Security
Security
This GLSA contains notification of vulnerabilities found in several Gentoo packages which have been fixed prior to January 1, 2012. The worst of these vulnerabilities could lead to local privilege escalation and remote code execution. Please see the package list and CVE identifiers below for more information.
| Package | games-sports/racer-bin on all architectures |
|---|---|
| Affected versions | >= 0.5.0-r1 |
| Unaffected versions |
| Package | media-libs/fmod on all architectures |
|---|---|
| Affected versions | < 4.38.00 |
| Unaffected versions | >= 4.38.00 |
| Package | dev-php/PEAR-Mail on all architectures |
|---|---|
| Affected versions | < 1.2.0 |
| Unaffected versions | >= 1.2.0 |
| Package | sys-fs/lvm2 on all architectures |
|---|---|
| Affected versions | < 2.02.72 |
| Unaffected versions | >= 2.02.72 |
| Package | app-office/gnucash on all architectures |
|---|---|
| Affected versions | < 2.4.4 |
| Unaffected versions | >= 2.4.4 |
| Package | media-libs/xine-lib on all architectures |
|---|---|
| Affected versions | < 1.1.19 |
| Unaffected versions | >= 1.1.19 |
| Package | media-sound/lastfmplayer on all architectures |
|---|---|
| Affected versions | < 1.5.4.26862-r3 |
| Unaffected versions | >= 1.5.4.26862-r3 |
| Package | net-libs/webkit-gtk on all architectures |
|---|---|
| Affected versions | < 1.2.7 |
| Unaffected versions | >= 1.2.7 |
| Package | sys-apps/shadow on all architectures |
|---|---|
| Affected versions | < 4.1.4.3 |
| Unaffected versions | >= 4.1.4.3 |
| Package | dev-php/PEAR-PEAR on all architectures |
|---|---|
| Affected versions | < 1.9.2-r1 |
| Unaffected versions | >= 1.9.2-r1 |
| Package | dev-db/unixODBC on all architectures |
|---|---|
| Affected versions | < 2.3.0-r1 |
| Unaffected versions | >= 2.3.0-r1 |
| Package | sys-cluster/resource-agents on all architectures |
|---|---|
| Affected versions | < 1.0.4-r1 |
| Unaffected versions | >= 1.0.4-r1 |
| Package | net-misc/mrouted on all architectures |
|---|---|
| Affected versions | < 3.9.5 |
| Unaffected versions | >= 3.9.5 |
| Package | net-misc/rsync on all architectures |
|---|---|
| Affected versions | < 3.0.8 |
| Unaffected versions | >= 3.0.8 |
| Package | dev-libs/xmlsec on all architectures |
|---|---|
| Affected versions | < 1.2.17 |
| Unaffected versions | >= 1.2.17 |
| Package | x11-apps/xrdb on all architectures |
|---|---|
| Affected versions | < 1.0.9 |
| Unaffected versions | >= 1.0.9 |
| Package | net-misc/vino on all architectures |
|---|---|
| Affected versions | < 2.32.2 |
| Unaffected versions | >= 2.32.2 |
| Package | dev-util/oprofile on all architectures |
|---|---|
| Affected versions | < 0.9.6-r1 |
| Unaffected versions | >= 0.9.6-r1 |
| Package | app-admin/syslog-ng on all architectures |
|---|---|
| Affected versions | < 3.2.4 |
| Unaffected versions | >= 3.2.4 |
| Package | net-analyzer/sflowtool on all architectures |
|---|---|
| Affected versions | < 3.20 |
| Unaffected versions | >= 3.20 |
| Package | gnome-base/gdm on all architectures |
|---|---|
| Affected versions | < 3.8.4-r3 |
| Unaffected versions | >= 3.8.4-r3 |
| Package | net-libs/libsoup on all architectures |
|---|---|
| Affected versions | < 2.34.3 |
| Unaffected versions | >= 2.34.3 |
| Package | app-misc/ca-certificates on all architectures |
|---|---|
| Affected versions | < 20110502-r1 |
| Unaffected versions | >= 20110502-r1 |
| Package | dev-vcs/gitolite on all architectures |
|---|---|
| Affected versions | < 1.5.9.1 |
| Unaffected versions | >= 1.5.9.1 |
| Package | dev-util/qt-creator on all architectures |
|---|---|
| Affected versions | < 2.1.0 |
| Unaffected versions | >= 2.1.0 |
For more information on the packages listed in this GLSA, please see their homepage referenced in the ebuild.
Vulnerabilities have been discovered in the packages listed below. Please review the CVE identifiers in the Reference section for details.
A context-dependent attacker may be able to gain escalated privileges, execute arbitrary code, cause Denial of Service, obtain sensitive information, or otherwise bypass security restrictions.
There are no known workarounds at this time.
All FMOD Studio users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=media-libs/fmod-4.38.00"
All PEAR Mail users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=dev-php/PEAR-Mail-1.2.0"
All LVM2 users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=sys-fs/lvm2-2.02.72"
All GnuCash users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=app-office/gnucash-2.4.4"
All xine-lib users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=media-libs/xine-lib-1.1.19"
All Last.fm Scrobbler users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=media-sound/lastfmplayer-1.5.4.26862-r3"
All WebKitGTK+ users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-1.2.7"
All shadow tool suite users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=sys-apps/shadow-4.1.4.3"
All PEAR users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=dev-php/PEAR-PEAR-1.9.2-r1"
All unixODBC users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=dev-db/unixODBC-2.3.0-r1"
All Resource Agents users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=sys-cluster/resource-agents-1.0.4-r1"
All mrouted users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/mrouted-3.9.5"
All rsync users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/rsync-3.0.8"
All XML Security Library users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=dev-libs/xmlsec-1.2.17"
All xrdb users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=x11-apps/xrdb-1.0.9"
All Vino users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/vino-2.32.2"
All OProfile users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=dev-util/oprofile-0.9.6-r1"
All syslog-ng users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=app-admin/syslog-ng-3.2.4"
All sFlow Toolkit users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=net-analyzer/sflowtool-3.20"
All GNOME Display Manager users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=gnome-base/gdm-3.8.4-r3"
All libsoup users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=net-libs/libsoup-2.34.3"
All CA Certificates users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=app-misc/ca-certificates-20110502-r1"
All Gitolite users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=dev-vcs/gitolite-1.5.9.1"
All QtCreator users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=dev-util/qt-creator-2.1.0"
Gentoo has discontinued support for Racer. We recommend that users unmerge Racer:
# emerge --unmerge "games-sports/racer-bin"
NOTE: This is a legacy GLSA. Updates for all affected architectures have been available since 2012. It is likely that your system is already no longer affected by these issues.
Release date
December 11, 2014
Latest revision
December 11, 2014: 2
Severity
high
Exploitable
local, remote
Bugzilla entries