From 2ac1a5fd5700364ca672e092b9aa280ccf141790 Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Thu, 1 May 2025 07:06:59 +0000 Subject: [PATCH] portage-stable/metadata: Monthly GLSA metadata updates --- .../portage-stable/metadata/glsa/Manifest | 30 ++++++------ .../metadata/glsa/Manifest.files.gz | Bin 596819 -> 596980 bytes .../metadata/glsa/glsa-202504-01.xml | 44 ++++++++++++++++++ .../metadata/glsa/timestamp.chk | 2 +- .../metadata/glsa/timestamp.commit | 2 +- 5 files changed, 61 insertions(+), 17 deletions(-) create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202504-01.xml diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/Manifest b/sdk_container/src/third_party/portage-stable/metadata/glsa/Manifest index d7fa5a6d36..3bcf223499 100644 --- a/sdk_container/src/third_party/portage-stable/metadata/glsa/Manifest +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/Manifest 
@@ -1,23 +1,23 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 -MANIFEST Manifest.files.gz 596819 BLAKE2B 63522f06337573996c66aa3c0b81ef535020898b18e1885eee805fd1835f056debd8871c1b871e9129a2cfd9138cdf6cb96404b2859059f0e8906b7e44fbcee9 SHA512 87fcb2c073963a66ce8ec1e356d102364b832e77939304f57faeeda9b592eab9192b225eb977ad168b619ca3b7f0da1061763084ff671cea0d6a094c478551f0 -TIMESTAMP 2025-04-01T06:10:43Z +MANIFEST Manifest.files.gz 596980 BLAKE2B eddb25532154bba44bb35623eb68543626c56c08b4a9b70673d678e12e2e9d223dee9cf4d0203ab7966bfde59e62bbac75b407365fffaffd689f74499226bdef SHA512 63607f6c6d89e0de89c2ed0d49a183cf3ebf144547b6b6c3a675072d222d42a76895e60d6f7b099c2762d742420925f50f5f0705f64f212c92b5228a8c6aac91 +TIMESTAMP 2025-05-01T06:40:34Z -----BEGIN PGP SIGNATURE----- -iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmfrg2NfFIAAAAAALgAo +iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmgTF2JfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY -klA/uw/+IQmu9DSSDbsEjnWyooGUNr+aXX5NjlQX2+8c7AWpFugIUJCqiHFXyM1Q -oXe76kt/DK8I8za/2ouhAzauiSib4J1fdTxk+vzQS99EH+ocerbDWS5Twxb/7p7V -/6n4YdRN1wIQUOScvCDui/o6hqXOFk9LdGXBaDr388USilca08DSx0kK1aK/UFX6 -ZVGltml3Qax5PgbFdYAD68tS2KKDYCwtCouUMQ0kG96P+EQfgWdH3FDZ9DZ3GbYs -q7Q6Bj77vRKY5PFAQTlePRSsp1hpCsfeZESi3dTdgagiG5BRaOhGoMzkbnzSNXlu -xRu713wcSFXTNgpZvXP08tb2HudB4bpvo7FT7pDhmJq2CmVqdoNenaiU5ewb3yKp -I2YH/BqDKuYpFOOd/KfjRt6X+YtMM33KwMa3erWxk+G9ObTEV/iugleawiVPXBrr -kN2OJCgt+Gz0oXdx3ieWvql95X7UDxGyYNvrZsOcVPct2MGRtsyjLS5Dbz00Viea -huQ0t4CU6eJ093g88vKDfmMwTP7ViRX1z4447iAonb90tucRnGy+0WAWYmHq2uWQ -rzLSlxBFxtsxxzRYXvb11V/MD7lxE968IYx1pB/n12vl7CoIVL+wfrDWYWZB/Vv5 -oS1SxZa7EBMHE0i35PhMeE1SMKMQFDKvwShtLW4cK4rz7D/G1NM= -=m/Wp +klDRMQ/+PAi2qYoR0sip4LFgbYOupfpmsR8tU5KJ1/74lCyKWzBeJXLv6ZpzzUfQ +/zdiT7LTQTI/S+rLzGZ9iuru+SDj+TmSaqqe3/V47EMXrIUMQmi2/wpv4Xdz6SZv +vaIEnBvxy7AcER2kd3SjuP7oqh49lY3M8lSxGzDcyLuKLMtA0GruuXoOHK8Kc32p 
+e4MTmHiysNkwQ48mxpogteDz6UzMDz69H+RidhBJLcXj+VNi69jmLFUUWJ0WlINK +BScxduFU4NdYew2iDUFohVSAvLshHnpWUg/S6WlJo1Kf7XSjROBnuNxbrHrRfBRh +m4mx1fdXE73jM7QOpyx+BflrOEBmvrsGC2WJpI+YU5HmhRldkq9I1+amcPJEx/WD +8lTul44UWczfeDxOjVSwQ4Ez0a3YzGxtvo/6aT/P/8u6lxZwXC73F4vPe9B/qQDn +tCVkS4kDfMQf3zUlypFo3ny6eF54AcWzaT6XDIYVYJD1aSMXXqHhoffznAFB9Tjd +gmYAjCPk/6Oi7WPKEg+TryBnQLv9GEL7TRpQDAAMf0vc8OXwsJbEfS1HO8msMjA7 ++q4SVTPh7y9uKR62hu9MLuEXBxm3w4fS+U8e+62SVPIqwFsa5Q92Sh98AOPjK9yY +ViFNSQ0SCOaoWbmk9YFaC7JywXnlIXpD7si1W5a4hQ9aIF+qLqs= +=4GyX -----END PGP SIGNATURE----- 
diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/Manifest.files.gz b/sdk_container/src/third_party/portage-stable/metadata/glsa/Manifest.files.gz index 3253252d39ddc1ccc13bbedd1aea6893c8da2f16..174f96b7d26268e217cf5e8e4a00f6a0f9ff9966 100644 GIT binary patch delta 4229 zcmV;05PI*^wj}hoB!GkggaU*Egam{Iga(8Mgb1_=4GVu;P z{;>hifUklDqagw6`NM1Ro^$qg_x`);zP(k&A~PeHnGq&#-thF2C+_yYnmB!}5|3Bt z&g;RRPKQiZ?LP>Dw4~!ZAv1z5Kp?7`u}VGOI(l+Yi3HG3!sw&iuToX+yW?(!&Bn2V z{g7slJt==d+9TsuyD1NytT_-YGh3iI~FQdba0+eN{;3bl zBha|?cZTuV1WeH259f9Ln!{LXQCj1N1FL9Eg0~M-dnX%Tx~=%(&#U#-FAu|i-9bE$ z(y)%n-L}XT36w;Kmvjubg=TXCQIyaVZNq`-Zq-v+2?&U4$(5uz1f4UmW|@z*f^rQ@D; zK~-BVAP~DOfZlevP5$eP&6%`zUIS8 z{OXra;SFzHO48{-t3jM<#?bK*g$9qmX zUxOXSX`S#~1v6?3r&Nw3G@3rB?6(X{u-Wj#YNfBqmABOr=UVehrYzXWqZ4ebe6pr| za3jsGyt7{Ps4U6O5dk0ilX7-kxxKETgy%utg zu~dbXG?95#Up-t^!W_1wI)SLQ!$Jov<4_35;-Vr5&%Quuf5%4a8^}_;{XR*vaNcR}5HSn}*Y#f}XxI(;VYR;c<-?mL;KPbPni?B9 z6M=aEa=Wt&$*DJhAtZ&2qU(oNRV+#x+sOXDv(1-|C9w&LD$5t2@BxO(gu7s2oq`q$@rdESg5`oOM+=)E_B}aQ0!f>UXXBh2?Ke zZ`sJUCJI|fW9f0=K#|>BFDv$QRdeBjp&fP$0(5L@<}en`gYSIk>w9gf_L_7oGwvPZ zO1Gvpf2udi<&K+R}cr@pRzR1u!B4Y#vdhl!BN>nq}kjXxdyUtp8!Per}rI zqI{O?yJT$GYwcVQ*x7?idoEg=EJ@wmCb^LVf8@Z9`n3E{ebF=T&ZArKYNOk`WS7iM zuJ5)bn?91Z2C9u{x;4FT=aHsR3Z27&CSBV;ug&Hn?{ox;ZLm0v~ zdg5>C1rqic6{pwZm=pl+L?Yeg3G(Uj0agiwN^pxQZ8@hql^x2%F^E&s@_v6PpvlpG**jlP8&%Tjt4(~4gx&?B_%kAC8?p`C=Q>=Oh$J%BE$f^&HPI5_PK{WaH|^7j(N7&L!02)FwnfTOubrQ+p=1o5XCEXJ75!u=}mb zq>6I;^J@Lr*+vqW&G3($WGCs%Ja#Pm9>Y zIMlY#XzZCRqu1QdUrm?hIlSzOe*nb1!mYmkspRBI`ct>`r=G|uWRZCv+exn|#oL8$ zHAtYAs@g^6zwOw9b)BJXV4s$b8D1A2sN|5uNUp>HqifOf)jfl#j>18{IZ$YVJpYv39ZBoFh8koHo;3k>FpWb z&P6$mP7GNR-JI^6pq?&N0&xrreT3g6I9utkh^y@*>0H0ntO)l{g=}71Jv#@N5EKb8 zIawi7z4I@K9m9$WpLE!@dil1n|HC{{W6eGfC5zX zP&G+1SQM9e6bUJRbojiE_u1Dv>HD{dI)n)E{zL7x`x{7M;H*t>sVfqRU0iotXBGF)vqY;U5v(4 z)23>*lW*W90dgxND|M1p2Lvgurq5)u7-pn!$d6N_j5a8Lbt$TOPCJi5Z;|~;(t-Gw zw5)FF9y?UpQ6g$to`4hN#mRk%fZvXQYKW$&F#vez;>Uu7ev9qBvwMoN7l*o;T539Z 
z&}`~)Kt9_%Ya`F2^jfeNhUE`YrCnVelPW!P+0sSi4_m#9Z!_4Mtnb-Btk#d!!@F%; z@jftTB`AYR3WBf$pfmfgEe}xl!e1A;q$WSGPOzz^np0cDBDqG>MRm;OoB^41irfmI zjGZ>*duO)~+yNHWs#y!vJ3{@OpPG+DRJ@ET!N-^C6$u-EcJ_1{$~3w3;|)rPC+%*Y zL-5v=4fWVTcP%9-g1zk;mXhYA{Pbb9zOj6Mw_s*%ohld>U7i7B<oUu?9H`-)(magT!cO=JDA)g~vo#nlpod63tqOB$lkEh!vzjA`oi%*&7 zdMS7w_8LJ0@)PCtHJ>31y8H?dhr0zG3^K8qH&c{8Yg|pd+2#+bG?7*<4M)eavP1J;IN2im zs6J|}FY7v`j-|?09;Xhf@&v*DkHMy7bFlt@oPFJ^^{oyY-&KExVhNUWCZT0&V_8*D zyPQCO8v1J;D}tRL?Md^k^P0oSaCld0@g9L4rmU#)DMb}yq*u}`8&g5P z7F`+vuT{tM?)I|QdY;3TJXzuRRI<#YCy|k z8u7!a7L5bKI^I}vf!8<9(}d_ke9p+Qxync#e3?qNTAA?Q9cAWNPQ46ylnB`+`b{!< z&`Fc`OSYUPSf)Y^KlfYuT_!ze6(8i^B!d`HE-MafFo$KTNJ%PB@QCGvXvJh2_2bdIX@N?B~{h z?2c?^L&kZqw~68b==)eL=#G6r7C_3=Pgt!ILvx3%lu^e6Hr3X00Sy*sUdi2#y+oS~ z>?B(IC{)YUfK_=0EN=>7vC#fcPGR=!{qoKtk1x!Ev^3nTe?PT;4 z1nzYumsiV`NWc4lx8O@A?I>VHt|cbGiU|o`hHMwh#Q87VEL#_v&gX+;<@TtFoJrm4 ztot{?{7FqWwrSTWkd2?$A6F~B8CJjc*18;nABPp6~L|uUF z=OpN??av6B1(~|#7kiTUFs(yCDeT(wq9P=Iq&w@zmyM)~b}Ja9Q+FcilN4%u=|KoP zrt$`a+|`af7<6eF-yN^5RlzY8to5nYVvrZNc{1Oyw#mak&U%ADIpGIT9`My|#v#{` zTlh}p9%{HdyV8hPL5jgvhMC-dK%GBoB!NqQc;fN@`XHRn)!+mATD1Zga(ACn%?ZfI zk|AGw(tb+%)vP26djWhmJ_=~4IR~!XCrON`1ON-wp`D9mPTJK0&8i+gVLL%KeUDE7 zNoud0_{6&`_?t!oHd)vX8_d8waCs#iEvz<(;L4b;56 zDLgDAR5R!}HnKTN=h>d59`KcKw%B0tDaO-~Rd6 b@jw6j;UE6vx8MH$`(OSKH|U(bg-Q_sp`%&} delta 4066 zcmV<84;}FIwaWfdp{&51kXYyQ?r$f0r|NikXoS?q=ccW+ral@br==?e@PTbNbprJYJzY zuLpZN9Wq%*|3MI>B^}=hnF(|O0#VhBRqE;1(UXHpB!GSrMjz#Vm8x>z#k*BD8^;dz zLz<0yQi6Z9N5(zuri?mSb0An|w$gE1O@dWj#tTyLJRKgc{ljW~p;PeGYldv?a>cfN z6A~%pHJ@Lh(qsZr=PY?w5;d3v|Aj=&lFbj~T40`?lCyy*

O2+1&5hiw4J*;@2C8+lgEm1X|o)x z;D7~9NvXqvpIn%O6WH5kCI8wbwJJF$3P3G+iy}K zzm$REV-;d))^JjxMv0&fa!xdOOFP9kqsFjJ%BJ2Pb&J@6Wkyh8H<27;`EU}yZE}C# z?Y#|@Nze9`^rddMscGM9tHH^i%{bW(mDc!efQsfkxBVO;Spn7niO7TS>2!*##Vhm-i# zFQ3C3-nyE)=z2K7yNdooPBC@G%jV#KHE#oln(wS-ikC+Y2_S!22hmP^h(U1&_1=c6 zAa8mQ7EM*>z0^#1NQ{k9HEM76O4@R25kBbgsgmcdzNnt)#j~o0sl;|_G^*o0C!Mds z4&$^=c&>sOM+>J^jw3XhKB(-s0!y&j@WX25ugR6S)e`4g^U9_y*vX?4Y&!U4P5IzP znlE>(7@VOKM$$o+1ngKAU;bCuA{-hP$Gi6qsIbiJEje+YC~&9k7h35Rk=1MG&5SjTmHRu(0SC*qb`BPe!xGacShp z{|A(<+Mr=`lS&9$Ksv&#B_OXO99AGQf`pC_tM%P4|JHx)R!?snIP1?zfa!pcq=PjcSMLa`0>xeIdaz2cZINR2YNB-ZjD?mo9rrPY z*wQzE+a#8?A33OZE2qB+bHkr@ceOFc@6df0>|RH{^%a`s$YtZ6f%mgA6iwhD0yrn`};07Upkh=Ca9_`Uwpy`7%CGAd)8i+gWIV_ zZG9)}2fni_j8w_@=J$SXY&s#K7y~%F=@@J-d8B`a9FM+#k8Rx?utqE+?&wptji5o) zj!ZiCot3p(Nq%OkQht)d1Yt=6-e`|Wn zMz%Fk*g_i1j{^sa?B04=v7Zk$7cLlDv|A9MV^cGSv1%TCm#DArwWZpRtYevRFODnU zn$~})-YA!AEH>nvfC&1@AP*HT*J~>3-j=2I=-TXOA9Ngct!TeY>bV}h2X%T=`Z%ex zdV4PvB+Ou8_(RWK)uz0q{bu9oz^4mfLh0tx9qC}s9?6`_sU)+YDgB2aPjL8|HvD{5Vp}1 ze@icru*ax4y&lJ`0B|P~=`K%@&yNqVY9LgCTTE%oIo+x3P#KOvoSK&R`@?E|WBGr# z>4K)@0HJI2E!D*NGc8)aM1(;Uzchi-(oIuc%K$8hy zEX+L9_9T}rUCNV?2+9CS@hX|bx*UHt*LGWbRAo&UF@=LGp0&TvrmZUh&Opw$9WNhN z>+7bOcX+ebn(MIK-d*hOHIhBWs%LPlZB~Gss@D|N?NEhScL_isYc;peA4fkPLxQ0u zkqtNc9UaT5AI|8(TV8|`%|C0uhn48ASc;8*>j#}0GYOPIp6YB1Au}puWp97jmIOWi zD7Qba){jl@n|cQLSHImyGXyQZKyk$U`3Q)iePa#{a$BkD-;pUTE%2avwiExfh>gaf zwuMGhFJu|L=63#Sx-`$>WmkU!AeI$w_4Q9BCr{F!x}`t$L{1@#%=_3*dL=2|E_ACw z0<~1tE-C+Q#}=&X40QwhymZX)x-hENa%xfKD6;yxb?v7yP!{Ri5XyiQr$L!mw?jSGrXNk zavGf&iX^%@-8n%$U8n@&7#8{nzgcj$aoM#Jgpkxp)^^C7Byvyn$?rW=yUPRWmgF1`7eDiX_*_G+ zo5Bv}Ev%`PwL2D11&#C&=A2v_7l3pPwTB;JKpd~QydpbnwEVDI`I}Y0qP%x88c$7| zs?|=uftLixt&FVHNl_gTq_~;I|8a9nxe)4;Gv5j3ljP*w)f8NsmfkNbu+cpbn>9t z)Z>7Bv3b@;o=54mU@r{IACgMDx;kc6dgijFi^w0gdKcejur*oVvwv8vAFGFV+qUX` zU@1ya21*qKVFy5G_Fr2bpzejgE^=8-eqfzoQ%g0cwuVJ=ji#&Wn9Df>GU*h#RX`a# zZOHe|ZXdVvJLDgPz1ltn^ zJFp(<;G{WYp(<{&$?mLO%X{xg;#47@BXu~-dpSD+7IH*eO&lIiw@rTK1f^G>vdr~T 
z@Qn5#0e_Kh+t&#U@)I*etJX{s)Hyq31qu-EPfmz)mFlT2i@MtsP8E|qK6BVe==~Oi z`jMCEQ9Q*+XB&k>el&I`D;M=2JW~CzTHmv;Z#>cQMz*Z_8;@@4%JH%%hL_`t{XFVj z9#skY$-FE$U@2&-3*T`@DscK5k-3JNet*fhJ;2Ib6(Le=ltTh}0rYSbfc`8O z=cm-4D6g;i3`Nl8SAaO&E$CoSh|Rp2qVz@MYU0f{e^8}~v}$QMIhIu%n)kxV7THJj zQDc2w*C}>flhGAlUyg*pzGz*8h*QuY0w=)nU`S>d#Ot!E(+dv`lR*4;9od zCx4KJ{#tP*u=ArmX}NV?b2u3e?@BG+Be27i6;(bZYrz7obr4p!idu>EN}3g8D#+KO zOC#X5!|}Yky{xsKC%Td+E1aH#Eb}P2{@5l6b7u3X3ZV#c=D2q0#UTbA1prqG3tit_ z)x_A^?r-fcVHb~tL=7VQ-)!iEN2^T|yMK)ts?$SbTKceB-&p?5-g_uT=(S(I^uj)j z_~BHG#sOg+Z!EdM>zn3jLUbWMXJpu1Wuy+i%t5wVh49}UW#(8;y$pGj1lc9}O)`1V zNt5@>wwz^Hra}!r_gng1W<6&WALQR;gBVe+C=P5eNO{XRI!e6fD=(M)eTURLz)h_HV)eJD07&1n!-MIz}w?_|zwWZdM0 zVvN%kzehnD??s(0at3q!UCUjo4x?>{DDW+Au{{OY(NOatp$CP z_J_ea*teN~UahZt`Fg$86YY_5qQ(iE?Es$~XAt0kGk{-ZsDDX{v09^Ch*~;ZT#^W) zPB2MQPwjK6xKdgYy+I`+5#92)^pJ2Dcgda|Rj!uj_Q5(GZhm2T@4g-Zs3`lnHGjJ! zo7s?YM)o#QJOF(ks|DS$56A*YdHM+ttHjXUVJl_Q@qkUWwOl}h)tOgvw_`8KCIkD* z38kt*=0_culdyk&SgkKCU*2+}#&g4yq(0uz>S;^3diAYtkAv~H-x9`HV;#5jR7t01 zlzY^(I7B(!?Lm4n*S^0YziE(3w0~05DCtS6$(>B|BHUNew$Ysf8p zr+N=H+?`!%#H%31U@OB+ZZn|H8h`ow-~Q_#|NPJY`2AnMt$+XCe*3?_j{p9j5C8Cg UfBWrUzyIa`0Rt4c3|C1J0Q+0+A^-pY diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202504-01.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202504-01.xml new file mode 100644 index 0000000000..1e80046976 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202504-01.xml @@ -0,0 +1,44 @@ + + + + XZ Utils: Use after free + A vulnerability has been discovered in XZ Utils, which could lead to denial of service. + xz-utils + 2025-04-05 + 2025-04-05 + 953086 + remote + + + 5.6.4-r1 + 5.6.4-r1 + + + +

XZ Utils is free general-purpose data compression software with a high compression ratio.

+ + +

A use-after-free has been discovered in XZ utils. Please review the CVE identifier referenced below for details.

+
+ +

The multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash. The effects include heap use after free and writing to an address based on the null pointer plus an offset. Applications and libraries that use the lzma_stream_decoder_mt function are affected. + +It's unlikely one can achieve more than a crash if xz is built with PIE on a 64-bit system especially, as is done in Gentoo by default.

+
+ +

There is no known workaround at this time.

+
+ +

All XZ utils users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-arch/xz-utils-5.6.4-r1" + +
+ + CVE-2025-31115 + + sam + sam + \ No newline at end of file diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk b/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk index f75a4e36bb..66c0857d6d 100644 --- a/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk @@ -1 +1 @@ -Tue, 01 Apr 2025 06:10:40 +0000 +Thu, 01 May 2025 06:40:32 +0000 diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.commit b/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.commit index ad34d21cfe..d4c903585d 100644 --- a/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.commit +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.commit @@ -1 +1 @@ -8c44a0fc9958fea4290f5cca3cda73137cf7786a 1743192053 2025-03-28T20:00:53Z +da2df533a0a1b5799029686bc64ece18ac31947e 1743813771 2025-04-05T00:42:51Z
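Review bot: In the glsa/Manifest hunk the whole clearsigned block is swapped (new MANIFEST entry for Manifest.files.gz at 596980 bytes, TIMESTAMP 2025-05-01T06:40:34Z, new signature), but nothing in the patch or its commit message shows that the signature was verified or that the BLAKE2B and SHA512 values were recomputed against the Manifest.files.gz blob in the binary hunk. The only cross-check a reader can make from the diff is that the size in the MANIFEST line matches the diffstat "Bin 596819 -> 596980 bytes". Since neither the signature nor the binary delta can be reviewed by eye, suggest that the update job verify the OpenPGP signature and both digests before committing, and state the result (and the signing key fingerprint it accepted) in the commit message.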
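Review bot: The commit message "Monthly GLSA metadata updates" does not say that the glsa-202504-01.xml hunk adds a new advisory (XZ Utils, CVE-2025-31115, fixed by ">=app-arch/xz-utils-5.6.4-r1"), so anyone tracking exposure has to read the diff to find it. Suggest listing the added GLSA ids and affected packages in the message body, and noting whether the xz-utils revision shipped in the image is already at or above 5.6.4-r1. For triage, go by the impact text rather than the synopsis: the synopsis says only "denial of service", while the impact paragraph describes a heap use after free and a write to an address based on the null pointer plus an offset in consumers of lzma_stream_decoder_mt, with no known workaround.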
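Review bot: In the timestamp.chk and timestamp.commit hunks the sync time moves to "Thu, 01 May 2025 06:40:32 +0000" while the recorded upstream commit da2df533a0a1b5799029686bc64ece18ac31947e is dated 2025-04-05T00:42:51Z, almost four weeks earlier. That is consistent with the single advisory in this patch (dated 2025-04-05) only if no GLSA was published upstream after that date. Suggest the job confirm that the recorded commit is the current head of the source it syncs from, so that a stale mirror does not silently produce an update that looks complete.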