mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-08-17 18:06:59 +02:00
Code Issues Packages Projects Releases Wiki Activity

metadata: Monthly GLSA metadata updates

Browse Source
This commit is contained in:
Flatcar Buildbot 2022-12-01 09:04:51 +00:00 committed by Dongsu Park
parent d2944c7d76
commit 29186d73ad
13 changed files with 551 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
sdk_container/src/third_party/portage-stable/metadata/glsa/Manifest vendored
View File

@ -1,23 +1,23 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
MANIFEST Manifest.files.gz 536244 BLAKE2B 47908e9e54099299278f14e5112b789aac78178d7406b6880e3986163e8e2aeec411757dbe131202da7291c508ea72a7d158f7fe08facf6e36a23a28a992a7d8 SHA512 ef16d73b0d889ec01efae4d55e398ba1b384a7b46066c129d82b336f46e8804d0dd1765c65c49d93842dc829696efc67759ac790655f316a70359fb8847d9e4e
TIMESTAMP 2022-11-18T11:39:56Z
MANIFEST Manifest.files.gz 537682 BLAKE2B 5ea36706e9f3100f98a8bfc48465fc9c9965ad20b834454f02d0d345f47d095e5a9ed35b5f6e37007ee947d09446b720eafc19bfcbc8f9bac4db48a6a80580dd SHA512 0f5654de23f73899b445d3d10fa87c3ab643f77308df25999549e1b63748b5f101eb3f130afac8fb3e03eab64646d0e2016efd11a0f4eccc7a3b6117155d8d63
TIMESTAMP 2022-12-01T08:39:53Z
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmN3bwxfFIAAAAAALgAo
iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmOIaFlfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx
RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY
klBofg//VsVRzTk9MRvuKpQh5uKwkc4MXC+hY/TOxmUKNMuG6ZjaNiXdjz0Z5HXr
R5OlMOiOdRsBp2y9UHAcyjopo8OdIf3g6jzdpbBcEBw/nx+iHsP8ebrsHqiXSLXI
77XS2/pob3vYuSndXbfvLs0ZemqBXOcflneIQ9rkOD/LnpOyH1o3RYPnahoAVqQZ
mytgfss+b7cZjogvbiOCBqjPtTTHn6F8rDq9Jmn7KsbIi6hIzHDcKa4CI/C4f74n
MKi992d5ZLKck+zkOEU+fYXy9xuoALPxxM8tD4LvyfW+2DoVmgtERDw2HPxWTBim
7yB2pmcrkv5sOeNar2ftZdFRS7ZX26OS9wvIE6qZbh6cnjTKJB71mY/DwV3V0sPX
1nQLG0V5Ors9wtM93GbbQY9Qxh8l9WQ6/jpNiwqoZLfPRUcsgo69Q0VxOd/qKXOQ
sKR5opWTozn6qL55+CuqH3msq+agDkWAYSjdmNTiEbEv6inlSx+zJlGuChA6Ve7c
0e7UnJYyQQiyir8bxXtJPZesrIav61Q/eM+X4LtGrxeGFzvAmn/yl6f9uda2w16w
yG64E9BdgHZEX8r2QCIGs9iJE9DZ+7dgc9RwXVmEDxRiZ96395ZzHta++PypIL4B
MkK5S669/ZseQz/2LmceECvdXIKt95dJKvmgVpcs/vU+eCuTu/s=
=/0PV
klA9WA/+PADS6PqbAWmuYbwjJNAacc9lBgJA268HKwm9JQzEP0PkCCq/+s1hEWX9
j4Oc/yWTyJ/V/fesmun/BULTUwzm7tQZAPcXT/N5Hy0JiuGokPnDJsCZuV0EyD30
g4h08NnfSIJsOqHXjbRKhhLu98va0oQeGNOaY03wOnye5vZnXrp8+0dRIOzq+k/y
iBzZoTsp+zC4S3S+fMIHSzWMQ5zKLSzeMxpoFTrgWTeTnkiz1bcm6LDo43kqnyqu
o9a1eblEqe0TibbWCsLWnY32aii9jkQ3fUAFzPbxtZgRl02G6FxPgq7zchvhkmjM
cMlnck0SXQd2jm8QIlykOVV5BNMFDIlqYOPsRb5fdBe3IhJJ3KSqA3drX+QDk/Wl
BG04cSmmkSDFyREP+JyG2dMZMOGirb+3RDbp8HCavy0r9iRKXGF1hzbT7lpCGqpB
vdwTroQvgiEWg6JUR/z42hq2JXFUPIWcqZe6UfX2dIPFN2fdf0Tu0VpIzBZv+DEk
iA9q3xTpESXtxHI58dNLnrc8Re2T96cw/37eZxo5svoaE24CSxZV33tYnVFKa5+l
KRFdjYFSEh38xwih9P0Tq0nkDcJf8spJ6RDUATfBhxvLMjEjHBfInOBxZXa4IKin
KaedpDiaGMo3gohuCwqyxjBjcLqMiAJhMR6qVFSRDZgF9nni/u0=
=2S4S
-----END PGP SIGNATURE-----

4
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202208-21.xml vendored
View File

@ -9,7 +9,7 @@
<bug>772272</bug>
<access>remote</access>
<affected>
<package name="dev-libs/libebml" auto="yes" arch="arm,ppc,sparc,x86">
<package name="dev-libs/libebml" auto="yes" arch="arm ppc sparc x86">
<unaffected range="ge">1.4.2</unaffected>
<vulnerable range="lt">1.4.2</vulnerable>
</package>
@ -39,4 +39,4 @@
</references>
<metadata tag="requester" timestamp="2022-08-14T00:09:54.090013Z">ajak</metadata>
<metadata tag="submitter" timestamp="2022-08-14T00:09:54.093255Z">ajak</metadata>
</glsa>
</glsa>

65
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202211-03.xml vendored Normal file
View File

@ -0,0 +1,65 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202211-03">
<title>PHP: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in PHP, the worst of which could result in arbitrary code execution.</synopsis>
<product type="ebuild">php</product>
<announced>2022-11-19</announced>
<revised count="1">2022-11-19</revised>
<bug>867913</bug>
<bug>873376</bug>
<bug>877853</bug>
<access>remote</access>
<affected>
<package name="dev-lang/php" auto="yes" arch="*">
<unaffected range="ge" slot="8.1">8.1.12</unaffected>
<unaffected range="ge" slot="8.0">8.0.25</unaffected>
<unaffected range="ge" slot="7.4">7.4.33</unaffected>
<vulnerable range="lt" slot="8.1">8.1.12</vulnerable>
<vulnerable range="lt" slot="8.0">8.0.25</vulnerable>
<vulnerable range="lt" slot="7.4">7.4.33</vulnerable>
</package>
</affected>
<background>
<p>PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in PHP. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="normal">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All PHP 7.4 users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/php-7.4.33"
</code>
<p>All PHP 8.0 users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/php-8.0.25"
</code>
<p>All PHP 8.1 users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/php-8.1.12"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-31628">CVE-2022-31628</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-31629">CVE-2022-31629</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-31630">CVE-2022-31630</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-37454">CVE-2022-37454</uri>
</references>
<metadata tag="requester" timestamp="2022-11-19T03:32:18.817744Z">ajak</metadata>
<metadata tag="submitter" timestamp="2022-11-19T03:32:18.825295Z">sam</metadata>
</glsa>

87
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202211-04.xml vendored Normal file
View File

@ -0,0 +1,87 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202211-04">
<title>PostgreSQL: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in PostgreSQL, the worst of which could result in remote code execution.</synopsis>
<product type="ebuild">postgresql</product>
<announced>2022-11-19</announced>
<revised count="1">2022-11-19</revised>
<bug>793734</bug>
<bug>808984</bug>
<bug>823125</bug>
<bug>865255</bug>
<access>remote</access>
<affected>
<package name="dev-db/postgresql" auto="yes" arch="*">
<unaffected range="ge">14.5</unaffected>
<unaffected range="ge" slot="13">13.8</unaffected>
<unaffected range="ge" slot="12">12.12</unaffected>
<unaffected range="ge" slot="11">11.17</unaffected>
<unaffected range="ge" slot="10">10.22</unaffected>
<vulnerable range="lt" slot="14">14.5</vulnerable>
<vulnerable range="lt" slot="13">13.8</vulnerable>
<vulnerable range="lt" slot="12">12.12</vulnerable>
<vulnerable range="lt" slot="11">11.17</vulnerable>
<vulnerable range="lt">10.22</vulnerable>
</package>
</affected>
<background>
<p>PostgreSQL is an open source object-relational database management system.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in PostgreSQL. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="high">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All PostgreSQL 10.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/postgresql-10.22:10"
</code>
<p>All PostgreSQL 11.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/postgresql-11.17:11"
</code>
<p>All PostgreSQL 12.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/postgresql-12.12:12"
</code>
<p>All PostgreSQL 13.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/postgresql-13.8:13"
</code>
<p>All PostgreSQL 14.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/postgresql-14.5:14"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-3677">CVE-2021-3677</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-23214">CVE-2021-23214</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-23222">CVE-2021-23222</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-32027">CVE-2021-32027</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-32028">CVE-2021-32028</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1552">CVE-2022-1552</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2625">CVE-2022-2625</uri>
</references>
<metadata tag="requester" timestamp="2022-11-19T03:33:10.915978Z">ajak</metadata>
<metadata tag="submitter" timestamp="2022-11-19T03:33:10.920639Z">sam</metadata>
</glsa>

65
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202211-05.xml vendored Normal file
View File

@ -0,0 +1,65 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202211-05">
<title>Mozilla Thunderbird: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could result in arbitrary code execution.</synopsis>
<product type="ebuild">thunderbird,thunderbird-bin</product>
<announced>2022-11-22</announced>
<revised count="1">2022-11-22</revised>
<bug>881407</bug>
<access>remote</access>
<affected>
<package name="mail-client/thunderbird" auto="yes" arch="*">
<unaffected range="ge">102.5.0</unaffected>
<vulnerable range="lt">102.5.0</vulnerable>
</package>
<package name="mail-client/thunderbird-bin" auto="yes" arch="*">
<unaffected range="ge">102.5.0</unaffected>
<vulnerable range="lt">102.5.0</vulnerable>
</package>
</affected>
<background>
<p>Mozilla Thunderbird is a popular open-source email client from the Mozilla project.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Mozilla Thunderbird. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="high">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Mozilla Thunderbird binary users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=mail-client/thunderbird-bin-102.5.0"
</code>
<p>All Mozilla Thunderbird users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=mail-client/thunderbird-102.5.0"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45403">CVE-2022-45403</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45404">CVE-2022-45404</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45405">CVE-2022-45405</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45406">CVE-2022-45406</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45408">CVE-2022-45408</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45409">CVE-2022-45409</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45410">CVE-2022-45410</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45411">CVE-2022-45411</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45412">CVE-2022-45412</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45416">CVE-2022-45416</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45418">CVE-2022-45418</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45420">CVE-2022-45420</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45421">CVE-2022-45421</uri>
</references>
<metadata tag="requester" timestamp="2022-11-22T03:50:21.079709Z">ajak</metadata>
<metadata tag="submitter" timestamp="2022-11-22T03:50:21.087736Z">ajak</metadata>
</glsa>

89
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202211-06.xml vendored Normal file
View File

@ -0,0 +1,89 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202211-06">
<title>Mozilla Firefox: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which could result in arbitrary code execution.</synopsis>
<product type="ebuild">firefox,firefox-bin</product>
<announced>2022-11-22</announced>
<revised count="1">2022-11-22</revised>
<bug>881403</bug>
<access>remote</access>
<affected>
<package name="www-client/firefox" auto="yes" arch="*">
<unaffected range="ge" slot="rapid">107.0</unaffected>
<unaffected range="ge" slot="esr">102.5.0</unaffected>
<vulnerable range="lt" slot="rapid">107.0</vulnerable>
<vulnerable range="lt" slot="esr">102.5.0</vulnerable>
</package>
<package name="www-client/firefox-bin" auto="yes" arch="*">
<unaffected range="ge" slot="rapid">107.0</unaffected>
<unaffected range="ge" slot="esr">102.5.0</unaffected>
<vulnerable range="lt" slot="rapid">107.0</vulnerable>
<vulnerable range="lt" slot="esr">102.5.0</vulnerable>
</package>
</affected>
<background>
<p>Mozilla Firefox is a popular open-source web browser from the Mozilla project.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Mozilla Firefox. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="high">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Mozilla Firefox ESR binary users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/firefox-bin-102.5.0"
</code>
<p>All Mozilla Firefox ESR users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/firefox-102.5.0"
</code>
<p>All Mozilla Firefox binary users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/firefox-bin-107.0"
</code>
<p>All Mozilla Firefox users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/firefox-107.0"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-40674">CVE-2022-40674</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45403">CVE-2022-45403</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45404">CVE-2022-45404</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45405">CVE-2022-45405</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45406">CVE-2022-45406</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45407">CVE-2022-45407</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45408">CVE-2022-45408</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45409">CVE-2022-45409</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45410">CVE-2022-45410</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45411">CVE-2022-45411</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45412">CVE-2022-45412</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45413">CVE-2022-45413</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45415">CVE-2022-45415</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45416">CVE-2022-45416</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45417">CVE-2022-45417</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45418">CVE-2022-45418</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45419">CVE-2022-45419</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45420">CVE-2022-45420</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45421">CVE-2022-45421</uri>
</references>
<metadata tag="requester" timestamp="2022-11-22T03:51:05.820873Z">ajak</metadata>
<metadata tag="submitter" timestamp="2022-11-22T03:51:05.825843Z">ajak</metadata>
</glsa>

42
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202211-07.xml vendored Normal file
View File

@ -0,0 +1,42 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202211-07">
<title>sysstat: Arbitrary Code Execution</title>
<synopsis>An integer overflow vulnerability has been found in sysstat which could result in arbitrary code execution.</synopsis>
<product type="ebuild">sysstat</product>
<announced>2022-11-22</announced>
<revised count="1">2022-11-22</revised>
<bug>880543</bug>
<access>local</access>
<affected>
<package name="app-admin/sysstat" auto="yes" arch="*">
<unaffected range="ge">12.7.1</unaffected>
<vulnerable range="lt">12.7.1</vulnerable>
</package>
</affected>
<background>
<p>sysstat is a package containing a number of performance monitoring utilities for Linux, including sar, mpstat, iostat and sa tools.</p>
</background>
<description>
<p>On 32 bit systems, an integer overflow can be triggered when displaying activity data files.</p>
</description>
<impact type="normal">
<p>Arbitrary code execution can be achieved via sufficiently crafted malicious input.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All sysstat users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-admin/sysstat-12.7.1"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-39377">CVE-2022-39377</uri>
</references>
<metadata tag="requester" timestamp="2022-11-22T03:51:28.943709Z">ajak</metadata>
<metadata tag="submitter" timestamp="2022-11-22T03:51:28.948154Z">ajak</metadata>
</glsa>

42
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202211-08.xml vendored Normal file
View File

@ -0,0 +1,42 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202211-08">
<title>sudo: Heap-Based Buffer Overread</title>
<synopsis>A vulnerability has been discovered in sudo which could result in denial of service.</synopsis>
<product type="ebuild">sudo</product>
<announced>2022-11-22</announced>
<revised count="1">2022-11-22</revised>
<bug>879209</bug>
<access>remote</access>
<affected>
<package name="app-admin/sudo" auto="yes" arch="*">
<unaffected range="ge">1.9.12-r1</unaffected>
<vulnerable range="lt">1.9.12-r1</vulnerable>
</package>
</affected>
<background>
<p>sudo allows a system administrator to give users the ability to run commands as other users.</p>
</background>
<description>
<p>In certain password input handling, sudo incorrectly assumes the password input is at least nine bytes in size, leading to a heap buffer overread.</p>
</description>
<impact type="normal">
<p>In the worst case, the heap buffer overread can result in the denial of service of the sudo process.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All sudo users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-admin/sudo-1.9.12-r1"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-43995">CVE-2022-43995</uri>
</references>
<metadata tag="requester" timestamp="2022-11-22T03:52:48.652373Z">ajak</metadata>
<metadata tag="submitter" timestamp="2022-11-22T03:52:48.657000Z">ajak</metadata>
</glsa>

44
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202211-09.xml vendored Normal file
View File

@ -0,0 +1,44 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202211-09">
<title>xterm: Arbitrary Code Execution</title>
<synopsis>A vulnerability has been found in xterm which could allow for arbitrary code execution.</synopsis>
<product type="ebuild">xterm</product>
<announced>2022-11-22</announced>
<revised count="1">2022-11-22</revised>
<bug>880747</bug>
<access>remote</access>
<affected>
<package name="x11-terms/xterm" auto="yes" arch="*">
<unaffected range="ge">375</unaffected>
<vulnerable range="lt">375</vulnerable>
</package>
</affected>
<background>
<p>xterm is a terminal emulator for the X Window system.</p>
</background>
<description>
<p>xterm does not correctly handle control characters related to OSC 50 font ops sequence handling.</p>
</description>
<impact type="normal">
<p>The vulnerability allows text written to the terminal to write text to the terminal&#39;s command line. If the terminal&#39;s shell is zsh running with vi line editing mode, text written to the terminal can also trigger the execution of arbitrary commands via writing ^G to the terminal.</p>
</impact>
<workaround>
<p>As a workaround, users can disable xterm&#39;s usage of OSC 50 sequences by adding the following to the XResources configuration:
XTerm*allowFontOps: false</p>
</workaround>
<resolution>
<p>All xterm users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=x11-terms/xterm-375"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45063">CVE-2022-45063</uri>
</references>
<metadata tag="requester" timestamp="2022-11-22T03:53:08.351235Z">ajak</metadata>
<metadata tag="submitter" timestamp="2022-11-22T03:53:08.356875Z">ajak</metadata>
</glsa>

54
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202211-10.xml vendored Normal file
View File

@ -0,0 +1,54 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202211-10">
<title>Pillow: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Pillow, the worst of which could result in arbitrary code execution.</synopsis>
<product type="ebuild">pillow</product>
<announced>2022-11-22</announced>
<revised count="1">2022-11-22</revised>
<bug>855683</bug>
<bug>878769</bug>
<bug>832598</bug>
<bug>830934</bug>
<bug>811450</bug>
<bug>802090</bug>
<access>remote</access>
<affected>
<package name="dev-python/pillow" auto="yes" arch="*">
<unaffected range="ge">9.3.0</unaffected>
<vulnerable range="lt">9.3.0</vulnerable>
</package>
</affected>
<background>
<p>The friendly PIL fork.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Pillow. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="high">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Pillow users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-python/pillow-9.3.0"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-23437">CVE-2021-23437</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-34552">CVE-2021-34552</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-22815">CVE-2022-22815</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-22816">CVE-2022-22816</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-22817">CVE-2022-22817</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-24303">CVE-2022-24303</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45198">CVE-2022-45198</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45199">CVE-2022-45199</uri>
</references>
<metadata tag="requester" timestamp="2022-11-22T03:53:25.971741Z">ajak</metadata>
<metadata tag="submitter" timestamp="2022-11-22T03:53:25.978803Z">ajak</metadata>
</glsa>

44
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202211-11.xml vendored Normal file
View File

@ -0,0 +1,44 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202211-11">
<title>GPL Ghostscript: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in GPL Ghostscript, the worst of which could result in arbitrary code execution.</synopsis>
<product type="ebuild">ghostscript-gpl</product>
<announced>2022-11-22</announced>
<revised count="1">2022-11-22</revised>
<bug>852944</bug>
<bug>812509</bug>
<access>remote</access>
<affected>
<package name="app-text/ghostscript-gpl" auto="yes" arch="*">
<unaffected range="ge">9.56.1</unaffected>
<vulnerable range="lt">9.56.1</vulnerable>
</package>
</affected>
<background>
<p>Ghostscript is an interpreter for the PostScript language and for PDF.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in GPL Ghostscript. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="high">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All GPL Ghostscript users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/ghostscript-gpl-9.56.1"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-3781">CVE-2021-3781</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2085">CVE-2022-2085</uri>
</references>
<metadata tag="requester" timestamp="2022-11-22T03:53:57.184664Z">ajak</metadata>
<metadata tag="submitter" timestamp="2022-11-22T03:53:57.190013Z">ajak</metadata>
</glsa>

2
sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk vendored
View File

@ -1 +1 @@
Fri, 18 Nov 2022 11:39:53 +0000
Thu, 01 Dec 2022 08:39:49 +0000

2
sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.commit vendored
View File

@ -1 +1 @@
d2caa7d73160aa5b9c9cda07665068a8b25fa730 1668098162 2022-11-10T16:36:02+00:00
be9dce898af341b1581822048910cec753530cb0 1669334514 2022-11-25T00:01:54+00:00