PHP is an open source general-purpose scripting language that is + especially suited for web development. +
+A underflow in env_path_info in PHP-FPM under certain configurations can + be exploited to gain remote code execution. +
+A remote attacker, by sending special crafted HTTP requests, could + possibly execute arbitrary code with the privileges of the process, or + cause a Denial of Service condition. +
+If patching is not feasible, the suggested workaround is to include + checks to verify whether or not a file exists before passing to PHP. +
+All PHP 5.6 users should upgrade to the latest version:
+ +
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-lang/php-5.6.40-r7"
+
+
+ All PHP 7.1 users should upgrade to the latest version:
+ +
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-lang/php-7.1.33"
+
+
+ All PHP 7.2 users should upgrade to the latest version:
+ +
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-lang/php-7.2.24"
+
+
+ All PHP 7.3 users should upgrade to the latest version:
+ +
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-lang/php-7.3.11"
+
+
+ OpenSSH is a complete SSH protocol implementation that includes SFTP + client and server support. +
+OpenSSH, when built with “xmss” USE flag enabled, has a + pre-authentication integer overflow if a client or server is configured + to use a crafted XMSS key. +
+ +NOTE: This USE flag is disabled by default!
+A remote attacker could connect to a vulnerable OpenSSH server using a + special crafted XMSS key possibly resulting in execution of arbitrary + code with the privileges of the process or a Denial of Service condition. +
+Disable XMSS key type.
+All OpenSSH users should upgrade to the latest version:
+ +
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ ">=net-misc/openssh/openssh-8.0_p1-r4"
+
+ BOOTP and DHCP client for automatic IP configuration.
+It was discovered that there was an arbitrary code execution + vulnerability in the pump DHCP/BOOTP client. +
+A remote attacker, by enticing a user to connect to a malicious server, + could cause the execution of arbitrary code with the privileges of the + user running pump DHCP/BOOTP client. +
+There is no known workaround at this time.
+Gentoo has discontinued support for pump. We recommend that users + unmerge pump: +
+ +
+ # emerge --unmerge "net-misc/pump"
+
+ Oniguruma is a regular expression library.
+Multiple vulnerabilities have been discovered in Oniguruma. Please + review the CVE identifiers referenced below for details. +
+A remote attacker, by enticing a user to process a specially crafted + string using an application linked against Oniguruma, could possibly + execute arbitrary code with the privileges of the process or cause a + Denial of Service condition. +
+There is no known workaround at this time.
+All Oniguruma users should upgrade to the latest version:
+ +
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-libs/oniguruma-6.9.3"
+
+ OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer + (SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general + purpose cryptography library. +
+Multiple vulnerabilities have been discovered in OpenSSL. Please review + the CVE identifiers referenced below for details. +
+Please review the referenced CVE identifiers for details.
+There is no known workaround at this time.
+All OpenSSL users should upgrade to the latest version:
+ +
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-libs/openssl-1.0.2t"
+
+