Merge pull request #1814 from flatcar/buildbot/monthly-glsa-metadata-updates-2024-04-01

Monthly GLSA metadata 2024-04-01
Dongsu Park 2024-04-11 14:51:34 +02:00 committed by GitHub
commit 6dc0cd0786
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
44 changed files with 1997 additions and 25 deletions


@ -1,23 +1,23 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
MANIFEST Manifest.files.gz 563604 BLAKE2B d497f4e02c0349649ea1fd84297af45ff253c185da14e6dba30f010f40d1ab86fdeb750087d23d7e892d4b2a6c45bb36baacd75348d2a50c0dc3c70213c1836e SHA512 c8b2f6bb87969de216a6075f22dc589f34d03bc0cd503b9bbedb9672f2aa19209f4d1236cd3f9aaf54428705e66f266c37a1f0bdb30c6fdae78df87761e4d8da
TIMESTAMP 2024-02-01T06:41:25Z
MANIFEST Manifest.files.gz 569494 BLAKE2B 475196fd0ff28d6023f45e6c22284bded2028bbe891778e3828fb75c3727438168bcd5ab63fe48683bb5874710c096e12470eee93163ae90c07d1f9d79810710 SHA512 94822c7f83b3b68b28e1885c442c2d9b5794eb5f861b8a0862162601a2c2b03cdc2bb6144d8b4a1d61befedf2ff1952e540c518e34c7f15ff5af14b7dc567fcb
TIMESTAMP 2024-04-01T06:40:39Z
-----BEGIN PGP SIGNATURE-----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=EZVX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=BHZC
-----END PGP SIGNATURE-----


@ -5,7 +5,7 @@
<synopsis>Multiple vulnerabilities have been discovered in the GNU C Library, the worst of which could result in denial of service.</synopsis>
<product type="ebuild">glibc</product>
<announced>2022-08-14</announced>
<revised count="1">2022-08-14</revised>
<revised count="2">2024-02-18</revised>
<bug>803437</bug>
<bug>807935</bug>
<bug>831096</bug>
@ -13,8 +13,8 @@
<access>remote</access>
<affected>
<package name="sys-libs/glibc" auto="yes" arch="*">
<unaffected range="ge">2.34</unaffected>
<vulnerable range="lt">2.34</vulnerable>
<unaffected range="ge">2.34-r7</unaffected>
<vulnerable range="lt">2.34-r7</vulnerable>
</package>
</affected>
<background>


@ -5,7 +5,7 @@
<synopsis>Multiple vulnerabilities have been discovered in systemd, the worst of which could result in denial of service.</synopsis>
<product type="ebuild">systemd,systemd-tmpfiles,systemd-utils,udev</product>
<announced>2023-05-03</announced>
<revised count="1">2023-05-03</revised>
<revised count="2">2024-02-11</revised>
<bug>880547</bug>
<bug>830967</bug>
<access>remote</access>
@ -15,14 +15,14 @@
<vulnerable range="lt">251.3</vulnerable>
</package>
<package name="sys-apps/systemd-tmpfiles" auto="yes" arch="*">
<vulnerable range="lt">250</vulnerable>
<vulnerable range="le">250</vulnerable>
</package>
<package name="sys-apps/systemd-utils" auto="yes" arch="*">
<unaffected range="ge">251.3</unaffected>
<vulnerable range="lt">251.3</vulnerable>
</package>
<package name="sys-fs/udev" auto="yes" arch="*">
<vulnerable range="lt">250</vulnerable>
<vulnerable range="le">250</vulnerable>
</package>
</affected>
<background>


@ -8,6 +8,7 @@
<revised count="1">2024-01-31</revised>
<bug>915222</bug>
<bug>918667</bug>
<bug>920667</bug>
<access>remote</access>
<affected>
<package name="net-libs/webkit-gtk" auto="yes" arch="*">


@ -0,0 +1,49 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202402-01">
<title>glibc: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities in glibc could result in Local Privilege Escalation.</synopsis>
<product type="ebuild">glibc</product>
<announced>2024-02-02</announced>
<revised count="1">2024-02-02</revised>
<bug>918412</bug>
<bug>923352</bug>
<access>local and remote</access>
<affected>
<package name="sys-libs/glibc" auto="yes" arch="*">
<unaffected range="ge">2.38-r10</unaffected>
<vulnerable range="lt">2.38-r10</vulnerable>
</package>
</affected>
<background>
<p>glibc is a package that contains the GNU C library.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in glibc. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="high">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All glibc users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-libs/glibc-2.38-r10"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5156">CVE-2023-5156</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6246">CVE-2023-6246</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6779">CVE-2023-6779</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6780">CVE-2023-6780</uri>
<uri>GLIBC-SA-2024-0001</uri>
<uri>GLIBC-SA-2024-0002</uri>
<uri>GLIBC-SA-2024-0003</uri>
</references>
<metadata tag="requester" timestamp="2024-02-02T03:02:44.468870Z">sam</metadata>
<metadata tag="submitter" timestamp="2024-02-02T03:02:44.472185Z">sam</metadata>
</glsa>
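Review bot: The second line of this new file, `<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">`, references an external DTD over plain http, and the same declaration heads every other GLSA file added in this commit (202402-02 through 202402-14), while nothing in the commit shows how the Flatcar side parses them. Whichever tool consumes these files should load them with DTD processing and external entity resolution disabled, so that the DTD URL is never fetched at parse time and a DOCTYPE smuggled into a future monthly sync could not be used for entity expansion or file/URL access. The declaration is part of the upstream Gentoo format, so the fix belongs in the consumer's parser configuration rather than in these vendored files; the signed Manifest in this commit presumably serves as the integrity check on the sync, which is worth confirming in the import script.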


@ -0,0 +1,53 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202402-02">
<title>SDDM: Privilege Escalation</title>
<synopsis>A vulnerability has been discovered in SDDM which can lead to privilege escalation.</synopsis>
<product type="ebuild">sddm</product>
<announced>2024-02-03</announced>
<revised count="1">2024-02-03</revised>
<bug>753104</bug>
<access>local</access>
<affected>
<package name="x11-misc/sddm" auto="yes" arch="*">
<unaffected range="ge">0.18.1-r6</unaffected>
<vulnerable range="lt">0.18.1-r6</vulnerable>
</package>
</affected>
<background>
<p>SDDM is a modern display manager for X11 and Wayland sessions aiming to be fast, simple and beautiful. It uses modern technologies like QtQuick, which in turn gives the designer the ability to create smooth, animated user interfaces.</p>
</background>
<description>
<p>A vulnerability has been discovered in SDDM. Please review the CVE identifier referenced below for details.</p>
</description>
<impact type="normal">
<p>SDDM passes the -auth and -displayfd command line arguments when
starting the Xserver. It then waits for the display number to be
received from the Xserver via the `displayfd`, before the Xauthority
file specified via the `-auth` parameter is actually written. This
results in a race condition, creating a time window in which no valid
Xauthority file is existing while the Xserver is already running.
The X.Org server, when encountering a non-existing, empty or
corrupt/incomplete Xauthority file, will grant any connecting client
access to the Xorg display. A local unprivileged attacker can thus
create an unauthorized connection to the Xserver and grab e.g. keyboard
input events from other legitimate users accessing the Xserver.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All SDDM users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=x11-misc/sddm-0.18.1-r6"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-28049">CVE-2020-28049</uri>
</references>
<metadata tag="requester" timestamp="2024-02-03T06:18:59.426090Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-02-03T06:18:59.429353Z">ajak</metadata>
</glsa>


@ -0,0 +1,44 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202402-03">
<title>QtGui: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in QtGui which can lead to remote code execution.</synopsis>
<product type="ebuild">qtgui</product>
<announced>2024-02-03</announced>
<revised count="1">2024-02-03</revised>
<bug>808531</bug>
<bug>907119</bug>
<access>remote</access>
<affected>
<package name="dev-qt/qtgui" auto="yes" arch="*">
<unaffected range="ge">5.15.9-r1</unaffected>
<vulnerable range="lt">5.15.9-r1</vulnerable>
</package>
</affected>
<background>
<p>QtGui is a module for the Qt toolkit.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in QtGui. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="normal">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All QtGui users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-qt/qtgui-5.15.9-r1"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-38593">CVE-2021-38593</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-32763">CVE-2023-32763</uri>
</references>
<metadata tag="requester" timestamp="2024-02-03T06:19:26.894264Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-02-03T06:19:26.896389Z">ajak</metadata>
</glsa>


@ -0,0 +1,40 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202402-04">
<title>GNAT Ada Suite: Remote Code Execution</title>
<synopsis>A vulnerability has been discovered in GNAT Ada Suite which can lead to remote code execution.</synopsis>
<product type="ebuild">gnat-suite-bin</product>
<announced>2024-02-03</announced>
<revised count="2">2024-02-11</revised>
<bug>787440</bug>
<access>remote</access>
<affected>
<package name="dev-ada/gnat-suite-bin" auto="yes" arch="*">
<vulnerable range="le">2019-r2</vulnerable>
</package>
</affected>
<background>
<p>The GNAT Ada Suite is an Ada development environment.</p>
</background>
<description>
<p>A vulnerability has been discovered in GNAT Ada Suite. Please review the CVE identifier referenced below for details.</p>
</description>
<impact type="high">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>Gentoo has discontinued support for GNAT Ada Suite. We recommend that users unmerge it:</p>
<code>
# emerge --ask --depclean "dev-ada/gnat-suite-bin"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-27619">CVE-2020-27619</uri>
</references>
<metadata tag="requester" timestamp="2024-02-03T06:20:11.020220Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-02-03T06:20:11.022709Z">ajak</metadata>
</glsa>


@ -0,0 +1,60 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202402-05">
<title>Microsoft Edge: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in Microsoft Edge, the worst of which could lead to remote code execution.</synopsis>
<product type="ebuild">microsoft-edge</product>
<announced>2024-02-03</announced>
<revised count="1">2024-02-03</revised>
<bug>907817</bug>
<bug>908518</bug>
<bug>918586</bug>
<bug>919495</bug>
<access>remote</access>
<affected>
<package name="www-client/microsoft-edge" auto="yes" arch="*">
<unaffected range="ge">120.0.2210.61</unaffected>
<vulnerable range="lt">120.0.2210.61</vulnerable>
</package>
</affected>
<background>
<p>Microsoft Edge is a browser that combines a minimal design with sophisticated technology to make the web faster, safer, and easier.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Microsoft Edge. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="high">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Microsoft Edge users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/microsoft-edge-120.0.2210.61"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-29345">CVE-2023-29345</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-33143">CVE-2023-33143</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-33145">CVE-2023-33145</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-35618">CVE-2023-35618</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-36022">CVE-2023-36022</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-36029">CVE-2023-36029</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-36034">CVE-2023-36034</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-36409">CVE-2023-36409</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-36559">CVE-2023-36559</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-36562">CVE-2023-36562</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-36727">CVE-2023-36727</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-36735">CVE-2023-36735</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-36741">CVE-2023-36741</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-36787">CVE-2023-36787</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-36880">CVE-2023-36880</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-38174">CVE-2023-38174</uri>
</references>
<metadata tag="requester" timestamp="2024-02-03T08:00:41.979777Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-02-03T08:00:41.982534Z">graaff</metadata>
</glsa>


@ -0,0 +1,46 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202402-06">
<title>FreeType: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in FreeType, the worst of which can lead to remote code execution.</synopsis>
<product type="ebuild">freetype</product>
<announced>2024-02-03</announced>
<revised count="1">2024-02-03</revised>
<bug>840224</bug>
<bug>881443</bug>
<access>local and remote</access>
<affected>
<package name="media-libs/freetype" auto="yes" arch="*">
<unaffected range="ge">2.13.0</unaffected>
<vulnerable range="lt">2.13.0</vulnerable>
</package>
</affected>
<background>
<p>FreeType is a high-quality and portable font engine.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in FreeType. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="normal">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All FreeType users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/freetype-2.13.0"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-27404">CVE-2022-27404</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-27405">CVE-2022-27405</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-27406">CVE-2022-27406</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-2004">CVE-2023-2004</uri>
</references>
<metadata tag="requester" timestamp="2024-02-03T08:57:48.987312Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-02-03T08:57:48.989733Z">graaff</metadata>
</glsa>


@ -0,0 +1,112 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202402-07">
<title>Xen: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Xen, the worst of which can lead to arbitrary code execution.</synopsis>
<product type="ebuild">xen</product>
<announced>2024-02-04</announced>
<revised count="1">2024-02-04</revised>
<bug>754105</bug>
<bug>757126</bug>
<bug>826998</bug>
<bug>837575</bug>
<bug>858122</bug>
<bug>876790</bug>
<bug>879031</bug>
<bug>903624</bug>
<bug>905389</bug>
<bug>915970</bug>
<access>remote</access>
<affected>
<package name="app-emulation/xen" auto="yes" arch="*">
<unaffected range="ge">4.16.6_pre1</unaffected>
<vulnerable range="lt">4.16.6_pre1</vulnerable>
</package>
</affected>
<background>
<p>Xen is a bare-metal hypervisor.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Xen. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="high">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Xen users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-emulation/xen-4.16.6_pre1"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-28703">CVE-2021-28703</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-28704">CVE-2021-28704</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-28705">CVE-2021-28705</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-28706">CVE-2021-28706</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-28707">CVE-2021-28707</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-28708">CVE-2021-28708</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-28709">CVE-2021-28709</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-23816">CVE-2022-23816</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-23824">CVE-2022-23824</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-23825">CVE-2022-23825</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-26356">CVE-2022-26356</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-26357">CVE-2022-26357</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-26358">CVE-2022-26358</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-26359">CVE-2022-26359</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-26360">CVE-2022-26360</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-26361">CVE-2022-26361</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-27672">CVE-2022-27672</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-29900">CVE-2022-29900</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-29901">CVE-2022-29901</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-33746">CVE-2022-33746</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-33747">CVE-2022-33747</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-33748">CVE-2022-33748</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-33749">CVE-2022-33749</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-42309">CVE-2022-42309</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-42310">CVE-2022-42310</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-42319">CVE-2022-42319</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-42320">CVE-2022-42320</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-42321">CVE-2022-42321</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-42322">CVE-2022-42322</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-42323">CVE-2022-42323</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-42324">CVE-2022-42324</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-42325">CVE-2022-42325</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-42326">CVE-2022-42326</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-42327">CVE-2022-42327</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-42330">CVE-2022-42330</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-42331">CVE-2022-42331</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-42332">CVE-2022-42332</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-42333">CVE-2022-42333</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-42334">CVE-2022-42334</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-42335">CVE-2022-42335</uri>
<uri>XSA-351</uri>
<uri>XSA-355</uri>
<uri>XSA-385</uri>
<uri>XSA-387</uri>
<uri>XSA-388</uri>
<uri>XSA-389</uri>
<uri>XSA-397</uri>
<uri>XSA-399</uri>
<uri>XSA-400</uri>
<uri>XSA-407</uri>
<uri>XSA-412</uri>
<uri>XSA-414</uri>
<uri>XSA-415</uri>
<uri>XSA-416</uri>
<uri>XSA-417</uri>
<uri>XSA-418</uri>
<uri>XSA-419</uri>
<uri>XSA-420</uri>
<uri>XSA-421</uri>
<uri>XSA-422</uri>
<uri>XSA-425</uri>
<uri>XSA-430</uri>
</references>
<metadata tag="requester" timestamp="2024-02-04T07:16:20.846105Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-02-04T07:16:20.848211Z">graaff</metadata>
</glsa>


@ -0,0 +1,63 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202402-08">
<title>OpenSSL: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in OpenSSL, the worst of which could result in denial of service.</synopsis>
<product type="ebuild">openssl</product>
<announced>2024-02-04</announced>
<revised count="1">2024-02-04</revised>
<bug>876787</bug>
<bug>893446</bug>
<bug>902779</bug>
<bug>903545</bug>
<bug>907413</bug>
<bug>910556</bug>
<bug>911560</bug>
<access>remote</access>
<affected>
<package name="dev-libs/openssl" auto="yes" arch="*">
<unaffected range="ge">3.0.10</unaffected>
<vulnerable range="lt">3.0.10</vulnerable>
</package>
</affected>
<background>
<p>OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general purpose cryptography library.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in OpenSSL. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="normal">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All OpenSSL users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/openssl-3.0.10"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3358">CVE-2022-3358</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-4203">CVE-2022-4203</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-4304">CVE-2022-4304</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-4450">CVE-2022-4450</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-0215">CVE-2023-0215</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-0216">CVE-2023-0216</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-0217">CVE-2023-0217</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-0286">CVE-2023-0286</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-0401">CVE-2023-0401</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-0464">CVE-2023-0464</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-0465">CVE-2023-0465</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-0466">CVE-2023-0466</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-2650">CVE-2023-2650</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-2975">CVE-2023-2975</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-3446">CVE-2023-3446</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-3817">CVE-2023-3817</uri>
</references>
<metadata tag="requester" timestamp="2024-02-04T08:02:53.423975Z">ajak</metadata>
<metadata tag="submitter" timestamp="2024-02-04T08:02:53.426294Z">graaff</metadata>
</glsa>


@ -0,0 +1,46 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202402-09">
<title>Wireshark: Multiple Vulnerabilities</title>
<synopsis>Multiple out-of-bounds read vulnerabilities have been discovered in Wireshark.</synopsis>
<product type="ebuild">wireshark</product>
<announced>2024-02-04</announced>
<revised count="1">2024-02-04</revised>
<bug>915224</bug>
<bug>917421</bug>
<access>remote</access>
<affected>
<package name="net-analyzer/wireshark" auto="yes" arch="*">
<unaffected range="ge">4.0.11</unaffected>
<vulnerable range="lt">4.0.11</vulnerable>
</package>
</affected>
<background>
<p>Wireshark is a versatile network protocol analyzer.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Wireshark. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="low">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Wireshark users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-analyzer/wireshark-4.0.11"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5371">CVE-2023-5371</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6174">CVE-2023-6174</uri>
<uri>WNPA-SEC-2023-27</uri>
<uri>WNPA-SEC-2023-28</uri>
</references>
<metadata tag="requester" timestamp="2024-02-04T09:10:28.677221Z">ajak</metadata>
<metadata tag="submitter" timestamp="2024-02-04T09:10:28.679331Z">graaff</metadata>
</glsa>


@ -0,0 +1,43 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202402-10">
<title>NBD Tools: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in NBD Tools, the worst of which could result in arbitary code execution.</synopsis>
<product type="ebuild">nbd</product>
<announced>2024-02-04</announced>
<revised count="1">2024-02-04</revised>
<bug>834678</bug>
<access>remote</access>
<affected>
<package name="sys-block/nbd" auto="yes" arch="*">
<unaffected range="ge">3.24</unaffected>
<vulnerable range="lt">3.24</vulnerable>
</package>
</affected>
<background>
<p>The NBD Tools are the Network Block Device utilities allowing one to use remote block devices over a TCP/IP network. It includes a userland NBD server.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in NBD Tools. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="normal">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All NBD Tools users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-block/nbd-3.24"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-26495">CVE-2022-26495</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-26496">CVE-2022-26496</uri>
</references>
<metadata tag="requester" timestamp="2024-02-04T09:45:27.057982Z">ajak</metadata>
<metadata tag="submitter" timestamp="2024-02-04T09:45:27.060281Z">graaff</metadata>
</glsa>


@ -0,0 +1,55 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202402-11">
<title>libxml2: Multiple Vulnerabilities</title>
<synopsis>Multiple denial of service vulnerabilities have been found in libxml2.</synopsis>
<product type="ebuild">libxml2</product>
<announced>2024-02-09</announced>
<revised count="1">2024-02-09</revised>
<bug>904202</bug>
<bug>905399</bug>
<bug>915351</bug>
<bug>923806</bug>
<access>remote</access>
<affected>
<package name="dev-libs/libxml2" auto="yes" arch="*">
<unaffected range="ge">2.12.5</unaffected>
<vulnerable range="lt">2.12.5</vulnerable>
</package>
</affected>
<background>
<p>libxml2 is the XML C parser and toolkit developed for the GNOME project.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in libxml2. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="normal">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All libxml2 users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/libxml2-2.12.5"
</code>
<p>If you cannot update to libxml2-2.12 yet you can update to the latest 2.11 version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/libxml2-2.11.7 =dev-libs/libxml2-2.11*"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-28484">CVE-2023-28484</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-29469">CVE-2023-29469</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-45322">CVE-2023-45322</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-25062">CVE-2024-25062</uri>
</references>
<metadata tag="requester" timestamp="2024-02-09T09:36:35.975755Z">ajak</metadata>
<metadata tag="submitter" timestamp="2024-02-09T09:36:35.978152Z">graaff</metadata>
</glsa>


@ -0,0 +1,42 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202402-12">
<title>GNU Tar: Out of Bounds Read</title>
<synopsis>A vulnerability has been discovered in GNU Tar which may lead to an out of bounds read.</synopsis>
<product type="ebuild">tar</product>
<announced>2024-02-18</announced>
<revised count="1">2024-02-18</revised>
<bug>898176</bug>
<access>remote</access>
<affected>
<package name="app-arch/tar" auto="yes" arch="*">
<unaffected range="ge">1.34-r3</unaffected>
<vulnerable range="lt">1.34-r3</vulnerable>
</package>
</affected>
<background>
<p>The GNU Tar program provides the ability to create tar archives, as well as various other kinds of manipulation.</p>
</background>
<description>
<p>A vulnerability have been discovered in GNU Tar. Please review the CVE identifier referenced below for details.</p>
</description>
<impact type="high">
<p>GNU Tar has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The issue occurs via a V7 archive in which mtime has approximately 11 whitespace characters.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All GNU Tar users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-arch/tar-1.34-r3"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-48303">CVE-2022-48303</uri>
</references>
<metadata tag="requester" timestamp="2024-02-18T07:18:24.316864Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-02-18T07:18:24.319114Z">graaff</metadata>
</glsa>


@ -0,0 +1,40 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202402-13">
<title>TACACS+: Remote Code Execution</title>
<synopsis>A vulnerability has been discovered in TACACS+ which could lead to remote code execution.</synopsis>
<product type="ebuild">tac_plus</product>
<announced>2024-02-18</announced>
<revised count="1">2024-02-18</revised>
<bug>918536</bug>
<access>remote</access>
<affected>
<package name="net-nds/tac_plus" auto="yes" arch="*">
<vulnerable range="le">4.0.4.27a-r3</vulnerable>
</package>
</affected>
<background>
<p>An updated version of Cisco&#39;s TACACS+ server.</p>
</background>
<description>
<p>A vulnerabilitiy has been discovered in TACACS+. Please review the CVE identifier referenced below for details.</p>
</description>
<impact type="high">
<p>A lack of input validation exists in tac_plus which, when pre or post auth commands are enabled, allows an attacker who can control the username, rem-addr, or NAC address sent to tac_plus to inject shell commands and gain remote code execution on the tac_plus server.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>Gentoo has discontinued support for TACACS+. We recommend that users unmerge it:</p>
<code>
# emerge --ask --depclean "net-nds/tac_plus"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-45239">CVE-2023-45239</uri>
</references>
<metadata tag="requester" timestamp="2024-02-18T07:32:10.393499Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-02-18T07:32:10.395789Z">graaff</metadata>
</glsa>


@ -0,0 +1,69 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202402-14">
<title>QtWebEngine: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in QtWebEngine, the worst of which could lead to remote code execution.</synopsis>
<product type="ebuild">qtwebengine</product>
<announced>2024-02-18</announced>
<revised count="1">2024-02-18</revised>
<bug>922189</bug>
<access>remote</access>
<affected>
<package name="dev-qt/qtwebengine" auto="yes" arch="*">
<unaffected range="ge">5.15.12_p20240122</unaffected>
<vulnerable range="lt">5.15.12_p20240122</vulnerable>
</package>
</affected>
<background>
<p>QtWebEngine is a library for rendering dynamic web content in Qt5 and Qt6 C++ and QML applications.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in QtWebEngine. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="high">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All QtWebEngine users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-qt/qtwebengine-5.15.12_p20240122"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5997">CVE-2023-5997</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6112">CVE-2023-6112</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6345">CVE-2023-6345</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6346">CVE-2023-6346</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6347">CVE-2023-6347</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6348">CVE-2023-6348</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6350">CVE-2023-6350</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6351">CVE-2023-6351</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6508">CVE-2023-6508</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6509">CVE-2023-6509</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6510">CVE-2023-6510</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6511">CVE-2023-6511</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6512">CVE-2023-6512</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6702">CVE-2023-6702</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6703">CVE-2023-6703</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6704">CVE-2023-6704</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6705">CVE-2023-6705</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6706">CVE-2023-6706</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6707">CVE-2023-6707</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-7024">CVE-2023-7024</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0222">CVE-2024-0222</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0223">CVE-2024-0223</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0224">CVE-2024-0224</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0225">CVE-2024-0225</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0333">CVE-2024-0333</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0517">CVE-2024-0517</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0518">CVE-2024-0518</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0519">CVE-2024-0519</uri>
</references>
<metadata tag="requester" timestamp="2024-02-18T07:37:49.729326Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-02-18T07:37:49.731886Z">graaff</metadata>
</glsa>


@ -0,0 +1,42 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202402-15">
<title>e2fsprogs: Arbitrary Code Execution</title>
<synopsis>A vulnerability has been discovered in e2fsprogs which can lead to arbitrary code execution.</synopsis>
<product type="ebuild">e2fsprogs</product>
<announced>2024-02-18</announced>
<revised count="1">2024-02-18</revised>
<bug>838388</bug>
<access>local</access>
<affected>
<package name="sys-fs/e2fsprogs" auto="yes" arch="*">
<unaffected range="ge">1.46.6</unaffected>
<vulnerable range="lt">1.46.6</vulnerable>
</package>
</affected>
<background>
<p>e2fsprogs is a set of utilities for maintaining the ext2, ext3 and ext4 file systems.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in e2fsprogs. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="high">
<p>An out-of-bounds read/write vulnerability was found in e2fsprogs. This issue leads to a segmentation fault and possibly arbitrary code execution via a specially crafted filesystem.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All e2fsprogs users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-fs/e2fsprogs-1.46.6"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1304">CVE-2022-1304</uri>
</references>
<metadata tag="requester" timestamp="2024-02-18T07:59:58.426596Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-02-18T07:59:58.430463Z">graaff</metadata>
</glsa>


@ -0,0 +1,44 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202402-16">
<title>Apache Log4j: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in Apache Log4j, the worst of which can lead to remote code execution.</synopsis>
<product type="ebuild">log4j</product>
<announced>2024-02-18</announced>
<revised count="1">2024-02-18</revised>
<bug>719146</bug>
<access>remote</access>
<affected>
<package name="dev-java/log4j" auto="yes" arch="*">
<vulnerable range="le">1.2.17</vulnerable>
</package>
</affected>
<background>
<p>Log4j is a Java logging framework that supports various use cases with a rich set of components, a separate API, and a performance-optimized implementation.</p>
</background>
<description>
<p>Multiple vulnerabilities hav been discovered in Apache Log4j. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="normal">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>Gentoo has discontinued support for log4j. We recommend that users unmerge it:</p>
<code>
# emerge --ask --depclean "dev-java/log4j"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-17571">CVE-2019-17571</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-9488">CVE-2020-9488</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-9493">CVE-2020-9493</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-23302">CVE-2022-23302</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-23305">CVE-2022-23305</uri>
</references>
<metadata tag="requester" timestamp="2024-02-18T08:32:34.454522Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-02-18T08:32:34.456886Z">graaff</metadata>
</glsa>


@ -0,0 +1,48 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202402-17">
<title>CUPS: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in CUPS, the worst of which can lead to arbitrary code execution.</synopsis>
<product type="ebuild">cups</product>
<announced>2024-02-18</announced>
<revised count="1">2024-02-18</revised>
<bug>847625</bug>
<bug>907675</bug>
<bug>909018</bug>
<bug>914781</bug>
<access>local</access>
<affected>
<package name="net-print/cups" auto="yes" arch="*">
<unaffected range="ge">2.4.7</unaffected>
<vulnerable range="lt">2.4.7</vulnerable>
</package>
</affected>
<background>
<p>CUPS, the Common Unix Printing System, is a full-featured print server.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in CUPS. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="high">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All CUPS users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-print/cups-2.4.7"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-26691">CVE-2022-26691</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4504">CVE-2023-4504</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-32324">CVE-2023-32324</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-34241">CVE-2023-34241</uri>
</references>
<metadata tag="requester" timestamp="2024-02-18T08:55:48.218414Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-02-18T08:55:48.221198Z">graaff</metadata>
</glsa>


@ -0,0 +1,53 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202402-18">
<title>Exim: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in Exim, the worst of which can lead to remote code execution.</synopsis>
<product type="ebuild">exim</product>
<announced>2024-02-18</announced>
<revised count="1">2024-02-18</revised>
<bug>914923</bug>
<bug>921520</bug>
<access>remote</access>
<affected>
<package name="mail-mta/exim" auto="yes" arch="*">
<unaffected range="ge">4.97.1</unaffected>
<vulnerable range="lt">4.97.1</vulnerable>
</package>
</affected>
<background>
<p>Exim is a message transfer agent (MTA) designed to be a a highly configurable, drop-in replacement for sendmail.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Exim. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="high">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Exim users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=mail-mta/exim-4.97.1"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-42114">CVE-2023-42114</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-42115">CVE-2023-42115</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-42116">CVE-2023-42116</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-42117">CVE-2023-42117</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-42119">CVE-2023-42119</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-51766">CVE-2023-51766</uri>
<uri>ZDI-CAN-17433</uri>
<uri>ZDI-CAN-17434</uri>
<uri>ZDI-CAN-17515</uri>
<uri>ZDI-CAN-17554</uri>
<uri>ZDI-CAN-17643</uri>
</references>
<metadata tag="requester" timestamp="2024-02-18T09:29:14.312588Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-02-18T09:29:14.315063Z">graaff</metadata>
</glsa>
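Review bot: The five `<uri>ZDI-CAN-…</uri>` entries in the references block have no `link` attribute, unlike the six CVE entries above them, so any consumer that reads `@link` unconditionally will see an empty value for those references; the same shape appears with the `MFSA-2024-…` entries in the Thunderbird (202402-25) section. If the Flatcar tooling only extracts CVE identifiers from the element text this is harmless, but a `link`-based extractor should treat the attribute as optional. The file is vendored as-is, so nothing to change here beyond confirming the consumer side.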


@ -0,0 +1,42 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202402-19">
<title>libcaca: Arbitary Code Execution</title>
<synopsis>A vulnerability has been discovered in libcaca which can lead to arbitrary code execution.</synopsis>
<product type="ebuild">libcaca</product>
<announced>2024-02-18</announced>
<revised count="1">2024-02-18</revised>
<bug>772317</bug>
<access>remote</access>
<affected>
<package name="media-libs/libcaca" auto="yes" arch="*">
<unaffected range="ge">0.99_beta19-r4</unaffected>
<vulnerable range="lt">0.99_beta19-r4</vulnerable>
</package>
</affected>
<background>
<p>libcaca is a library that creates colored ASCII-art graphics.</p>
</background>
<description>
<p>A vulnerability has been discovered in libcaca. Please review the CVE identifier referenced below for details.</p>
</description>
<impact type="normal">
<p>A buffer overflow issue in caca_resize function in libcaca/caca/canvas.c may lead to local execution of arbitrary code in the user context.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All libcaca users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/libcaca-0.99_beta19-r4"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-3410">CVE-2021-3410</uri>
</references>
<metadata tag="requester" timestamp="2024-02-18T10:22:11.346423Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-02-18T10:22:11.349349Z">graaff</metadata>
</glsa>


@ -0,0 +1,45 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202402-20">
<title>Thunar: Arbitrary Code Execution</title>
<synopsis>A vulnerability has been discovered in Thunar which may lead to arbitrary code execution</synopsis>
<product type="ebuild">thunar</product>
<announced>2024-02-18</announced>
<revised count="1">2024-02-18</revised>
<bug>789396</bug>
<access>local</access>
<affected>
<package name="xfce-base/thunar" auto="yes" arch="*">
<unaffected range="ge">4.17.3</unaffected>
<vulnerable range="lt">4.17.3</vulnerable>
</package>
</affected>
<background>
<p>Thunar is a modern file manager for the Xfce Desktop Environment. Thunar has been designed from the ground up to be fast and easy to use. Its user interface is clean and intuitive and does not include any confusing or useless options by default. Thunar starts up quickly and navigating through files and folders is fast and responsive.</p>
</background>
<description>
<p>A vulnerability has been discovered in Thunar. Please review the CVE identifier referenced below for details.</p>
</description>
<impact type="normal">
<p>When called with a regular file as command line argument, Thunar
would delegate to some other program without user confirmation
based on the file type. This could be exploited to trigger code
execution in a chain of vulnerabilities.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Thunar users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=xfce-base/thunar-4.17.3"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-32563">CVE-2021-32563</uri>
</references>
<metadata tag="requester" timestamp="2024-02-18T10:48:22.149721Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-02-18T10:48:22.154139Z">graaff</metadata>
</glsa>


@ -0,0 +1,55 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202402-21">
<title>QtNetwork: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in QtNetwork, the worst of which could lead to execution of arbitrary code.</synopsis>
<product type="ebuild">qtbase,qtnetwork</product>
<announced>2024-02-18</announced>
<revised count="1">2024-02-18</revised>
<bug>907120</bug>
<bug>921292</bug>
<access>local and remote</access>
<affected>
<package name="dev-qt/qtbase" auto="yes" arch="*">
<unaffected range="ge">6.6.1-r2</unaffected>
<vulnerable range="lt">6.6.1-r2</vulnerable>
</package>
<package name="dev-qt/qtnetwork" auto="yes" arch="*">
<unaffected range="ge">5.15.12-r1</unaffected>
<vulnerable range="lt">5.15.12-r1</vulnerable>
</package>
</affected>
<background>
<p>QtNetwork provides a set of APIs for programming applications that use TCP/IP. It is part of the Qt framework.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in QtNetwork. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="high">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Qt 5 users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-qt/qtnetwork-5.15.12-r1"
</code>
<p>All Qt 6 users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-qt/qtbase-6.6.1-r2"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-32762">CVE-2023-32762</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-51714">CVE-2023-51714</uri>
</references>
<metadata tag="requester" timestamp="2024-02-18T11:07:25.578934Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-02-18T11:07:25.581712Z">graaff</metadata>
</glsa>


@ -0,0 +1,44 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202402-22">
<title>intel-microcode: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in intel-microcode, the worst of which can lead to privilege escalation.</synopsis>
<product type="ebuild">intel-microcode</product>
<announced>2024-02-19</announced>
<revised count="1">2024-02-19</revised>
<bug>832985</bug>
<bug>894474</bug>
<access>local</access>
<affected>
<package name="sys-firmware/intel-microcode" auto="yes" arch="*">
<unaffected range="ge">20230214_p20230212</unaffected>
<vulnerable range="lt">20230214_p20230212</vulnerable>
</package>
</affected>
<background>
<p>Intel IA32/IA64 microcode update data.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in NVIDIA Drivers. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="high">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All intel-microcode users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-firmware/intel-microcode-20230214_p20230212"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-0127">CVE-2021-0127</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-0146">CVE-2021-0146</uri>
</references>
<metadata tag="requester" timestamp="2024-02-19T05:57:31.402960Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-02-19T05:57:31.405318Z">ajak</metadata>
</glsa>
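Review bot: The description paragraph of this intel-microcode advisory names the wrong product: `<p>Multiple vulnerabilities have been discovered in NVIDIA Drivers. Please review the CVE identifiers referenced below for details.</p>`, while the title, synopsis, product and package elements all refer to intel-microcode, so this looks like a copy-paste leftover in the upstream advisory. The machine-readable fields (`sys-firmware/intel-microcode`, the `ge`/`lt` 20230214_p20230212 ranges and the two CVE references) are consistent, so automated matching is unaffected, but anyone reading the rendered text will be misled. The corrected line would be `<p>Multiple vulnerabilities have been discovered in intel-microcode. Please review the CVE identifiers referenced below for details.</p>`; because these files are mirrored from Gentoo and covered by the signed Manifest, the fix should be reported upstream rather than patched locally.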


@ -0,0 +1,84 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202402-23">
<title>Chromium, Google Chrome, Microsoft Edge: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in Chromium and its derivatives, the worst of which can lead to remote code execution.</synopsis>
<product type="ebuild">chromium,google-chrome,microsoft-edge</product>
<announced>2024-02-19</announced>
<revised count="1">2024-02-19</revised>
<bug>922062</bug>
<bug>922340</bug>
<bug>922903</bug>
<bug>923370</bug>
<access>remote</access>
<affected>
<package name="www-client/chromium" auto="yes" arch="*">
<unaffected range="ge">121.0.6167.139</unaffected>
<vulnerable range="lt">121.0.6167.139</vulnerable>
</package>
<package name="www-client/google-chrome" auto="yes" arch="*">
<unaffected range="ge">121.0.6167.139</unaffected>
<vulnerable range="lt">121.0.6167.139</vulnerable>
</package>
<package name="www-client/microsoft-edge" auto="yes" arch="*">
<unaffected range="ge">121.0.2277.83</unaffected>
<vulnerable range="lt">121.0.2277.83</vulnerable>
</package>
</affected>
<background>
<p>Chromium is an open-source browser project that aims to build a safer, faster, and more stable way for all users to experience the web. Google Chrome is one fast, simple, and secure browser for all your devices. Microsoft Edge is a browser that combines a minimal design with sophisticated technology to make the web faster, safer, and easier.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Chromium and its derivatives. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="high">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Google Chrome users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/google-chrome-121.0.6167.139"
</code>
<p>All Chromium users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/chromium-121.0.6167.139"
</code>
<p>All Microsoft Edge users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/microsoft-edge-121.0.2277.83"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0333">CVE-2024-0333</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0517">CVE-2024-0517</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0518">CVE-2024-0518</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0519">CVE-2024-0519</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0804">CVE-2024-0804</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0805">CVE-2024-0805</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0806">CVE-2024-0806</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0807">CVE-2024-0807</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0808">CVE-2024-0808</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0809">CVE-2024-0809</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0810">CVE-2024-0810</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0811">CVE-2024-0811</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0812">CVE-2024-0812</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0813">CVE-2024-0813</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0814">CVE-2024-0814</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-1059">CVE-2024-1059</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-1060">CVE-2024-1060</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-1077">CVE-2024-1077</uri>
</references>
<metadata tag="requester" timestamp="2024-02-19T05:58:06.874508Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-02-19T05:58:06.876972Z">ajak</metadata>
</glsa>


@ -0,0 +1,42 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202402-24">
<title>Seamonkey: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in Seamonkey, the worst of which can lead to remote code execution.</synopsis>
<product type="ebuild">seamonkey</product>
<announced>2024-02-19</announced>
<revised count="1">2024-02-19</revised>
<bug>767400</bug>
<bug>828479</bug>
<access>remote</access>
<affected>
<package name="www-client/seamonkey" auto="yes" arch="*">
<unaffected range="ge">2.53.10.2</unaffected>
<vulnerable range="lt">2.53.10.2</vulnerable>
</package>
</affected>
<background>
<p>The Seamonkey project is a community effort to deliver production-quality releases of code derived from the application formerly known as the Mozilla Application Suite.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Seamonkey. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="normal">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Seamonkey users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/seamonkey-2.53.10.2"
</code>
</resolution>
<references>
</references>
<metadata tag="requester" timestamp="2024-02-19T05:58:31.869833Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-02-19T05:58:31.878346Z">ajak</metadata>
</glsa>
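Review bot: The `<references>` element of this Seamonkey advisory is empty, while the description says "Please review the CVE identifiers referenced below for details", so any tooling that derives the set of fixed CVEs from the references list gets nothing for 202402-24 and the advisory is tied to affected versions only through the `<bug>` entries and the `lt 2.53.10.2` range. If the Flatcar scripts key vulnerability tracking on CVE identifiers, this advisory will be invisible to them; I cannot see the consumer from this page, so treat that as something to confirm. As with the other vendored files, the missing identifiers would need to be added upstream.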


@ -0,0 +1,129 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202402-25">
<title>Mozilla Thunderbird: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution.</synopsis>
<product type="ebuild">thunderbird,thunderbird-bin</product>
<announced>2024-02-19</announced>
<revised count="1">2024-02-19</revised>
<bug>918444</bug>
<bug>920508</bug>
<bug>924845</bug>
<access>remote</access>
<affected>
<package name="mail-client/thunderbird" auto="yes" arch="*">
<unaffected range="ge">115.7.0</unaffected>
<vulnerable range="lt">115.7.0</vulnerable>
</package>
<package name="mail-client/thunderbird-bin" auto="yes" arch="*">
<unaffected range="ge">115.7.0</unaffected>
<vulnerable range="lt">115.7.0</vulnerable>
</package>
</affected>
<background>
<p>Mozilla Thunderbird is a popular open-source email client from the Mozilla project.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Mozilla Thunderbird. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="high">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Mozilla Thunderbird binary users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=mail-client/thunderbird-bin-115.7.0"
</code>
<p>All Mozilla Thunderbird users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=mail-client/thunderbird-115.7.0"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-3417">CVE-2023-3417</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-3600">CVE-2023-3600</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4045">CVE-2023-4045</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4046">CVE-2023-4046</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4047">CVE-2023-4047</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4048">CVE-2023-4048</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4049">CVE-2023-4049</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4050">CVE-2023-4050</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4051">CVE-2023-4051</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4052">CVE-2023-4052</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4053">CVE-2023-4053</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4054">CVE-2023-4054</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4055">CVE-2023-4055</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4056">CVE-2023-4056</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4057">CVE-2023-4057</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4573">CVE-2023-4573</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4574">CVE-2023-4574</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4575">CVE-2023-4575</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4576">CVE-2023-4576</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4577">CVE-2023-4577</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4578">CVE-2023-4578</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4580">CVE-2023-4580</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4581">CVE-2023-4581</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4582">CVE-2023-4582</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4583">CVE-2023-4583</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4584">CVE-2023-4584</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4585">CVE-2023-4585</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5168">CVE-2023-5168</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5169">CVE-2023-5169</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5171">CVE-2023-5171</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5174">CVE-2023-5174</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5176">CVE-2023-5176</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5721">CVE-2023-5721</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5724">CVE-2023-5724</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5725">CVE-2023-5725</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5726">CVE-2023-5726</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5727">CVE-2023-5727</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5728">CVE-2023-5728</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5730">CVE-2023-5730</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5732">CVE-2023-5732</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6204">CVE-2023-6204</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6205">CVE-2023-6205</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6206">CVE-2023-6206</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6207">CVE-2023-6207</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6208">CVE-2023-6208</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6209">CVE-2023-6209</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6212">CVE-2023-6212</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6856">CVE-2023-6856</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6857">CVE-2023-6857</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6858">CVE-2023-6858</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6859">CVE-2023-6859</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6860">CVE-2023-6860</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6861">CVE-2023-6861</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6862">CVE-2023-6862</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6863">CVE-2023-6863</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6864">CVE-2023-6864</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-37201">CVE-2023-37201</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-37202">CVE-2023-37202</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-37207">CVE-2023-37207</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-37208">CVE-2023-37208</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-37211">CVE-2023-37211</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-50761">CVE-2023-50761</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-50762">CVE-2023-50762</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0741">CVE-2024-0741</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0742">CVE-2024-0742</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0746">CVE-2024-0746</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0747">CVE-2024-0747</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0749">CVE-2024-0749</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0750">CVE-2024-0750</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0751">CVE-2024-0751</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0753">CVE-2024-0753</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0755">CVE-2024-0755</uri>
<uri>MFSA-2024-01</uri>
<uri>MFSA-2024-02</uri>
<uri>MFSA-2024-04</uri>
</references>
<metadata tag="requester" timestamp="2024-02-19T05:59:00.992641Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-02-19T05:59:00.995575Z">ajak</metadata>
</glsa>


@ -0,0 +1,88 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202402-26">
<title>Mozilla Firefox: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in Mozilla Firefox, the worst of which could result in arbitrary code execution.</synopsis>
<product type="ebuild">firefox,firefox-bin</product>
<announced>2024-02-19</announced>
<revised count="1">2024-02-19</revised>
<bug>924844</bug>
<access>remote</access>
<affected>
<package name="www-client/firefox" auto="yes" arch="*">
<unaffected range="ge" slot="rapid">122.0</unaffected>
<unaffected range="ge" slot="esr">115.7.0</unaffected>
<vulnerable range="lt" slot="rapid">122.0</vulnerable>
<vulnerable range="lt" slot="esr">115.7.0</vulnerable>
</package>
<package name="www-client/firefox-bin" auto="yes" arch="*">
<unaffected range="ge" slot="rapid">122.0</unaffected>
<unaffected range="ge" slot="esr">115.7.0</unaffected>
<vulnerable range="lt" slot="rapid">122.0</vulnerable>
<vulnerable range="lt" slot="esr">115.7.0</vulnerable>
</package>
</affected>
<background>
<p>Mozilla Firefox is a popular open-source web browser from the Mozilla project.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Mozilla Firefox. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="high">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Mozilla Firefox ESR users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/firefox-115.7.0:esr"
</code>
<p>All Mozilla Firefox ESR binary users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/firefox-bin-115.7.0:esr"
</code>
<p>All Mozilla Firefox users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/firefox-122.0:rapid"
</code>
<p>All Mozilla Firefox binary users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/firefox-bin-122.0:rapid"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0741">CVE-2024-0741</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0742">CVE-2024-0742</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0743">CVE-2024-0743</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0744">CVE-2024-0744</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0745">CVE-2024-0745</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0746">CVE-2024-0746</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0747">CVE-2024-0747</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0748">CVE-2024-0748</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0749">CVE-2024-0749</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0750">CVE-2024-0750</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0751">CVE-2024-0751</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0752">CVE-2024-0752</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0753">CVE-2024-0753</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0754">CVE-2024-0754</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0755">CVE-2024-0755</uri>
<uri>MFSA-2024-01</uri>
<uri>MFSA-2024-02</uri>
<uri>MFSA-2024-04</uri>
</references>
<metadata tag="requester" timestamp="2024-02-19T05:59:26.896253Z">ajak</metadata>
<metadata tag="submitter" timestamp="2024-02-19T05:59:26.899882Z">ajak</metadata>
</glsa>


@ -0,0 +1,42 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202402-27">
<title>Glade: Denial of Service</title>
<synopsis>A vulnerability has been discovered in Glade which can lead to a denial of service.</synopsis>
<product type="ebuild">glade</product>
<announced>2024-02-19</announced>
<revised count="1">2024-02-19</revised>
<bug>747451</bug>
<access>local and remote</access>
<affected>
<package name="dev-util/glade" auto="yes" arch="*">
<unaffected range="ge">3.38.2</unaffected>
<vulnerable range="lt">3.38.2</vulnerable>
</package>
</affected>
<background>
<p>Glade is a RAD tool to enable quick &amp; easy development of user interfaces for the GTK+ toolkit (Version 3 only) and the GNOME desktop environment.</p>
</background>
<description>
<p>A vulnerability has been found in Glade which can lead to a denial of service when working with specific glade files.</p>
</description>
<impact type="normal">
<p>A crafted file may lead to crashes in Glade.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Glade users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-util/glade-3.38.2"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-36774">CVE-2020-36774</uri>
</references>
<metadata tag="requester" timestamp="2024-02-19T06:02:10.382734Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-02-19T06:02:10.385523Z">ajak</metadata>
</glsa>


@ -0,0 +1,54 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202402-28">
<title>Samba: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in Samba, the worst of which can lead to remote code execution.</synopsis>
<product type="ebuild">samba</product>
<announced>2024-02-19</announced>
<revised count="1">2024-02-19</revised>
<bug>891267</bug>
<bug>910606</bug>
<bug>915556</bug>
<access>remote</access>
<affected>
<package name="net-fs/samba" auto="yes" arch="*">
<unaffected range="ge">4.18.9</unaffected>
<vulnerable range="lt">4.18.9</vulnerable>
</package>
</affected>
<background>
<p>Samba is a suite of SMB and CIFS client/server programs.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Samba. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="high">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Samba users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-fs/samba-4.18.9"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-14628">CVE-2018-14628</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2127">CVE-2022-2127</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-3347">CVE-2023-3347</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-3961">CVE-2023-3961</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4091">CVE-2023-4091</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4154">CVE-2023-4154</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-34966">CVE-2023-34966</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-34967">CVE-2023-34967</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-34968">CVE-2023-34968</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-42669">CVE-2023-42669</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-42670">CVE-2023-42670</uri>
</references>
<metadata tag="requester" timestamp="2024-02-19T06:05:38.330272Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-02-19T06:05:38.333066Z">ajak</metadata>
</glsa>


@ -0,0 +1,54 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202402-29">
<title>LibreOffice: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in LibreOffice, the worst of which could result in user-assisted code execution.</synopsis>
<product type="ebuild">libreoffice,libreoffice-bin</product>
<announced>2024-02-21</announced>
<revised count="1">2024-02-21</revised>
<bug>919894</bug>
<access>remote</access>
<affected>
<package name="app-office/libreoffice" auto="yes" arch="*">
<unaffected range="ge">7.5.9.2</unaffected>
<vulnerable range="lt">7.5.9.2</vulnerable>
</package>
<package name="app-office/libreoffice-bin" auto="yes" arch="*">
<unaffected range="ge">7.5.9.2</unaffected>
<vulnerable range="lt">7.5.9.2</vulnerable>
</package>
</affected>
<background>
<p>LibreOffice is a powerful office suite; its clean interface and powerful tools let you unleash your creativity and grow your productivity.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in LibreOffice. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="high">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All LibreOffice binary users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-office/libreoffice-bin-7.5.9.2"
</code>
<p>All LibreOffice users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-office/libreoffice-7.5.9.2"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6185">CVE-2023-6185</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6186">CVE-2023-6186</uri>
</references>
<metadata tag="requester" timestamp="2024-02-21T16:46:04.755022Z">ajak</metadata>
<metadata tag="submitter" timestamp="2024-02-21T16:46:04.757962Z">graaff</metadata>
</glsa>


@ -0,0 +1,41 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202402-30">
<title>Glances: Arbitrary Code Execution</title>
<synopsis>A vulnerability has been found in Glances which may lead to arbitrary code execution.</synopsis>
<product type="ebuild">glances</product>
<announced>2024-02-26</announced>
<revised count="1">2024-02-26</revised>
<bug>791565</bug>
<access>remote</access>
<affected>
<package name="sys-process/glances" auto="yes" arch="*">
<unaffected range="ge">3.1.7</unaffected>
<vulnerable range="lt">3.1.7</vulnerable>
</package>
</affected>
<background>
<p>Glances is an open-source system cross-platform monitoring tool. It allows real-time monitoring of various aspects of your system such as CPU, memory, disk, network usage etc.</p>
</background>
<description>
<p>A vulnerability in XML parsing may lead to a variety of XML attacks.</p>
</description>
<impact type="normal">
<p>A vulnerability in XML parsing may lead to a variety of XML attacks.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Glances users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-process/glances-3.1.7"
</code>
</resolution>
<references>
</references>
<metadata tag="requester" timestamp="2024-02-26T12:07:09.643689Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-02-26T12:07:09.650874Z">graaff</metadata>
</glsa>
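Review bot: The `<references>` element of this Glances advisory (202402-30) is empty, so the record carries no CVE or advisory URI that scanners matching on references can key on; the only identifier in the file is `<bug>791565</bug>`. The description and impact are also the same one-line sentence, "A vulnerability in XML parsing may lead to a variety of XML attacks", which names no attack class; if the underlying issue is external-entity resolution or entity expansion in the XML parser, the text should say so, and the CVE should be filled in once confirmed against the Gentoo bug. Since this file is mirrored from Gentoo's GLSA feed, the correction belongs upstream; a local edit would be overwritten by the next monthly sync.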


@ -0,0 +1,42 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202402-31">
<title>GNU Aspell: Heap Buffer Overflow</title>
<synopsis>A vulnerability has been discovered in GNU Aspell which leads to a heap buffer overflow.</synopsis>
<product type="ebuild">aspell</product>
<announced>2024-02-26</announced>
<revised count="1">2024-02-26</revised>
<bug>803113</bug>
<access>remote</access>
<affected>
<package name="app-text/aspell" auto="yes" arch="*">
<unaffected range="ge">0.60.8-r3</unaffected>
<vulnerable range="lt">0.60.8-r3</vulnerable>
</package>
</affected>
<background>
<p>GNU Aspell is a popular spell-checker. Dictionaries are available for many languages.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in GNU Aspell. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="normal">
<p>GNU Aspell has a heap-based buffer overflow in acommon::ObjStack::dup_top (called from acommon::StringMap::add and acommon::Config::lookup_list)</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All aspell users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/aspell-0.60.8-r3"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-25051">CVE-2019-25051</uri>
</references>
<metadata tag="requester" timestamp="2024-02-26T12:30:16.027845Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-02-26T12:30:16.031079Z">graaff</metadata>
</glsa>
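Review bot: The `<description>` says "Multiple vulnerabilities have been discovered in GNU Aspell" while the title, synopsis, impact and the single CVE-2019-25051 reference all describe one heap buffer overflow; it should read `<p>A vulnerability has been discovered in GNU Aspell. Please review the CVE identifier referenced below for details.</p>`. The resolution paragraph also uses "All aspell users" where the other advisories in this commit use the product's display name, so "All GNU Aspell users" would be consistent. This is mirrored content, so the fix goes to the upstream glsa repository rather than this copy.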


@ -0,0 +1,42 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202402-32">
<title>btrbk: Remote Code Execution</title>
<synopsis>A vulnerability has been discovered in btrbk which can lead to remote code execution.</synopsis>
<product type="ebuild">btrbk</product>
<announced>2024-02-26</announced>
<revised count="1">2024-02-26</revised>
<bug>806962</bug>
<access>remote</access>
<affected>
<package name="app-backup/btrbk" auto="yes" arch="*">
<unaffected range="ge">0.31.2</unaffected>
<vulnerable range="lt">0.31.2</vulnerable>
</package>
</affected>
<background>
<p>btrbk is a backup tool for btrfs subvolumes, taking advantage of btrfs specific capabilities to create atomic snapshots and transfer them incrementally to your backup locations.</p>
</background>
<description>
<p>A vulnerability has been discovered in btrbk. Please review the CVE identifier referenced below for details.</p>
</description>
<impact type="normal">
<p>Specialy crafted commands may be executed without being propely checked. Applies to remote hosts filtering ssh commands using ssh_filter_btrbk.sh in authorized_keys.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All btrbk users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-backup/btrbk-0.31.2"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-38173">CVE-2021-38173</uri>
</references>
<metadata tag="requester" timestamp="2024-02-26T12:53:03.371210Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-02-26T12:53:03.375893Z">graaff</metadata>
</glsa>
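Review bot: The `<impact>` paragraph has two typos and should read `<p>Specially crafted commands may be executed without being properly checked. Applies to remote hosts filtering ssh commands using ssh_filter_btrbk.sh in authorized_keys.</p>`. More importantly for operators, the impact text locates the flaw in the forced-command filter on the remote side, so the hosts that must be upgraded to 0.31.2 are the SSH backup targets whose `authorized_keys` invokes `ssh_filter_btrbk.sh`, not only the machine that runs btrbk itself; the resolution's "All btrbk users" does not make that explicit and a sentence to that effect would help. Because this file is synced from Gentoo's GLSA feed, both changes belong upstream.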


@ -0,0 +1,42 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202402-33">
<title>PyYAML: Arbitrary Code Execution</title>
<synopsis>A vulnerability has been found in PyYAML which can lead to arbitrary code execution.</synopsis>
<product type="ebuild">pyyaml</product>
<announced>2024-02-26</announced>
<revised count="1">2024-02-26</revised>
<bug>766228</bug>
<access>remote</access>
<affected>
<package name="dev-python/pyyaml" auto="yes" arch="*">
<unaffected range="ge">5.4</unaffected>
<vulnerable range="lt">5.4</vulnerable>
</package>
</affected>
<background>
<p>PyYAML is a YAML parser and emitter for Python.</p>
</background>
<description>
<p>A vulnerability has been discovered in PyYAML. Please review the CVE identifier referenced below for details.</p>
</description>
<impact type="normal">
<p>A vulnerability was discovered in the PyYAML library, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All PyYAML users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-python/pyyaml-5.4"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14343">CVE-2020-14343</uri>
</references>
<metadata tag="requester" timestamp="2024-02-26T15:44:41.690132Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-02-26T15:44:41.694949Z">graaff</metadata>
</glsa>
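Review bot: The `<workaround>` states there is no known workaround, but the impact paragraph itself scopes the flaw to `full_load` / `FullLoader` on untrusted input abusing the `python/object/new` constructor, so code that parses untrusted YAML with `yaml.safe_load()` (SafeLoader) does not take that path. Suggest `<p>Applications processing untrusted YAML should use yaml.safe_load() / SafeLoader instead of full_load() / FullLoader until the update is installed.</p>`. This only helps code you control; for third-party dependencies the upgrade to 5.4 remains the fix. The text is mirrored from Gentoo, so the change should be made upstream.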


@ -0,0 +1,42 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202403-01">
<title>Tox: Remote Code Execution</title>
<synopsis>A vulnerability has been discovered in Tox which may lead to remote code execution.</synopsis>
<product type="ebuild">tox</product>
<announced>2024-03-03</announced>
<revised count="1">2024-03-03</revised>
<bug>829650</bug>
<access>remote</access>
<affected>
<package name="net-libs/tox" auto="yes" arch="*">
<unaffected range="ge">0.2.13</unaffected>
<vulnerable range="lt">0.2.13</vulnerable>
</package>
</affected>
<background>
<p>Tox is easy-to-use software that connects you with friends and family without anyone else listening in.</p>
</background>
<description>
<p>A vulnerability has been discovered in btrbk. Please review the CVE identifier referenced below for details.</p>
</description>
<impact type="normal">
<p>A stack-based buffer overflow allows remote attackers to crash the process or potentially execute arbitrary code via a network packet.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Tox users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/tox-0.2.13"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-44847">CVE-2021-44847</uri>
</references>
<metadata tag="requester" timestamp="2024-03-03T10:05:56.740887Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-03-03T10:05:56.742991Z">graaff</metadata>
</glsa>
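Review bot: The `<description>` in this Tox advisory (202403-01) names the wrong package: "A vulnerability has been discovered in btrbk", evidently carried over from 202402-32 a few files up. It should read `<p>A vulnerability has been discovered in Tox. Please review the CVE identifier referenced below for details.</p>`. Since these files are synced from Gentoo's GLSA feed, the fix should go to the upstream glsa repository rather than this mirror, or it will be reverted by the next monthly update.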


@ -0,0 +1,44 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202403-02">
<title>Blender: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in Blender, the worst of which could lead to arbitrary code execution.</synopsis>
<product type="ebuild">blender</product>
<announced>2024-03-03</announced>
<revised count="1">2024-03-03</revised>
<bug>834011</bug>
<access>remote</access>
<affected>
<package name="media-gfx/blender" auto="yes" arch="*">
<unaffected range="ge">3.1.0</unaffected>
<vulnerable range="lt">3.1.0</vulnerable>
</package>
</affected>
<background>
<p>Blender is a 3D Creation/Animation/Publishing System.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Blender. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="normal">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Blender users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-gfx/blender-3.1.0"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-0544">CVE-2022-0544</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-0545">CVE-2022-0545</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-0546">CVE-2022-0546</uri>
</references>
<metadata tag="requester" timestamp="2024-03-03T10:35:38.708571Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-03-03T10:35:38.710453Z">graaff</metadata>
</glsa>


@ -0,0 +1,43 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202403-03">
<title>UltraJSON: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in UltraJSON, the worst of which could lead to key confusion and value overwriting.</synopsis>
<product type="ebuild">ujson</product>
<announced>2024-03-03</announced>
<revised count="1">2024-03-03</revised>
<bug>855689</bug>
<access>remote</access>
<affected>
<package name="dev-python/ujson" auto="yes" arch="*">
<unaffected range="ge">5.4.0</unaffected>
<vulnerable range="lt">5.4.0</vulnerable>
</package>
</affected>
<background>
<p>UltraJSON is an ultra fast JSON encoder and decoder written in pure C with bindings for Python 3.8+.</p>
</background>
<description>
<p>Affected versions were found to improperly decode certain characters. JSON strings that contain escaped surrogate characters not part of a proper surrogate pair were decoded incorrectly. Besides corrupting strings, this allowed for potential key confusion and value overwriting in dictionaries. All users parsing JSON from untrusted sources are vulnerable. From version 5.4.0, UltraJSON decodes lone surrogates in the same way as the standard library&#39;s `json` module does, preserving them in the parsed output.</p>
</description>
<impact type="normal">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All UltraJSON users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-python/ujson-5.4.0"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-31116">CVE-2022-31116</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-31117">CVE-2022-31117</uri>
</references>
<metadata tag="requester" timestamp="2024-03-03T10:43:37.084240Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-03-03T10:43:37.087046Z">graaff</metadata>
</glsa>


@ -0,0 +1,47 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202403-04">
<title>XZ utils: Backdoor in release tarballs</title>
<synopsis>A backdoor has been discovered in XZ utils that could lead to remote compromise of systems.</synopsis>
<product type="ebuild">xz-utils</product>
<announced>2024-03-29</announced>
<revised count="1">2024-03-29</revised>
<bug>928134</bug>
<access>remote</access>
<affected>
<package name="app-arch/xz-utils" auto="yes" arch="*">
<unaffected range="lt">5.6.0</unaffected>
<vulnerable range="ge">5.6.0</vulnerable>
</package>
</affected>
<background>
<p>XZ Utils is free general-purpose data compression software with a high compression ratio.</p>
</background>
<description>
<p>A backdoor has been discovered in XZ utils. Please review the CVE identifier referenced below for details.</p>
</description>
<impact type="high">
<p>Our current understanding of the backdoor is that is does not affect Gentoo systems, because
1. the backdoor only appears to be included on specific systems and Gentoo does not qualify;
2. the backdoor as it is currently understood targets OpenSSH patched to work with systemd-notify support. Gentoo does not support or include these patches;
Analysis is still ongoing, however, and additional vectors may still be identified. For this reason we are still issuing this advisory as if that will be the case.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All XZ utils users should downgrade to the latest version before the backdoor was introduced:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&lt;app-arch/xz-utils-5.6.0"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-3094">CVE-2024-3094</uri>
</references>
<metadata tag="requester" timestamp="2024-03-29T21:48:56.283016Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-03-29T21:48:56.285132Z">graaff</metadata>
</glsa>
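Review bot: The `<impact>` rationale is Gentoo-specific ("Gentoo does not qualify", "Gentoo does not support or include these patches") and does not transfer to this mirror: whether Flatcar images are exposed depends on which app-arch/xz-utils version is actually shipped and whether the shipped sshd loads liblzma, directly or through libsystemd, which this file cannot answer and which is worth stating explicitly in the PR rather than leaving readers to infer from the advisory. Note also that the package block inverts the usual range direction — `<unaffected range="lt">5.6.0</unaffected>` / `<vulnerable range="ge">5.6.0</vulnerable>` — because the resolution is a downgrade, so any local tooling that assumes `<unaffected>` is always `ge` will misclassify this entry; the GLSA DTD permits it, but confirm anything custom handles it. Finally, the advisory is `revised count="1"` and says analysis was still ongoing, so the mirrored copy should be expected to change on the next sync.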


@ -1 +1 @@
Thu, 01 Feb 2024 06:41:20 +0000
Mon, 01 Apr 2024 06:40:34 +0000


@ -1 +1 @@
8064a0b694d29fb2fca491d65494098fb43c2ffa 1706715575 2024-01-31T15:39:35+00:00
ad7cf37eb216318a2076f79b7aceee6389bc887b 1711749190 2024-03-29T21:53:10+00:00