Newsbeuter is an RSS/Atom feed reader for the text console.

Newsbeuter does not properly escape shell meta-characters in an RSS item with a media enclosure in the podcast playback function of Podbeuter.

A remote attacker, by enticing a user to open a feed with a specially crafted media enclosure, could possibly execute arbitrary shell commands with the privileges of the user running the application.

There is no known workaround at this time.

Gentoo has discontinued support for Newsbeuter and recommends that users unmerge the package:

  # emerge --unmerge "net-news/newsbeuter"

Chromium is an open-source browser project that aims to build a safer, faster, and more stable way for all users to experience the web.

Google Chrome is one fast, simple, and secure browser for all your devices.

Multiple vulnerabilities have been discovered in Chromium and Google Chrome. Please review the referenced CVE identifiers and Google Chrome Releases for details.

A remote attacker could possibly execute arbitrary code with the privileges of the process, cause a Denial of Service condition, bypass content security controls, or conduct URL spoofing.

There is no known workaround at this time.

All Chromium users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-client/chromium-65.0.3325.146"

All Google Chrome users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-client/google-chrome-65.0.3325.146"

Java Platform, Standard Edition (Java SE) lets you develop and deploy Java applications on desktops and servers, as well as in today’s demanding embedded environments. Java offers the rich user interface, performance, versatility, portability, and security that today’s applications require.

Multiple vulnerabilities have been discovered in Oracle’s Java SE. Please review the referenced CVE identifiers for details.

A remote attacker could possibly execute arbitrary code with the privileges of the process, gain access to information, or cause a Denial of Service condition.

There is no known workaround at this time.

All Oracle JDK users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-java/oracle-jdk-bin-1.8.0.162:1.8"

All Oracle JRE users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-java/oracle-jre-bin-1.8.0.162:1.8"

JabberD 2.x is an open source Jabber server written in C.

Multiple vulnerabilities have been discovered in Gentoo’s JabberD 2.x ebuild. Please review the referenced CVE identifiers for details.

An attacker could possibly escalate privileges by owning system binaries in trusted locations, cause a Denial of Service condition by manipulating the PID file from jabberd2 services, bypass security via SASL ANONYMOUS connections, or have other unspecified impacts.

There is no known workaround at this time.

Gentoo has discontinued support for JabberD 2.x and recommends that users unmerge the package:

  # emerge --unmerge "net-im/jabberd2"

As an alternative, users may want to upgrade their systems to use net-im/prosody instead of net-im/jabberd2.

The Adobe Flash Player is a renderer for the SWF file format, which is commonly used to provide interactive websites.

Multiple vulnerabilities have been discovered in Adobe Flash Player. Please review the CVE identifiers referenced below for details.

A remote attacker could possibly execute arbitrary code with the privileges of the process or bypass security restrictions.

There is no known workaround at this time.

All Adobe Flash Player users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-plugins/adobe-flash-29.0.0.113"

KDE Plasma workspace is a widget-based desktop environment designed to be fast and efficient.

Multiple vulnerabilities have been discovered in KDE Plasma Workspaces. Please review the referenced CVE identifiers for details.

An attacker could execute arbitrary commands via specially crafted thumb drive volume labels or obtain sensitive information via specially crafted notifications.

Users should mount removable devices with Dolphin instead of the device notifier.

Users should disable notifications.

All KDE Plasma Workspace users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=kde-plasma/plasma-workspace-5.11.5-r1"

collectd is a daemon which collects system and application performance metrics periodically and provides mechanisms to store the values in a variety of ways, for example in RRD files.

Multiple vulnerabilities have been found in Gentoo’s collectd package. Please review the referenced CVE identifiers and bug entries for details.

A local attacker, who either is already collectd’s system user or belongs to collectd’s group, could potentially gain root privileges and cause a Denial of Service condition.

Remote attackers could cause a Denial of Service condition via specially crafted SNMP responses.

There is no known workaround at this time.

All collectd users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-admin/collectd-5.7.2-r1"

WebKitGTK+ is a full-featured port of the WebKit rendering engine, suitable for projects requiring any kind of web integration, from hybrid HTML/CSS applications to full-fledged web browsers.

Multiple vulnerabilities have been discovered in WebKitGTK+. Please review the referenced CVE identifiers for details.

An attacker could execute arbitrary commands via maliciously crafted web content.

There is no known workaround at this time.

All WebKitGTK+ users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-2.18.6"

BusyBox is a set of tools for embedded systems and is a replacement for GNU Coreutils.

Multiple vulnerabilities have been discovered in BusyBox. Please review the CVE identifiers referenced below for details.

A remote attacker could possibly execute arbitrary code with the privileges of the process, cause a Denial of Service condition, or have other unspecified impacts.

There is no known workaround at this time.

All BusyBox users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=sys-apps/busybox-1.28.0"

PLIB includes sound effects, music, a complete 3D engine, font rendering, a simple windowing library, a game scripting language, a GUI, networking, a 3D math library, and a collection of handy utility functions.

A stack-based buffer overflow within the error function of ssg/ssgParser.cxx was discovered in PLIB.

A remote attacker, by enticing a user to open a specially crafted 3D model file, could possibly execute arbitrary code with the privileges of the process.

There is no known workaround at this time.

All PLIB users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=media-libs/plib-1.8.5-r1"

Mozilla Thunderbird is a popular open-source email client from the Mozilla project.

Multiple vulnerabilities have been discovered in Mozilla Thunderbird. Please review the referenced Mozilla Foundation Security Advisories and CVE identifiers below for details.

A remote attacker may be able to execute arbitrary code, cause a Denial of Service condition, obtain sensitive information, conduct URL hijacking, or conduct cross-site scripting (XSS).

There is no known workaround at this time.

All Thunderbird users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-52.6.0"

All Thunderbird binary users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-bin-52.6.0"

libxslt is the XSLT C library developed for the GNOME project. XSLT is an XML language to define transformations for XML.

Multiple vulnerabilities have been discovered in libxslt. Please review the CVE identifiers referenced below for details.

A remote attacker, via a crafted HTML page, could possibly execute arbitrary code, cause a Denial of Service condition, or leak information.

There is no known workaround at this time.

All libxslt users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-libs/libxslt-1.1.30"

glibc is a package that contains the GNU C library.

Multiple vulnerabilities have been discovered in glibc. Please review the CVE identifiers referenced below for details.

An attacker could possibly execute arbitrary code, escalate privileges, cause a Denial of Service condition, or have other unspecified impacts.

There is no known workaround at this time.

All glibc users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=sys-libs/glibc-2.25-r11"