
+
+
+ All gVim users should upgrade to the latest version:
+ +
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-editors/gvim-8.0.0106"
+
+ vzctl is a set of control tools for the OpenVZ server virtualization + solution. +
+It was discovered that vzctl determined the virtual environment (VE) + layout based on the presence of root.hdd/DiskDescriptor.xml in the VE + private directory. This allows local simfs container (CT) root users to + change the root password for arbitrary ploop containers. This is + demonstrated by a symlink attack on the ploop container root.hdd file + which can then be used to access a control panel. +
+An attacker with root privileges, in a simfs-based container, could gain + control over ploop-based containers. +
+There is no known workaround at this time.
+All vzctl users should upgrade to the latest version:
+ +
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=sys-cluster/vzctl-4.9.4"
+
+ flex is a programming tool used to generate scanners (programs which + recognize lexical patterns in text). +
+A heap-based buffer overflow in the yy_get_next_buffer function in Flex + might allow context-dependent attackers to cause a denial of service or + possibly execute arbitrary code via vectors involving num_to_read. +
+Context-dependent attackers could cause a Denial of Service condition or + possibly execute arbitrary code with the privileges of the process. +
+There is no known workaround at this time.
+All flex users should upgrade to the latest version:
+ +
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=sys-devel/flex-2.6.1"
+
+
+ Packages which depend on flex may need to be recompiled. Tools such as + qdepends (included in app-portage/portage-utils) may assist in + identifying these packages: +
+ +
+ # emerge --oneshot --ask --verbose $(qdepends -CQ sys-devel/flex | sed
+ 's/^/=/')
+
+ phpMyAdmin is a web-based management tool for MySQL databases.
+Multiple vulnerabilities have been discovered in phpMyAdmin. Please + review the CVE identifiers referenced below for details. +
+A authenticated remote attacker could exploit these vulnerabilities to + execute arbitrary PHP Code, inject SQL code, or to conduct Cross-Site + Scripting attacks. +
+ +In certain configurations, an unauthenticated remote attacker could + cause a Denial of Service condition. +
+There is no known workaround at this time.
+All phpMyAdmin users should upgrade to the latest version:
+ +
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-db/phpmyadmin-4.6.5.1"
+
+