bump(metadata/glsa): sync with upstream

David Michael 2018-12-21 15:34:04 +00:00
parent f26782d9a8
commit 827cad70ea
15 changed files with 681 additions and 17 deletions

View File

@ -1,23 +1,23 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
MANIFEST Manifest.files.gz 433135 BLAKE2B 08bfc4178f110d18daf9e50c33952a85a482c64d23c2c125c97f8cec66852a409145a06cdb11a9133f11f551652f71ca3c6cff6f9ad86e0e250b41b9cd1b5224 SHA512 68d673cc2f0e4949c03c21be733250173baa6252b489b636a97186f2e5bd182f13f09c79c29136d620f6ec56097de0dd794676970976fc7c502ce23ac7fe7e66
TIMESTAMP 2018-11-29T02:38:38Z
MANIFEST Manifest.files.gz 434883 BLAKE2B 437fd719358cb224888b8071f01d60b1548cd1a82f20093903aa74e9fe63671e56f03a20ed426aae11e7d6fdd7027beb57804429044781bc9dc3557ccbbcb5a8 SHA512 16828091dc592888ea79b76c0a3e0ec358317e4c345386d11d12983b85a84ed74ba2d650d8af4f0f90a313afdad1a7fd1808666df2dca69ee70f2802b663b733
TIMESTAMP 2018-12-21T15:08:37Z
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAlv/US5fFIAAAAAALgAo
iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAlwdAfVfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx
RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY
klBVPxAAtqZBAZOfA5rfftfNz/J8MfutHu4vqupcbntkksfNWVH+TqgKpG1cEnpt
Ej5fl0F4dAYBS/O3jO3eS/K6aNqKGpbYtOu2N3U4Hi9hb427AobakMjuSnIWWalr
L546Wto4+JvFZZeuEdlHVwZk1RE2g/9itzrlW+yKayCnSnXAUxz+jGE9Tv2FjlUG
OBu6aqh1W3tNj49gCVfvgGZICm9w7d0AdNyN5sVDaU7eOPTHxCxOLHoIsa8mnbA4
N/s9JuCccLXpKwE9w774+/kidFcHvc88v9Bd8BcIJTtFkGILkD+qdZy1o/50iufh
H/GATcmP+VgLdbydrQ7Dp5y37jZfXeFUVbZrKb3wjP3jR9qsAFmaJm8H4SBVsdnX
owiEoZQRuCMvE+885UGP3vszAQ5lyS/Z4Tcp/KQim8rxPSrXu/98g1fFnwzynCzd
3CEHXc0U2M0zSO8vPdpcLqxGpxikXjSSEGlR3m7WaHjHkSqZIeD28q88qCWGPsQC
8kkzs5uObEOIj6k9EXJmo6nnKmYNh97InQV5ryurzuhYfHY2UTDU1J6qAIALu4/9
yNqlx8ljo42MVva9V6RmevmdL9Jh0+JQgRLgYeWCtsHYKxKqVBUB+BCgd5f44e+E
LdJAP1sNWAbODF4Ju1bmyf2FBrJA+3eFmLnSeWjVQt9TqsJE9E8=
=RYxc
klCKNg//dCIBDp+4caJgLpkB4vH2SC244vRQmnQiKQREG+3OXgizDV9ZrS/FIREr
gTPFzuUvsxuuvvPwVDG04eLyu5LK05v4ngj/QF3le+WWh+q9HNGdf0h2gK8iIQ5d
DJvwHNux7ACcW10sdSzdPro6vh2H3iNNrki0zLQKp3c4GkWOOWBaxBIJTrkjB4t0
EIBKESKLW/vNB7De8ewXJ2OdKu4gJF84jbeAMxs36rkidirJ3hZRbZ4F7Xbyo4QP
KOktgqEKY1SV0r9rr2LIi0KlGTfeEApwzZGoZWt8KoGFzbeEaEaFJ1TokmQJ6Igr
ACY+IOrqZw7ItO7U8+oYCj/CydT6OyEQ1LcO7HBN1eDwcazaTYrtmjm5tEypv2Mx
1ZN7GTTKa/f0ug04fPHwg8cPLeUjW87qc3x5PMI90fIreIw8gSANQbQJJJB4Cnym
hYqGiax+uchoSRiKC+wfJ6ytfn6JFuIWqtKVZAl40/GoS453Qb6+l/+TzwiThbIR
gSwiA8w1pQ42UIAHJvTftBdO6kNqtaMdBHV3Cmr0Ty7WDZBqfWORpNyXqzUextlJ
1m8hxTbM1e3MrpW9Djn7n3/Ec5XwODhIpdBfLWxDGdYwMWSNHBBwdjgRNtw4uAyR
/17jtMxe2dw3ax3SHB/5Q5iRWchgX4E6AGsmJAzQoqfC0hYtA+0=
=Ofjz
-----END PGP SIGNATURE-----
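
Review bot: The commit message ("sync with upstream") does not record whether the new clearsigned Manifest was verified. This hunk swaps the Manifest.files.gz BLAKE2B/SHA512 digests, the TIMESTAMP and the whole signature block in one go, so a reviewer cannot tell a legitimate upstream refresh from a tampered file by reading the diff. Suggest noting in the commit message that the signature over the new content was checked, and against which key.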

View File

@ -0,0 +1,63 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201811-23">
<title>libsndfile: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in libsndfile, the worst
of which might allow remote attackers to cause a Denial of Service
condition.
</synopsis>
<product type="ebuild">libsndfile</product>
<announced>2018-11-30</announced>
<revised count="1">2018-11-30</revised>
<bug>618016</bug>
<bug>624814</bug>
<bug>627152</bug>
<bug>631634</bug>
<bug>660452</bug>
<access>remote</access>
<affected>
<package name="media-libs/libsndfile" auto="yes" arch="*">
<unaffected range="ge">1.0.28-r4</unaffected>
<vulnerable range="lt">1.0.28-r4</vulnerable>
</package>
</affected>
<background>
<p>libsndfile is a C library for reading and writing files containing
sampled sound.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in libsndfile. Please
review the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker, by enticing a user to open a specially crafted file,
could cause a Denial of Service condition or have other unspecified
impacts.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All libsndfile users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=media-libs/libsndfile-1.0.28-r4"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-12562">CVE-2017-12562</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-14634">CVE-2017-14634</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-6892">CVE-2017-6892</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-8361">CVE-2017-8361</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-8362">CVE-2017-8362</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-8363">CVE-2017-8363</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-8365">CVE-2017-8365</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-13139">CVE-2018-13139</uri>
</references>
<metadata tag="requester" timestamp="2018-11-25T00:29:50Z">b-man</metadata>
<metadata tag="submitter" timestamp="2018-11-30T08:52:15Z">b-man</metadata>
</glsa>

View File

@ -0,0 +1,94 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201811-24">
<title>PostgreSQL: SQL injection</title>
<synopsis>A SQL injection in PostgreSQL may allow attackers to execute
arbitrary SQL statements.
</synopsis>
<product type="ebuild">postgresql</product>
<announced>2018-11-30</announced>
<revised count="2">2018-12-03</revised>
<bug>670724</bug>
<access>remote</access>
<affected>
<package name="dev-db/postgresql" auto="yes" arch="*">
<unaffected range="ge" slot="9.3">9.3.25</unaffected>
<unaffected range="ge" slot="9.4">9.4.20</unaffected>
<unaffected range="ge" slot="9.5">9.5.15</unaffected>
<unaffected range="ge" slot="9.6">9.6.11</unaffected>
<unaffected range="ge" slot="10">10.6</unaffected>
<unaffected range="ge" slot="11">11.1</unaffected>
<vulnerable range="lt" slot="9.3">9.3.25</vulnerable>
<vulnerable range="lt" slot="9.4">9.4.20</vulnerable>
<vulnerable range="lt" slot="9.5">9.5.15</vulnerable>
<vulnerable range="lt" slot="9.6">9.6.11</vulnerable>
<vulnerable range="lt" slot="10">10.6</vulnerable>
<vulnerable range="lt" slot="11">11.1</vulnerable>
</package>
</affected>
<background>
<p>PostgreSQL is an open source object-relational database management
system.
</p>
</background>
<description>
<p>A vulnerability was discovered in PostgreSQLs pg_upgrade and pg_dump.</p>
</description>
<impact type="normal">
<p>An attacker, by enticing a user to process a specially crafted trigger
definition, can execute arbitrary SQL statements with superuser
privileges.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All PostgreSQL 9.3.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-db/postgresql-9.3.25"
</code>
<p>All PostgreSQL 9.4.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-db/postgresql-9.4.20"
</code>
<p>All PostgreSQL 9.5.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-db/postgresql-9.5.15"
</code>
<p>All PostgreSQL 9.6.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-db/postgresql-9.6.11"
</code>
<p>All PostgreSQL 10.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-db/postgresql-10.6"
</code>
<p>All PostgreSQL 11.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-db/postgresql-11.1"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16850">CVE-2018-16850</uri>
</references>
<metadata tag="requester" timestamp="2018-11-29T21:19:15Z">b-man</metadata>
<metadata tag="submitter" timestamp="2018-12-03T19:06:05Z">b-man</metadata>
</glsa>
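
Review bot: In the description, "PostgreSQLs pg_upgrade and pg_dump" is missing the possessive apostrophe; it should read "PostgreSQL's". The description also names only the affected tools, while the impact paragraph carries the actual condition (a crafted trigger definition leading to SQL run with superuser privileges); one sentence in the description saying how the trigger definition reaches pg_upgrade or pg_dump would make the advisory readable on its own.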

View File

@ -0,0 +1,82 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201812-01">
<title>PHP: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in PHP, the worst of which
could result in a Denial of Service condition.
</synopsis>
<product type="ebuild">php</product>
<announced>2018-12-02</announced>
<revised count="3">2018-12-03</revised>
<bug>658092</bug>
<bug>666256</bug>
<access>local, remote</access>
<affected>
<package name="dev-lang/php" auto="yes" arch="*">
<unaffected range="ge" slot="5.6">5.6.38</unaffected>
<unaffected range="ge" slot="7.0">7.0.32</unaffected>
<unaffected range="ge" slot="7.1">7.1.22</unaffected>
<unaffected range="ge" slot="7.2">7.2.10</unaffected>
<vulnerable range="lt" slot="5.6">5.6.38</vulnerable>
<vulnerable range="lt" slot="7.0">7.0.32</vulnerable>
<vulnerable range="lt" slot="7.1">7.1.22</vulnerable>
<vulnerable range="lt" slot="7.2">7.2.10</vulnerable>
</package>
</affected>
<background>
<p>PHP is an open source general-purpose scripting language that is
especially suited for web development.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in PHP. Please review the
referenced CVE identifiers for details.
</p>
</description>
<impact type="normal">
<p>An attacker could cause a Denial of Service condition or obtain
sensitive information.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All PHP 5.6.X users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-lang/php-5.6.38"
</code>
<p>All PHP 7.0.X users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-lang/php-7.0.32"
</code>
<p>All PHP 7.1.X users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-lang/php-7.1.22"
</code>
<p>All PHP 7.2.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-lang/php-7.2.10"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-10545">CVE-2018-10545</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-10546">CVE-2018-10546</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-10548">CVE-2018-10548</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-10549">CVE-2018-10549</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-17082">CVE-2018-17082</uri>
</references>
<metadata tag="requester" timestamp="2018-11-25T02:00:06Z">b-man</metadata>
<metadata tag="submitter" timestamp="2018-12-03T19:04:03Z">b-man</metadata>
</glsa>
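
Review bot: The resolution headings mix "5.6.X", "7.0.X" and "7.1.X" with "7.2.x"; pick one casing for the slot wildcard. The synopsis also names Denial of Service as the worst outcome while the impact paragraph adds "obtain sensitive information", so the synopsis should mention the disclosure case or the impact text should say which one is worse.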

View File

@ -0,0 +1,50 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201812-02">
<title>ConnMan: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in ConnMan, the worst of
which could result in the remote execution of code.
</synopsis>
<product type="ebuild">connman</product>
<announced>2018-12-02</announced>
<revised count="1">2018-12-02</revised>
<bug>628566</bug>
<bug>630028</bug>
<access>remote</access>
<affected>
<package name="net-misc/connman" auto="yes" arch="*">
<unaffected range="ge">1.35-r1</unaffected>
<vulnerable range="lt">1.35-r1</vulnerable>
</package>
</affected>
<background>
<p>ConnMan provides a daemon for managing Internet connections.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in ConnMan. Please review
the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker, via a crafted DNS packet, could remotely execute code
or cause a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All ConnMan users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-misc/connman-1.35-r1"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-12865">CVE-2017-12865</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-5716">CVE-2017-5716</uri>
</references>
<metadata tag="requester" timestamp="2018-11-25T04:29:34Z">b-man</metadata>
<metadata tag="submitter" timestamp="2018-12-02T15:46:16Z">b-man</metadata>
</glsa>
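
Review bot: The impact element is typed "normal" although its text and the synopsis describe remote code execution triggered by a crafted DNS packet, with access "remote". Confirm that rating is intended for an unauthenticated network-reachable code execution issue. The phrase "A remote attacker ... could remotely execute code" is also redundant; "could execute code" is enough.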

View File

@ -0,0 +1,48 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201812-03">
<title>Nagios: Privilege escalation</title>
<synopsis>A vulnerability in Nagios allows local users to escalate
privileges.
</synopsis>
<product type="ebuild">nagios</product>
<announced>2018-12-02</announced>
<revised count="1">2018-12-02</revised>
<bug>629380</bug>
<access>local</access>
<affected>
<package name="net-analyzer/nagios-core" auto="yes" arch="*">
<unaffected range="ge">4.3.4</unaffected>
<vulnerable range="lt">4.3.4</vulnerable>
</package>
</affected>
<background>
<p>Nagios is an open source host, service and network monitoring program.</p>
</background>
<description>
<p>A vulnerability in Nagios was discovered due to the improper handling of
configuration files which can be owned by a non-root user.
</p>
</description>
<impact type="normal">
<p>A local attacker can escalate privileges to root by leveraging access to
a non-root owned configuration file.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Nagios users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-analyzer/nagios-core-4.3.4"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-14312">CVE-2017-14312</uri>
</references>
<metadata tag="requester" timestamp="2018-11-24T23:02:56Z">b-man</metadata>
<metadata tag="submitter" timestamp="2018-12-02T15:48:26Z">b-man</metadata>
</glsa>

View File

@ -0,0 +1,74 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201812-04">
<title>WebkitGTK+: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in WebKitGTK+, the worst
of which may lead to arbitrary code execution.
</synopsis>
<product type="ebuild">webkitgtk</product>
<announced>2018-12-02</announced>
<revised count="1">2018-12-02</revised>
<bug>667892</bug>
<access>remote</access>
<affected>
<package name="net-libs/webkit-gtk" auto="yes" arch="*">
<unaffected range="ge">2.22.0</unaffected>
<vulnerable range="lt">2.22.0</vulnerable>
</package>
</affected>
<background>
<p>WebKitGTK+ is a full-featured port of the WebKit rendering engine,
suitable for projects requiring any kind of web integration, from hybrid
HTML/CSS applications to full-fledged web browsers.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in WebKitGTK+. Please
review the referenced CVE identifiers for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could execute arbitrary commands or cause a Denial of
Service condition via maliciously crafted web content.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All WebkitGTK+ users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-libs/webkit-gtk-2.22.0"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4191">CVE-2018-4191</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4197">CVE-2018-4197</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4207">CVE-2018-4207</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4208">CVE-2018-4208</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4209">CVE-2018-4209</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4210">CVE-2018-4210</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4212">CVE-2018-4212</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4213">CVE-2018-4213</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4299">CVE-2018-4299</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4306">CVE-2018-4306</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4309">CVE-2018-4309</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4311">CVE-2018-4311</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4312">CVE-2018-4312</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4314">CVE-2018-4314</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4315">CVE-2018-4315</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4316">CVE-2018-4316</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4317">CVE-2018-4317</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4318">CVE-2018-4318</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4319">CVE-2018-4319</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4323">CVE-2018-4323</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4328">CVE-2018-4328</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4358">CVE-2018-4358</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4359">CVE-2018-4359</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4361">CVE-2018-4361</uri>
</references>
<metadata tag="requester" timestamp="2018-11-24T23:17:09Z">b-man</metadata>
<metadata tag="submitter" timestamp="2018-12-02T15:50:31Z">b-man</metadata>
</glsa>
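
Review bot: The product name is spelled "WebkitGTK+" in the title and in the resolution sentence but "WebKitGTK+" in the synopsis, background and description. Use "WebKitGTK+" throughout so that searches on the title match the body.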

View File

@ -0,0 +1,48 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201812-05">
<title>EDE: Privilege escalation</title>
<synopsis>A vulnerability in EDE could result in privilege escalation.</synopsis>
<product type="ebuild">ede, emacs</product>
<announced>2018-12-06</announced>
<revised count="1">2018-12-06</revised>
<bug>398241</bug>
<access>local</access>
<affected>
<package name="app-xemacs/ede" auto="yes" arch="*">
<unaffected range="ge">1.07</unaffected>
<vulnerable range="lt">1.07</vulnerable>
</package>
</affected>
<background>
<p>A package that simplifies the task of creating, building, and debugging
large programs with Emacs. It provides some of the features of an IDE, or
Integrated Development Environment, in Emacs.
</p>
</background>
<description>
<p>An untrusted search path vulnerability was discovered in EDE.</p>
</description>
<impact type="normal">
<p>A local attacker could escalate his privileges via a specially crafted
Lisp expression in a Project.ede file in the directory or a parent
directory of an opened file.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All EDE users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-xemacs/ede-1.07"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2012-0035">CVE-2012-0035</uri>
</references>
<metadata tag="requester" timestamp="2018-12-03T22:46:03Z">b-man</metadata>
<metadata tag="submitter" timestamp="2018-12-06T22:01:41Z">b-man</metadata>
</glsa>
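
Review bot: The product element lists "ede, emacs" but the affected block contains only app-xemacs/ede, and the background text speaks of Emacs rather than XEmacs. Either add the affected Emacs package to the affected block or drop "emacs" from product, so that tooling keyed on the package name and readers keyed on the product name reach the same conclusion. "escalate his privileges" in the impact text can simply be "escalate privileges", matching the other advisories in this sync.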

View File

@ -0,0 +1,51 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201812-06">
<title>CouchDB: Multiple vulnerabilities </title>
<synopsis>Multiple vulnerabilities have been found in CouchDB, the worst of
which could lead to the remote execution of code.
</synopsis>
<product type="ebuild">couchdb</product>
<announced>2018-12-15</announced>
<revised count="1">2018-12-15</revised>
<bug>630796</bug>
<bug>660908</bug>
<bug>663164</bug>
<access>remote</access>
<affected>
<package name="dev-db/couchdb" auto="yes" arch="*">
<vulnerable range="le">2.1.2</vulnerable>
</package>
</affected>
<background>
<p>Apache CouchDB is a distributed, fault-tolerant and schema-free
document-oriented database.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in CouchDB. Please review
the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could execute arbitrary code or escalate privileges.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>Gentoo has discontinued support for CouchDB and recommends that users
unmerge the package:
</p>
<code>
# emerge --unmerge "dev-db/couchdb"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-11769">CVE-2018-11769</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-8007">CVE-2018-8007</uri>
</references>
<metadata tag="requester" timestamp="2018-12-11T17:40:03Z">b-man</metadata>
<metadata tag="submitter" timestamp="2018-12-15T20:07:59Z">b-man</metadata>
</glsa>
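
Review bot: The affected block has a vulnerable range of "le" 2.1.2 and no unaffected entry, while the resolution says support is discontinued and the package should be unmerged. If no fixed version will ever be provided, say so in the description, and check that the "le 2.1.2" bound is really meant to exclude later versions a user may have installed from elsewhere. The title also carries a trailing space before the closing tag ("Multiple vulnerabilities </title>").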

View File

@ -0,0 +1,52 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201812-07">
<title>SpamAssassin: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in SpamAssassin, the worst
of which may lead to remote code execution.
</synopsis>
<product type="ebuild">spamassassin</product>
<announced>2018-12-15</announced>
<revised count="1">2018-12-15</revised>
<bug>666348</bug>
<access>remote</access>
<affected>
<package name="mail-filter/spamassassin" auto="yes" arch="*">
<unaffected range="ge">3.4.2-r2</unaffected>
<vulnerable range="lt">3.4.2-r2</vulnerable>
</package>
</affected>
<background>
<p>SpamAssassin is an extensible email filter used to identify junk email.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in SpamAssassin. Please
review the referenced CVE identifiers for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could execute arbitrary code, escalate privileges, or
cause a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All SpamAssassin users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose
"&gt;=mail-filter/spamassassin-3.4.2-r2"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2016-1238">CVE-2016-1238</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-15705">CVE-2017-15705</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-11780">CVE-2018-11780</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-11781">CVE-2018-11781</uri>
</references>
<metadata tag="requester" timestamp="2018-12-12T22:44:21Z">b-man</metadata>
<metadata tag="submitter" timestamp="2018-12-15T20:09:55Z">b-man</metadata>
</glsa>
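
Review bot: In the resolution code block the upgrade command is split over two lines, with "# emerge --ask --oneshot --verbose" on one and the quoted atom "&gt;=mail-filter/spamassassin-3.4.2-r2" on the next. Pasted as shown, the first line runs emerge without a target and the second is not a command. Keep the atom on the same line as the other advisories in this commit do, or end the first line with a backslash.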

View File

@ -0,0 +1,46 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201812-08">
<title>Scala: Privilege escalation</title>
<synopsis>A vulnerability in Scala could result in privilege escalation.</synopsis>
<product type="ebuild">scala</product>
<announced>2018-12-15</announced>
<revised count="1">2018-12-15</revised>
<bug>637940</bug>
<access>local</access>
<affected>
<package name="dev-lang/scala" auto="yes" arch="*">
<unaffected range="ge">2.12.4</unaffected>
<vulnerable range="lt">2.12.4</vulnerable>
</package>
</affected>
<background>
<p>Scala combines object-oriented and functional programming in one
concise, high-level language.
</p>
</background>
<description>
<p>It was discovered that Scalas compilation daemon does not properly
manage permissions for private files.
</p>
</description>
<impact type="normal">
<p>A local attacker could escalate privileges.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Scala users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-lang/scala-2.12.4"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-15288">CVE-2017-15288</uri>
</references>
<metadata tag="requester" timestamp="2018-12-02T21:21:35Z">b-man</metadata>
<metadata tag="submitter" timestamp="2018-12-15T20:11:15Z">b-man</metadata>
</glsa>
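
Review bot: "Scalas compilation daemon" in the description is missing the possessive apostrophe ("Scala's"). The impact sentence, "A local attacker could escalate privileges", does not connect to the description; stating that the escalation comes through the daemon's improperly protected private files would tell an administrator what to look at on a multi-user host.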

View File

@ -0,0 +1,56 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201812-09">
<title>Go: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Go, the worst which
could lead to the execution of arbitrary code.
</synopsis>
<product type="ebuild">go</product>
<announced>2018-12-21</announced>
<revised count="1">2018-12-21</revised>
<bug>673234</bug>
<access>remote</access>
<affected>
<package name="dev-lang/go" auto="yes" arch="*">
<unaffected range="ge">1.10.7</unaffected>
<vulnerable range="lt">1.10.7</vulnerable>
</package>
</affected>
<background>
<p>Go is an open source programming language that makes it easy to build
simple, reliable, and efficient software.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Go. Please review the
CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could cause arbitrary code execution by passing
specially crafted Go packages the go get -u command.
</p>
<p>The remote attacker could also craft pathological inputs causing a CPU
based Denial of Service condition via the crypto/x509 package.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Go users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-lang/go-1.10.7"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16873">CVE-2018-16873</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16874">CVE-2018-16874</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16875">CVE-2018-16875</uri>
</references>
<metadata tag="requester" timestamp="2018-12-20T18:21:42Z">Zlogene</metadata>
<metadata tag="submitter" timestamp="2018-12-21T11:58:46Z">Zlogene</metadata>
</glsa>
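
Review bot: Two sentences are missing words: the synopsis reads "the worst which could lead to" (should be "the worst of which") and the impact reads "passing specially crafted Go packages the go get -u command" (should be "packages to the go get -u command"). The second one matters because it is the sentence that tells users which operation is dangerous on unpatched versions.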

View File

@ -1 +1 @@
Thu, 29 Nov 2018 02:38:34 +0000
Fri, 21 Dec 2018 15:08:33 +0000

View File

@ -1 +1 @@
948748bd6e80dceb3f96d8040bee52380c2f2fe8 1543445572 2018-11-28T22:52:52+00:00
50b59faac05c76419ff9b3a69d1e89f8a5c99678 1545393597 2018-12-21T11:59:57+00:00