Merge pull request #411 from flatcar/buildbot/monthly-glsa-metadata-updates-2023-02-01

Monthly GLSA metadata 2023-02-01
Dongsu Park 2023-02-01 14:26:11 +01:00 committed by GitHub
commit 52831e27f7
13 changed files with 453 additions and 17 deletions


@ -1,23 +1,23 @@
-----BEGIN PGP SIGNED MESSAGE----- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512 Hash: SHA512
MANIFEST Manifest.files.gz 538785 BLAKE2B a42e589b6c2be5ab4486b79822a326a12b3725dbc28e32cbb116cd453b6899511ab2026524f136171407f678f9acafd852f1a2a245b8caed5bad581d2eb86337 SHA512 8ff81ddfe9cd2569ab4fe6eabe9daf23f1f66918aba5cae55ff8241b2bb330fac90cb5595df81455bfa98b51ed1c6e965c73508fe1b662e752525e3e27b52956 MANIFEST Manifest.files.gz 540216 BLAKE2B d30aef090eaffb1f3ce91f96dfcc44f7a5d1a954885fba68126dee1aa21a3de740e45dd7106f5d3ba2b51e48eda29870b954e2a90cc8bfa9dc1ac93912daadef SHA512 f9ff42d8d58ea6e6bae5d32f95af7bcddc333ce0478d31cfefb14e85c8d99eaf4d3d9a0802c961e3f7e7d8f3696894cb1d1d0e81db3807d1796858a550f0351f
TIMESTAMP 2023-01-01T06:39:50Z TIMESTAMP 2023-02-01T06:40:02Z
-----BEGIN PGP SIGNATURE----- -----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmOxKrZfFIAAAAAALgAo iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmPaCUJfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx
RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY
klC9ixAAlN/ZDgZxdBTgSZ3atw+dpo6ESRtQ7gkxPHvzT+eT1h3F0dSTaY7ts76N klCklQ/7BVDhFbxa/ldVx+FXtHAvix9WxQEbldYkNkNWSPHEM8zZGtD8fzaJxdfX
1qkK0HJWgAuhwiqe0225mCYXe9v6m9EmmJ4kHSoShiGXyS/SWpYt6sUY2nlbAZgV LyCz1L4B5Q/2dBFBpXptHIBFsPMT/F7c7pVaxYR00RTsph1Gy//j7FWWElPUNz18
jAIGEnyGsSmAHTfhXz9M3jDfT0Lz4icm/GMLfR2/ZhjeFkAt4Z32qVcphNJ8QwxY bzw8P+GV5+exv1XN+Uf1N12gVdVUHrYJ1VcokqGwQ8tphUuzt8v/YOuzo8jT6or7
P8F8mo+MY3GRwLMQk0cuJkNVsFf3+2WOfDVm03btzCeWWdxl34A/+v7bbFMGdKXd 7c1I9A3mj7TZQnHvmPV7uxK+NyjRp/AkSac9xILCwzlwGgTvsvh6+9Oozg5TWsFM
4zR6z7cHmhJX/hLy9SvrrkevODry90s+khHplCo9+lSXlapVF31PROW6g8ALXxhF LJQ2VPe1qMh24zSiHF03a9UtIQvegXX4IBqvks74was9nRcZXCYisjc6GLcPd4FD
3/t2N22u1mx+V8Bpx578awRjupLUH753zj7h+Pl/PJWXjGcQoBIOJUvx8f8uTLx3 pwAN51qsYpuT91VSUWnyfk6upONlei13CaRrJDWKTfPuuTjj/G+bpDS8RkRtkPnh
2VdysCeI2t99wn5f9TLrkqQ0KhYqr8xwvEC+b2pPEMOaQZsYbAx1aNHYTDD2imDx pdc0fiV4AFcbWDX00fCMPR7Nj6Q3MRjCfRnP1rsMMnF6Vc4mtN5Y4nNwUHo2JCu0
tDl/a5zXlbwWD4HavYbf0oKQG3T6lqmD6DGA+LDHAhVDdQwUNYPcRgvO8Ytw29Dd CjUCJ2pwpCqnNW3kRYp8MYK4TUkJ3Tnj1WoWemGTYUUsjiDhOUWVVvulmKJFl+tp
CuvKk0xHfUuL0mbobXp7BpQZdV8bUZhbGK8ftiDGSaHPwTYAvkP/C1po1FoD7MYj wMPhFmPYPb++ByPBO424EDelixGkAQSeUx58J1xNz1j35snF6CqC9Hx4CjMJgD97
fnyLkDOvj+fkyMdB7OV/9newvbtuRUaNhindnjBjz6olzFgCtSMrN5G0ZZmm4bw+ XtaqU/AN2IYJuqZFDC6cYfnL6ypVIVWoXOpqiC4Z0VUXzLw3VF0kSQ3NM6/py6Pb
lkEpAY/cM1XMMG/49419NC9IV9votImHvwTS/3hY8unTkN7Qdxk= b76p1639npqhiWGZw0oPHvK6NKKtDQhkSoytMmulVq0YxSYYRdM=
=I9HV =ccNa
-----END PGP SIGNATURE----- -----END PGP SIGNATURE-----


@ -0,0 +1,72 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202301-01">
<title>NTFS-3G: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in NTFS-3G, the worst of which could result in arbitrary code execution.</synopsis>
<product type="ebuild">ntfs3g</product>
<announced>2023-01-11</announced>
<revised count="1">2023-01-11</revised>
<bug>878885</bug>
<bug>847598</bug>
<bug>811156</bug>
<access>remote</access>
<affected>
<package name="sys-fs/ntfs3g" auto="yes" arch="*">
<unaffected range="ge">2022.10.3</unaffected>
<vulnerable range="lt">2022.10.3</vulnerable>
</package>
</affected>
<background>
<p>NTFS-3G is a stable, full-featured, read-write NTFS driver for various operating systems.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in NTFS-3G. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="high">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All NTFS-3G users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-fs/ntfs3g-2022.10.3"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-33285">CVE-2021-33285</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-33286">CVE-2021-33286</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-33287">CVE-2021-33287</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-33289">CVE-2021-33289</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-35266">CVE-2021-35266</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-35267">CVE-2021-35267</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-35268">CVE-2021-35268</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-35269">CVE-2021-35269</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-39251">CVE-2021-39251</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-39252">CVE-2021-39252</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-39253">CVE-2021-39253</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-39254">CVE-2021-39254</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-39255">CVE-2021-39255</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-39256">CVE-2021-39256</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-39257">CVE-2021-39257</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-39258">CVE-2021-39258</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-39259">CVE-2021-39259</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-39260">CVE-2021-39260</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-39261">CVE-2021-39261</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-39262">CVE-2021-39262</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-39263">CVE-2021-39263</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-30783">CVE-2022-30783</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-30784">CVE-2022-30784</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-30785">CVE-2022-30785</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-30786">CVE-2022-30786</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-30787">CVE-2022-30787</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-30788">CVE-2022-30788</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-30789">CVE-2022-30789</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-40284">CVE-2022-40284</uri>
</references>
<metadata tag="requester" timestamp="2023-01-11T05:15:14.346677Z">ajak</metadata>
<metadata tag="submitter" timestamp="2023-01-11T05:15:14.351130Z">ajak</metadata>
</glsa>
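Review bot: Every imported GLSA file opens with `<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">` (line 2 of this section, and the same line in the 202301-02 through 202301-09 sections below), an external DTD reference over plain HTTP in a data file that is mirrored verbatim from upstream. Since the DOCTYPE cannot be dropped without diverging from the signed upstream content, the safeguard belongs on the consumer side: whatever in this repository parses these advisories should run with external DTD loading and external entity resolution disabled and with entity expansion bounded, and should validate against a pinned local copy of the DTD rather than fetching the URL. The accompanying Manifest hunk above carries the PGP signature over Manifest.files.gz; it is presumably the integrity anchor for this monthly sync, so the import job should verify that signature before these files are accepted — I cannot confirm from this page that it does. Worth a short comment on the importer, e.g. `<!-- DTD is informational only; parse with external entities disabled, see importer -->` if a header is ever allowed in these files.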


@ -0,0 +1,46 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202301-02">
<title>Twisted: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in Twisted, the worst of which could result in denial of service.</synopsis>
<product type="ebuild">twisted</product>
<announced>2023-01-11</announced>
<revised count="1">2023-01-11</revised>
<bug>878499</bug>
<bug>834542</bug>
<bug>832875</bug>
<access>remote</access>
<affected>
<package name="dev-python/twisted" auto="yes" arch="*">
<unaffected range="ge">22.10.0</unaffected>
<vulnerable range="lt">22.10.0</vulnerable>
</package>
</affected>
<background>
<p>Twisted is an asynchronous networking framework written in Python.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Twisted. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="low">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Twisted users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-python/twisted-22.10.0"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-21712">CVE-2022-21712</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-21716">CVE-2022-21716</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-39348">CVE-2022-39348</uri>
</references>
<metadata tag="requester" timestamp="2023-01-11T05:16:16.479507Z">ajak</metadata>
<metadata tag="submitter" timestamp="2023-01-11T05:16:16.483411Z">ajak</metadata>
</glsa>


@ -0,0 +1,42 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202301-03">
<title>scikit-learn: Denial of Service</title>
<synopsis>A vulnerability was found in scikit-learn which could result in denial of service.</synopsis>
<product type="ebuild">scikit-learn</product>
<announced>2023-01-11</announced>
<revised count="1">2023-01-11</revised>
<bug>758323</bug>
<access>remote</access>
<affected>
<package name="sci-libs/scikit-learn" auto="yes" arch="*">
<unaffected range="ge">1.1.1</unaffected>
<vulnerable range="lt">1.1.1</vulnerable>
</package>
</affected>
<background>
<p>scikit-learn is a machine learning library for Python.</p>
</background>
<description>
<p>When supplied with a crafted model SVM, predict() can result in a null pointer dereference.</p>
</description>
<impact type="low">
<p>An attcker capable of providing a crafted model to scikit-learn can result in denial of service.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All scikit-learn users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=sci-libs/scikit-learn-1.1.1"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-28975">CVE-2020-28975</uri>
</references>
<metadata tag="requester" timestamp="2023-01-11T05:16:33.475780Z">ajak</metadata>
<metadata tag="submitter" timestamp="2023-01-11T05:16:33.478230Z">ajak</metadata>
</glsa>


@ -0,0 +1,42 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202301-04">
<title>jupyter_core: Arbitrary Code Execution</title>
<synopsis>A vulnerability has been discovered in jupyter_core which could allow for the execution of code as another user.</synopsis>
<product type="ebuild">jupyter_core</product>
<announced>2023-01-11</announced>
<revised count="1">2023-01-11</revised>
<bug>878497</bug>
<access>remote</access>
<affected>
<package name="dev-python/jupyter_core" auto="yes" arch="*">
<unaffected range="ge">4.11.2</unaffected>
<vulnerable range="lt">4.11.2</vulnerable>
</package>
</affected>
<background>
<p>jupyter_core contains core Jupyter functionality.</p>
</background>
<description>
<p>jupyter_core trusts files for execution in the current working directory without validating ownership of those files.</p>
</description>
<impact type="high">
<p>By writing to a directory that is used a the current working directory for jupyter_core by another user, users can elevate privileges to those of another user.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All jupyter_core users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-python/jupyter_core-4.11.2"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-39286">CVE-2022-39286</uri>
</references>
<metadata tag="requester" timestamp="2023-01-11T05:17:05.951365Z">ajak</metadata>
<metadata tag="submitter" timestamp="2023-01-11T05:17:05.954259Z">ajak</metadata>
</glsa>


@ -0,0 +1,42 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202301-05">
<title>Apache Commons Text: Arbitrary Code Execution</title>
<synopsis>A vulnerability has been discovered in Apache Commons Text which could result in arbitrary code execution.</synopsis>
<product type="ebuild">commons-text</product>
<announced>2023-01-11</announced>
<revised count="1">2023-01-11</revised>
<bug>877577</bug>
<access>remote</access>
<affected>
<package name="dev-java/commons-text" auto="yes" arch="*">
<unaffected range="ge">1.10.0</unaffected>
<vulnerable range="lt">1.10.0</vulnerable>
</package>
</affected>
<background>
<p>Apache Commons Text is a library focused on algorithms working on strings.</p>
</background>
<description>
<p>Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is &#34;${prefix:name}&#34;, where &#34;prefix&#34; is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. The set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - &#34;script&#34; - execute expressions using the JVM script execution engine (javax.script) - &#34;dns&#34; - resolve dns records - &#34;url&#34; - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used.</p>
</description>
<impact type="high">
<p>Crafted input to Apache Commons Text could trigger remote code execution.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Apache Commons Text users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-java/commons-text-1.10.0"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-42889">CVE-2022-42889</uri>
</references>
<metadata tag="requester" timestamp="2023-01-11T05:18:10.785619Z">ajak</metadata>
<metadata tag="submitter" timestamp="2023-01-11T05:18:10.790088Z">ajak</metadata>
</glsa>


@ -0,0 +1,43 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202301-06">
<title>liblouis: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in liblouis, the worst of which could result in denial of service.</synopsis>
<product type="ebuild">liblouis</product>
<announced>2023-01-11</announced>
<revised count="1">2023-01-11</revised>
<bug>835093</bug>
<access>remote</access>
<affected>
<package name="dev-libs/liblouis" auto="yes" arch="*">
<unaffected range="ge">3.22.0</unaffected>
<vulnerable range="lt">3.22.0</vulnerable>
</package>
</affected>
<background>
<p>liblouis is an open-source braille translator and back-translator.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in liblouis. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="low">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All liblouis users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/liblouis-3.22.0"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-26981">CVE-2022-26981</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-31783">CVE-2022-31783</uri>
</references>
<metadata tag="requester" timestamp="2023-01-11T05:18:26.543131Z">ajak</metadata>
<metadata tag="submitter" timestamp="2023-01-11T05:18:26.546170Z">ajak</metadata>
</glsa>


@ -0,0 +1,43 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202301-07">
<title>Alpine: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Alpine, the worst of which could result in denial of service.</synopsis>
<product type="ebuild">alpine</product>
<announced>2023-01-11</announced>
<revised count="1">2023-01-11</revised>
<bug>807613</bug>
<access>remote</access>
<affected>
<package name="mail-client/alpine" auto="yes" arch="*">
<unaffected range="ge">2.25</unaffected>
<vulnerable range="lt">2.25</vulnerable>
</package>
</affected>
<background>
<p>Alpine is an easy to use text-based based mail and news client.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Alpine. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="low">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Alpine users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=mail-client/alpine-2.25"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-38370">CVE-2021-38370</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-46853">CVE-2021-46853</uri>
</references>
<metadata tag="requester" timestamp="2023-01-11T05:18:50.361361Z">ajak</metadata>
<metadata tag="submitter" timestamp="2023-01-11T05:18:50.363738Z">ajak</metadata>
</glsa>


@ -0,0 +1,62 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202301-08">
<title>Mbed TLS: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in Mbed TLS, the worst of which could result in arbitrary code execution.</synopsis>
<product type="ebuild">mbedtls</product>
<announced>2023-01-11</announced>
<revised count="1">2023-01-11</revised>
<bug>857813</bug>
<bug>829660</bug>
<bug>801376</bug>
<bug>778254</bug>
<bug>764317</bug>
<bug>740108</bug>
<bug>730752</bug>
<access>remote</access>
<affected>
<package name="net-libs/mbedtls" auto="yes" arch="*">
<unaffected range="ge">2.28.1</unaffected>
<vulnerable range="lt">2.28.1</vulnerable>
</package>
</affected>
<background>
<p>Mbed TLS (previously PolarSSL) is an “easy to understand, use, integrate and expand” implementation of the TLS and SSL protocols and the respective cryptographic algorithms and support code required.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Mbed TLS. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="normal">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Mbed TLS users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/mbedtls-2.28.1"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-16150">CVE-2020-16150</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-36421">CVE-2020-36421</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-36422">CVE-2020-36422</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-36423">CVE-2020-36423</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-36424">CVE-2020-36424</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-36425">CVE-2020-36425</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-36426">CVE-2020-36426</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-36475">CVE-2020-36475</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-36476">CVE-2020-36476</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-36477">CVE-2020-36477</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-36478">CVE-2020-36478</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-43666">CVE-2021-43666</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-44732">CVE-2021-44732</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-45450">CVE-2021-45450</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-35409">CVE-2022-35409</uri>
</references>
<metadata tag="requester" timestamp="2023-01-11T05:19:06.415631Z">ajak</metadata>
<metadata tag="submitter" timestamp="2023-01-11T05:19:06.418706Z">ajak</metadata>
</glsa>


@ -0,0 +1,44 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202301-09">
<title>protobuf-java: Denial of Service</title>
<synopsis>A vulnerability has been discovered in protobuf-java which could result in denial of service.</synopsis>
<product type="ebuild">protobuf-java</product>
<announced>2023-01-11</announced>
<revised count="1">2023-01-11</revised>
<bug>876903</bug>
<access>remote</access>
<affected>
<package name="dev-java/protobuf-java" auto="yes" arch="*">
<unaffected range="ge">3.20.3</unaffected>
<vulnerable range="lt">3.20.3</vulnerable>
</package>
</affected>
<background>
<p>protobuf-java contains the Java bindings for Google&#39;s Protocol Buffers.</p>
</background>
<description>
<p>Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back and forth between mutable and immutable forms, resulting in potentially long garbage collection pauses.</p>
</description>
<impact type="low">
<p>Crafted input can trigger a denial of service via long garbage collection pauses.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All protobuf-java users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-java/protobuf-java-3.20.3"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3171">CVE-2022-3171</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3509">CVE-2022-3509</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3510">CVE-2022-3510</uri>
</references>
<metadata tag="requester" timestamp="2023-01-11T05:19:53.039305Z">ajak</metadata>
<metadata tag="submitter" timestamp="2023-01-11T05:19:53.043563Z">ajak</metadata>
</glsa>


@ -1 +1 @@
Sun, 01 Jan 2023 06:39:47 +0000 Wed, 01 Feb 2023 06:40:00 +0000


@ -1 +1 @@
b95962b57e3a2b7645af0491db5baf8f15b6b69d 1672253964 2022-12-28T18:59:24+00:00 da9b5483883fcc611753d44d34c0ede9188ce21c 1673414531 2023-01-11T05:22:11+00:00