Gentoo Linux Security Advisory 202402-23 - Multiple vulnerabilities have been discovered in Chromium and its derivatives, the worst of which can lead to remote code execution. Versions greater than or equal to 121.0.6167.139 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202402-23  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Chromium, Google Chrome, Microsoft Edge: Multiple Vulnerabilities  
     Date: February 19, 2024  
     Bugs: #922062, #922340, #922903, #923370  
       ID: 202402-23

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in Chromium and its  
derivatives, the worst of which can lead to remote code execution.

Background  
==========

Chromium is an open-source browser project that aims to build a safer,  
faster, and more stable way for all users to experience the web. Google  
Chrome is one fast, simple, and secure browser for all your devices.  
Microsoft Edge is a browser that combines a minimal design with  
sophisticated technology to make the web faster, safer, and easier.

Affected packages  
=================

Package                    Vulnerable        Unaffected  
-------------------------  ----------------  -----------------  
www-client/chromium        < 121.0.6167.139  >= 121.0.6167.139  
www-client/google-chrome   < 121.0.6167.139  >= 121.0.6167.139  
www-client/microsoft-edge  < 121.0.2277.83   >= 121.0.2277.83

Description  
===========

Multiple vulnerabilities have been discovered in Chromium and its  
derivatives. Please review the CVE identifiers referenced below for  
details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Google Chrome users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/google-chrome-121.0.6167.139"

All Chromium users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/chromium-121.0.6167.139"

All Microsoft Edge users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/microsoft-edge-121.0.2277.83"

References  
==========

[ 1 ] CVE-2024-0333  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0333  
[ 2 ] CVE-2024-0517  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0517  
[ 3 ] CVE-2024-0518  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0518  
[ 4 ] CVE-2024-0519  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0519  
[ 5 ] CVE-2024-0804  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0804  
[ 6 ] CVE-2024-0805  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0805  
[ 7 ] CVE-2024-0806  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0806  
[ 8 ] CVE-2024-0807  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0807  
[ 9 ] CVE-2024-0808  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0808  
[ 10 ] CVE-2024-0809  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0809  
[ 11 ] CVE-2024-0810  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0810  
[ 12 ] CVE-2024-0811  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0811  
[ 13 ] CVE-2024-0812  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0812  
[ 14 ] CVE-2024-0813  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0813  
[ 15 ] CVE-2024-0814  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0814  
[ 16 ] CVE-2024-1059  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1059  
[ 17 ] CVE-2024-1060  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1060  
[ 18 ] CVE-2024-1077  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1077

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202402-23

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202402-23

Gentoo Linux Security Advisory 202402-22 - Multiple vulnerabilities have been discovered in intel-microcode, the worst of which can lead to privilege escalation. Versions greater than or equal to 20230214_p20230212 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202402-22  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: intel-microcode: Multiple Vulnerabilities  
     Date: February 19, 2024  
     Bugs: #832985, #894474  
       ID: 202402-22

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in intel-microcode, the  
worst of which can lead to privilege escalation.

Background  
==========

Intel IA32/IA64 microcode update data.

Affected packages  
=================

Package                       Vulnerable            Unaffected  
----------------------------  --------------------  ---------------------  
sys-firmware/intel-microcode  < 20230214_p20230212  >= 20230214_p20230212

Description  
===========

Multiple vulnerabilities have been discovered in NVIDIA Drivers. Please  
review the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All intel-microcode users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=sys-firmware/intel-microcode-20230214_p20230212"

References  
==========

[ 1 ] CVE-2021-0127  
      https://nvd.nist.gov/vuln/detail/CVE-2021-0127  
[ 2 ] CVE-2021-0146  
      https://nvd.nist.gov/vuln/detail/CVE-2021-0146

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202402-22

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202402-22

By Waqas
One in five children aged 10-16 in the UK have engaged in online activities that violate the Computer Misuse Act, NCA has revealed.
This is a post from HackRead.com Read the original post: 1 in 5 Youth Engage in Cybercrime, NCA Finds

A recent report by the National Crime Agency (NCA) has revealed a disturbing trend: one in five children aged 10-16 in the UK have engaged in online activities that violate the Computer Misuse Act. This raises serious concerns about the increasing prevalence of cybercrime among young people and stresses the urgent need for greater awareness and education.

The report, based on a comprehensive survey, highlights several concerning online behaviours, including:

*   **Unauthorized access to computer systems or data:** This encompasses hacking into someone else’s account, downloading illegal software, or accessing restricted information.
*   **Cyberbullying and harassment:** Online harassment and bullying can have severe consequences for both the victim and the perpetrator, inflicting emotional distress and potentially leading to real-world harm.
*   **Copyright infringement:** Downloading or sharing copyrighted material without permission, such as music, movies, or software, is illegal and can have legal repercussions.
*   **Online gaming offenses:** This encompasses activities like making in-game purchases without permission, using cheats or hacks to gain an unfair advantage, or engaging in distributed denial-of-service (DDoS) attacks that disrupt online services.

The NCA emphasizes that many children may unknowingly engage in these activities, unaware of the legal implications and potential consequences. This underlines the critical need for open communication between parents, educators, and children about online safety and responsible behaviour.

The report also stresses the importance of proactive education and awareness campaigns targeted at both children and adults. Educating young people about cybercrime, its various forms, and the legal ramifications associated with it can significantly deter them from engaging in risky online behaviour.

Furthermore, the NCA advocates for promoting positive alternatives to encourage children to engage in safe and productive online activities. This can involve fostering their interest in educational resources, creative pursuits, and responsible online communities.

While the report paints a concerning picture, it is crucial to remember that not all online activity by children is illegal. It is essential to distinguish between harmless exploration and deliberate malicious intent based on the specific details and context surrounding each case.

> _“Many young people are getting involved in cybercrime without realising that they are breaking the law. Our message to these teenagers is simple – don’t play games with your future. Whether you engage in this behaviour knowingly or without realising, you are committing an offence – and could face serious consequences for your actions.”_
> 
> _“We’d encourage any concerned parents and teachers to speak to young people with an interest in tech, help them understand the dangers, and highlight the many rewarding and varied careers available to them. Our Cyber Choices team are here to help children, teachers and parents with advice and guidance.”_
> 
> Paul Foster – NCA Deputy Director and Head of the National Cyber Crime Unit

The NCA’s report should be a wake-up call, urging parents, educators, and policymakers to work collaboratively to address the growing issue of cybercrime among young people. By fostering open communication, promoting education and awareness, and encouraging responsible online behaviour, we can create a safer and more positive digital environment for future generations.

_**Editor’s Note:** We must have open and honest conversations with young people about their online activities. We need to educate them about the potential risks and consequences of their actions and equip them with the knowledge and skills to navigate the online world safely and responsibly._

1.  **Kids breach and bypass Linux Mint screensaver lock**
2.  **Snapchat Safety for Parents: How to Safeguard Your Child**
3.  **13-year-old student arrested for hacking school computers**
4.  **Utilizing Programmatic Advertising to Locate Abducted Children**
5.  **Gender Diversity in Cybercrime Forums: Women Users on the Rise**

1 in 5 Youth Engage in Cybercrime, NCA Finds

Gentoo Linux Security Advisory 202402-20 - A vulnerability has been discovered in Thunar which may lead to arbitrary code execution Versions greater than or equal to 4.17.3 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202402-20  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Thunar: Arbitrary Code Execution  
     Date: February 18, 2024  
     Bugs: #789396  
       ID: 202402-20

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in Thunar which may lead to  
arbitrary code execution

Background  
==========

Thunar is a modern file manager for the Xfce Desktop Environment. Thunar  
has been designed from the ground up to be fast and easy to use. Its  
user interface is clean and intuitive and does not include any confusing  
or useless options by default. Thunar starts up quickly and navigating  
through files and folders is fast and responsive.

Affected packages  
=================

Package           Vulnerable    Unaffected  
----------------  ------------  ------------  
xfce-base/thunar  < 4.17.3      >= 4.17.3

Description  
===========

A vulnerability has been discovered in Thunar. Please review the CVE  
identifier referenced below for details.

Impact  
======

When called with a regular file as command line argument, Thunar  
would delegate to some other program without user confirmation  
based on the file type. This could be exploited to trigger code  
execution in a chain of vulnerabilities.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Thunar users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=xfce-base/thunar-4.17.3"

References  
==========

[ 1 ] CVE-2021-32563  
      https://nvd.nist.gov/vuln/detail/CVE-2021-32563

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202402-20

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202402-20

Gentoo Linux Security Advisory 202402-19 - A vulnerability has been discovered in libcaca which can lead to arbitrary code execution. Versions greater than or equal to 0.99_beta19-r4 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202402-19  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: libcaca: Arbitary Code Execution  
     Date: February 18, 2024  
     Bugs: #772317  
       ID: 202402-19

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in libcaca which can lead to  
arbitrary code execution.

Background  
==========

libcaca is a library that creates colored ASCII-art graphics.

Affected packages  
=================

Package             Vulnerable        Unaffected  
------------------  ----------------  -----------------  
media-libs/libcaca  < 0.99_beta19-r4  >= 0.99_beta19-r4

Description  
===========

A vulnerability has been discovered in libcaca. Please review the CVE  
identifier referenced below for details.

Impact  
======

A buffer overflow issue in caca_resize function in libcaca/caca/canvas.c  
may lead to local execution of arbitrary code in the user context.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All libcaca users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-libs/libcaca-0.99_beta19-r4"

References  
==========

[ 1 ] CVE-2021-3410  
      https://nvd.nist.gov/vuln/detail/CVE-2021-3410

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202402-19

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202402-19

Gentoo Linux Security Advisory 202402-18 - Multiple vulnerabilities have been discovered in Exim, the worst of which can lead to remote code execution. Versions greater than or equal to 4.97.1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202402-18  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Exim: Multiple Vulnerabilities  
     Date: February 18, 2024  
     Bugs: #914923, #921520  
       ID: 202402-18

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in Exim, the worst of  
which can lead to remote code execution.

Background  
==========

Exim is a message transfer agent (MTA) designed to be a a highly  
configurable, drop-in replacement for sendmail.

Affected packages  
=================

Package        Vulnerable    Unaffected  
-------------  ------------  ------------  
mail-mta/exim  < 4.97.1      >= 4.97.1

Description  
===========

Multiple vulnerabilities have been discovered in Exim. Please review the  
CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Exim users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=mail-mta/exim-4.97.1"

References  
==========

[ 1 ] CVE-2023-42114  
      https://nvd.nist.gov/vuln/detail/CVE-2023-42114  
[ 2 ] CVE-2023-42115  
      https://nvd.nist.gov/vuln/detail/CVE-2023-42115  
[ 3 ] CVE-2023-42116  
      https://nvd.nist.gov/vuln/detail/CVE-2023-42116  
[ 4 ] CVE-2023-42117  
      https://nvd.nist.gov/vuln/detail/CVE-2023-42117  
[ 5 ] CVE-2023-42119  
      https://nvd.nist.gov/vuln/detail/CVE-2023-42119  
[ 6 ] CVE-2023-51766  
      https://nvd.nist.gov/vuln/detail/CVE-2023-51766  
[ 7 ] ZDI-CAN-17433  
[ 8 ] ZDI-CAN-17434  
[ 9 ] ZDI-CAN-17515  
[ 10 ] ZDI-CAN-17554  
[ 11 ] ZDI-CAN-17643

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202402-18

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202402-18

Gentoo Linux Security Advisory 202402-17 - Multiple vulnerabilities have been discovered in CUPS, the worst of which can lead to arbitrary code execution. Versions greater than or equal to 2.4.7 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202402-17  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: CUPS: Multiple Vulnerabilities  
     Date: February 18, 2024  
     Bugs: #847625, #907675, #909018, #914781  
       ID: 202402-17

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in CUPS, the worst of  
which can lead to arbitrary code execution.

Background  
==========

CUPS, the Common Unix Printing System, is a full-featured print server.

Affected packages  
=================

Package         Vulnerable    Unaffected  
--------------  ------------  ------------  
net-print/cups  < 2.4.7       >= 2.4.7

Description  
===========

Multiple vulnerabilities have been discovered in CUPS. Please review the  
CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All CUPS users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-print/cups-2.4.7"

References  
==========

[ 1 ] CVE-2022-26691  
      https://nvd.nist.gov/vuln/detail/CVE-2022-26691  
[ 2 ] CVE-2023-4504  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4504  
[ 3 ] CVE-2023-32324  
      https://nvd.nist.gov/vuln/detail/CVE-2023-32324  
[ 4 ] CVE-2023-34241  
      https://nvd.nist.gov/vuln/detail/CVE-2023-34241

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202402-17

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202402-17

Gentoo Linux Security Advisory 202402-16 - Multiple vulnerabilities have been discovered in Apache Log4j, the worst of which can lead to remote code execution. Versions less than or equal to 1.2.17 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202402-16  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Apache Log4j: Multiple Vulnerabilities  
     Date: February 18, 2024  
     Bugs: #719146  
       ID: 202402-16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in Apache Log4j, the worst  
of which can lead to remote code execution.

Background  
==========

Log4j is a Java logging framework that supports various use cases with a  
rich set of components, a separate API, and a performance-optimized  
implementation.

Affected packages  
=================

Package         Vulnerable    Unaffected  
--------------  ------------  ------------  
dev-java/log4j  <= 1.2.17     Vulnerable!

Description  
===========

Multiple vulnerabilities hav been discovered in Apache Log4j. Please  
review the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

Gentoo has discontinued support for log4j. We recommend that users  
unmerge it:

  # emerge --ask --depclean "dev-java/log4j"

References  
==========

[ 1 ] CVE-2019-17571  
      https://nvd.nist.gov/vuln/detail/CVE-2019-17571  
[ 2 ] CVE-2020-9488  
      https://nvd.nist.gov/vuln/detail/CVE-2020-9488  
[ 3 ] CVE-2020-9493  
      https://nvd.nist.gov/vuln/detail/CVE-2020-9493  
[ 4 ] CVE-2022-23302  
      https://nvd.nist.gov/vuln/detail/CVE-2022-23302  
[ 5 ] CVE-2022-23305  
      https://nvd.nist.gov/vuln/detail/CVE-2022-23305

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202402-16

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202402-16

Gentoo Linux Security Advisory 202402-15 - A vulnerability has been discovered in e2fsprogs which can lead to arbitrary code execution. Versions greater than or equal to 1.46.6 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202402-15  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: e2fsprogs: Arbitrary Code Execution  
     Date: February 18, 2024  
     Bugs: #838388  
       ID: 202402-15

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in e2fsprogs which can lead to  
arbitrary code execution.

Background  
==========

e2fsprogs is a set of utilities for maintaining the ext2, ext3 and ext4  
file systems.

Affected packages  
=================

Package           Vulnerable    Unaffected  
----------------  ------------  ------------  
sys-fs/e2fsprogs  < 1.46.6      >= 1.46.6

Description  
===========

Multiple vulnerabilities have been discovered in e2fsprogs. Please  
review the CVE identifiers referenced below for details.

Impact  
======

An out-of-bounds read/write vulnerability was found in e2fsprogs. This  
issue leads to a segmentation fault and possibly arbitrary code  
execution via a specially crafted filesystem.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All e2fsprogs users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=sys-fs/e2fsprogs-1.46.6"

References  
==========

[ 1 ] CVE-2022-1304  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1304

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202402-15

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202402-15

Red Hat Security Advisory 2024-0851-03 - An update for kpatch-patch is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include a use-after-free vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0851.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: kpatch-patch security updateAdvisory ID:        RHSA-2024:0851-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:0851Issue date:         2024-02-15Revision:           03CVE Names:          CVE-2023-4921====================================================================Summary: An update for kpatch-patch is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel.Security Fix(es):* kernel: use-after-free in sch_qfq network scheduler (CVE-2023-4921)* kernel: ktls overwrites readonly memory pages when using function splice with a ktls socket as destination (CVE-2024-0646)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-4921References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2245514https://bugzilla.redhat.com/show_bug.cgi?id=2253908

Tag

#linux