mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-08-18 21:11:08 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #480 from mischief/glsa

Browse Source 
bump(metadata/glsa): sync with upstream
This commit is contained in:
Nick Owens 2016-10-10 14:40:55 -07:00 committed by GitHub
commit 712511a0aa
26 changed files with 1350 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201402-24.xml vendored
View File

@ -8,7 +8,7 @@
</synopsis> </synopsis>
<product type="ebuild">gnupg libgcrypt</product> <product type="ebuild">gnupg libgcrypt</product>
<announced>February 21, 2014</announced> <announced>February 21, 2014</announced>
<revised>July 07, 2014: 2</revised> <revised>August 24, 2016: 3</revised>
<bug>449546</bug> <bug>449546</bug>
<bug>478184</bug> <bug>478184</bug>
<bug>484836</bug> <bug>484836</bug>
@ -23,6 +23,7 @@
<unaffected range="rge">1.4.18</unaffected> <unaffected range="rge">1.4.18</unaffected>
<unaffected range="rge">1.4.19</unaffected> <unaffected range="rge">1.4.19</unaffected>
<unaffected range="rge">1.4.20</unaffected> <unaffected range="rge">1.4.20</unaffected>
<unaffected range="rge">1.4.21</unaffected>
<vulnerable range="lt">2.0.22</vulnerable> <vulnerable range="lt">2.0.22</vulnerable>
</package> </package>
<package name="dev-libs/libgcrypt" auto="yes" arch="*"> <package name="dev-libs/libgcrypt" auto="yes" arch="*">
@ -86,5 +87,5 @@
</uri> </uri>
</references> </references>
<metadata tag="requester" timestamp="Tue, 15 Jan 2013 21:37:26 +0000">ackle</metadata> <metadata tag="requester" timestamp="Tue, 15 Jan 2013 21:37:26 +0000">ackle</metadata>
<metadata tag="submitter" timestamp="Mon, 07 Jul 2014 12:54:35 +0000">ackle</metadata> <metadata tag="submitter" timestamp="Wed, 24 Aug 2016 12:08:25 +0000">ackle</metadata>
</glsa> </glsa>

1
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201507-20.xml vendored
View File

@ -31,6 +31,7 @@
<unaffected range="rge">9.3.9</unaffected> <unaffected range="rge">9.3.9</unaffected>
<unaffected range="rge">9.3.10</unaffected> <unaffected range="rge">9.3.10</unaffected>
<unaffected range="rge">9.3.11</unaffected> <unaffected range="rge">9.3.11</unaffected>
<unaffected range="rge">9.3.12</unaffected>
<vulnerable range="lt">9.4.3</vulnerable> <vulnerable range="lt">9.4.3</vulnerable>
</package> </package>
</affected> </affected>

1
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201606-18.xml vendored
View File

@ -18,6 +18,7 @@
<package name="dev-java/icedtea-bin" auto="yes" arch="*"> <package name="dev-java/icedtea-bin" auto="yes" arch="*">
<unaffected range="ge">7.2.6.6-r1</unaffected> <unaffected range="ge">7.2.6.6-r1</unaffected>
<unaffected range="rge">3.0.1</unaffected> <unaffected range="rge">3.0.1</unaffected>
<unaffected range="rge">3.1.0</unaffected>
<vulnerable range="lt">7.2.6.6-r1</vulnerable> <vulnerable range="lt">7.2.6.6-r1</vulnerable>
</package> </package>
</affected> </affected>

83
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-03.xml vendored Normal file
View File

@ -0,0 +1,83 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201607-03">
<title>Adobe Flash Player: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Adobe Flash Player, the
worst of which allows remote attackers to execute arbitrary code.
</synopsis>
<product type="ebuild"></product>
<announced>July 13, 2016</announced>
<revised>July 13, 2016: 2</revised>
<bug>588738</bug>
<access>remote</access>
<affected>
<package name="www-plugins/adobe-flash" auto="yes" arch="*">
<unaffected range="ge">11.2.202.632</unaffected>
<vulnerable range="lt">11.2.202.632</vulnerable>
</package>
</affected>
<background>
<p>The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Adobe Flash Player.
Please review the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could possibly execute arbitrary code with the
privileges of the process, cause a Denial of Service condition, obtain
sensitive information, or bypass security restrictions.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Adobe Flash Player users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "www-plugins/adobe-flash-11.2.202.632"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4217">CVE-2016-4217</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4218">CVE-2016-4218</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4219">CVE-2016-4219</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4220">CVE-2016-4220</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4221">CVE-2016-4221</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4222">CVE-2016-4222</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4223">CVE-2016-4223</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4224">CVE-2016-4224</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4225">CVE-2016-4225</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4226">CVE-2016-4226</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4227">CVE-2016-4227</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4228">CVE-2016-4228</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4229">CVE-2016-4229</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4230">CVE-2016-4230</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4231">CVE-2016-4231</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4232">CVE-2016-4232</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4233">CVE-2016-4233</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4234">CVE-2016-4234</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4235">CVE-2016-4235</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4236">CVE-2016-4236</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4237">CVE-2016-4237</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4238">CVE-2016-4238</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4239">CVE-2016-4239</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4240">CVE-2016-4240</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4241">CVE-2016-4241</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4242">CVE-2016-4242</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4243">CVE-2016-4243</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4244">CVE-2016-4244</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4245">CVE-2016-4245</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4246">CVE-2016-4246</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4247">CVE-2016-4247</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4248">CVE-2016-4248</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4249">CVE-2016-4249</uri>
</references>
<metadata tag="requester" timestamp="Wed, 13 Jul 2016 18:15:38 +0000">b-man</metadata>
<metadata tag="submitter" timestamp="Wed, 13 Jul 2016 18:55:55 +0000">b-man</metadata>
</glsa>

58
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-04.xml vendored Normal file
View File

@ -0,0 +1,58 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201607-04">
<title>GD: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in GD, the worst of which
allows remote attackers to execute arbitrary code.
</synopsis>
<product type="ebuild"></product>
<announced>July 16, 2016</announced>
<revised>July 16, 2016: 1</revised>
<bug>504872</bug>
<bug>538686</bug>
<bug>581942</bug>
<access>remote</access>
<affected>
<package name="media-libs/gd" auto="yes" arch="*">
<unaffected range="ge">2.2.2</unaffected>
<vulnerable range="lt">2.2.2</vulnerable>
</package>
</affected>
<background>
<p>GD is a graphic library for fast image creation.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in GD. Please review the
CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could possibly execute arbitrary code with the
privileges of the process, or cause a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All GD users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=media-libs/gd-2.2.2"
</code>
</resolution>
<references>
<uri link="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2497">
CVE-2014-2497
</uri>
<uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9709">
CVE-2014-9709
</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3074">CVE-2016-3074</uri>
</references>
<metadata tag="requester" timestamp="Thu, 25 Feb 2016 07:19:37 +0000">
BlueKnight
</metadata>
<metadata tag="submitter" timestamp="Sat, 16 Jul 2016 13:08:00 +0000">b-man</metadata>
</glsa>

62
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-05.xml vendored Normal file
View File

@ -0,0 +1,62 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201607-05">
<title>Cacti: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Cacti, the worst of
which could lead to the remote execution of arbitrary code.
</synopsis>
<product type="ebuild"></product>
<announced>July 16, 2016</announced>
<revised>July 16, 2016: 1</revised>
<bug>519900</bug>
<bug>568400</bug>
<bug>570984</bug>
<bug>574412</bug>
<bug>582996</bug>
<access>remote</access>
<affected>
<package name="net-analyzer/cacti" auto="yes" arch="*">
<unaffected range="ge">0.8.8h</unaffected>
<vulnerable range="lt">0.8.8h</vulnerable>
</package>
</affected>
<background>
<p>Cacti is a complete frontend to rrdtool.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Cacti. Please review
the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could possibly execute arbitrary code with the
privileges of the process, or remote authenticated users could bypass
intended access restrictions.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Cacti users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-analyzer/cacti-0.8.8h"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5261">CVE-2014-5261</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5262">CVE-2014-5262</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8369">CVE-2015-8369</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8377">CVE-2015-8377</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8604">CVE-2015-8604</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2313">CVE-2016-2313</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3172">CVE-2016-3172</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3659">CVE-2016-3659</uri>
</references>
<metadata tag="requester" timestamp="Tue, 26 Apr 2016 06:10:39 +0000">
BlueKnight
</metadata>
<metadata tag="submitter" timestamp="Sat, 16 Jul 2016 13:14:38 +0000">b-man</metadata>
</glsa>

48
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-06.xml vendored Normal file
View File

@ -0,0 +1,48 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201607-06">
<title>CUPS: Buffer overflow</title>
<synopsis>A buffer overflow in CUPS might allow remote attackers to execute
arbitrary code.
</synopsis>
<product type="ebuild"></product>
<announced>July 16, 2016</announced>
<revised>July 16, 2016: 1</revised>
<bug>539582</bug>
<access>remote</access>
<affected>
<package name="net-print/cups" auto="yes" arch="*">
<unaffected range="ge">2.0.2-r1</unaffected>
<vulnerable range="lt">2.0.2-r1</vulnerable>
</package>
</affected>
<background>
<p>CUPS, the Common Unix Printing System, is a full-featured print server.</p>
</background>
<description>
<p>A vulnerability has been discovered in CUPS concerning the handling of
compressed raster files.
</p>
</description>
<impact type="normal">
<p>A remote attacker could possibly execute arbitrary code with the
privileges of the process.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All CUPS users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-print/cups-2.0.2-r1"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9679">CVE-2014-9679</uri>
</references>
<metadata tag="requester" timestamp="Fri, 01 Jul 2016 05:48:13 +0000">b-man</metadata>
<metadata tag="submitter" timestamp="Sat, 16 Jul 2016 13:19:26 +0000">b-man</metadata>
</glsa>

77
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-07.xml vendored Normal file
View File

@ -0,0 +1,77 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201607-07">
<title>Chromium: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in the Chromium web
browser, the worst of which allows remote attackers to execute arbitrary
code.
</synopsis>
<product type="ebuild"></product>
<announced>July 16, 2016</announced>
<revised>July 16, 2016: 1</revised>
<bug>584310</bug>
<bug>586704</bug>
<access>remote</access>
<affected>
<package name="www-client/chromium" auto="yes" arch="*">
<unaffected range="ge">51.0.2704.103</unaffected>
<vulnerable range="lt">51.0.2704.103</vulnerable>
</package>
</affected>
<background>
<p>Chromium is an open-source browser project that aims to build a safer,
faster, and more stable way for all users to experience the web.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in the Chromium web
browser. Please review the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could possibly execute arbitrary code with the
privileges of the process, cause a Denial of Service condition, obtain
sensitive information, or bypass security restrictions.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Chromium users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose
"&gt;=www-client/chromium-51.0.2704.103"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1672">CVE-2016-1672</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1673">CVE-2016-1673</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1674">CVE-2016-1674</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1675">CVE-2016-1675</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1676">CVE-2016-1676</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1677">CVE-2016-1677</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1678">CVE-2016-1678</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1679">CVE-2016-1679</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1680">CVE-2016-1680</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1681">CVE-2016-1681</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1682">CVE-2016-1682</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1683">CVE-2016-1683</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1684">CVE-2016-1684</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1685">CVE-2016-1685</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1686">CVE-2016-1686</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1687">CVE-2016-1687</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1688">CVE-2016-1688</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1689">CVE-2016-1689</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1690">CVE-2016-1690</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1691">CVE-2016-1691</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1692">CVE-2016-1692</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1693">CVE-2016-1693</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1694">CVE-2016-1694</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1695">CVE-2016-1695</uri>
</references>
<metadata tag="requester" timestamp="Wed, 22 Jun 2016 11:53:59 +0000">b-man</metadata>
<metadata tag="submitter" timestamp="Sat, 16 Jul 2016 13:23:11 +0000">b-man</metadata>
</glsa>

49
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-08.xml vendored Normal file
View File

@ -0,0 +1,49 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201607-08">
<title>Dropbear: Privilege escalation</title>
<synopsis>A vulnerability has been found in Dropbear, which allows remote
authenticated users to bypass intended shell-command restrictions.
</synopsis>
<product type="ebuild"></product>
<announced>July 20, 2016</announced>
<revised>July 20, 2016: 1</revised>
<bug>577050</bug>
<access>remote</access>
<affected>
<package name="net-misc/dropbear" auto="yes" arch="*">
<unaffected range="ge">2016.73</unaffected>
<vulnerable range="lt">2016.73</vulnerable>
</package>
</affected>
<background>
<p>Dropbear is a relatively small SSH server and client.</p>
</background>
<description>
<p>A CRLF injection vulnerability in Dropbear SSH allows remote
authenticated users to bypass intended shell-command restrictions via
crafted X11 forwarding data.
</p>
</description>
<impact type="normal">
<p>A remote authenticated user could execute arbitrary code with the
privileges of the process.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Dropbear users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-misc/dropbear-2016.73"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3116">CVE-2016-3116</uri>
</references>
<metadata tag="requester" timestamp="Tue, 21 Jun 2016 05:13:38 +0000">b-man</metadata>
<metadata tag="submitter" timestamp="Wed, 20 Jul 2016 08:45:10 +0000">b-man</metadata>
</glsa>

52
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-09.xml vendored Normal file
View File

@ -0,0 +1,52 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201607-09">
<title>Commons-BeanUtils: Arbitrary code execution</title>
<synopsis>Apache Commons BeanUtils does not properly suppress the class
property, which could lead to the remote execution of arbitrary code.
</synopsis>
<product type="ebuild">commons-beanutils</product>
<announced>July 20, 2016</announced>
<revised>July 20, 2016: 1</revised>
<bug>534498</bug>
<access>remote</access>
<affected>
<package name="dev-java/commons-beanutils" auto="yes" arch="*">
<unaffected range="ge">1.9.2</unaffected>
<vulnerable range="lt">1.9.2</vulnerable>
</package>
</affected>
<background>
<p>Commons-beanutils provides easy-to-use wrappers around Reflection and
Introspection APIs
</p>
</background>
<description>
<p>Apache Commons BeanUtils does not suppress the class property, which
allows for the manipulation of the ClassLoader.
</p>
</description>
<impact type="normal">
<p>Remote attackers could potentially execute arbitrary code with the
privileges of the process.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Commons BeanUtils users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose
"&gt;=dev-java/commons-beanutils-1.9.2"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0114">CVE-2014-0114</uri>
</references>
<metadata tag="requester" timestamp="Sat, 05 Sep 2015 19:30:11 +0000">Zlogene</metadata>
<metadata tag="submitter" timestamp="Wed, 20 Jul 2016 08:50:29 +0000">b-man</metadata>
</glsa>

49
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-10.xml vendored Normal file
View File

@ -0,0 +1,49 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201607-10">
<title>Varnish: Multiple vulnerabilities</title>
<synopsis>Improper input validation in Varnish allows remote attackers to
conduct HTTP smuggling attacks, and possibly trigger a buffer overflow.
</synopsis>
<product type="ebuild"></product>
<announced>July 20, 2016</announced>
<revised>July 20, 2016: 1</revised>
<bug>542886</bug>
<access>remote</access>
<affected>
<package name="www-servers/varnish" auto="yes" arch="*">
<unaffected range="ge">3.0.7</unaffected>
<vulnerable range="lt">3.0.7</vulnerable>
</package>
</affected>
<background>
<p>Varnish is a web application accelerator.</p>
</background>
<description>
<p>Varnish fails to properly validate input from HTTP headers, and does not
deny requests with multiple Content-Length headers.
</p>
</description>
<impact type="normal">
<p>Remote attackers could conduct an HTTP response splitting attack, which
may further enable them to conduct Cross-Site Scripting (XSS), Cache
Poisoning, Defacement, and Page Hijacking.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Varnish users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=www-servers/varnish-3.0.7"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8852">CVE-2015-8852</uri>
</references>
<metadata tag="requester" timestamp="Sat, 02 Jul 2016 01:59:09 +0000">b-man</metadata>
<metadata tag="submitter" timestamp="Wed, 20 Jul 2016 09:01:06 +0000">b-man</metadata>
</glsa>

68
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-11.xml vendored Normal file
View File

@ -0,0 +1,68 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201607-11">
<title>Bugzilla: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Bugzilla, the worst of
which could lead to the escalation of privileges.
</synopsis>
<product type="ebuild"></product>
<announced>July 20, 2016</announced>
<revised>July 20, 2016: 1</revised>
<bug>524316</bug>
<bug>537448</bug>
<bug>560406</bug>
<bug>583236</bug>
<access>remote</access>
<affected>
<package name="www-apps/bugzilla" auto="yes" arch="*">
<unaffected range="ge">5.0.3</unaffected>
<unaffected range="rgt">4.4.12</unaffected>
<vulnerable range="lt">5.0.3</vulnerable>
</package>
</affected>
<background>
<p>Bugzilla is the bug-tracking system from the Mozilla project.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Bugzilla. Please review
the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>Privileged account holders could execute system level commands, and the
new user process could be exploited to allow for the escalation of
privileges.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Bugzilla 4.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=www-apps/bugzilla-4.4.12"
</code>
<p>All Bugzilla 5.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=www-apps/bugzilla-5.0.3"
</code>
</resolution>
<references>
<uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1572">
CVE-2014-1572
</uri>
<uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1573">
CVE-2014-1573
</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8630">CVE-2014-8630</uri>
</references>
<metadata tag="requester" timestamp="Thu, 25 Feb 2016 05:32:55 +0000">
BlueKnight
</metadata>
<metadata tag="submitter" timestamp="Wed, 20 Jul 2016 11:12:25 +0000">b-man</metadata>
</glsa>

55
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-12.xml vendored Normal file
View File

@ -0,0 +1,55 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201607-12">
<title>Exim: Arbitrary code execution</title>
<synopsis>A local attacker could execute arbitrary code by providing
unsanitized data to a data source or escalate privileges.
</synopsis>
<product type="ebuild">exim</product>
<announced>July 20, 2016</announced>
<revised>July 20, 2016: 1</revised>
<bug>517934</bug>
<bug>576582</bug>
<access>local</access>
<affected>
<package name="mail-mta/exim" auto="yes" arch="*">
<unaffected range="ge">4.87</unaffected>
<vulnerable range="lt">4.87</vulnerable>
</package>
</affected>
<background>
<p>Exim is a message transfer agent (MTA) designed to be a a highly
configurable, drop-in replacement for sendmail.
</p>
</background>
<description>
<p>Vulnerabilities have been discovered in Exims implementation of
set-uid root and when using perl_startup. These vulnerabilities
require a user account on the Exim server and a configuration that does
lookups against files to which the user has edit access.
</p>
</description>
<impact type="normal">
<p>A local attacker could possibly execute arbitrary code with the
privileges of the process, or escalate privileges.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Exim users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=mail-mta/exim-4.87"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2972">CVE-2014-2972</uri>
</references>
<metadata tag="requester" timestamp="Sat, 28 Mar 2015 20:38:10 +0000">
keytoaster
</metadata>
<metadata tag="submitter" timestamp="Wed, 20 Jul 2016 11:18:46 +0000">b-man</metadata>
</glsa>

54
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-13.xml vendored Normal file
View File

@ -0,0 +1,54 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201607-13">
<title>libbsd: Arbitrary code execution</title>
<synopsis>A buffer overflow in libbsd might allow remote attackers to execute
arbitrary code.
</synopsis>
<product type="ebuild"></product>
<announced>July 20, 2016</announced>
<revised>July 20, 2016: 1</revised>
<bug>573160</bug>
<access>remote</access>
<affected>
<package name="dev-libs/libbsd" auto="yes" arch="*">
<unaffected range="ge">0.8.2</unaffected>
<vulnerable range="lt">0.8.2</vulnerable>
</package>
</affected>
<background>
<p>This library provides useful functions commonly found on BSD systems,
and lacking on others like GNU systems, thus making it easier to port
projects with strong BSD origins, without needing to embed the same code
over and over again on each project.
</p>
</background>
<description>
<p>libbsd contains a buffer overflow in the fgetwln() function. An if
statement, which is responsible for checking the necessity to reallocate
memory in the target buffer, is off by one therefore an out of bounds
write occurs.
</p>
</description>
<impact type="normal">
<p>Remote attackers could potentially execute arbitrary code with the
privileges of the process.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All libbsd users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --verbose --oneshot "&gt;=dev-libs/libbsd-0.8.2"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2090">CVE-2016-2090</uri>
</references>
<metadata tag="requester" timestamp="Sat, 19 Mar 2016 13:08:02 +0000">b-man</metadata>
<metadata tag="submitter" timestamp="Wed, 20 Jul 2016 11:20:49 +0000">b-man</metadata>
</glsa>

57
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-14.xml vendored Normal file
View File

@ -0,0 +1,57 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201607-14">
<title>Ansible: Privilege escalation</title>
<synopsis>A vulnerability in Ansible may allow local attackers to gain
escalated privileges or write arbitrary files.
</synopsis>
<product type="ebuild">ansible</product>
<announced>July 20, 2016</announced>
<revised>July 20, 2016: 2</revised>
<bug>578814</bug>
<access>local</access>
<affected>
<package name="app-admin/ansible" auto="yes" arch="*">
<unaffected range="ge">2.0.2.0-r1</unaffected>
<unaffected range="rge">1.9.6</unaffected>
<vulnerable range="lt">2.0.2.0-r1</vulnerable>
</package>
</affected>
<background>
<p>Ansible is a radically simple IT automation platform.</p>
</background>
<description>
<p>The create_script function in the lxc_container module of Ansible uses
predictable temporary file names, making it vulnerable to a symlink
attack.
</p>
</description>
<impact type="normal">
<p>Local attackers could write arbitrary files or gain escalated privileges
within the container.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Ansible 1.9.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-admin/ansible-1.9.6"
</code>
<p>All Ansible 2.0.2.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-admin/ansible-2.0.2.0-r1"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3096">CVE-2016-3096</uri>
</references>
<metadata tag="requester" timestamp="Sat, 25 Jun 2016 23:46:35 +0000">b-man</metadata>
<metadata tag="submitter" timestamp="Wed, 20 Jul 2016 11:34:27 +0000">ackle</metadata>
</glsa>

91
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-15.xml vendored Normal file
View File

@ -0,0 +1,91 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201607-15">
<title>NTP: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in NTP, the worst of which
could lead to Denial of Service.
</synopsis>
<product type="ebuild">ntp</product>
<announced>July 20, 2016</announced>
<revised>July 20, 2016: 1</revised>
<bug>563774</bug>
<bug>572452</bug>
<bug>581528</bug>
<bug>584954</bug>
<access>remote</access>
<affected>
<package name="net-misc/ntp" auto="yes" arch="*">
<unaffected range="ge">4.2.8_p8</unaffected>
<vulnerable range="lt">4.2.8_p8</vulnerable>
</package>
</affected>
<background>
<p>NTP contains software for the Network Time Protocol.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in NTP. Please review the
CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could possibly cause a Denial of Service condition.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All NTP users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-misc/ntp-4.2.8_p8"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7691">CVE-2015-7691</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7692">CVE-2015-7692</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7701">CVE-2015-7701</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7702">CVE-2015-7702</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7703">CVE-2015-7703</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7704">CVE-2015-7704</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7705">CVE-2015-7705</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7848">CVE-2015-7848</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7849">CVE-2015-7849</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7850">CVE-2015-7850</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7851">CVE-2015-7851</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7852">CVE-2015-7852</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7853">CVE-2015-7853</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7854">CVE-2015-7854</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7855">CVE-2015-7855</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7871">CVE-2015-7871</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7973">CVE-2015-7973</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7974">CVE-2015-7974</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7975">CVE-2015-7975</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7976">CVE-2015-7976</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7977">CVE-2015-7977</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7978">CVE-2015-7978</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7979">CVE-2015-7979</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8138">CVE-2015-8138</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8139">CVE-2015-8139</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8140">CVE-2015-8140</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8158">CVE-2015-8158</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1547">CVE-2016-1547</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1548">CVE-2016-1548</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1549">CVE-2016-1549</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1550">CVE-2016-1550</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1551">CVE-2016-1551</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2516">CVE-2016-2516</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2517">CVE-2016-2517</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2518">CVE-2016-2518</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2519">CVE-2016-2519</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4953">CVE-2016-4953</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4954">CVE-2016-4954</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4955">CVE-2016-4955</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4956">CVE-2016-4956</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4957">CVE-2016-4957</uri>
</references>
<metadata tag="requester" timestamp="Mon, 08 Feb 2016 20:28:03 +0000">K_F</metadata>
<metadata tag="submitter" timestamp="Wed, 20 Jul 2016 11:50:31 +0000">
pinkbyte
</metadata>
</glsa>

48
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-16.xml vendored Normal file
View File

@ -0,0 +1,48 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201607-16">
<title>arpwatch: Privilege escalation</title>
<synopsis>arpwatch is vulnerable to the escalation of privileges.</synopsis>
<product type="ebuild"></product>
<announced>July 20, 2016</announced>
<revised>July 20, 2016: 1</revised>
<bug>419375</bug>
<access>local, remote</access>
<affected>
<package name="net-analyzer/arpwatch" auto="yes" arch="*">
<unaffected range="ge">2.1.15-r8</unaffected>
<vulnerable range="lt">2.1.15-r8</vulnerable>
</package>
</affected>
<background>
<p>The ethernet monitor program; for keeping track of ethernet/ip address
pairings.
</p>
</background>
<description>
<p>Arpwatch does not properly drop supplementary groups.</p>
</description>
<impact type="high">
<p>Attackers, if able to exploit arpwatch, could escalate privileges
outside of the running process.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All arpwatch users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --verbose --oneshot "&gt;=net-analyzer/arpwatch-2.1.15-r8"
</code>
</resolution>
<references>
<uri link="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2653">
CVE-2012-2653
</uri>
</references>
<metadata tag="requester" timestamp="Sat, 19 Mar 2016 12:49:20 +0000">b-man</metadata>
<metadata tag="submitter" timestamp="Wed, 20 Jul 2016 12:02:59 +0000">b-man</metadata>
</glsa>

54
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201607-17.xml vendored Normal file
View File

@ -0,0 +1,54 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201607-17">
<title>BeanShell: Arbitrary code execution</title>
<synopsis>BeanShell is vulnerable to the remote execution of arbitrary code
via Java serialization or XStream from an untrusted source.
</synopsis>
<product type="ebuild"></product>
<announced>July 30, 2016</announced>
<revised>July 30, 2016: 1</revised>
<bug>575482</bug>
<access>remote</access>
<affected>
<package name="dev-java/bsh" auto="yes" arch="*">
<unaffected range="ge">2.0_beta6</unaffected>
<vulnerable range="lt">2.0_beta6</vulnerable>
</package>
</affected>
<background>
<p>BeanShell is a small, free, embeddable Java source interpreter with
object scripting language features, written in Java.
</p>
</background>
<description>
<p>An application that includes BeanShell on the classpath may be
vulnerable if another part of the application uses Java serialization or
XStream to deserialize data from an untrusted source.
</p>
</description>
<impact type="normal">
<p>Remote attackers could execute arbitrary code including shell commands.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All BeanShell users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --verbose --oneshot "&gt;=dev-java/bsh-2.0_beta6"
</code>
</resolution>
<references>
<uri link="https://github.com/beanshell/beanshell/releases/tag/2.0b6">
BeanShell 2.0b6 Release Information
</uri>
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2510">
CVE-2016-2510
</uri>
</references>
<metadata tag="requester" timestamp="Tue, 15 Mar 2016 10:56:37 +0000">b-man</metadata>
<metadata tag="submitter" timestamp="Sat, 30 Jul 2016 00:53:17 +0000">b-man</metadata>
</glsa>

55
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201608-01.xml vendored Normal file
View File

@ -0,0 +1,55 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201608-01">
<title>OptiPNG: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in OptiPNG, the worst of
which could lead to the remote execution of arbitrary code, or cause a
Denial of Service condition.
</synopsis>
<product type="ebuild"></product>
<announced>August 11, 2016</announced>
<revised>August 11, 2016: 1</revised>
<bug>561882</bug>
<bug>579030</bug>
<access>remote</access>
<affected>
<package name="media-gfx/optipng" auto="yes" arch="*">
<unaffected range="ge">0.7.6</unaffected>
<vulnerable range="lt">0.7.6</vulnerable>
</package>
</affected>
<background>
<p>OptiPNG is a PNG optimizer that recompresses image files to a smaller
size, without losing any information.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in OptiPNG. Please review
the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could entice a user to open a specially crafted image
file resulting in the execution of arbitrary code with the privileges of
the process, or a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All OptiPNG users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=media-gfx/optipng-0.7.6"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2191">CVE-2016-2191</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3981">CVE-2016-3981</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3982">CVE-2016-3982</uri>
</references>
<metadata tag="requester" timestamp="Sun, 26 Jun 2016 12:03:00 +0000">b-man</metadata>
<metadata tag="submitter" timestamp="Thu, 11 Aug 2016 06:06:28 +0000">b-man</metadata>
</glsa>

98
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201609-01.xml vendored Normal file
View File

@ -0,0 +1,98 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201609-01">
<title>QEMU: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in QEMU, the worst of
which could lead to arbitrary code execution, or cause a Denial of Service
condition.
</synopsis>
<product type="ebuild">qemu</product>
<announced>September 25, 2016</announced>
<revised>September 26, 2016: 2</revised>
<bug>573816</bug>
<bug>579734</bug>
<bug>580040</bug>
<bug>583496</bug>
<bug>583952</bug>
<bug>584094</bug>
<bug>584102</bug>
<bug>584146</bug>
<bug>584514</bug>
<bug>584630</bug>
<bug>584918</bug>
<bug>589924</bug>
<bug>589928</bug>
<bug>591242</bug>
<bug>591244</bug>
<bug>591374</bug>
<bug>591380</bug>
<bug>591678</bug>
<bug>592430</bug>
<bug>593034</bug>
<bug>593036</bug>
<bug>593038</bug>
<bug>593284</bug>
<bug>593950</bug>
<bug>593956</bug>
<access>remote</access>
<affected>
<package name="app-emulation/qemu" auto="yes" arch="*">
<unaffected range="ge">2.7.0-r3</unaffected>
<vulnerable range="lt">2.7.0-r3</vulnerable>
</package>
</affected>
<background>
<p>QEMU is a generic and open source machine emulator and virtualizer.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in QEMU. Please review the
CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>Local users within a guest QEMU environment can execute arbitrary code
within the host or a cause a Denial of Service condition of the QEMU
guest process.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All QEMU users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-emulation/qemu-2.7.0-r3"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2841">CVE-2016-2841</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4001">CVE-2016-4001</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4002">CVE-2016-4002</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4020">CVE-2016-4020</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4439">CVE-2016-4439</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4441">CVE-2016-4441</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4453">CVE-2016-4453</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4454">CVE-2016-4454</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4964">CVE-2016-4964</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5106">CVE-2016-5106</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5107">CVE-2016-5107</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5126">CVE-2016-5126</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5238">CVE-2016-5238</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5337">CVE-2016-5337</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5338">CVE-2016-5338</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6490">CVE-2016-6490</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6833">CVE-2016-6833</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6834">CVE-2016-6834</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6836">CVE-2016-6836</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6888">CVE-2016-6888</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7116">CVE-2016-7116</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7156">CVE-2016-7156</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7157">CVE-2016-7157</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7421">CVE-2016-7421</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7422">CVE-2016-7422</uri>
</references>
<metadata tag="requester" timestamp="Fri, 01 Jul 2016 00:30:33 +0000">b-man</metadata>
<metadata tag="submitter" timestamp="Mon, 26 Sep 2016 00:34:50 +0000">b-man</metadata>
</glsa>

52
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201609-02.xml vendored Normal file
View File

@ -0,0 +1,52 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201609-02">
<title>Bundler: Insecure installation</title>
<synopsis>A vulnerability has been found in Bundler, allowing injection of
arbitrary code via the gem installation process.
</synopsis>
<product type="ebuild">bundler</product>
<announced>September 26, 2016</announced>
<revised>September 26, 2016: 1</revised>
<bug>523798</bug>
<access>remote</access>
<affected>
<package name="dev-ruby/bundler" auto="yes" arch="*">
<unaffected range="ge">1.7.3</unaffected>
<vulnerable range="lt">1.7.3</vulnerable>
</package>
</affected>
<background>
<p>Bundler provides a consistent environment for Ruby projects by tracking
and installing the exact gems and versions that are needed.
</p>
</background>
<description>
<p>Bundler, allows the installation of gems from different sources with the
same names, when multiple top-level gem sources are used.
</p>
</description>
<impact type="normal">
<p>Remote attackers could inject arbitrary code via the gem install
process.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Bundler users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-ruby/bundler-1.7.3"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0334">CVE-2013-0334</uri>
</references>
<metadata tag="requester" timestamp="Sat, 31 Jan 2015 22:12:51 +0000">
BlueKnight
</metadata>
<metadata tag="submitter" timestamp="Mon, 26 Sep 2016 04:04:29 +0000">b-man</metadata>
</glsa>

51
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201610-01.xml vendored Normal file
View File

@ -0,0 +1,51 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201610-01">
<title>Groovy: Arbitrary code execution</title>
<synopsis>Groovy is vulnerable to a remote execution of arbitrary code when
java serialization is used.
</synopsis>
<product type="ebuild">groovy</product>
<announced>October 06, 2016</announced>
<revised>October 06, 2016: 1</revised>
<bug>555470</bug>
<access>remote</access>
<affected>
<package name="dev-java/groovy" auto="yes" arch="*">
<unaffected range="ge">2.4.5</unaffected>
<vulnerable range="lt">2.4.5</vulnerable>
</package>
</affected>
<background>
<p>A multi-faceted language for the Java platform</p>
</background>
<description>
<p>Groovys MethodClosure class, in runtime/MethodClosure.java, is
vulnerable to a crafted serialized object.
</p>
</description>
<impact type="normal">
<p>Remote attackers could potentially execute arbitrary code, or cause
Denial of Service condition
</p>
</impact>
<workaround>
<p>A workaround exists by using a custom security policy file utilizing the
standard Java security manager, or do not rely on serialization to
communicate remotely.
</p>
</workaround>
<resolution>
<p>All Groovy users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-java/groovy-2.4.5"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3253">CVE-2015-3253</uri>
</references>
<metadata tag="requester" timestamp="Tue, 15 Mar 2016 09:21:07 +0000">b-man</metadata>
<metadata tag="submitter" timestamp="Thu, 06 Oct 2016 14:32:23 +0000">b-man</metadata>
</glsa>

62
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201610-02.xml vendored Normal file
View File

@ -0,0 +1,62 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201610-02">
<title>Apache: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Apache, the worst of
which could allow HTTP request smuggling attacks or a Denial of Service
condition.
</synopsis>
<product type="ebuild"></product>
<announced>October 06, 2016</announced>
<revised>October 06, 2016: 1</revised>
<bug>524680</bug>
<bug>536684</bug>
<bug>554948</bug>
<bug>557198</bug>
<bug>583276</bug>
<bug>588138</bug>
<access>remote</access>
<affected>
<package name="www-servers/apache" auto="yes" arch="*">
<unaffected range="rgt">2.2.31</unaffected>
<unaffected range="ge">2.4.23</unaffected>
<vulnerable range="lt">2.4.23</vulnerable>
</package>
</affected>
<background>
<p>Apache HTTP Server is one of the most popular web servers on the
Internet.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Apache HTTP Server.
Please review the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>Remote attackers could bypass intended access restrictions, conduct HTTP
request smuggling attacks, or cause a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Apache users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=www-servers/apache-2.4.23"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3581">CVE-2014-3581</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3183">CVE-2015-3183</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1546">CVE-2016-1546</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4979">CVE-2016-4979</uri>
</references>
<metadata tag="requester" timestamp="Sun, 13 Sep 2015 13:17:03 +0000">
BlueKnight
</metadata>
<metadata tag="submitter" timestamp="Thu, 06 Oct 2016 17:20:25 +0000">b-man</metadata>
</glsa>

57
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201610-03.xml vendored Normal file
View File

@ -0,0 +1,57 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201610-03">
<title>Quagga: Arbitrary code execution</title>
<synopsis>A buffer overflow in Quagga might allow remote attackers to execute
arbitrary code.
</synopsis>
<product type="ebuild">quagga</product>
<announced>October 10, 2016</announced>
<revised>October 10, 2016: 1</revised>
<bug>577156</bug>
<access>remote</access>
<affected>
<package name="net-misc/quagga" auto="yes" arch="*">
<unaffected range="ge">1.0.20160315</unaffected>
<vulnerable range="lt">1.0.20160315</vulnerable>
</package>
</affected>
<background>
<p>Quagga is a free routing daemon replacing Zebra supporting RIP, OSPF and
BGP.
</p>
</background>
<description>
<p>A memcpy function in the VPNv4 NLRI parser of bgp_mplsvpn.c does not
properly check the upper-bound length of received Labeled-VPN SAFI routes
data, which may allow for arbitrary code execution on the stack.
</p>
</description>
<impact type="high">
<p>A remote attacker could send a specially crafted packet, possibly
resulting in execution of arbitrary code with the privileges of the
process or a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Quagga users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-misc/quagga-1.0.20160315"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2342">CVE-2016-2342</uri>
</references>
<metadata tag="requester" timestamp="Thu, 06 Oct 2016 14:23:47 +0000">
pinkbyte
</metadata>
<metadata tag="submitter" timestamp="Mon, 10 Oct 2016 08:11:56 +0000">
pinkbyte
</metadata>
</glsa>

64
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201610-04.xml vendored Normal file
View File

@ -0,0 +1,64 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201610-04">
<title>libgcrypt: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been fixed in libgcrypt,the worst of
which results in predictable output from the random number generator.
</synopsis>
<product type="ebuild">libgcrypt</product>
<announced>October 10, 2016</announced>
<revised>October 10, 2016: 1</revised>
<bug>541564</bug>
<bug>559942</bug>
<bug>574268</bug>
<bug>591534</bug>
<access>remote</access>
<affected>
<package name="dev-libs/libgcrypt" auto="yes" arch="*">
<unaffected range="ge">1.7.3</unaffected>
<vulnerable range="lt">1.7.3</vulnerable>
</package>
</affected>
<background>
<p>libgcrypt is a general purpose cryptographic library derived out of
GnuPG.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in libgcrypt. Please
review the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>Side-channel attacks can leak private key information. A separate
critical bug allows an attacker who obtains 4640 bits from the RNG to
trivially predict the next 160 bits of output.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All libgcrypt users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-libs/libgcrypt-1.7.3"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3591">CVE-2014-3591</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0837">CVE-2015-0837</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7511">CVE-2015-7511</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6313">CVE-2016-6313</uri>
<uri link="https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/">
Factoring RSA Keys With TLS Perfect Forward Secrecy
</uri>
</references>
<metadata tag="requester" timestamp="Wed, 02 Dec 2015 21:25:17 +0000">
BlueKnight
</metadata>
<metadata tag="submitter" timestamp="Mon, 10 Oct 2016 11:04:11 +0000">K_F</metadata>
</glsa>

2
sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk vendored
View File

@ -1 +1 @@
Mon, 11 Jul 2016 17:10:51 +0000 Mon, 10 Oct 2016 14:40:40 +0000