Merge pull request #460 from mischief/glsa-sync

bump(metadata/glsa): sync with upstream
Nick Owens 2016-07-11 11:28:42 -07:00 committed by GitHub
commit 717beb7ee0
15 changed files with 730 additions and 1 deletions

@ -24,6 +24,7 @@
<unaffected range="rge">1.2.53</unaffected>
<unaffected range="rge">1.2.54</unaffected>
<unaffected range="rge">1.2.55</unaffected>
<unaffected range="rge">1.2.56</unaffected>
<vulnerable range="lt">1.4.3</vulnerable>
</package>
</affected>
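Review bot: only the `<affected>` block changes here, with no matching bump to the advisory's `<revised>` element, so confirm the upstream advisory also updated its revision counter for the new `<unaffected range="rge">1.2.56</unaffected>` entry; a range change without a revision bump leaves consumers unable to tell the old and new versions of the advisory apart.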

@ -24,6 +24,7 @@
<unaffected range="rge">1.2.53</unaffected>
<unaffected range="rge">1.2.54</unaffected>
<unaffected range="rge">1.2.55</unaffected>
<unaffected range="rge">1.2.56</unaffected>
<vulnerable range="lt">1.5.10</vulnerable>
</package>
</affected>
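Review bot: an `rge` entry only exempts 1.2.56 and its ebuild revisions (1.2.56-rN), so a future 1.2.57 would fall back under `<vulnerable range="lt">1.5.10</vulnerable>` until another line is added; that is the intended GLSA semantics, but it means the `<revised>` counter (not in this hunk) needs bumping each time, and that bump is not visible here.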

@ -19,6 +19,7 @@
</package>
<package name="dev-db/mariadb" auto="yes" arch="*">
<unaffected range="ge">10.0.16</unaffected>
<unaffected range="rge">5.5.49</unaffected>
<vulnerable range="lt">10.0.16</vulnerable>
</package>
</affected>
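Review bot: `<unaffected range="rge">5.5.49</unaffected>` exempts 5.5.49 and its -rN revisions only; because the vulnerable range stays `lt 10.0.16`, any later 5.5.x release (5.5.50 and up) will be reported vulnerable by glsa-check until a further `rge` line is added, so this entry needs maintaining per 5.5 release rather than once.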

@ -0,0 +1,56 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201606-11">
<title>claws-mail: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in claws-mail,
particularly in the default SSL implementation.
</synopsis>
<product type="ebuild"></product>
<announced>June 26, 2016</announced>
<revised>June 26, 2016: 1</revised>
<bug>525588</bug>
<bug>569010</bug>
<bug>570692</bug>
<access>remote</access>
<affected>
<package name="mail-client/claws-mail" auto="yes" arch="*">
<unaffected range="ge">3.13.2</unaffected>
<vulnerable range="lt">3.13.2</vulnerable>
</package>
</affected>
<background>
<p>Claws Mail is a GTK based e-mail client.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in claws-mail. Please
review the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>An attacker could possibly intercept communications due to the default
implementation of SSL 3.0.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All claws-mail users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=mail-client/claws-mail-3.13.2"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3566">CVE-2014-3566</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8614">CVE-2015-8614</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8614">CVE-2015-8614</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8708">CVE-2015-8708</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8708">CVE-2015-8708</uri>
</references>
<metadata tag="requester" timestamp="Tue, 26 Apr 2016 06:27:10 +0000">
BlueKnight
</metadata>
<metadata tag="submitter" timestamp="Sun, 26 Jun 2016 12:30:09 +0000">b-man</metadata>
</glsa>
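Review bot: the `<references>` block lists CVE-2015-8614 and CVE-2015-8708 twice each, with identical `link` and text; drop the duplicates so the advisory cites three distinct CVEs (CVE-2014-3566, CVE-2015-8614, CVE-2015-8708). Minor: `<product type="ebuild"></product>` is left empty here while other advisories in this sync fill it in.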

@ -0,0 +1,78 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201606-12">
<title>libssh and libssh2: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in libssh and libssh2, the
worst of which allows remote attackers to cause Denial of Service.
</synopsis>
<product type="ebuild"></product>
<announced>June 26, 2016</announced>
<revised>June 26, 2016: 1</revised>
<bug>533366</bug>
<bug>575474</bug>
<bug>575484</bug>
<access>remote</access>
<affected>
<package name="net-libs/libssh" auto="yes" arch="*">
<unaffected range="ge">0.7.3</unaffected>
<vulnerable range="lt">0.7.3</vulnerable>
</package>
<package name="net-libs/libssh2" auto="yes" arch="*">
<unaffected range="ge">1.7.0</unaffected>
<vulnerable range="lt">1.7.0</vulnerable>
</package>
</affected>
<background>
<p>libssh is a mulitplatform C library implementing the SSHv2 and SSHv1
protocol on client and server side.
</p>
</background>
<description>
<p>libssh and libssh2 both have a bits/bytes confusion bug and generate an
abnormaly short ephemeral secret for the diffie-hellman-group1 and
diffie-hellman-group14 key exchange methods. The resulting secret is 128
bits long, instead of the recommended sizes of 1024 and 2048 bits
respectively.
</p>
<p>Additionally, a double free on dangling pointers in initial key exchange
packets within libssh could leave dangling pointers in the session crypto
structures. It is possible to send a malicious kexinit package to
eventually cause a server to do a double-free before this fix. This could
be used for a Denial of Service attack.
</p>
</description>
<impact type="normal">
<p>Remote attackers may gain access to confidential information due to the
short keysize generated by libssh and libssh2, or cause a Denial of
Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All libssh users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-libs/libssh-0.7.3"
</code>
<p>All libssh2 users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-libs/libssh2-1.7.0"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8132">CVE-2014-8132</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0739">CVE-2016-0739</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0787">CVE-2016-0787</uri>
</references>
<metadata tag="requester" timestamp="Tue, 30 Jun 2015 22:23:55 +0000">
keytoaster
</metadata>
<metadata tag="submitter" timestamp="Sun, 26 Jun 2016 12:56:59 +0000">b-man</metadata>
</glsa>
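Review bot: typos in the prose: `mulitplatform` and `abnormaly` in the background and description, and the sentence `a double free on dangling pointers ... could leave dangling pointers` is circular; a clearer reading is that a crafted KEXINIT packet can leave dangling pointers in the session crypto structures that are later double-freed. The background also describes libssh only, although `net-libs/libssh2` is in `<affected>`. Since this is a sync from upstream, these should be fixed in the upstream GLSA rather than patched locally.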

@ -0,0 +1,56 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201606-13">
<title>sudo: Unauthorized privilege escalation in sudoedit</title>
<synopsis>sudo is vulnerable to an escalation of privileges via a symlink
attack.
</synopsis>
<product type="ebuild"></product>
<announced>June 26, 2016</announced>
<revised>June 26, 2016: 1</revised>
<bug>564774</bug>
<access>local</access>
<affected>
<package name="app-admin/sudo" auto="yes" arch="*">
<unaffected range="ge">1.8.15-r1</unaffected>
<vulnerable range="lt">1.8.15-r1</vulnerable>
</package>
</affected>
<background>
<p>sudo (su “do”) allows a system administrator to delegate authority
to give certain users (or groups of users) the ability to run some (or
all) commands as root or another user while providing an audit trail of
the commands and their arguments.
</p>
</background>
<description>
<p>sudoedit in sudo is vulnerable to the escalation of privileges by local
users via a symlink attack. This can be exploited by a file whose full
path is defined using multiple wildcards in /etc/sudoers, as demonstrated
by “/home/<em>/</em>/file.txt.
</p>
</description>
<impact type="normal">
<p>Local users are able to gain unauthorized privileges on the system.</p>
</impact>
<workaround>
<p>There is no known work around at this time.</p>
</workaround>
<resolution>
<p>All sudo users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-admin/sudo-1.8.15-r1"
</code>
</resolution>
<references>
<uri link="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5602">
CVE-2015-5602
</uri>
</references>
<metadata tag="requester" timestamp="Wed, 23 Dec 2015 23:28:50 +0000">
BlueKnight
</metadata>
<metadata tag="submitter" timestamp="Sun, 26 Jun 2016 13:48:21 +0000">b-man</metadata>
</glsa>
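Review bot: the description's path is mangled as rendered here: `/home/<em>/</em>/file.txt` is the wildcard path `/home/*/*/file.txt` with the asterisks turned into emphasis markup, and the opening quote before it has no closing quote; check the source file to make sure the literal asterisks survived the sync. Minor: `work around` in `<workaround>` is spelled `workaround` in the other advisories.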

@ -0,0 +1,67 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201606-14">
<title>ImageMagick: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in ImageMagick including
overflows and possible Denials of Service.
</synopsis>
<product type="ebuild">imagemagick</product>
<announced>June 26, 2016</announced>
<revised>June 26, 2016: 1</revised>
<bug>534106</bug>
<bug>562892</bug>
<access>remote</access>
<affected>
<package name="media-gfx/imagemagick" auto="yes" arch="*">
<unaffected range="ge">6.9.0.3</unaffected>
<vulnerable range="lt">6.9.0.3</vulnerable>
</package>
</affected>
<background>
<p>Imagemagick is a collection of tools and libraries for many image
formats.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in ImageMagick including,
but not limited to, various overflows and potential Denials of Service.
Please visit the references and related bug reports for additional
information.
</p>
</description>
<impact type="normal">
<p>Remote attackers could potentially perform buffer overflows or conduct
Denials of Service.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All ImageMagick users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=media-gfx/imagemagick-6.9.0.3"
</code>
</resolution>
<references>
<uri link="https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1448803">
Double free in coders/pict.c:2000
</uri>
<uri link="https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1490362">
Double free in coders/tga.c:221
</uri>
<uri link="http://www.openwall.com/lists/oss-security/2014/12/24/1">
Imagemagick fuzzing bug
</uri>
<uri link="https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1459747">
Integer and Buffer overflow in coders/icon.c
</uri>
</references>
<metadata tag="requester" timestamp="Sat, 17 Jan 2015 17:37:18 +0000">
BlueKnight
</metadata>
<metadata tag="submitter" timestamp="Sun, 26 Jun 2016 13:53:19 +0000">b-man</metadata>
</glsa>
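Review bot: the `<references>` block cites three Launchpad bugs and an oss-security post but no CVE identifiers, so tooling that matches advisories to CVEs cannot correlate this one; if CVEs were assigned for the coders/pict.c, coders/tga.c and coders/icon.c issues, they belong here as `<uri>` entries like the other advisories use. Minor: `Imagemagick` vs `ImageMagick` capitalisation in the background and references.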

@ -0,0 +1,53 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201606-15">
<title>FreeXL: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in FreeXL, allowing remote
attackers to executive arbitrary code or cause Denial of Service.
</synopsis>
<product type="ebuild"></product>
<announced>June 26, 2016</announced>
<revised>June 26, 2016: 1</revised>
<bug>544426</bug>
<access>remote</access>
<affected>
<package name="dev-libs/freexl" auto="yes" arch="*">
<unaffected range="ge">1.0.1</unaffected>
<vulnerable range="lt">1.0.1</vulnerable>
</package>
</affected>
<background>
<p>FreeXL is an open source library to extract valid data from within an
Excel (.xls) spreadsheet.
</p>
</background>
<description>
<p>FreeXLs shared strings and workbook functions are vulnerable to the
remote execution of arbitrary code and Denial of Service. This can be
achieved through specially crafted workbooks from attackers.
</p>
</description>
<impact type="normal">
<p>Remote attackers could potentially execute arbitrary code or cause
Denial of Service.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All FreeXL users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "dev-libs/freexl-1.0.1"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2753">CVE-2015-2753</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2754">CVE-2015-2754</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2776">CVE-2015-2776</uri>
</references>
<metadata tag="requester" timestamp="Wed, 16 Mar 2016 12:15:29 +0000">b-man</metadata>
<metadata tag="submitter" timestamp="Sun, 26 Jun 2016 23:53:53 +0000">b-man</metadata>
</glsa>
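Review bot: the resolution atom `"dev-libs/freexl-1.0.1"` is missing the `&gt;=` operator every other advisory in this sync uses; as written it does not express the "upgrade to at least 1.0.1" range the text asks for, and Portage expects an operator (`=` or `&gt;=`) on a versioned atom. Typos: `executive arbitrary code` in the synopsis should be `execute`, and `FreeXLs` should be `FreeXL's`.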

@ -0,0 +1,52 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201606-16">
<title>PLIB: Buffer overflow vulnerability</title>
<synopsis>A buffer overflow in PLIB might allow remote attackers to execute
arbitrary code.
</synopsis>
<product type="ebuild"></product>
<announced>June 26, 2016</announced>
<revised>June 26, 2016: 1</revised>
<bug>395553</bug>
<access>remote</access>
<affected>
<package name="media-libs/plib" auto="yes" arch="*">
<unaffected range="ge">1.8.5-r1</unaffected>
<vulnerable range="lt">1.8.5-r1</vulnerable>
</package>
</affected>
<background>
<p>PLIB includes sound effects, music, a complete 3D engine, font
rendering, a simple Windowing library, a game scripting language, a GUI,
networking, 3D math library and a collection of handy utility functions.
</p>
</background>
<description>
<p>A buffer overflow in PLIB allows user-assisted remote attackers to
execute arbitrary code via vectors involving a long error message, as
demonstrated by a crafted acc file for TORCS.
</p>
</description>
<impact type="normal">
<p>Remote attackers could execute arbitrary code with the privileges of the
process.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All PLIB users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --verbose --oneshot "&gt;=media-libs/plib-1.8.5-r1"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4620">CVE-2011-4620</uri>
</references>
<metadata tag="requester" timestamp="Sat, 19 Mar 2016 12:41:25 +0000">b-man</metadata>
<metadata tag="submitter" timestamp="Sun, 26 Jun 2016 23:59:26 +0000">b-man</metadata>
</glsa>
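Review bot: `--ask --verbose --oneshot` has the options in a different order from the `--ask --oneshot --verbose` used in every other advisory here; emerge does not care, but normalising it upstream keeps the resolution blocks consistent. Substantively the advisory is consistent: `ge 1.8.5-r1` / `lt 1.8.5-r1` match the resolution atom.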

@ -0,0 +1,77 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201606-17">
<title>hostapd and wpa_supplicant: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in hostapd and
wpa_supplicant, allowing remote attackers to execute arbitrary code or
cause Denial of Service.
</synopsis>
<product type="ebuild">wpa_supplicant</product>
<announced>June 27, 2016</announced>
<revised>June 27, 2016: 1</revised>
<bug>524928</bug>
<bug>547492</bug>
<bug>548742</bug>
<bug>548744</bug>
<bug>554860</bug>
<bug>554862</bug>
<access>remote</access>
<affected>
<package name="net-wireless/hostapd" auto="yes" arch="*">
<unaffected range="ge">2.5</unaffected>
<vulnerable range="lt">2.5</vulnerable>
</package>
<package name="net-wireless/wpa_supplicant" auto="yes" arch="*">
<unaffected range="ge">2.5-r1</unaffected>
<vulnerable range="lt">2.5-r1</vulnerable>
</package>
</affected>
<background>
<p>wpa_supplicant is a WPA Supplicant with support for WPA and WPA2 (IEEE
802.11i / RSN). hostapd is a user space daemon for access point and
authentication servers.
</p>
</background>
<description>
<p>Multiple vulnerabilities exist in both hostapd and wpa_supplicant.
Please review the CVE identifiers for more information.
</p>
</description>
<impact type="normal">
<p>Remote attackers could execute arbitrary code with the privileges of the
process or cause Denial of Service.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All hostapd users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-wireless/hostapd-2.5"
</code>
<p>All wpa_supplicant users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose
"&gt;=net-wireless/wpa_supplicant-2.5-r1"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3686">CVE-2014-3686</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3686">CVE-2014-3686</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1863">CVE-2015-1863</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4141">CVE-2015-4141</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4142">CVE-2015-4142</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4143">CVE-2015-4143</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4144">CVE-2015-4144</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4145">CVE-2015-4145</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4146">CVE-2015-4146</uri>
</references>
<metadata tag="requester" timestamp="Thu, 30 Apr 2015 18:59:29 +0000">K_F</metadata>
<metadata tag="submitter" timestamp="Mon, 27 Jun 2016 10:31:51 +0000">b-man</metadata>
</glsa>
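Review bot: the second emerge command is broken across two lines inside `<code>` (`# emerge --ask --oneshot --verbose` followed by `"&gt;=net-wireless/wpa_supplicant-2.5-r1"` on its own line); since `<code>` is rendered verbatim, a user pasting it runs emerge with no atom and then a bare quoted string. Join it onto one line like the hostapd command above it. Also, CVE-2014-3686 is listed twice in `<references>`, and `<product>` names only wpa_supplicant although hostapd is affected too.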

@ -0,0 +1,84 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201606-18">
<title>IcedTea: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in IcedTea allowing remote
attackers to affect confidentiality, integrity, and availability through
various vectors.
</synopsis>
<product type="ebuild"></product>
<announced>June 27, 2016</announced>
<revised>June 27, 2016: 1</revised>
<bug>578300</bug>
<bug>578788</bug>
<bug>581028</bug>
<bug>581238</bug>
<access>remote</access>
<affected>
<package name="dev-java/icedtea-bin" auto="yes" arch="*">
<unaffected range="ge">7.2.6.6-r1</unaffected>
<unaffected range="rge">3.0.1</unaffected>
<vulnerable range="lt">7.2.6.6-r1</vulnerable>
</package>
</affected>
<background>
<p>IcedTeas aim is to provide OpenJDK in a form suitable for easy
configuration, compilation and distribution with the primary goal of
allowing inclusion in GNU/Linux distributions.
</p>
</background>
<description>
<p>Various OpenJDK attack vectors in IcedTea, such as 2D, Corba, Hotspot,
Libraries, and JAXP, exist which allows remote attackers to affect the
confidentiality, integrity, and availability of vulnerable systems. Many
of the vulnerabilities can only be exploited through sandboxed Java Web
Start applications and java applets. Please review the CVE identifiers
referenced below for details.
</p>
</description>
<impact type="normal">
<p>Remote attackers may execute arbitrary code, compromise information, or
cause Denial of Service.
</p>
</impact>
<workaround>
<p>There is no known work around at this time.</p>
</workaround>
<resolution>
<p>Gentoo Security is no longer supporting dev-java/icedtea, as it has been
officially dropped from the stable tree.
</p>
<p>Users of the IcedTea 3.x binary package should upgrade to the latest
version:
</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-java/icedtea-bin-3.0.1"
</code>
<p>Users of the IcedTea 7.x binary package should upgrade to the latest
version:
</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-java/icedtea-7.2.6.6"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0636">CVE-2016-0636</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0636">CVE-2016-0636</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0686">CVE-2016-0686</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0687">CVE-2016-0687</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0695">CVE-2016-0695</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3422">CVE-2016-3422</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3425">CVE-2016-3425</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3427">CVE-2016-3427</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3443">CVE-2016-3443</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3449">CVE-2016-3449</uri>
</references>
<metadata tag="requester" timestamp="Sat, 25 Jun 2016 12:17:07 +0000">b-man</metadata>
<metadata tag="submitter" timestamp="Mon, 27 Jun 2016 22:40:49 +0000">b-man</metadata>
</glsa>
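Review bot: the 7.x resolution command is `"&gt;=dev-java/icedtea-7.2.6.6"`, but the only package in `<affected>` is `dev-java/icedtea-bin`, whose unaffected version is `7.2.6.6-r1`, and the paragraph above says `dev-java/icedtea` is no longer supported; the atom should be `&gt;=dev-java/icedtea-bin-7.2.6.6-r1` to match the `<affected>` block. Also: CVE-2016-0636 is duplicated in `<references>`, `IcedTeas` should be `IcedTea's`, `work around` should be `workaround`, and `rge 3.0.1` exempts only 3.0.1-rN, so a 3.0.2 release would need a new entry.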

@ -0,0 +1,47 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201606-19">
<title>kwalletd: Information disclosure</title>
<synopsis>Kwalletd password stores are vulnerable to codebook attacks.</synopsis>
<product type="ebuild">kwalletd</product>
<announced>June 27, 2016</announced>
<revised>June 27, 2016: 1</revised>
<bug>496768</bug>
<access>local</access>
<affected>
<package name="kde-apps/kwalletd" auto="yes" arch="*">
<unaffected range="ge">4.14.3-r2</unaffected>
<vulnerable range="lt">4.14.3-r2</vulnerable>
</package>
</affected>
<background>
<p>Kwalletd is is a credentials management application for KDE.</p>
</background>
<description>
<p>Kwalletd in KWallet uses Blowfish with ECB mode instead of CBC mode when
encrypting the password store.
</p>
</description>
<impact type="normal">
<p>Local attackers, with access to the password store, could conduct a
codebook attack in order to obtain confidential passwords.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All kwalletd users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=kde-apps/kwalletd-4.14.3-r1"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7252">CVE-2013-7252</uri>
</references>
<metadata tag="requester" timestamp="Mon, 11 May 2015 16:07:07 +0000">K_F</metadata>
<metadata tag="submitter" timestamp="Mon, 27 Jun 2016 22:45:32 +0000">b-man</metadata>
</glsa>
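Review bot: the resolution atom `"&gt;=kde-apps/kwalletd-4.14.3-r1"` does not match `<unaffected range="ge">4.14.3-r2</unaffected>`: a user following it can end up on 4.14.3-r1, which `<vulnerable range="lt">4.14.3-r2</vulnerable>` still flags as vulnerable, so the atom should read `&gt;=kde-apps/kwalletd-4.14.3-r2`. Minor: `is is` in the background.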

@ -0,0 +1,78 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201607-01">
<title>Squid: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Squid, the worst of
which could lead to arbitrary code execution, or cause a Denial of Service
condition.
</synopsis>
<product type="ebuild"></product>
<announced>July 09, 2016</announced>
<revised>July 09, 2016: 1</revised>
<bug>536276</bug>
<bug>575542</bug>
<bug>578970</bug>
<bug>580656</bug>
<bug>582814</bug>
<access>remote</access>
<affected>
<package name="net-proxy/squid" auto="yes" arch="*">
<unaffected range="ge">3.5.19</unaffected>
<vulnerable range="lt">3.5.19</vulnerable>
</package>
</affected>
<background>
<p>Squid is a full-featured Web proxy cache designed to run on Unix
systems. It supports proxying and caching of HTTP, FTP, and other URLs,
as well as SSL support, cache hierarchies, transparent caching, access
control lists and many other features.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Squid. Please review
the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>An attacker can possibly execute arbitrary code or create a Denial of
Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Squid users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-proxy/squid-3.5.19"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6270">CVE-2014-6270</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6270">CVE-2014-6270</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2569">CVE-2016-2569</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2569">CVE-2016-2569</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2570">CVE-2016-2570</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2570">CVE-2016-2570</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2571">CVE-2016-2571</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2571">CVE-2016-2571</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2572">CVE-2016-2572</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2572">CVE-2016-2572</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3947">CVE-2016-3947</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3948">CVE-2016-3948</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4051">CVE-2016-4051</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4052">CVE-2016-4052</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4053">CVE-2016-4053</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4054">CVE-2016-4054</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4553">CVE-2016-4553</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4554">CVE-2016-4554</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4555">CVE-2016-4555</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4556">CVE-2016-4556</uri>
</references>
<metadata tag="requester" timestamp="Tue, 05 Apr 2016 04:00:07 +0000">
BlueKnight
</metadata>
<metadata tag="submitter" timestamp="Sat, 09 Jul 2016 01:46:31 +0000">b-man</metadata>
</glsa>
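Review bot: `<references>` repeats CVE-2014-6270, CVE-2016-2569, CVE-2016-2570, CVE-2016-2571 and CVE-2016-2572, each listed twice with identical links; de-duplicate so the block lists the fifteen distinct CVEs once each.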

@ -0,0 +1,78 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201607-02">
<title>libpcre: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in libpcre, the worst of
which could lead to arbitrary code execution, or cause a Denial of Service
condition.
</synopsis>
<product type="ebuild"></product>
<announced>July 09, 2016</announced>
<revised>July 09, 2016: 1</revised>
<bug>529952</bug>
<bug>551240</bug>
<bug>553300</bug>
<bug>570694</bug>
<bug>575546</bug>
<access>remote</access>
<affected>
<package name="dev-libs/libpcre" auto="yes" arch="*">
<unaffected range="ge">8.38-r1</unaffected>
<vulnerable range="lt">8.38-r1</vulnerable>
</package>
</affected>
<background>
<p>libpcre is a library providing functions for Perl-compatible regular
expressions.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in libpcre. Please review
the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>An attacker can possibly execute arbitrary code or create a Denial of
Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All libpcre users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-libs/libpcre-8.38-r1"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8964">CVE-2014-8964</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8964">CVE-2014-8964</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5073">CVE-2015-5073</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5073">CVE-2015-5073</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5073">CVE-2015-5073</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8380">CVE-2015-8380</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8381">CVE-2015-8381</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8383">CVE-2015-8383</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8384">CVE-2015-8384</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8385">CVE-2015-8385</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8386">CVE-2015-8386</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8387">CVE-2015-8387</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8388">CVE-2015-8388</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8389">CVE-2015-8389</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8390">CVE-2015-8390</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8391">CVE-2015-8391</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8392">CVE-2015-8392</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8393">CVE-2015-8393</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8394">CVE-2015-8394</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8395">CVE-2015-8395</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1283">CVE-2016-1283</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1283">CVE-2016-1283</uri>
</references>
<metadata tag="requester" timestamp="Thu, 25 Feb 2016 06:59:58 +0000">
BlueKnight
</metadata>
<metadata tag="submitter" timestamp="Sat, 09 Jul 2016 02:07:37 +0000">b-man</metadata>
</glsa>
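Review bot: `<references>` lists CVE-2014-8964 twice, CVE-2015-5073 three times and CVE-2016-1283 twice; remove the duplicates. The same duplication appears in several advisories in this sync, so it is likely an upstream generation issue worth raising there rather than patching per file.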

@ -1 +1 @@
Wed, 22 Jun 2016 17:40:47 +0000
Mon, 11 Jul 2016 17:10:51 +0000