From 29186d73ad34548ad5c7153be3f69cda2d646fac Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Thu, 1 Dec 2022 09:04:51 +0000 Subject: [PATCH] metadata: Monthly GLSA metadata updates --- .../portage-stable/metadata/glsa/Manifest | 30 +++---- .../metadata/glsa/glsa-202208-21.xml | 4 +- .../metadata/glsa/glsa-202211-03.xml | 65 ++++++++++++++ .../metadata/glsa/glsa-202211-04.xml | 87 ++++++++++++++++++ .../metadata/glsa/glsa-202211-05.xml | 65 ++++++++++++++ .../metadata/glsa/glsa-202211-06.xml | 89 +++++++++++++++++++ .../metadata/glsa/glsa-202211-07.xml | 42 +++++++++ .../metadata/glsa/glsa-202211-08.xml | 42 +++++++++ .../metadata/glsa/glsa-202211-09.xml | 44 +++++++++ .../metadata/glsa/glsa-202211-10.xml | 54 +++++++++++ .../metadata/glsa/glsa-202211-11.xml | 44 +++++++++ .../metadata/glsa/timestamp.chk | 2 +- .../metadata/glsa/timestamp.commit | 2 +- 13 files changed, 551 insertions(+), 19 deletions(-) create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202211-03.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202211-04.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202211-05.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202211-06.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202211-07.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202211-08.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202211-09.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202211-10.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202211-11.xml diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/Manifest b/sdk_container/src/third_party/portage-stable/metadata/glsa/Manifest index adc8c31162..19dba1808d 100644 --- a/sdk_container/src/third_party/portage-stable/metadata/glsa/Manifest +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/Manifest @@ -1,23 +1,23 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 -MANIFEST Manifest.files.gz 536244 BLAKE2B 47908e9e54099299278f14e5112b789aac78178d7406b6880e3986163e8e2aeec411757dbe131202da7291c508ea72a7d158f7fe08facf6e36a23a28a992a7d8 SHA512 ef16d73b0d889ec01efae4d55e398ba1b384a7b46066c129d82b336f46e8804d0dd1765c65c49d93842dc829696efc67759ac790655f316a70359fb8847d9e4e -TIMESTAMP 2022-11-18T11:39:56Z +MANIFEST Manifest.files.gz 537682 BLAKE2B 5ea36706e9f3100f98a8bfc48465fc9c9965ad20b834454f02d0d345f47d095e5a9ed35b5f6e37007ee947d09446b720eafc19bfcbc8f9bac4db48a6a80580dd SHA512 0f5654de23f73899b445d3d10fa87c3ab643f77308df25999549e1b63748b5f101eb3f130afac8fb3e03eab64646d0e2016efd11a0f4eccc7a3b6117155d8d63 +TIMESTAMP 2022-12-01T08:39:53Z -----BEGIN PGP SIGNATURE----- -iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmN3bwxfFIAAAAAALgAo +iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmOIaFlfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY -klBofg//VsVRzTk9MRvuKpQh5uKwkc4MXC+hY/TOxmUKNMuG6ZjaNiXdjz0Z5HXr -R5OlMOiOdRsBp2y9UHAcyjopo8OdIf3g6jzdpbBcEBw/nx+iHsP8ebrsHqiXSLXI -77XS2/pob3vYuSndXbfvLs0ZemqBXOcflneIQ9rkOD/LnpOyH1o3RYPnahoAVqQZ -mytgfss+b7cZjogvbiOCBqjPtTTHn6F8rDq9Jmn7KsbIi6hIzHDcKa4CI/C4f74n -MKi992d5ZLKck+zkOEU+fYXy9xuoALPxxM8tD4LvyfW+2DoVmgtERDw2HPxWTBim -7yB2pmcrkv5sOeNar2ftZdFRS7ZX26OS9wvIE6qZbh6cnjTKJB71mY/DwV3V0sPX -1nQLG0V5Ors9wtM93GbbQY9Qxh8l9WQ6/jpNiwqoZLfPRUcsgo69Q0VxOd/qKXOQ -sKR5opWTozn6qL55+CuqH3msq+agDkWAYSjdmNTiEbEv6inlSx+zJlGuChA6Ve7c -0e7UnJYyQQiyir8bxXtJPZesrIav61Q/eM+X4LtGrxeGFzvAmn/yl6f9uda2w16w -yG64E9BdgHZEX8r2QCIGs9iJE9DZ+7dgc9RwXVmEDxRiZ96395ZzHta++PypIL4B -MkK5S669/ZseQz/2LmceECvdXIKt95dJKvmgVpcs/vU+eCuTu/s= -=/0PV +klA9WA/+PADS6PqbAWmuYbwjJNAacc9lBgJA268HKwm9JQzEP0PkCCq/+s1hEWX9 +j4Oc/yWTyJ/V/fesmun/BULTUwzm7tQZAPcXT/N5Hy0JiuGokPnDJsCZuV0EyD30 +g4h08NnfSIJsOqHXjbRKhhLu98va0oQeGNOaY03wOnye5vZnXrp8+0dRIOzq+k/y +iBzZoTsp+zC4S3S+fMIHSzWMQ5zKLSzeMxpoFTrgWTeTnkiz1bcm6LDo43kqnyqu +o9a1eblEqe0TibbWCsLWnY32aii9jkQ3fUAFzPbxtZgRl02G6FxPgq7zchvhkmjM +cMlnck0SXQd2jm8QIlykOVV5BNMFDIlqYOPsRb5fdBe3IhJJ3KSqA3drX+QDk/Wl +BG04cSmmkSDFyREP+JyG2dMZMOGirb+3RDbp8HCavy0r9iRKXGF1hzbT7lpCGqpB +vdwTroQvgiEWg6JUR/z42hq2JXFUPIWcqZe6UfX2dIPFN2fdf0Tu0VpIzBZv+DEk +iA9q3xTpESXtxHI58dNLnrc8Re2T96cw/37eZxo5svoaE24CSxZV33tYnVFKa5+l +KRFdjYFSEh38xwih9P0Tq0nkDcJf8spJ6RDUATfBhxvLMjEjHBfInOBxZXa4IKin +KaedpDiaGMo3gohuCwqyxjBjcLqMiAJhMR6qVFSRDZgF9nni/u0= +=2S4S -----END PGP SIGNATURE----- diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202208-21.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202208-21.xml index 3f883725ca..a54d200c89 100644 --- a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202208-21.xml +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202208-21.xml @@ -9,7 +9,7 @@ 772272 remote - + 1.4.2 1.4.2 @@ -39,4 +39,4 @@ ajak ajak - \ No newline at end of file + diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202211-03.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202211-03.xml new file mode 100644 index 0000000000..237aa0d806 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202211-03.xml @@ -0,0 +1,65 @@ + + + + PHP: Multiple Vulnerabilities + Multiple vulnerabilities have been found in PHP, the worst of which could result in arbitrary code execution. + php + 2022-11-19 + 2022-11-19 + 867913 + 873376 + 877853 + remote + + + 8.1.12 + 8.0.25 + 7.4.33 + 8.1.12 + 8.0.25 + 7.4.33 + + + +

PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML.

+ + +

Multiple vulnerabilities have been discovered in PHP. Please review the CVE identifiers referenced below for details.

+ + +

Please review the referenced CVE identifiers for details.

+ + +

There is no known workaround at this time.

+ + +

All PHP 7.4 users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/php-7.4.33" + + +

All PHP 8.0 users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/php-8.0.25" + + +

All PHP 8.1 users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/php-8.1.12" + + + + CVE-2022-31628 + CVE-2022-31629 + CVE-2022-31630 + CVE-2022-37454 + + ajak + sam + \ No newline at end of file diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202211-04.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202211-04.xml new file mode 100644 index 0000000000..ba61adcd9e --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202211-04.xml @@ -0,0 +1,87 @@ + + + + PostgreSQL: Multiple Vulnerabilities + Multiple vulnerabilities have been found in PostgreSQL, the worst of which could result in remote code execution. + postgresql + 2022-11-19 + 2022-11-19 + 793734 + 808984 + 823125 + 865255 + remote + + + 14.5 + 13.8 + 12.12 + 11.17 + 10.22 + 14.5 + 13.8 + 12.12 + 11.17 + 10.22 + + + +

PostgreSQL is an open source object-relational database management system.

+ + +

Multiple vulnerabilities have been discovered in PostgreSQL. Please review the CVE identifiers referenced below for details.

+ + +

Please review the referenced CVE identifiers for details.

+ + +

There is no known workaround at this time.

+ + +

All PostgreSQL 10.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/postgresql-10.22:10" + + +

All PostgreSQL 11.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/postgresql-11.17:11" + + +

All PostgreSQL 12.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/postgresql-12.12:12" + + +

All PostgreSQL 13.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/postgresql-13.8:13" + + +

All PostgreSQL 14.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/postgresql-14.5:14" + + + + CVE-2021-3677 + CVE-2021-23214 + CVE-2021-23222 + CVE-2021-32027 + CVE-2021-32028 + CVE-2022-1552 + CVE-2022-2625 + + ajak + sam + \ No newline at end of file diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202211-05.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202211-05.xml new file mode 100644 index 0000000000..b1b775bd9e --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202211-05.xml @@ -0,0 +1,65 @@ + + + + Mozilla Thunderbird: Multiple Vulnerabilities + Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. + thunderbird,thunderbird-bin + 2022-11-22 + 2022-11-22 + 881407 + remote + + + 102.5.0 + 102.5.0 + + + 102.5.0 + 102.5.0 + + + +

Mozilla Thunderbird is a popular open-source email client from the Mozilla project.

+ + +

Multiple vulnerabilities have been discovered in Mozilla Thunderbird. Please review the CVE identifiers referenced below for details.

+ + +

Please review the referenced CVE identifiers for details.

+ + +

There is no known workaround at this time.

+ + +

All Mozilla Thunderbird binary users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-bin-102.5.0" + + +

All Mozilla Thunderbird users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-102.5.0" + + + + CVE-2022-45403 + CVE-2022-45404 + CVE-2022-45405 + CVE-2022-45406 + CVE-2022-45408 + CVE-2022-45409 + CVE-2022-45410 + CVE-2022-45411 + CVE-2022-45412 + CVE-2022-45416 + CVE-2022-45418 + CVE-2022-45420 + CVE-2022-45421 + + ajak + ajak + \ No newline at end of file diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202211-06.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202211-06.xml new file mode 100644 index 0000000000..1fbd73ac29 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202211-06.xml @@ -0,0 +1,89 @@ + + + + Mozilla Firefox: Multiple Vulnerabilities + Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which could result in arbitrary code execution. + firefox,firefox-bin + 2022-11-22 + 2022-11-22 + 881403 + remote + + + 107.0 + 102.5.0 + 107.0 + 102.5.0 + + + 107.0 + 102.5.0 + 107.0 + 102.5.0 + + + +

Mozilla Firefox is a popular open-source web browser from the Mozilla project.

+ + +

Multiple vulnerabilities have been discovered in Mozilla Firefox. Please review the CVE identifiers referenced below for details.

+ + +

Please review the referenced CVE identifiers for details.

+ + +

There is no known workaround at this time.

+ + +

All Mozilla Firefox ESR binary users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-102.5.0" + + +

All Mozilla Firefox ESR users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/firefox-102.5.0" + + +

All Mozilla Firefox binary users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-107.0" + + +

All Mozilla Firefox users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/firefox-107.0" + + + + CVE-2022-40674 + CVE-2022-45403 + CVE-2022-45404 + CVE-2022-45405 + CVE-2022-45406 + CVE-2022-45407 + CVE-2022-45408 + CVE-2022-45409 + CVE-2022-45410 + CVE-2022-45411 + CVE-2022-45412 + CVE-2022-45413 + CVE-2022-45415 + CVE-2022-45416 + CVE-2022-45417 + CVE-2022-45418 + CVE-2022-45419 + CVE-2022-45420 + CVE-2022-45421 + + ajak + ajak + \ No newline at end of file diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202211-07.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202211-07.xml new file mode 100644 index 0000000000..045ffe019c --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202211-07.xml @@ -0,0 +1,42 @@ + + + + sysstat: Arbitrary Code Execution + An integer overflow vulnerability has been found in sysstat which could result in arbitrary code execution. + sysstat + 2022-11-22 + 2022-11-22 + 880543 + local + + + 12.7.1 + 12.7.1 + + + +

sysstat is a package containing a number of performance monitoring utilities for Linux, including sar, mpstat, iostat and sa tools.

+ + +

On 32 bit systems, an integer overflow can be triggered when displaying activity data files.

+ + +

Arbitrary code execution can be achieved via sufficiently crafted malicious input.

+ + +

There is no known workaround at this time.

+ + +

All sysstat users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-admin/sysstat-12.7.1" + + + + CVE-2022-39377 + + ajak + ajak + \ No newline at end of file diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202211-08.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202211-08.xml new file mode 100644 index 0000000000..ef60623602 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202211-08.xml @@ -0,0 +1,42 @@ + + + + sudo: Heap-Based Buffer Overread + A vulnerability has been discovered in sudo which could result in denial of service. + sudo + 2022-11-22 + 2022-11-22 + 879209 + remote + + + 1.9.12-r1 + 1.9.12-r1 + + + +

sudo allows a system administrator to give users the ability to run commands as other users.

+ + +

In certain password input handling, sudo incorrectly assumes the password input is at least nine bytes in size, leading to a heap buffer overread.

+ + +

In the worst case, the heap buffer overread can result in the denial of service of the sudo process.

+ + +

There is no known workaround at this time.

+ + +

All sudo users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-admin/sudo-1.9.12-r1" + + + + CVE-2022-43995 + + ajak + ajak + \ No newline at end of file diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202211-09.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202211-09.xml new file mode 100644 index 0000000000..d17ced8042 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202211-09.xml @@ -0,0 +1,44 @@ + + + + xterm: Arbitrary Code Execution + A vulnerability has been found in xterm which could allow for arbitrary code execution. + xterm + 2022-11-22 + 2022-11-22 + 880747 + remote + + + 375 + 375 + + + +

xterm is a terminal emulator for the X Window system.

+ + +

xterm does not correctly handle control characters related to OSC 50 font ops sequence handling.

+ + +

The vulnerability allows text written to the terminal to write text to the terminal's command line. If the terminal's shell is zsh running with vi line editing mode, text written to the terminal can also trigger the execution of arbitrary commands via writing ^G to the terminal.

+ + +

As a workaround, users can disable xterm's usage of OSC 50 sequences by adding the following to the XResources configuration: + +XTerm*allowFontOps: false

+ + +

All xterm users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-terms/xterm-375" + + + + CVE-2022-45063 + + ajak + ajak + \ No newline at end of file diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202211-10.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202211-10.xml new file mode 100644 index 0000000000..2f53a15436 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202211-10.xml @@ -0,0 +1,54 @@ + + + + Pillow: Multiple Vulnerabilities + Multiple vulnerabilities have been found in Pillow, the worst of which could result in arbitrary code execution. + pillow + 2022-11-22 + 2022-11-22 + 855683 + 878769 + 832598 + 830934 + 811450 + 802090 + remote + + + 9.3.0 + 9.3.0 + + + +

The friendly PIL fork.

+ + +

Multiple vulnerabilities have been discovered in Pillow. Please review the CVE identifiers referenced below for details.

+ + +

Please review the referenced CVE identifiers for details.

+ + +

There is no known workaround at this time.

+ + +

All Pillow users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-python/pillow-9.3.0" + + + + CVE-2021-23437 + CVE-2021-34552 + CVE-2022-22815 + CVE-2022-22816 + CVE-2022-22817 + CVE-2022-24303 + CVE-2022-45198 + CVE-2022-45199 + + ajak + ajak + \ No newline at end of file diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202211-11.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202211-11.xml new file mode 100644 index 0000000000..4c3adcd096 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202211-11.xml @@ -0,0 +1,44 @@ + + + + GPL Ghostscript: Multiple Vulnerabilities + Multiple vulnerabilities have been found in GPL Ghostscript, the worst of which could result in arbitrary code execution. + ghostscript-gpl + 2022-11-22 + 2022-11-22 + 852944 + 812509 + remote + + + 9.56.1 + 9.56.1 + + + +

Ghostscript is an interpreter for the PostScript language and for PDF.

+ + +

Multiple vulnerabilities have been discovered in GPL Ghostscript. Please review the CVE identifiers referenced below for details.

+ + +

Please review the referenced CVE identifiers for details.

+ + +

There is no known workaround at this time.

+ + +

All GPL Ghostscript users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-text/ghostscript-gpl-9.56.1" + + + + CVE-2021-3781 + CVE-2022-2085 + + ajak + ajak + \ No newline at end of file diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk b/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk index b85b4f37be..203b38b4ce 100644 --- a/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk @@ -1 +1 @@ -Fri, 18 Nov 2022 11:39:53 +0000 +Thu, 01 Dec 2022 08:39:49 +0000 diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.commit b/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.commit index 856b1311a2..bc76378b1c 100644 --- a/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.commit +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.commit @@ -1 +1 @@ -d2caa7d73160aa5b9c9cda07665068a8b25fa730 1668098162 2022-11-10T16:36:02+00:00 +be9dce898af341b1581822048910cec753530cb0 1669334514 2022-11-25T00:01:54+00:00