Patch takes a patch file containing a difference listing produced by the diff program and applies those differences to one or more original files, producing patched versions.

Due to a flaw in Patch, the application can enter an infinite loop when processing a specially crafted diff file.

A local attacker could pass a specially crafted diff file to Patch, possibly resulting in a Denial of Service condition.

There is no known workaround at this time.

All patch users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=sys-devel/patch-2.7.4"

Nghttp2 is an implementation of HTTP/2 and its header compression algorithm HPACK in C.

Nghttpd, nghttp, and libnghttp2_asio applications do not limit the memory usage for the incoming HTTP header field. If a peer sends a specially crafted HTTP/2 HEADERS frame and CONTINUATION frame, they will crash with an out of memory error.

A remote attacker could possibly cause a Denial of Service condition.

There is no known workaround at this time.

All nghttp2 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-libs/nghttp2-1.7.1"

util-linux is a suite of Linux programs including mount and umount, programs used to mount and unmount filesystems.

A command injection flaw was discovered in util-linux's "blkid" utility. It uses cache files (/dev/.blkid.tab or /run/blkid/blkid.tab) to store information about the UUID, LABEL, etc. it finds on certain devices. However, it does not strip the '"' character, so it can be confused into building variable names containing shell metacharacters, which it would usually encode inside the value.

A local attacker could create a specially crafted partition label containing arbitrary code which would get executed when the "blkid" utility processes that value.

There is no known workaround at this time.

All util-linux users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=sys-apps/util-linux-2.26"

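A defensive check for the blkid KEY=VALUE pattern described above, added here as an example and not part of the advisory or of util-linux: it whitelists the characters a value may carry and reads the pairs with read instead of eval, so a label carrying a '"' or other metacharacter is rejected rather than interpreted. The sample lines, the whitelist in BLKID_SAFE_VALUE_CHARS and the function names are constructed assumptions.

```shell
#!/bin/sh
# Added example, not util-linux code: validate blkid-style KEY=VALUE lines
# before a script consumes them, instead of eval'ing them unchecked.

# Whitelist of characters a value (UUID, LABEL, TYPE, device path) may hold.
# A value with anything else, such as the '"' the advisory mentions, is
# rejected outright rather than stripped or escaped.
BLKID_SAFE_VALUE_CHARS='A-Za-z0-9._/: -'

# Return 0 if every line on stdin is KEY=VALUE with an identifier-shaped
# key and a whitelisted value; return 1 at the first line that is not.
blkid_lines_safe() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            *=*) ;;
            *) return 1 ;;                      # not a KEY=VALUE pair
        esac
        key=${line%%=*}
        val=${line#*=}
        case "$key" in
            ''|[0-9]*|*[!A-Z0-9_]*) return 1 ;; # key is not an identifier
        esac
        case "$val" in
            *[!$BLKID_SAFE_VALUE_CHARS]*) return 1 ;;
        esac
    done
    return 0
}

# Look up one key from KEY=VALUE lines on stdin without eval: print the
# value and return 0, or return 1 if the key is absent.
blkid_get() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "$1="*) printf '%s\n' "${line#*=}"; return 0 ;;
        esac
    done
    return 1
}

# Constructed sample output in the style of `blkid -o export`.
SAMPLE_GOOD='DEVNAME=/dev/sda1
UUID=0c1d2e3f-0000-4000-8000-000000000001
TYPE=ext4
LABEL=Data Disk'
# Constructed sample: a crafted label that would define a second variable
# if a script ran eval over these lines.
SAMPLE_BAD='DEVNAME=/dev/sdb1
LABEL=x" EXTRA=1 "
TYPE=vfat'
```

Run the check on the real output first (for example `blkid -o export /dev/sda1 | blkid_lines_safe`) and only then read individual keys with blkid_get; a rejected line means the value should be treated as untrusted data, not as shell syntax.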
ARJ is an open-source implementation of the ARJ archiver.

Multiple vulnerabilities have been discovered in ARJ. Please review the CVE identifiers referenced below for details.

An attacker, using a specially crafted ARJ archive, could possibly execute arbitrary code with the privileges of the process, or cause a Denial of Service condition.

There is no known workaround at this time.

All ARJ users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-arch/arj-3.10.22-r5"

OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general purpose cryptography library.

Multiple vulnerabilities have been discovered in OpenSSL. Please review the CVE identifiers and the International Association for Cryptologic Research's (IACR) paper, "Make Sure DSA Signing Exponentiations Really are Constant-Time", for further details.

Remote attackers could cause a Denial of Service condition or have other unspecified impacts. Additionally, a timing-based side-channel attack may allow a local attacker to recover a private DSA key.

There is no known workaround at this time.

All OpenSSL users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-libs/openssl-1.0.2j"

This HTTP extension aims to provide a convenient and powerful set of functionality for one of PHP's major applications.

A buffer overflow can be triggered in the URL parsing functions of the PECL HTTP extension. This allows overflowing a buffer with data originating from an arbitrary HTTP request.

A remote attacker, through a specially crafted URI, could possibly execute arbitrary code with the privileges of the process.

There is no known workaround at this time.

All PECL HTTP users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-php/pecl-http-2.5.6"

OpenSSH is a complete SSH protocol implementation that includes SFTP client and server support.

Multiple vulnerabilities have been discovered in OpenSSH. Please review the CVE identifiers referenced below for details.

Remote attackers could cause a Denial of Service condition and conduct user enumeration.

There is no known workaround at this time.

All OpenSSH users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-misc/openssh-7.3_p1-r7"

Mercurial is a distributed source control management system.

Multiple vulnerabilities have been discovered in Mercurial. Please review the CVE identifier and bug reports referenced for details.

A remote attacker could possibly execute arbitrary code with the privileges of the process.

There is no known workaround at this time.

All mercurial users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-vcs/mercurial-3.8.4"