mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-08-18 10:27:00 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #496 from dm0-/glsa

Browse Source 
Sync GLSAs
This commit is contained in:
David Michael 2016-12-12 11:48:02 -08:00 committed by GitHub
commit 05308d8fbc
13 changed files with 669 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-20.xml vendored Normal file
View File

@ -0,0 +1,52 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201612-20">
<title>jq: Buffer overflow</title>
<synopsis>A buffer overflow in jq might allow remote attackers to execute
arbitrary code.
</synopsis>
<product type="ebuild">jq</product>
<announced>December 08, 2016</announced>
<revised>December 08, 2016: 1</revised>
<bug>580606</bug>
<access>remote</access>
<affected>
<package name="app-misc/jq" auto="yes" arch="*">
<unaffected range="ge">1.5-r2</unaffected>
<vulnerable range="lt">1.5-r2</vulnerable>
</package>
</affected>
<background>
<p>jq is a lightweight and flexible command-line JSON processor.</p>
</background>
<description>
<p>An off-by-one error was discovered in the tokenadd function in
jv_parse.c which triggers a heap-based buffer overflow.
</p>
</description>
<impact type="normal">
<p>A remote attacker could trick a victim into processing a specially
crafted JSON file, possibly resulting in the execution of arbitrary code
with the privileges of the process. Additionally, a remote attacker
could cause a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All jq users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-misc/jq-1.5-r2"
</code>
</resolution>
<references>
<uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8863">
CVE-2015-8863
</uri>
</references>
<metadata tag="requester" timestamp="Tue, 29 Nov 2016 20:07:39 +0000">whissi</metadata>
<metadata tag="submitter" timestamp="Thu, 08 Dec 2016 13:09:23 +0000">whissi</metadata>
</glsa>

55
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-21.xml vendored Normal file
View File

@ -0,0 +1,55 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201612-21">
<title>SQLite: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities were found in SQLite, the worst of which
may allow execution of arbitrary code.
</synopsis>
<product type="ebuild">sqlite</product>
<announced>December 08, 2016</announced>
<revised>December 08, 2016: 1</revised>
<bug>549258</bug>
<bug>574420</bug>
<access>remote</access>
<affected>
<package name="dev-db/sqlite" auto="yes" arch="*">
<unaffected range="ge">3.11.1</unaffected>
<vulnerable range="lt">3.11.1</vulnerable>
</package>
</affected>
<background>
<p>SQLite is a C library that implements an SQL database engine.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in SQLite. Please review
the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could possibly execute arbitrary code with the
privileges of the process, or cause a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All sqlite users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-db/sqlite-3.11.1"
</code>
</resolution>
<references>
<uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7036">
CVE-2015-7036
</uri>
<uri link="http://blog.fuzzing-project.org/10-Two-invalid-read-errors-heap-overflows-in-SQLite-TFPA-0062015.html">
Two invalid read errors / heap overflows in SQLite (TFPA 006/2015)
</uri>
</references>
<metadata tag="requester" timestamp="Tue, 29 Nov 2016 20:57:30 +0000">whissi</metadata>
<metadata tag="submitter" timestamp="Thu, 08 Dec 2016 13:10:39 +0000">whissi</metadata>
</glsa>

51
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-22.xml vendored Normal file
View File

@ -0,0 +1,51 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201612-22">
<title>Coreutils: Arbitrary code execution</title>
<synopsis>A vulnerability in Coreutils could lead to the execution of
arbitrary code or a Denial of Service condition.
</synopsis>
<product type="ebuild">coreutils</product>
<announced>December 08, 2016</announced>
<revised>December 08, 2016: 1</revised>
<bug>530514</bug>
<access>local, remote</access>
<affected>
<package name="sys-apps/coreutils" auto="yes" arch="*">
<unaffected range="ge">8.23</unaffected>
<vulnerable range="lt">8.23</vulnerable>
</package>
</affected>
<background>
<p>The GNU Core Utilities are the basic file, shell and text manipulation
utilities of the GNU operating system.
</p>
</background>
<description>
<p>A memory corruption flaw in GNU Coreutils parse_datetime function was
reported. Applications using parse_datetime(), such as touch or date, may
accepted untrusted input.
</p>
</description>
<impact type="normal">
<p>A remote attacker could possibly execute arbitrary code with the
privileges of the process, or cause a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Coreutils users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=sys-apps/coreutils-8.23"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9471">CVE-2014-9471</uri>
</references>
<metadata tag="requester" timestamp="Sun, 27 Nov 2016 06:48:53 +0000">b-man</metadata>
<metadata tag="submitter" timestamp="Thu, 08 Dec 2016 13:11:59 +0000">whissi</metadata>
</glsa>

56
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-23.xml vendored Normal file
View File

@ -0,0 +1,56 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201612-23">
<title>socat: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in socat, the worst of
which may allow execution of arbitrary code.
</synopsis>
<product type="ebuild">socat</product>
<announced>December 08, 2016</announced>
<revised>December 08, 2016: 1</revised>
<bug>573602</bug>
<access>remote</access>
<affected>
<package name="net-misc/socat" auto="yes" arch="*">
<unaffected range="ge">1.7.3.1</unaffected>
<vulnerable range="lt">1.7.3.1</vulnerable>
</package>
</affected>
<background>
<p>socat is a multipurpose bidirectional relay, similar to netcat.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in socat. Please review
the references below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could possibly execute arbitrary code with the
privileges of the process, or obtain confidential information.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All socat users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-misc/socat-1.7.3.1"
</code>
</resolution>
<references>
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2217">
CVE-2016-2217
</uri>
<uri link="http://www.dest-unreach.org/socat/contrib/socat-secadv7.html">
Socat security advisory 7
</uri>
<uri link="http://www.dest-unreach.org/socat/contrib/socat-secadv8.html">
Socat security advisory 8
</uri>
</references>
<metadata tag="requester" timestamp="Tue, 29 Nov 2016 20:50:25 +0000">whissi</metadata>
<metadata tag="submitter" timestamp="Thu, 08 Dec 2016 13:12:54 +0000">whissi</metadata>
</glsa>

60
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-24.xml vendored Normal file
View File

@ -0,0 +1,60 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201612-24">
<title>Binutils: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities were found in Binutils, the worst of which
may allow execution of arbitrary code.
</synopsis>
<product type="ebuild">binutils</product>
<announced>December 08, 2016</announced>
<revised>December 08, 2016: 1</revised>
<bug>526626</bug>
<access>local, remote</access>
<affected>
<package name="sys-devel/binutils" auto="yes" arch="*">
<unaffected range="ge">2.25</unaffected>
<vulnerable range="lt">2.25</vulnerable>
</package>
</affected>
<background>
<p>The GNU Binutils are a collection of tools to create, modify and analyse
binary files. Many of the files use BFD, the Binary File Descriptor
library, to do low-level manipulation.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Binutils. Please review
the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could entice a user to open a specially crafted file,
possibly resulting in execution of arbitrary code with the privileges of
the process, cause a Denial of Service condition, or overwrite arbitrary
files.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Binutils users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=sys-devel/binutils-2.25"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8484">CVE-2014-8484</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8485">CVE-2014-8485</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8501">CVE-2014-8501</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8502">CVE-2014-8502</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8503">CVE-2014-8503</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8504">CVE-2014-8504</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8737">CVE-2014-8737</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8738">CVE-2014-8738</uri>
</references>
<metadata tag="requester" timestamp="Fri, 25 Nov 2016 00:21:44 +0000">whissi</metadata>
<metadata tag="submitter" timestamp="Thu, 08 Dec 2016 13:14:11 +0000">whissi</metadata>
</glsa>

54
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-25.xml vendored Normal file
View File

@ -0,0 +1,54 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201612-25">
<title>CrackLib: Buffer overflow</title>
<synopsis>A vulnerability in CrackLib could lead to the execution of
arbitrary code.
</synopsis>
<product type="ebuild">cracklib</product>
<announced>December 08, 2016</announced>
<revised>December 08, 2016: 1</revised>
<bug>591456</bug>
<access>local</access>
<affected>
<package name="sys-libs/cracklib" auto="yes" arch="*">
<unaffected range="ge">2.9.6-r1</unaffected>
<vulnerable range="lt">2.9.6-r1</vulnerable>
</package>
</affected>
<background>
<p>CrackLib is a library used to enforce strong passwords by comparing user
selected passwords to words in chosen word lists.
</p>
</background>
<description>
<p>A stack-based buffer overflow was discovered in the FascistGecosUser
function of lib/fascist.c.
</p>
</description>
<impact type="normal">
<p>A local attacker could set a specially crafted GECOS field value in
“/etc/passwd”; possibly resulting in the execution of arbitrary code
with the privileges of the process, a Denial of Service condition, or the
escalation of privileges.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All CrackLib users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=sys-libs/cracklib-2.9.6-r1"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6318">CVE-2016-6318</uri>
</references>
<metadata tag="requester" timestamp="Thu, 31 Dec 2015 02:46:03 +0000">
BlueKnight
</metadata>
<metadata tag="submitter" timestamp="Thu, 08 Dec 2016 13:55:10 +0000">whissi</metadata>
</glsa>

61
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-26.xml vendored Normal file
View File

@ -0,0 +1,61 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201612-26">
<title>OpenJPEG: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in OpenJPEG, the worst of
which may allow execution of arbitrary code.
</synopsis>
<product type="ebuild">openjpeg</product>
<announced>December 08, 2016</announced>
<revised>December 08, 2016: 1</revised>
<bug>560632</bug>
<bug>572430</bug>
<bug>577608</bug>
<bug>594740</bug>
<access>remote</access>
<affected>
<package name="media-libs/openjpeg" auto="yes" arch="*">
<unaffected range="ge">2.1.1_p20160922</unaffected>
<unaffected range="rge">1.5.2</unaffected>
<vulnerable range="lt">2.1.1_p20160922</vulnerable>
</package>
</affected>
<background>
<p>OpenJPEG is an open-source JPEG 2000 library.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in OpenJPEG. Please review
the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could entice a user to open a specially crafted JPEG
file, possibly resulting in execution of arbitrary code or a Denial of
Service condition. Furthermore, a remote attacker may be able to obtain
sensitive information.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All OpenJPEG 2 users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose
"&gt;=media-libs/openjpeg-2.1.1_p20160922:2"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8871">CVE-2015-8871</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1923">CVE-2016-1923</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1924">CVE-2016-1924</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3181">CVE-2016-3181</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3182">CVE-2016-3182</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3183">CVE-2016-3183</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7445">CVE-2016-7445</uri>
</references>
<metadata tag="requester" timestamp="Wed, 07 Dec 2016 23:52:17 +0000">whissi</metadata>
<metadata tag="submitter" timestamp="Thu, 08 Dec 2016 13:55:57 +0000">whissi</metadata>
</glsa>

75
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-27.xml vendored Normal file
View File

@ -0,0 +1,75 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201612-27">
<title>VirtualBox: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in VirtualBox, the worst
of which allows local users to escalate privileges.
</synopsis>
<product type="ebuild">virtualbox</product>
<announced>December 11, 2016</announced>
<revised>December 11, 2016: 2</revised>
<bug>505274</bug>
<bug>537218</bug>
<bug>550964</bug>
<access>local</access>
<affected>
<package name="app-emulation/virtualbox" auto="yes" arch="*">
<unaffected range="ge">4.3.28</unaffected>
<vulnerable range="lt">4.3.28</vulnerable>
</package>
<package name="app-emulation/virtualbox-bin" auto="yes" arch="*">
<unaffected range="ge">4.3.28</unaffected>
<vulnerable range="lt">4.3.28</vulnerable>
</package>
</affected>
<background>
<p>VirtualBox is a powerful virtualization product from Oracle.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in VirtualBox. Please
review the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>Local attackers could cause a Denial of Service condition, execute
arbitrary code, or escalate their privileges.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All VirtualBox users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-emulation/virtualbox-4.3.28"
</code>
<p>All VirtualBox-bin users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose
"&gt;=app-emulation/virtualbox-bin-4.3.28"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0981">CVE-2014-0981</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0983">CVE-2014-0983</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6588">CVE-2014-6588</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6589">CVE-2014-6589</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6590">CVE-2014-6590</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6595">CVE-2014-6595</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0377">CVE-2015-0377</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0418">CVE-2015-0418</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0427">CVE-2015-0427</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3456">CVE-2015-3456</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5608">CVE-2016-5608</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5610">CVE-2016-5610</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5611">CVE-2016-5611</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5613">CVE-2016-5613</uri>
</references>
<metadata tag="requester" timestamp="Wed, 23 Nov 2016 00:13:06 +0000">whissi</metadata>
<metadata tag="submitter" timestamp="Sun, 11 Dec 2016 23:42:01 +0000">b-man</metadata>
</glsa>

46
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-28.xml vendored Normal file
View File

@ -0,0 +1,46 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201612-28">
<title>Docker: Privilege escalation</title>
<synopsis>A vulnerability in Docker could lead to the escalation of
privileges.
</synopsis>
<product type="ebuild"></product>
<announced>December 11, 2016</announced>
<revised>December 11, 2016: 1</revised>
<bug>581236</bug>
<access>remote</access>
<affected>
<package name="app-emulation/docker" auto="yes" arch="*">
<unaffected range="ge">1.11.0</unaffected>
<vulnerable range="lt">1.11.0</vulnerable>
</package>
</affected>
<background>
<p>Docker is the worlds leading software containerization platform.</p>
</background>
<description>
<p>Docker does not properly distinguish between numeric UIDs and string
usernames.
</p>
</description>
<impact type="normal">
<p>Local attackers could possibly escalate their privileges.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Docker users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-emulation/docker-1.11.0"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3697">CVE-2016-3697</uri>
</references>
<metadata tag="requester" timestamp="Sat, 26 Nov 2016 00:31:47 +0000">b-man</metadata>
<metadata tag="submitter" timestamp="Sun, 11 Dec 2016 23:40:37 +0000">b-man</metadata>
</glsa>

51
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-29.xml vendored Normal file
View File

@ -0,0 +1,51 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201612-29">
<title>libmms: Remote execution of arbitrary code</title>
<synopsis>A heap-based buffer overflow vulnerability in libmms might allow
remote attackers to execute arbitrary code.
</synopsis>
<product type="ebuild">libmms</product>
<announced>December 11, 2016</announced>
<revised>December 11, 2016: 1</revised>
<bug>507822</bug>
<access>remote</access>
<affected>
<package name="media-libs/libmms" auto="yes" arch="*">
<unaffected range="ge">0.6.4</unaffected>
<vulnerable range="lt">0.6.4</vulnerable>
</package>
</affected>
<background>
<p>libmms is a library for downloading (streaming) media files using the
mmst and mmsh protocols.
</p>
</background>
<description>
<p>A heap-based buffer overflow was discovered in the get_answer function
within mmsh.c of libmms.
</p>
</description>
<impact type="normal">
<p>A remote attacker might send a specially crafted MMS over HTTP (MMSH)
response, possibly resulting in the remote execution of arbitrary code
with the privileges of the process.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All libmms users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=media-libs/libmms-0.6.4"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2892">CVE-2014-2892</uri>
</references>
<metadata tag="requester" timestamp="Sun, 27 Nov 2016 10:19:34 +0000">b-man</metadata>
<metadata tag="submitter" timestamp="Sun, 11 Dec 2016 23:47:07 +0000">b-man</metadata>
</glsa>

54
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-30.xml vendored Normal file
View File

@ -0,0 +1,54 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201612-30">
<title>SoX: User-assisted execution of arbitrary code</title>
<synopsis>Multiple heap overflows in SoX may allow remote attackers to
execute arbitrary code.
</synopsis>
<product type="ebuild">sox</product>
<announced>December 11, 2016</announced>
<revised>December 11, 2016: 1</revised>
<bug>533296</bug>
<access>remote</access>
<affected>
<package name="media-sound/sox" auto="yes" arch="*">
<unaffected range="ge">14.4.2</unaffected>
<vulnerable range="lt">14.4.2</vulnerable>
</package>
</affected>
<background>
<p>SoX is a command line utility that can convert various formats of
computer audio files in to other formats.
</p>
</background>
<description>
<p>A heap-based buffer overflow can be triggered when processing a
malicious NIST Sphere or WAV audio file.
</p>
</description>
<impact type="normal">
<p>A remote attacker could coerce the victim to run SoX against their
malicious file. This may be leveraged by an attacker to gain control of
program execution with the privileges of the user.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All SoX users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=media-sound/sox-14.4.2"
</code>
</resolution>
<references>
<uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8145">
CVE-2014-8145
</uri>
</references>
<metadata tag="requester" timestamp="Wed, 23 Nov 2016 00:47:17 +0000">whissi</metadata>
<metadata tag="submitter" timestamp="Sun, 11 Dec 2016 23:50:03 +0000">b-man</metadata>
</glsa>

53
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-31.xml vendored Normal file
View File

@ -0,0 +1,53 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201612-31">
<title>exFAT: Multiple vulnerabilities</title>
<synopsis>Two vulnerabilities have been found in exFAT allowing remote
attackers to execute arbitrary code or cause Denial of Service.
</synopsis>
<product type="ebuild"></product>
<announced>December 12, 2016</announced>
<revised>December 12, 2016: 1</revised>
<bug>563936</bug>
<access>remote</access>
<affected>
<package name="sys-fs/exfat-utils" auto="yes" arch="*">
<unaffected range="ge">1.2.1</unaffected>
<vulnerable range="lt">1.2.1</vulnerable>
</package>
</affected>
<background>
<p>A full-featured exFAT file system implementation for Unix-like systems.</p>
</background>
<description>
<p>Two vulnerabilities were found in exFAT. A malformed input can cause a
write heap overflow or cause an endless loop.
</p>
</description>
<impact type="normal">
<p>Remote attackers could execute arbitrary code or cause Denial of
Service.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All exFAT users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=sys-fs/exfat-utils-1.2.1"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8026">CVE-2015-8026</uri>
<uri link="http://blog.fuzzing-project.org/25-Heap-overflow-and-endless-loop-in-exfatfsck-exfat-utils.html">
Heap overflow and endless loop in exfatfsck / exfat-utils
</uri>
</references>
<metadata tag="requester" timestamp="Thu, 31 Dec 2015 02:26:18 +0000">
BlueKnight
</metadata>
<metadata tag="submitter" timestamp="Mon, 12 Dec 2016 00:14:52 +0000">b-man</metadata>
</glsa>

2
sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk vendored
View File

@ -1 +1 @@
Wed, 07 Dec 2016 18:13:28 +0000
Mon, 12 Dec 2016 00:43:15 +0000