Merge pull request #689 from dm0-/glsa

Sync GLSAs
David Michael 2018-10-08 13:11:56 -04:00 committed by GitHub
commit 58dd711534
12 changed files with 644 additions and 17 deletions


@ -1,23 +1,23 @@
-----BEGIN PGP SIGNED MESSAGE----- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512 Hash: SHA512
MANIFEST Manifest.files.gz 427414 BLAKE2B 03f31e82901c67c54c9e2a393ac3d0d1d25bb342aa53f12ef4cda3b8ecae5db556d030b733bc4f3fdba54171e0a9a96a6e0e3c4ab9239061ea537618ba745ce1 SHA512 01f241123b41771420b69c122806bf7c9c1b4f6f77886ed4e9a9737364198dc0d9cc296f967c056f28a2af511a8d2680a7991527b5ca7723fbd12dcffe525a32 MANIFEST Manifest.files.gz 428688 BLAKE2B ad7b0e93dc8d25ffce2b6b151e2b2f9d3f4644e2e0bd01b04b2cf32db642d1d55604ebfba538d50e5bffd72012f36cafeebb5fa8b059c51e9495a17ed7d24e61 SHA512 38eef2b8a964d52745f651dc5c44cb508b253654c94f1704d61e63093636d75a72c2f7e2db78f40261fe9fecdede9dacd2401b62f42b01813651f01c9fe87245
TIMESTAMP 2018-07-30T15:38:34Z TIMESTAMP 2018-10-07T19:38:41Z
-----BEGIN PGP SIGNATURE----- -----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAltfMPpfFIAAAAAALgAo iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAlu6YMFfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx
RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY
klBgNw//T4p4YyrqTdUXKjPqYDKbPIAY6BLQMU6U2py9pMfpRJy6Mb7Otpfr2KCJ klBcCw/+KQFZnE+4IPn8ztI2u4v/O0Nsm2Nmv0gKVaRrGLSszOh1NQ7I2/Ran1vH
kM7Fc6KssxErmqes0ivw8FIU6/6NgnTMLETlPC6LPPApd49FmkRrI0JV4qt5CAgR JH7U1joN/9/se20Sx5nqaXt2ubVNhu4jRYrFVNbbAuDyNqLr8NPi2I0YQPa0pqkW
whUVWRNU7+LGxzL3w9Sj3Z47b6XPRHZwVzsX0F8eXAC4C2prRojGOd+Zs+wilFgE bxvcNQjcQ5s2tWZTMANkt3DriA117zQidyFjOuZKcZkx5eiTcSq/ICtpF4vQT9U1
DiWg3PAiGQQjIOgNq3Jl86d09vD0QkCYNlTJrCil54VW9ct6vXLiyv7Gij5EMmay PaB9moOXB7gM+EVvskPYT5D3f16Pe2xTdMPVV7DqDCQFxO7VuiX1tZagVuTkR8Ik
gFnhFTNahYgrJkt8EP7R+lRILynopntLOnE1dpsWqWdyqvXaILxNiMWSxQO6c2E+ bg5f26ap0TpZOGpCXD56VTOUupb5Yf4K8OJgeg9Q8OQEihXxx2q3fLg69Zf/4E0t
lhxvIaD2jZIdldbiy2va3jENhVr7RpqMx9N7mB/CRf0VNhPJc9onqfXWT0h3QCBt Nwg+uoXvov8EsL8v9W+Tmx9EZTPy1zgTPkqz4e9WsfrVq5QDvro3/tTR28AkhO1i
CtosieBoPc8rW3OJYIbvCQmMLzNQ2u4gKVcYwbNGMOwkOiO1oHgevpwHdQ2O5jyK jzEsR4CZpghnVhl0yejTyrx0u3oP1txkoqpa7DPgUTE3dTICmYiEP/YGtKp7qoIv
EDsxINAOG27DHbdHVqWhTfRI5SmxWq47uE6zjM0zKWimbjRY8RFpExVDjM8SCyh0 /eoUnAA50ojeobe8kx7PxQrgWFZbK4ImWZZvTE+5oTVQrTiUse/vJb4il1Xe0xWU
J59CYZXLi3h1MpX1Ydi20kGkJKO6O6WzzZzLOn1OK4uBPnD/WYiO36IDH2PjwRSM Dalh9+9K8WrnBfZ6kv7hevdAEmnxZZzX1jPGe1gRLKoBVa/JeXLnmfq8v2li7W53
XK2pK+UR6bV7Jb9vyK6kdwi+fKMz7BSsJcfXLr67MOAuorx/qq+2vdwghEVmpWj8 uT4nEWZ2Tv+SKSOET8oZfzPL4GjufIyWfNZ1noPjfonXy9J99yb1mkp7Wpcak0c+
jc6bhGf5mde/MetlAtL2rHWJC1UPNiTBATnZYBIMe1po0zuIjCY= 8nMYs6pFmQeaerLMbnRGmitvGkpcipZFw3PJFlsh/xnq+/KCM0Y=
=OVLH =tYDL
-----END PGP SIGNATURE----- -----END PGP SIGNATURE-----


@ -0,0 +1,105 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201808-01">
<title>Chromium, Google Chrome: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Chromium and Google
Chrome, the worst of which allows remote attackers to escalate privileges.
</synopsis>
<product type="ebuild">chromium</product>
<announced>2018-08-22</announced>
<revised count="2">2018-08-22</revised>
<bug>657376</bug>
<bug>662436</bug>
<access>remote</access>
<affected>
<package name="www-client/chromium" auto="yes" arch="*">
<unaffected range="ge">68.0.3440.75</unaffected>
<vulnerable range="lt">68.0.3440.75</vulnerable>
</package>
<package name="www-client/google-chrome" auto="yes" arch="*">
<unaffected range="ge">68.0.3440.75</unaffected>
<vulnerable range="lt">68.0.3440.75</vulnerable>
</package>
</affected>
<background>
<p>Chromium is an open-source browser project that aims to build a safer,
faster, and more stable way for all users to experience the web.
</p>
<p>Google Chrome is one fast, simple, and secure browser for all your
devices.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Chromium and Google
Chrome. Please review the referenced CVE identifiers and Google Chrome
Releases for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could escalate privileges, cause a heap buffer
overflow, obtain sensitive information or spoof a URL.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Chromium users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose
"&gt;=www-client/chromium-68.0.3440.75"
</code>
<p>All Google Chrome users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose
"&gt;=www-client/google-chrome-68.0.3440.75"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4117">CVE-2018-4117</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6044">CVE-2018-6044</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6150">CVE-2018-6150</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6151">CVE-2018-6151</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6152">CVE-2018-6152</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6153">CVE-2018-6153</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6154">CVE-2018-6154</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6155">CVE-2018-6155</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6156">CVE-2018-6156</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6157">CVE-2018-6157</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6158">CVE-2018-6158</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6159">CVE-2018-6159</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6160">CVE-2018-6160</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6161">CVE-2018-6161</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6162">CVE-2018-6162</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6163">CVE-2018-6163</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6164">CVE-2018-6164</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6165">CVE-2018-6165</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6166">CVE-2018-6166</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6167">CVE-2018-6167</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6168">CVE-2018-6168</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6169">CVE-2018-6169</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6170">CVE-2018-6170</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6171">CVE-2018-6171</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6172">CVE-2018-6172</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6173">CVE-2018-6173</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6174">CVE-2018-6174</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6175">CVE-2018-6175</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6176">CVE-2018-6176</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6177">CVE-2018-6177</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6178">CVE-2018-6178</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6179">CVE-2018-6179</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2108-6150">CVE-2108-6150</uri>
<uri link="https://chromereleases.googleblog.com/2018/07/stable-channel-update-for-desktop.html">
Google Chrome 68.0.3440.75 release announcement
</uri>
</references>
<metadata tag="requester" timestamp="2018-07-30T23:07:09Z">irishluck83</metadata>
<metadata tag="submitter" timestamp="2018-08-22T21:30:07Z">Zlogene</metadata>
</glsa>
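Review bot: The last CVE reference in this advisory, `CVE-2108-6150`, carries a mistyped year (2108); since CVE-2018-6150 already appears earlier in the same `<references>` list, this is presumably a duplicate of that entry, and its NVD link resolves to nothing. Any tooling that extracts CVE identifiers from the synced GLSAs will emit the bogus id, so the correction (dropping the line, or changing it to `CVE-2018-6150`) belongs in the upstream advisory this file is synced from rather than in a local edit. Separately, every new advisory file in this sync declares an external DTD via `<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">`; whatever parses these files on this side should load them with DTD fetching and external entity resolution disabled, so that processing a synced advisory never turns into a network fetch or an XXE path.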


@ -0,0 +1,51 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201808-02">
<title>LinuX Containers user space utilities: Arbitrary file read</title>
<synopsis>A vulnerability has been found in LXC which may allow for arbitrary
file access (read-only).
</synopsis>
<product type="ebuild">lxc</product>
<announced>2018-08-22</announced>
<revised count="2">2018-08-22</revised>
<bug>662780</bug>
<access>local</access>
<affected>
<package name="app-emulation/lxc" auto="yes" arch="*">
<unaffected range="ge">3.0.1-r1</unaffected>
<vulnerable range="lt">3.0.1-r1</vulnerable>
</package>
</affected>
<background>
<p>LinuX Containers user space utilities.</p>
</background>
<description>
<p>lxc-user-nic when asked to delete a network interface will
unconditionally open a user provided path. This code path may be used by
an unprivileged user to check for the existence of a path which they
wouldnt otherwise be able to reach.
</p>
</description>
<impact type="low">
<p>A local unprivileged user could use this flaw to access arbitrary files,
including special device files.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All LXC users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-emulation/lxc-3.0.1-r1"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6556">CVE-2018-6556</uri>
</references>
<metadata tag="requester" timestamp="2018-08-13T17:16:02Z">irishluck83</metadata>
<metadata tag="submitter" timestamp="2018-08-22T21:31:58Z">Zlogene</metadata>
</glsa>


@ -0,0 +1,61 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201808-03">
<title>NetworkManager VPNC plugin: Privilege escalation</title>
<synopsis>A vulnerability in NetworkManager VPNC plugin allows local users to
escalate privileges.
</synopsis>
<product type="ebuild">networkmanager-vpnc</product>
<announced>2018-08-22</announced>
<revised count="1">2018-08-22</revised>
<bug>661712</bug>
<access>local</access>
<affected>
<package name="net-misc/networkmanager-vpnc" auto="yes" arch="*">
<unaffected range="ge">1.2.6</unaffected>
<vulnerable range="lt">1.2.6</vulnerable>
</package>
</affected>
<background>
<p>NetworkManager is an universal network configuration daemon for laptops,
desktops, servers and virtualization hosts.
</p>
<p>The VPNC plugin provides easy access Cisco Concentrator based VPNs
utilizing NetworkManager.
</p>
</background>
<description>
<p>When initiating a VPNC connection, NetworkManager spawns a new vpnc
process and passes the configuration via STDIN. By injecting a special
character into a configuration parameter, an attacker can coerce
NetworkManager to set the Password helper option to an attacker
controlled executable file.
</p>
</description>
<impact type="normal">
<p>A local attacker is able to escalate privileges via a specially crafted
configuration file.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All NetworkManager VPNC plugin users should upgrade to the latest
version:
</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose
"&gt;=net-misc/networkmanager-vpnc-1.2.6"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-10900">CVE-2018-10900</uri>
</references>
<metadata tag="requester" timestamp="2018-07-30T00:25:20Z">irishluck83</metadata>
<metadata tag="submitter" timestamp="2018-08-22T21:14:54Z">irishluck83</metadata>
</glsa>


@ -0,0 +1,111 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201808-04">
<title>WebkitGTK+: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in WebKitGTK+, the worst
of which may lead to arbitrary code execution.
</synopsis>
<product type="ebuild">webkit-gtk</product>
<announced>2018-08-22</announced>
<revised count="1">2018-08-22</revised>
<bug>652820</bug>
<bug>658168</bug>
<bug>662974</bug>
<access>remote</access>
<affected>
<package name="net-libs/webkit-gtk" auto="yes" arch="*">
<unaffected range="ge">2.20.4</unaffected>
<vulnerable range="lt">2.20.4</vulnerable>
</package>
</affected>
<background>
<p>WebKitGTK+ is a full-featured port of the WebKit rendering engine,
suitable for projects requiring any kind of web integration, from hybrid
HTML/CSS applications to full-fledged web browsers.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in WebKitGTK+. Please
review the referenced CVE identifiers for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could execute arbitrary commands or cause a denial of
service condition via a maliciously crafted web content.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All WebkitGTK+ users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-libs/webkit-gtk-2.20.4"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-11646">CVE-2018-11646</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-11712">CVE-2018-11712</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-11713">CVE-2018-11713</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12293">CVE-2018-12293</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12294">CVE-2018-12294</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4101">CVE-2018-4101</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4113">CVE-2018-4113</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4114">CVE-2018-4114</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4117">CVE-2018-4117</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4118">CVE-2018-4118</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4119">CVE-2018-4119</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4120">CVE-2018-4120</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4121">CVE-2018-4121</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4122">CVE-2018-4122</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4125">CVE-2018-4125</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4127">CVE-2018-4127</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4128">CVE-2018-4128</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4129">CVE-2018-4129</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4133">CVE-2018-4133</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4146">CVE-2018-4146</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4162">CVE-2018-4162</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4163">CVE-2018-4163</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4165">CVE-2018-4165</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4190">CVE-2018-4190</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4192">CVE-2018-4192</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4199">CVE-2018-4199</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4200">CVE-2018-4200</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4201">CVE-2018-4201</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4204">CVE-2018-4204</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4214">CVE-2018-4214</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4218">CVE-2018-4218</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4222">CVE-2018-4222</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4232">CVE-2018-4232</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4233">CVE-2018-4233</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4261">CVE-2018-4261</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4262">CVE-2018-4262</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4263">CVE-2018-4263</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4264">CVE-2018-4264</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4265">CVE-2018-4265</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4266">CVE-2018-4266</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4267">CVE-2018-4267</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4270">CVE-2018-4270</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4272">CVE-2018-4272</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4273">CVE-2018-4273</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4278">CVE-2018-4278</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4284">CVE-2018-4284</uri>
<uri link="https://webkitgtk.org/security/WSA-2018-0003.html">WebKitGTK+
Security Advisory WSA-2018-0003
</uri>
<uri link="https://webkitgtk.org/security/WSA-2018-0004.html">WebKitGTK+
Security Advisory WSA-2018-0004
</uri>
<uri link="https://webkitgtk.org/security/WSA-2018-0005.html">WebKitGTK+
Security Advisory WSA-2018-0005
</uri>
<uri link="https://webkitgtk.org/security/WSA-2018-0006.html">WebKitGTK+
Security Advisory WSA-2018-0006
</uri>
</references>
<metadata tag="requester" timestamp="2018-08-06T19:11:23Z">whissi</metadata>
<metadata tag="submitter" timestamp="2018-08-22T21:15:04Z">irishluck83</metadata>
</glsa>


@ -0,0 +1,115 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201810-01">
<title>Mozilla Firefox: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Mozilla Firefox, the
worst of which may allow execution of arbitrary code.
</synopsis>
<product type="ebuild">firefox</product>
<announced>2018-10-02</announced>
<revised count="1">2018-10-02</revised>
<bug>650422</bug>
<bug>657976</bug>
<bug>659432</bug>
<bug>665496</bug>
<bug>666760</bug>
<bug>667612</bug>
<access>remote</access>
<affected>
<package name="www-client/firefox" auto="yes" arch="*">
<unaffected range="ge">60.2.2</unaffected>
<vulnerable range="lt">60.2.2</vulnerable>
</package>
<package name="www-client/firefox-bin" auto="yes" arch="*">
<unaffected range="ge">60.2.2</unaffected>
<vulnerable range="lt">60.2.2</vulnerable>
</package>
</affected>
<background>
<p>Mozilla Firefox is a popular open-source web browser from the Mozilla
Project.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Mozilla Firefox. Please
review the referenced CVE identifiers for details.
</p>
</description>
<impact type="high">
<p>A remote attacker could entice a user to view a specially crafted web
page, possibly resulting in the execution of arbitrary code with the
privileges of the process or a Denial of Service condition. Furthermore,
a remote attacker may be able to perform Man-in-the-Middle attacks,
obtain sensitive information, spoof the address bar, conduct clickjacking
attacks, bypass security restrictions and protection mechanisms, or have
other unspecified impact.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Mozilla Firefox users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=www-client/firefox-60.2.2"
</code>
<p>All Mozilla Firefox binary users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=www-client/firefox-bin-60.2.2"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-16541">CVE-2017-16541</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12358">CVE-2018-12358</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12359">CVE-2018-12359</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12360">CVE-2018-12360</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12361">CVE-2018-12361</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12362">CVE-2018-12362</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12363">CVE-2018-12363</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12364">CVE-2018-12364</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12365">CVE-2018-12365</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12366">CVE-2018-12366</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12367">CVE-2018-12367</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12368">CVE-2018-12368</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12369">CVE-2018-12369</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12370">CVE-2018-12370</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12371">CVE-2018-12371</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12376">CVE-2018-12376</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12377">CVE-2018-12377</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12378">CVE-2018-12378</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12379">CVE-2018-12379</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12381">CVE-2018-12381</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12383">CVE-2018-12383</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12385">CVE-2018-12385</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12386">CVE-2018-12386</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12387">CVE-2018-12387</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-5125">CVE-2018-5125</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-5127">CVE-2018-5127</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-5129">CVE-2018-5129</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-5130">CVE-2018-5130</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-5131">CVE-2018-5131</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-5144">CVE-2018-5144</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-5150">CVE-2018-5150</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-5154">CVE-2018-5154</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-5155">CVE-2018-5155</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-5156">CVE-2018-5156</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-5157">CVE-2018-5157</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-5158">CVE-2018-5158</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-5159">CVE-2018-5159</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-5168">CVE-2018-5168</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-5178">CVE-2018-5178</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-5183">CVE-2018-5183</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-5186">CVE-2018-5186</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-5187">CVE-2018-5187</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-5188">CVE-2018-5188</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6126">CVE-2018-6126</uri>
</references>
<metadata tag="requester" timestamp="2018-10-02T09:03:17Z">whissi</metadata>
<metadata tag="submitter" timestamp="2018-10-02T22:17:52Z">irishluck83</metadata>
</glsa>


@ -0,0 +1,59 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201810-02">
<title>SoX: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in SoX, the worst of which
may lead to a Denial of Service condition.
</synopsis>
<product type="ebuild">sox</product>
<announced>2018-10-06</announced>
<revised count="1">2018-10-06</revised>
<bug>626702</bug>
<bug>627570</bug>
<bug>634450</bug>
<bug>634814</bug>
<access>remote</access>
<affected>
<package name="media-sound/sox" auto="yes" arch="*">
<unaffected range="ge">14.4.2-r1</unaffected>
<vulnerable range="lt">14.4.2-r1</vulnerable>
</package>
</affected>
<background>
<p>SoX is a command line utility that can convert various formats of
computer audio files in to other formats.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in SoX. Please review the
referenced CVE identifiers for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker, by enticing a user to process a crafted WAV, HCOM,
SND, or AIFF file, could cause a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All SoX users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=media-sound/sox-14.4.2-r1"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-11332">CVE-2017-11332</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-11358">CVE-2017-11358</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-11359">CVE-2017-11359</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-15370">CVE-2017-15370</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-15371">CVE-2017-15371</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-15372">CVE-2017-15372</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-15642">CVE-2017-15642</uri>
</references>
<metadata tag="requester" timestamp="2018-09-30T21:36:08Z">BlueKnight</metadata>
<metadata tag="submitter" timestamp="2018-10-06T16:59:06Z">irishluck83</metadata>
</glsa>


@ -0,0 +1,49 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201810-03">
<title>OpenSSH: User enumeration vulnerability</title>
<synopsis>A vulnerability in OpenSSH might allow remote attackers to
determine valid usernames.
</synopsis>
<product type="ebuild">openssh</product>
<announced>2018-10-06</announced>
<revised count="1">2018-10-06</revised>
<bug>664264</bug>
<access>remote</access>
<affected>
<package name="net-misc/openssh" auto="yes" arch="*">
<unaffected range="ge">7.7_p1-r8</unaffected>
<vulnerable range="lt">7.7_p1-r8</vulnerable>
</package>
</affected>
<background>
<p>OpenSSH is a complete SSH protocol implementation that includes SFTP
client and server support.
</p>
</background>
<description>
<p>It was discovered that OpenSSH was prone to a user enumeration
vulnerability.
</p>
</description>
<impact type="low">
<p>A remote attacker could conduct user enumeration.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All OpenSSH users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-misc/openssh-7.7_p1-r8"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-15473">CVE-2018-15473</uri>
</references>
<metadata tag="requester" timestamp="2018-08-23T00:18:32Z">whissi</metadata>
<metadata tag="submitter" timestamp="2018-10-06T17:02:32Z">whissi</metadata>
</glsa>


@ -0,0 +1,76 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201810-04">
<title>ImageMagick: Security hardening</title>
<synopsis>Due to multiple vulnerabilities in various coders used by
ImageMagick, Gentoo Linux now installs a policy.xml file which will
restrict coder usage by default.
</synopsis>
<product type="ebuild">imagemagick</product>
<announced>2018-10-06</announced>
<revised count="1">2018-10-06</revised>
<bug>664236</bug>
<access>local, remote</access>
<affected>
<package name="media-gfx/imagemagick" auto="yes" arch="*">
<unaffected range="ge">6.9.10.10-r1</unaffected>
<unaffected range="ge">7.0.8.10-r1</unaffected>
<vulnerable range="lt">6.9.10.10-r1</vulnerable>
<vulnerable range="lt">7.0.8.10-r1</vulnerable>
</package>
</affected>
<background>
<p>ImageMagick is a collection of tools and libraries for many image
formats.
</p>
</background>
<description>
<p>If you process an image with ImageMagick and dont validate the file
before (e.g. check magic byte), ImageMagick will call any coders found in
the given file. So if ImageMagick will find Ghostscript for example, it
will call Ghostscript.
</p>
<p>Due to multiple -dSAFER sandbox bypass vulnerabilities in Ghostscript,
this can lead to arbitrary code execution.
</p>
<p>To mitigate this problem we install a policy.xml file by default which
will disable PS, EPS, PDF, and XPS coders.
</p>
</description>
<impact type="normal">
<p>A remote attacker, by enticing a user to process a specially crafted
image file, could execute arbitrary code with the privileges of the
process or cause a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All ImageMagick 6 users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose
"&gt;=media-gfx/imagemagick-6.9.10.10-r1"
</code>
<p>All ImageMagick 7 users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose
"&gt;=media-gfx/imagemagick-7.0.8.10-r1"
</code>
</resolution>
<references>
<uri link="https://www.kb.cert.org/vuls/id/332928">Ghostscript contains
multiple -dSAFER sandbox bypass vulnerabilities (VU#332928)
</uri>
</references>
<metadata tag="requester" timestamp="2018-08-22T17:43:38Z">whissi</metadata>
<metadata tag="submitter" timestamp="2018-10-06T17:09:35Z">whissi</metadata>
</glsa>
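Review bot: The `<workaround>` section states `There is no known workaround at this time.`, yet the description says the fix itself is a policy.xml that disables the PS, EPS, PDF and XPS coders — a configuration change that a user who cannot upgrade yet could apply to an existing installation by hand. If the upstream advisory is revised, the workaround paragraph could point to that coder-restriction policy instead of claiming none exists; as a synced file this is an upstream correction rather than a local edit. The description also reads `dont` where `don't` is meant.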


@ -1 +1 @@
Mon, 30 Jul 2018 15:38:31 +0000 Sun, 07 Oct 2018 19:38:38 +0000


@ -1 +1 @@
bc003b9516bfd3c1d933c8cd919b86b13f8c5548 1532902339 2018-07-29T22:12:19+00:00 b914ac7ce64b6f61d701c5cf4173dd03fafdca0e 1538845801 2018-10-06T17:10:01+00:00