cURL is a tool and libcurl is a library for transferring data with URL syntax.

cURL and applications linked against libcurl support "OCSP stapling", also known as the TLS Certificate Status Request extension (using the CURLOPT_SSL_VERIFYSTATUS option). When told to use this feature, cURL uses that TLS extension to ask for a fresh proof of the validity of the server's certificate. If the server doesn't support the extension, or fails to provide said proof, cURL is expected to return an error. Due to a coding mistake, the code that checks whether that test succeeded or failed always concludes that there is valid proof, even when there is none or when the server doesn't support the TLS extension in question.

Due to the error, a user may fail to notice that a server's certificate has become invalid, or may otherwise be misled into believing the server is in better shape than it really is.

There is no known workaround at this time.

All cURL users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-misc/curl-7.53.0"
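As an added example (not part of the advisory and not cURL project code), a small POSIX shell script an administrator might run after patching: it flags a curl binary older than the 7.53.0 release the advisory requires, and for a fixed build exercises --cert-status (the command-line form of CURLOPT_SSL_VERIFYSTATUS) against a host, expecting curl to fail closed when no valid stapled response is presented. The host URL is a placeholder, and the mapping of exit code 91 to CURLE_SSL_INVALIDCERTSTATUS is an assumption taken from curl's documented error codes rather than from this page.

```shell
#!/bin/sh
# Added example, not part of the advisory or of cURL. Usage:
#   sh curl-ocsp-check.sh https://host.example/   (host is an assumption)
# Assumption: curl exit code 91 is CURLE_SSL_INVALIDCERTSTATUS.
FIXED_MAJOR=7   # advisory requires net-misc/curl-7.53.0 or newer
FIXED_MINOR=53
# Returns 0 when version "$1" (e.g. 7.52.1) predates the 7.53.0 fix,
# 1 when it is 7.53.0 or newer, 2 when "$1" is not a dotted version.
curl_version_affected() {
    v=$1
    case "$v" in *.*) ;; *) return 2 ;; esac
    major=${v%%.*}        # component before the first dot
    rest=${v#*.}          # everything after the first dot
    minor=${rest%%.*}     # second component
    for n in "$major" "$minor"; do
        case "$n" in ''|*[!0-9]*) return 2 ;; esac
    done
    if [ "$major" -lt "$FIXED_MAJOR" ]; then return 0; fi
    if [ "$major" -eq "$FIXED_MAJOR" ] && [ "$minor" -lt "$FIXED_MINOR" ]; then
        return 0
    fi
    return 1
}
# First line of `curl --version` reads: curl 7.52.1 (x86_64-pc-linux-gnu) ...
installed_curl_version() {
    curl --version 2>/dev/null | awk 'NR == 1 { print $2 }'
}
# Requests a stapled OCSP response (--cert-status = CURLOPT_SSL_VERIFYSTATUS).
# A fixed curl exits 0 only after verifying a stapled response and 91 when
# the server sends none or an invalid one; the buggy check accepted both.
stapling_check() {
    rc=0
    curl --cert-status --silent --show-error --output /dev/null "$1" || rc=$?
    case $rc in
        0)  echo "OK: stapled OCSP status for $1 verified" ;;
        91) echo "FAIL CLOSED: no valid stapled OCSP status for $1" ;;
        *)  echo "curl exited with code $rc for $1" ;;
    esac
    return $rc
}
if [ $# -gt 0 ]; then
    ver=$(installed_curl_version)
    if curl_version_affected "$ver"; then
        echo "curl $ver predates the 7.53.0 fix; --cert-status cannot be trusted"
        exit 1
    fi
    stapling_check "$1"
fi
```

A non-zero exit from stapling_check against a host known to staple is the signal to investigate, since a fixed curl reports 91 rather than silently accepting a missing status.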
Libtasn1 is a library that provides Abstract Syntax Notation One (ASN.1, as specified by the X.680 ITU-T recommendation) parsing and structure management, and Distinguished Encoding Rules (DER, as per X.690) encoding and decoding functions.

Libtasn1 does not correctly handle certain malformed DER certificates.

A remote attacker could entice a user or automated system to process a specially crafted certificate using Libtasn1, resulting in a Denial of Service condition.

There is no known workaround at this time.

All Libtasn1 users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-libs/libtasn1-4.8"

Deluge is a BitTorrent client.

A CSRF vulnerability was discovered in the web UI of Deluge.

A remote attacker could entice a user currently logged in to the Deluge web UI to visit a malicious web page which uses forged requests to make Deluge download and install a Deluge plug-in provided by the attacker. The plug-in can then execute arbitrary code as the user running Deluge.

There is no known workaround at this time.

All Deluge users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-p2p/deluge-1.3.14"

Xen is a bare-metal hypervisor.

In CIRRUS_BLTMODE_MEMSYSSRC mode the bitblit copy routine cirrus_bitblt_cputovideo fails to check whether the specified memory region is safe.

A local attacker could potentially execute arbitrary code with the privileges of the Xen (QEMU) process on the host, gain privileges on the host system, or cause a Denial of Service condition.

Running guests in Paravirtualization (PV) mode, or running guests in Hardware-assisted virtualization (HVM) mode utilizing stub domains, mitigates the issue.

Running HVM guests with the device model in a stubdomain will mitigate the issue.

Changing the video card emulation to stdvga (stdvga=1, vga="stdvga" in the xl domain configuration) will avoid the vulnerability.

All Xen Tools users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-emulation/xen-tools-4.7.1-r8"