bump(metadata/glsa): sync with upstream

2025-10-02 02:51:06 +02:00 · 2018-01-08 09:55:53 -05:00 · 2018-01-08 09:55:53 -05:00 · 27e7839ace
commit 27e7839ace
parent 6bcbb02c18
14 changed files with 743 additions and 17 deletions
--- a/sdk_container/src/third_party/portage-stable/metadata/glsa/Manifest
+++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/Manifest
@ -1,23 +1,23 @@
 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA512

-MANIFEST Manifest.files.gz 412859 BLAKE2B 29f22611257846c43da3f994e05684673fa1caa957a4b148f39ff19bc84f3682e8490d97c111e7eccbdb376d70136a0d0906ef152ce3abf044f4fb391eb520c4 SHA512 49d32fc5be9c59d40fa5555276aaf748a6274c5421c12e450644629355174f7bb6f7e77103a5571ae8f5e28bcd53505531ac68ed8f7957c3debfc9196bd152cd
-TIMESTAMP 2017-12-15T14:38:51Z
+MANIFEST Manifest.files.gz 414446 BLAKE2B 5b433dfd85097ead79bccfcdc5ac71450a49f0cd04217ea95a0da4d9b3a14d6a0df186361cf5d3a4ff24547968a8bdb79ea1e31d21aa21b86708e0885a152525 SHA512 2410eac2ebdd40b883f4296ea6c8ebefb16545c125c9ecb039ba9a79dc2d32f43aaaa01673cb98557d5d7aa414d7d0c72e688610d9b127a0d56cb1584e16cf5c
+TIMESTAMP 2018-01-08T14:09:18Z
 -----BEGIN PGP SIGNATURE-----

-iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAloz3ntfFIAAAAAALgAo
+iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAlpTe45fFIAAAAAALgAo
 aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx
 RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY
-klChjw//YTiUDD4Fm0n7wQTnP+T2uP/k5D8u5GxF+dTXC8apVyGVlVq2LLUTTCPL
-uLV+HWbXNvh11bjZpDrZU8TtI410H19iaK8+6vzpRhea2v5ClabU7J2MmaDZoOc7
-p+UyEntdtrw7DU/SNxHSdeAQ+ll0lers1pxMaoW+FFT1tvMUJBkO73QuZu6lApad
-PORPMc2ibAju/EY1TiuKsSM9V2Vz9iKWNtjQzObCUCfZEKq39HhAEY+0ldqI/TDz
-NgXr8MbYgIV/WxkOaDdNy2s4Q/AA1TdgJUHBH4d8qNl3m456p+maYiEwKJIpdbgx
-R1h7ofef6I7Z/qmafUtfuNkpaZpl0o+Od2142Lfu5Ux0C67LRC2wMzztaPIkcuDs
-4xkPDLQ+Hjzo9ix3Uk+J1iziHkdtf450Q4C2q0jdxWO0mkMf0DWc/uhd1GnWHJ4I
-o1IflamHKQBAKC0+7zQw+hZ+pksEvuqboeC3Xh3Nxe9TQqRWje8+hs911N5QtYU9
-XqNIhuaEiSIi0b5Ld8lT6S4HP9KRnEM2L3WI7SRzIkEQl920MVybkyHq7ElhWGyg
-Ma1U6ulPo8ExHZigdMF7kjM2A/8YRqyKLMiyfSea1e/waNqlmqXHIPAgz8RePuF6
-/cB49iydB/jcLzPmnkQ0up0ivOUwX/Wizk3aWRr83Zcc2+4ULi0=
-=AvJa
+klDADw//Y0MSMH/w88YmIdFIFhAFkVaiucRv0Y3ghNhw8ygK7XZZOgEjuY3drvfW
+utdtH01gKMFQcv1aM+1N9m9qzvQM6sNwx/NPUi/eUil4XWlbqF1jJgvFavD5DEVW
+3lLEx3ZvZG4IC39GtVOIlExMt5OOduP5xGCg6vKJXNRUKM3Y+h+4wFcEqi4ZCXOk
+x2LNDnfFlndvaDAu/mYOVRxxBYffvJD5WYn6XCAMot3ZHaqAXKklVkwSSr2DGNwS
+MG+tfo25tUstvkExRbnfOogZwQDbXXlHhe+a1swxuRSUCk3ZzRaWXHAAG1hGAlgP
+MujuK2+Sflrbukf2bQcjIbUkL/6c/qIBA+t484cY8WLjCPD2f8Go0DlmEpCuB1s9
+kjMgpolbXFjE73F9PLOaM7svYQCKB6GbJGcmo6BL7vuwfhS2YZZpoKMbO6EdYimk
+2NhHGpBSAOfZMKUgV/ll0meAZesOZXxf1f+e+QG19iiFHUMj//Nux04QUVyAuTy4
+R9DLOClKPOnMr1ODMRYznzSWDCAPaRTaBvrYK/yOk0AUerfCUt9F92ypbPTxD1qw
+JaBUMmObEYMI5oj7wN1iigFCvnLmgcEjVXhXMB1Gzywi3N2T2KPk2ANcCjWxTyvn
+D+b/1KH9cWusFhl87Axt3R4JRAD0SRT6X/08+eybXcS2Ow+jJaI=
+=sXyp
 -----END PGP SIGNATURE-----
--- a/sdk_container/src/third_party/portage-stable/metadata/glsa/Manifest.files.gz
+++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/Manifest.files.gz
--- a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201801-01.xml
+++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201801-01.xml
@ -0,0 +1,137 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201801-01">
+  <title>Binutils: Multiple vulnerabilities</title>
+  <synopsis>Multiple vulnerabilities have been found in Binutils, the worst of
+    which may allow remote attackers to cause a Denial of Service condition.
+  </synopsis>
+  <product type="ebuild">binutils</product>
+  <announced>2018-01-07</announced>
+  <revised>2018-01-07: 1</revised>
+  <bug>624700</bug>
+  <bug>627516</bug>
+  <bug>628538</bug>
+  <bug>629344</bug>
+  <bug>629922</bug>
+  <bug>631324</bug>
+  <bug>632100</bug>
+  <bug>632132</bug>
+  <bug>632384</bug>
+  <bug>632668</bug>
+  <bug>633988</bug>
+  <bug>635218</bug>
+  <bug>635692</bug>
+  <bug>635860</bug>
+  <bug>635968</bug>
+  <access>local, remote</access>
+  <affected>
+    <package name="sys-devel/binutils" auto="yes" arch="*">
+      <unaffected range="ge">2.29.1-r1</unaffected>
+      <vulnerable range="lt">2.29.1-r1</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>The GNU Binutils are a collection of tools to create, modify and analyse
+      binary files. Many of the files use BFD, the Binary File Descriptor
+      library, to do low-level manipulation.
+    </p>
+  </background>
+  <description>
+    <p>Multiple vulnerabilities have been discovered in Binutils. Please review
+      the referenced CVE identifiers for details.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>A remote attacker, by enticing a user to compile/execute a specially
+      crafted ELF, tekhex, PE, or binary file, could possibly cause a Denial of
+      Service condition.
+    </p>
+  </impact>
+  <workaround>
+    <p>There are no known workarounds at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All Binutils users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=sys-devel/binutils-2.29.1-r1"
+    </code>
+  </resolution>
+  <references>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12456">
+      CVE-2017-12456
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12799">
+      CVE-2017-12799
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12967">
+      CVE-2017-12967
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-14128">
+      CVE-2017-14128
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-14129">
+      CVE-2017-14129
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-14130">
+      CVE-2017-14130
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-14333">
+      CVE-2017-14333
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15023">
+      CVE-2017-15023
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15938">
+      CVE-2017-15938
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15939">
+      CVE-2017-15939
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15996">
+      CVE-2017-15996
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7209">
+      CVE-2017-7209
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7210">
+      CVE-2017-7210
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7223">
+      CVE-2017-7223
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7224">
+      CVE-2017-7224
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7225">
+      CVE-2017-7225
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7227">
+      CVE-2017-7227
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9743">
+      CVE-2017-9743
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9746">
+      CVE-2017-9746
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9749">
+      CVE-2017-9749
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9750">
+      CVE-2017-9750
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9751">
+      CVE-2017-9751
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9755">
+      CVE-2017-9755
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9756">
+      CVE-2017-9756
+    </uri>
+  </references>
+  <metadata tag="requester" timestamp="2018-01-05T05:47:37Z">jmbailey</metadata>
+  <metadata tag="submitter" timestamp="2018-01-07T23:07:52Z">jmbailey</metadata>
+</glsa>
--- a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201801-02.xml
+++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201801-02.xml
@ -0,0 +1,57 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201801-02">
+  <title>OptiPNG: Multiple vulnerabilities</title>
+  <synopsis>Multiple vulnerabilities have been found in OptiPNG, the worst of
+    which may allow execution of arbitrary code.
+  </synopsis>
+  <product type="ebuild">optipng</product>
+  <announced>2018-01-07</announced>
+  <revised>2018-01-07: 1</revised>
+  <bug>637936</bug>
+  <bug>639690</bug>
+  <access>remote</access>
+  <affected>
+    <package name="media-gfx/optipng" auto="yes" arch="*">
+      <unaffected range="ge">0.7.6-r2</unaffected>
+      <vulnerable range="lt">0.7.6-r2</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>OptiPNG is a PNG optimizer that re-compresses image files to a smaller
+      size, without losing any information.
+    </p>
+  </background>
+  <description>
+    <p>Multiple vulnerabilities have been discovered in OptiPNG. Please review
+      the referenced CVE identifiers for details.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>A remote attacker could entice a user to process a specially crafted
+      image file, possibly resulting in execution of arbitrary code with the
+      privileges of the process or a Denial of Service condition.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All OptiPNG users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=media-gfx/optipng-0.7.6-r2"
+    </code>
+  </resolution>
+  <references>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1000229">
+      CVE-2017-1000229
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-16938">
+      CVE-2017-16938
+    </uri>
+  </references>
+  <metadata tag="requester" timestamp="2017-12-03T01:46:44Z">jmbailey</metadata>
+  <metadata tag="submitter" timestamp="2018-01-07T23:16:40Z">jmbailey</metadata>
+</glsa>
--- a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201801-03.xml
+++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201801-03.xml
@ -0,0 +1,134 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201801-03">
+  <title>Chromium, Google Chrome: Multiple vulnerabilities </title>
+  <synopsis>Multiple vulnerabilities have been found in Chromium and Google
+    Chrome, the worst of which could result in the execution of arbitrary code.
+  </synopsis>
+  <product type="ebuild">chromium,google-chrome</product>
+  <announced>2018-01-07</announced>
+  <revised>2018-01-07: 1</revised>
+  <bug>640334</bug>
+  <bug>641376</bug>
+  <access>local, remote</access>
+  <affected>
+    <package name="www-client/chromium" auto="yes" arch="*">
+      <unaffected range="ge">63.0.3239.108</unaffected>
+      <vulnerable range="lt">63.0.3239.108</vulnerable>
+    </package>
+    <package name="www-client/google-chrome" auto="yes" arch="*">
+      <unaffected range="ge">63.0.3239.108</unaffected>
+      <vulnerable range="lt">63.0.3239.108</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>Chromium is an open-source browser project that aims to build a safer,
+      faster, and more stable way for all users to experience the web.
+    </p>
+    
+    <p>Google Chrome is one fast, simple, and secure browser for all your
+      devices
+    </p>
+  </background>
+  <description>
+    <p>Multiple vulnerabilities have been discovered in Chromium and Google
+      Chrome. Please review the CVE identifiers referenced below for details.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>A remote attacker could possibly execute arbitrary code with the
+      privileges of the process, cause a Denial of Service condition, bypass
+      content security controls, or conduct URL spoofing.
+    </p>
+  </impact>
+  <workaround>
+    <p>There are no known workarounds at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All Chromium users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose
+      "&gt;=www-client/chromium-63.0.3239.108"
+    </code>
+    
+    <p>All Google Chrome users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose
+      "&gt;=www-client/google-chrome-63.0.3239.108"
+    </code>
+  </resolution>
+  <references>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15407">
+      CVE-2017-15407
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15408">
+      CVE-2017-15408
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15409">
+      CVE-2017-15409
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15410">
+      CVE-2017-15410
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15411">
+      CVE-2017-15411
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15412">
+      CVE-2017-15412
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15413">
+      CVE-2017-15413
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15415">
+      CVE-2017-15415
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15416">
+      CVE-2017-15416
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15417">
+      CVE-2017-15417
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15418">
+      CVE-2017-15418
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15419">
+      CVE-2017-15419
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15420">
+      CVE-2017-15420
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15422">
+      CVE-2017-15422
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15423">
+      CVE-2017-15423
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15424">
+      CVE-2017-15424
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15425">
+      CVE-2017-15425
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15426">
+      CVE-2017-15426
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15427">
+      CVE-2017-15427
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15429">
+      CVE-2017-15429
+    </uri>
+    <uri link="https://chromereleases.googleblog.com/2017/12/stable-channel-update-for-desktop.html">
+      Google Chrome Release 20171206
+    </uri>
+    <uri link="https://chromereleases.googleblog.com/2017/12/stable-channel-update-for-desktop_14.html">
+      Google Chrome Release 20171214
+    </uri>
+  </references>
+  <metadata tag="requester" timestamp="2018-01-05T05:50:33Z">jmbailey</metadata>
+  <metadata tag="submitter" timestamp="2018-01-07T23:22:12Z">jmbailey</metadata>
+</glsa>
--- a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201801-04.xml
+++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201801-04.xml
@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201801-04">
+  <title>LibXcursor: User-assisted execution of arbitrary code</title>
+  <synopsis>A vulnerability in LibXcursor might allow remote attackers to
+    execute arbitrary code.
+  </synopsis>
+  <product type="ebuild">LibXcursor</product>
+  <announced>2018-01-07</announced>
+  <revised>2018-01-07: 1</revised>
+  <bug>639062</bug>
+  <access>local, remote</access>
+  <affected>
+    <package name="x11-libs/libXcursor" auto="yes" arch="*">
+      <unaffected range="ge">1.1.15</unaffected>
+      <vulnerable range="lt">1.1.15</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>X.Org X11 libXcursor runtime library.</p>
+  </background>
+  <description>
+    <p>It was discovered that libXcursor is prone to several heap overflows
+      when parsing malicious files.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>A remote attacker, by enticing a user to process a specially crafted
+      cursor file, could possibly execute arbitrary code with the privileges of
+      the process or cause a Denial of Service condition.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All LibXcursor users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=x11-libs/libXcursor-1.1.15"
+    </code>
+  </resolution>
+  <references>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-16612">
+      CVE-2017-16612
+    </uri>
+  </references>
+  <metadata tag="requester" timestamp="2018-01-05T05:33:40Z">jmbailey</metadata>
+  <metadata tag="submitter" timestamp="2018-01-07T23:27:33Z">jmbailey</metadata>
+</glsa>
--- a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201801-05.xml
+++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201801-05.xml
@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201801-05">
+  <title>OpenSSH: Permission issue</title>
+  <synopsis>A flaw has been discovered in OpenSSH which could allow a remote
+    attacker to create zero-length files.
+  </synopsis>
+  <product type="ebuild">OpenSSH</product>
+  <announced>2018-01-07</announced>
+  <revised>2018-01-07: 1</revised>
+  <bug>633428</bug>
+  <access>remote</access>
+  <affected>
+    <package name="net-misc/openssh" auto="yes" arch="*">
+      <unaffected range="ge">7.5_p1-r3</unaffected>
+      <vulnerable range="lt">7.5_p1-r3</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>OpenSSH is a complete SSH protocol implementation that includes SFTP
+      client and server support.
+    </p>
+  </background>
+  <description>
+    <p>The process_open function in sftp-server.c in OpenSSH did not properly
+      prevent write operations in readonly mode.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>A remote attacker could cause the creation of zero-length files.</p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All OpenSSH users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=net-misc/openssh-7.5_p1-r3"
+    </code>
+  </resolution>
+  <references>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15906">
+      CVE-2017-15906
+    </uri>
+  </references>
+  <metadata tag="requester" timestamp="2018-01-05T05:55:47Z">jmbailey</metadata>
+  <metadata tag="submitter" timestamp="2018-01-07T23:36:33Z">jmbailey</metadata>
+</glsa>
--- a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201801-06.xml
+++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201801-06.xml
@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201801-06">
+  <title>Back In Time: Command injection</title>
+  <synopsis>A command injection vulnerability in 'Back in Time' may allow for
+    the execution of arbitrary shell commands.
+  </synopsis>
+  <product type="ebuild">backintime</product>
+  <announced>2018-01-07</announced>
+  <revised>2018-01-07: 1</revised>
+  <bug>636974</bug>
+  <access>local, remote</access>
+  <affected>
+    <package name="app-backup/backintime" auto="yes" arch="*">
+      <unaffected range="ge">1.1.24</unaffected>
+      <vulnerable range="lt">1.1.24</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>A simple backup tool for Linux, inspired by “flyback project”.</p>
+  </background>
+  <description>
+    <p>‘Back in Time’ did improper escaping/quoting of file paths used as
+      arguments to the ‘notify-send’ command leading to some parts of file
+      paths being executed as shell commands within an os.system call.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>A context-dependent attacker could execute arbitrary shell commands via
+      a specially crafted file.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All ‘Back In Time’ users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=app-backup/backintime-1.1.24"
+    </code>
+  </resolution>
+  <references>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-16667">
+      CVE-2017-16667
+    </uri>
+  </references>
+  <metadata tag="requester" timestamp="2018-01-05T05:36:24Z">jmbailey</metadata>
+  <metadata tag="submitter" timestamp="2018-01-07T23:41:27Z">jmbailey</metadata>
+</glsa>
--- a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201801-07.xml
+++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201801-07.xml
@ -0,0 +1,68 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201801-07">
+  <title>GNU Emacs: Command injection</title>
+  <synopsis>A vulnerability has been found in Emacs which may allow for
+    arbitrary command execution.
+  </synopsis>
+  <product type="ebuild">Emacs</product>
+  <announced>2018-01-07</announced>
+  <revised>2018-01-08: 2</revised>
+  <bug>630680</bug>
+  <access>remote</access>
+  <affected>
+    <package name="app-editors/emacs" auto="yes" arch="*">
+      <unaffected range="ge" slot="23">23.4-r16</unaffected>
+      <unaffected range="ge" slot="24">24.5-r4</unaffected>
+      <unaffected range="ge" slot="25">25.2-r1</unaffected>
+      <vulnerable range="lt" slot="23">23.4-r16</vulnerable>
+      <vulnerable range="lt" slot="24">24.5-r4</vulnerable>
+      <vulnerable range="lt" slot="25">25.2-r1</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>GNU Emacs is a highly extensible and customizable text editor.</p>
+  </background>
+  <description>
+    <p>A command injection flaw within the Emacs “enriched mode” handling
+      has been discovered.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>A remote attacker, by enticing a user to open a specially crafted file,
+      could execute arbitrary commands with the privileges of process.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All GNU Emacs 23.x users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=app-editors/emacs-23.4-r16:23"
+    </code>
+    
+    <p>All GNU Emacs 24.x users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=app-editors/emacs-24.5-r4:24"
+    </code>
+    
+    <p>All GNU Emacs 25.x users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=app-editors/emacs-25.2-r1:25"
+    </code>
+  </resolution>
+  <references>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-14482">
+      CVE-2017-14482
+    </uri>
+  </references>
+  <metadata tag="requester" timestamp="2018-01-05T05:59:49Z">jmbailey</metadata>
+  <metadata tag="submitter" timestamp="2018-01-08T13:17:01Z">jmbailey</metadata>
+</glsa>
--- a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201801-08.xml
+++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201801-08.xml
@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201801-08">
+  <title>MiniUPnPc: Arbitrary code execution</title>
+  <synopsis>A vulnerability in MiniUPnPc might allow remote attackers to
+    execute arbitrary code.
+  </synopsis>
+  <product type="ebuild">MiniUPnP</product>
+  <announced>2018-01-07</announced>
+  <revised>2018-01-07: 1</revised>
+  <bug>562684</bug>
+  <access>remote</access>
+  <affected>
+    <package name="net-libs/miniupnpc" auto="yes" arch="*">
+      <unaffected range="ge">2.0.20170509</unaffected>
+      <vulnerable range="lt">2.0.20170509</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>The client library, enabling applications to access the services
+      provided by an UPnP “Internet Gateway Device” present on the network.
+    </p>
+  </background>
+  <description>
+    <p>An exploitable buffer overflow vulnerability exists in the XML parser
+      functionality of the MiniUPnP library.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>A remote attacker, by enticing a user to connect to a malicious server,
+      could cause the execution of arbitrary code with the privileges of the
+      user running a MiniUPnPc linked application.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All MiniUPnPc users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=net-libs/miniupnpc-2.0.20170509"
+    </code>
+  </resolution>
+  <references>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6031">
+      CVE-2015-6031
+    </uri>
+  </references>
+  <metadata tag="requester" timestamp="2018-01-05T06:06:14Z">jmbailey</metadata>
+  <metadata tag="submitter" timestamp="2018-01-07T23:51:08Z">jmbailey</metadata>
+</glsa>
--- a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201801-09.xml
+++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201801-09.xml
@ -0,0 +1,63 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201801-09">
+  <title>WebkitGTK+: Multiple vulnerabilities</title>
+  <synopsis>Multiple vulnerabilities have been found in WebkitGTK+, the worst
+    of which may lead to arbitrary code execution. 
+  </synopsis>
+  <product type="ebuild">WebkitGTK+</product>
+  <announced>2018-01-07</announced>
+  <revised>2018-01-07: 1</revised>
+  <bug>641752</bug>
+  <access>remote</access>
+  <affected>
+    <package name="net-libs/webkit-gtk" auto="yes" arch="*">
+      <unaffected range="ge" slot="4">2.18.4</unaffected>
+      <vulnerable range="lt" slot="4">2.18.4</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>WebKitGTK+ is a full-featured port of the WebKit rendering engine.</p>
+  </background>
+  <description>
+    <p>Multiple vulnerabilities have been discovered in WebkitGTK+. Please
+      review the referenced CVE Identifiers for details.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>An attacker, by enticing a user to visit maliciously crafted web
+      content, may be able to execute arbitrary code or cause memory
+      corruption.
+    </p>
+  </impact>
+  <workaround>
+    <p>There are no known workarounds at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All WebkitGTK+ users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=net-libs/webkit-gtk-2.18.4:4"
+    </code>
+  </resolution>
+  <references>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-13856">
+      CVE-2017-13856
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-13866">
+      CVE-2017-13866
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-13870">
+      CVE-2017-13870
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7156">
+      CVE-2017-7156
+    </uri>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7157">
+      CVE-2017-7157
+    </uri>
+  </references>
+  <metadata tag="requester" timestamp="2018-01-05T05:25:45Z">jmbailey</metadata>
+  <metadata tag="submitter" timestamp="2018-01-07T23:57:41Z">jmbailey</metadata>
+</glsa>
--- a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201801-10.xml
+++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201801-10.xml
@ -0,0 +1,62 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201801-10">
+  <title>LibXfont, LibXfont2: Arbitrary file access</title>
+  <synopsis>A vulnerability has been found in LibXfont and LibXfont2 which may
+    allow for arbitrary file access.
+  </synopsis>
+  <product type="ebuild">LibXfont, LibXfont2</product>
+  <announced>2018-01-08</announced>
+  <revised>2018-01-08: 1</revised>
+  <bug>639064</bug>
+  <access>local</access>
+  <affected>
+    <package name="x11-libs/libXfont" auto="yes" arch="*">
+      <unaffected range="ge">1.5.4</unaffected>
+      <vulnerable range="lt">1.5.4</vulnerable>
+    </package>
+    <package name="x11-libs/libXfont2" auto="yes" arch="*">
+      <unaffected range="ge">2.0.3</unaffected>
+      <vulnerable range="lt">2.0.3</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>X.Org Xfont library.</p>
+  </background>
+  <description>
+    <p>It was discovered that libXfont incorrectly followed symlinks when
+      opening font files.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>A local unprivileged user could use this flaw to cause the X server to
+      access arbitrary files, including special device files.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All LibXfont users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=x11-libs/libXfont-1.5.4"
+    </code>
+    
+    <p>All LibXfont2 users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=x11-libs/libXfont2-2.0.3"
+    </code>
+    
+  </resolution>
+  <references>
+    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-16611">
+      CVE-2017-16611
+    </uri>
+  </references>
+  <metadata tag="requester" timestamp="2018-01-05T05:31:41Z">jmbailey</metadata>
+  <metadata tag="submitter" timestamp="2018-01-08T12:26:24Z">jmbailey</metadata>
+</glsa>
--- a/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk
+++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk
@ -1 +1 @@
-Fri, 15 Dec 2017 14:38:47 +0000
+Mon, 08 Jan 2018 14:09:15 +0000
--- a/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.commit
+++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.commit
@ -1 +1 @@
-30b0a682c74fee092dcec1e6356f4afc7fa14625 1513277071 2017-12-14T18:44:31+00:00
+83b03abfd2cbeb32bafb0df4d1a742e9717c33a3 1515417463 2018-01-08T13:17:43+00:00