Dropbear is a relatively small SSH server and client.
+A CRLF injection vulnerability in Dropbear SSH allows remote + authenticated users to bypass intended shell-command restrictions via + crafted X11 forwarding data. +
+A remote authenticated user could execute arbitrary code with the + privileges of the process. +
+There is no known workaround at this time.
+All Dropbear users should upgrade to the latest version:
+ +
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-misc/dropbear-2016.73"
+
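Review bot: the workaround line says none is known, but the description ties the flaw to "crafted X11 forwarding data"; if disabling X11 forwarding for restricted accounts avoids the issue, state that as the workaround, otherwise say why it does not. The impact text ("execute arbitrary code with the privileges of the process") is also broader than the description, which only claims a bypass of shell-command restrictions by an authenticated user; align the two.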
+ Commons-beanutils provides easy-to-use wrappers around Reflection and + Introspection APIs +
+Apache Commons BeanUtils does not suppress the class property, which + allows for the manipulation of the ClassLoader. +
+Remote attackers could potentially execute arbitrary code with the + privileges of the process. +
+There is no known workaround at this time.
+All Commons BeanUtils users should upgrade to the latest version:
+ +
+ # emerge --sync
+ # emerge --ask --oneshot --verbose
+ ">=dev-java/commons-beanutils-1.9.2"
+
+
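Review bot: the upgrade command is broken across two lines, `# emerge --ask --oneshot --verbose` followed by `">=dev-java/commons-beanutils-1.9.2"` on its own line, so a user pasting the first line runs emerge with no package atom. Put the atom on the same line as the command, as the other advisories in this change do. The background sentence ending "Introspection APIs" is also missing its full stop.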
+ Varnish is a web application accelerator.
+Varnish fails to properly validate input from HTTP headers, and does not + deny requests with multiple Content-Length headers. +
+Remote attackers could conduct an HTTP response splitting attack, which + may further enable them to conduct Cross-Site Scripting (XSS), Cache + Poisoning, Defacement, and Page Hijacking. +
+There is no known workaround at this time.
+All Varnish users should upgrade to the latest version:
+ +
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-servers/varnish-3.0.7"
+
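Review bot: the description names two defects (unvalidated HTTP header input and acceptance of multiple Content-Length headers) while the impact covers only HTTP response splitting; say which of the two leads to the splitting and what accepting duplicate Content-Length headers allows, or drop the second clause if it has no separate impact.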
+ Bugzilla is the bug-tracking system from the Mozilla project.
+Multiple vulnerabilities have been discovered in Bugzilla. Please review + the CVE identifiers referenced below for details. +
+Privileged account holders could execute system level commands, and the + new user process could be exploited to allow for the escalation of + privileges. +
+There is no known workaround at this time.
+All Bugzilla 4.x users should upgrade to the latest version:
+ +
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-apps/bugzilla-4.4.12"
+
+
+ All Bugzilla 5.x users should upgrade to the latest version:
+ +
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=www-apps/bugzilla-5.0.3"
+
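Review bot: "the new user process could be exploited" in the impact reads as an operating-system process; if it means the account-creation workflow, say so, and say who can reach it. The description defers entirely to the CVE identifiers, so a one-line summary per issue class would let 4.x and 5.x users judge their exposure without leaving the advisory.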
+ Exim is a message transfer agent (MTA) designed to be a a highly + configurable, drop-in replacement for sendmail. +
+Vulnerabilities have been discovered in Exim’s implementation of + set-uid root and when using ‘perl_startup’. These vulnerabilities + require a user account on the Exim server and a configuration that does + lookups against files to which the user has edit access. +
+A local attacker could possibly execute arbitrary code with the + privileges of the process, or escalate privileges. +
+There is no known workaround at this time.
+All Exim users should upgrade to the latest version:
+ +
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=mail-mta/exim-4.87"
+
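Review bot: duplicated word in the background text, "designed to be a a highly configurable"; drop one "a". The description gives concrete preconditions (a user account on the server plus a configuration that does lookups against files the user can edit), so if a configuration change removes that precondition, list it in place of "There is no known workaround".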
+ This library provides useful functions commonly found on BSD systems, + and lacking on others like GNU systems, thus making it easier to port + projects with strong BSD origins, without needing to embed the same code + over and over again on each project. +
+libbsd contains a buffer overflow in the fgetwln() function. An if + statement, which is responsible for checking the necessity to reallocate + memory in the target buffer, is off by one therefore an out of bounds + write occurs. +
+Remote attackers could potentially execute arbitrary code with the + privileges of the process. +
+There is no known workaround at this time.
+All libbsd users should upgrade to the latest version:
+ +
+ # emerge --sync
+ # emerge --ask --verbose --oneshot ">=dev-libs/libbsd-0.8.2"
+
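Review bot: the impact says "Remote attackers", but the description only establishes an off-by-one out-of-bounds write in fgetwln(); whether it is remotely reachable depends on the program that calls the function on attacker-supplied input, so qualify the impact accordingly. Also, "is off by one therefore an out of bounds write occurs" needs a comma or "so", and the flag order `--ask --verbose --oneshot` differs from the `--ask --oneshot --verbose` used in the other advisories.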
+ Ansible is a radically simple IT automation platform.
+The create_script function in the lxc_container module of Ansible uses + predictable temporary file names, making it vulnerable to a symlink + attack. +
+Local attackers could write arbitrary files or gain escalated privileges + within the container. +
+There is no known workaround at this time.
+All Ansible 1.9.x users should upgrade to the latest version:
+ +
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-admin/ansible-1.9.6"
+
+
+ All Ansible 2.0.2.x users should upgrade to the latest version:
+ +
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-admin/ansible-2.0.2.0-r1"
+
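Review bot: the second upgrade block is addressed to "All Ansible 2.0.2.x users" while its atom is `>=app-admin/ansible-2.0.2.0-r1`, which leaves users of earlier 2.0 releases without an instruction; address it to 2.0.x users if they are affected. The impact also places the escalation "within the container" while the description locates the predictable temporary file in the module's create_script function; state on which side (host or container) the file is created.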
+ NTP contains software for the Network Time Protocol.
+Multiple vulnerabilities have been discovered in NTP. Please review the + CVE identifiers referenced below for details. +
+A remote attacker could possibly cause a Denial of Service condition.
+There is no known workaround at this time.
+All NTP users should upgrade to the latest version:
+ +
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=net-misc/ntp-4.2.8_p8"
+
+ The ethernet monitor program; for keeping track of ethernet/ip address + pairings. +
+Arpwatch does not properly drop supplementary groups.
+Attackers, if able to exploit arpwatch, could escalate privileges + outside of the running process. +
+There is no known workaround at this time.
+All arpwatch users should upgrade to the latest version:
+ +
+ # emerge --sync
+ # emerge --ask --verbose --oneshot ">=net-analyzer/arpwatch-2.1.15-r8"
+
+
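Review bot: the impact sentence "Attackers, if able to exploit arpwatch, could escalate privileges outside of the running process" does not say what the retained supplementary groups give an attacker; tie it to the description by saying that a compromised arpwatch process keeps the group memberships it was started with. The background line is a fragment ("The ethernet monitor program; for keeping track of ...") and the flag order `--ask --verbose --oneshot` differs from the other advisories.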