From 17948062a02bf93483c9e09d1d2c000ed1f05a58 Mon Sep 17 00:00:00 2001 
From: Nick Owens
Date: Mon, 10 Oct 2016 08:18:00 -0700
Subject: [PATCH] bump(metadata/glsa): sync with upstream
---
 .../metadata/glsa/glsa-201402-24.xml | 5 +-
 .../metadata/glsa/glsa-201507-20.xml | 1 +
 .../metadata/glsa/glsa-201606-18.xml | 1 +
 .../metadata/glsa/glsa-201607-03.xml | 83 ++++++++++++++++
 .../metadata/glsa/glsa-201607-04.xml | 58 +++++++++++
 .../metadata/glsa/glsa-201607-05.xml | 62 ++++++++++++
 .../metadata/glsa/glsa-201607-06.xml | 48 +++++++++
 .../metadata/glsa/glsa-201607-07.xml | 77 +++++++++++++++
 .../metadata/glsa/glsa-201607-08.xml | 49 ++++++++++
 .../metadata/glsa/glsa-201607-09.xml | 52 ++++++++++
 .../metadata/glsa/glsa-201607-10.xml | 49 ++++++++++
 .../metadata/glsa/glsa-201607-11.xml | 68 +++++++++++++
 .../metadata/glsa/glsa-201607-12.xml | 55 +++++++++++
 .../metadata/glsa/glsa-201607-13.xml | 54 ++++++++++
 .../metadata/glsa/glsa-201607-14.xml | 57 +++++++++++
 .../metadata/glsa/glsa-201607-15.xml | 91 +++++++++++++++++
 .../metadata/glsa/glsa-201607-16.xml | 48 +++++++++
 .../metadata/glsa/glsa-201607-17.xml | 54 ++++++++++
 .../metadata/glsa/glsa-201608-01.xml | 55 +++++++++++
 .../metadata/glsa/glsa-201609-01.xml | 98 +++++++++++++++++++
 .../metadata/glsa/glsa-201609-02.xml | 52 ++++++++++
 .../metadata/glsa/glsa-201610-01.xml | 51 ++++++++++
 .../metadata/glsa/glsa-201610-02.xml | 62 ++++++++++++
 .../metadata/glsa/glsa-201610-03.xml | 57 +++++++++++
 .../metadata/glsa/glsa-201610-04.xml | 64 ++++++++++++
 .../metadata/glsa/timestamp.chk | 2 +-
 26 files changed, 1350 insertions(+), 3 deletions(-)
 create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-03.xml
 create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-04.xml
 create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-05.xml
 create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-06.xml
 create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-07.xml
 create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-08.xml
 create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-09.xml
 create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-10.xml
 create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-11.xml
 create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-12.xml
 create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-13.xml
 create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-14.xml
 create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-15.xml
 create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-16.xml
 create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-17.xml
 create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201608-01.xml
 create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201609-01.xml
 create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201609-02.xml
 create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201610-01.xml
 create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201610-02.xml
 create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201610-03.xml
 create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201610-04.xml
diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201402-24.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201402-24.xml
index 858d348146..0420ab5689 100644
--- a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201402-24.xml +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201402-24.xml @@ -8,7 +8,7 @@ gnupg libgcrypt February 21, 2014 - July 07, 2014: 2 + August 24, 2016: 3 449546 478184 484836 @@ -23,6 +23,7 @@ 1.4.18 1.4.19 1.4.20 + 1.4.21 2.0.22 @@ -86,5 +87,5 @@ ackle - ackle + ackle diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201507-20.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201507-20.xml index 1572d9e6a9..4827cfbbbf 100644 --- a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201507-20.xml +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201507-20.xml @@ -31,6 +31,7 @@ 9.3.9 9.3.10 9.3.11 + 9.3.12 9.4.3 diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201606-18.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201606-18.xml index 194161bded..2e4401ccb1 100644 --- a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201606-18.xml +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201606-18.xml @@ -18,6 +18,7 @@ 7.2.6.6-r1 3.0.1 + 3.1.0 7.2.6.6-r1 diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-03.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-03.xml new file mode 100644 index 0000000000..ee94c2cae8 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-03.xml @@ -0,0 +1,83 @@ + + + + Adobe Flash Player: Multiple vulnerabilities + Multiple vulnerabilities have been found in Adobe Flash Player, the + worst of which allows remote attackers to execute arbitrary code. + + + July 13, 2016 + July 13, 2016: 2 + 588738 + remote + + + 11.2.202.632 + 11.2.202.632 + + + +

The Adobe Flash Player is a renderer for the SWF file format, which is + commonly used to provide interactive websites. +

+
+ +

Multiple vulnerabilities have been discovered in Adobe Flash Player. + Please review the CVE identifiers referenced below for details. +

+
+ +

A remote attacker could possibly execute arbitrary code with the + privileges of the process, cause a Denial of Service condition, obtain + sensitive information, or bypass security restrictions. +

+
+ +

There is no known workaround at this time.

+
+ +

All Adobe Flash Player users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose "www-plugins/adobe-flash-11.2.202.632" + +
+ + CVE-2016-4217 + CVE-2016-4218 + CVE-2016-4219 + CVE-2016-4220 + CVE-2016-4221 + CVE-2016-4222 + CVE-2016-4223 + CVE-2016-4224 + CVE-2016-4225 + CVE-2016-4226 + CVE-2016-4227 + CVE-2016-4228 + CVE-2016-4229 + CVE-2016-4230 + CVE-2016-4231 + CVE-2016-4232 + CVE-2016-4233 + CVE-2016-4234 + CVE-2016-4235 + CVE-2016-4236 + CVE-2016-4237 + CVE-2016-4238 + CVE-2016-4239 + CVE-2016-4240 + CVE-2016-4241 + CVE-2016-4242 + CVE-2016-4243 + CVE-2016-4244 + CVE-2016-4245 + CVE-2016-4246 + CVE-2016-4247 + CVE-2016-4248 + CVE-2016-4249 + + b-man + b-man +
diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-04.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-04.xml new file mode 100644 index 0000000000..f52915c354 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-04.xml @@ -0,0 +1,58 @@ + + + + GD: Multiple vulnerabilities + Multiple vulnerabilities have been found in GD, the worst of which + allows remote attackers to execute arbitrary code. + + + July 16, 2016 + July 16, 2016: 1 + 504872 + 538686 + 581942 + remote + + + 2.2.2 + 2.2.2 + + + +

GD is a graphic library for fast image creation.

+
+ +

Multiple vulnerabilities have been discovered in GD. Please review the + CVE identifiers referenced below for details. +

+
+ +

A remote attacker could possibly execute arbitrary code with the + privileges of the process, or cause a Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All GD users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/gd-2.2.2" + +
+ + + CVE-2014-2497 + + + CVE-2014-9709 + + CVE-2016-3074 + + + BlueKnight + + b-man +
diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-05.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-05.xml new file mode 100644 index 0000000000..c5c22623d8 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-05.xml @@ -0,0 +1,62 @@ + + + + Cacti: Multiple vulnerabilities + Multiple vulnerabilities have been found in Cacti, the worst of + which could lead to the remote execution of arbitrary code. + + + July 16, 2016 + July 16, 2016: 1 + 519900 + 568400 + 570984 + 574412 + 582996 + remote + + + 0.8.8h + 0.8.8h + + + +

Cacti is a complete frontend to rrdtool.

+
+ +

Multiple vulnerabilities have been discovered in Cacti. Please review + the CVE identifiers referenced below for details. +

+
+ +

A remote attacker could possibly execute arbitrary code with the + privileges of the process, or remote authenticated users could bypass + intended access restrictions. +

+
+ +

There is no known workaround at this time.

+
+ +

All Cacti users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-analyzer/cacti-0.8.8h" + +
+ + CVE-2014-5261 + CVE-2014-5262 + CVE-2015-8369 + CVE-2015-8377 + CVE-2015-8604 + CVE-2016-2313 + CVE-2016-3172 + CVE-2016-3659 + + + BlueKnight + + b-man +
diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-06.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-06.xml new file mode 100644 index 0000000000..ece3869dc5 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-06.xml @@ -0,0 +1,48 @@ + + + + CUPS: Buffer overflow + A buffer overflow in CUPS might allow remote attackers to execute + arbitrary code. + + + July 16, 2016 + July 16, 2016: 1 + 539582 + remote + + + 2.0.2-r1 + 2.0.2-r1 + + + +

CUPS, the Common Unix Printing System, is a full-featured print server.

+
+ +

A vulnerability has been discovered in CUPS concerning the handling of + compressed raster files. +

+
+ +

A remote attacker could possibly execute arbitrary code with the + privileges of the process. +

+
+ +

There is no known workaround at this time.

+
+ +

All CUPS users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-print/cups-2.0.2-r1" + +
+ + CVE-2014-9679 + + b-man + b-man +
diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-07.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-07.xml new file mode 100644 index 0000000000..ba6017d172 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-07.xml @@ -0,0 +1,77 @@ + + + + Chromium: Multiple vulnerabilities + Multiple vulnerabilities have been found in the Chromium web + browser, the worst of which allows remote attackers to execute arbitrary + code. + + + July 16, 2016 + July 16, 2016: 1 + 584310 + 586704 + remote + + + 51.0.2704.103 + 51.0.2704.103 + + + +

Chromium is an open-source browser project that aims to build a safer, + faster, and more stable way for all users to experience the web. +

+
+ +

Multiple vulnerabilities have been discovered in the Chromium web + browser. Please review the CVE identifiers referenced below for details. +

+
+ +

A remote attacker could possibly execute arbitrary code with the + privileges of the process, cause a Denial of Service condition, obtain + sensitive information, or bypass security restrictions. +

+
+ +

There is no known workaround at this time.

+
+ +

All Chromium users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose + ">=www-client/chromium-51.0.2704.103" + +
+ + CVE-2016-1672 + CVE-2016-1673 + CVE-2016-1674 + CVE-2016-1675 + CVE-2016-1676 + CVE-2016-1677 + CVE-2016-1678 + CVE-2016-1679 + CVE-2016-1680 + CVE-2016-1681 + CVE-2016-1682 + CVE-2016-1683 + CVE-2016-1684 + CVE-2016-1685 + CVE-2016-1686 + CVE-2016-1687 + CVE-2016-1688 + CVE-2016-1689 + CVE-2016-1690 + CVE-2016-1691 + CVE-2016-1692 + CVE-2016-1693 + CVE-2016-1694 + CVE-2016-1695 + + b-man + b-man +
diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-08.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-08.xml new file mode 100644 index 0000000000..144c5e53cd --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-08.xml @@ -0,0 +1,49 @@ + + + + Dropbear: Privilege escalation + A vulnerability has been found in Dropbear, which allows remote + authenticated users to bypass intended shell-command restrictions. + + + July 20, 2016 + July 20, 2016: 1 + 577050 + remote + + + 2016.73 + 2016.73 + + + +

Dropbear is a relatively small SSH server and client.

+
+ +

A CRLF injection vulnerability in Dropbear SSH allows remote + authenticated users to bypass intended shell-command restrictions via + crafted X11 forwarding data. +

+
+ +

A remote authenticated user could execute arbitrary code with the + privileges of the process. +

+
+ +

There is no known workaround at this time.

+
+ +

All Dropbear users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/dropbear-2016.73" + +
+ + CVE-2016-3116 + + b-man + b-man +
diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-09.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-09.xml new file mode 100644 index 0000000000..214bff4b77 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-09.xml @@ -0,0 +1,52 @@ + + + + Commons-BeanUtils: Arbitrary code execution + Apache Commons BeanUtils does not properly suppress the class + property, which could lead to the remote execution of arbitrary code. + + commons-beanutils + July 20, 2016 + July 20, 2016: 1 + 534498 + remote + + + 1.9.2 + 1.9.2 + + + +

Commons-beanutils provides easy-to-use wrappers around Reflection and + Introspection APIs +

+
+ +

Apache Commons BeanUtils does not suppress the class property, which + allows for the manipulation of the ClassLoader. +

+
+ +

Remote attackers could potentially execute arbitrary code with the + privileges of the process. +

+
+ +

There is no known workaround at this time.

+
+ +

All Commons BeanUtils users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose + ">=dev-java/commons-beanutils-1.9.2" + + +
+ + CVE-2014-0114 + + Zlogene + b-man +
diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-10.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-10.xml new file mode 100644 index 0000000000..d3640d8930 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-10.xml @@ -0,0 +1,49 @@ + + + + Varnish: Multiple vulnerabilities + Improper input validation in Varnish allows remote attackers to + conduct HTTP smuggling attacks, and possibly trigger a buffer overflow. + + + July 20, 2016 + July 20, 2016: 1 + 542886 + remote + + + 3.0.7 + 3.0.7 + + + +

Varnish is a web application accelerator.

+
+ +

Varnish fails to properly validate input from HTTP headers, and does not + deny requests with multiple Content-Length headers. +

+
+ +

Remote attackers could conduct an HTTP response splitting attack, which + may further enable them to conduct Cross-Site Scripting (XSS), Cache + Poisoning, Defacement, and Page Hijacking. +

+
+ +

There is no known workaround at this time.

+
+ +

All Varnish users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-servers/varnish-3.0.7" + +
+ + CVE-2015-8852 + + b-man + b-man +
diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-11.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-11.xml new file mode 100644 index 0000000000..66a4c0918a --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-11.xml @@ -0,0 +1,68 @@ + + + + Bugzilla: Multiple vulnerabilities + Multiple vulnerabilities have been found in Bugzilla, the worst of + which could lead to the escalation of privileges. + + + July 20, 2016 + July 20, 2016: 1 + 524316 + 537448 + 560406 + 583236 + remote + + + 5.0.3 + 4.4.12 + 5.0.3 + + + +

Bugzilla is the bug-tracking system from the Mozilla project.

+
+ +

Multiple vulnerabilities have been discovered in Bugzilla. Please review + the CVE identifiers referenced below for details. +

+
+ +

Privileged account holders could execute system level commands, and the + new user process could be exploited to allow for the escalation of + privileges. +

+
+ +

There is no known workaround at this time.

+
+ +

All Bugzilla 4.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/bugzilla-4.4.12" + + +

All Bugzilla 5.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apps/bugzilla-5.0.3" + +
+ + + CVE-2014-1572 + + + CVE-2014-1573 + + CVE-2014-8630 + + + BlueKnight + + b-man +
diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-12.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-12.xml new file mode 100644 index 0000000000..a8ba395b4d --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-12.xml @@ -0,0 +1,55 @@ + + + + Exim: Arbitrary code execution + A local attacker could execute arbitrary code by providing + unsanitized data to a data source or escalate privileges. + + exim + July 20, 2016 + July 20, 2016: 1 + 517934 + 576582 + local + + + 4.87 + 4.87 + + + +

Exim is a message transfer agent (MTA) designed to be a a highly + configurable, drop-in replacement for sendmail. +

+
+ +

Vulnerabilities have been discovered in Exim’s implementation of + set-uid root and when using ‘perl_startup’. These vulnerabilities + require a user account on the Exim server and a configuration that does + lookups against files to which the user has edit access. +

+
+ +

A local attacker could possibly execute arbitrary code with the + privileges of the process, or escalate privileges. +

+
+ +

There is no known workaround at this time.

+
+ +

All Exim users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-mta/exim-4.87" + +
+ + CVE-2014-2972 + + + keytoaster + + b-man +
diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-13.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-13.xml new file mode 100644 index 0000000000..5ac0fc4466 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-13.xml @@ -0,0 +1,54 @@ + + + + libbsd: Arbitrary code execution + A buffer overflow in libbsd might allow remote attackers to execute + arbitrary code. + + + July 20, 2016 + July 20, 2016: 1 + 573160 + remote + + + 0.8.2 + 0.8.2 + + + +

This library provides useful functions commonly found on BSD systems, + and lacking on others like GNU systems, thus making it easier to port + projects with strong BSD origins, without needing to embed the same code + over and over again on each project. +

+
+ +

libbsd contains a buffer overflow in the fgetwln() function. An if + statement, which is responsible for checking the necessity to reallocate + memory in the target buffer, is off by one therefore an out of bounds + write occurs. +

+
+ +

Remote attackers could potentially execute arbitrary code with the + privileges of the process. +

+
+ +

There is no known workaround at this time.

+
+ +

All libbsd users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --verbose --oneshot ">=dev-libs/libbsd-0.8.2" + +
+ + CVE-2016-2090 + + b-man + b-man +
diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-14.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-14.xml new file mode 100644 index 0000000000..cf90babd7a --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-14.xml @@ -0,0 +1,57 @@ + + + + Ansible: Privilege escalation + A vulnerability in Ansible may allow local attackers to gain + escalated privileges or write arbitrary files. + + ansible + July 20, 2016 + July 20, 2016: 2 + 578814 + local + + + 2.0.2.0-r1 + 1.9.6 + 2.0.2.0-r1 + + + +

Ansible is a radically simple IT automation platform.

+
+ +

The create_script function in the lxc_container module of Ansible uses + predictable temporary file names, making it vulnerable to a symlink + attack. +

+
+ +

Local attackers could write arbitrary files or gain escalated privileges + within the container. +

+
+ +

There is no known workaround at this time.

+
+ +

All Ansible 1.9.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-admin/ansible-1.9.6" + + +

All Ansible 2.0.2.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-admin/ansible-2.0.2.0-r1" + +
+ + CVE-2016-3096 + + b-man + ackle +
diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-15.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-15.xml new file mode 100644 index 0000000000..41bcc4b862 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-15.xml @@ -0,0 +1,91 @@ + + + + NTP: Multiple vulnerabilities + Multiple vulnerabilities have been found in NTP, the worst of which + could lead to Denial of Service. + + ntp + July 20, 2016 + July 20, 2016: 1 + 563774 + 572452 + 581528 + 584954 + remote + + + 4.2.8_p8 + 4.2.8_p8 + + + +

NTP contains software for the Network Time Protocol.

+
+ +

Multiple vulnerabilities have been discovered in NTP. Please review the + CVE identifiers referenced below for details. +

+
+ +

A remote attacker could possibly cause a Denial of Service condition.

+
+ +

There is no known workaround at this time.

+
+ +

All NTP users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/ntp-4.2.8_p8" + +
+ + CVE-2015-7691 + CVE-2015-7692 + CVE-2015-7701 + CVE-2015-7702 + CVE-2015-7703 + CVE-2015-7704 + CVE-2015-7705 + CVE-2015-7848 + CVE-2015-7849 + CVE-2015-7850 + CVE-2015-7851 + CVE-2015-7852 + CVE-2015-7853 + CVE-2015-7854 + CVE-2015-7855 + CVE-2015-7871 + CVE-2015-7973 + CVE-2015-7974 + CVE-2015-7975 + CVE-2015-7976 + CVE-2015-7977 + CVE-2015-7978 + CVE-2015-7979 + CVE-2015-8138 + CVE-2015-8139 + CVE-2015-8140 + CVE-2015-8158 + CVE-2016-1547 + CVE-2016-1548 + CVE-2016-1549 + CVE-2016-1550 + CVE-2016-1551 + CVE-2016-2516 + CVE-2016-2517 + CVE-2016-2518 + CVE-2016-2519 + CVE-2016-4953 + CVE-2016-4954 + CVE-2016-4955 + CVE-2016-4956 + CVE-2016-4957 + + K_F + + pinkbyte + +
diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-16.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-16.xml new file mode 100644 index 0000000000..1bfeb7b367 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-16.xml @@ -0,0 +1,48 @@ + + + + arpwatch: Privilege escalation + arpwatch is vulnerable to the escalation of privileges. + + July 20, 2016 + July 20, 2016: 1 + 419375 + local, remote + + + 2.1.15-r8 + 2.1.15-r8 + + + +

The ethernet monitor program; for keeping track of ethernet/ip address + pairings. +

+
+ +

Arpwatch does not properly drop supplementary groups.

+
+ +

Attackers, if able to exploit arpwatch, could escalate privileges + outside of the running process. +

+
+ +

There is no known workaround at this time.

+
+ +

All arpwatch users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --verbose --oneshot ">=net-analyzer/arpwatch-2.1.15-r8" + +
+ + + CVE-2012-2653 + + + b-man + b-man +
diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-17.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-17.xml new file mode 100644 index 0000000000..9608edf5ea --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-17.xml @@ -0,0 +1,54 @@ + + + + BeanShell: Arbitrary code execution + BeanShell is vulnerable to the remote execution of arbitrary code + via Java serialization or XStream from an untrusted source. + + + July 30, 2016 + July 30, 2016: 1 + 575482 + remote + + + 2.0_beta6 + 2.0_beta6 + + + +

BeanShell is a small, free, embeddable Java source interpreter with + object scripting language features, written in Java. +

+
+ +

An application that includes BeanShell on the classpath may be + vulnerable if another part of the application uses Java serialization or + XStream to deserialize data from an untrusted source. +

+
+ +

Remote attackers could execute arbitrary code including shell commands.

+
+ +

There is no known workaround at this time.

+
+ +

All BeanShell users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --verbose --oneshot ">=dev-java/bsh-2.0_beta6" + +
+ + + BeanShell 2.0b6 Release Information + + + CVE-2016-2510 + + + b-man + b-man +
diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201608-01.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201608-01.xml new file mode 100644 index 0000000000..f4c378ca61 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201608-01.xml @@ -0,0 +1,55 @@ + + + + OptiPNG: Multiple vulnerabilities + Multiple vulnerabilities have been found in OptiPNG, the worst of + which could lead to the remote execution of arbitrary code, or cause a + Denial of Service condition. + + + August 11, 2016 + August 11, 2016: 1 + 561882 + 579030 + remote + + + 0.7.6 + 0.7.6 + + + +

OptiPNG is a PNG optimizer that recompresses image files to a smaller + size, without losing any information. +

+
+ +

Multiple vulnerabilities have been discovered in OptiPNG. Please review + the CVE identifiers referenced below for details. +

+
+ +

A remote attacker could entice a user to open a specially crafted image + file resulting in the execution of arbitrary code with the privileges of + the process, or a Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All OptiPNG users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-gfx/optipng-0.7.6" + +
+ + CVE-2016-2191 + CVE-2016-3981 + CVE-2016-3982 + + b-man + b-man +
diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201609-01.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201609-01.xml new file mode 100644 index 0000000000..6f4c6eeabc --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201609-01.xml @@ -0,0 +1,98 @@ + + + + QEMU: Multiple vulnerabilities + Multiple vulnerabilities have been found in QEMU, the worst of + which could lead to arbitrary code execution, or cause a Denial of Service + condition. + + qemu + September 25, 2016 + September 26, 2016: 2 + 573816 + 579734 + 580040 + 583496 + 583952 + 584094 + 584102 + 584146 + 584514 + 584630 + 584918 + 589924 + 589928 + 591242 + 591244 + 591374 + 591380 + 591678 + 592430 + 593034 + 593036 + 593038 + 593284 + 593950 + 593956 + remote + + + 2.7.0-r3 + 2.7.0-r3 + + + +

QEMU is a generic and open source machine emulator and virtualizer.

+
+ +

Multiple vulnerabilities have been discovered in QEMU. Please review the + CVE identifiers referenced below for details. +

+
+ +

Local users within a guest QEMU environment can execute arbitrary code + within the host or a cause a Denial of Service condition of the QEMU + guest process. +

+
+ +

There is no known workaround at this time.

+
+ +

All QEMU users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-emulation/qemu-2.7.0-r3" + +
+ + CVE-2016-2841 + CVE-2016-4001 + CVE-2016-4002 + CVE-2016-4020 + CVE-2016-4439 + CVE-2016-4441 + CVE-2016-4453 + CVE-2016-4454 + CVE-2016-4964 + CVE-2016-5106 + CVE-2016-5107 + CVE-2016-5126 + CVE-2016-5238 + CVE-2016-5337 + CVE-2016-5338 + CVE-2016-6490 + CVE-2016-6833 + CVE-2016-6834 + CVE-2016-6836 + CVE-2016-6888 + CVE-2016-7116 + CVE-2016-7156 + CVE-2016-7157 + CVE-2016-7421 + CVE-2016-7422 + + b-man + b-man +
diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201609-02.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201609-02.xml new file mode 100644 index 0000000000..6478422b0f --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201609-02.xml @@ -0,0 +1,52 @@ + + + + Bundler: Insecure installation + A vulnerability has been found in Bundler, allowing injection of + arbitrary code via the gem installation process. + + bundler + September 26, 2016 + September 26, 2016: 1 + 523798 + remote + + + 1.7.3 + 1.7.3 + + + +

Bundler provides a consistent environment for Ruby projects by tracking + and installing the exact gems and versions that are needed. +

+
+ +

Bundler, allows the installation of gems from different sources with the + same names, when multiple top-level gem sources are used. +

+
+ +

Remote attackers could inject arbitrary code via the gem install + process. +

+
+ +

There is no known workaround at this time.

+
+ +

All Bundler users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-ruby/bundler-1.7.3" + +
+ + CVE-2013-0334 + + + BlueKnight + + b-man +
diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201610-01.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201610-01.xml new file mode 100644 index 0000000000..c7907aba64 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201610-01.xml @@ -0,0 +1,51 @@ + + + + Groovy: Arbitrary code execution + Groovy is vulnerable to a remote execution of arbitrary code when + java serialization is used. + + groovy + October 06, 2016 + October 06, 2016: 1 + 555470 + remote + + + 2.4.5 + 2.4.5 + + + +

A multi-faceted language for the Java platform

+
+ +

Groovy’s MethodClosure class, in runtime/MethodClosure.java, is + vulnerable to a crafted serialized object. +

+
+ +

Remote attackers could potentially execute arbitrary code, or cause + Denial of Service condition +

+
+ +

A workaround exists by using a custom security policy file utilizing the + standard Java security manager, or do not rely on serialization to + communicate remotely. +

+
+ +

All Groovy users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-java/groovy-2.4.5" + +
+ + CVE-2015-3253 + + b-man + b-man +
diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201610-02.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201610-02.xml new file mode 100644 index 0000000000..98bf17f1c5 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201610-02.xml @@ -0,0 +1,62 @@ + + + + Apache: Multiple vulnerabilities + Multiple vulnerabilities have been found in Apache, the worst of + which could allow HTTP request smuggling attacks or a Denial of Service + condition. + + + October 06, 2016 + October 06, 2016: 1 + 524680 + 536684 + 554948 + 557198 + 583276 + 588138 + remote + + + 2.2.31 + 2.4.23 + 2.4.23 + + + +

Apache HTTP Server is one of the most popular web servers on the + Internet. +

+
+ +

Multiple vulnerabilities have been discovered in Apache HTTP Server. + Please review the CVE identifiers referenced below for details. +

+
+ +

Remote attackers could bypass intended access restrictions, conduct HTTP + request smuggling attacks, or cause a Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All Apache users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-servers/apache-2.4.23" + +
+ + CVE-2014-3581 + CVE-2015-3183 + CVE-2016-1546 + CVE-2016-4979 + + + BlueKnight + + b-man +
diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201610-03.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201610-03.xml new file mode 100644 index 0000000000..0689a54158 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201610-03.xml @@ -0,0 +1,57 @@ + + + + Quagga: Arbitrary code execution + A buffer overflow in Quagga might allow remote attackers to execute + arbitrary code. + + quagga + October 10, 2016 + October 10, 2016: 1 + 577156 + remote + + + 1.0.20160315 + 1.0.20160315 + + + +

Quagga is a free routing daemon replacing Zebra supporting RIP, OSPF and + BGP. +

+
+ +

A memcpy function in the VPNv4 NLRI parser of bgp_mplsvpn.c does not + properly check the upper-bound length of received Labeled-VPN SAFI routes + data, which may allow for arbitrary code execution on the stack. +

+
+ +

A remote attacker could send a specially crafted packet, possibly + resulting in execution of arbitrary code with the privileges of the + process or a Denial of Service condition. +

+
+ +

There is no known workaround at this time.

+
+ +

All Quagga users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/quagga-1.0.20160315" + + +
+ + CVE-2016-2342 + + + pinkbyte + + + pinkbyte + +
diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201610-04.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201610-04.xml new file mode 100644 index 0000000000..d3d4aee45d --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201610-04.xml @@ -0,0 +1,64 @@ + + + + libgcrypt: Multiple vulnerabilities + Multiple vulnerabilities have been fixed in libgcrypt,the worst of + which results in predictable output from the random number generator. + + libgcrypt + October 10, 2016 + October 10, 2016: 1 + 541564 + 559942 + 574268 + 591534 + remote + + + 1.7.3 + 1.7.3 + + + +

libgcrypt is a general purpose cryptographic library derived out of + GnuPG. +

+
+ +

Multiple vulnerabilities have been discovered in libgcrypt. Please + review the CVE identifiers referenced below for details. +

+
+ +

Side-channel attacks can leak private key information. A separate + critical bug allows an attacker who obtains 4640 bits from the RNG to + trivially predict the next 160 bits of output. +

+ +
+ +

There is no known workaround at this time.

+
+ +

All libgcrypt users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/libgcrypt-1.7.3" + + +
+ + CVE-2014-3591 + CVE-2015-0837 + CVE-2015-7511 + CVE-2016-6313 + + Factoring RSA Keys With TLS Perfect Forward Secrecy + + + + BlueKnight + + K_F +
diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk b/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk
index 259eebd651..261f502200 100644
--- a/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk
+++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk
@@ -1 +1 @@
-Mon, 11 Jul 2016 17:10:51 +0000
+Mon, 10 Oct 2016 14:40:40 +0000