From e59dd171743e46a9d9123c3b57139b38a516dabc Mon Sep 17 00:00:00 2001
From: David Michael <david.michael@coreos.com>
Date: Sun, 11 Dec 2016 17:23:41 -0800
Subject: [PATCH] bump(metadata/glsa): sync with upstream

---
 .../metadata/glsa/glsa-201612-20.xml          | 52 +++++++++++++
 .../metadata/glsa/glsa-201612-21.xml          | 55 ++++++++++++++
 .../metadata/glsa/glsa-201612-22.xml          | 51 +++++++++++++
 .../metadata/glsa/glsa-201612-23.xml          | 56 ++++++++++++++
 .../metadata/glsa/glsa-201612-24.xml          | 60 +++++++++++++++
 .../metadata/glsa/glsa-201612-25.xml          | 54 +++++++++++++
 .../metadata/glsa/glsa-201612-26.xml          | 61 +++++++++++++++
 .../metadata/glsa/glsa-201612-27.xml          | 75 +++++++++++++++++++
 .../metadata/glsa/glsa-201612-28.xml          | 46 ++++++++++++
 .../metadata/glsa/glsa-201612-29.xml          | 51 +++++++++++++
 .../metadata/glsa/glsa-201612-30.xml          | 54 +++++++++++++
 .../metadata/glsa/glsa-201612-31.xml          | 53 +++++++++++++
 .../metadata/glsa/timestamp.chk               |  2 +-
 13 files changed, 669 insertions(+), 1 deletion(-)
 create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-20.xml
 create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-21.xml
 create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-22.xml
 create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-23.xml
 create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-24.xml
 create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-25.xml
 create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-26.xml
 create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-27.xml
 create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-28.xml
 create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-29.xml
 create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-30.xml
 create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-31.xml

diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-20.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-20.xml
new file mode 100644
index 0000000000..cc31888da5
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-20.xml
@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201612-20">
+  <title>jq: Buffer overflow</title>
+  <synopsis>A buffer overflow in jq might allow remote attackers to execute
+    arbitrary code.
+  </synopsis>
+  <product type="ebuild">jq</product>
+  <announced>December 08, 2016</announced>
+  <revised>December 08, 2016: 1</revised>
+  <bug>580606</bug>
+  <access>remote</access>
+  <affected>
+    <package name="app-misc/jq" auto="yes" arch="*">
+      <unaffected range="ge">1.5-r2</unaffected>
+      <vulnerable range="lt">1.5-r2</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>jq is a lightweight and flexible command-line JSON processor.</p>
+  </background>
+  <description>
+    <p>An off-by-one error was discovered in the tokenadd function in
+      jv_parse.c which triggers a heap-based buffer overflow.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>A remote attacker could trick a victim into processing a specially
+      crafted JSON file, possibly resulting in the execution of arbitrary code
+      with the privileges of the process.  Additionally, a remote attacker
+      could cause a Denial of Service condition.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All jq users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=app-misc/jq-1.5-r2"
+    </code>
+  </resolution>
+  <references>
+    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8863">
+      CVE-2015-8863
+    </uri>
+  </references>
+  <metadata tag="requester" timestamp="Tue, 29 Nov 2016 20:07:39 +0000">whissi</metadata>
+  <metadata tag="submitter" timestamp="Thu, 08 Dec 2016 13:09:23 +0000">whissi</metadata>
+</glsa>
diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-21.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-21.xml
new file mode 100644
index 0000000000..1e5603e1a4
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-21.xml
@@ -0,0 +1,55 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201612-21">
+  <title>SQLite: Multiple vulnerabilities</title>
+  <synopsis>Multiple vulnerabilities were found in SQLite, the worst of which
+    may allow execution of arbitrary code.
+  </synopsis>
+  <product type="ebuild">sqlite</product>
+  <announced>December 08, 2016</announced>
+  <revised>December 08, 2016: 1</revised>
+  <bug>549258</bug>
+  <bug>574420</bug>
+  <access>remote</access>
+  <affected>
+    <package name="dev-db/sqlite" auto="yes" arch="*">
+      <unaffected range="ge">3.11.1</unaffected>
+      <vulnerable range="lt">3.11.1</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>SQLite is a C library that implements an SQL database engine.</p>
+  </background>
+  <description>
+    <p>Multiple vulnerabilities have been discovered in SQLite. Please review
+      the CVE identifiers referenced below for details.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>A remote attacker could possibly execute arbitrary code with the
+      privileges of the process, or cause a Denial of Service condition.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All sqlite users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=dev-db/sqlite-3.11.1"
+    </code>
+    
+  </resolution>
+  <references>
+    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7036">
+      CVE-2015-7036
+    </uri>
+    <uri link="http://blog.fuzzing-project.org/10-Two-invalid-read-errors-heap-overflows-in-SQLite-TFPA-0062015.html">
+      Two invalid read errors / heap overflows in SQLite (TFPA 006/2015)
+    </uri>
+  </references>
+  <metadata tag="requester" timestamp="Tue, 29 Nov 2016 20:57:30 +0000">whissi</metadata>
+  <metadata tag="submitter" timestamp="Thu, 08 Dec 2016 13:10:39 +0000">whissi</metadata>
+</glsa>
diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-22.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-22.xml
new file mode 100644
index 0000000000..b0c9f471fa
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-22.xml
@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201612-22">
+  <title>Coreutils: Arbitrary code execution</title>
+  <synopsis>A vulnerability in Coreutils could lead to the execution of
+    arbitrary code or a Denial of Service condition.
+  </synopsis>
+  <product type="ebuild">coreutils</product>
+  <announced>December 08, 2016</announced>
+  <revised>December 08, 2016: 1</revised>
+  <bug>530514</bug>
+  <access>local, remote</access>
+  <affected>
+    <package name="sys-apps/coreutils" auto="yes" arch="*">
+      <unaffected range="ge">8.23</unaffected>
+      <vulnerable range="lt">8.23</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>The GNU Core Utilities are the basic file, shell and text manipulation
+      utilities of the GNU operating system.
+    </p>
+  </background>
+  <description>
+    <p>A memory corruption flaw in GNU Coreutils’ parse_datetime function was
+      reported. Applications using parse_datetime(), such as touch or date, may
+      accepted untrusted input.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>A remote attacker could possibly execute arbitrary code with the
+      privileges of the process, or cause a Denial of Service condition.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All Coreutils users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=sys-apps/coreutils-8.23"
+    </code>
+  </resolution>
+  <references>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9471">CVE-2014-9471</uri>
+  </references>
+  <metadata tag="requester" timestamp="Sun, 27 Nov 2016 06:48:53 +0000">b-man</metadata>
+  <metadata tag="submitter" timestamp="Thu, 08 Dec 2016 13:11:59 +0000">whissi</metadata>
+</glsa>
diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-23.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-23.xml
new file mode 100644
index 0000000000..aba9f4d1e4
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-23.xml
@@ -0,0 +1,56 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201612-23">
+  <title>socat: Multiple vulnerabilities</title>
+  <synopsis>Multiple vulnerabilities have been found in socat, the worst of
+    which may allow execution of arbitrary code.
+  </synopsis>
+  <product type="ebuild">socat</product>
+  <announced>December 08, 2016</announced>
+  <revised>December 08, 2016: 1</revised>
+  <bug>573602</bug>
+  <access>remote</access>
+  <affected>
+    <package name="net-misc/socat" auto="yes" arch="*">
+      <unaffected range="ge">1.7.3.1</unaffected>
+      <vulnerable range="lt">1.7.3.1</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>socat is a multipurpose bidirectional relay, similar to netcat.</p>
+  </background>
+  <description>
+    <p>Multiple vulnerabilities have been discovered in socat. Please review
+      the references below for details.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>A remote attacker could possibly execute arbitrary code with the
+      privileges of the process, or obtain confidential information.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All socat users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=net-misc/socat-1.7.3.1"
+    </code>
+  </resolution>
+  <references>
+    <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2217">
+      CVE-2016-2217
+    </uri>
+    <uri link="http://www.dest-unreach.org/socat/contrib/socat-secadv7.html">
+      Socat security advisory 7
+    </uri>
+    <uri link="http://www.dest-unreach.org/socat/contrib/socat-secadv8.html">
+      Socat security advisory 8
+    </uri>
+  </references>
+  <metadata tag="requester" timestamp="Tue, 29 Nov 2016 20:50:25 +0000">whissi</metadata>
+  <metadata tag="submitter" timestamp="Thu, 08 Dec 2016 13:12:54 +0000">whissi</metadata>
+</glsa>
diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-24.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-24.xml
new file mode 100644
index 0000000000..04ef17ed62
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-24.xml
@@ -0,0 +1,60 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201612-24">
+  <title>Binutils: Multiple vulnerabilities</title>
+  <synopsis>Multiple vulnerabilities were found in Binutils, the worst of which
+    may allow execution of arbitrary code.
+  </synopsis>
+  <product type="ebuild">binutils</product>
+  <announced>December 08, 2016</announced>
+  <revised>December 08, 2016: 1</revised>
+  <bug>526626</bug>
+  <access>local, remote</access>
+  <affected>
+    <package name="sys-devel/binutils" auto="yes" arch="*">
+      <unaffected range="ge">2.25</unaffected>
+      <vulnerable range="lt">2.25</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>The GNU Binutils are a collection of tools to create, modify and analyse
+      binary files. Many of the files use BFD, the Binary File Descriptor
+      library, to do low-level manipulation.
+    </p>
+  </background>
+  <description>
+    <p>Multiple vulnerabilities have been discovered in Binutils. Please review
+      the CVE identifiers referenced below for details.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>A remote attacker could entice a user to open a specially crafted file,
+      possibly resulting in execution of arbitrary code with the privileges of
+      the process, cause a Denial of Service condition, or overwrite arbitrary
+      files.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All Binutils users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=sys-devel/binutils-2.25"
+    </code>
+  </resolution>
+  <references>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8484">CVE-2014-8484</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8485">CVE-2014-8485</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8501">CVE-2014-8501</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8502">CVE-2014-8502</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8503">CVE-2014-8503</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8504">CVE-2014-8504</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8737">CVE-2014-8737</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8738">CVE-2014-8738</uri>
+  </references>
+  <metadata tag="requester" timestamp="Fri, 25 Nov 2016 00:21:44 +0000">whissi</metadata>
+  <metadata tag="submitter" timestamp="Thu, 08 Dec 2016 13:14:11 +0000">whissi</metadata>
+</glsa>
diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-25.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-25.xml
new file mode 100644
index 0000000000..72a1e6bee7
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-25.xml
@@ -0,0 +1,54 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201612-25">
+  <title>CrackLib: Buffer overflow</title>
+  <synopsis>A vulnerability in CrackLib could lead to the execution of
+    arbitrary code.
+  </synopsis>
+  <product type="ebuild">cracklib</product>
+  <announced>December 08, 2016</announced>
+  <revised>December 08, 2016: 1</revised>
+  <bug>591456</bug>
+  <access>local</access>
+  <affected>
+    <package name="sys-libs/cracklib" auto="yes" arch="*">
+      <unaffected range="ge">2.9.6-r1</unaffected>
+      <vulnerable range="lt">2.9.6-r1</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>CrackLib is a library used to enforce strong passwords by comparing user
+      selected passwords to words in chosen word lists.
+    </p>
+  </background>
+  <description>
+    <p>A stack-based buffer overflow was discovered in the FascistGecosUser
+      function of lib/fascist.c.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>A local attacker could set a specially crafted GECOS field value in
+      “/etc/passwd”; possibly resulting in the execution of arbitrary code
+      with the privileges of the process, a Denial of Service condition, or the
+      escalation of privileges.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All CrackLib users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=sys-libs/cracklib-2.9.6-r1"
+    </code>
+  </resolution>
+  <references>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6318">CVE-2016-6318</uri>
+  </references>
+  <metadata tag="requester" timestamp="Thu, 31 Dec 2015 02:46:03 +0000">
+    BlueKnight
+  </metadata>
+  <metadata tag="submitter" timestamp="Thu, 08 Dec 2016 13:55:10 +0000">whissi</metadata>
+</glsa>
diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-26.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-26.xml
new file mode 100644
index 0000000000..29273b9b9f
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-26.xml
@@ -0,0 +1,61 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201612-26">
+  <title>OpenJPEG: Multiple vulnerabilities</title>
+  <synopsis>Multiple vulnerabilities have been found in OpenJPEG, the worst of
+    which may allow execution of arbitrary code.
+  </synopsis>
+  <product type="ebuild">openjpeg</product>
+  <announced>December 08, 2016</announced>
+  <revised>December 08, 2016: 1</revised>
+  <bug>560632</bug>
+  <bug>572430</bug>
+  <bug>577608</bug>
+  <bug>594740</bug>
+  <access>remote</access>
+  <affected>
+    <package name="media-libs/openjpeg" auto="yes" arch="*">
+      <unaffected range="ge">2.1.1_p20160922</unaffected>
+      <unaffected range="rge">1.5.2</unaffected>
+      <vulnerable range="lt">2.1.1_p20160922</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>OpenJPEG is an open-source JPEG 2000 library.</p>
+  </background>
+  <description>
+    <p>Multiple vulnerabilities have been discovered in OpenJPEG. Please review
+      the CVE identifiers referenced below for details.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>A remote attacker could entice a user to open a specially crafted JPEG
+      file, possibly resulting in execution of arbitrary code or a Denial of
+      Service condition. Furthermore, a remote attacker may be able to obtain
+      sensitive information.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All OpenJPEG 2 users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose
+      "&gt;=media-libs/openjpeg-2.1.1_p20160922:2"
+    </code>
+  </resolution>
+  <references>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8871">CVE-2015-8871</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1923">CVE-2016-1923</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1924">CVE-2016-1924</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3181">CVE-2016-3181</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3182">CVE-2016-3182</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3183">CVE-2016-3183</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7445">CVE-2016-7445</uri>
+  </references>
+  <metadata tag="requester" timestamp="Wed, 07 Dec 2016 23:52:17 +0000">whissi</metadata>
+  <metadata tag="submitter" timestamp="Thu, 08 Dec 2016 13:55:57 +0000">whissi</metadata>
+</glsa>
diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-27.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-27.xml
new file mode 100644
index 0000000000..f4fd7f646d
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-27.xml
@@ -0,0 +1,75 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201612-27">
+  <title>VirtualBox: Multiple vulnerabilities</title>
+  <synopsis>Multiple vulnerabilities have been found in VirtualBox, the worst
+    of which allows local users to escalate privileges.
+  </synopsis>
+  <product type="ebuild">virtualbox</product>
+  <announced>December 11, 2016</announced>
+  <revised>December 11, 2016: 2</revised>
+  <bug>505274</bug>
+  <bug>537218</bug>
+  <bug>550964</bug>
+  <access>local</access>
+  <affected>
+    <package name="app-emulation/virtualbox" auto="yes" arch="*">
+      <unaffected range="ge">4.3.28</unaffected>
+      <vulnerable range="lt">4.3.28</vulnerable>
+    </package>
+    <package name="app-emulation/virtualbox-bin" auto="yes" arch="*">
+      <unaffected range="ge">4.3.28</unaffected>
+      <vulnerable range="lt">4.3.28</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>VirtualBox is a powerful virtualization product from Oracle.</p>
+  </background>
+  <description>
+    <p>Multiple vulnerabilities have been discovered in VirtualBox. Please
+      review the CVE identifiers referenced below for details.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>Local attackers could cause a Denial of Service condition, execute
+      arbitrary code, or escalate their privileges.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All VirtualBox users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=app-emulation/virtualbox-4.3.28"
+    </code>
+    
+    <p>All VirtualBox-bin users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose
+      "&gt;=app-emulation/virtualbox-bin-4.3.28"
+    </code>
+  </resolution>
+  <references>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0981">CVE-2014-0981</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0983">CVE-2014-0983</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6588">CVE-2014-6588</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6589">CVE-2014-6589</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6590">CVE-2014-6590</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6595">CVE-2014-6595</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0377">CVE-2015-0377</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0418">CVE-2015-0418</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0427">CVE-2015-0427</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3456">CVE-2015-3456</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5608">CVE-2016-5608</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5610">CVE-2016-5610</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5611">CVE-2016-5611</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5613">CVE-2016-5613</uri>
+  </references>
+  <metadata tag="requester" timestamp="Wed, 23 Nov 2016 00:13:06 +0000">whissi</metadata>
+  <metadata tag="submitter" timestamp="Sun, 11 Dec 2016 23:42:01 +0000">b-man</metadata>
+</glsa>
diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-28.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-28.xml
new file mode 100644
index 0000000000..6b944e4c30
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-28.xml
@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201612-28">
+  <title>Docker: Privilege escalation</title>
+  <synopsis>A vulnerability in Docker could lead to the escalation of
+    privileges.
+  </synopsis>
+  <product type="ebuild"></product>
+  <announced>December 11, 2016</announced>
+  <revised>December 11, 2016: 1</revised>
+  <bug>581236</bug>
+  <access>remote</access>
+  <affected>
+    <package name="app-emulation/docker" auto="yes" arch="*">
+      <unaffected range="ge">1.11.0</unaffected>
+      <vulnerable range="lt">1.11.0</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>Docker is the world’s leading software containerization platform.</p>
+  </background>
+  <description>
+    <p>Docker does not properly distinguish between numeric UIDs and string
+      usernames.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>Local attackers could possibly escalate their privileges.</p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All Docker users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=app-emulation/docker-1.11.0"
+    </code>
+  </resolution>
+  <references>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3697">CVE-2016-3697</uri>
+  </references>
+  <metadata tag="requester" timestamp="Sat, 26 Nov 2016 00:31:47 +0000">b-man</metadata>
+  <metadata tag="submitter" timestamp="Sun, 11 Dec 2016 23:40:37 +0000">b-man</metadata>
+</glsa>
diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-29.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-29.xml
new file mode 100644
index 0000000000..a5f95961fb
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-29.xml
@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201612-29">
+  <title>libmms: Remote execution of arbitrary code</title>
+  <synopsis>A heap-based buffer overflow vulnerability in libmms might allow
+    remote attackers to execute arbitrary code.
+  </synopsis>
+  <product type="ebuild">libmms</product>
+  <announced>December 11, 2016</announced>
+  <revised>December 11, 2016: 1</revised>
+  <bug>507822</bug>
+  <access>remote</access>
+  <affected>
+    <package name="media-libs/libmms" auto="yes" arch="*">
+      <unaffected range="ge">0.6.4</unaffected>
+      <vulnerable range="lt">0.6.4</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>libmms is a library for downloading (streaming) media files using the
+      mmst and mmsh protocols.
+    </p>
+  </background>
+  <description>
+    <p>A heap-based buffer overflow was discovered in the get_answer function
+      within mmsh.c of libmms.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>A remote attacker might send a specially crafted MMS over HTTP (MMSH)
+      response, possibly resulting in the remote execution of arbitrary code
+      with the privileges of the process.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All libmms users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=media-libs/libmms-0.6.4"
+    </code>
+  </resolution>
+  <references>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2892">CVE-2014-2892</uri>
+  </references>
+  <metadata tag="requester" timestamp="Sun, 27 Nov 2016 10:19:34 +0000">b-man</metadata>
+  <metadata tag="submitter" timestamp="Sun, 11 Dec 2016 23:47:07 +0000">b-man</metadata>
+</glsa>
diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-30.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-30.xml
new file mode 100644
index 0000000000..f64bf35d55
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-30.xml
@@ -0,0 +1,54 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201612-30">
+  <title>SoX: User-assisted execution of arbitrary code</title>
+  <synopsis>Multiple heap overflows in SoX may allow remote attackers to
+    execute arbitrary code.
+  </synopsis>
+  <product type="ebuild">sox</product>
+  <announced>December 11, 2016</announced>
+  <revised>December 11, 2016: 1</revised>
+  <bug>533296</bug>
+  <access>remote</access>
+  <affected>
+    <package name="media-sound/sox" auto="yes" arch="*">
+      <unaffected range="ge">14.4.2</unaffected>
+      <vulnerable range="lt">14.4.2</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>SoX is a command line utility that can convert various formats of
+      computer audio files in to other formats.
+    </p>
+  </background>
+  <description>
+    <p>A heap-based buffer overflow can be triggered when processing a
+      malicious NIST Sphere or WAV audio file.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>A remote attacker could coerce the victim to run SoX against their
+      malicious file. This may be leveraged by an attacker to gain control of
+      program execution with the privileges of the user.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All SoX users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=media-sound/sox-14.4.2"
+    </code>
+    
+  </resolution>
+  <references>
+    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8145">
+      CVE-2014-8145
+    </uri>
+  </references>
+  <metadata tag="requester" timestamp="Wed, 23 Nov 2016 00:47:17 +0000">whissi</metadata>
+  <metadata tag="submitter" timestamp="Sun, 11 Dec 2016 23:50:03 +0000">b-man</metadata>
+</glsa>
diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-31.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-31.xml
new file mode 100644
index 0000000000..3328cc0df4
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-31.xml
@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201612-31">
+  <title>exFAT: Multiple vulnerabilities</title>
+  <synopsis>Two vulnerabilities have been found in exFAT allowing remote
+    attackers to execute arbitrary code or cause Denial of Service.
+  </synopsis>
+  <product type="ebuild"></product>
+  <announced>December 12, 2016</announced>
+  <revised>December 12, 2016: 1</revised>
+  <bug>563936</bug>
+  <access>remote</access>
+  <affected>
+    <package name="sys-fs/exfat-utils" auto="yes" arch="*">
+      <unaffected range="ge">1.2.1</unaffected>
+      <vulnerable range="lt">1.2.1</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>A full-featured exFAT file system implementation for Unix-like systems.</p>
+  </background>
+  <description>
+    <p>Two vulnerabilities were found in exFAT. A malformed input can cause a
+      write heap overflow or cause an endless loop.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>Remote attackers could execute arbitrary code or cause Denial of
+      Service.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All exFAT users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=sys-fs/exfat-utils-1.2.1"
+    </code>
+  </resolution>
+  <references>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8026">CVE-2015-8026</uri>
+    <uri link="http://blog.fuzzing-project.org/25-Heap-overflow-and-endless-loop-in-exfatfsck-exfat-utils.html">
+      Heap overflow and endless loop in exfatfsck / exfat-utils
+    </uri>
+  </references>
+  <metadata tag="requester" timestamp="Thu, 31 Dec 2015 02:26:18 +0000">
+    BlueKnight
+  </metadata>
+  <metadata tag="submitter" timestamp="Mon, 12 Dec 2016 00:14:52 +0000">b-man</metadata>
+</glsa>
diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk b/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk
index 92f073798b..09cda85a2c 100644
--- a/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk
+++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk
@@ -1 +1 @@
-Wed, 07 Dec 2016 18:13:28 +0000
+Mon, 12 Dec 2016 00:43:15 +0000