bump(metadata/glsa): sync with upstream

sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201611-15.xml

@@ -0,0 +1,55 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201611-15">
+  <title>Poppler: Multiple vulnerabilities</title>
+  <synopsis>Multiple vulnerabilities have been found in Poppler, the worst of
+    which allows remote attackers to execute arbitrary code.
+  </synopsis>
+  <product type="ebuild">poppler</product>
+  <announced>November 22, 2016</announced>
+  <revised>November 22, 2016: 3</revised>
+  <bug>542220</bug>
+  <bug>579752</bug>
+  <access>remote</access>
+  <affected>
+    <package name="app-text/poppler" auto="yes" arch="*">
+      <unaffected range="ge">0.42.0</unaffected>
+      <vulnerable range="lt">0.42.0</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>Poppler is a PDF rendering library based on the xpdf-3.0 code base.</p>
+  </background>
+  <description>
+    <p>Multiple vulnerabilities have been discovered in Poppler. Please review
+      the CVE identifiers referenced below for details.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>A remote attacker could entice a user to open a specially crafted PDF
+      using Poppler, possibly resulting in execution of arbitrary code with the
+      privileges of the process or a Denial of Service condition.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All Poppler users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=app-text/poppler-0.42.0"
+    </code>
+    
+  </resolution>
+  <references>
+    <uri link="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8868">
+      CVE-2015-8868
+    </uri>
+  </references>
+  <metadata tag="requester" timestamp="Sat, 06 Jun 2015 14:35:30 +0000">
+    BlueKnight
+  </metadata>
+  <metadata tag="submitter" timestamp="Tue, 22 Nov 2016 11:58:21 +0000">b-man</metadata>
+</glsa>

sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201611-16.xml

@@ -0,0 +1,56 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201611-16">
+  <title>Chromium: Multiple vulnerabilities</title>
+  <synopsis>Multiple vulnerabilities have been found in the Chromium web
+    browser, the worst of which allows remote attackers to execute arbitrary
+    code.
+  </synopsis>
+  <product type="ebuild">chromium</product>
+  <announced>November 22, 2016</announced>
+  <revised>November 22, 2016: 3</revised>
+  <bug>599416</bug>
+  <access>remote</access>
+  <affected>
+    <package name="www-client/chromium" auto="yes" arch="*">
+      <unaffected range="ge">54.0.2840.100</unaffected>
+      <vulnerable range="lt">54.0.2840.100</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>Chromium is an open-source browser project that aims to build a safer,
+      faster, and more stable way for all users to experience the web.
+    </p>
+  </background>
+  <description>
+    <p>Multiple vulnerabilities have been discovered in the Chromium web
+      browser. Please review the CVE identifiers referenced below for details.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>A remote attacker could possibly execute arbitrary code with the
+      privileges of the process, cause a Denial of Service condition, obtain
+      sensitive information, or bypass security restrictions.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All Chromium users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose
+      "&gt;=www-client/chromium-54.0.2840.100"
+    </code>
+  </resolution>
+  <references>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5199">CVE-2016-5199</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5200">CVE-2016-5200</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5201">CVE-2016-5201</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5202">CVE-2016-5202</uri>
+  </references>
+  <metadata tag="requester" timestamp="Thu, 17 Nov 2016 09:25:06 +0000">b-man</metadata>
+  <metadata tag="submitter" timestamp="Tue, 22 Nov 2016 11:58:33 +0000">b-man</metadata>
+</glsa>

sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201611-17.xml

@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201611-17">
+  <title>RPCBind: Denial of Service</title>
+  <synopsis>A buffer overflow in RPCBind might allow remote attackers to cause
+    a Denial of Service.
+  </synopsis>
+  <product type="ebuild">rpcbind</product>
+  <announced>November 22, 2016</announced>
+  <revised>November 22, 2016: 2</revised>
+  <bug>560990</bug>
+  <access>remote</access>
+  <affected>
+    <package name="net-nds/rpcbind" auto="yes" arch="*">
+      <unaffected range="ge">0.2.3-r1</unaffected>
+      <vulnerable range="lt">0.2.3-r1</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>The RPCBind utility is a server that converts RPC program numbers into
+      universal addresses.
+    </p>
+  </background>
+  <description>
+    <p>A use-after-free vulnerability was discovered in RPCBind’s
+      svc_dodestroy function when trying to free a corrupted xprt-&gt;xp_netid
+      pointer.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>A remote attacker could possibly cause a Denial of Service condition.</p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All RPCBind users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=net-nds/rpcbind-0.2.3-r1"
+    </code>
+  </resolution>
+  <references>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7236">CVE-2015-7236</uri>
+  </references>
+  <metadata tag="requester" timestamp="Wed, 23 Dec 2015 23:23:05 +0000">
+    BlueKnight
+  </metadata>
+  <metadata tag="submitter" timestamp="Tue, 22 Nov 2016 11:58:44 +0000">b-man</metadata>
+</glsa>

sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201611-18.xml

@@ -0,0 +1,68 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201611-18">
+  <title>Adobe Flash Player: Multiple vulnerabilities</title>
+  <synopsis>Multiple vulnerabilities have been found in Adobe Flash Player, the
+    worst of which allows remote attackers to execute arbitrary code.
+  </synopsis>
+  <product type="ebuild">adobe-flash</product>
+  <announced>November 22, 2016</announced>
+  <revised>November 22, 2016: 2</revised>
+  <bug>599204</bug>
+  <access>remote</access>
+  <affected>
+    <package name="www-plugins/adobe-flash" auto="yes" arch="*">
+      <unaffected range="ge">23.0.0.207</unaffected>
+      <unaffected range="rge">11.2.202.644</unaffected>
+      <vulnerable range="lt">23.0.0.207</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>The Adobe Flash Player is a renderer for the SWF file format, which is
+      commonly used to provide interactive websites.
+    </p>
+  </background>
+  <description>
+    <p>Multiple vulnerabilities have been discovered in Adobe Flash Player.
+      Please review the CVE identifiers referenced below for details.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>A remote attacker could possibly execute arbitrary code with the
+      privileges of the process.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All Adobe Flash Player 23.x users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose
+      "&gt;=www-plugins/adobe-flash-23.0.0.207"
+    </code>
+    
+    <p>All Adobe Flash Player 11.x users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose
+      "&gt;=www-plugins/adobe-flash-11.2.202.644"
+    </code>
+  </resolution>
+  <references>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7857">CVE-2016-7857</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7858">CVE-2016-7858</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7859">CVE-2016-7859</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7860">CVE-2016-7860</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7861">CVE-2016-7861</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7862">CVE-2016-7862</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7863">CVE-2016-7863</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7864">CVE-2016-7864</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7865">CVE-2016-7865</uri>
+  </references>
+  <metadata tag="requester" timestamp="Fri, 11 Nov 2016 06:18:07 +0000">b-man</metadata>
+  <metadata tag="submitter" timestamp="Tue, 22 Nov 2016 11:59:00 +0000">b-man</metadata>
+</glsa>

sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201611-19.xml

@@ -0,0 +1,54 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201611-19">
+  <title>Tar: Extract pathname bypass</title>
+  <synopsis>A path traversal attack in Tar may lead to the remote execution of
+    arbitrary code.
+  </synopsis>
+  <product type="ebuild">tar</product>
+  <announced>November 22, 2016</announced>
+  <revised>November 22, 2016: 2</revised>
+  <bug>598334</bug>
+  <access>remote</access>
+  <affected>
+    <package name="app-arch/tar" auto="yes" arch="*">
+      <unaffected range="ge">1.29-r1</unaffected>
+      <vulnerable range="lt">1.29-r1</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>The Tar program provides the ability to create and manipulate tar
+      archives.
+    </p>
+  </background>
+  <description>
+    <p>Tar attempts to avoid path traversal attacks by removing offending parts
+      of the element name at extract. This sanitizing leads to a vulnerability
+      where the attacker can bypass the path name(s) specified on the command
+      line.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>The attacker can create a crafted tar archive that, if extracted by the
+      victim, replaces files and directories the victim has access to in the
+      target directory, regardless of the path name(s) specified on the command
+      line.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All Tar users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=app-arch/tar-1.29-r1"
+    </code>
+  </resolution>
+  <references>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6321">CVE-2016-6321</uri>
+  </references>
+  <metadata tag="requester" timestamp="Fri, 11 Nov 2016 06:05:11 +0000">b-man</metadata>
+  <metadata tag="submitter" timestamp="Tue, 22 Nov 2016 11:59:11 +0000">b-man</metadata>
+</glsa>

sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201611-20.xml

@@ -0,0 +1,57 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201611-20">
+  <title>TestDisk: User-assisted execution of arbitrary code</title>
+  <synopsis>A buffer overflow in TestDisk might allow remote attackers to
+    execute arbitrary code.
+  </synopsis>
+  <product type="ebuild">testdisk</product>
+  <announced>November 22, 2016</announced>
+  <revised>November 22, 2016: 2</revised>
+  <bug>548258</bug>
+  <access>local, remote</access>
+  <affected>
+    <package name="app-admin/testdisk" auto="yes" arch="*">
+      <unaffected range="ge">7.0-r2</unaffected>
+      <vulnerable range="lt">7.0-r2</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>TestDisk is powerful free data recovery software! It was primarily
+      designed to help recover lost partitions and/or make non-booting disks
+      bootable again when these symptoms are caused by faulty software: certain
+      types of viruses or human error (such as accidentally deleting a
+      Partition Table). Partition table recovery using TestDisk is really easy.
+    </p>
+  </background>
+  <description>
+    <p>A buffer overflow can be triggered within TestDisk when a malicious disk
+      image is attempting to be recovered.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>A remote attacker could coerce the victim to run TestDisk against their
+      malicious image.  This may be leveraged by an attacker to crash TestDisk
+      and gain control of program execution.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All TestDisk users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=app-admin/testdisk-7.0-r2"
+    </code>
+    
+  </resolution>
+  <references>
+    <uri link="http://www.security-assessment.com/files/documents/advisory/Testdisk%20Check_OS2MB%20Stack%20Buffer%20Overflow%20-%20Release.pdf">
+      TestDisk check_OS2MB Stack Buffer overflow
+    </uri>
+  </references>
+  <metadata tag="requester" timestamp="Thu, 30 Apr 2015 18:55:08 +0000">K_F</metadata>
+  <metadata tag="submitter" timestamp="Tue, 22 Nov 2016 11:59:23 +0000">b-man</metadata>
+</glsa>

sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk

@@ -1 +1 @@
-Mon, 21 Nov 2016 18:13:23 +0000
+Tue, 22 Nov 2016 19:13:27 +0000