Gentoo Linux Security Advisory 202305-23 - Multiple vulnerabilities have been discovered in Lua, the worst of which could result in arbitrary code execution.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202305-23  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Lua: Multiple Vulnerabilities  
     Date: May 03, 2023  
     Bugs: #837521, #831053, #520480  
       ID: 202305-23

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in Lua, the worst of which  
could result in arbitrary code execution.

Background  
==========

Lua is a powerful, efficient, lightweight, embeddable scripting  
language. It supports procedural programming, object-oriented  
programming, functional programming, data-driven programming, and data  
description.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
    dev-lang/lua:0                  *  
    dev-lang/lua:5.1        <5.1.5-r200:5.1    >=5.1.5-r200:5.1  
    dev-lang/lua:5.2        <5.2.3:5.2         >=5.2.3:5.2  
    dev-lang/lua:5.4        <5.4.4-r103:5.4    >=5.4.4-r103:5.4

    Description  
===========

Multiple vulnerabilities have been discovered in Lua. Please review the  
CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Lua 5.1 users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-lang/lua-5.1.5-r200"

All Lua 5.3 users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-lang/lua-5.2.3"

All Lua 5.4 users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-lang/lua-5.4.4-r103"

References  
==========

[ 1 ] CVE-2014-5461  
      https://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5461  
[ 2 ] CVE-2021-44647  
      https://nvd.nist.gov/vuln/detail/CVE-2021-44647  
[ 3 ] CVE-2022-28805  
      https://nvd.nist.gov/vuln/detail/CVE-2022-28805

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202305-23

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202305-23

The Databricks Platform as of 2023-01-26 suffered from a cluster isolation bypass vulnerability through insecure defaults and shared storage.

Databricks Platform Cluster Isolation Bypass

Gentoo Linux Security Advisory 202305-22 - Multiple vulnerabilities have been discovered in ISC DHCP, the worst of which could result in denial of service. Versions less than 4.4.3_p1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202305-22  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: ISC DHCP: Multiple Vulnerabilities  
     Date: May 03, 2023  
     Bugs: #875521, #792324  
       ID: 202305-22

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in ISC DHCP, the worst of  
which could result in denial of service.

Background  
==========

ISC DHCP is ISC's reference implementation of all aspects of the Dynamic  
Host Configuration Protocol.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  net-misc/dhcp              < 4.4.3_p1                >= 4.4.3_p1

Description  
===========

Multiple vulnerabilities have been discovered in ISC DHCP. Please review  
the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All ISC DHCP users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-misc/dhcp-4.4.3_p1"

References  
==========

[ 1 ] CVE-2021-25217  
      https://nvd.nist.gov/vuln/detail/CVE-2021-25217  
[ 2 ] CVE-2022-2928  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2928  
[ 3 ] CVE-2022-2929  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2929

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202305-22

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202305-22

Gentoo Linux Security Advisory 202305-20 - A buffer overflow vulnerability has been discovered in libapreq2 which could result in denial of service. Versions less than 2.17 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202305-20  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Low  
    Title: libapreq2: Buffer Overflow  
     Date: May 03, 2023  
     Bugs: #866536  
       ID: 202305-20

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A buffer overflow vulnerability has been discovered in libapreq2 which  
could result in denial of service.

Background  
==========

libapreq is a shared library with associated modules for manipulating  
client request data via the Apache API.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  www-apache/libapreq2       < 2.17                        >= 2.17

Description  
===========

TODO

Impact  
======

An attacker could submit a crafted multipart form to trigger the buffer  
overflow and cause a denial of service.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All libapreq2 users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-apache/libapreq2-2.17"

References  
==========

[ 1 ] CVE-2022-22728  
      https://nvd.nist.gov/vuln/detail/CVE-2022-22728

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202305-20

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202305-20

Gentoo Linux Security Advisory 202305-19 - A vulnerability has been discovered in Firejail which could result in local root privilege escalation.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202305-19  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Firejail: Local Privilege Escalation  
     Date: May 03, 2023  
     Bugs: #850748  
       ID: 202305-19

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in Firejail which could result in  
local root privilege escalation.

Background  
==========

A SUID program that reduces the risk of security breaches by restricting  
the running environment of untrusted applications using Linux namespaces  
and seccomp-bpf.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
Traceback (most recent call last):  
  File "/usr/local/lib/python3.9/site-packages/glsamaker/models/glsa.py", line 326, in generate_mail_table  
    return self._generate_mail_table()  
  File "/usr/local/lib/python3.9/site-packages/glsamaker/models/glsa.py", line 297, in _generate_mail_table  
    vuln.range_types_rev[vuln.pkg_range], vuln.version  
KeyError: None

Description  
===========

Firejail does not sufficiently validate the user's environment prior to  
using it as the root user when using the --join command line option.

Impact  
======

An unprivileged user can exploit this vulnerability to achieve local  
root privileges.

Workaround  
==========

System administrators can mitigate this vulnerability via adding either  
"force-nonewprivs yes" or "join no" to the Firejail configuration file  
in /etc/firejail/firejail.config.

Resolution  
==========

Gentoo has discontinued support for sys-apps/firejail-lts. Users should  
unmerge it in favor of sys-apps/firejail:

  # emerge --ask --depclean --verbose "sys-apps/firejail-lts"  
  # emerge --ask --verbose "sys-apps/firejail"

All Firejail users should upgrade to the latest version:

  # emerge --ask --oneshot --verbose ">=sys-apps/firejail-0.9.70"

References  
==========

[ 1 ] CVE-2022-31214  
      https://nvd.nist.gov/vuln/detail/CVE-2022-31214

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202305-19

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202305-19

Gentoo Linux Security Advisory 202305-18 - Multiple vulnerabilities have been found in libsdl2, the worst of which could result in arbitrary code execution. Versions less than 2.26.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202305-18  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: libsdl2: Multiple Vulnerabilities  
     Date: May 03, 2023  
     Bugs: #836665, #890614  
       ID: 202305-18

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been found in libsdl2, the worst of which  
could result in arbitrary code execution.

Background  
==========

Simple DirectMedia Layer is a cross-platform development library  
designed to provide low level access to audio, keyboard, mouse,  
joystick, and graphics hardware via OpenGL and Direct3D.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  media-libs/libsdl2         < 2.26.0                    >= 2.26.0

Description  
===========

Multiple vulnerabilities have been discovered in libsdl2. Please review  
the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All libsdl2 users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-libs/libsdl2-2.26.0"

References  
==========

[ 1 ] CVE-2021-33657  
      https://nvd.nist.gov/vuln/detail/CVE-2021-33657  
[ 2 ] CVE-2022-4743  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4743

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202305-18

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202305-18

Gentoo Linux Security Advisory 202305-17 - Multiple vulnerabilities have been found in libsdl, the worst of which could result in arbitrary code execution. Versions less than 1.2.15_p20221201>= are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202305-17  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: libsdl: Multiple Vulnerabilities  
     Date: May 03, 2023  
     Bugs: #692388, #836665, #861809  
       ID: 202305-17

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been found in libsdl, the worst of which  
could result in arbitrary code execution.

Background  
==========

Simple DirectMedia Layer is a cross-platform development library  
designed to provide low level access to audio, keyboard, mouse,  
joystick, and graphics hardware via OpenGL and Direct3D.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  media-libs/libsdl          < 1.2.15_p20221201>= 1.2.15_p20221201

Description  
===========

Multiple vulnerabilities have been discovered in SDL. Please review the  
CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All libsdl users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-libs/libsdl-1.2.15_p20221201"

References  
==========

[ 1 ] CVE-2019-7572  
      https://nvd.nist.gov/vuln/detail/CVE-2019-7572  
[ 2 ] CVE-2019-7573  
      https://nvd.nist.gov/vuln/detail/CVE-2019-7573  
[ 3 ] CVE-2019-7574  
      https://nvd.nist.gov/vuln/detail/CVE-2019-7574  
[ 4 ] CVE-2019-7575  
      https://nvd.nist.gov/vuln/detail/CVE-2019-7575  
[ 5 ] CVE-2019-7576  
      https://nvd.nist.gov/vuln/detail/CVE-2019-7576  
[ 6 ] CVE-2019-7577  
      https://nvd.nist.gov/vuln/detail/CVE-2019-7577  
[ 7 ] CVE-2019-7578  
      https://nvd.nist.gov/vuln/detail/CVE-2019-7578  
[ 8 ] CVE-2019-7635  
      https://nvd.nist.gov/vuln/detail/CVE-2019-7635  
[ 9 ] CVE-2019-7636  
      https://nvd.nist.gov/vuln/detail/CVE-2019-7636  
[ 10 ] CVE-2019-7638  
      https://nvd.nist.gov/vuln/detail/CVE-2019-7638  
[ 11 ] CVE-2019-13616  
      https://nvd.nist.gov/vuln/detail/CVE-2019-13616  
[ 12 ] CVE-2021-33657  
      https://nvd.nist.gov/vuln/detail/CVE-2021-33657  
[ 13 ] CVE-2022-34568  
      https://nvd.nist.gov/vuln/detail/CVE-2022-34568

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202305-17

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202305-17

Gentoo Linux Security Advisory 202305-16 - Multiple vulnerabilities have been found in Vim, the worst of which could result in denial of service. Versions less than 9.0.1157 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202305-16  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Low  
    Title: Vim, gVim: Multiple Vulnerabilities  
     Date: May 03, 2023  
     Bugs: #851231, #861092, #869359, #879257, #883681, #889730  
       ID: 202305-16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been found in Vim, the worst of which  
could result in denial of service.

Background  
==========

Vim is an efficient, highly configurable improved version of the classic  
‘vi’ text editor. gVim is the GUI version of Vim.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  app-editors/gvim           < 9.0.1157                >= 9.0.1157  
  2  app-editors/vim            < 9.0.1157                >= 9.0.1157  
  3  app-editors/vim-core       < 9.0.1157                >= 9.0.1157

Description  
===========

Multiple vulnerabilities have been discovered in Vim, gVim. Please  
review the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Vim users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-editors/vim-9.0.1157"

All gVim users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-editors/gvim-9.0.1157"

All vim-core users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-editors/vim-core-9.0.1157"

References  
==========

[ 1 ] CVE-2022-1154  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1154  
[ 2 ] CVE-2022-1160  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1160  
[ 3 ] CVE-2022-1381  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1381  
[ 4 ] CVE-2022-1420  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1420  
[ 5 ] CVE-2022-1616  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1616  
[ 6 ] CVE-2022-1619  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1619  
[ 7 ] CVE-2022-1620  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1620  
[ 8 ] CVE-2022-1621  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1621  
[ 9 ] CVE-2022-1629  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1629  
[ 10 ] CVE-2022-1674  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1674  
[ 11 ] CVE-2022-1720  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1720  
[ 12 ] CVE-2022-1725  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1725  
[ 13 ] CVE-2022-1733  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1733  
[ 14 ] CVE-2022-1735  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1735  
[ 15 ] CVE-2022-1769  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1769  
[ 16 ] CVE-2022-1771  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1771  
[ 17 ] CVE-2022-1785  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1785  
[ 18 ] CVE-2022-1796  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1796  
[ 19 ] CVE-2022-1851  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1851  
[ 20 ] CVE-2022-1886  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1886  
[ 21 ] CVE-2022-1897  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1897  
[ 22 ] CVE-2022-1898  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1898  
[ 23 ] CVE-2022-1927  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1927  
[ 24 ] CVE-2022-1942  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1942  
[ 25 ] CVE-2022-1968  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1968  
[ 26 ] CVE-2022-2000  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2000  
[ 27 ] CVE-2022-2042  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2042  
[ 28 ] CVE-2022-2124  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2124  
[ 29 ] CVE-2022-2125  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2125  
[ 30 ] CVE-2022-2126  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2126  
[ 31 ] CVE-2022-2129  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2129  
[ 32 ] CVE-2022-2175  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2175  
[ 33 ] CVE-2022-2182  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2182  
[ 34 ] CVE-2022-2183  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2183  
[ 35 ] CVE-2022-2206  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2206  
[ 36 ] CVE-2022-2207  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2207  
[ 37 ] CVE-2022-2208  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2208  
[ 38 ] CVE-2022-2210  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2210  
[ 39 ] CVE-2022-2231  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2231  
[ 40 ] CVE-2022-2257  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2257  
[ 41 ] CVE-2022-2264  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2264  
[ 42 ] CVE-2022-2284  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2284  
[ 43 ] CVE-2022-2285  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2285  
[ 44 ] CVE-2022-2286  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2286  
[ 45 ] CVE-2022-2287  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2287  
[ 46 ] CVE-2022-2288  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2288  
[ 47 ] CVE-2022-2289  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2289  
[ 48 ] CVE-2022-2304  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2304  
[ 49 ] CVE-2022-2343  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2343  
[ 50 ] CVE-2022-2344  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2344  
[ 51 ] CVE-2022-2345  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2345  
[ 52 ] CVE-2022-2522  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2522  
[ 53 ] CVE-2022-2816  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2816  
[ 54 ] CVE-2022-2817  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2817  
[ 55 ] CVE-2022-2819  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2819  
[ 56 ] CVE-2022-2845  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2845  
[ 57 ] CVE-2022-2849  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2849  
[ 58 ] CVE-2022-2862  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2862  
[ 59 ] CVE-2022-2874  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2874  
[ 60 ] CVE-2022-2889  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2889  
[ 61 ] CVE-2022-2923  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2923  
[ 62 ] CVE-2022-2946  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2946  
[ 63 ] CVE-2022-2980  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2980  
[ 64 ] CVE-2022-2982  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2982  
[ 65 ] CVE-2022-3016  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3016  
[ 66 ] CVE-2022-3099  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3099  
[ 67 ] CVE-2022-3134  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3134  
[ 68 ] CVE-2022-3153  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3153  
[ 69 ] CVE-2022-3234  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3234  
[ 70 ] CVE-2022-3235  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3235  
[ 71 ] CVE-2022-3256  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3256  
[ 72 ] CVE-2022-3278  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3278  
[ 73 ] CVE-2022-3296  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3296  
[ 74 ] CVE-2022-3297  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3297  
[ 75 ] CVE-2022-3324  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3324  
[ 76 ] CVE-2022-3352  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3352  
[ 77 ] CVE-2022-3491  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3491  
[ 78 ] CVE-2022-3520  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3520  
[ 79 ] CVE-2022-3591  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3591  
[ 80 ] CVE-2022-3705  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3705  
[ 81 ] CVE-2022-4141  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4141  
[ 82 ] CVE-2022-4292  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4292  
[ 83 ] CVE-2022-4293  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4293  
[ 84 ] CVE-2022-47024  
      https://nvd.nist.gov/vuln/detail/CVE-2022-47024  
[ 85 ] CVE-2023-0049  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0049  
[ 86 ] CVE-2023-0051  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0051  
[ 87 ] CVE-2023-0054  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0054

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202305-16

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202305-16

Gentoo Linux Security Advisory 202305-15 - Multiple vulnerabilities have been discovered in systemd, the worst of which could result in denial of service.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202305-15  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: systemd: Multiple Vulnerabilities  
     Date: May 03, 2023  
     Bugs: #880547, #830967  
       ID: 202305-15

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in systemd, the worst of  
which could result in denial of service.

Background  
==========

A system and service manager.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
Traceback (most recent call last):  
  File "/usr/local/lib/python3.9/site-packages/glsamaker/models/glsa.py", line 326, in generate_mail_table  
    return self._generate_mail_table()  
  File "/usr/local/lib/python3.9/site-packages/glsamaker/models/glsa.py", line 297, in _generate_mail_table  
    vuln.range_types_rev[vuln.pkg_range], vuln.version  
KeyError: None

Description  
===========

Multiple vulnerabilities have been discovered in systemd. Please review  
the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All systemd users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=sys-apps/systemd-251.3"

All systemd-utils users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=sys-apps/systemd-utils-251.3"

Gentoo has discontinued support for sys-apps/systemd-tmpfiles, sys-  
boot/systemd-boot, and sys-fs/udev. See the 2022-04-19-systemd-utils  
news item. Users should unmerge it in favor of sys-apps/systemd-utils on  
non-systemd systems:

  # emerge --ask --depclean --verbose "sys-apps/systemd-tmpfiles" "sys-boot/systemd-boot" "sys-fs/udev"  
  # emerge --ask --verbose --oneshot ">=sys-apps/systemd-utils-251.3"

References  
==========

[ 1 ] CVE-2021-3997  
      https://nvd.nist.gov/vuln/detail/CVE-2021-3997  
[ 2 ] CVE-2022-3821  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3821

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202305-15

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202305-15

Gentoo Linux Security Advisory 202305-14 - A vulnerability has been discovered in uptimed which could result in root privilege escalation. Versions less than 0.4.6-r1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202305-14  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: uptimed: Root Privilege Escalation  
     Date: May 03, 2023  
     Bugs: #630810  
       ID: 202305-14

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in uptimed which could result in  
root privilege escalation.

Background  
==========

uptimed is a system uptime record daemon that keeps track of your  
highest uptimes.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  app-misc/uptimed           < 0.4.6-r1                >= 0.4.6-r1

Description  
===========

Via unnecessary file ownership modifications in the pkg_postinst ebuild  
phase, the uptimed user could change arbitrary files to be owned by the  
uptimed user at emerge-time.

Impact  
======

The uptimed user could achieve root privileges when the uptimed package  
is emerged.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All uptimed users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-misc/uptimed-0.4.6-r1"

References  
==========

[ 1 ] CVE-2020-36657  
      https://nvd.nist.gov/vuln/detail/CVE-2020-36657

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202305-14

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Tag

#mac