Gentoo Project

Proxy Maintainers

Security Bug Reports

• app-arch/lrzip: invalid memory read in lzo1x_decompress

  682270 - Assigned to Gentoo Security
• <mail-mta/sendmail-8.18.1-r1: Possibly inadequate key sizes for RSA

  715470 - Assigned to Gentoo Security
• <mail-mta/sendmail-8.16.1: Reconnections may not use STARTTLS

  730890 - Assigned to Gentoo Security
• dev-libs/keystone: multiple vulnerabilities (CVE-2020-{36404,36405})

  799785 - Assigned to Gentoo Security
• <net-irc/weechat-3.3: Websocket vulnerability in relay plugin

  811603 - Assigned to Gentoo Security
• <net-ftp/atftp-0.7.5: multiple vulnerabilities

  813079 - Assigned to Gentoo Security
• <dev-libs/libbpf-0.7.0: multiple vulnerabilities

  830368 - Assigned to Gentoo Security
• <media-libs/openjpeg-2.5.2: Heap-buffer-overflow in color.c:379:42 in sycc420_to_rgb

  832007 - Assigned to Gentoo Security
• <net-irc/atheme-services-7.2.12: authentication bypass with >=net-irc/inspircd-3

  832400 - Assigned to Gentoo Security
• <app-arch/lrzip-0.650: Multiple vulnerabilities

  834456 - Assigned to Gentoo Security
• <net-irc/weechat-3.4.1: SSL verification vulnerability

  835133 - Assigned to Gentoo Security
• net-p2p/go-ethereum: multiple vulnerabilities

  835610 - Assigned to Gentoo Security
• <app-containers/crun-1.4.4: "exec does not set inheritable capabilities"

  835976 - Assigned to Gentoo Security
• dev-libs/stb: reachable assertion in stbi__create_png_image_raw

  836241 - Assigned to Gentoo Security
• app-arch/lrzip: DoS via invalid arithmetic shifts

  856055 - Assigned to Gentoo Security
• <www-servers/caddy-2.5.2: oob read allows for DoS

  860147 - Assigned to Gentoo Security
• <app-benchmarks/hyperfine-1.19.0: 'cargo audit' reports one or more bundled CRATES as vulnerable

  863998 - Assigned to Gentoo Security
• app-shells/nushell: 'cargo audit' reports one or more bundled CRATES as vulnerable

  864031 - Assigned to Gentoo Security
• <media-gfx/blender-3.3.0: multiple vulnerabilities

  865525 - Assigned to Gentoo Security
• <app-backup/amanda-3.5.4: multiple vulnerabilities

  870037 - Assigned to Gentoo Security
• <www-servers/varnish-7.1.2: multiple vulnerabilities

  880627 - Assigned to Gentoo Security
• <app-metrics/node_exporter-1.5.0: basic authentication bypass

  883653 - Assigned to Gentoo Security
• app-containers/buildah: multiple vulnerabilities

  884859 - Assigned to Gentoo Security
• <app-text/mupdf-1.11: multiple vulnerabilities

  886009 - Assigned to Gentoo Security
• <net-libs/libvncserver-0.9.14: multiple vulnerabilities

  887067 - Assigned to Gentoo Security
• <app-arch/upx-4.0.1-r1 <app-arch/upx-bin-4.0.2: multiple vulnerabilities

  890616 - Assigned to Gentoo Security
• <app-crypt/tpm2-tss-3.2.2: Buffer Overflow in TSS2_RC_Decode

  891519 - Assigned to Gentoo Security
• <media-libs/assimp-5.2.5-r1: heap use after free

  891787 - Assigned to Gentoo Security
• <net-dns/knot-resolver-5.6.0: DoS via many TCP connections

  897928 - Assigned to Gentoo Security
• <dev-libs/libtpms-0.9.6: Out-of-bounds access

  898504 - Assigned to Gentoo Security
• app-admin/doas: vulnerable to privilege escalation via TIOCSTI/TIOCLINUX command injection

  901393 - Assigned to Gentoo Security
• <app-arch/upx-4.0.2 <app-arch/upx-bin-4.0.2: multiple vulnerabilities

  903139 - Assigned to Gentoo Security
• <net-misc/frr-8.4.1: DoS vulnerability via reachable assertion

  903757 - Assigned to Gentoo Security
• media-libs/libjxl: multiple vulnerabilities

  905094 - Assigned to Gentoo Security
• <net-libs/libsignal-protocol-c-2.3.3-r1: unsigned integer overflow in bundled protobuf-c

  905098 - Assigned to Gentoo Security
• net-dns/coredns: multiple vulnerabilities

  905301 - Assigned to Gentoo Security
• media-libs/libjxl: assertion failure

  905393 - Assigned to Gentoo Security
• <app-admin/filebeat-7.17.16: credential leakage into logs

  905879 - Assigned to Gentoo Security
• <net-misc/frr-8.4.1: multiple vulnerabilities

  905882 - Assigned to Gentoo Security
• <media-libs/opencv-4.8.0: multiple vulnerabilities

  906106 - Assigned to Gentoo Security
• <net-misc/frr-9.0: multiple vulnerabilities

  906116 - Assigned to Gentoo Security
• <media-libs/openexr-3.1.11: oss-fuzz stack buffer overread

  908257 - Assigned to Gentoo Security
• <media-libs/libjxl-0.8.2: integer underflow leading to infinite loop

  908520 - Assigned to Gentoo Security
• <net-libs/rabbitmq-c-0.13.0: credentials passed on command line

  908818 - Assigned to Gentoo Security
• <net-vpn/i2p-2.3.0: Eepsite deanonymization attack

  911550 - Assigned to Gentoo Security
• <net-misc/frr-9.0.4: multiple vulnerabilities

  913242 - Assigned to Gentoo Security
• <app-backup/borgbackup-1.2.6: Archive spoofing vulnerability

  913407 - Assigned to Gentoo Security
• <net-proxy/squid-6.5: multiple vulnerabilities

  916334 - Assigned to Gentoo Security
• <media-libs/openexr-3.1.12: oss fuzz issues

  916514 - Assigned to Gentoo Security
• <net-misc/frr-9.0.2: multiple vulnerabilities

  916902 - Assigned to Gentoo Security
• <net-misc/croc-10.0.12: multiple vulnerabilities

  918091 - Assigned to Gentoo Security
• <www-servers/caddy-2.7.5: http/2 rapid reset vulnerability

  918413 - Assigned to Gentoo Security
• <www-servers/varnish-7.5.0: http/2 rapid reset vulnerability

  918416 - Assigned to Gentoo Security
• <net-dns/knot-resolver-5.7.0: DoS via TCP reconnections (again)

  918587 - Assigned to Gentoo Security
• dev-libs/stb: multiple vulnerabilities

  918679 - Assigned to Gentoo Security
• <app-shells/fish-3.7.0: command substitution output can trigger shell expansion

  919488 - Assigned to Gentoo Security
• <net-proxy/squid-6.6: Denial of Service in HTTP Request parsing

  920101 - Assigned to Gentoo Security
• <mail-mta/sendmail-8.18.1: smtp smuggling

  921521 - Assigned to Gentoo Security
• <net-dns/knot-resolver-5.7.1: "KeyTrap" DNS DoS vulnerability

  924459 - Assigned to Gentoo Security
• <www-apps/gitea-1.21.5: allows anonymous container access if RequireSignInView is enabled

  925023 - Assigned to Gentoo Security
• <net-p2p/kubo-0.29.0-r1: executes downloaded binaries without verification

  930853 - Assigned to Gentoo Security
• <app-crypt/tpm2-tss-4.0.2: Unchecked magic number in verify quote

  931055 - Assigned to Gentoo Security
• <app-crypt/tpm2-tools-5.6.1: Missing comparison of PCR selection and uncheck magic number in verify quote

  931056 - Assigned to Gentoo Security
• <dev-python/flask-cors-4.0.1: log injection when the log level is set to debug

  931228 - Assigned to Gentoo Security
• <app-containers/skopeo-1.15.1: unexpected authenticated registry accesses

  932453 - Assigned to Gentoo Security
• <app-containers/podman-5.0.3: unexpected authenticated registry access

  936573 - Assigned to Gentoo Security
• <media-libs/assimp-5.4.2: heap-based buffer overflow

  936586 - Assigned to Gentoo Security
• <app-editors/vim-9.1.0794: multiple vulnerabilities

  937126 - Assigned to Gentoo Security
• <net-proxy/squid-6.10: buffer underflow in ESI

  938814 - Assigned to Gentoo Security
• <app-emulation/xen-4.18.4_pre0: Deadlock in vlapic_error()

  940632 - Assigned to Gentoo Security
• <app-containers/podman-5.2.4: improper input validation

  941217 - Assigned to Gentoo Security
• <app-containers/containers-common-0.60.4: improper file path handling when FIPS mode is enabled

  941218 - Assigned to Gentoo Security
• <app-containers/podman-5.2.5: symlink traversal can result in denial of service via OOM

  942556 - Assigned to Gentoo Security
• <app-containers/buildah-1.37.5; symlink traversal can result in denial of service via OOM

  942557 - Assigned to Gentoo Security
• <app-containers/containers-storage-1.55.1: symlink traversal can result in denial of service via OOM

  942559 - Assigned to Gentoo Security
• <net-fs/openafs-1.8.13: multiple vulnerabilities

  943361 - Assigned to Gentoo Security
• <app-emulation/xen-4.18.4_pre1: multiple vulnerabilities

  944489 - Assigned to Tomáš Mózes
• <dev-java/json-smart-2.5.1: possible stack overflow

  947204 - Assigned to Gentoo Security
• <app-editors/vim-9.1.1436: heap-buffer-overflow when switching buffers in visual mode

  947924 - Assigned to Gentoo Security
• <www-servers/nginx-1.26.3: SNI allowed to reuse SSL sessions in a different virtual server

  949354 - Assigned to Gentoo Security
• dev-libs/olm: multiple vulnerabilities

  951441 - Assigned to Gentoo Security
• <www-apps/icingaweb2-module-director-1.11.4: Rest API endpoints accessible to restricted users

  953028 - Assigned to Gentoo Security
• <dev-cpp/abseil-cpp-20250127.1: potential integer overflow in hash container create/resize

  953451 - Assigned to Gentoo Security
• <net-dns/dnsdist-1.9.9: vulnerability to CVE-2025-30194 (DOS via crafted DoH exchange)

  955071 - Assigned to Gentoo Security
• <net-dns/dnsdist-1.9.10: DOS via crafted TCP exchange

  956344 - Assigned to Gentoo Security
• <net-analyzer/wireshark-4.4.7: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

  957157 - Assigned to Gentoo Security
• <dev-libs/libtpms-0.10.1: Out-of-bound access in HMAC Signing

  957795 - Assigned to Gentoo Security
• <media-libs/libavif-1.3.0: integer and resultant buffer overflow

  958975 - Assigned to Gentoo Security
• <www-servers/varnish-7.7.1: Multiple vulnerabilities

  959302 - Assigned to Gentoo Security
• <www-apps/icingadb-web-1.2.2: Exposure of Sensitive Information to an Unauthorized User of Icinga Dependency Views

  960512 - Assigned to Gentoo Security
• <net-dns/dnsdist-1.9.11: DoS in HTTP/2 due to client triggered stream reset

  962197 - Assigned to Gentoo Security
• <www-apps/redmine-6.0.7: multiple vulnerabilities

  963180 - Assigned to Gentoo Security
• <net-analyzer/wireshark-4.4.10: MONGO dissector infinite loop

  963972 - Assigned to Gentoo Security
• <www-servers/varnish-7.7.3: HTTP/2 MadeYouReset vulnerability

  964043 - Assigned to Gentoo Security
• app-emulation/xen: Incorrect removal of permissions on PCI device unplug

  965263 - Assigned to Gentoo Security
• <net-vpn/strongswan-6.0.3: buffer overflow and potential RCE with useflag eap

  965550 - Assigned to Gentoo Security
• <net-proxy/squid-6.14-r1: multiple vulnerabilities

  965708 - Assigned to Gentoo Security
• <app-containers/podman-5.7.0: runc container escape and denial of service due to arbitrary write gadgets and procfs write redirects

  965982 - Assigned to Gentoo Security
• <net-irc/weechat-4.7.2: multiple vulnerabilities

  966398 - Assigned to Gentoo Security
• <www-servers/nginx-1.28.1: (CVE-2025-53859) Processing of a specially crafted login/password in ngx_mail_smtp_module might cause worker process memory disclosure

  967910 - Assigned to Gentoo Security
• <dev-libs/libtpms-0.10.2: Return of wrong initialization vector when certain symmetric ciphers are used

  968286 - Assigned to Gentoo Security
• <media-gfx/gimp-{2.10.38-r4,3.0.6}: multiple vulnerabilities

  969286 - Assigned to Gentoo Security
• <media-gfx/gimp-{2.10.38-r4,3.0.8}: multiple vulnerabilities

  969287 - Assigned to Gentoo Security
• dev-libs/quickjs-ng: Multiple vulnerabilities

  969863 - Assigned to Gentoo Security
• <media-libs/libjxl-0.11.2: Multiple vulnerabilities

  969884 - Assigned to Gentoo Security
• <net-analyzer/wireshark-4.6.4: Multiple vulnerabilities

  970622 - Assigned to Gentoo Security
• app-editors/vim: Multiple vulnerabilities

  970675 - Assigned to Gentoo Security
• <x11-terms/ghostty-1.3.0: Arbitrary command execution via control characters in paste and drag-and-drop operations

  971089 - Assigned to Gentoo Security