portage-stable/metadata: Monthly GLSA metadata updates

Flatcar Buildbot 2024-02-01 07:15:04 +00:00 committed by Dongsu Park
parent 17ebdcc5d5
commit 394f7376ae
38 changed files with 1963 additions and 17 deletions


@ -1,23 +1,23 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
MANIFEST Manifest.files.gz 558197 BLAKE2B dde0fd5bc1749affc0b48b285b7ab9bd0a7216628f650cd3cbf0e6b2a1788ebd2dc667afbfee3491b42c071ba583d8c7e204468384a8f639b22206d6cbf47903 SHA512 6a3cf3862910d3680e54853c513e07b7a7d791fa5a5732653e79584f351498dd0ac5f7c244cf38dd9920afd7da27fd2c1e7a51770500da41d964a2a5ddd6ec92
TIMESTAMP 2024-01-01T06:39:54Z
MANIFEST Manifest.files.gz 563604 BLAKE2B d497f4e02c0349649ea1fd84297af45ff253c185da14e6dba30f010f40d1ab86fdeb750087d23d7e892d4b2a6c45bb36baacd75348d2a50c0dc3c70213c1836e SHA512 c8b2f6bb87969de216a6075f22dc589f34d03bc0cd503b9bbedb9672f2aa19209f4d1236cd3f9aaf54428705e66f266c37a1f0bdb30c6fdae78df87761e4d8da
TIMESTAMP 2024-02-01T06:41:25Z
-----BEGIN PGP SIGNATURE-----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=4bYj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=EZVX
-----END PGP SIGNATURE-----


@ -0,0 +1,47 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202401-01">
<title>Joblib: Arbitrary Code Execution</title>
<synopsis>A vulnerability has been found in Joblib which allows for arbitrary code execution.</synopsis>
<product type="ebuild">joblib</product>
<announced>2024-01-02</announced>
<revised count="1">2024-01-02</revised>
<bug>873151</bug>
<access>remote</access>
<affected>
<package name="dev-python/joblib" auto="yes" arch="*">
<unaffected range="ge">1.2.0</unaffected>
<vulnerable range="lt">1.2.0</vulnerable>
</package>
</affected>
<background>
<p>Joblib is a set of tools to provide lightweight pipelining in Python. In particular:
1. transparent disk-caching of functions and lazy re-evaluation (memoize pattern)
2. easy simple parallel computing
Joblib is optimized to be fast and robust on large data in particular and has specific optimizations for numpy arrays.</p>
</background>
<description>
<p>A vulnerability has been discovered in Joblib. Please review the CVE identifier referenced below for details.</p>
</description>
<impact type="high">
<p>Joblib is vulnerable to arbitrary code execution via the pre_dispatch flag in Parallel() class due to the eval() statement.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Joblib users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-python/joblib-1.2.0"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-21797">CVE-2022-21797</uri>
</references>
<metadata tag="requester" timestamp="2024-01-02T14:38:14.200471Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-01-02T14:38:14.202528Z">graaff</metadata>
</glsa>


@ -0,0 +1,50 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202401-02">
<title>c-ares: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in c-ares, the worst of which could result in the loss of confidentiality or integrity.</synopsis>
<product type="ebuild">c-ares</product>
<announced>2024-01-05</announced>
<revised count="1">2024-01-05</revised>
<bug>807604</bug>
<bug>807775</bug>
<bug>892489</bug>
<bug>905341</bug>
<access>remote</access>
<affected>
<package name="net-dns/c-ares" auto="yes" arch="*">
<unaffected range="ge">1.19.0</unaffected>
<vulnerable range="lt">1.19.0</vulnerable>
</package>
</affected>
<background>
<p>c-ares is a C library for asynchronous DNS requests (including name resolves).</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in c-ares. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="normal">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All c-ares users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-dns/c-ares-1.19.0"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-3672">CVE-2021-3672</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-22930">CVE-2021-22930</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-22931">CVE-2021-22931</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-22939">CVE-2021-22939</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-22940">CVE-2021-22940</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-4904">CVE-2022-4904</uri>
</references>
<metadata tag="requester" timestamp="2024-01-05T09:27:33.033646Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-01-05T09:27:33.037404Z">graaff</metadata>
</glsa>


@ -0,0 +1,42 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202401-03">
<title>BlueZ: Privilege Escalation</title>
<synopsis>Multiple vulnerabilities have been discovered in Bluez, the worst of which can lead to privilege escalation.</synopsis>
<product type="ebuild">bluez</product>
<announced>2024-01-05</announced>
<revised count="1">2024-01-05</revised>
<bug>919383</bug>
<access>remote</access>
<affected>
<package name="net-wireless/bluez" auto="yes" arch="*">
<unaffected range="ge">5.70-r1</unaffected>
<vulnerable range="lt">5.70-r1</vulnerable>
</package>
</affected>
<background>
<p>BlueZ is the canonical bluetooth tools and system daemons package for Linux.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in BlueZ. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="high">
<p>An attacker may inject unauthenticated keystrokes via Bluetooth, leading to privilege escalation or denial of service.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All BlueZ users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-wireless/bluez-5.70-r1"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-45866">CVE-2023-45866</uri>
</references>
<metadata tag="requester" timestamp="2024-01-05T12:09:52.619298Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-01-05T12:09:52.622390Z">graaff</metadata>
</glsa>


@ -0,0 +1,68 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202401-04">
<title>WebKitGTK+: Multiple Vulnerabilities</title>
<synopsis>Several vulnerabilities have been found in WebKitGTK+, the worst of which can lead to remote code execution.</synopsis>
<product type="ebuild">webkit-gtk</product>
<announced>2024-01-05</announced>
<revised count="1">2024-01-05</revised>
<bug>907818</bug>
<bug>909663</bug>
<bug>910656</bug>
<bug>918087</bug>
<bug>918099</bug>
<bug>919290</bug>
<access>remote</access>
<affected>
<package name="net-libs/webkit-gtk" auto="yes" arch="*">
<unaffected range="ge" slot="4">2.42.3</unaffected>
<unaffected range="ge" slot="4.1">2.42.3</unaffected>
<unaffected range="ge" slot="6">2.42.3</unaffected>
<vulnerable range="lt" slot="4">2.42.3</vulnerable>
</package>
</affected>
<background>
<p>WebKitGTK+ is a full-featured port of the WebKit rendering engine, suitable for projects requiring any kind of web integration, from hybrid HTML/CSS applications to full-fledged web browsers.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in WebKitGTK+. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="high">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All WebKitGTK+ users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-2.42.3"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-28198">CVE-2023-28198</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-28204">CVE-2023-28204</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-32370">CVE-2023-32370</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-32373">CVE-2023-32373</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-32393">CVE-2023-32393</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-32439">CVE-2023-32439</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-37450">CVE-2023-37450</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-38133">CVE-2023-38133</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-38572">CVE-2023-38572</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-38592">CVE-2023-38592</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-38594">CVE-2023-38594</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-38595">CVE-2023-38595</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-38597">CVE-2023-38597</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-38599">CVE-2023-38599</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-38600">CVE-2023-38600</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-38611">CVE-2023-38611</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-40397">CVE-2023-40397</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-42916">CVE-2023-42916</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-42917">CVE-2023-42917</uri>
<uri link="https://webkitgtk.org/security/WSA-2023-0006.html">WSA-2023-0006</uri>
</references>
<metadata tag="requester" timestamp="2024-01-05T13:00:45.321572Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-01-05T13:00:45.323961Z">graaff</metadata>
</glsa>
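Review bot: The `<affected>` block for net-libs/webkit-gtk has `<unaffected range="ge">` entries for slots 4, 4.1 and 6 but only one vulnerable entry, `<vulnerable range="lt" slot="4">2.42.3</vulnerable>`, so a checker that matches installed packages against the vulnerable ranges would presumably not flag slot 4.1 or slot 6 installs older than 2.42.3. If those slots are affected, the block needs `<vulnerable range="lt" slot="4.1">2.42.3</vulnerable>` and `<vulnerable range="lt" slot="6">2.42.3</vulnerable>` next to the existing entry. The resolution atom `">=net-libs/webkit-gtk-2.42.3"` also carries no slot, unlike the slotted atoms used in the Firefox advisory in this same commit. As this file appears to be synced from the upstream GLSA data, the correction belongs upstream rather than in a local edit here.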


@ -0,0 +1,42 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202401-05">
<title>RDoc: Command Injection</title>
<synopsis>A vulnerability has been found in RDoc which allows for command injection.</synopsis>
<product type="ebuild">rdoc</product>
<announced>2024-01-05</announced>
<revised count="1">2024-01-05</revised>
<bug>801301</bug>
<access>remote</access>
<affected>
<package name="dev-ruby/rdoc" auto="yes" arch="*">
<unaffected range="ge">6.3.2</unaffected>
<vulnerable range="lt">6.3.2</vulnerable>
</package>
</affected>
<background>
<p>RDoc produces HTML and command-line documentation for Ruby projects.</p>
</background>
<description>
<p>A vulnerability has been discovered in RDoc. Please review the CVE identifier referenced below for details.</p>
</description>
<impact type="normal">
<p>RDoc used to call Kernel#open to open a local file. If a Ruby project has a file whose name starts with | and ends with tags, the command following the pipe character is executed. A malicious Ruby project could exploit it to run an arbitrary command execution against a user who attempts to run the rdoc command.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All RDoc users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-ruby/rdoc-6.3.2"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-31799">CVE-2021-31799</uri>
</references>
<metadata tag="requester" timestamp="2024-01-05T13:34:12.712050Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-01-05T13:34:12.715693Z">graaff</metadata>
</glsa>


@ -0,0 +1,43 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202401-06">
<title>CUPS filters: Remote Code Execution</title>
<synopsis>A vulnerability has been found in CUPS filters where remote code execution is possible via the beh filter.</synopsis>
<product type="ebuild">cups-filters</product>
<announced>2024-01-05</announced>
<revised count="1">2024-01-05</revised>
<bug>906944</bug>
<access>remote</access>
<affected>
<package name="net-print/cups-filters" auto="yes" arch="*">
<unaffected range="ge">1.28.17-r2</unaffected>
<vulnerable range="lt">1.28.17-r2</vulnerable>
</package>
</affected>
<background>
<p>CUPS filters provides backends, filters, and other software that was once part of the core CUPS distribution.</p>
</background>
<description>
<p>A vulnerability has been discovered in cups-filters. Please review the CVE identifier referenced below for details.</p>
</description>
<impact type="high">
<p>If you use beh to create an accessible network printer, this security vulnerability can cause remote code execution.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All cups-filters users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-print/cups-filters-1.28.17-r2"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-24805">CVE-2023-24805</uri>
<uri>GHSA-gpxc-v2m8-fr3x</uri>
</references>
<metadata tag="requester" timestamp="2024-01-05T14:26:44.306186Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-01-05T14:26:44.308150Z">graaff</metadata>
</glsa>


@ -0,0 +1,42 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202401-07">
<title>R: Directory Traversal</title>
<synopsis>A vulnerability was found in R which could allow for remote code execution.</synopsis>
<product type="ebuild">R</product>
<announced>2024-01-06</announced>
<revised count="1">2024-01-06</revised>
<bug>765361</bug>
<access>remote</access>
<affected>
<package name="dev-lang/R" auto="yes" arch="*">
<unaffected range="ge">4.0.4</unaffected>
<vulnerable range="lt">4.0.4</vulnerable>
</package>
</affected>
<background>
<p>R is a language and environment for statistical computing and graphics.</p>
</background>
<description>
<p>The native R package installation mechanisms do not sufficiently validate installed source packages for path traversal.</p>
</description>
<impact type="normal">
<p>Installation of a malicious R package could result in an arbitrary file overwrite which could result in arbitrary code execution, as might be seen with the overwrite of an authorized_keys file.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All R users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/R-4.0.4"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-27637">CVE-2020-27637</uri>
</references>
<metadata tag="requester" timestamp="2024-01-06T09:03:55.341282Z">ajak</metadata>
<metadata tag="submitter" timestamp="2024-01-06T09:03:55.343880Z">graaff</metadata>
</glsa>


@ -0,0 +1,47 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202401-08">
<title>util-linux: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in util-linux which can lead to denial of service or information disclosure.</synopsis>
<product type="ebuild">util-linux</product>
<announced>2024-01-07</announced>
<revised count="1">2024-01-07</revised>
<bug>806070</bug>
<bug>831978</bug>
<bug>833365</bug>
<access>remote</access>
<affected>
<package name="sys-apps/util-linux" auto="yes" arch="*">
<unaffected range="ge">2.37.4</unaffected>
<vulnerable range="lt">2.37.4</vulnerable>
</package>
</affected>
<background>
<p>util-linux is a suite of Linux programs including mount and umount, programs used to mount and unmount filesystems.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in util-linux. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="normal">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All util-linux users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-apps/util-linux-2.37.4"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-3995">CVE-2021-3995</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-3996">CVE-2021-3996</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-37600">CVE-2021-37600</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-0563">CVE-2022-0563</uri>
</references>
<metadata tag="requester" timestamp="2024-01-07T08:30:19.699309Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-01-07T08:30:19.701387Z">graaff</metadata>
</glsa>


@ -0,0 +1,44 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202401-09">
<title>Eclipse Mosquitto: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Eclipse Mosquitto which could result in denial of service.</synopsis>
<product type="ebuild">mosquitto</product>
<announced>2024-01-07</announced>
<revised count="1">2024-01-07</revised>
<bug>918540</bug>
<access>remote</access>
<affected>
<package name="app-misc/mosquitto" auto="yes" arch="*">
<unaffected range="ge">2.0.17</unaffected>
<vulnerable range="lt">2.0.17</vulnerable>
</package>
</affected>
<background>
<p>Eclipse Mosquitto is an open source MQTT v3 broker.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Eclipse Mosquitto. Please review the CVE identifier referenced below for details.</p>
</description>
<impact type="low">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Eclipse Mosquitto users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-misc/mosquitto-2.0.17"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-0809">CVE-2023-0809</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-3592">CVE-2023-3592</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-28366">CVE-2023-28366</uri>
</references>
<metadata tag="requester" timestamp="2024-01-07T09:13:27.446170Z">ajak</metadata>
<metadata tag="submitter" timestamp="2024-01-07T09:13:27.448434Z">graaff</metadata>
</glsa>


@ -0,0 +1,134 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202401-10">
<title>Mozilla Firefox: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could lead to remote code execution.</synopsis>
<product type="ebuild">firefox,firefox-bin</product>
<announced>2024-01-07</announced>
<revised count="1">2024-01-07</revised>
<bug>908245</bug>
<bug>914073</bug>
<bug>918433</bug>
<bug>920507</bug>
<access>remote</access>
<affected>
<package name="www-client/firefox" auto="yes" arch="*">
<unaffected range="ge" slot="rapid">121.0</unaffected>
<unaffected range="ge" slot="esr">115.6.0</unaffected>
<vulnerable range="lt" slot="rapid">121.0</vulnerable>
<vulnerable range="lt" slot="esr">115.6.0</vulnerable>
</package>
<package name="www-client/firefox-bin" auto="yes" arch="*">
<unaffected range="ge" slot="rapid">121.0</unaffected>
<unaffected range="ge" slot="esr">115.6.0</unaffected>
<vulnerable range="lt" slot="rapid">121.0</vulnerable>
<vulnerable range="lt" slot="esr">115.6.0</vulnerable>
</package>
</affected>
<background>
<p>Mozilla Firefox is a popular open-source web browser from the Mozilla project.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Mozilla Firefox. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="high">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Mozilla Firefox ESR binary users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/firefox-bin-115.6.0:esr"
</code>
<p>All Mozilla Firefox ESR users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/firefox-115.6.0:esr"
</code>
<p>All Mozilla Firefox binary users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/firefox-bin-121.0:rapid"
</code>
<p>All Mozilla Firefox users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/firefox-121.0:rapid"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-3482">CVE-2023-3482</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4058">CVE-2023-4058</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4579">CVE-2023-4579</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4863">CVE-2023-4863</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5129">CVE-2023-5129</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5170">CVE-2023-5170</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5172">CVE-2023-5172</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5173">CVE-2023-5173</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5175">CVE-2023-5175</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5722">CVE-2023-5722</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5723">CVE-2023-5723</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5729">CVE-2023-5729</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5731">CVE-2023-5731</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5758">CVE-2023-5758</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6135">CVE-2023-6135</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6210">CVE-2023-6210</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6211">CVE-2023-6211</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6213">CVE-2023-6213</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6856">CVE-2023-6856</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6857">CVE-2023-6857</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6858">CVE-2023-6858</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6859">CVE-2023-6859</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6860">CVE-2023-6860</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6861">CVE-2023-6861</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6862">CVE-2023-6862</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6863">CVE-2023-6863</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6864">CVE-2023-6864</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6865">CVE-2023-6865</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6866">CVE-2023-6866</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6867">CVE-2023-6867</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6868">CVE-2023-6868</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6869">CVE-2023-6869</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6870">CVE-2023-6870</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6871">CVE-2023-6871</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6872">CVE-2023-6872</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6873">CVE-2023-6873</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-32205">CVE-2023-32205</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-32206">CVE-2023-32206</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-32207">CVE-2023-32207</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-32208">CVE-2023-32208</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-32209">CVE-2023-32209</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-32210">CVE-2023-32210</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-32211">CVE-2023-32211</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-32212">CVE-2023-32212</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-32213">CVE-2023-32213</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-32214">CVE-2023-32214</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-32215">CVE-2023-32215</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-32216">CVE-2023-32216</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-34414">CVE-2023-34414</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-34415">CVE-2023-34415</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-34416">CVE-2023-34416</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-34417">CVE-2023-34417</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-37203">CVE-2023-37203</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-37204">CVE-2023-37204</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-37205">CVE-2023-37205</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-37206">CVE-2023-37206</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-37209">CVE-2023-37209</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-37210">CVE-2023-37210</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-37212">CVE-2023-37212</uri>
<uri>MFSA-2023-40</uri>
<uri>MFSA-TMP-2023-0002</uri>
</references>
<metadata tag="requester" timestamp="2024-01-07T09:38:31.185976Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-01-07T09:38:31.188129Z">graaff</metadata>
</glsa>


@ -0,0 +1,53 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202401-11">
<title>Apache Batik: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Apache Batik, the worst of which could result in arbitrary code execution.</synopsis>
<product type="ebuild">batik</product>
<announced>2024-01-07</announced>
<revised count="1">2024-01-07</revised>
<bug>724534</bug>
<bug>872689</bug>
<bug>918088</bug>
<access>remote</access>
<affected>
<package name="dev-java/batik" auto="yes" arch="*">
<unaffected range="ge">1.17</unaffected>
<vulnerable range="lt">1.17</vulnerable>
</package>
</affected>
<background>
<p>Apache Batik is a Java-based toolkit for applications or applets that want to use images in the Scalable Vector Graphics (SVG) format for various purposes, such as display, generation or manipulation.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Apache Batik. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="normal">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Apache Batik users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-java/batik-1.17"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-8013">CVE-2018-8013</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-17566">CVE-2019-17566</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-11987">CVE-2020-11987</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-38398">CVE-2022-38398</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-38648">CVE-2022-38648</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-40146">CVE-2022-40146</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-41704">CVE-2022-41704</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-42890">CVE-2022-42890</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-44729">CVE-2022-44729</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-44730">CVE-2022-44730</uri>
</references>
<metadata tag="requester" timestamp="2024-01-07T10:19:19.481297Z">ajak</metadata>
<metadata tag="submitter" timestamp="2024-01-07T10:19:19.484005Z">graaff</metadata>
</glsa>


@ -0,0 +1,46 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202401-12">
<title>Synapse: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilites have been found in Synapse, the worst of which could result in information leaks.</synopsis>
<product type="ebuild">synapse</product>
<announced>2024-01-07</announced>
<revised count="1">2024-01-07</revised>
<bug>914765</bug>
<bug>916609</bug>
<access>remote</access>
<affected>
<package name="net-im/synapse" auto="yes" arch="*">
<unaffected range="ge">1.96.0</unaffected>
<vulnerable range="lt">1.96.0</vulnerable>
</package>
</affected>
<background>
<p>Synapse is a Matrix homeserver written in Python/Twisted.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Synapse. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="low">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Synapse users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-im/synapse-1.96.0"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-41335">CVE-2023-41335</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-42453">CVE-2023-42453</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-43796">CVE-2023-43796</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-45129">CVE-2023-45129</uri>
</references>
<metadata tag="requester" timestamp="2024-01-07T10:31:28.910221Z">ajak</metadata>
<metadata tag="submitter" timestamp="2024-01-07T10:31:28.912325Z">graaff</metadata>
</glsa>


@ -0,0 +1,43 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202401-13">
<title>FAAD2: Multiple Vulnerabilities</title>
<synopsis>Multiple denial of service vulnerabilities have been found in FAAD2.</synopsis>
<product type="ebuild">faad2</product>
<announced>2024-01-10</announced>
<revised count="1">2024-01-10</revised>
<bug>918558</bug>
<access>remote</access>
<affected>
<package name="media-libs/faad2" auto="yes" arch="*">
<unaffected range="ge">2.11.0</unaffected>
<vulnerable range="lt">2.11.0</vulnerable>
</package>
</affected>
<background>
<p>FAAD2 is an open source MPEG-4 and MPEG-2 AAC decoder.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in FAAD2. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="low">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All FAAD2 users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/faad2-2.11.0"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-38857">CVE-2023-38857</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-38858">CVE-2023-38858</uri>
</references>
<metadata tag="requester" timestamp="2024-01-10T11:43:50.951508Z">ajak</metadata>
<metadata tag="submitter" timestamp="2024-01-10T11:43:50.953718Z">graaff</metadata>
</glsa>


@ -0,0 +1,42 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202401-14">
<title>RedCloth: ReDoS Vulnerability</title>
<synopsis>A denial of service vulnerability has been found in RedCloth.</synopsis>
<product type="ebuild">redcloth</product>
<announced>2024-01-10</announced>
<revised count="1">2024-01-10</revised>
<bug>908035</bug>
<access>remote</access>
<affected>
<package name="dev-ruby/redcloth" auto="yes" arch="*">
<unaffected range="ge">4.3.2-r5</unaffected>
<vulnerable range="lt">4.3.2-r5</vulnerable>
</package>
</affected>
<background>
<p>RedCloth is a module for using Textile in Ruby</p>
</background>
<description>
<p>A vulnerability has been discovered in RedCloth. Please review the CVE identifier referenced below for details.</p>
</description>
<impact type="low">
<p>RedCloth is vulnerable to a regular expression denial of service (&#34;ReDoS&#34;) attack via the sanitize_html function.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All RedCloth users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-ruby/redcloth-4.3.2-r5"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-31606">CVE-2023-31606</uri>
</references>
<metadata tag="requester" timestamp="2024-01-10T13:10:26.781895Z">ajak</metadata>
<metadata tag="submitter" timestamp="2024-01-10T13:10:26.785113Z">graaff</metadata>
</glsa>


@ -0,0 +1,42 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202401-15">
<title>Prometheus SNMP Exporter: Basic Authentication Bypass</title>
<synopsis>A vulnerability has been found in Prometheus SNMP Exporter which could allow for authentication bypass.</synopsis>
<product type="ebuild">snmp_exporter</product>
<announced>2024-01-12</announced>
<revised count="1">2024-01-12</revised>
<bug>883649</bug>
<access>remote</access>
<affected>
<package name="app-metrics/snmp_exporter" auto="yes" arch="*">
<unaffected range="ge">0.24.1</unaffected>
<vulnerable range="lt">0.24.1</vulnerable>
</package>
</affected>
<background>
<p>The Prometheus SNMP Exporter is the recommended way to expose SNMP data in a format which Prometheus can ingest.</p>
</background>
<description>
<p>A vulnerability has been discovered in Prometheus SNMP Exporter. Please review the CVE identifier referenced below for details.</p>
</description>
<impact type="low">
<p>A user who knows the password hash of a user capable of performing HTTP basic authentication with a vulnerable exporter can use the hash to successfully authenticate as that user via cache manipulation, without knowing the password from which the hash was derived.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Prometheus SNMP Exporter users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-metrics/snmp_exporter-0.24.1"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-46146">CVE-2022-46146</uri>
</references>
<metadata tag="requester" timestamp="2024-01-12T10:52:37.002879Z">ajak</metadata>
<metadata tag="submitter" timestamp="2024-01-12T10:52:37.005288Z">graaff</metadata>
</glsa>


@ -0,0 +1,66 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202401-16">
<title>FreeRDP: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in FreeRDP, the worst of which could result in code execution.</synopsis>
<product type="ebuild">freerdp</product>
<announced>2024-01-12</announced>
<revised count="1">2024-01-12</revised>
<bug>881525</bug>
<bug>918546</bug>
<access>remote</access>
<affected>
<package name="net-misc/freerdp" auto="yes" arch="*">
<unaffected range="ge">2.11.0</unaffected>
<vulnerable range="lt">2.11.0</vulnerable>
</package>
</affected>
<background>
<p>FreeRDP is a free implementation of the remote desktop protocol.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in FreeRDP. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="normal">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All FreeRDP users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/freerdp-2.11.0"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-39316">CVE-2022-39316</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-39317">CVE-2022-39317</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-39318">CVE-2022-39318</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-39319">CVE-2022-39319</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-39320">CVE-2022-39320</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-39347">CVE-2022-39347</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-41877">CVE-2022-41877</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-39350">CVE-2023-39350</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-39351">CVE-2023-39351</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-39352">CVE-2023-39352</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-39353">CVE-2023-39353</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-39354">CVE-2023-39354</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-39355">CVE-2023-39355</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-39356">CVE-2023-39356</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-40181">CVE-2023-40181</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-40186">CVE-2023-40186</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-40187">CVE-2023-40187</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-40188">CVE-2023-40188</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-40567">CVE-2023-40567</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-40569">CVE-2023-40569</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-40574">CVE-2023-40574</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-40575">CVE-2023-40575</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-40576">CVE-2023-40576</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-40589">CVE-2023-40589</uri>
</references>
<metadata tag="requester" timestamp="2024-01-12T11:46:37.421757Z">ajak</metadata>
<metadata tag="submitter" timestamp="2024-01-12T11:46:37.424087Z">graaff</metadata>
</glsa>


@ -0,0 +1,42 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202401-17">
<title>libgit2: Privilege Escalation Vulnerability</title>
<synopsis>A vulnerability has been found in libgit2 which could result in privilege escalation.</synopsis>
<product type="ebuild">libgit2</product>
<announced>2024-01-14</announced>
<revised count="1">2024-01-14</revised>
<bug>857792</bug>
<access>local</access>
<affected>
<package name="dev-libs/libgit2" auto="yes" arch="*">
<unaffected range="ge">1.4.4</unaffected>
<vulnerable range="lt">1.4.4</vulnerable>
</package>
</affected>
<background>
<p>libgit2 is a portable, pure C implementation of the Git core methods provided as a re-entrant linkable library with a solid API.</p>
</background>
<description>
<p>A vulnerability has been discovered in libgit2. Please review the CVE identifier referenced below for details.</p>
</description>
<impact type="normal">
<p>Usages of a malicious crafted Git repository could allow the creator of the repository to elevate privileges to those of the user accessing the repository.</p>
</impact>
<workaround>
<p>Administrators can ensure that their usages of libgit2 only interact with repositories which have only been modified by trusted users.</p>
</workaround>
<resolution>
<p>All libgit2 users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/libgit2-1.4.4"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-29187">CVE-2022-29187</uri>
</references>
<metadata tag="requester" timestamp="2024-01-14T09:13:55.679015Z">ajak</metadata>
<metadata tag="submitter" timestamp="2024-01-14T09:13:55.681859Z">graaff</metadata>
</glsa>


@ -0,0 +1,42 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202401-18">
<title>zlib: Buffer Overflow</title>
<synopsis>A vulnerability has been found in zlib that can lead to a heap-based buffer overflow.</synopsis>
<product type="ebuild">zlib</product>
<announced>2024-01-15</announced>
<revised count="1">2024-01-15</revised>
<bug>916484</bug>
<access>remote</access>
<affected>
<package name="sys-libs/zlib" auto="yes" arch="*">
<unaffected range="ge">1.2.13-r2</unaffected>
<vulnerable range="lt">1.2.13-r2</vulnerable>
</package>
</affected>
<background>
<p>zlib is a widely used free and patent unencumbered data compression library.</p>
</background>
<description>
<p>A vulnerability has been discovered in zlib. Please review the CVE identifier referenced below for details.</p>
</description>
<impact type="high">
<p>MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in ZipOpenNewFileInZip4_64 via a long filename, comment, or extra field.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All zlib users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-libs/zlib-1.2.13-r2"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-45853">CVE-2023-45853</uri>
</references>
<metadata tag="requester" timestamp="2024-01-15T12:02:56.466413Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-01-15T12:02:56.468710Z">graaff</metadata>
</glsa>
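Review bot: The impact text says the flaw affects "zlib through 1.3" while `<unaffected range="ge">` is `1.2.13-r2`, and nothing in the advisory explains that the fix arrives with the ebuild revision rather than with a newer upstream release (presumably as a backported patch). A scanner that matches on the upstream version string will keep flagging a patched 1.2.13-r2 host, so `<description>` should say so, for example `<p>The fix is carried by the 1.2.13-r2 revision of the ebuild.</p>` once that is confirmed. The impact text also places the overflow in MiniZip, so the description could state that exposure depends on that component being built and used.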


@ -0,0 +1,53 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202401-19">
<title>Opera: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Opera, the worst of which can lead to remote code execution.</synopsis>
<product type="ebuild">opera,opera-beta</product>
<announced>2024-01-15</announced>
<revised count="1">2024-01-15</revised>
<bug>750929</bug>
<access>remote</access>
<affected>
<package name="www-client/opera" auto="yes" arch="*">
<unaffected range="ge">73.0.3856.284</unaffected>
<vulnerable range="lt">73.0.3856.284</vulnerable>
</package>
<package name="www-client/opera-beta" auto="yes" arch="*">
<unaffected range="ge">73.0.3856.284</unaffected>
<vulnerable range="lt">73.0.3856.284</vulnerable>
</package>
</affected>
<background>
<p>Opera is a fast web browser that is available free of charge.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Opera. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="normal">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Opera users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/opera-73.0.3856.284"
</code>
<p>All Opera users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/opera-beta-73.0.3856.284"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-15999">CVE-2020-15999</uri>
</references>
<metadata tag="requester" timestamp="2024-01-15T12:40:03.932610Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-01-15T12:40:03.934835Z">graaff</metadata>
</glsa>
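Review bot: The second paragraph in `<resolution>` repeats `All Opera users should upgrade to the latest version:` although the command under it installs `www-client/opera-beta`, so the two steps read as duplicates. It should read `<p>All Opera Beta users should upgrade to the latest version:</p>`. The title and synopsis also announce multiple vulnerabilities while `<references>` lists only CVE-2020-15999, so either the wording or the reference list is incomplete.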


@ -0,0 +1,42 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202401-20">
<title>QPDF: Buffer Overflow</title>
<synopsis>A vulnerability has been found in QPDF which can lead to a heap-based buffer overflow.</synopsis>
<product type="ebuild">qpdf</product>
<announced>2024-01-15</announced>
<revised count="1">2024-01-15</revised>
<bug>803110</bug>
<access>remote</access>
<affected>
<package name="app-text/qpdf" auto="yes" arch="*">
<unaffected range="ge">10.1.0</unaffected>
<vulnerable range="lt">10.1.0</vulnerable>
</package>
</affected>
<background>
<p>QPDF: A content-preserving PDF document transformer.</p>
</background>
<description>
<p>A vulnerability has been discovered in QPDF. Please review the CVE identifier referenced below for details.</p>
</description>
<impact type="normal">
<p>QPDF has a heap-based buffer overflow in Pl_ASCII85Decoder::write (called from Pl_AES_PDF::flush and Pl_AES_PDF::finish) when a certain downstream write fails.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All QPDF users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/qpdf-10.1.0"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-36978">CVE-2021-36978</uri>
</references>
<metadata tag="requester" timestamp="2024-01-15T13:05:16.102082Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-01-15T13:05:16.105037Z">graaff</metadata>
</glsa>


@ -0,0 +1,42 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202401-21">
<title>KTextEditor: Arbitrary Local Code Execution</title>
<synopsis>A vulnerability has been found in KTextEditor where local code can be executed without user interaction.</synopsis>
<product type="ebuild">ktexteditor</product>
<announced>2024-01-15</announced>
<revised count="1">2024-01-15</revised>
<bug>832447</bug>
<access>remote</access>
<affected>
<package name="kde-frameworks/ktexteditor" auto="yes" arch="*">
<unaffected range="ge">5.90.0-r2</unaffected>
<vulnerable range="lt">5.90.0-r2</vulnerable>
</package>
</affected>
<background>
<p>Framework providing a full text editor component for KDE.</p>
</background>
<description>
<p>A vulnerability has been discovered in KTextEditor. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="normal">
<p>KTextEditor executes binaries without user interaction in a few cases, e.g. KTextEditor will try to check on external file modification via invoking the &#34;git&#34; binary if the file is known in the repository with the new content.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All KTextEditor users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=kde-frameworks/ktexteditor-5.90.0-r2"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-23853">CVE-2022-23853</uri>
</references>
<metadata tag="requester" timestamp="2024-01-15T15:42:22.100996Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-01-15T15:42:22.106940Z">graaff</metadata>
</glsa>
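Review bot: The title and synopsis describe local code execution, but `<access>` is `remote`, and the impact text does not say how a remote party would influence which binary KTextEditor runs. Either set `<access>local</access>` or add a sentence to `<impact>` stating the condition under which untrusted content leads to the execution. The description also says "CVE identifiers" while `<references>` holds a single entry; `Please review the CVE identifier referenced below for details.` would match.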


@ -0,0 +1,44 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202401-22">
<title>libspf2: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in libspf2, the worst of which can lead to remote code execution.</synopsis>
<product type="ebuild">libspf2</product>
<announced>2024-01-15</announced>
<revised count="1">2024-01-15</revised>
<bug>807739</bug>
<access>remote</access>
<affected>
<package name="mail-filter/libspf2" auto="yes" arch="*">
<unaffected range="ge">1.2.11</unaffected>
<vulnerable range="lt">1.2.11</vulnerable>
</package>
</affected>
<background>
<p>libspf2 is a library that implements the Sender Policy Framework, allowing mail transfer agents to make sure that an email is authorized by the domain name that it is coming from.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in libspf2. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="normal">
<p>Various buffer overflows have been identified that can lead to denial of service and possibly arbitrary code execution.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All libspf2 users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=mail-filter/libspf2-1.2.11"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-20314">CVE-2021-20314</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-33912">CVE-2021-33912</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-33913">CVE-2021-33913</uri>
</references>
<metadata tag="requester" timestamp="2024-01-15T15:55:54.972939Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-01-15T15:55:54.975403Z">graaff</metadata>
</glsa>


@ -0,0 +1,42 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202401-23">
<title>libuv: Buffer Overread</title>
<synopsis>A buffer overread vulnerability has been found in libuv.</synopsis>
<product type="ebuild">libuv</product>
<announced>2024-01-16</announced>
<revised count="1">2024-01-16</revised>
<bug>800986</bug>
<access>remote</access>
<affected>
<package name="dev-libs/libuv" auto="yes" arch="*">
<unaffected range="ge">1.41.1</unaffected>
<vulnerable range="lt">1.41.1</vulnerable>
</package>
</affected>
<background>
<p>libuv is a multi-platform support library with a focus on asynchronous I/O.</p>
</background>
<description>
<p>libuv fails to ensure that a pointer lies within the bounds of a defined buffer in the uv__idna_toascii() function before reading and manipulating the memory at that address.</p>
</description>
<impact type="low">
<p>The overread can result in information disclosure or application crash.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All libuv users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/libuv-1.41.1"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-22918">CVE-2021-22918</uri>
</references>
<metadata tag="requester" timestamp="2024-01-16T12:19:14.656272Z">ajak</metadata>
<metadata tag="submitter" timestamp="2024-01-16T12:19:14.662177Z">graaff</metadata>
</glsa>


@ -0,0 +1,44 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202401-24">
<title>Nettle: Denial of Service</title>
<synopsis>Multiple denial of service vulnerabilities have been discovered in Nettle.</synopsis>
<product type="ebuild">nettle</product>
<announced>2024-01-16</announced>
<revised count="1">2024-01-16</revised>
<bug>806839</bug>
<bug>907673</bug>
<access>remote</access>
<affected>
<package name="dev-libs/nettle" auto="yes" arch="*">
<unaffected range="ge">3.9.1</unaffected>
<vulnerable range="lt">3.9.1</vulnerable>
</package>
</affected>
<background>
<p>Nettle is a cryptographic library that is designed to fit easily in almost any context: In cryptographic toolkits for object-oriented languages, such as C++, Python, or Pike, in applications like lsh or GnuPG, or even in kernel space.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Nettle. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="normal">
<p>A flaw was found in the way nettle&#39;s RSA decryption functions handled specially crafted ciphertext. An attacker could use this flaw to provide a manipulated ciphertext leading to application crash and denial of service.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Nettle users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/nettle-3.9.1"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-3580">CVE-2021-3580</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-36660">CVE-2023-36660</uri>
</references>
<metadata tag="requester" timestamp="2024-01-16T13:42:42.515739Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-01-16T13:42:42.518143Z">graaff</metadata>
</glsa>


@ -0,0 +1,99 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202401-25">
<title>OpenJDK: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in OpenJDK, the worst of which can lead to remote code execution.</synopsis>
<product type="ebuild">openjdk,openjdk-bin,openjdk-jre-bin</product>
<announced>2024-01-17</announced>
<revised count="1">2024-01-17</revised>
<bug>859376</bug>
<bug>859400</bug>
<bug>877597</bug>
<bug>891323</bug>
<bug>908243</bug>
<access>remote</access>
<affected>
<package name="dev-java/openjdk" auto="yes" arch="*">
<unaffected range="ge" slot="8">8.372_p07</unaffected>
<unaffected range="ge" slot="11">11.0.19_p7</unaffected>
<unaffected range="ge" slot="17">17.0.7_p7</unaffected>
<vulnerable range="lt" slot="8">8.372_p07</vulnerable>
<vulnerable range="lt" slot="11">11.0.19_p7</vulnerable>
<vulnerable range="lt" slot="17">17.0.7_p7</vulnerable>
</package>
<package name="dev-java/openjdk-bin" auto="yes" arch="*">
<unaffected range="ge" slot="8">8.372_p07</unaffected>
<unaffected range="ge" slot="11">11.0.19_p7</unaffected>
<unaffected range="ge" slot="17">17.0.7_p7</unaffected>
<vulnerable range="lt" slot="8">8.372_p07</vulnerable>
<vulnerable range="lt" slot="11">11.0.19_p7</vulnerable>
<vulnerable range="lt" slot="17">17.0.7_p7</vulnerable>
</package>
<package name="dev-java/openjdk-jre-bin" auto="yes" arch="*">
<unaffected range="ge" slot="8">8.372_p07</unaffected>
<unaffected range="ge" slot="11">11.0.19_p7</unaffected>
<unaffected range="ge" slot="17">17.0.7_p7</unaffected>
<vulnerable range="lt" slot="8">8.372_p07</vulnerable>
<vulnerable range="lt" slot="11">11.0.19_p7</vulnerable>
<vulnerable range="lt" slot="17">17.0.7_p7</vulnerable>
</package>
</affected>
<background>
<p>OpenJDK is an open source implementation of the Java programming language.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in OpenJDK. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="normal">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All OpenJDK users should upgrade to the latest versions:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-java/openjdk-8.372_p07"
# emerge --ask --oneshot --verbose ">=dev-java/openjdk-11.0.19_p7"
# emerge --ask --oneshot --verbose ">=dev-java/openjdk-17.0.7_p7"
</code>
<p>All OpenJDK JRE binary users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-java/openjdk-jre-bin-8.372_p07"
# emerge --ask --oneshot --verbose ">=dev-java/openjdk-jre-bin-11.0.19_p7"
# emerge --ask --oneshot --verbose ">=dev-java/openjdk-jre-bin-17.0.7_p7"
</code>
<p>All OpenJDK binary users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-java/openjdk-bin-8.372_p07"
# emerge --ask --oneshot --verbose ">=dev-java/openjdk-bin-11.0.19_p7"
# emerge --ask --oneshot --verbose ">=dev-java/openjdk-bin-17.0.7_p7"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-21540">CVE-2022-21540</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-21541">CVE-2022-21541</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-21549">CVE-2022-21549</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-21618">CVE-2022-21618</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-21619">CVE-2022-21619</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-21624">CVE-2022-21624</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-21626">CVE-2022-21626</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-21628">CVE-2022-21628</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-34169">CVE-2022-34169</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-39399">CVE-2022-39399</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-42920">CVE-2022-42920</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-21830">CVE-2023-21830</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-21835">CVE-2023-21835</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-21843">CVE-2023-21843</uri>
</references>
<metadata tag="requester" timestamp="2024-01-17T13:45:06.792804Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-01-17T13:45:06.795516Z">graaff</metadata>
</glsa>


@ -0,0 +1,42 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202401-26">
<title>Apache XML-RPC: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Apache XML-RPC, the worst of which could result in arbitrary code execution.</synopsis>
<product type="ebuild">xmlrpc</product>
<announced>2024-01-22</announced>
<revised count="1">2024-01-22</revised>
<bug>713098</bug>
<access>remote</access>
<affected>
<package name="dev-java/xmlrpc" auto="yes" arch="*">
<vulnerable range="le">3.1.3</vulnerable>
</package>
</affected>
<background>
<p>Apache XML-RPC (previously known as Helma XML-RPC) is a Java implementation of XML-RPC, a popular protocol that uses XML over HTTP to implement remote procedure calls.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Apache XML-RPC. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="normal">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>Gentoo has discontinued support for Apache XML-RPC. We recommend that users unmerge it:</p>
<code>
# emerge --ask --depclean "dev-java/xmlrpc"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2016-5002">CVE-2016-5002</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2016-5003">CVE-2016-5003</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-17570">CVE-2019-17570</uri>
</references>
<metadata tag="requester" timestamp="2024-01-22T14:37:11.898800Z">ajak</metadata>
<metadata tag="submitter" timestamp="2024-01-22T14:37:11.903161Z">graaff</metadata>
</glsa>


@ -0,0 +1,65 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202401-27">
<title>Ruby: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in Ruby, the worst of which could lead to execution of arbitrary code.</synopsis>
<product type="ebuild">ruby</product>
<announced>2024-01-24</announced>
<revised count="1">2024-01-24</revised>
<bug>747007</bug>
<bug>801061</bug>
<bug>827251</bug>
<bug>838073</bug>
<bug>882893</bug>
<bug>903630</bug>
<access>local and remote</access>
<affected>
<package name="dev-lang/ruby" auto="yes" arch="*">
<unaffected range="ge" slot="3.1">3.1.4</unaffected>
<unaffected range="ge" slot="3.2">3.2.2</unaffected>
<vulnerable range="lt" slot="2.5">2.5.9</vulnerable>
<vulnerable range="lt" slot="2.6">2.6.10</vulnerable>
<vulnerable range="lt" slot="2.7">2.7.8</vulnerable>
<vulnerable range="lt" slot="3.0">3.0.6</vulnerable>
<vulnerable range="lt" slot="3.1">3.1.4</vulnerable>
<vulnerable range="lt" slot="3.2">3.2.2</vulnerable>
</package>
</affected>
<background>
<p>Ruby is an interpreted scripting language for quick and easy object-oriented programming. It comes bundled with a HTTP server (&#34;WEBrick&#34;).</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Ruby. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="normal">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Ruby users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --depclean ruby:2.5 ruby:2.6 ruby:2.7 ruby:3.0
# emerge --ask --oneshot --verbose ">=dev-lang/ruby-3.1.4:3.1"
# emerge --ask --oneshot --verbose ">=dev-lang/ruby-3.2.2:3.2"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-25613">CVE-2020-25613</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-31810">CVE-2021-31810</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-32066">CVE-2021-32066</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-33621">CVE-2021-33621</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-41816">CVE-2021-41816</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-41817">CVE-2021-41817</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-41819">CVE-2021-41819</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-28738">CVE-2022-28738</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-28739">CVE-2022-28739</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-28755">CVE-2023-28755</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-28756">CVE-2023-28756</uri>
</references>
<metadata tag="requester" timestamp="2024-01-24T04:04:06.335865Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-01-24T04:04:06.338696Z">ajak</metadata>
</glsa>
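Review bot: Slots 2.5, 2.6, 2.7 and 3.0 carry `<vulnerable range="lt">` entries capped at 2.5.9, 2.6.10, 2.7.8 and 3.0.6 with no matching `<unaffected>` entry, while the resolution tells users to depclean those slots outright. As written, a host with for example ruby 2.7.8 in slot 2.7 falls outside the vulnerable range even though the advisory treats the whole slot as something to remove. If removal is intended, the ranges should cover every version in those slots; otherwise the resolution should offer the in-slot upgrade instead of `--depclean`.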


@ -0,0 +1,42 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202401-28">
<title>GOCR: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in GOCR, the worst of which could lead to arbitrary code execution.</synopsis>
<product type="ebuild">gocr</product>
<announced>2024-01-24</announced>
<revised count="1">2024-01-24</revised>
<bug>824290</bug>
<access>remote</access>
<affected>
<package name="app-text/gocr" auto="yes" arch="*">
<vulnerable range="le">0.52-r1</vulnerable>
</package>
</affected>
<background>
<p>GOCR is an OCR (Optical Character Recognition) program, developed under the GNU Public License. It converts scanned images of text back to text files.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in GOCR. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="high">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>Gentoo has discontinued support for GOCR. We recommend that users unmerge it:</p>
<code>
# emerge --ask --depclean "app-text/gocr"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-33479">CVE-2021-33479</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-33480">CVE-2021-33480</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-33481">CVE-2021-33481</uri>
</references>
<metadata tag="requester" timestamp="2024-01-24T04:04:56.645847Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-01-24T04:04:56.650159Z">ajak</metadata>
</glsa>


@ -0,0 +1,42 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202401-29">
<title>sudo: Memory Manipulation</title>
<synopsis>A vulnerability has been discovered in sudo which can lead to execution manipulation through rowhammer-style memory manipulation.</synopsis>
<product type="ebuild">sudo</product>
<announced>2024-01-24</announced>
<revised count="1">2024-01-24</revised>
<bug>920510</bug>
<access>remote</access>
<affected>
<package name="app-admin/sudo" auto="yes" arch="*">
<unaffected range="ge">1.9.15_p2</unaffected>
<vulnerable range="lt">1.9.15_p2</vulnerable>
</package>
</affected>
<background>
<p>sudo allows a system administrator to give users the ability to run commands as other users.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in sudo. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="high">
<p>Stack/register variables can be flipped via fault injection, affecting execution flow in security-sensitive code.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All sudo users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-admin/sudo-1.9.15_p2"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-42465">CVE-2023-42465</uri>
</references>
<metadata tag="requester" timestamp="2024-01-24T04:05:24.519163Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-01-24T04:05:24.521789Z">ajak</metadata>
</glsa>


@ -0,0 +1,64 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202401-30">
<title>X.Org X Server, XWayland: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in the Xorg Server and XWayland, the worst of which can result in privilege escalation or remote code execution.</synopsis>
<product type="ebuild">xorg-server,xwayland</product>
<announced>2024-01-31</announced>
<revised count="1">2024-01-31</revised>
<bug>916254</bug>
<bug>919803</bug>
<bug>922395</bug>
<access>remote</access>
<affected>
<package name="x11-base/xorg-server" auto="yes" arch="*">
<unaffected range="ge">21.1.11</unaffected>
<vulnerable range="lt">21.1.11</vulnerable>
</package>
<package name="x11-base/xwayland" auto="yes" arch="*">
<unaffected range="ge">23.2.4</unaffected>
<vulnerable range="lt">23.2.4</vulnerable>
</package>
</affected>
<background>
<p>The X Window System is a graphical windowing system based on a client/server model.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in X.Org X Server and XWayland. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="normal">
<p>The X server can be crashed by a malicious client, or potentially be compromised for remote code execution in environments with X11 forwarding.</p>
</impact>
<workaround>
<p>Users can ensure no untrusted clients can access the running X implementation.</p>
</workaround>
<resolution>
<p>All X.Org X Server users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=x11-base/xorg-server-21.1.11"
</code>
<p>All XWayland users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=x11-base/xwayland-23.2.4"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5367">CVE-2023-5367</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5380">CVE-2023-5380</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6377">CVE-2023-6377</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6478">CVE-2023-6478</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6816">CVE-2023-6816</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0229">CVE-2024-0229</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0408">CVE-2024-0408</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0409">CVE-2024-0409</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-21885">CVE-2024-21885</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-21886">CVE-2024-21886</uri>
</references>
<metadata tag="requester" timestamp="2024-01-31T11:33:19.783411Z">ajak</metadata>
<metadata tag="submitter" timestamp="2024-01-31T11:33:19.787307Z">graaff</metadata>
</glsa>


@ -0,0 +1,52 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202401-31">
<title>containerd: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in containerd, the worst of which could result in privilege escalation.</synopsis>
<product type="ebuild">containerd</product>
<announced>2024-01-31</announced>
<revised count="1">2024-01-31</revised>
<bug>802948</bug>
<bug>816315</bug>
<bug>834689</bug>
<bug>835917</bug>
<bug>850124</bug>
<bug>884803</bug>
<access>remote</access>
<affected>
<package name="app-containers/containerd" auto="yes" arch="*">
<unaffected range="ge">1.6.14</unaffected>
<vulnerable range="lt">1.6.14</vulnerable>
</package>
</affected>
<background>
<p>containerd is a daemon with an API and a command line client, to manage containers on one machine. It uses runC to run containers according to the OCI specification.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in containerd. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="normal">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All containerd users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-containers/containerd-1.6.14"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-32760">CVE-2021-32760</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-41103">CVE-2021-41103</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-23471">CVE-2022-23471</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-23648">CVE-2022-23648</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-24769">CVE-2022-24769</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-31030">CVE-2022-31030</uri>
</references>
<metadata tag="requester" timestamp="2024-01-31T12:30:06.354455Z">ajak</metadata>
<metadata tag="submitter" timestamp="2024-01-31T12:30:06.357060Z">graaff</metadata>
</glsa>


@ -0,0 +1,52 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202401-32">
<title>libaom: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in libaom, the worst of which can lead to remote code execution.</synopsis>
<product type="ebuild">libaom</product>
<announced>2024-01-31</announced>
<revised count="1">2024-01-31</revised>
<bug>793932</bug>
<bug>798126</bug>
<bug>828112</bug>
<access>local and remote</access>
<affected>
<package name="media-libs/libaom" auto="yes" arch="*">
<unaffected range="ge">3.2.0</unaffected>
<vulnerable range="lt">3.2.0</vulnerable>
</package>
</affected>
<background>
<p>libaom is the Alliance for Open Media&#39;s AV1 Codec SDK.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in libaom. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="normal">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All libaom users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/libaom-3.2.0"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-36129">CVE-2020-36129</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-36130">CVE-2020-36130</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-36131">CVE-2020-36131</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-36133">CVE-2020-36133</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-36134">CVE-2020-36134</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-36135">CVE-2020-36135</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-30473">CVE-2021-30473</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-30474">CVE-2021-30474</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-30475">CVE-2021-30475</uri>
</references>
<metadata tag="requester" timestamp="2024-01-31T13:58:08.024856Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-01-31T13:58:08.028645Z">graaff</metadata>
</glsa>


@ -0,0 +1,57 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202401-33">
<title>WebKitGTK+: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in WebKitGTK+, the worst of which may lead to remote code execution.</synopsis>
<product type="ebuild">webkit-gtk</product>
<announced>2024-01-31</announced>
<revised count="1">2024-01-31</revised>
<bug>915222</bug>
<bug>918667</bug>
<access>remote</access>
<affected>
<package name="net-libs/webkit-gtk" auto="yes" arch="*">
<unaffected range="ge" slot="4">2.42.2</unaffected>
<unaffected range="ge" slot="4.1">2.42.2</unaffected>
<unaffected range="ge" slot="6">2.42.2</unaffected>
<vulnerable range="lt" slot="4">2.42.2</vulnerable>
<vulnerable range="lt" slot="4.1">2.42.2</vulnerable>
<vulnerable range="lt" slot="6">2.42.2</vulnerable>
</package>
</affected>
<background>
<p>WebKitGTK+ is a full-featured port of the WebKit rendering engine, suitable for projects requiring any kind of web integration, from hybrid HTML/CSS applications to full-fledged web browsers.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in WebKitGTK+. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="high">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All WebKitGTK+ users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-2.42.2"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-32359">CVE-2023-32359</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-35074">CVE-2023-35074</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-39434">CVE-2023-39434</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-39928">CVE-2023-39928</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-40451">CVE-2023-40451</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-41074">CVE-2023-41074</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-41983">CVE-2023-41983</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-41993">CVE-2023-41993</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-42852">CVE-2023-42852</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-42890">CVE-2023-42890</uri>
<uri link="https://webkitgtk.org/security/WSA-2023-0009.html">WSA-2023-0009</uri>
</references>
<metadata tag="requester" timestamp="2024-01-31T14:29:39.449978Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-01-31T14:29:39.452391Z">graaff</metadata>
</glsa>


@ -0,0 +1,229 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202401-34">
<title>Chromium, Google Chrome, Microsoft Edge: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in Chromium and its derivatives, the worst of which can lead to remote code execution.</synopsis>
<product type="ebuild">chromium,google-chrome,microsoft-edge</product>
<announced>2024-01-31</announced>
<revised count="1">2024-01-31</revised>
<bug>907999</bug>
<bug>908471</bug>
<bug>909283</bug>
<bug>910522</bug>
<bug>911675</bug>
<bug>912364</bug>
<bug>913016</bug>
<bug>913710</bug>
<bug>914350</bug>
<bug>914871</bug>
<bug>915137</bug>
<bug>915560</bug>
<bug>915961</bug>
<bug>916252</bug>
<bug>916620</bug>
<bug>917021</bug>
<bug>917357</bug>
<bug>918882</bug>
<bug>919321</bug>
<bug>919802</bug>
<bug>920442</bug>
<bug>921337</bug>
<access>remote</access>
<affected>
<package name="www-client/chromium" auto="yes" arch="*">
<unaffected range="ge">120.0.6099.109</unaffected>
<vulnerable range="lt">120.0.6099.109</vulnerable>
</package>
<package name="www-client/google-chrome" auto="yes" arch="*">
<unaffected range="ge">120.0.6099.109</unaffected>
<vulnerable range="lt">120.0.6099.109</vulnerable>
</package>
<package name="www-client/microsoft-edge" auto="yes" arch="*">
<unaffected range="ge">120.0.2210.133</unaffected>
<vulnerable range="lt">120.0.2210.133</vulnerable>
</package>
</affected>
<background>
<p>Chromium is an open-source browser project that aims to build a safer, faster, and more stable way for all users to experience the web.
Google Chrome is one fast, simple, and secure browser for all your devices.
Microsoft Edge is a browser that combines a minimal design with sophisticated technology to make the web faster, safer, and easier.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Chromium and its derivatives. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="high">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Google Chrome users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/google-chrome-120.0.6099.109"
</code>
<p>All Chromium users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/chromium-120.0.6099.109"
</code>
<p>All Microsoft Edge users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/microsoft-edge-120.0.2210.133"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-2312">CVE-2023-2312</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-2929">CVE-2023-2929</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-2930">CVE-2023-2930</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-2931">CVE-2023-2931</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-2932">CVE-2023-2932</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-2933">CVE-2023-2933</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-2934">CVE-2023-2934</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-2935">CVE-2023-2935</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-2936">CVE-2023-2936</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-2937">CVE-2023-2937</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-2938">CVE-2023-2938</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-2939">CVE-2023-2939</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-2940">CVE-2023-2940</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-2941">CVE-2023-2941</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-3079">CVE-2023-3079</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-3214">CVE-2023-3214</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-3215">CVE-2023-3215</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-3216">CVE-2023-3216</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-3217">CVE-2023-3217</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-3420">CVE-2023-3420</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-3421">CVE-2023-3421</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-3422">CVE-2023-3422</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-3727">CVE-2023-3727</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-3728">CVE-2023-3728</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-3730">CVE-2023-3730</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-3732">CVE-2023-3732</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-3733">CVE-2023-3733</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-3734">CVE-2023-3734</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-3735">CVE-2023-3735</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-3736">CVE-2023-3736</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-3737">CVE-2023-3737</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-3738">CVE-2023-3738</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-3740">CVE-2023-3740</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4068">CVE-2023-4068</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4069">CVE-2023-4069</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4070">CVE-2023-4070</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4071">CVE-2023-4071</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4072">CVE-2023-4072</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4073">CVE-2023-4073</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4074">CVE-2023-4074</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4075">CVE-2023-4075</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4076">CVE-2023-4076</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4077">CVE-2023-4077</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4078">CVE-2023-4078</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4349">CVE-2023-4349</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4350">CVE-2023-4350</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4351">CVE-2023-4351</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4352">CVE-2023-4352</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4353">CVE-2023-4353</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4354">CVE-2023-4354</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4355">CVE-2023-4355</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4356">CVE-2023-4356</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4357">CVE-2023-4357</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4358">CVE-2023-4358</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4359">CVE-2023-4359</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4360">CVE-2023-4360</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4361">CVE-2023-4361</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4362">CVE-2023-4362</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4363">CVE-2023-4363</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4364">CVE-2023-4364</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4365">CVE-2023-4365</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4366">CVE-2023-4366</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4367">CVE-2023-4367</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4368">CVE-2023-4368</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4427">CVE-2023-4427</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4428">CVE-2023-4428</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4429">CVE-2023-4429</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4430">CVE-2023-4430</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4431">CVE-2023-4431</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4572">CVE-2023-4572</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4761">CVE-2023-4761</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4762">CVE-2023-4762</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4763">CVE-2023-4763</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4764">CVE-2023-4764</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4900">CVE-2023-4900</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4901">CVE-2023-4901</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4902">CVE-2023-4902</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4903">CVE-2023-4903</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4904">CVE-2023-4904</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4905">CVE-2023-4905</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4906">CVE-2023-4906</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4907">CVE-2023-4907</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4908">CVE-2023-4908</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4909">CVE-2023-4909</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5186">CVE-2023-5186</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5187">CVE-2023-5187</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5217">CVE-2023-5217</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5218">CVE-2023-5218</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5346">CVE-2023-5346</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5472">CVE-2023-5472</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5473">CVE-2023-5473</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5474">CVE-2023-5474</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5475">CVE-2023-5475</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5476">CVE-2023-5476</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5477">CVE-2023-5477</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5478">CVE-2023-5478</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5479">CVE-2023-5479</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5480">CVE-2023-5480</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5481">CVE-2023-5481</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5482">CVE-2023-5482</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5483">CVE-2023-5483</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5484">CVE-2023-5484</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5485">CVE-2023-5485</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5486">CVE-2023-5486</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5487">CVE-2023-5487</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5849">CVE-2023-5849</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5850">CVE-2023-5850</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5851">CVE-2023-5851</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5852">CVE-2023-5852</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5853">CVE-2023-5853</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5854">CVE-2023-5854</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5855">CVE-2023-5855</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5856">CVE-2023-5856</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5857">CVE-2023-5857</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5858">CVE-2023-5858</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5859">CVE-2023-5859</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5996">CVE-2023-5996</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5997">CVE-2023-5997</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6112">CVE-2023-6112</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6345">CVE-2023-6345</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6346">CVE-2023-6346</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6347">CVE-2023-6347</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6348">CVE-2023-6348</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6350">CVE-2023-6350</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6351">CVE-2023-6351</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6508">CVE-2023-6508</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6509">CVE-2023-6509</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6510">CVE-2023-6510</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6511">CVE-2023-6511</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6512">CVE-2023-6512</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6702">CVE-2023-6702</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6703">CVE-2023-6703</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6704">CVE-2023-6704</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6705">CVE-2023-6705</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6706">CVE-2023-6706</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6707">CVE-2023-6707</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-7024">CVE-2023-7024</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0222">CVE-2024-0222</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0223">CVE-2024-0223</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0224">CVE-2024-0224</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0225">CVE-2024-0225</uri>
</references>
<metadata tag="requester" timestamp="2024-01-31T15:39:13.302328Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-01-31T15:39:13.304555Z">graaff</metadata>
</glsa>


@ -1 +1 @@
Mon, 01 Jan 2024 06:39:51 +0000
Thu, 01 Feb 2024 06:41:20 +0000


@ -1 +1 @@
3dfe782899716a3480c9481c69bca8c231c663a7 1703730129 2023-12-28T02:22:09+00:00
8064a0b694d29fb2fca491d65494098fb43c2ffa 1706715575 2024-01-31T15:39:35+00:00