mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-12-15 22:31:59 +01:00
Code Issues Packages Projects Releases Wiki Activity

bump(metadata/glsa): sync with upstream

Browse Source
This commit is contained in:
David Michael 2017-07-09 17:18:14 -07:00
parent 6265999206
commit 2327a315bb
18 changed files with 955 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

55
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201706-27.xml vendored Normal file
View File

@ -0,0 +1,55 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201706-27">
<title>FreeRADIUS: Security bypass</title>
<synopsis>A vulnerability in FreeRADIUS might allow remote attackers to
bypass authentication.
</synopsis>
<product type="ebuild">freeradius</product>
<announced>2017-06-27</announced>
<revised>2017-06-27: 1</revised>
<bug>620186</bug>
<access>remote</access>
<affected>
<package name="net-dialup/freeradius" auto="yes" arch="*">
<unaffected range="ge">3.0.14</unaffected>
<vulnerable range="lt">3.0.14</vulnerable>
</package>
</affected>
<background>
<p>FreeRADIUS is an open source RADIUS authentication server.</p>
</background>
<description>
<p>It was discovered that the implementation of TTLS and PEAP in FreeRADIUS
skips inner authentication when it handles a resumed TLS connection. The
affected versions of FreeRADIUS fails to reliably prevent the resumption
of unauthenticated sessions unless the TLS session cache is disabled
completely.
</p>
</description>
<impact type="normal">
<p>An unauthenticated remote user can bypass authentication by starting a
session, and then resuming an unauthenticated TLS session before inner
authentication has been completed successfully.
</p>
</impact>
<workaround>
<p>Set “enabled = no” in the cache subsection of eap module settings to
disable TLS session caching.
</p>
</workaround>
<resolution>
<p>All FreeRADIUS users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-dialup/freeradius-3.0.14"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9148">CVE-2017-9148</uri>
</references>
<metadata tag="requester" timestamp="2017-06-09T12:42:38Z">whissi</metadata>
<metadata tag="submitter" timestamp="2017-06-27T09:57:00Z">whissi</metadata>
</glsa>

67
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201706-28.xml vendored Normal file
View File

@ -0,0 +1,67 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201706-28">
<title>LibreOffice: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in LibreOffice, the worst
of which allows for the remote execution of arbitrary code.
</synopsis>
<product type="ebuild">libreoffice</product>
<announced>2017-06-27</announced>
<revised>2017-06-27: 1</revised>
<bug>616472</bug>
<access>remote</access>
<affected>
<package name="app-office/libreoffice" auto="yes" arch="*">
<unaffected range="ge">5.2.7.2</unaffected>
<vulnerable range="lt">5.2.7.2</vulnerable>
</package>
<package name="app-office/libreoffice-bin" auto="yes" arch="*">
<unaffected range="ge">5.2.7.2</unaffected>
<vulnerable range="lt">5.2.7.2</vulnerable>
</package>
</affected>
<background>
<p>LibreOffice is a powerful office suite; its clean interface and powerful
tools let you unleash your creativity and grow your productivity.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in LibreOffice. Please
review the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could entice a user to open a specially crafted file
using LibreOffice, possibly resulting in execution of arbitrary code with
the privileges of the process or a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All LibreOffice users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-office/libreoffice-5.2.7.2"
</code>
<p>All LibreOffice binary users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose
"&gt;=app-office/libreoffice-bin-5.2.7.2"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10327">
CVE-2016-10327
</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7870">CVE-2017-7870</uri>
</references>
<metadata tag="requester" timestamp="2017-06-08T18:53:54Z">whissi</metadata>
<metadata tag="submitter" timestamp="2017-06-27T09:57:51Z">whissi</metadata>
</glsa>

67
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201706-29.xml vendored Normal file
View File

@ -0,0 +1,67 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201706-29">
<title>KAuth and KDELibs: Privilege escalation</title>
<synopsis>A vulnerability in KAuth and KDELibs allows local users to gain
root privileges.
</synopsis>
<product type="ebuild">kauth,kdelibs</product>
<announced>2017-06-27</announced>
<revised>2017-06-27: 1</revised>
<bug>618108</bug>
<access>local</access>
<affected>
<package name="kde-frameworks/kauth" auto="yes" arch="*">
<unaffected range="ge">5.29.0-r1</unaffected>
<vulnerable range="lt">5.29.0-r1</vulnerable>
</package>
<package name="kde-frameworks/kdelibs" auto="yes" arch="*">
<unaffected range="ge">4.14.32</unaffected>
<vulnerable range="lt">4.14.32</vulnerable>
</package>
</affected>
<background>
<p>KAuth provides a convenient, system-integrated way to offload actions
that need to be performed as a privileged user (root, for example) to
small (hopefully secure) helper utilities.
</p>
<p>The KDE libraries, basis of KDE and used by many open source projects.</p>
</background>
<description>
<p>KAuth and KDELibs contains a logic flaw in which the service invoking
D-Bus is not properly checked. This allows spoofing the identity of the
caller and with some carefully crafted calls can lead to gaining root
from an unprivileged account.
</p>
</description>
<impact type="high">
<p>A local attacker could spoof the identity of the caller invoking D-Bus,
possibly resulting in gaining privileges.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All KAuth users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=kde-frameworks/kauth-5.29.0-r1"
</code>
<p>All KDELibs users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=kde-frameworks/kdelibs-4.14.32"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8422">CVE-2017-8422</uri>
</references>
<metadata tag="requester" timestamp="2017-06-06T14:01:55Z">whissi</metadata>
<metadata tag="submitter" timestamp="2017-06-27T09:58:27Z">whissi</metadata>
</glsa>

91
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201707-01.xml vendored Normal file
View File

@ -0,0 +1,91 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201707-01">
<title>IcedTea: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in IcedTea, the worst of
which may allow execution of arbitrary code.
</synopsis>
<product type="ebuild">icedtea</product>
<announced>2017-07-05</announced>
<revised>2017-07-05: 1</revised>
<bug>607676</bug>
<bug>609562</bug>
<bug>618874</bug>
<bug>619458</bug>
<access>remote</access>
<affected>
<package name="dev-java/icedtea-bin" auto="yes" arch="*">
<unaffected range="ge" slot="7">7.2.6.10</unaffected>
<unaffected range="ge" slot="8">3.4.0</unaffected>
<vulnerable range="lt">7.2.6.10</vulnerable>
<vulnerable range="lt">3.4.0</vulnerable>
</package>
</affected>
<background>
<p>IcedTeas aim is to provide OpenJDK in a form suitable for easy
configuration, compilation and distribution with the primary goal of
allowing inclusion in GNU/Linux distributions.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in IcedTea. Please review
the CVE identifiers referenced below for details.
</p>
<p>Note: If the web browser plug-in provided by the dev-java/icedtea-web
package was installed, the issues exposed via Java applets could have
been exploited without user interaction if a user visited a malicious
website.
</p>
</description>
<impact type="normal">
<p>A remote attacker could possibly execute arbitrary code with the
privileges of the process, gain access to information, or cause a Denial
of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All IcedTea binary 7.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-java/icedtea-bin-7.2.6.10:7"
</code>
<p>All IcedTea binary 3.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-java/icedtea-bin-3.4.0:8"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2183">CVE-2016-2183</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5546">CVE-2016-5546</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5547">CVE-2016-5547</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5548">CVE-2016-5548</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5549">CVE-2016-5549</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5552">CVE-2016-5552</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3231">CVE-2017-3231</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3241">CVE-2017-3241</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3252">CVE-2017-3252</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3253">CVE-2017-3253</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3260">CVE-2017-3260</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3261">CVE-2017-3261</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3272">CVE-2017-3272</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3289">CVE-2017-3289</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3509">CVE-2017-3509</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3511">CVE-2017-3511</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3512">CVE-2017-3512</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3514">CVE-2017-3514</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3526">CVE-2017-3526</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3533">CVE-2017-3533</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3539">CVE-2017-3539</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3544">CVE-2017-3544</uri>
</references>
<metadata tag="requester" timestamp="2017-01-31T16:38:05Z">whissi</metadata>
<metadata tag="submitter" timestamp="2017-07-05T09:02:19Z">whissi</metadata>
</glsa>

56
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201707-02.xml vendored Normal file
View File

@ -0,0 +1,56 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201707-02">
<title>Game Music Emu: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Game Music Emu, the
worst of which could lead to the execution of arbitrary code.
</synopsis>
<product type="ebuild">game-music-emu</product>
<announced>2017-07-08</announced>
<revised>2017-07-08: 1</revised>
<bug>603092</bug>
<access>remote</access>
<affected>
<package name="media-libs/game-music-emu" auto="yes" arch="*">
<unaffected range="ge" slot="">0.6.1</unaffected>
<vulnerable range="lt" slot="">0.6.1</vulnerable>
</package>
</affected>
<background>
<p>Game Music Emu is a multi-purpose console music emulator and player
library.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Game Music Emu. Please
review the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could entice a user to open a specially crafted SPC
music file, using Game Music Emu or an application linked against the
Game Music Emu library, possibly resulting in execution of arbitrary code
with the privileges of the process or a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Game Music Emu users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=media-libs/game-music-emu-0.6.1"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9957">CVE-2016-9957</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9958">CVE-2016-9958</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9959">CVE-2016-9959</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9960">CVE-2016-9960</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9961">CVE-2016-9961</uri>
</references>
<metadata tag="requester" timestamp="2017-03-24T05:27:52Z">BlueKnight</metadata>
<metadata tag="submitter" timestamp="2017-07-08T12:04:39Z">whissi</metadata>
</glsa>

66
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201707-03.xml vendored Normal file
View File

@ -0,0 +1,66 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201707-03">
<title>phpMyAdmin: Security bypass</title>
<synopsis>A vulnerability in phpMyAdmin might allow remote attackers to
bypass authentication.
</synopsis>
<product type="ebuild">phpmyadmin</product>
<announced>2017-07-08</announced>
<revised>2017-07-08: 1</revised>
<bug>614522</bug>
<access>remote</access>
<affected>
<package name="dev-db/phpmyadmin" auto="yes" arch="*">
<unaffected range="ge" slot="">4.0.10.20</unaffected>
<unaffected range="ge" slot="">4.7.0</unaffected>
<vulnerable range="lt" slot="">4.0.10.20</vulnerable>
<vulnerable range="lt" slot="">4.7.0</vulnerable>
</package>
</affected>
<background>
<p>phpMyAdmin is a web-based management tool for MySQL databases.</p>
</background>
<description>
<p>A vulnerability was discovered where the restrictions caused by
“$cfg[Servers][$i][AllowNoPassword] = false” are bypassed
under certain PHP versions. This can lead compromised user accounts, who
have no passwords set, even if the administrator has set
“$cfg[Servers][$i][AllowNoPassword]” to false (which is
the default).
</p>
<p>This behavior depends on the PHP version used (it seems PHP 5 is
affected, while PHP 7.0 is not).
</p>
</description>
<impact type="normal">
<p>A remote attacker, who only needs to know the username, could bypass
security restrictions and access phpMyAdmin.
</p>
</impact>
<workaround>
<p>Set a password for all users.</p>
</workaround>
<resolution>
<p>All phpMyAdmin 4.0.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose
"&gt;=dev-db/phpmyadmin-4.0.10.20:4.0.10.20"
</code>
<p>All other phpMyAdmin users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-db/phpmyadmin-4.7.0:4.7.0"
</code>
</resolution>
<references>
<uri link="https://www.phpmyadmin.net/security/PMASA-2017-8/">PMASA-2017-8</uri>
</references>
<metadata tag="requester" timestamp="2017-04-28T01:10:27Z">BlueKnight</metadata>
<metadata tag="submitter" timestamp="2017-07-08T12:04:56Z">whissi</metadata>
</glsa>

55
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201707-04.xml vendored Normal file
View File

@ -0,0 +1,55 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201707-04">
<title>libsndfile: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in libsndfile, the worst
of which might allow remote attackers to execute arbitrary code.
</synopsis>
<product type="ebuild">libsndfile</product>
<announced>2017-07-08</announced>
<revised>2017-07-08: 1</revised>
<bug>618010</bug>
<access>remote</access>
<affected>
<package name="media-libs/libsndfile" auto="yes" arch="*">
<unaffected range="ge" slot="">1.0.28</unaffected>
<vulnerable range="lt" slot="">1.0.28</vulnerable>
</package>
</affected>
<background>
<p>libsndfile is a C library for reading and writing files containing
sampled sound.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in libsndfile. Please
review the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could entice a user to open a specially crafted file,
possibly resulting in the execution of arbitrary code with the privileges
of the process, or cause a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All libsndfile users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=media-libs/libsndfile-1.0.28"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7585">CVE-2017-7585</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7586">CVE-2017-7586</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7741">CVE-2017-7741</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7742">CVE-2017-7742</uri>
</references>
<metadata tag="requester" timestamp="2017-05-21T07:41:05Z">BlueKnight</metadata>
<metadata tag="submitter" timestamp="2017-07-08T12:05:10Z">whissi</metadata>
</glsa>

57
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201707-05.xml vendored Normal file
View File

@ -0,0 +1,57 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201707-05">
<title>OpenSLP: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in OpenSLP, the worst of
which allows remote attackers to cause a Denial of Service condition or
other unspecified impacts.
</synopsis>
<product type="ebuild">OpenSLP</product>
<announced>2017-07-08</announced>
<revised>2017-07-08: 1</revised>
<bug>360061</bug>
<bug>434918</bug>
<bug>583396</bug>
<bug>595542</bug>
<access>remote</access>
<affected>
<package name="net-libs/openslp" auto="yes" arch="*">
<unaffected range="ge" slot="">2.0.0-r4</unaffected>
<vulnerable range="lt" slot="">2.0.0-r4</vulnerable>
</package>
</affected>
<background>
<p>OpenSLP is an open-source implementation of Service Location Protocol
(SLP).
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in OpenSLP. Please review
the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could possibly cause a Denial of Service condition or
have other unspecified impacts.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All OpenSLP users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-libs/openslp-2.0.0-r4"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3609">CVE-2010-3609</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4428">CVE-2012-4428</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4912">CVE-2016-4912</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7567">CVE-2016-7567</uri>
</references>
<metadata tag="requester" timestamp="2017-05-21T02:50:48Z">BlueKnight</metadata>
<metadata tag="submitter" timestamp="2017-07-08T12:05:22Z">whissi</metadata>
</glsa>

75
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201707-06.xml vendored Normal file
View File

@ -0,0 +1,75 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201707-06">
<title>virglrenderer: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in virglrenderer, the
worst of which could allow local guest OS users to cause a Denial of
Service condition.
</synopsis>
<product type="ebuild">virglrenderer</product>
<announced>2017-07-08</announced>
<revised>2017-07-08: 1</revised>
<bug>606996</bug>
<bug>607022</bug>
<bug>608734</bug>
<bug>609400</bug>
<bug>609402</bug>
<bug>609492</bug>
<bug>609494</bug>
<bug>610678</bug>
<bug>610680</bug>
<bug>611378</bug>
<bug>611380</bug>
<bug>611382</bug>
<access>local</access>
<affected>
<package name="media-libs/virglrenderer" auto="yes" arch="*">
<unaffected range="ge" slot="">0.6.0</unaffected>
<vulnerable range="lt" slot="">0.6.0</vulnerable>
</package>
</affected>
<background>
<p>A virtual 3D GPU library, that allows the guest operating system to use
the host GPU to accelerate 3D rendering.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in virglrenderer. Please
review the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A local attacker could cause a Denial of Service condition.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All virglrenderer users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=media-libs/virglrenderer-0.6.0"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10163">
CVE-2016-10163
</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10214">
CVE-2016-10214
</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5580">CVE-2017-5580</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5956">CVE-2017-5956</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5957">CVE-2017-5957</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5993">CVE-2017-5993</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5994">CVE-2017-5994</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6209">CVE-2017-6209</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6210">CVE-2017-6210</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6317">CVE-2017-6317</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6355">CVE-2017-6355</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6386">CVE-2017-6386</uri>
</references>
<metadata tag="requester" timestamp="2017-05-05T00:14:09Z">BlueKnight</metadata>
<metadata tag="submitter" timestamp="2017-07-08T12:06:05Z">whissi</metadata>
</glsa>

58
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201707-07.xml vendored Normal file
View File

@ -0,0 +1,58 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201707-07">
<title>JasPer: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in JasPer, the worst of
which could could allow an attacker to execute arbitrary code.
</synopsis>
<product type="ebuild">JasPer</product>
<announced>2017-07-08</announced>
<revised>2017-07-08: 1</revised>
<bug>559164</bug>
<bug>559168</bug>
<bug>571256</bug>
<bug>599430</bug>
<bug>602848</bug>
<access>remote</access>
<affected>
<package name="media-libs/jasper" auto="yes" arch="*">
<unaffected range="ge" slot="">2.0.12</unaffected>
<vulnerable range="lt" slot="">2.0.12</vulnerable>
</package>
</affected>
<background>
<p>JasPer is a software-based implementation of the codec specified in the
JPEG-2000 Part-1 standard.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in JasPer. Please review
the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could entice a user to open a specially crafted image
file using JasPer possibly resulting in execution of arbitrary code with
the privileges of the process or a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All JasPer users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=media-libs/jasper-2.0.12"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5203">CVE-2015-5203</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8751">CVE-2015-8751</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9262">CVE-2016-9262</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9591">CVE-2016-9591</uri>
</references>
<metadata tag="requester" timestamp="2017-04-30T19:55:35Z">BlueKnight</metadata>
<metadata tag="submitter" timestamp="2017-07-08T12:06:24Z">whissi</metadata>
</glsa>

51
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201707-08.xml vendored Normal file
View File

@ -0,0 +1,51 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201707-08">
<title>feh: Arbitrary remote code execution</title>
<synopsis>A vulnerability in feh might allow remote attackers to execute
arbitrary code.
</synopsis>
<product type="ebuild">feh</product>
<announced>2017-07-08</announced>
<revised>2017-07-08: 1</revised>
<bug>616470</bug>
<access>remote</access>
<affected>
<package name="media-gfx/feh" auto="yes" arch="*">
<unaffected range="ge" slot="">2.18.3</unaffected>
<vulnerable range="lt" slot="">2.18.3</vulnerable>
</package>
</affected>
<background>
<p>feh is an X11 image viewer aimed mostly at console users.</p>
</background>
<description>
<p>Tobias Stoeckmann discovered it was possible to trigger an
out-of-boundary heap write with the image viewer feh while receiving an
IPC message.
</p>
</description>
<impact type="normal">
<p>A remote attacker, pretending to be the E17 window manager, could
possibly trigger an out-of-boundary heap write in feh while receiving an
IPC message. This could result in execution of arbitrary code with the
privileges of the process or a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All feh users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=media-gfx/feh-2.18.3"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7875">CVE-2017-7875</uri>
</references>
<metadata tag="requester" timestamp="2017-05-05T00:04:28Z">BlueKnight</metadata>
<metadata tag="submitter" timestamp="2017-07-08T12:06:41Z">whissi</metadata>
</glsa>

53
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201707-09.xml vendored Normal file
View File

@ -0,0 +1,53 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201707-09">
<title>GNOME applet for NetworkManager: Arbitrary file read/write</title>
<synopsis>A vulnerability has been found in GNOME applet for NetworkManager
allowing local attackers to access the local filesystem.
</synopsis>
<product type="ebuild">nm-applet</product>
<announced>2017-07-08</announced>
<revised>2017-07-08: 1</revised>
<bug>613768</bug>
<access>local</access>
<affected>
<package name="gnome-extra/nm-applet" auto="yes" arch="*">
<unaffected range="ge" slot="">1.4.6-r1</unaffected>
<vulnerable range="lt" slot="">1.4.6-r1</vulnerable>
</package>
</affected>
<background>
<p>GNOME applet for NetworkManager is a GTK+ 3 front-end which works under
Xorg environments with a systray.
</p>
</background>
<description>
<p>Frederic Bardy and Quentin Biguenet discovered that GNOME applet for
NetworkManager incorrectly checked permissions when connecting to certain
wireless networks.
</p>
</description>
<impact type="normal">
<p>A local attacker could bypass security restrictions at the login screen
to access local files.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All GNOME applet for NetworkManager users should upgrade to the latest
version:
</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=gnome-extra/nm-applet-1.4.6-r1"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6590">CVE-2017-6590</uri>
</references>
<metadata tag="requester" timestamp="2017-04-02T12:44:50Z">BlueKnight</metadata>
<metadata tag="submitter" timestamp="2017-07-08T12:07:02Z">whissi</metadata>
</glsa>

52
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201707-10.xml vendored Normal file
View File

@ -0,0 +1,52 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201707-10">
<title>VLC: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in VLC, the worst of which
may allow remote attackers to execute arbitrary code.
</synopsis>
<product type="ebuild">vlc</product>
<announced>2017-07-08</announced>
<revised>2017-07-08: 1</revised>
<bug>619494</bug>
<access>remote</access>
<affected>
<package name="media-video/vlc" auto="yes" arch="*">
<unaffected range="ge">2.2.6</unaffected>
<vulnerable range="lt">2.2.6</vulnerable>
</package>
</affected>
<background>
<p>VLC is a cross-platform media player and streaming server.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in VLC. Please review the
CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker, by enticing a user to open a specially crafted
subtitles file, could possibly execute arbitrary code with the privileges
of the process or cause a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All VLC users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=media-video/vlc-2.2.6"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8310">CVE-2017-8310</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8311">CVE-2017-8311</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8312">CVE-2017-8312</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8313">CVE-2017-8313</uri>
</references>
<metadata tag="requester" timestamp="2017-06-28T11:50:57Z">whissi</metadata>
<metadata tag="submitter" timestamp="2017-07-08T20:11:58Z">b-man</metadata>
</glsa>

49
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201707-11.xml vendored Normal file
View File

@ -0,0 +1,49 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201707-11">
<title>RoundCube: Security bypass</title>
<synopsis>A vulnerability in RoundCube may allow authenticated users to
bypass security restrictions.
</synopsis>
<product type="ebuild">roundcube</product>
<announced>2017-07-08</announced>
<revised>2017-07-08: 1</revised>
<bug>618322</bug>
<access>remote</access>
<affected>
<package name="mail-client/roundcube" auto="yes" arch="*">
<unaffected range="ge">1.2.5</unaffected>
<vulnerable range="lt">1.2.5</vulnerable>
</package>
</affected>
<background>
<p>Free and open source webmail software for the masses, written in PHP.</p>
</background>
<description>
<p>Authenticated users can arbitrarily reset passwords due to a problem
caused by an improperly restricted exec call in the virtualmin and sasl
drivers of the password plugin.
</p>
</description>
<impact type="normal">
<p>Authenticated users can bypass security restrictions and elevate
privileges.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All RoundCube users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=mail-client/roundcube-1.2.5"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8114">CVE-2017-8114</uri>
</references>
<metadata tag="requester" timestamp="2017-06-19T11:26:16Z">whissi</metadata>
<metadata tag="submitter" timestamp="2017-07-08T20:12:11Z">b-man</metadata>
</glsa>

51
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201707-12.xml vendored Normal file
View File

@ -0,0 +1,51 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201707-12">
<title>MAN DB: Privilege escalation</title>
<synopsis>A vulnerability in MAN DB allows local users to gain root
privileges.
</synopsis>
<product type="ebuild">man-db</product>
<announced>2017-07-09</announced>
<revised>2017-07-09: 1</revised>
<bug>602588</bug>
<access>local</access>
<affected>
<package name="sys-apps/man-db" auto="yes" arch="*">
<unaffected range="ge" slot="">2.7.6.1-r2</unaffected>
<vulnerable range="lt" slot="">2.7.6.1-r2</vulnerable>
</package>
</affected>
<background>
<p>MAN DB is a man replacement that utilizes BerkelyDB instead of flat
files.
</p>
</background>
<description>
<p>The /var/cache/man directory as part of the MAN DB package has group
permissions set to root.
</p>
</description>
<impact type="high">
<p>A local user who does not belong to the root group, but has the ability
to modify the /var/cache/man directory can escalate privileges to the
group root.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All MAN DB users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=sys-apps/man-db-2.7.6.1-r2"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1336">CVE-2015-1336</uri>
</references>
<metadata tag="requester" timestamp="2017-01-18T16:57:30Z">whissi</metadata>
<metadata tag="submitter" timestamp="2017-07-09T20:19:23Z">whissi</metadata>
</glsa>

50
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201707-13.xml vendored Normal file
View File

@ -0,0 +1,50 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201707-13">
<title>libcroco: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in libcroco, the worst of
which may have unspecified impacts.
</synopsis>
<product type="ebuild">libcroco</product>
<announced>2017-07-09</announced>
<revised>2017-07-09: 1</revised>
<bug>618012</bug>
<access>remote</access>
<affected>
<package name="dev-libs/libcroco" auto="yes" arch="*">
<unaffected range="ge" slot="">0.6.12-r1</unaffected>
<vulnerable range="lt" slot="">0.6.12-r1</vulnerable>
</package>
</affected>
<background>
<p>libcroco is a standalone CSS2 parsing and manipulation library.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in libcroco. Please review
the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could entice a user to open a specially crafted CSS
file possibly resulting in a Denial of Service condition or other
unspecified impacts.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All libcroco users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-libs/libcroco-0.6.12-r1"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7960">CVE-2017-7960</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7961">CVE-2017-7961</uri>
</references>
<metadata tag="requester" timestamp="2017-05-21T07:37:50Z">BlueKnight</metadata>
<metadata tag="submitter" timestamp="2017-07-09T20:40:19Z">whissi</metadata>
</glsa>

2
sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk vendored
View File

@ -1 +1 @@
Fri, 23 Jun 2017 17:39:03 +0000
Sun, 09 Jul 2017 23:40:01 +0000

2
sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.commit vendored
View File

@ -1 +1 @@
3bbc3731a50a93315f90eba3a430b6d900cf3f5d 1498159143 2017-06-22T19:19:03+00:00
0d1886fce079a5b039baee6ef4287f5a55945dea 1499633121 2017-07-09T20:45:21+00:00