The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This requires the attacker to get the developer to interact with a domain and subdomain they control, and enter the debugger PIN, but if they are successful it allows access to the debugger even if it is only running on localhost. This also requires the attacker to guess a URL in the developer's application that will trigger the debugger.

Skip to content

**Navigation Menu**

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-34069

**Werkzeug debugger vulnerable to remote execution when interacting with attacker controlled domain**

High severity GitHub Reviewed Published May 5, 2024 in pallets/werkzeug

**Package**

pip Werkzeug (pip)

**Affected versions**

< 3.0.3

**Description**

The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This requires the attacker to get the developer to interact with a domain and subdomain they control, and enter the debugger PIN, but if they are successful it allows access to the debugger even if it is only running on localhost. This also requires the attacker to guess a URL in the developer's application that will trigger the debugger.

**References**

*   GHSA-2g68-c3qc-8985
*   pallets/werkzeug@3386395

Published to the GitHub Advisory Database

May 6, 2024

GHSA-2g68-c3qc-8985: Werkzeug debugger vulnerable to remote execution when interacting with attacker controlled domain

Gentoo Linux Security Advisory 202405-16 - A vulnerability has been discovered in Apache Commons BCEL, which can lead to remote code execution. Versions greater than or equal to 6.6.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202405-16  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Apache Commons BCEL: Remote Code Execution  
     Date: May 05, 2024  
     Bugs: #880447  
       ID: 202405-16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A vulnerability has been discovered in Apache Commons BCEL, which can  
lead to remote code execution.

Background  
=========  
The Byte Code Engineering Library (Apache Commons BCEL™) is intended to  
give users a convenient way to analyze, create, and manipulate (binary)  
Java class files (those ending with .class).

Affected packages  
================  
Package        Vulnerable    Unaffected  
-------------  ------------  ------------  
dev-java/bcel  < 6.6.0       >= 6.6.0

Description  
==========  
A vulnerability has been discovered in U-Boot tools. Please review the  
CVE identifier referenced below for details.

Impact  
=====  
Please review the referenced CVE identifier for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Apache Commons BCEL users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">Þv-java/bcel-6.6.0"

References  
=========  
[ 1 ] CVE-2022-34169  
      https://nvd.nist.gov/vuln/detail/CVE-2022-34169  
[ 2 ] CVE-2022-42920  
      https://nvd.nist.gov/vuln/detail/CVE-2022-42920

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202405-16

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202405-16

Gentoo Linux Security Advisory 202405-15 - Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which can lead to remote code execution. Versions greater than or equal to 115.8.0:esr are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202405-15  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Mozilla Firefox: Multiple Vulnerabilities  
     Date: May 05, 2024  
     Bugs: #925122  
       ID: 202405-15

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in Mozilla Firefox, the  
worst of which can lead to remote code execution.

Background  
=========  
Mozilla Firefox is a popular open-source web browser from the Mozilla  
project.

Affected packages  
================  
Package                 Vulnerable     Unaffected  
----------------------  -------------  --------------  
www-client/firefox      < 115.8.0:esr  >= 115.8.0:esr  
                                       >= 123.0:rapid  
                        < 123.0        >= 123.0  
www-client/firefox-bin  < 115.8.0:esr  >= 115.8.0:esr  
                                       >= 123.0:rapid  
                        < 123.0        >= 123.0

Description  
==========  
Multiple vulnerabilities have been discovered in Mozilla Firefox. Please  
review the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Mozilla Firefox rapid release users should upgrade to the latest  
version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-123.0"

All Mozilla Firefox users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/firefox-123.0"

All Mozilla Firefox ESR users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-115.8.0:esr"

All Mozilla Firefox users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/firefox-115.8.0:esr"

References  
=========  
[ 1 ] CVE-2024-1546  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1546  
[ 2 ] CVE-2024-1547  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1547  
[ 3 ] CVE-2024-1548  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1548  
[ 4 ] CVE-2024-1549  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1549  
[ 5 ] CVE-2024-1550  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1550  
[ 6 ] CVE-2024-1551  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1551  
[ 7 ] CVE-2024-1552  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1552  
[ 8 ] CVE-2024-1553  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1553  
[ 9 ] CVE-2024-1554  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1554  
[ 10 ] CVE-2024-1555  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1555  
[ 11 ] CVE-2024-1556  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1556  
[ 12 ] CVE-2024-1557  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1557

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202405-15

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202405-15

Gentoo Linux Security Advisory 202405-14 - Multiple vulnerabilities have been discovered in QtWebEngine, the worst of which could lead to remote code execution. Versions greater than or equal to 5.15.13_p20240322 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202405-14  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: QtWebEngine: Multiple Vulnerabilities  
     Date: May 05, 2024  
     Bugs: #927746  
       ID: 202405-14

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in QtWebEngine, the worst  
of which could lead to remote code execution.

Background  
=========  
QtWebEngine is a library for rendering dynamic web content in Qt5 and  
Qt6 C++ and QML applications.

Affected packages  
================  
Package             Vulnerable           Unaffected  
------------------  -------------------  --------------------  
dev-qt/qtwebengine  < 5.15.13_p20240322  >= 5.15.13_p20240322

Description  
==========  
Multiple vulnerabilities have been discovered in QtWebEngine. Please  
review the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All QtWebEngine users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">Þv-qt/qtwebengine-5.15.13_p20240322"

References  
=========  
[ 1 ] CVE-2024-0804  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0804  
[ 2 ] CVE-2024-0805  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0805  
[ 3 ] CVE-2024-0806  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0806  
[ 4 ] CVE-2024-0807  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0807  
[ 5 ] CVE-2024-0808  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0808  
[ 6 ] CVE-2024-0809  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0809  
[ 7 ] CVE-2024-0810  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0810  
[ 8 ] CVE-2024-0811  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0811  
[ 9 ] CVE-2024-0812  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0812  
[ 10 ] CVE-2024-0813  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0813  
[ 11 ] CVE-2024-0814  
      https://nvd.nist.gov/vuln/detail/CVE-2024-0814  
[ 12 ] CVE-2024-1059  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1059  
[ 13 ] CVE-2024-1060  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1060  
[ 14 ] CVE-2024-1077  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1077  
[ 15 ] CVE-2024-1283  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1283  
[ 16 ] CVE-2024-1284  
      https://nvd.nist.gov/vuln/detail/CVE-2024-1284

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202405-14

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202405-14

Gentoo Linux Security Advisory 202405-13 - A vulnerability has been discovered in borgmatic, which can lead to shell injection. Versions greater than or equal to 1.8.8 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202405-13  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: borgmatic: Shell Injection  
     Date: May 05, 2024  
     Bugs: #924892  
       ID: 202405-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A vulnerability has been discovered in borgmatic, which can lead to  
shell injection.

Background  
=========  
borgmatic is simple, configuration-driven backup software for servers  
and workstations.

Affected packages  
================  
Package               Vulnerable    Unaffected  
--------------------  ------------  ------------  
app-backup/borgmatic  < 1.8.8       >= 1.8.8

Description  
==========  
Prevent shell injection attacks within the PostgreSQL hook, the MongoDB  
hook, the SQLite hook, the "borgmatic borg" action, and command hook  
variable/constant interpolation.

Impact  
=====  
Shell injection may be used in several borgmatic backends to execute  
arbitrary code.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All borgmatic users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-backup/borgmatic-1.8.8"

References  
=========

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202405-13

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202405-13

Gentoo Linux Security Advisory 202405-12 - Multiple vulnerabilities have been discovered in Pillow, the worst of which can lead to arbitrary code execution. Versions greater than or equal to 10.2.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202405-12  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Pillow: Multiple Vulnerabilities  
     Date: May 05, 2024  
     Bugs: #889594, #903664, #916907, #922577  
       ID: 202405-12

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in Pillow, the worst of  
which can lead to arbitrary code execution.

Background  
=========  
The friendly PIL fork.

Affected packages  
================  
Package            Vulnerable    Unaffected  
-----------------  ------------  ------------  
dev-python/pillow  < 10.2.0      >= 10.2.0

Description  
==========  
Multiple vulnerabilities have been discovered in Pillow. Please review  
the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Pillow users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">Þv-python/pillow-10.2.0"

References  
=========  
[ 1 ] CVE-2023-44271  
      https://nvd.nist.gov/vuln/detail/CVE-2023-44271  
[ 2 ] CVE-2023-50447  
      https://nvd.nist.gov/vuln/detail/CVE-2023-50447

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202405-12

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202405-12

Gentoo Linux Security Advisory 202405-11 - Multiple vulnerabilities have been discovered in MIT krb5, the worst of which could lead to remote code execution. Versions greater than or equal to 1.21.2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202405-11  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: MIT krb5: Multiple Vulnerabilities  
     Date: May 05, 2024  
     Bugs: #803434, #809845, #879875, #917464  
       ID: 202405-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in MIT krb5, the worst of  
which could lead to remote code execution.

Background  
=========  
MIT krb5 is the free implementation of the Kerberos network  
authentication protocol by the Massachusetts Institute of Technology.

Affected packages  
================  
Package             Vulnerable    Unaffected  
------------------  ------------  ------------  
app-crypt/mit-krb5  < 1.21.2      >= 1.21.2

Description  
==========  
Multiple vulnerabilities have been discovered in MIT krb5. Please review  
the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All MIT krb5 users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-crypt/mit-krb5-1.21.2"

References  
=========  
[ 1 ] CVE-2021-36222  
      https://nvd.nist.gov/vuln/detail/CVE-2021-36222  
[ 2 ] CVE-2021-37750  
      https://nvd.nist.gov/vuln/detail/CVE-2021-37750  
[ 3 ] CVE-2022-42898  
      https://nvd.nist.gov/vuln/detail/CVE-2022-42898  
[ 4 ] CVE-2023-36054  
      https://nvd.nist.gov/vuln/detail/CVE-2023-36054  
[ 5 ] CVE-2023-39975  
      https://nvd.nist.gov/vuln/detail/CVE-2023-39975

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202405-11

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202405-11

Gentoo Linux Security Advisory 202405-10 - A vulnerability has been discovered in Setuptools, which can lead to denial of service. Versions greater than or equal to 65.5.1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202405-10  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Setuptools: Denial of Service  
     Date: May 05, 2024  
     Bugs: #879813  
       ID: 202405-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A vulnerability has been discovered in Setuptools, which can lead to  
denial of service.

Background  
=========  
Setuptools is a manager for Python packages.

Affected packages  
================  
Package                Vulnerable    Unaffected  
---------------------  ------------  ------------  
dev-python/setuptools  < 65.5.1      >= 65.5.1

Description  
==========  
A vulnerability has been discovered in Setuptools. See the impact field.

Impact  
=====  
An inefficiency in a regular expression may end in a denial of service  
if an user is fetching malicious HTML from a package in PyPI or a custom  
PackageIndex page.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Setuptools users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">Þv-python/setuptools-65.5.1"

References  
=========  
[ 1 ] CVE-2022-40897  
      https://nvd.nist.gov/vuln/detail/CVE-2022-40897

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202405-10

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202405-10

Gentoo Linux Security Advisory 202405-9 - Multiple vulnerabilities have been found in MediaInfo and MediaInfoLib, the worst of which could allow user-assisted remote code execution. Versions greater than or equal to 23.10 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202405-09  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: MediaInfo, MediaInfoLib: Multiple Vulnerabilities  
     Date: May 04, 2024  
     Bugs: #778992, #836564, #875374, #917612  
       ID: 202405-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been found in MediaInfo and MediaInfoLib,  
the worst of which could allow user-assisted remote code execution.

Background  
=========  
MediaInfo supplies technical and tag information about media files.  
MediaInfoLib contains MediaInfo libraries.

Affected packages  
================  
Package                  Vulnerable    Unaffected  
-----------------------  ------------  ------------  
media-libs/libmediainfo  < 23.10       >= 23.10  
media-video/mediainfo    < 23.10       >= 23.10

Description  
==========  
Multiple vulnerabilities have been discovered in MediaInfo and  
MediaInfoLib. Please review the CVE identifiers referenced below for  
details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All MediaInfo users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-video/mediainfo-23.10"

All MediaInfolib users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-libs/libmediainfo-23.10"

References  
=========

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202405-09

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202405-09

Gentoo Linux Security Advisory 202405-8 - Multiple vulnerabilities have been discovered in strongSwan, the worst of which could possibly lead to remote code execution. Versions greater than or equal to 5.9.10 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202405-08  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: strongSwan: Multiple Vulnerabilities  
     Date: May 04, 2024  
     Bugs: #818841, #832460, #878887, #899964  
       ID: 202405-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in strongSwan, the worst  
of which could possibly lead to remote code execution.

Background  
=========  
strongSwan is an IPSec implementation for Linux.

Affected packages  
================  
Package             Vulnerable    Unaffected  
------------------  ------------  ------------  
net-vpn/strongswan  < 5.9.10      >= 5.9.10

Description  
==========  
Multiple vulnerabilities have been discovered in strongSwan. Please  
review the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All strongSwan users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-vpn/strongswan-5.9.10"

References  
=========  
[ 1 ] CVE-2021-41991  
      https://nvd.nist.gov/vuln/detail/CVE-2021-41991  
[ 2 ] CVE-2021-45079  
      https://nvd.nist.gov/vuln/detail/CVE-2021-45079  
[ 3 ] CVE-2022-40617  
      https://nvd.nist.gov/vuln/detail/CVE-2022-40617  
[ 4 ] CVE-2023-26463  
      https://nvd.nist.gov/vuln/detail/CVE-2023-26463

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202405-08

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Tag

#mac