Gentoo Linux Security Advisory 202310-1 - Multiple vulnerabilities have been discovered in ClamAV, the worst of which could result in remote code execution. Versions greater than or equal to 0.103.7 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202310-01  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: ClamAV: Multiple Vulnerabilities  
     Date: October 01, 2023  
     Bugs: #831083, #842813, #894672  
       ID: 202310-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in ClamAV, the worst of  
which could result in remote code execution.

Background  
==========

ClamAV is a GPL virus scanner.

Affected packages  
=================

Package               Vulnerable    Unaffected  
--------------------  ------------  ------------  
app-antivirus/clamav  < 0.103.7     >= 0.103.7

Description  
===========

Multiple vulnerabilities have been discovered in ClamAV. Please review  
the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All ClamAV users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-antivirus/clamav-0.103.7"

References  
==========

[ 1 ] CVE-2022-20698  
      https://nvd.nist.gov/vuln/detail/CVE-2022-20698  
[ 2 ] CVE-2022-20770  
      https://nvd.nist.gov/vuln/detail/CVE-2022-20770  
[ 3 ] CVE-2022-20771  
      https://nvd.nist.gov/vuln/detail/CVE-2022-20771  
[ 4 ] CVE-2022-20785  
      https://nvd.nist.gov/vuln/detail/CVE-2022-20785  
[ 5 ] CVE-2022-20792  
      https://nvd.nist.gov/vuln/detail/CVE-2022-20792  
[ 6 ] CVE-2022-20796  
      https://nvd.nist.gov/vuln/detail/CVE-2022-20796  
[ 7 ] CVE-2022-20803  
      https://nvd.nist.gov/vuln/detail/CVE-2022-20803  
[ 8 ] CVE-2023-20032  
      https://nvd.nist.gov/vuln/detail/CVE-2023-20032  
[ 9 ] CVE-2023-20052  
      https://nvd.nist.gov/vuln/detail/CVE-2023-20052

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202310-01

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202310-01

Debian Linux Security Advisory 5512-1 - Several vulnerabilities were discovered in Exim, a mail transport agent, which could result in remote code execution if the EXTERNAL or SPA/NTLM authenticators are used.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5512-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoOctober 02, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : exim4CVE ID         : CVE-2023-42114 CVE-2023-42115 CVE-2023-42116Several vulnerabilities were discovered in Exim, a mail transport agent,which could result in remote code execution if the EXTERNAL or SPA/NTLMauthenticators are used.For the oldstable distribution (bullseye), these problems have been fixedin version 4.94.2-7+deb11u1.For the stable distribution (bookworm), these problems have been fixed inversion 4.96-15+deb12u2.We recommend that you upgrade your exim4 packages.For the detailed security status of exim4 please refer to its securitytracker page at:https://security-tracker.debian.org/tracker/exim4Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmUa1ApfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0TGThAAlhXEHvEOP7MfFaNN2Nh6Dl6wtFkPjYKB7wljZajtIkmk7IgsxREOMDC+In+344UwfMJyZB49uvO15EV1dcHwUlOAIaDrFMN4SyMVWP+OllFEDMnexQ0+UyuPm0AGMdvokXQq+5tgaRjP7ThOVM0z3+hbPzRr4tQi2tjB/0k1/p9vC4aDJuuf1i8MiVDvtF4s38zlB1f6oCezulgb+wd53VGjL6vk8nzCxWe6RNtpsxzZGdRnA30tDGaBPvdMSbDEcx85U7DViAtXzVvJe+1IdSTBxu8rrUqR9Md1V1zLf8PPyblENwZlc/zJ9ad+EuQnYwsiYUnE72pFYO1mR0b8aE7W8V1t96ijOr323oCN2aWI4HWiteEHcGt8UlE9CT1OG+c5caf7s0L984wEigJxYzc9gTtjX1Y5kh2CAjmvjxPO3v+jRQkPqP9i/x/ax0IvXXeffEUtru1qFscXsgsNru53yRHoGGCo1vwNNwBLuNyD48yFukNFc8rxKK+fjJrCOeSuM21k97T86k9B6sA26IFz/eQJtPXrSC6lzyU75RBWmbPrjEsnqv7GsGUtz1RLLqELhorv+u2SChWsxHMd5rOsZ46bDGoIe+SW7A568blD5P/fv36HYPPXPjFRU7XLS7SUE08cxMUkLHJWMJ/fwIIyEtjoL26oW7r60ITaljg==+Ajg-----END PGP SIGNATURE-----

Debian Security Advisory 5512-1

Debian Linux Security Advisory 5511-1 - Several security vulnerabilities have been discovered in mosquitto, a MQTT compatible message broker, which may be abused for a denial of service attack.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5511-1                   security@debian.org  
https://www.debian.org/security/                          Markus Koschany  
October 01, 2023                      https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : mosquitto  
CVE ID         : CVE-2021-34434 CVE-2023-0809 CVE-2023-3592 CVE-2023-28366  
                 CVE-2021-41039  
Debian Bug     : 993400 1001028

Several security vulnerabilities have been discovered in mosquitto, a MQTT  
compatible message broker, which may be abused for a denial of service attack.

CVE-2021-34434

    In Eclipse Mosquitto when using the dynamic security plugin, if the ability  
    for a client to make subscriptions on a topic is revoked when a durable  
    client is offline, then existing subscriptions for that client are not  
    revoked.

CVE-2023-0809

    Fix excessive memory being allocated based on malicious initial packets  
    that are not CONNECT packets.

CVE-2023-3592

    Fix memory leak when clients send v5 CONNECT packets with a will message  
    that contains invalid property types.

CVE-2023-28366

    The broker in Eclipse Mosquitto has a memory leak that can be abused  
    remotely when a client sends many QoS 2 messages with duplicate message  
    IDs, and fails to respond to PUBREC commands. This occurs because of  
    mishandling of EAGAIN from the libc send function.

Additionally CVE-2021-41039 has been fixed for Debian 11 "Bullseye".

CVE-2021-41039

    An MQTT v5 client connecting with a large number of user-property  
    properties could cause excessive CPU usage, leading to a loss of  
    performance and possible denial of service.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 2.0.11-1+deb11u1.

For the stable distribution (bookworm), these problems have been fixed in  
version 2.0.11-1.2+deb12u1.

We recommend that you upgrade your mosquitto packages.

For the detailed security status of mosquitto please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/mosquitto

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmUZx+xfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD  
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7  
UeTgyhAAwGXTLpeJ0n2FCmZdkhOJCz8qgD4nesLMKGnNH4bq0RWgunDe7CSagvMo  
YG83i4+S0xuH0BLL+5Ytu5Y4MTU9cMJXLaOYL0ivomtjQKilS4aoJQ9ps4bfZPff  
ChsFYi2IUB3VZlNaS8yLIh9Rm8630P51Te9jXTktMwvj8SDalt+HRchR2V5sAsK0  
G8fwSgAP4eIUb3xRWJNrHUXSRgiJpHIeWW8WIo9c0V7Tks/rIoYgXNQiQow1Hde5  
B6k8yHk2xwoXOMoTenY9xrrdY9HZuUqVe9qayl+AMREYmcNPmZvZDpMjUSxdOMdp  
JP/YD6nKp92DNlZG82k/45nWFLogAPQUC2SupaUrPQRJ99xDzlby4KkGt95rKMXE  
4tuc0sqR4EM2v9zhp9jmkIAVzQyBf3vVZNu5yyug0+7/jT/fwh/wFW3B3TTFYH4m  
lD3+9i1NPKt3hdBfZKryWDqmYV+86vvGLVPj5AzNF/JEj9wuFC5DzU44M09Qk2rO  
J0FWk0nKg6SznG5zY8k+L+tcpMYg+RoD/kJXZP+OuvSLUcnYw2NWYcW3sDccO/zI  
cVvIWDmnjei4D3VMkATnkHe7HCqO+bX4nvvytgPxj1WhZ17MIGqs7qRJbCEblDRd  
GZAIo0EWhmsZsEwRaXr7II/0qxOJ2EeXiFsbyYzWQCVOknmnzOI=  
=luvt  
-----END PGP SIGNATURE-----

Debian Security Advisory 5511-1

Gentoo Linux Security Advisory 202309-17 - Multiple vulnerabilities have been found in Chromium and its derivatives, the worst of which could result in remote code execution. Versions greater than or equal to 113.0.5672.126 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202309-17  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Chromium, Google Chrome, Microsoft Edge: Multiple Vulnerabilities  
     Date: September 30, 2023  
     Bugs: #893660, #904252, #904394, #904560, #905297, #905620, #905883, #906586  
       ID: 202309-17

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been found in Chromium and its  
derivatives, the worst of which could result in remote code execution.

Background  
==========

Chromium is an open-source browser project that aims to build a safer,  
faster, and more stable way for all users to experience the web.

Google Chrome is one fast, simple, and secure browser for all your  
devices.

Microsoft Edge is a browser that combines a minimal design with  
sophisticated technology to make the web faster, safer, and easier.

Affected packages  
=================

Package                    Vulnerable        Unaffected  
-------------------------  ----------------  -----------------  
www-client/chromium        < 113.0.5672.126  >= 113.0.5672.126  
www-client/chromium-bin    < 113.0.5672.126  Vulnerable!  
www-client/google-chrome   < 113.0.5672.126  >= 113.0.5672.126  
www-client/microsoft-edge  < 113.0.1774.50   >= 113.0.1774.50

Description  
===========

Multiple vulnerabilities have been discovered in Chromium and its  
derivatives. Please review the CVE identifiers referenced below for  
details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Chromium users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/chromium-113.0.5672.126"

All Google Chrome users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/google-chrome-113.0.5672.126"

All Microsoft Edge users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/microsoft-edge-113.0.1774.50"

Gentoo has discontinued support for www-client/chromium-bin. Users  
should unmerge it in favor of the above alternatives:

  # emerge --ask --depclean --verbose "www-client/chromium-bin"

References  
==========

[ 1 ] CVE-2023-0696  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0696  
[ 2 ] CVE-2023-0697  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0697  
[ 3 ] CVE-2023-0698  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0698  
[ 4 ] CVE-2023-0699  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0699  
[ 5 ] CVE-2023-0700  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0700  
[ 6 ] CVE-2023-0701  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0701  
[ 7 ] CVE-2023-0702  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0702  
[ 8 ] CVE-2023-0703  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0703  
[ 9 ] CVE-2023-0704  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0704  
[ 10 ] CVE-2023-0705  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0705  
[ 11 ] CVE-2023-0927  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0927  
[ 12 ] CVE-2023-0928  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0928  
[ 13 ] CVE-2023-0929  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0929  
[ 14 ] CVE-2023-0930  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0930  
[ 15 ] CVE-2023-0931  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0931  
[ 16 ] CVE-2023-0932  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0932  
[ 17 ] CVE-2023-0933  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0933  
[ 18 ] CVE-2023-0941  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0941  
[ 19 ] CVE-2023-1528  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1528  
[ 20 ] CVE-2023-1529  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1529  
[ 21 ] CVE-2023-1530  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1530  
[ 22 ] CVE-2023-1531  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1531  
[ 23 ] CVE-2023-1532  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1532  
[ 24 ] CVE-2023-1533  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1533  
[ 25 ] CVE-2023-1534  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1534  
[ 26 ] CVE-2023-1810  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1810  
[ 27 ] CVE-2023-1811  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1811  
[ 28 ] CVE-2023-1812  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1812  
[ 29 ] CVE-2023-1813  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1813  
[ 30 ] CVE-2023-1814  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1814  
[ 31 ] CVE-2023-1815  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1815  
[ 32 ] CVE-2023-1816  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1816  
[ 33 ] CVE-2023-1817  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1817  
[ 34 ] CVE-2023-1818  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1818  
[ 35 ] CVE-2023-1819  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1819  
[ 36 ] CVE-2023-1820  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1820  
[ 37 ] CVE-2023-1821  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1821  
[ 38 ] CVE-2023-1822  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1822  
[ 39 ] CVE-2023-1823  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1823  
[ 40 ] CVE-2023-2033  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2033  
[ 41 ] CVE-2023-2133  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2133  
[ 42 ] CVE-2023-2134  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2134  
[ 43 ] CVE-2023-2135  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2135  
[ 44 ] CVE-2023-2136  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2136  
[ 45 ] CVE-2023-2137  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2137  
[ 46 ] CVE-2023-2459  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2459  
[ 47 ] CVE-2023-2460  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2460  
[ 48 ] CVE-2023-2461  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2461  
[ 49 ] CVE-2023-2462  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2462  
[ 50 ] CVE-2023-2463  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2463  
[ 51 ] CVE-2023-2464  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2464  
[ 52 ] CVE-2023-2465  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2465  
[ 53 ] CVE-2023-2466  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2466  
[ 54 ] CVE-2023-2467  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2467  
[ 55 ] CVE-2023-2468  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2468  
[ 56 ] CVE-2023-2721  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2721  
[ 57 ] CVE-2023-2722  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2722  
[ 58 ] CVE-2023-2723  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2723  
[ 59 ] CVE-2023-2724  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2724  
[ 60 ] CVE-2023-2725  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2725  
[ 61 ] CVE-2023-2726  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2726  
[ 62 ] CVE-2023-21720  
      https://nvd.nist.gov/vuln/detail/CVE-2023-21720  
[ 63 ] CVE-2023-21794  
      https://nvd.nist.gov/vuln/detail/CVE-2023-21794  
[ 64 ] CVE-2023-23374  
      https://nvd.nist.gov/vuln/detail/CVE-2023-23374  
[ 65 ] CVE-2023-28261  
      https://nvd.nist.gov/vuln/detail/CVE-2023-28261  
[ 66 ] CVE-2023-28286  
      https://nvd.nist.gov/vuln/detail/CVE-2023-28286  
[ 67 ] CVE-2023-29334  
      https://nvd.nist.gov/vuln/detail/CVE-2023-29334  
[ 68 ] CVE-2023-29350  
      https://nvd.nist.gov/vuln/detail/CVE-2023-29350  
[ 69 ] CVE-2023-29354  
      https://nvd.nist.gov/vuln/detail/CVE-2023-29354

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202309-17

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202309-17

Gentoo Linux Security Advisory 202309-16 - Multiple vulnerabilities have been discovered in wpa_supplicant and hostapd, the worst of which could result in arbitrary code execution. Versions greater than or equal to 2.10 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202309-16  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: wpa_supplicant, hostapd: Multiple Vulnerabilities  
     Date: September 30, 2023  
     Bugs: #768759, #780135, #780138, #831332  
       ID: 202309-16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in wpa_supplicant and  
hostapd, the worst of which could result in arbitrary code execution.

Background  
==========

wpa_supplicant is a WPA Supplicant with support for WPA and WPA2 (IEEE  
802.11i / RSN). hostapd is a user space daemon for access point and  
authentication servers.

Affected packages  
=================

Package                      Vulnerable    Unaffected  
---------------------------  ------------  ------------  
net-wireless/hostapd         < 2.10        >= 2.10  
net-wireless/wpa_supplicant  < 2.10        >= 2.10

Description  
===========

Multiple vulnerabilities have been discovered in hostapd and  
wpa_supplicant. Please review the CVE identifiers referenced below for  
details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All wpa_supplicant users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-wireless/wpa_supplicant-2.10"

All hostapd users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-wireless/hostapd-2.10"

References  
==========

[ 1 ] CVE-2021-30004  
      https://nvd.nist.gov/vuln/detail/CVE-2021-30004  
[ 2 ] CVE-2022-23303  
      https://nvd.nist.gov/vuln/detail/CVE-2022-23303  
[ 3 ] CVE-2022-23304  
      https://nvd.nist.gov/vuln/detail/CVE-2022-23304

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202309-16

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202309-16

Debian Linux Security Advisory 5510-1 - Clement Lecigne discovered a heap-based buffer overflow in libvpx, a multimedia library for the VP8 and VP9 video codecs, which may result in the execution of arbitrary code if a specially crafted VP8 media stream is processed.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5510-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoSeptember 29, 2023                    https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : libvpxCVE ID         : CVE-2023-5217Debian Bug     : 1053182Clement Lecigne discovered a heap-based buffer overflow in libvpx, amultimedia library for the VP8 and VP9 video codecs, which may result inthe execution of arbitrary code if a specially crafted VP8 media streamis processed.For the oldstable distribution (bullseye), this problem has been fixedin version 1.9.0-1+deb11u1.For the stable distribution (bookworm), this problem has been fixed inversion 1.12.0-1+deb12u1.We recommend that you upgrade your libvpx packages.For the detailed security status of libvpx please refer to its securitytracker page at:https://security-tracker.debian.org/tracker/libvpxFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmUXPQxfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0RFDA/9GmZkMOfqEBNeItASvUeQAbPu9w7hh/Ah/Ox9gSFZMvD5QmGTs6Zp8lZYTmOKS2Ls1rgQnfM/c+dm6Le4H9e+EtGYvLI0P6KjIk3T+rA+55os3WoUE99KJsZrj0AZM0jsmaQVuV1MbJIJSGo6a49qRkSIF4eS7/rws8xImu73EgcPQiWep70kF8/idqnYYqFEKJwT3Oxp2h4zYLM8Jqt8ji4caTHle20rcQ1tdOBCcqDWH87aNk1kqhWELe281K7sDVYlpyIGSZRsvHbTusESlvp+92sRIQPRDdpMMkSgACBDcHpfCHiJDofDDn+6Z4zA5XRxHOKlHvYvrg9lDSA1eu9V7oaR2YoBRfIcwd4HxB535FjJRNDGtt+0thJnuv+zjiA2yK/GTBju52q+96qGcXhPrGOZiQeth4SdxVnK3FKc3lB6HbMgs4ZERZNhs7AJ4I7pnyX6d8Zux3kPjejrdvBOFT8L+gNYzYn0tkcKHdpK2Xj0OMKboDLFxw26i8GgNb9RUht6Seb1dk2bnel2fJ+rqgxkltpVuTIFjQ942YtHm/a9xj6FLK3D6CtX1masIZ53uo51k2qWAGJWUqovasIQQHBUeOHgFHw+lHNHNlSsiblu6xc9y4B42vpozR449Q3volOr7t7oWv/pmsqrd48ByYXj7NESzD/bm4uOo9E==NrxQ-----END PGP SIGNATURE-----

Debian Security Advisory 5510-1

jSQL Injection is a lightweight application used to find database information from a distant server. jSQL Injection is also part of the official penetration testing distribution Kali Linux and is included in various other distributions like Pentest Box, Parrot Security OS, ArchStrike and BlackArch Linux. This is the source code release.

jSQL Injection 0.93

Gentoo Linux Security Advisory 202309-15 - Multiple vulnerabilities have been found in GNU Binutils, the worst of which could result in denial of service. Versions greater than or equal to 2.40 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202309-15  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: GNU Binutils: Multiple Vulnerabilities  
     Date: September 30, 2023  
     Bugs: #866713, #867937, #903893  
       ID: 202309-15

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been found in GNU Binutils, the worst of  
which could result in denial of service.

Background  
==========

The GNU Binutils are a collection of tools to create, modify and analyse  
binary files. Many of the files use BFD, the Binary File Descriptor  
library, to do low-level manipulation.

Affected packages  
=================

Package             Vulnerable    Unaffected  
------------------  ------------  ------------  
sys-devel/binutils  < 2.40        >= 2.40

Description  
===========

Multiple vulnerabilities have been discovered in GNU Binutils. Please  
review the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All GNU Binutils users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=sys-devel/binutils-2.40"

References  
==========

[ 1 ] CVE-2022-4285  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4285  
[ 2 ] CVE-2022-38126  
      https://nvd.nist.gov/vuln/detail/CVE-2022-38126  
[ 3 ] CVE-2022-38127  
      https://nvd.nist.gov/vuln/detail/CVE-2022-38127  
[ 4 ] CVE-2022-38128  
      https://nvd.nist.gov/vuln/detail/CVE-2022-38128  
[ 5 ] CVE-2022-38533  
      https://nvd.nist.gov/vuln/detail/CVE-2022-38533  
[ 6 ] CVE-2023-1579  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1579  
[ 7 ] CVE-2023-1972  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1972

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202309-15

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202309-15

Debian Linux Security Advisory 5509-1 - A buffer overflow in VP8 media stream processing has been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5509-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffSeptember 29, 2023                    https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : firefox-esrCVE ID         : CVE-2023-5217A buffer overflow in VP8 media stream processing has been found in theMozilla Firefox web browser, which could potentially result in theexecution of arbitrary code.For the oldstable distribution (bullseye), this problem has been fixedin version 115.3.1esr-1~deb11u1.For the stable distribution (bookworm), this problem will be fixedvia the libvpx source package, Firefox ESR in Bookworm links dynamicallyagainst libvpx.We recommend that you upgrade your firefox-esr packages.For the detailed security status of firefox-esr please refer toits security tracker page at:https://security-tracker.debian.org/tracker/firefox-esrFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmUXDYAACgkQEMKTtsN8TjbJSRAAsv7xfSOoUGua0jPwrm84IUtEhshl1L3KhatogD2HbIIVZzDOBjcpR4oQwXGtLUjJJTnwZPwey9tNQQAzIBtPA+u/0Eow2eeUyqtUSEIqBUImdMH6m8GYqQ+ZuGdyvSa+IvbffJqPf4LzzCIZoxo9qQyz6F6K0xQ6c0kv2CCRYpDQHAgP4/E/VNfdOGhoTYhgRinAjeVY/I91hxfYm4783EMoc7L7vXgjOWxXNiPllmAIddCKlIdtgW02fq0lsqOljRfPYsAbc9xe1aVZlCVi+6nJj/jDxhqENn4XLAVJYdZr6W8hevQLADGuwzrTyACeusDaSHdW64X15TDnY8z5wOP/Vj4T9CpRhkQ396fn1eq+x4HF/iUim4ofpDBtb1xa/jAT+OuejqATdku8XvNzZ4l6KkJ7PuotMHvIXxsduNtesPmPUvFWeprCumojh6SbVhlf8YnM6c0c6spMyp3nKqHS59vDkzhKYbz50eFnNw0/q3OvZHndXZOiEjMxCR2GcElaejC8MAei4NuZm57VM5sfSqAUOCOZ1RJNRwsP6HkohmKNfklryjDjBMNudjRuPjVYX6d3Qoi1krDszjvRa+ui6ZljoKrKQFLg2SDEhbxt9akey/ZBr1lqEYNj6QubPNMlkVHYySVcv+IsEK2yww2S9CmCifLrKbNeOoE9o6I==CrEb-----END PGP SIGNATURE-----

Debian Security Advisory 5509-1

Debian Linux Security Advisory 5508-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5508-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffSeptember 29, 2023                    https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2023-5186 CVE-2023-5187 CVE-2023-5217Multiple security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the oldstable distribution (bullseye), these problems have been fixedin version 117.0.5938.132-1~deb11u1.For the stable distribution (bookworm), these problems have been fixed inversion 117.0.5938.132-1~deb12u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmUXDXcACgkQEMKTtsN8TjaQhhAAq9gEaLM0MplRerbQ0xg7lYNIiyCwlFBVM7VgHRIrE13c3T0twkB1JNOuv+5IVyej3L5AITp5VZsQSf1IcYVydf2ABEo/3qU3SEpAg/P/ZLR8ODQA/VGoUXiBRDSr2EwFFmNFNUCIbpea9OqBpxMCsCQkd7fTbcK4GpvSZby9ZnNkSu6o9ZBCoA1BqFsHElijcwvdx7x/+OLtFHT/2NDArgsDHt/1QvocsdxyXVHgbCZ3MVNo2uG1uWaNNsPzoOF5oMe732jTuAFs06/q3e7N7zOyBn13thxGEgSoUS9LA7Ow5kbAU7JGC24nbdEwb2iN69sGPt2N7C8VfPdZQeIpg2SV+3ZOKqKSRdozgUZA52+WEhwqV2TNDlrdcCRqfmW/aRQEEvogs9NolejtkajTR3th99aN0KKDqHR66Syzb7SNggOoXpH8bCi83WvoZKHPh1UjJeaVDDBb3RyioTg9HUfddDicxJoYFmAwSjVuD4LR6leW/q0zP+aUeCBUXVVIU2XMSmiegrrnzAF+oNGVpj2ATn4ecoB+N/6sS9Hg+0FdpoeY9nB1PIRkccP0sURvabZBoyExknsQPdLb3GxmvOXBRmM2Gbup76HrSNmkmgGXbsUEfeUBmPwsqiEceUn4yVSkIv/2LDHZN5hWk9MO+u3qnaT4xiXS5Y2vq6KP89M==nMGQ-----END PGP SIGNATURE-----

Tag

#linux