mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-10-02 19:11:20 +02:00
Code Issues Packages Projects Releases Wiki Activity

bump(metadata/glsa): sync with upstream

Browse Source
This commit is contained in:
David Michael 2017-10-09 11:51:02 -07:00
parent c357d7637d
commit 1aea7a18e8
12 changed files with 564 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201705-15.xml vendored
View File

@ -5,13 +5,13 @@
<synopsis>A vulnerability in sudo allows local users to gain root privileges.</synopsis>
<product type="ebuild">sudo,privilege</product>
<announced>2017-05-30</announced>
<revised>2017-05-30: 1</revised>
<revised>2017-10-07: 3</revised>
<bug>620182</bug>
<access>local</access>
<affected>
<package name="app-admin/sudo" auto="yes" arch="*">
<unaffected range="ge">1.8.20_p1</unaffected>
<vulnerable range="lt">1.8.20_p1</vulnerable>
<unaffected range="ge">1.8.20_p2</unaffected>
<vulnerable range="lt">1.8.20_p2</vulnerable>
</package>
</affected>
<background>
@ -27,6 +27,8 @@
user-controlled, arbitrary tty device during its traversal of “/dev”
by utilizing the world-writable /dev/shm.
</p>
<p>For further information, please see the Qualys Security Advisory</p>
</description>
<impact type="high">
<p>A local attacker can pretend that his tty is any character device on the
@ -43,7 +45,7 @@
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-admin/sudo-1.8.20_p1"
# emerge --ask --oneshot --verbose "&gt;=app-admin/sudo-1.8.20_p2"
</code>
</resolution>
@ -51,7 +53,10 @@
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1000367">
CVE-2017-1000367
</uri>
<uri link="https://www.qualys.com/2017/05/30/cve-2017-1000367/cve-2017-1000367.txt">
Qualys Security Advisory for CVE-2017-1000367
</uri>
</references>
<metadata tag="requester" timestamp="2017-05-30T07:27:08Z">K_F</metadata>
<metadata tag="submitter" timestamp="2017-05-30T15:17:59Z">K_F</metadata>
<metadata tag="submitter" timestamp="2017-10-07T14:23:55Z">K_F</metadata>
</glsa>

61
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201710-01.xml vendored Normal file
View File

@ -0,0 +1,61 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201710-01">
<title>RubyGems: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities were found in RubyGems, the worst of which
allows execution of arbitrary code.
</synopsis>
<product type="ebuild">rubygems</product>
<announced>2017-10-08</announced>
<revised>2017-10-08: 1</revised>
<bug>629230</bug>
<access>remote</access>
<affected>
<package name="dev-ruby/rubygems" auto="yes" arch="*">
<unaffected range="ge">2.6.13</unaffected>
<vulnerable range="lt">2.6.13</vulnerable>
</package>
</affected>
<background>
<p>RubyGems is a sophisticated package manager for Ruby.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in RubyGems. Please review
the referenced CVE identifiers for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker, by enticing a user to install a specially crafted
gem, could possibly execute arbitrary code with the privileges of the
process or cause a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All RubyGems users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-ruby/rubygems-2.6.13"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-0899">
CVE-2017-0899
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-0900">
CVE-2017-0900
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-0901">
CVE-2017-0901
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-0902">
CVE-2017-0902
</uri>
</references>
<metadata tag="requester" timestamp="2017-10-03T14:54:42Z">chrisadr</metadata>
<metadata tag="submitter" timestamp="2017-10-08T12:53:26Z">chrisadr</metadata>
</glsa>

53
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201710-02.xml vendored Normal file
View File

@ -0,0 +1,53 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201710-02">
<title>file: Stack-based buffer overflow</title>
<synopsis>A stack-based buffer overflow was found in file, possibly resulting
in the execution of arbitrary code.
</synopsis>
<product type="ebuild">file</product>
<announced>2017-10-08</announced>
<revised>2017-10-08: 1</revised>
<bug>629872</bug>
<access>remote</access>
<affected>
<package name="sys-apps/file" auto="yes" arch="*">
<unaffected range="ge">5.32</unaffected>
<vulnerable range="lt">5.32</vulnerable>
</package>
</affected>
<background>
<p>file is a utility that guesses a file format by scanning binary data for
patterns.
</p>
</background>
<description>
<p>An issue discovered in file allows attackers to write 20 bytes to the
stack buffer via a specially crafted .notes section.
</p>
</description>
<impact type="normal">
<p>A remote attacker, by using a specially crafted .notes section in an ELF
binary, could execute arbitrary code or cause a Denial of Service
condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All file users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=sys-apps/file-5.32"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1000249">
CVE-2017-1000249
</uri>
</references>
<metadata tag="requester" timestamp="2017-09-29T23:38:45Z">chrisadr</metadata>
<metadata tag="submitter" timestamp="2017-10-08T13:26:24Z">chrisadr</metadata>
</glsa>

59
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201710-03.xml vendored Normal file
View File

@ -0,0 +1,59 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201710-03">
<title>ICU: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in ICU, the worst of which
could allow remote code execution.
</synopsis>
<product type="ebuild">icu</product>
<announced>2017-10-08</announced>
<revised>2017-10-08: 1</revised>
<bug>616468</bug>
<access>remote</access>
<affected>
<package name="dev-libs/icu" auto="yes" arch="*">
<unaffected range="ge">58.2-r1</unaffected>
<vulnerable range="lt">58.2-r1</vulnerable>
</package>
</affected>
<background>
<p>ICU is a mature, widely used set of C/C++ and Java libraries providing
Unicode and Globalization support for software applications.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in ICU. Please review the
referenced CVE identifiers for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could possibly execute arbitrary code with the
privileges of the process or cause a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All ICU users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-libs/icu-58.2-r1"
</code>
<p>Packages which depend on this library may need to be recompiled. Tools
such as revdep-rebuild may assist in identifying some of these packages.
</p>
</resolution>
<references>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7867">
CVE-2017-7867
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7868">
CVE-2017-7868
</uri>
</references>
<metadata tag="requester" timestamp="2017-10-03T15:56:43Z">chrisadr</metadata>
<metadata tag="submitter" timestamp="2017-10-08T13:30:01Z">chrisadr</metadata>
</glsa>

52
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201710-04.xml vendored Normal file
View File

@ -0,0 +1,52 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201710-04">
<title>sudo: Privilege escalation</title>
<synopsis>A vulnerability in sudo allows local users to gain root privileges.</synopsis>
<product type="ebuild">sudo</product>
<announced>2017-10-08</announced>
<revised>2017-10-08: 1</revised>
<bug>620482</bug>
<access>local</access>
<affected>
<package name="app-admin/sudo" auto="yes" arch="*">
<unaffected range="ge">1.8.20_p2</unaffected>
<vulnerable range="lt">1.8.20_p2</vulnerable>
</package>
</affected>
<background>
<p>sudo (su “do”) allows a system administrator to delegate authority
to give certain users (or groups of users) the ability to run some (or
all) commands as root or another user while providing an audit trail of
the commands and their arguments.
</p>
</background>
<description>
<p>The fix present in app-admin/sudo-1.8.20_p1 (GLSA 201705-15) was
incomplete as it did not address the problem of a command with a newline
in the name.
</p>
</description>
<impact type="high">
<p>A local attacker could execute arbitrary code with root privileges.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All sudo users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-admin/sudo-1.8.20_p2"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1000368">
CVE-2017-1000368
</uri>
<uri link="https://security.gentoo.org/glsa/201705-15">GLSA 201705-15</uri>
</references>
<metadata tag="requester" timestamp="2017-10-05T18:00:01Z">chrisadr</metadata>
<metadata tag="submitter" timestamp="2017-10-08T13:34:25Z">chrisadr</metadata>
</glsa>

50
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201710-05.xml vendored Normal file
View File

@ -0,0 +1,50 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201710-05">
<title>Munin: Arbitrary file write</title>
<synopsis>A vulnerability in Munin allows local attackers to overwrite any
file accessible to the www-data user.
</synopsis>
<product type="ebuild">munin</product>
<announced>2017-10-08</announced>
<revised>2017-10-08: 1</revised>
<bug>610602</bug>
<access>local</access>
<affected>
<package name="net-analyzer/munin" auto="yes" arch="*">
<unaffected range="ge">2.0.33</unaffected>
<vulnerable range="lt">2.0.33</vulnerable>
</package>
</affected>
<background>
<p>Munin is an open source server monitoring tool.</p>
</background>
<description>
<p>When Munin is compiled with CGI graphics enabled then the files
accessible to the www-data user can be overwritten.
</p>
</description>
<impact type="normal">
<p>A local attacker, by setting multiple upper_limit GET parameters, could
overwrite files accessible to the www-user.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Munin users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-analyzer/munin-2.0.33"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6188">
CVE-2017-6188
</uri>
</references>
<metadata tag="requester" timestamp="2017-10-01T22:42:42Z">chrisadr</metadata>
<metadata tag="submitter" timestamp="2017-10-08T13:43:10Z">chrisadr</metadata>
</glsa>

101
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201710-06.xml vendored Normal file
View File

@ -0,0 +1,101 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201710-06">
<title>PostgreSQL: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in PostgreSQL, the worst
of which could result in privilege escalation.
</synopsis>
<product type="ebuild">postgresql</product>
<announced>2017-10-08</announced>
<revised>2017-10-08: 1</revised>
<bug>618462</bug>
<bug>627462</bug>
<access>remote</access>
<affected>
<package name="dev-db/postgresql" auto="yes" arch="*">
<unaffected range="ge" slot="9.6">9.6.4</unaffected>
<unaffected range="ge" slot="9.5">9.5.8</unaffected>
<unaffected range="ge" slot="9.4">9.4.13</unaffected>
<unaffected range="ge" slot="9.3">9.3.18</unaffected>
<unaffected range="ge" slot="9.2">9.2.22</unaffected>
<vulnerable range="lt">9.6.4</vulnerable>
</package>
</affected>
<background>
<p>PostgreSQL is an open source object-relational database management
system.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in PostgreSQL. Please
review the referenced CVE identifiers for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could escalate privileges, cause a Denial of Service
condition, obtain passwords, cause a loss in information, or obtain
sensitive information.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All PostgreSQL 9.6.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-db/postgresql-9.6.4"
</code>
<p>All PostgreSQL 9.5.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-db/postgresql-9.5.8"
</code>
<p>All PostgreSQL 9.4.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-db/postgresql-9.4.13"
</code>
<p>All PostgreSQL 9.3.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-db/postgresql-9.3.18"
</code>
<p>All PostgreSQL 9.2.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-db/postgresql-9.2.22"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7484">
CVE-2017-7484
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7485">
CVE-2017-7485
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7486">
CVE-2017-7486
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7546">
CVE-2017-7546
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7547">
CVE-2017-7547
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7548">
CVE-2017-7548
</uri>
</references>
<metadata tag="requester" timestamp="2017-10-02T06:12:53Z">BlueKnight</metadata>
<metadata tag="submitter" timestamp="2017-10-08T13:55:26Z">chrisadr</metadata>
</glsa>

54
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201710-07.xml vendored Normal file
View File

@ -0,0 +1,54 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201710-07">
<title>OCaml: Privilege escalation</title>
<synopsis>A vulnerability in OCaml may allow local users to gain root
privileges.
</synopsis>
<product type="ebuild">ocaml</product>
<announced>2017-10-08</announced>
<revised>2017-10-08: 1</revised>
<bug>622544</bug>
<access>remote</access>
<affected>
<package name="dev-lang/ocaml" auto="yes" arch="*">
<unaffected range="ge">4.04.2</unaffected>
<vulnerable range="lt">4.04.2</vulnerable>
</package>
</affected>
<background>
<p>OCaml is a high-level, strongly-typed, functional, and object-oriented
programming language from the ML family of languages.
</p>
</background>
<description>
<p>A bad sanitization of environment variables: CAML_CPLUGINS,
CAML_NATIVE_CPLUGINS and CAML_BYTE_CPLUGINS in the OCaml compiler allows
the execution of raised privileges via external code.
</p>
</description>
<impact type="high">
<p>A local attacker, by using specially crafted environment variables,
could possibly escalate privileges to the root group.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All OCaml users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-lang/ocaml-4.04.2"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9772">
CVE-2017-9772
</uri>
</references>
<metadata tag="requester" timestamp="2017-09-27T11:54:27Z">b-man</metadata>
<metadata tag="submitter" timestamp="2017-10-08T14:04:43Z">chrisadr</metadata>
</glsa>

56
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201710-08.xml vendored Normal file
View File

@ -0,0 +1,56 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201710-08">
<title>Pacemaker: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Pacemaker, the worst of
which could result in the execution of arbitrary code.
</synopsis>
<product type="ebuild">pacemaker</product>
<announced>2017-10-08</announced>
<revised>2017-10-08: 1</revised>
<bug>546550</bug>
<bug>599194</bug>
<access>local, remote</access>
<affected>
<package name="sys-cluster/pacemaker" auto="yes" arch="*">
<unaffected range="ge">1.1.16 </unaffected>
<vulnerable range="lt">1.1.16</vulnerable>
</package>
</affected>
<background>
<p>Pacemaker is an Open Source, High Availability resource manager suitable
for both small and large clusters.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Pacemaker. Please
review the referenced CVE identifiers for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could execute arbitrary code or a local attacker could
escalate privileges.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Pacemaker users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=sys-cluster/pacemaker-1.1.16 "
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1867">
CVE-2015-1867
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7035">
CVE-2016-7035
</uri>
</references>
<metadata tag="requester" timestamp="2017-09-03T21:27:22Z">BlueKnight</metadata>
<metadata tag="submitter" timestamp="2017-10-08T14:14:41Z">chrisadr</metadata>
</glsa>

66
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201710-09.xml vendored Normal file
View File

@ -0,0 +1,66 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201710-09">
<title>PCRE2: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in PCRE2, the worst of
which may allow remote attackers to execute arbitrary code.
</synopsis>
<product type="ebuild">libpcre2</product>
<announced>2017-10-08</announced>
<revised>2017-10-08: 1</revised>
<bug>614050</bug>
<bug>617942</bug>
<bug>617944</bug>
<access>remote</access>
<affected>
<package name="dev-libs/libpcre2" auto="yes" arch="*">
<unaffected range="ge">10.30</unaffected>
<vulnerable range="lt">10.30</vulnerable>
</package>
</affected>
<background>
<p>PCRE2 is a project based on PCRE (Perl Compatible Regular Expressions)
which has a new and revised API.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in PCRE2. Please review
the referenced CVE identifiers for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could possibly execute arbitrary code with the
privileges of the process, cause a Denial of Service condition, or have
other unspecified impacts.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All PCRE2 users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-libs/libpcre2-10.30"
</code>
<p>Packages which depend on this library may need to be recompiled. Tools
such as revdep-rebuild may assist in identifying some of these packages.
</p>
</resolution>
<references>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7186">
CVE-2017-7186
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8399">
CVE-2017-8399
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8786">
CVE-2017-8786
</uri>
</references>
<metadata tag="requester" timestamp="2017-09-19T01:23:39Z">chrisadr</metadata>
<metadata tag="submitter" timestamp="2017-10-08T14:42:50Z">chrisadr</metadata>
</glsa>

2
sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk vendored
View File

@ -1 +1 @@
Fri, 29 Sep 2017 17:39:27 +0000
Mon, 09 Oct 2017 18:08:59 +0000

2
sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.commit vendored
View File

@ -1 +1 @@
612f47deca97e8d7ffc2100c1dbc82a602abdf39 1506632095 2017-09-28T20:54:55+00:00
6563aef7bcf2b256b39e321f440df3efe76f81f4 1507473808 2017-10-08T14:43:28+00:00