mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-09-27 16:41:11 +02:00
Code Issues Packages Projects Releases Wiki Activity

portage-stable/metadata: Monthly GLSA metadata updates

Browse Source
This commit is contained in:
Flatcar Buildbot 2025-02-01 07:05:18 +00:00 committed by Krzesimir Nowak
parent b3d993190e
commit 64c19a0836
15 changed files with 672 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
sdk_container/src/third_party/portage-stable/metadata/glsa/Manifest vendored
View File

@ -1,23 +1,23 @@
-----BEGIN PGP SIGNED MESSAGE----- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512 Hash: SHA512
MANIFEST Manifest.files.gz 594915 BLAKE2B 220d9175cb1796cb5045abb4a1dd895efa478aa604a6eb3dde800553a73ce6b12ecf630b6574e1fc834659bac119417be17231464d8355e60ed5ed18f51b8044 SHA512 db425e75cb49a2ea05358c8e7f4e366d86628930a1e26279cb8287fe250565842ac004358a56986eb2aa4342ed7217cf30c8f78d97a02ed24483cca80fd1b2eb MANIFEST Manifest.files.gz 596663 BLAKE2B d03f77688298f7e2b1c117787c6f899250317779b0320cb4d08119535bbb454be5ff75faf4d4f6b88394f22fc5ce722770f4e51f537acca0853947165902a3ab SHA512 ca731da057a6d173058e289dcfa3c1e06f0e35cc32aa1f85102f6637f27eb4a9f2444a9eb532f9df30535ce50e36fc4a7976c85eb02dcc7f7b80b4a213ec6d2d
TIMESTAMP 2025-01-01T06:40:41Z TIMESTAMP 2025-02-01T06:42:06Z
-----BEGIN PGP SIGNATURE----- -----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmd042lfFIAAAAAALgAo iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmedwj5fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx
RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY
klBoyg//VQm7GsyyuffSjKJO3H/YJF558ygX0IxnZPwgQweC9ERRd3NlONm2mlph klBlXBAAr4sY5iEDzYLEfvubrkiF3uuAHKfIwYSEXfmUWd0Ltv+skBym3Rmr5yp0
TzmZhAC+PnRGN+QTZh3M/kNuxPytaf6bg9vSNs2v221CHcSqErbzbMAiDO8ZRPoj 4/+OTE+9CqgqdbnWdlFbQcaBf+dLmZ6Q/CUZ054dbW5EjVchTx1VsKb+zSCyUSky
ToTfCC1jH2AoEAAmCWd120MK7nA1dzKx0DSvWhuTv02ssdS9Plj+SJ0SY6stjE3w Vm4uCHniPN7UgODv/NX8kttdQLojIR+HW0DvAJ6cDb9GFOYpvyilYezK0HuGNkje
vfyYTvVjsz90UppvVl9zdKPQa5st2ojC9/tJxCFEjTxV1ubGJDI/7TdArgyTTSDg vXWoiBRERytYJ74cigATfNaQ6aVgZAhWB/CMqC4EWW4d9o8e0XIi6TSq2cNgraAu
rx4Bbc5su4ANjXbYHofhar2X0/YYF6l/bglDMhCJIn8OwOyzWqXufgrmhmnCrCgt +Mxa4n7LrMaBFHKy+TNdeirztkHJSKdAAFwscpBZwngl8XwmOR3EIIJyzuvZ9jtY
V6FLxXqWimOmIiIL1YUwUgc3p0JYNuYAwGt5I6Tf/gX2h/4aHOxUvgDdvRf+hoUl uOkoLN+sn16Pz0zyuuonYn5aTu0TkazdEh6MVR2YTz8CcifTt1HcPivRiiB2Wa+e
9USr4sw5qovn+pFdDNwYrZ2+Uat83IYET85Mnlc8sqf3wH8I17lPKOzLtcgtkRND 50csAbppVN9UvCKMaR+Z+/JBnFP2BcuYNIdW+qUlzGHecB01PBLYBN9AI2HK9Ujn
i062wD9kU6gCen6fM80vuW4k40UphiAkrLhy8nMaWjBBVbRdXpGddGdOuPk0yX+b AgtQ8uwX49PDief0RQcUlAQ1xQ4wRu4HOgZHxT6XL9LTLVSMedm9/R4CK7uc1s4S
g+qjOXnkY/rZPek+u0lpS1MPU661IFJgXQs9wFaV9++VXpcpVCyFoyUNhhaIxEH9 U5uuC7xkPHXVi8s26wCf4+g7Rx2vVtxCEmevgnnBETD0B9OxECfqf+ZQfqqfwbL3
KEQwa8bz2DkoBCeJMYjH3xigcXMavQ9KTrRqkl2lUk1tLf/dBwY3d7Ao8rpCkirO JhT2rMejK7WWJC/Owp2syiWwEHEg8pR8XeyqwTSVmeqceJClQGWt0d4cIYSBUW2b
AF2w3sJ5hbD7PXm4OEDG3EYt1uQftsnV/UcNB26SVu8UT1tfmR0= efiUP+na+uWMxVbQm92Q/UKCrJe/cp9FvHDUyYeGuxun/1u1gXw=
=IQdp =4Nub
-----END PGP SIGNATURE----- -----END PGP SIGNATURE-----

BIN
sdk_container/src/third_party/portage-stable/metadata/glsa/Manifest.files.gz vendored
View File

Binary file not shown.

47
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202501-01.xml vendored Normal file
View File

@ -0,0 +1,47 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202501-01">
<title>rsync: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in rsync, the worst of which could lead to arbitrary code execution.</synopsis>
<product type="ebuild">rsync</product>
<announced>2025-01-15</announced>
<revised count="1">2025-01-15</revised>
<bug>948106</bug>
<access>remote</access>
<affected>
<package name="net-misc/rsync" auto="yes" arch="*">
<unaffected range="ge">3.3.0-r2</unaffected>
<vulnerable range="lt">3.3.0-r2</vulnerable>
</package>
</affected>
<background>
<p>rsync is a server and client utility that provides fast incremental file transfers. It is used to efficiently synchronize files between hosts and is used by emerge to fetch Gentoo&#39;s Portage tree.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in rsync. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="high">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All rsync users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/rsync-3.3.0-r2"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-12084">CVE-2024-12084</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-12085">CVE-2024-12085</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-12086">CVE-2024-12086</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-12087">CVE-2024-12087</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-12088">CVE-2024-12088</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-12747">CVE-2024-12747</uri>
</references>
<metadata tag="requester" timestamp="2025-01-15T17:18:08.215935Z">sam</metadata>
<metadata tag="submitter" timestamp="2025-01-15T17:18:08.218034Z">sam</metadata>
</glsa>

49
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202501-02.xml vendored Normal file
View File

@ -0,0 +1,49 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202501-02">
<title>GIMP: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in GIMP, the worst of which can lead to arbitrary code execution.</synopsis>
<product type="ebuild">gimp</product>
<announced>2025-01-17</announced>
<revised count="2">2025-01-18</revised>
<bug>845402</bug>
<bug>856283</bug>
<bug>917406</bug>
<access>remote</access>
<affected>
<package name="media-gfx/gimp" auto="yes" arch="*">
<unaffected range="ge">2.10.36</unaffected>
<vulnerable range="lt">2.10.36</vulnerable>
</package>
</affected>
<background>
<p>GIMP is the GNU Image Manipulation Program. XCF is the native image file format used by GIMP.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in GIMP. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="high">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All GIMP users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-gfx/gimp-2.10.36"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-30067">CVE-2022-30067</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-32990">CVE-2022-32990</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-44441">CVE-2023-44441</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-44442">CVE-2023-44442</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-44443">CVE-2023-44443</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-44444">CVE-2023-44444</uri>
</references>
<metadata tag="requester" timestamp="2025-01-17T07:05:31.622583Z">graaff</metadata>
<metadata tag="submitter" timestamp="2025-01-17T07:05:31.625362Z">graaff</metadata>
</glsa>

42
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202501-03.xml vendored Normal file
View File

@ -0,0 +1,42 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202501-03">
<title>pip: arbitrary configuration injection</title>
<synopsis>A vulnerability has been discovered in pip, which could lead to arbitrary configuration options being injected.</synopsis>
<product type="ebuild">pip</product>
<announced>2025-01-17</announced>
<revised count="1">2025-01-17</revised>
<bug>918427</bug>
<access>local</access>
<affected>
<package name="dev-python/pip" auto="yes" arch="*">
<unaffected range="ge">23.3</unaffected>
<vulnerable range="lt">23.3</vulnerable>
</package>
</affected>
<background>
<p>pip is a tool for installing and managing Python packages.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in pip. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="normal">
<p>When installing a package from a Mercurial VCS URL (ie &#34;pip install hg+...&#34;), the specified Mercurial revision could be used to inject arbitrary configuration options to the &#34;hg clone&#34; call (ie &#34;--config&#34;). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren&#39;t installing from Mercurial.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All pip users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-python/pip-23.3"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5752">CVE-2023-5752</uri>
</references>
<metadata tag="requester" timestamp="2025-01-17T07:08:02.410954Z">graaff</metadata>
<metadata tag="submitter" timestamp="2025-01-17T07:08:02.413296Z">graaff</metadata>
</glsa>

43
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202501-04.xml vendored Normal file
View File

@ -0,0 +1,43 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202501-04">
<title>Yubico pam-u2f: Partial Authentication Bypass</title>
<synopsis>A vulnerability has been discovered in Yubico pam-u2f, which can lead to a partial authentication bypass.</synopsis>
<product type="ebuild">pam_u2f</product>
<announced>2025-01-23</announced>
<revised count="1">2025-01-23</revised>
<bug>948201</bug>
<access>local</access>
<affected>
<package name="sys-auth/pam_u2f" auto="yes" arch="*">
<unaffected range="ge">1.3.2</unaffected>
<vulnerable range="lt">1.3.2</vulnerable>
</package>
</affected>
<background>
<p>Yubico pam-u2f is a PAM module for FIDO2 and U2F keys.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Yubico pam-u2f. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="high">
<p>Depending on specific settings and usage scenarios the result of the pam-u2f module may be altered or ignored.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Yubico pam-u2f users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-auth/pam_u2f-1.3.2"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-23013">CVE-2025-23013</uri>
<uri link="https://www.yubico.com/support/security-advisories/YSA-2025-01">YSA-2025-01</uri>
</references>
<metadata tag="requester" timestamp="2025-01-23T06:15:02.537459Z">graaff</metadata>
<metadata tag="submitter" timestamp="2025-01-23T06:15:02.541001Z">graaff</metadata>
</glsa>

42
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202501-05.xml vendored Normal file
View File

@ -0,0 +1,42 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202501-05">
<title>libuv: Hostname Truncation</title>
<synopsis>A vulnerability has been discovered in libuv, where hostname truncation can lead to attacker-controlled lookups.</synopsis>
<product type="ebuild">libuv</product>
<announced>2025-01-23</announced>
<revised count="1">2025-01-23</revised>
<bug>924127</bug>
<access>remote</access>
<affected>
<package name="dev-libs/libuv" auto="yes" arch="*">
<unaffected range="ge">1.48.0</unaffected>
<vulnerable range="lt">1.48.0</vulnerable>
</package>
</affected>
<background>
<p>libuv is a multi-platform support library with a focus on asynchronous I/O.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in libuv. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="normal">
<p>The uv_getaddrinfo function in src/unix/getaddrinfo.c truncates hostnames to 256 characters before calling getaddrinfo. This behavior can be exploited to create addresses like 0x00007f000001, which are considered valid by getaddrinfo and could allow an attacker to craft payloads that resolve to unintended IP addresses, bypassing developer checks.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All libuv users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/libuv-1.48.0"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-24806">CVE-2024-24806</uri>
</references>
<metadata tag="requester" timestamp="2025-01-23T06:16:58.811764Z">graaff</metadata>
<metadata tag="submitter" timestamp="2025-01-23T06:16:58.815474Z">graaff</metadata>
</glsa>

47
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202501-06.xml vendored Normal file
View File

@ -0,0 +1,47 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202501-06">
<title>GPL Ghostscript: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in GPL Ghostscript, the worst of which could lead to arbitrary code execution.</synopsis>
<product type="ebuild">ghostscript-gpl</product>
<announced>2025-01-23</announced>
<revised count="1">2025-01-23</revised>
<bug>942639</bug>
<access>remote</access>
<affected>
<package name="app-text/ghostscript-gpl" auto="yes" arch="*">
<unaffected range="ge">10.04.0</unaffected>
<vulnerable range="lt">10.04.0</vulnerable>
</package>
</affected>
<background>
<p>Ghostscript is an interpreter for the PostScript language and for PDF.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in GPL Ghostscript. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="high">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All GPL Ghostscript users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/ghostscript-gpl-10.04.0"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-46951">CVE-2024-46951</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-46952">CVE-2024-46952</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-46953">CVE-2024-46953</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-46954">CVE-2024-46954</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-46955">CVE-2024-46955</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-46956">CVE-2024-46956</uri>
</references>
<metadata tag="requester" timestamp="2025-01-23T06:18:34.082233Z">graaff</metadata>
<metadata tag="submitter" timestamp="2025-01-23T06:18:34.085244Z">graaff</metadata>
</glsa>

45
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202501-07.xml vendored Normal file
View File

@ -0,0 +1,45 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202501-07">
<title>libgsf: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in libgsf, the worst of which can lead to arbitrary code execution.</synopsis>
<product type="ebuild">libgsf</product>
<announced>2025-01-23</announced>
<revised count="1">2025-01-23</revised>
<bug>940777</bug>
<access>remote</access>
<affected>
<package name="gnome-extra/libgsf" auto="yes" arch="*">
<unaffected range="ge">1.14.53</unaffected>
<vulnerable range="lt">1.14.53</vulnerable>
</package>
</affected>
<background>
<p>The GNOME Structured File Library is an I/O library that can read and write common file types and handle structured formats that provide file-system-in-a-file semantics.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in libgsf. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="high">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All libgsf users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=gnome-extra/libgsf-1.14.53"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-36474">CVE-2024-36474</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-42415">CVE-2024-42415</uri>
<uri>TALOS-2024-2068</uri>
<uri>TALOS-2024-2069</uri>
</references>
<metadata tag="requester" timestamp="2025-01-23T06:25:02.419159Z">graaff</metadata>
<metadata tag="submitter" timestamp="2025-01-23T06:25:02.421783Z">graaff</metadata>
</glsa>

48
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202501-08.xml vendored Normal file
View File

@ -0,0 +1,48 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202501-08">
<title>Qt: Buffer Overflow</title>
<synopsis>A vulnerability has been discovered in Qt, where a buffer overflow can lead to denial of service.</synopsis>
<product type="ebuild">qtbase,qtcore</product>
<announced>2025-01-23</announced>
<revised count="1">2025-01-23</revised>
<bug>911790</bug>
<access>local</access>
<affected>
<package name="dev-qt/qtbase" auto="yes" arch="*">
<unaffected range="ge">6.5.2</unaffected>
<vulnerable range="lt">6.5.2</vulnerable>
</package>
<package name="dev-qt/qtcore" auto="yes" arch="*">
<unaffected range="ge">5.15.10-r1</unaffected>
<vulnerable range="lt">5.15.10-r1</vulnerable>
</package>
</affected>
<background>
<p>Qt is a cross-platform application development framework.</p>
</background>
<description>
<p>When given specifically crafted data then QXmlStreamReader can end up causing a buffer overflow and subsequently a crash or freeze or get out of memory on recursive entity expansion, with DTD tokens in XML body.</p>
</description>
<impact type="normal">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Qt users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-qt/qtcore-5.15.10-r1"
# emerge --ask --oneshot --verbose ">=dev-qt/qtbase-6.5.2"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-37369">CVE-2023-37369</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-38197">CVE-2023-38197</uri>
</references>
<metadata tag="requester" timestamp="2025-01-23T07:21:01.913237Z">graaff</metadata>
<metadata tag="submitter" timestamp="2025-01-23T07:21:01.915567Z">graaff</metadata>
</glsa>

134
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202501-09.xml vendored Normal file
View File

@ -0,0 +1,134 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202501-09">
<title>QtWebEngine: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in QtWebEngine, the worst of which could lead to arbitrary code execution.</synopsis>
<product type="ebuild">qtwebengine</product>
<announced>2025-01-23</announced>
<revised count="1">2025-01-23</revised>
<bug>944807</bug>
<access>remote</access>
<affected>
<package name="dev-qt/qtwebengine" auto="yes" arch="*">
<unaffected range="ge">5.15.16_p20241115</unaffected>
<vulnerable range="lt">5.15.16_p20241115</vulnerable>
</package>
</affected>
<background>
<p>QtWebEngine is a library for rendering dynamic web content in Qt5 and Qt6 C++ and QML applications.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in QtWebEngine. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="high">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All QtWebEngine users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-qt/qtwebengine-5.15.16_p20241115"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-4058">CVE-2024-4058</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-4059">CVE-2024-4059</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-4060">CVE-2024-4060</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-4558">CVE-2024-4558</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-4559">CVE-2024-4559</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-4761">CVE-2024-4761</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5157">CVE-2024-5157</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5158">CVE-2024-5158</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5159">CVE-2024-5159</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5160">CVE-2024-5160</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5830">CVE-2024-5830</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5831">CVE-2024-5831</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5832">CVE-2024-5832</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5833">CVE-2024-5833</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5834">CVE-2024-5834</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5835">CVE-2024-5835</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5836">CVE-2024-5836</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5837">CVE-2024-5837</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5838">CVE-2024-5838</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5839">CVE-2024-5839</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5840">CVE-2024-5840</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5841">CVE-2024-5841</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5842">CVE-2024-5842</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5843">CVE-2024-5843</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5844">CVE-2024-5844</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5845">CVE-2024-5845</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5846">CVE-2024-5846</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-5847">CVE-2024-5847</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-6290">CVE-2024-6290</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-6291">CVE-2024-6291</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-6292">CVE-2024-6292</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-6293">CVE-2024-6293</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-6988">CVE-2024-6988</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-6989">CVE-2024-6989</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-6991">CVE-2024-6991</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-6994">CVE-2024-6994</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-6995">CVE-2024-6995</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-6996">CVE-2024-6996</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-6997">CVE-2024-6997</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-6998">CVE-2024-6998</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-6999">CVE-2024-6999</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7000">CVE-2024-7000</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7001">CVE-2024-7001</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7003">CVE-2024-7003</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7004">CVE-2024-7004</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7005">CVE-2024-7005</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7532">CVE-2024-7532</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7533">CVE-2024-7533</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7534">CVE-2024-7534</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7535">CVE-2024-7535</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7536">CVE-2024-7536</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7550">CVE-2024-7550</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7964">CVE-2024-7964</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7965">CVE-2024-7965</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7966">CVE-2024-7966</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7967">CVE-2024-7967</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7968">CVE-2024-7968</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7969">CVE-2024-7969</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7971">CVE-2024-7971</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7972">CVE-2024-7972</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7973">CVE-2024-7973</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7974">CVE-2024-7974</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7975">CVE-2024-7975</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7976">CVE-2024-7976</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7977">CVE-2024-7977</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7978">CVE-2024-7978</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7979">CVE-2024-7979</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7980">CVE-2024-7980</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7981">CVE-2024-7981</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-8033">CVE-2024-8033</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-8034">CVE-2024-8034</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-8035">CVE-2024-8035</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-8193">CVE-2024-8193</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-8194">CVE-2024-8194</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-8198">CVE-2024-8198</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-8636">CVE-2024-8636</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-8637">CVE-2024-8637</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-8638">CVE-2024-8638</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-8639">CVE-2024-8639</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-9120">CVE-2024-9120</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-9121">CVE-2024-9121</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-9122">CVE-2024-9122</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-9123">CVE-2024-9123</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-9602">CVE-2024-9602</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-9603">CVE-2024-9603</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-10229">CVE-2024-10229</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-10230">CVE-2024-10230</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-10231">CVE-2024-10231</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-10826">CVE-2024-10826</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-10827">CVE-2024-10827</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-45490">CVE-2024-45490</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-45491">CVE-2024-45491</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-45492">CVE-2024-45492</uri>
</references>
<metadata tag="requester" timestamp="2025-01-23T07:22:20.140856Z">graaff</metadata>
<metadata tag="submitter" timestamp="2025-01-23T07:22:20.142818Z">graaff</metadata>
</glsa>

104
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202501-10.xml vendored Normal file
View File

@ -0,0 +1,104 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202501-10">
<title>Mozilla Firefox: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which can lead to arbitrary code execution.</synopsis>
<product type="ebuild">firefox,firefox-bin</product>
<announced>2025-01-23</announced>
<revised count="1">2025-01-23</revised>
<bug>942469</bug>
<bug>945050</bug>
<bug>948113</bug>
<access>remote</access>
<affected>
<package name="www-client/firefox" auto="yes" arch="*">
<unaffected range="ge" slot="rapid">134.0</unaffected>
<unaffected range="ge" slot="esr">128.6.0</unaffected>
<vulnerable range="lt" slot="rapid">134.0</vulnerable>
<vulnerable range="lt" slot="esr">128.6.0</vulnerable>
</package>
<package name="www-client/firefox-bin" auto="yes" arch="*">
<unaffected range="ge" slot="rapid">134.0</unaffected>
<unaffected range="ge" slot="esr">128.6.0</unaffected>
<vulnerable range="lt" slot="rapid">134.0</vulnerable>
<vulnerable range="lt" slot="esr">128.6.0</vulnerable>
</package>
</affected>
<background>
<p>Mozilla Firefox is a popular open-source web browser from the Mozilla project.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Mozilla Firefox. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="high">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Mozilla Firefox users should upgrade to the latest version in their release channel:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/firefox-bin-134.0:rapid"
# emerge --ask --oneshot --verbose ">=www-client/firefox-bin-128.6.0:esr"
</code>
<p>All Mozilla Firefox users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/firefox-134.0:rapid"
# emerge --ask --oneshot --verbose ">=www-client/firefox-128.6.0:esr"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-10458">CVE-2024-10458</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-10459">CVE-2024-10459</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-10460">CVE-2024-10460</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-10461">CVE-2024-10461</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-10462">CVE-2024-10462</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-10463">CVE-2024-10463</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-10464">CVE-2024-10464</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-10465">CVE-2024-10465</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-10466">CVE-2024-10466</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-10467">CVE-2024-10467</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-10468">CVE-2024-10468</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-11692">CVE-2024-11692</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-11694">CVE-2024-11694</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-11695">CVE-2024-11695</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-11696">CVE-2024-11696</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-11697">CVE-2024-11697</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-11699">CVE-2024-11699</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-11700">CVE-2024-11700</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-11701">CVE-2024-11701</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-11704">CVE-2024-11704</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-11705">CVE-2024-11705</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-11706">CVE-2024-11706</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-11708">CVE-2024-11708</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-0237">CVE-2025-0237</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-0238">CVE-2025-0238</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-0239">CVE-2025-0239</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-0240">CVE-2025-0240</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-0241">CVE-2025-0241</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-0242">CVE-2025-0242</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-0243">CVE-2025-0243</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-0247">CVE-2025-0247</uri>
<uri>MFSA2024-55</uri>
<uri>MFSA2024-56</uri>
<uri>MFSA2024-57</uri>
<uri>MFSA2024-58</uri>
<uri>MFSA2024-59</uri>
<uri>MFSA2024-63</uri>
<uri>MFSA2024-64</uri>
<uri>MFSA2024-65</uri>
<uri>MFSA2024-67</uri>
<uri>MFSA2024-68</uri>
<uri>MFSA2025-01</uri>
<uri>MFSA2025-02</uri>
<uri>MFSA2025-05</uri>
</references>
<metadata tag="requester" timestamp="2025-01-23T07:24:25.583285Z">graaff</metadata>
<metadata tag="submitter" timestamp="2025-01-23T07:24:25.586463Z">graaff</metadata>
</glsa>

54
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202501-11.xml vendored Normal file
View File

@ -0,0 +1,54 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202501-11">
<title>PHP: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in PHP, the worst of which could lead to arbitrary code execution.</synopsis>
<product type="ebuild">php</product>
<announced>2025-01-23</announced>
<revised count="1">2025-01-23</revised>
<bug>941598</bug>
<access>remote</access>
<affected>
<package name="dev-lang/php" auto="yes" arch="*">
<unaffected range="ge" slot="8.2">8.2.24</unaffected>
<unaffected range="ge" slot="8.3">8.3.12</unaffected>
<vulnerable range="lt" slot="8.2">8.2.24</vulnerable>
<vulnerable range="lt" slot="8.3">8.3.12</vulnerable>
<vulnerable range="lt" slot="8.1">8.1.30</vulnerable>
</package>
</affected>
<background>
<p>PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in PHP. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="high">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All PHP users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/php-8.2.24:8.2"
# emerge --ask --oneshot --verbose ">=dev-lang/php-8.3.12:8.3"
</code>
<p>Gentoo has discontinued support for php 8.1:</p>
<code>
# emerge --ask --verbose --depclean "dev-lang/php:8.1"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-8925">CVE-2024-8925</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-8927">CVE-2024-8927</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-9026">CVE-2024-9026</uri>
</references>
<metadata tag="requester" timestamp="2025-01-23T07:26:35.892309Z">graaff</metadata>
<metadata tag="submitter" timestamp="2025-01-23T07:26:35.894806Z">graaff</metadata>
</glsa>

2
sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk vendored
View File

@ -1 +1 @@
Wed, 01 Jan 2025 06:40:39 +0000 Sat, 01 Feb 2025 06:42:03 +0000

2
sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.commit vendored
View File

@ -1 +1 @@
75999cf3645e45cf60bdeaf1621c235c071cf08b 1734174153 2024-12-14T11:02:33Z 681de9cd0cd49ec8f318f71af0c5917f69f302d8 1737617238 2025-01-23T07:27:18Z