bump(metadata/glsa): sync with upstream

Benjamin Gilbert 2020-04-16 06:12:34 +00:00 committed by Kai Lüke
parent ad734b5315
commit 8e6121e55e
81 changed files with 4673 additions and 19 deletions


@ -1,23 +1,23 @@
-----BEGIN PGP SIGNED MESSAGE----- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512 Hash: SHA512
MANIFEST Manifest.files.gz 450288 BLAKE2B 3798da941a15fcee18382da626450662d799e35257d8ad4a0b1552a6ddaae69d623b969c7ea2a3ff528f29e7ea6067f37208f6499dc6674753bd8f0bc73ac9b6 SHA512 c989a03018fd5d5d0ec3658457962a1285eb9736eaf370cd03c34b1c2e6807a141280958db2771efc54eda1120570c478512f7e244686722c0c6fc53bcfde64c MANIFEST Manifest.files.gz 462212 BLAKE2B 5776c6001abb402454a2b47a7b9bf3bf9047598d1aece9f78d5b9c3c27b9e2beb04358067b23d0aab0fa3a39a6704dbc7989395dc50e173ff19712be407974d6 SHA512 b5ee2fe405b23fa0d01a4455e021e430490898b9d86f37bdd8cdf6f3e1e612bc5782cde9c380e6d19690d6c9d75154b7ece632c229e69202510fa1255c1cb2a6
TIMESTAMP 2019-11-25T18:08:47Z TIMESTAMP 2020-04-16T05:39:02Z
-----BEGIN PGP SIGNATURE----- -----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAl3cGK9fFIAAAAAALgAo iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAl6X73ZfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx
RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY
klD6eBAApy6F7OqvbNHOVDfc0l99xjuiTuxAyp5DZ87Z0b635086T9+HLyFh2TuW klAwzA/8Dv2dDluNwUU99HrcwRPXsD+VHkUsSIYQz+76O01a+3ypffDSHH8/fTx3
FlVMqkPe05RVyOH6Tq+fEmixQfzWucRdFCV9IpAdzIgLCue/4Ey1v/mZhoYqj3ve Z+vH4aT5UPTzB5pKfmmo8zdgJwJosj8Squ/YCE90pVyiChQHk1GTMMpl0rK3va81
2JUrfCmYKNU1N5qqdkSqdHG88wH/XjABodvPJLC3pgAMVQZ0Ln/t0HGwDr+q/zo8 /higcbCeLg9rAu+9qruPkjLGzbXFEkQLIt8lhPlnh2ddE1R8MTeYKIkNa0g1IFyD
N6sUV34fvm8aF5qQfJCyaoOTmJQNDAuZ7t0Dcfz8XlHCgOFSsW03gyIxeUJfdaRW 5lPQxDy3D7R5U1Wn3eqnLNzSmZhXum2Ko/pALX9jHTVt3Tfc2pmVqaS0AuTrUpGf
ADn0WJGAgyXhtMdQJMTRZ5H3n79B9VaNOJAuSR1SHv6MZf0ARgYpAT9QeQE1LH4y Lxha0BFnig4lMWHzniIz7zgwzo8A2upnFRl+caYxNAQwBvBCoJWBSWoGB4Kecwa2
CMQfmqHu/pHGJxAxOqV4Q7/bV6Ppv5iIXjCysEA66ySGLn/ZSX/aMssooe9l/ymi D+HY/7Y/J1n83//0h+3krFsamRJCwYt4pdFIdv2bBsxWUPlVPLMQWEmN7v06MUCN
rMkbovWSnq4B4o6JwqtRFONliQ/N/axJWTn9hcndsJRqv/kF5AVSXyogBMQQb8rR mX4bDu/L25m0xeFeGzlU+LiqeVoyIl6I429OfSovMvSn3Xou8kSx31kAgZVThvGK
hz76WpLx9ccwnFnrfRLLOBY1MVBSrBH7cj5jEv/uK26E48CwACJjDvJ6FREAJzx7 xPYGokcU0SAyJket82M5O4NyH+1sNeJEnLj4uya35a6w6u1ZLc7xawpiDxB8Rw5u
AWyGIGFS0fEwOiBEYWzLb46CsWNPMqm9js2002ygUe/FgnOQ0GwxX5y2UMvPn58h /bEgf6InZrX2XHD77dmfGOEEujYVnOrR32+8F9lUVzk8HkR+2ZRRM2bA32QeDQVq
1tHsy+RYTGE7VkKCMvw7RdNZZ3zDu1Zi/iFIArK4gtgrD7Ojf/XPNcpNVQz3MSh9 4RGhSSYJHP6uMpipCEGE3NN79y4/t1oAhAREBm4LIRBoi2uwxX7nB9c15rXnTGem
GJe1zeh4iKwlMJnsMydIP3UZTSc7V85Y/+t5JEYCj72swdPbr8U= XRqZUh1Ady6wN+N1iWrsJTmB9I/kaAfMgCjtmfZpsqcnQL5rub8=
=AYYs =eM2y
-----END PGP SIGNATURE----- -----END PGP SIGNATURE-----


@ -1,7 +1,7 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> <!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201807-03"> <glsa id="201807-03">
<title>ZNC:Multiple Vulnerabilities</title> <title>ZNC: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in ZNC, the worst of which <synopsis>Multiple vulnerabilities have been found in ZNC, the worst of which
could result in privilege escalation. could result in privilege escalation.
</synopsis> </synopsis>


@ -1,7 +1,7 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> <!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201807-04"> <glsa id="201807-04">
<title>cURL:Heap-based Buffer Overflow </title> <title>cURL: Heap-based buffer overflow</title>
<synopsis>A heap-based buffer overflow in cURL might allow remote attackers <synopsis>A heap-based buffer overflow in cURL might allow remote attackers
to execute arbitrary code. to execute arbitrary code.
</synopsis> </synopsis>


@ -0,0 +1,48 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-01">
<title>Groovy: Arbitrary code execution</title>
<synopsis>A vulnerability within serialization might allow remote attackers
to execute arbitrary code.
</synopsis>
<product type="ebuild">groovy</product>
<announced>2020-03-07</announced>
<revised count="3">2020-03-12</revised>
<bug>605690</bug>
<access>remote</access>
<affected>
<package name="dev-java/groovy" auto="yes" arch="*">
<vulnerable range="le">2.4.5</vulnerable>
</package>
</affected>
<background>
<p>A multi-faceted language for the Java platform</p>
</background>
<description>
<p>It was discovered that there was a vulnerability within the Java
serialization/deserialization process.
</p>
</description>
<impact type="normal">
<p>An attacker, by crafting a special serialized object, could execute
arbitrary code.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>Gentoo has discontinued support for Groovy. We recommend that users
unmerge Groovy:
</p>
<code>
# emerge --unmerge "dev-java/groovy"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2016-6814">CVE-2016-6814</uri>
</references>
<metadata tag="requester" timestamp="2019-09-15T02:25:56Z">b-man</metadata>
<metadata tag="submitter" timestamp="2020-03-12T19:07:51Z">b-man</metadata>
</glsa>


@ -0,0 +1,104 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-02">
<title>Mozilla Firefox: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Mozilla Firefox, the
worst of which may allow execution of arbitrary code.
</synopsis>
<product type="ebuild">firefox</product>
<announced>2020-03-12</announced>
<revised count="2">2020-03-12</revised>
<bug>702638</bug>
<bug>705000</bug>
<bug>709346</bug>
<bug>712182</bug>
<access>remote</access>
<affected>
<package name="www-client/firefox" auto="yes" arch="*">
<unaffected range="ge">68.6.0</unaffected>
<vulnerable range="lt">68.6.0</vulnerable>
</package>
<package name="www-client/firefox-bin" auto="yes" arch="*">
<unaffected range="ge">68.6.0</unaffected>
<vulnerable range="lt">68.6.0</vulnerable>
</package>
</affected>
<background>
<p>Mozilla Firefox is a popular open-source web browser from the Mozilla
Project.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Mozilla Firefox. Please
review the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could entice a user to view a specially crafted web
page, possibly resulting in the execution of arbitrary code with the
privileges of the process or a Denial of Service condition. Furthermore,
a remote attacker may be able to perform Man-in-the-Middle attacks,
obtain sensitive information, spoof the address bar, conduct clickjacking
attacks, bypass security restrictions and protection mechanisms, or have
other unspecified impact.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Mozilla Firefox users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=www-client/firefox-68.6.0"
</code>
<p>All Mozilla Firefox binary users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=www-client/firefox-bin-68.6.0"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11745">CVE-2019-11745</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-17005">CVE-2019-17005</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-17008">CVE-2019-17008</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-17010">CVE-2019-17010</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-17011">CVE-2019-17011</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-17012">CVE-2019-17012</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-17016">CVE-2019-17016</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-17017">CVE-2019-17017</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-17022">CVE-2019-17022</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-17024">CVE-2019-17024</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-17026">CVE-2019-17026</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-20503">CVE-2019-20503</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6796">CVE-2020-6796</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6797">CVE-2020-6797</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6798">CVE-2020-6798</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6799">CVE-2020-6799</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6800">CVE-2020-6800</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6805">CVE-2020-6805</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6806">CVE-2020-6806</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6807">CVE-2020-6807</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6811">CVE-2020-6811</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6812">CVE-2020-6812</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6814">CVE-2020-6814</uri>
<uri link="https://www.mozilla.org/en-US/security/advisories/mfsa2019-37/">
MFSA-2019-37
</uri>
<uri link="https://www.mozilla.org/en-US/security/advisories/mfsa2020-03/">
MFSA-2020-03
</uri>
<uri link="https://www.mozilla.org/en-US/security/advisories/mfsa2020-06/">
MFSA-2020-06
</uri>
<uri link="https://www.mozilla.org/en-US/security/advisories/mfsa2020-09/">
MFSA-2020-09
</uri>
</references>
<metadata tag="requester" timestamp="2020-03-07T16:47:24Z">BlueKnight</metadata>
<metadata tag="submitter" timestamp="2020-03-12T19:17:30Z">BlueKnight</metadata>
</glsa>
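Review bot: The four MFSA `<uri>` entries at the end of `<references>` put their link text on its own indented line, so the element content is the text plus surrounding newlines and indentation rather than just `MFSA-2019-37`; the CVE entries in the same list keep the text inline. Unless the GLSA renderer trims text nodes, which is not visible here, the rendered link text carries that whitespace. Write them as `<uri link="https://www.mozilla.org/en-US/security/advisories/mfsa2019-37/">MFSA-2019-37</uri>`, wrapping only inside the start tag if line length is the concern. The Thunderbird advisory 202003-10 uses the same layout; its section runs past the end of this page. Since this file mirrors upstream, the fix belongs in the upstream GLSA and should be picked up by the next sync.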


@ -0,0 +1,102 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-03">
<title>PostgreSQL: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in PostgreSQL, the worst
of which could result in the execution of arbitrary code.
</synopsis>
<product type="ebuild">postgresql</product>
<announced>2020-03-12</announced>
<revised count="2">2020-03-12</revised>
<bug>685846</bug>
<bug>688420</bug>
<bug>709708</bug>
<access>local, remote</access>
<affected>
<package name="dev-db/postgresql" auto="yes" arch="*">
<unaffected range="ge" slot="9.4">9.4.26</unaffected>
<unaffected range="ge" slot="9.5">9.5.21</unaffected>
<unaffected range="ge" slot="9.6">9.6.17</unaffected>
<unaffected range="ge" slot="10">10.12</unaffected>
<unaffected range="ge" slot="11">11.7</unaffected>
<unaffected range="ge" slot="12">12.2</unaffected>
<vulnerable range="lt" slot="9.4">9.4.26</vulnerable>
<vulnerable range="lt" slot="9.5">9.5.21</vulnerable>
<vulnerable range="lt" slot="9.6">9.6.17</vulnerable>
<vulnerable range="lt" slot="10">10.12</vulnerable>
<vulnerable range="lt" slot="11">11.7</vulnerable>
<vulnerable range="lt" slot="12">12.2</vulnerable>
</package>
</affected>
<background>
<p>PostgreSQL is an open source object-relational database management
system.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in PostgreSQL. Please
review the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could possibly execute arbitrary code with the
privileges of the process, bypass certain client-side connection security
features, read arbitrary server memory, alter certain data or cause a
Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All PostgreSQL 9.4.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-db/postgresql-9.4.26:9.4"
</code>
<p>All PostgreSQL 9.5.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-db/postgresql-9.5.21:9.5"
</code>
<p>All PostgreSQL 9.6.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-db/postgresql-9.6.17:9.6"
</code>
<p>All PostgreSQL 10.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-db/postgresql-10.12:10"
</code>
<p>All PostgreSQL 11.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-db/postgresql-11.7:11"
</code>
<p>All PostgreSQL 12.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-db/postgresql-12.2:12"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-10129">CVE-2019-10129</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-10130">CVE-2019-10130</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-10164">CVE-2019-10164</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-1720">CVE-2020-1720</uri>
</references>
<metadata tag="requester" timestamp="2019-10-26T23:59:26Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-03-12T20:20:41Z">whissi</metadata>
</glsa>


@ -0,0 +1,65 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-04">
<title>Vim, gVim: Remote execution of arbitrary code</title>
<synopsis>A vulnerability has been found in Vim and gVim concerning how
certain modeline options are treated.
</synopsis>
<product type="ebuild">vim,gvim</product>
<announced>2020-03-12</announced>
<revised count="1">2020-03-12</revised>
<bug>687394</bug>
<access>local, remote</access>
<affected>
<package name="app-editors/vim" auto="yes" arch="*">
<unaffected range="ge">8.1.1486</unaffected>
<vulnerable range="lt">8.1.1486</vulnerable>
</package>
<package name="app-editors/gvim" auto="yes" arch="*">
<unaffected range="ge">8.1.1486</unaffected>
<vulnerable range="lt">8.1.1486</vulnerable>
</package>
</affected>
<background>
<p>Vim is an efficient, highly configurable improved version of the classic
vi text editor. gVim is the GUI version of Vim.
</p>
</background>
<description>
<p>
It was found that the <code>:source!</code> command was not restricted by
the sandbox mode. If modeline was explicitly enabled, opening a specially
crafted text file in vim could result in arbitrary command execution.
</p>
</description>
<impact type="normal">
<p>A remote attacker could entice a user to open a specially crafted file
using Vim or gVim, possibly resulting in execution of arbitrary code with
the privileges of the process or a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Vim users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-editors/vim-8.1.1486"
</code>
<p>All gVim users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-editors/gvim-8.1.1486"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-12735">CVE-2019-12735</uri>
</references>
<metadata tag="requester" timestamp="2019-10-27T00:04:29Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-03-12T20:37:36Z">whissi</metadata>
</glsa>
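Review bot: The `<description>` says the `:source!` issue only applies when modeline has been explicitly enabled, yet `<workaround>` states none is known; leaving modeline disabled (`nomodeline`) reads as exactly the mitigation for a user who cannot upgrade yet, so the two sections should agree. Either document that in `<workaround>` or drop the qualifier from the description, whichever upstream confirms as accurate for the affected versions. As a minor style point, the `<p>` inside `<description>` opens on its own line with the text starting on the next, unlike every other paragraph in this advisory. Both points belong in the upstream GLSA rather than in this mirrored copy.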


@ -0,0 +1,53 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-05">
<title>e2fsprogs: Arbitrary code execution</title>
<synopsis>A vulnerability in e2fsprogs might allow an attacker to execute
arbitrary code.
</synopsis>
<product type="ebuild">e2fsprogs</product>
<announced>2020-03-13</announced>
<revised count="1">2020-03-13</revised>
<bug>695522</bug>
<access>local, remote</access>
<affected>
<package name="sys-fs/e2fsprogs" auto="yes" arch="*">
<unaffected range="ge">1.45.4</unaffected>
<vulnerable range="lt">1.45.4</vulnerable>
</package>
</affected>
<background>
<p>e2fsprogs is a set of utilities for maintaining the ext2, ext3 and ext4
file systems.
</p>
</background>
<description>
<p>It was discovered that e2fsprogs incorrectly handled certain ext4
partitions.
</p>
</description>
<impact type="normal">
<p>A remote attacker could entice a user to process a specially crafted
corrupted file system using e2fsck, possibly resulting in execution of
arbitrary code with the privileges of the process or a Denial of Service
condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All e2fsprogs users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=sys-fs/e2fsprogs-1.45.4"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5094">CVE-2019-5094</uri>
</references>
<metadata tag="requester" timestamp="2019-10-29T10:09:38Z">ackle</metadata>
<metadata tag="submitter" timestamp="2020-03-13T01:50:25Z">whissi</metadata>
</glsa>


@ -0,0 +1,65 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-06">
<title>Ruby: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Ruby, the worst of
which could lead to the remote execution of arbitrary code.
</synopsis>
<product type="ebuild">ruby</product>
<announced>2020-03-13</announced>
<revised count="1">2020-03-13</revised>
<bug>696004</bug>
<access>remote</access>
<affected>
<package name="dev-lang/ruby" auto="yes" arch="*">
<unaffected range="ge" slot="2.4">2.4.9</unaffected>
<unaffected range="ge" slot="2.5">2.5.7</unaffected>
<vulnerable range="lt" slot="2.4">2.4.9</vulnerable>
<vulnerable range="lt" slot="2.5">2.5.7</vulnerable>
</package>
</affected>
<background>
<p>Ruby is an interpreted object-oriented programming language. The
elaborate standard library includes an HTTP server (“WEBRick”) and a
class for XML parsing (“REXML”).
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Ruby. Please review the
CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could execute arbitrary code, have unauthorized access
by bypassing intended path matching or cause a Denial of Service
condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Ruby 2.4.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-lang/ruby-2.4.9:2.4"
</code>
<p>All Ruby 2.5.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-lang/ruby-2.5.7:2.5"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-15845">CVE-2019-15845</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-16201">CVE-2019-16201</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-16254">CVE-2019-16254</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-16255">CVE-2019-16255</uri>
</references>
<metadata tag="requester" timestamp="2019-10-26T17:40:41Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-03-13T02:29:30Z">whissi</metadata>
</glsa>


@ -0,0 +1,52 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-07">
<title>RabbitMQ C client: Arbitrary code execution</title>
<synopsis>A vulnerability in RabbitMQ C client might allow an attacker to
execute arbitrary code.
</synopsis>
<product type="ebuild">rabbitmq-c</product>
<announced>2020-03-13</announced>
<revised count="1">2020-03-13</revised>
<bug>701810</bug>
<access>remote</access>
<affected>
<package name="net-libs/rabbitmq-c" auto="yes" arch="*">
<unaffected range="ge">0.10.0</unaffected>
<vulnerable range="lt">0.10.0</vulnerable>
</package>
</affected>
<background>
<p>A C-language AMQP client library for use with v2.0+ of the RabbitMQ
broker.
</p>
</background>
<description>
<p>It was discovered that RabbitMQ C client incorrectly handled certain
inputs.
</p>
</description>
<impact type="high">
<p>A remote attacker, by sending a specially crafted request, could
possibly execute arbitrary code with the privileges of the process or
cause a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All RabbitMQ C client users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-libs/rabbitmq-c-0.10.0"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-18609">CVE-2019-18609</uri>
</references>
<metadata tag="requester" timestamp="2019-12-26T15:20:01Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-03-13T02:48:45Z">whissi</metadata>
</glsa>


@ -0,0 +1,156 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-08">
<title>Chromium, Google Chrome: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Chromium and Google
Chrome, the worst of which could allow remote attackers to execute
arbitrary code.
</synopsis>
<product type="ebuild">chromium,google-chrome</product>
<announced>2020-03-13</announced>
<revised count="1">2020-03-13</revised>
<bug>699676</bug>
<bug>700588</bug>
<bug>702498</bug>
<bug>703286</bug>
<bug>704960</bug>
<bug>705638</bug>
<bug>708322</bug>
<bug>710760</bug>
<bug>711570</bug>
<access>local, remote</access>
<affected>
<package name="www-client/chromium" auto="yes" arch="*">
<unaffected range="ge">80.0.3987.132</unaffected>
<vulnerable range="lt">80.0.3987.132</vulnerable>
</package>
<package name="www-client/google-chrome" auto="yes" arch="*">
<unaffected range="ge">80.0.3987.132</unaffected>
<vulnerable range="lt">80.0.3987.132</vulnerable>
</package>
</affected>
<background>
<p>Chromium is an open-source browser project that aims to build a safer,
faster, and more stable way for all users to experience the web.
</p>
<p>Google Chrome is one fast, simple, and secure browser for all your
devices.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Chromium and Google
Chrome. Please review the referenced CVE identifiers and Google Chrome
Releases for details.
</p>
</description>
<impact type="high">
<p>A remote attacker could execute arbitrary code, escalate privileges,
obtain sensitive information, spoof an URL or cause a Denial of Service
condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Chromium users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose
"&gt;=www-client/chromium-80.0.3987.132"
</code>
<p>All Google Chrome users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose
"&gt;=www-client/google-chrome-80.0.3987.132"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13723">CVE-2019-13723</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13724">CVE-2019-13724</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13725">CVE-2019-13725</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13726">CVE-2019-13726</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13727">CVE-2019-13727</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13728">CVE-2019-13728</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13729">CVE-2019-13729</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13730">CVE-2019-13730</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13732">CVE-2019-13732</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13734">CVE-2019-13734</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13735">CVE-2019-13735</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13736">CVE-2019-13736</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13737">CVE-2019-13737</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13738">CVE-2019-13738</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13739">CVE-2019-13739</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13740">CVE-2019-13740</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13741">CVE-2019-13741</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13742">CVE-2019-13742</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13743">CVE-2019-13743</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13744">CVE-2019-13744</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13745">CVE-2019-13745</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13746">CVE-2019-13746</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13747">CVE-2019-13747</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13748">CVE-2019-13748</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13749">CVE-2019-13749</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13750">CVE-2019-13750</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13751">CVE-2019-13751</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13752">CVE-2019-13752</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13753">CVE-2019-13753</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13754">CVE-2019-13754</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13755">CVE-2019-13755</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13756">CVE-2019-13756</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13757">CVE-2019-13757</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13758">CVE-2019-13758</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13759">CVE-2019-13759</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13761">CVE-2019-13761</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13762">CVE-2019-13762</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13763">CVE-2019-13763</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13764">CVE-2019-13764</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13767">CVE-2019-13767</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6377">CVE-2020-6377</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6378">CVE-2020-6378</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6379">CVE-2020-6379</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6380">CVE-2020-6380</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6381">CVE-2020-6381</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6382">CVE-2020-6382</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6385">CVE-2020-6385</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6387">CVE-2020-6387</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6388">CVE-2020-6388</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6389">CVE-2020-6389</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6390">CVE-2020-6390</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6391">CVE-2020-6391</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6392">CVE-2020-6392</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6393">CVE-2020-6393</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6394">CVE-2020-6394</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6395">CVE-2020-6395</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6396">CVE-2020-6396</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6397">CVE-2020-6397</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6398">CVE-2020-6398</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6399">CVE-2020-6399</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6400">CVE-2020-6400</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6401">CVE-2020-6401</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6402">CVE-2020-6402</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6403">CVE-2020-6403</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6404">CVE-2020-6404</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6406">CVE-2020-6406</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6407">CVE-2020-6407</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6408">CVE-2020-6408</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6409">CVE-2020-6409</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6410">CVE-2020-6410</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6411">CVE-2020-6411</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6412">CVE-2020-6412</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6413">CVE-2020-6413</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6414">CVE-2020-6414</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6415">CVE-2020-6415</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6416">CVE-2020-6416</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6418">CVE-2020-6418</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6420">CVE-2020-6420</uri>
</references>
<metadata tag="requester" timestamp="2020-03-01T17:56:52Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-03-13T03:16:21Z">whissi</metadata>
</glsa>
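Review bot: The upgrade command in both `<code>` blocks under `<resolution>` is split across two lines with no continuation, so a user who pastes the block as shown runs `emerge --ask --oneshot --verbose` with no atom and then the quoted atom as a second command. The same wrap appears in the Thunderbird advisory 202003-10 for the `thunderbird-bin` command. Keep the atom on the command line, `# emerge --ask --oneshot --verbose "&gt;=www-client/chromium-80.0.3987.132"`, or end the first line with a ` \` continuation if the line width is the concern. Since this file mirrors upstream, the correction should be made in the upstream GLSA and re-synced rather than patched locally.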


@ -0,0 +1,56 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-09">
<title>OpenID library for Ruby: Server-Side Request Forgery</title>
<synopsis>A vulnerability in OpenID library for Ruby at worst might allow an
attacker to bypass authentication.
</synopsis>
<product type="ebuild">ruby-openid</product>
<announced>2020-03-14</announced>
<revised count="2">2020-03-14</revised>
<bug>698464</bug>
<access>remote</access>
<affected>
<package name="dev-ruby/ruby-openid" auto="yes" arch="*">
<unaffected range="ge">2.9.2</unaffected>
<vulnerable range="lt">2.9.2</vulnerable>
</package>
</affected>
<background>
<p>A Ruby library for verifying and serving OpenID identities.</p>
</background>
<description>
<p>It was discovered that OpenID library for Ruby performed discovery
first, and then verification.
</p>
</description>
<impact type="high">
<p>A remote attacker could possibly change the URL used for discovery and
trick the server into connecting to the URL. This server in turn could be
a private server not
publicly accessible.
</p>
<p>In addition, if the client that uses this library discloses connection
errors, this in turn could disclose information from the private server
to the attacker.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All ruby-openid users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-ruby/ruby-openid-2.9.2"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11027">CVE-2019-11027</uri>
</references>
<metadata tag="requester" timestamp="2020-03-13T02:03:43Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-03-14T16:10:29Z">whissi</metadata>
</glsa>
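Review bot: The `<synopsis>` says the worst outcome is an authentication bypass, but `<impact>` describes only a server-side request to an attacker-chosen URL and possible disclosure of connection errors; nothing in the advisory explains how that becomes a bypass. Either the impact paragraph should state the bypass path or the synopsis should describe the request-forgery and information-disclosure impact the body actually documents. Also, the first impact paragraph is wrapped mid-sentence (`a private server not` / `publicly accessible.`); reflowing it to the advisory's normal line width would be cleaner. As this is a sync from upstream, both changes belong in the upstream GLSA.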


@ -0,0 +1,106 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-10">
<title>Mozilla Thunderbird: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Mozilla Thunderbird,
the worst of which could result in the arbitrary execution of code.
</synopsis>
<product type="ebuild">thunderbird</product>
<announced>2020-03-14</announced>
<revised count="1">2020-03-14</revised>
<bug>698516</bug>
<bug>702638</bug>
<bug>709350</bug>
<bug>712518</bug>
<access>remote</access>
<affected>
<package name="mail-client/thunderbird" auto="yes" arch="*">
<unaffected range="ge">68.6.0</unaffected>
<vulnerable range="lt">68.6.0</vulnerable>
</package>
<package name="mail-client/thunderbird-bin" auto="yes" arch="*">
<unaffected range="ge">68.6.0</unaffected>
<vulnerable range="lt">68.6.0</vulnerable>
</package>
</affected>
<background>
<p>Mozilla Thunderbird is a popular open-source email client from the
Mozilla project.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Mozilla Thunderbird.
Please review the CVE identifiers referenced below for details.
</p>
</description>
<impact type="high">
<p>A remote attacker may be able to execute arbitrary code, cause a Denial
of Service condition, obtain sensitive information, or conduct Cross-Site
Request Forgery (CSRF).
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Mozilla Thunderbird users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=mail-client/thunderbird-68.6.0"
</code>
<p>All Mozilla Thunderbird binary users should upgrade to the latest
version:
</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose
"&gt;=mail-client/thunderbird-bin-68.6.0"
</code>
</resolution>
<references>
<uri link="https://www.mozilla.org/en-US/security/advisories/mfsa2019-35/">
MFSA-2019-35
</uri>
<uri link="https://www.mozilla.org/en-US/security/advisories/mfsa2019-37/">
MFSA-2019-37
</uri>
<uri link="https://www.mozilla.org/en-US/security/advisories/mfsa2020-07/">
MFSA-2020-07
</uri>
<uri link="https://www.mozilla.org/en-US/security/advisories/mfsa2020-10/">
MFSA-2020-10
</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11745">CVE-2019-11745</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11757">CVE-2019-11757</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11759">CVE-2019-11759</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11760">CVE-2019-11760</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11761">CVE-2019-11761</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11762">CVE-2019-11762</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11763">CVE-2019-11763</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11764">CVE-2019-11764</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-17005">CVE-2019-17005</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-17008">CVE-2019-17008</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-17010">CVE-2019-17010</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-17011">CVE-2019-17011</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-17012">CVE-2019-17012</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-20503">CVE-2019-20503</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6792">CVE-2020-6792</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6793">CVE-2020-6793</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6794">CVE-2020-6794</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6795">CVE-2020-6795</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6798">CVE-2020-6798</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6800">CVE-2020-6800</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6805">CVE-2020-6805</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6806">CVE-2020-6806</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6807">CVE-2020-6807</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6811">CVE-2020-6811</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6812">CVE-2020-6812</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6814">CVE-2020-6814</uri>
</references>
<metadata tag="requester" timestamp="2020-02-23T05:31:39Z">BlueKnight</metadata>
<metadata tag="submitter" timestamp="2020-03-14T16:01:40Z">BlueKnight</metadata>
</glsa>


@ -0,0 +1,42 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-11">
<title>SVG Salamander: Server-Side Request Forgery</title>
<synopsis>A SSRF may allow remote attackers to forge illegitimate requests.</synopsis>
<product type="ebuild">svgsalamander</product>
<announced>2020-03-14</announced>
<revised count="1">2020-03-14</revised>
<bug>607720</bug>
<access>remote</access>
<affected>
<package name="dev-java/svgsalamander" auto="yes" arch="*">
<vulnerable range="le">0.0-r2</vulnerable>
</package>
</affected>
<background>
<p>SVG Salamander is a light weight SVG renderer and animator for Java.</p>
</background>
<description>
<p>A Server-Side Request Forgery was discovered in SVG Salamander.</p>
</description>
<impact type="normal">
<p>An attacker, by sending a specially crafted SVG file, can conduct SSRF.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>Gentoo has discontinued support for SVG Salamander. We recommend that
users unmerge SVG Salamander:
</p>
<code>
# emerge --unmerge "dev-java/svgsalamander"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-5617">CVE-2017-5617</uri>
</references>
<metadata tag="requester" timestamp="2019-09-15T02:33:02Z">b-man</metadata>
<metadata tag="submitter" timestamp="2020-03-14T16:07:50Z">b-man</metadata>
</glsa>


@ -0,0 +1,55 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-12">
<title>sudo: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in sudo, the worst of
which could result in privilege escalation.
</synopsis>
<product type="ebuild">sudo</product>
<announced>2020-03-14</announced>
<revised count="1">2020-03-14</revised>
<bug>697462</bug>
<bug>707574</bug>
<access>local</access>
<affected>
<package name="app-admin/sudo" auto="yes" arch="*">
<unaffected range="ge">1.8.31</unaffected>
<vulnerable range="lt">1.8.31</vulnerable>
</package>
</affected>
<background>
<p>sudo (su “do”) allows a system administrator to delegate authority
to give certain users (or groups of users) the ability to run some (or
all) commands as root or another user while providing an audit trail of
the commands and their arguments.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in sudo. Please review the
CVE identifiers referenced below for details.
</p>
</description>
<impact type="high">
<p>A local attacker could expose or corrupt memory information, inject code
to be run as a root user or cause a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All sudo users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-admin/sudo-1.8.31"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-14287">CVE-2019-14287</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-18634">CVE-2019-18634</uri>
</references>
<metadata tag="requester" timestamp="2020-02-29T15:42:31Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-03-14T16:20:57Z">whissi</metadata>
</glsa>


@ -0,0 +1,53 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-13">
<title>musl: x87 floating-point stack adjustment imbalance</title>
<synopsis>An x87 stack handling error in musl might allow an attacker to have
an application dependent impact.
</synopsis>
<product type="ebuild">musl</product>
<announced>2020-03-14</announced>
<revised count="2">2020-03-15</revised>
<bug>711276</bug>
<access>local, remote</access>
<affected>
<package name="sys-libs/musl" auto="yes" arch="*">
<unaffected range="ge">1.1.24</unaffected>
<vulnerable range="lt">1.1.24</vulnerable>
</package>
</affected>
<background>
<p>musl is an implementation of the C standard library built on top of the
Linux system call API, including interfaces defined in the base language
standard, POSIX, and widely agreed-upon extensions.
</p>
</background>
<description>
<p>A flaw in musl libcs arch-specific math assembly code for i386 was
found which can lead to x87 stack overflow in the execution of subsequent
math code.
</p>
</description>
<impact type="normal">
<p>Impact depends on how the application built against musl libc handles
the ABI-violating x87 state.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All musl users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=sys-libs/musl-1.1.24"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-14697">CVE-2019-14697</uri>
</references>
<metadata tag="requester" timestamp="2020-03-03T20:43:59Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-03-15T00:52:05Z">whissi</metadata>
</glsa>


@ -0,0 +1,53 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-14">
<title>atftp: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in atftp, the worst of
which could result in the execution of arbitrary code.
</synopsis>
<product type="ebuild">atftp</product>
<announced>2020-03-14</announced>
<revised count="1">2020-03-14</revised>
<bug>711630</bug>
<access>remote</access>
<affected>
<package name="net-ftp/atftp" auto="yes" arch="*">
<unaffected range="ge">0.7.2</unaffected>
<vulnerable range="lt">0.7.2</vulnerable>
</package>
</affected>
<background>
<p>atftp is a client/server implementation of the TFTP protocol that
implements RFCs 1350, 2090, 2347, 2348, and 2349.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in atftp. Please review
the CVE identifiers referenced below for details.
</p>
</description>
<impact type="high">
<p>A remote attacker could send a specially crafted packet to an atftp
instance, possibly resulting in the execution of arbitrary code with the
privileges of the process or a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All atftp users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-ftp/atftp-0.7.2"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11365">CVE-2019-11365</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11366">CVE-2019-11366</uri>
</references>
<metadata tag="requester" timestamp="2020-03-08T00:17:16Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-03-14T16:48:02Z">whissi</metadata>
</glsa>


@ -0,0 +1,54 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-15">
<title>ICU: Integer overflow</title>
<synopsis>An integer overflow flaw in ICU could possibly allow for the
execution of arbitrary code.
</synopsis>
<product type="ebuild">ICU</product>
<announced>2020-03-15</announced>
<revised count="1">2020-03-15</revised>
<bug>710758</bug>
<access>local, remote</access>
<affected>
<package name="dev-libs/icu" auto="yes" arch="*">
<unaffected range="ge">65.1-r1</unaffected>
<vulnerable range="lt">65.1-r1</vulnerable>
</package>
</affected>
<background>
<p>ICU is a mature, widely used set of C/C++ and Java libraries providing
Unicode and Globalization support for software applications.
</p>
</background>
<description>
<p>It was discovered that ICUs UnicodeString::doAppend() function is
vulnerable to an integer overflow. Please review the CVE identifiers
referenced below for more details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could entice a user to process a specially crafted
string in an application linked against ICU, possibly resulting in
execution of arbitrary code with the privileges of the process or a
Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All ICU users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-libs/icu-65.1-r1"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-10531">CVE-2020-10531</uri>
</references>
<metadata tag="requester" timestamp="2020-03-15T01:07:26Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-03-15T01:36:26Z">whissi</metadata>
</glsa>


@ -0,0 +1,52 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-16">
<title>SQLite: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in SQLite, the worst of
which could result in the arbitrary execution of code.
</synopsis>
<product type="ebuild">sqlite</product>
<announced>2020-03-15</announced>
<revised count="1">2020-03-15</revised>
<bug>697678</bug>
<bug>711526</bug>
<access>local, remote</access>
<affected>
<package name="dev-db/sqlite" auto="yes" arch="*">
<unaffected range="ge">3.31.1</unaffected>
<vulnerable range="lt">3.31.1</vulnerable>
</package>
</affected>
<background>
<p>SQLite is a C library that implements an SQL database engine.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in SQLite. Please review
the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could possibly execute arbitrary code with the
privileges of the process, or cause a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All SQLite users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-db/sqlite-3.31.1"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-16168">CVE-2019-16168</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5827">CVE-2019-5827</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-9327">CVE-2020-9327</uri>
</references>
<metadata tag="requester" timestamp="2020-03-15T01:58:17Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-03-15T02:02:12Z">whissi</metadata>
</glsa>


@ -0,0 +1,55 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-17">
<title>nfdump: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in nfdump, the worst of
which could result in the execution of arbitrary code.
</synopsis>
<product type="ebuild">nfsdump</product>
<announced>2020-03-15</announced>
<revised count="1">2020-03-15</revised>
<bug>711316</bug>
<access>local, remote</access>
<affected>
<package name="net-analyzer/nfdump" auto="yes" arch="*">
<unaffected range="ge">1.6.19</unaffected>
<vulnerable range="lt">1.6.19</vulnerable>
</package>
</affected>
<background>
<p>nfdump is a toolset in order to collect and process netflow and sflow
data, sent from netflow/sflow compatible devices.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in nfdump. Please review
the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker, by sending specially crafted netflow/sflow data,
could possibly execute arbitrary code with the privileges of the process
or cause a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All nfdump users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-analyzer/nfdump-1.6.19"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-1010057">
CVE-2019-1010057
</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-14459">CVE-2019-14459</uri>
</references>
<metadata tag="requester" timestamp="2020-03-15T02:20:52Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-03-15T02:25:05Z">whissi</metadata>
</glsa>
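Review bot: `<product type="ebuild">nfsdump</product>` on line 8 of this section does not match what the advisory covers — the title says nfdump and the `<package name="net-analyzer/nfdump" ...>` entry below it names nfdump — so it looks like a typo in the upstream advisory that any tooling keying on `<product>` would miss. Since these files are synced from upstream, the correction (`<product type="ebuild">nfdump</product>`) belongs in the upstream GLSA rather than a local edit, and is worth reporting so the next sync picks it up.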


@ -0,0 +1,52 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-18">
<title>libvirt: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in libvirt, the worst
of which may result in the execution of arbitrary commands.
</synopsis>
<product type="ebuild">libvirt</product>
<announced>2020-03-15</announced>
<revised count="1">2020-03-15</revised>
<bug>711306</bug>
<access>local</access>
<affected>
<package name="app-emulation/libvirt" auto="yes" arch="*">
<unaffected range="ge">5.4.1</unaffected>
<vulnerable range="lt">5.4.1</vulnerable>
</package>
</affected>
<background>
<p>libvirt is a C toolkit for manipulating virtual machines.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in libvirt. Please review
the CVE identifiers referenced below for details.
</p>
</description>
<impact type="high">
<p>A local privileged attacker could execute arbitrary commands, escalate
privileges or cause a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All libvirt users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-emulation/libvirt-5.4.1"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-10161">CVE-2019-10161</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-10166">CVE-2019-10166</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-10167">CVE-2019-10167</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-10168">CVE-2019-10168</uri>
</references>
<metadata tag="requester" timestamp="2020-03-15T02:39:16Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-03-15T02:42:25Z">whissi</metadata>
</glsa>


@ -0,0 +1,50 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-19">
<title>PPP: Buffer overflow</title>
<synopsis>A buffer overflow in PPP might allow a remote attacker to execute
arbitrary code.
</synopsis>
<product type="ebuild">PPP</product>
<announced>2020-03-15</announced>
<revised count="1">2020-03-15</revised>
<bug>710308</bug>
<access>remote</access>
<affected>
<package name="net-dialup/ppp" auto="yes" arch="*">
<unaffected range="ge">2.4.8</unaffected>
<vulnerable range="lt">2.4.8</vulnerable>
</package>
</affected>
<background>
<p>PPP is a Unix implementation of the Point-to-Point Protocol.</p>
</background>
<description>
<p>It was discovered that bounds check in PPP for the rhostname was
improperly constructed in the EAP request and response functions.
</p>
</description>
<impact type="high">
<p>A remote attacker, by sending specially crafted authentication data,
could possibly execute arbitrary code with the privileges of the process
or cause a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All PPP users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-dialup/ppp-2.4.8"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-8597">CVE-2020-8597</uri>
</references>
<metadata tag="requester" timestamp="2020-03-15T02:58:39Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-03-15T03:04:09Z">whissi</metadata>
</glsa>


@ -0,0 +1,48 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-20">
<title>systemd: Heap use-after-free</title>
<synopsis>A heap use-after-free flaw in systemd at worst might allow an
attacker to execute arbitrary code.
</synopsis>
<product type="ebuild">systemd</product>
<announced>2020-03-15</announced>
<revised count="1">2020-03-15</revised>
<bug>708806</bug>
<access>local</access>
<affected>
<package name="sys-apps/systemd" auto="yes" arch="*">
<unaffected range="ge">244.3</unaffected>
<vulnerable range="lt">244.3</vulnerable>
</package>
</affected>
<background>
<p>A system and service manager.</p>
</background>
<description>
<p>It was found that systemd incorrectly handled certain Polkit queries.</p>
</description>
<impact type="high">
<p>A local unprivileged user, by sending a specially crafted Polkit query,
could possibly execute arbitrary code with the privileges of the process,
escalate privileges or cause a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All systemd users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=sys-apps/systemd-244.3"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-1712">CVE-2020-1712</uri>
</references>
<metadata tag="requester" timestamp="2020-03-15T03:18:50Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-03-15T03:26:30Z">whissi</metadata>
</glsa>


@ -0,0 +1,56 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-21">
<title>runC: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in runC, the worst of
which may lead to privilege escalation.
</synopsis>
<product type="ebuild">runC</product>
<announced>2020-03-15</announced>
<revised count="1">2020-03-15</revised>
<bug>677744</bug>
<bug>709456</bug>
<bug>711182</bug>
<access>local, remote</access>
<affected>
<package name="app-emulation/runc" auto="yes" arch="*">
<unaffected range="ge">1.0.0_rc10</unaffected>
<vulnerable range="lt">1.0.0_rc10</vulnerable>
</package>
</affected>
<background>
<p>RunC is a CLI tool for spawning and running containers according to the
OCI specification.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in runC. Please review the
CVE identifiers referenced below for details.
</p>
</description>
<impact type="high">
<p>An attacker, by running a malicious Docker image, could escape the
container, bypass security restrictions, escalate privileges or cause a
Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All runC users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-emulation/runc-1.0.0_rc10"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-16884">CVE-2019-16884</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-19921">CVE-2019-19921</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5736">CVE-2019-5736</uri>
</references>
<metadata tag="requester" timestamp="2020-03-15T04:19:19Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-03-15T04:26:32Z">whissi</metadata>
</glsa>


@ -0,0 +1,94 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-22">
<title>WebkitGTK+: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in WebKitGTK+, the worst
of which may lead to arbitrary code execution.
</synopsis>
<product type="ebuild">webkitgtk+</product>
<announced>2020-03-15</announced>
<revised count="1">2020-03-15</revised>
<bug>699156</bug>
<bug>706374</bug>
<bug>709612</bug>
<access>remote</access>
<affected>
<package name="net-libs/webkit-gtk" auto="yes" arch="*">
<unaffected range="ge">2.26.4</unaffected>
<vulnerable range="lt">2.26.4</vulnerable>
</package>
</affected>
<background>
<p>WebKitGTK+ is a full-featured port of the WebKit rendering engine,
suitable for projects requiring any kind of web integration, from hybrid
HTML/CSS applications to full-fledged web browsers.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in WebKitGTK+. Please
review the referenced CVE identifiers for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could execute arbitrary code, cause a Denial of
Service condition, bypass intended memory-read restrictions, conduct a
timing side-channel attack to bypass the Same Origin Policy or obtain
sensitive information.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All WebkitGTK+ users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-libs/webkit-gtk-2.26.4"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8625">CVE-2019-8625</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8674">CVE-2019-8674</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8707">CVE-2019-8707</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8710">CVE-2019-8710</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8719">CVE-2019-8719</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8720">CVE-2019-8720</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8726">CVE-2019-8726</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8733">CVE-2019-8733</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8735">CVE-2019-8735</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8743">CVE-2019-8743</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8763">CVE-2019-8763</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8764">CVE-2019-8764</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8765">CVE-2019-8765</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8766">CVE-2019-8766</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8768">CVE-2019-8768</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8769">CVE-2019-8769</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8771">CVE-2019-8771</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8782">CVE-2019-8782</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8783">CVE-2019-8783</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8808">CVE-2019-8808</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8811">CVE-2019-8811</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8812">CVE-2019-8812</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8813">CVE-2019-8813</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8814">CVE-2019-8814</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8815">CVE-2019-8815</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8816">CVE-2019-8816</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8819">CVE-2019-8819</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8820">CVE-2019-8820</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8821">CVE-2019-8821</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8822">CVE-2019-8822</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8823">CVE-2019-8823</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8835">CVE-2019-8835</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8844">CVE-2019-8844</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-8846">CVE-2019-8846</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-3862">CVE-2020-3862</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-3864">CVE-2020-3864</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-3865">CVE-2020-3865</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-3867">CVE-2020-3867</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-3868">CVE-2020-3868</uri>
</references>
<metadata tag="requester" timestamp="2020-03-15T04:37:44Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-03-15T04:42:48Z">whissi</metadata>
</glsa>


@ -0,0 +1,51 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-23">
<title>libjpeg-turbo: User-assisted execution of arbitrary code</title>
<synopsis>Several integer overflows in libjpeg-turbo might allow an attacker
to execute arbitrary code.
</synopsis>
<product type="ebuild">libjpeg-turbo</product>
<announced>2020-03-15</announced>
<revised count="1">2020-03-15</revised>
<bug>699830</bug>
<access>local, remote</access>
<affected>
<package name="media-libs/libjpeg-turbo" auto="yes" arch="*">
<unaffected range="ge">2.0.3</unaffected>
<vulnerable range="lt">2.0.3</vulnerable>
</package>
</affected>
<background>
<p>libjpeg-turbo is a MMX, SSE, and SSE2 SIMD accelerated JPEG library.</p>
</background>
<description>
<p>It was discovered that libjpeg-turbo incorrectly handled certain JPEG
images.
</p>
</description>
<impact type="normal">
<p>A remote attacker could entice a user to open a specially crafted JPEG
file in an application linked against libjpeg-turbo, possibly resulting
in execution of arbitrary code with the privileges of the process or a
Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All libjpeg-turbo users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=media-libs/libjpeg-turbo-2.0.3"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-2201">CVE-2019-2201</uri>
</references>
<metadata tag="requester" timestamp="2020-03-15T04:50:57Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-03-15T14:25:41Z">whissi</metadata>
</glsa>


@ -0,0 +1,50 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-24">
<title>file: Heap-based buffer overflow</title>
<synopsis>A heap-based buffer overflow in file might allow remote attackers
to execute arbitrary code.
</synopsis>
<product type="ebuild">file</product>
<announced>2020-03-15</announced>
<revised count="1">2020-03-15</revised>
<bug>698610</bug>
<access>local, remote</access>
<affected>
<package name="sys-apps/file" auto="yes" arch="*">
<unaffected range="ge">5.37-r1</unaffected>
<vulnerable range="lt">5.37-r1</vulnerable>
</package>
</affected>
<background>
<p>file is a utility that guesses a file format by scanning binary data for
patterns.
</p>
</background>
<description>
<p>It was discovered that file incorrectly handled certain malformed files.</p>
</description>
<impact type="normal">
<p>A remote attacker could entice a user to process a specially crafted
file via libmagic or file, possibly resulting in execution of arbitrary
code with the privileges of the process or a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All file users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=sys-apps/file-5.37-r1"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-18218">CVE-2019-18218</uri>
</references>
<metadata tag="requester" timestamp="2020-03-15T04:56:34Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-03-15T14:35:19Z">whissi</metadata>
</glsa>


@ -0,0 +1,58 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-25">
<title>libTIFF: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in LibTIFF, the worst of
which could result in a Denial of Service condition.
</synopsis>
<product type="ebuild">tiff</product>
<announced>2020-03-15</announced>
<revised count="1">2020-03-15</revised>
<bug>639700</bug>
<bug>690732</bug>
<bug>699868</bug>
<access>local, remote</access>
<affected>
<package name="media-libs/tiff" auto="yes" arch="*">
<unaffected range="ge">4.1.0</unaffected>
<vulnerable range="lt">4.1.0</vulnerable>
</package>
</affected>
<background>
<p>The TIFF library contains encoding and decoding routines for the Tag
Image File Format. It is called by numerous programs, including GNOME and
KDE applications, to interpret TIFF images.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in libTIFF. Please review
the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker, by enticing the user to process a specially crafted
TIFF file, could possibly cause a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All libTIFF users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=media-libs/tiff-4.1.0"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-17095">CVE-2017-17095</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-19210">CVE-2018-19210</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-17546">CVE-2019-17546</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-6128">CVE-2019-6128</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-7663">CVE-2019-7663</uri>
</references>
<metadata tag="requester" timestamp="2020-03-15T14:58:38Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-03-15T15:09:13Z">whissi</metadata>
</glsa>


@ -0,0 +1,87 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-26">
<title>Python: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Python, the worst of
which could result in a Denial of Service condition.
</synopsis>
<product type="ebuild">python</product>
<announced>2020-03-15</announced>
<revised count="1">2020-03-15</revised>
<bug>676700</bug>
<bug>680246</bug>
<bug>680298</bug>
<bug>684838</bug>
<bug>689822</bug>
<access>local, remote</access>
<affected>
<package name="dev-lang/python" auto="yes" arch="*">
<unaffected range="ge" slot="2.7">2.7.17</unaffected>
<unaffected range="ge" slot="3.5/3.5m">3.5.7</unaffected>
<unaffected range="ge" slot="3.6/3.6m">3.6.9</unaffected>
<unaffected range="ge" slot="3.7/3.7m">3.7.4</unaffected>
<vulnerable range="lt" slot="2.7">2.7.17</vulnerable>
<vulnerable range="lt" slot="3.5/3.5m">3.5.7</vulnerable>
<vulnerable range="lt" slot="3.6/3.6m">3.6.9</vulnerable>
<vulnerable range="lt" slot="3.7/3.7m">3.7.4</vulnerable>
</package>
</affected>
<background>
<p>Python is an interpreted, interactive, object-oriented programming
language.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Python. Please review
the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could possibly perform a CRLF injection attack, obtain
sensitive information, trick Python into sending cookies to the wrong
domain or cause a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Python 2.7.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-lang/python-2.7.17:2.7"
</code>
<p>All Python 3.5.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-lang/python-3.5.7:3.5/3.5m"
</code>
<p>All Python 3.6.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-lang/python-3.6.9:3.6/3.6m"
</code>
<p>All Python 3.7x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-lang/python-3.7.4:3.7/3.7m"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-20852">CVE-2018-20852</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5010">CVE-2019-5010</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-9636">CVE-2019-9636</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-9740">CVE-2019-9740</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-9947">CVE-2019-9947</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-9948">CVE-2019-9948</uri>
</references>
<metadata tag="requester" timestamp="2020-03-15T15:47:20Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-03-15T15:56:47Z">whissi</metadata>
</glsa>
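Review bot: The resolution paragraph for the last slot reads `<p>All Python 3.7x users should upgrade to the latest version:</p>`, which is missing the dot the three preceding paragraphs use (`Python 3.7.x`). Because these files are synced verbatim from upstream, the wording fix should be submitted upstream rather than patched locally, otherwise the next sync silently reverts it.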


@ -0,0 +1,50 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-27">
<title>libssh: Arbitrary command execution</title>
<synopsis>A vulnerability in libssh could allow a remote attacker to execute
arbitrary commands.
</synopsis>
<product type="ebuild">libssh</product>
<announced>2020-03-15</announced>
<revised count="1">2020-03-15</revised>
<bug>701598</bug>
<access>remote</access>
<affected>
<package name="net-libs/libssh" auto="yes" arch="*">
<unaffected range="ge">0.9.3</unaffected>
<vulnerable range="lt">0.9.3</vulnerable>
</package>
</affected>
<background>
<p>libssh is a multiplatform C library implementing the SSHv2 protocol on
client and server side.
</p>
</background>
<description>
<p>It was discovered that libssh incorrectly handled certain scp commands.</p>
</description>
<impact type="normal">
<p>A remote attacker could trick a victim into using a specially crafted
scp command, possibly resulting in the execution of arbitrary commands on
the server.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All libssh users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-libs/libssh-0.9.3"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-14889">CVE-2019-14889</uri>
</references>
<metadata tag="requester" timestamp="2020-03-15T16:06:34Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-03-15T16:16:36Z">whissi</metadata>
</glsa>


@ -0,0 +1,55 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-28">
<title>libarchive: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in libarchive, the worst
of which may lead to arbitrary code execution.
</synopsis>
<product type="ebuild">libarchive</product>
<announced>2020-03-15</announced>
<revised count="1">2020-03-15</revised>
<bug>699222</bug>
<bug>710358</bug>
<access>local, remote</access>
<affected>
<package name="app-arch/libarchive" auto="yes" arch="*">
<unaffected range="ge">3.4.2</unaffected>
<vulnerable range="lt">3.4.2</vulnerable>
</package>
</affected>
<background>
<p>libarchive is a library for manipulating different streaming archive
formats, including certain tar variants, several cpio formats, and both
BSD and GNU ar variants.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in libarchive. Please
review the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could entice a user to open a specially crafted
archive file possibly resulting in the execution of arbitrary code with
the privileges of the process or a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All libarchive users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-arch/libarchive-3.4.2"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-18408">CVE-2019-18408</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-9308">CVE-2020-9308</uri>
</references>
<metadata tag="requester" timestamp="2020-03-15T16:23:19Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-03-15T16:26:32Z">whissi</metadata>
</glsa>


@ -0,0 +1,53 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-29">
<title>cURL: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in cURL, the worst of
which may lead to arbitrary code execution.
</synopsis>
<product type="ebuild">curl</product>
<announced>2020-03-15</announced>
<revised count="1">2020-03-15</revised>
<bug>686050</bug>
<bug>694020</bug>
<access>remote</access>
<affected>
<package name="net-misc/curl" auto="yes" arch="*">
<unaffected range="ge">7.66.0</unaffected>
<vulnerable range="lt">7.66.0</vulnerable>
</package>
</affected>
<background>
<p>A command line tool and library for transferring data with URLs.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in cURL. Please review the
CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could possibly execute arbitrary code with the
privileges of the process or cause a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All cURL users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-misc/curl-7.66.0"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5435">CVE-2019-5435</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5436">CVE-2019-5436</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5481">CVE-2019-5481</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5482">CVE-2019-5482</uri>
</references>
<metadata tag="requester" timestamp="2020-03-15T16:31:33Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-03-15T16:37:06Z">whissi</metadata>
</glsa>


@ -0,0 +1,76 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-30">
<title>Git: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Git, the worst of which
could result in the arbitrary execution of code.
</synopsis>
<product type="ebuild">git</product>
<announced>2020-03-15</announced>
<revised count="2">2020-03-20</revised>
<bug>702296</bug>
<access>local, remote</access>
<affected>
<package name="dev-vcs/git" auto="yes" arch="*">
<unaffected range="rge">2.21.1</unaffected>
<unaffected range="rge">2.23.1-r1</unaffected>
<unaffected range="rge">2.24.1</unaffected>
<vulnerable range="lt">2.24.1</vulnerable>
</package>
</affected>
<background>
<p>Git is a free and open source distributed version control system
designed to handle everything from small to very large projects with
speed and efficiency.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Git. Please review the
CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>An attacker could possibly overwrite arbitrary paths, execute arbitrary
code, and overwrite files in the .git directory.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Git 2.21.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-vcs/git-2.21.1"
</code>
<p>All Git 2.23.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-vcs/git-2.23.1-r1"
</code>
<p>All Git 2.24.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-vcs/git-2.24.1"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-1348">CVE-2019-1348</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-1349">CVE-2019-1349</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-1350">CVE-2019-1350</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-1351">CVE-2019-1351</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-1352">CVE-2019-1352</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-1353">CVE-2019-1353</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-1354">CVE-2019-1354</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-1387">CVE-2019-1387</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-19604">CVE-2019-19604</uri>
</references>
<metadata tag="requester" timestamp="2020-03-15T16:52:27Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-03-20T21:00:47Z">whissi</metadata>
</glsa>


@ -0,0 +1,55 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-31">
<title>gdb: Buffer overflow</title>
<synopsis>A buffer overflow in gdb might allow a remote attacker to cause a
Denial of Service condition.
</synopsis>
<product type="ebuild">gdb</product>
<announced>2020-03-15</announced>
<revised count="1">2020-03-15</revised>
<bug>690582</bug>
<access>local, remote</access>
<affected>
<package name="sys-devel/gdb" auto="yes" arch="*">
<unaffected range="ge">9.1</unaffected>
<vulnerable range="lt">9.1</vulnerable>
</package>
</affected>
<background>
<p>gdb is the GNU projects debugger, facilitating the analysis and
debugging of applications. The BFD library provides a uniform method of
accessing a variety of object file formats.
</p>
</background>
<description>
<p>It was discovered that gdb didnt properly validate the ELF section
sizes from input file.
</p>
</description>
<impact type="normal">
<p>A remote attacker could entice a user to open a specially crafted ELF
binary using gdb, possibly resulting in information disclosure or a
Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All gdb users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=sys-devel/gdb-9.1"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-1010180">
CVE-2019-1010180
</uri>
</references>
<metadata tag="requester" timestamp="2020-03-15T19:07:24Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-03-15T19:13:13Z">whissi</metadata>
</glsa>
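Review bot: The CVE reference in this file is the only one in the batch whose link text is split across lines (`<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-1010180">` / `CVE-2019-1010180` / `</uri>`), so the element's text carries leading and trailing whitespace that every other `<uri>` lacks; any consumer that compares or displays the CVE id without trimming will see a different value. The background and description also read "GNU projects debugger" and "didnt", which look like dropped apostrophes, though that may be an artefact of how the page was rendered rather than the file content. Both are upstream text issues; a local edit would be overwritten by the next sync.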


@ -0,0 +1,51 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-32">
<title>Libgcrypt: Side-channel attack</title>
<synopsis>A vulnerability in Libgcrypt could allow a local attacker to
recover sensitive information.
</synopsis>
<product type="ebuild">libgcrypt</product>
<announced>2020-03-15</announced>
<revised count="1">2020-03-15</revised>
<bug>693108</bug>
<access>local</access>
<affected>
<package name="dev-libs/libgcrypt" auto="yes" arch="*">
<unaffected range="ge">1.8.5</unaffected>
<vulnerable range="lt">1.8.5</vulnerable>
</package>
</affected>
<background>
<p>Libgcrypt is a general purpose cryptographic library derived out of
GnuPG.
</p>
</background>
<description>
<p>A timing attack was found in the way ECCDSA was implemented in
Libgcrypt.
</p>
</description>
<impact type="low">
<p>A local man-in-the-middle attacker, during signature generation, could
possibly recover the private key.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Libgcrypt users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-libs/libgcrypt-1.8.5"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13627">CVE-2019-13627</uri>
</references>
<metadata tag="requester" timestamp="2020-03-15T19:23:38Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-03-15T19:29:34Z">whissi</metadata>
</glsa>
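Review bot: The description says `A timing attack was found in the way ECCDSA was implemented in Libgcrypt`; "ECCDSA" appears to be a typo for ECDSA, which is the algorithm the referenced CVE-2019-13627 concerns, so the line should probably read `<p>A timing attack was found in the way ECDSA was implemented in` upstream. As with the other synced advisories, the correction belongs in the upstream source rather than this repository.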


@ -0,0 +1,54 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-33">
<title>GStreamer Base Plugins: Heap-based buffer overflow</title>
<synopsis>A heap-based buffer overflow in GStreamer Base Plugins might allow
remote attackers to execute arbitrary code.
</synopsis>
<product type="ebuild">gst-plugins-base</product>
<announced>2020-03-15</announced>
<revised count="1">2020-03-15</revised>
<bug>701294</bug>
<access>remote</access>
<affected>
<package name="media-libs/gst-plugins-base" auto="yes" arch="*">
<unaffected range="ge">1.14.5-r1</unaffected>
<vulnerable range="lt">1.14.5-r1</vulnerable>
</package>
</affected>
<background>
<p>A well-groomed and well-maintained collection of GStreamer plug-ins and
elements, spanning the range of possible types of elements one would want
to write for GStreamer.
</p>
</background>
<description>
<p>It was discovered that GStreamer Base Plugins did not correctly handle
certain malformed RTSP streams.
</p>
</description>
<impact type="normal">
<p>A remote attacker could entice a user to open a specially crafted RTSP
stream with a GStreamer application, possibly resulting in the execution
of arbitrary code or a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All GStreamer Base Plugins users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose
"&gt;=media-libs/gst-plugins-base-1.14.5-r1"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-9928">CVE-2019-9928</uri>
</references>
<metadata tag="requester" timestamp="2020-03-15T19:49:56Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-03-15T19:54:43Z">whissi</metadata>
</glsa>
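Review bot: The upgrade command in the `<code>` block is wrapped onto two lines (`# emerge --ask --oneshot --verbose` followed by `"&gt;=media-libs/gst-plugins-base-1.14.5-r1"`), so a user who copies the block runs an emerge with no atom and then a bare quoted string as a second command. Every other advisory in this batch keeps the atom on the same line; this one should read `# emerge --ask --oneshot --verbose "&gt;=media-libs/gst-plugins-base-1.14.5-r1"` as a single line, fixed upstream since the file is synced verbatim.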


@ -0,0 +1,61 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-34">
<title>Squid: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Squid, the worst of
which could lead to arbitrary code execution.
</synopsis>
<product type="ebuild">squid</product>
<announced>2020-03-16</announced>
<revised count="1">2020-03-16</revised>
<bug>699854</bug>
<bug>708296</bug>
<access>remote</access>
<affected>
<package name="net-proxy/squid" auto="yes" arch="*">
<unaffected range="ge">4.10</unaffected>
<vulnerable range="lt">4.10</vulnerable>
</package>
</affected>
<background>
<p>Squid is a full-featured Web proxy cache designed to run on Unix
systems. It supports proxying and caching of HTTP, FTP, and other URLs,
as well as SSL support, cache hierarchies, transparent caching, access
control lists and many other features.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Squid. Please review
the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker, by sending a specially crafted request, could
possibly execute arbitrary code with the privileges of the process,
obtain sensitive information or cause a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Squid users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-proxy/squid-4.10"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-12526">CVE-2019-12526</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-12528">CVE-2019-12528</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-18678">CVE-2019-18678</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-18679">CVE-2019-18679</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-8449">CVE-2020-8449</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-8450">CVE-2020-8450</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-8517">CVE-2020-8517</uri>
</references>
<metadata tag="requester" timestamp="2019-11-11T17:42:19Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-03-16T11:34:35Z">whissi</metadata>
</glsa>


@ -0,0 +1,55 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-35">
<title>ProFTPd: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in ProFTPd, the worst of
which may lead to arbitrary code execution.
</synopsis>
<product type="ebuild">proftpd</product>
<announced>2020-03-16</announced>
<revised count="1">2020-03-16</revised>
<bug>699520</bug>
<bug>701814</bug>
<bug>710730</bug>
<access>remote</access>
<affected>
<package name="net-ftp/proftpd" auto="yes" arch="*">
<unaffected range="ge">1.3.6c</unaffected>
<vulnerable range="lt">1.3.6c</vulnerable>
</package>
</affected>
<background>
<p>ProFTPD is an advanced and very configurable FTP server.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in ProFTPd. Please review
the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker, by interrupting the data transfer channel, could
possibly execute arbitrary code with the privileges of the process or
cause a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All ProFTPd users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-ftp/proftpd-1.3.6c"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-18217">CVE-2019-18217</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-19269">CVE-2019-19269</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-9272">CVE-2020-9272</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-9273">CVE-2020-9273</uri>
</references>
<metadata tag="requester" timestamp="2020-03-15T06:37:49Z">BlueKnight</metadata>
<metadata tag="submitter" timestamp="2020-03-16T21:08:17Z">whissi</metadata>
</glsa>


@ -0,0 +1,55 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-36">
<title>libvorbis: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in libvorbis, the worst of
which could result in a Denial of Service condition.
</synopsis>
<product type="ebuild">libvorbis</product>
<announced>2020-03-16</announced>
<revised count="1">2020-03-16</revised>
<bug>631646</bug>
<bug>699862</bug>
<access>local, remote</access>
<affected>
<package name="media-libs/libvorbis" auto="yes" arch="*">
<unaffected range="ge">1.3.6-r1</unaffected>
<vulnerable range="lt">1.3.6-r1</vulnerable>
</package>
</affected>
<background>
<p>libvorbis is the reference implementation of the Xiph.org Ogg Vorbis
audio file format. It is used by many applications for playback of Ogg
Vorbis files.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in libvorbis. Please
review the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker, by enticing the user to process a specially crafted
audio file, could possibly cause a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All libvorbis users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=media-libs/libvorbis-1.3.6-r1"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-14160">CVE-2017-14160</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-10392">CVE-2018-10392</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-10393">CVE-2018-10393</uri>
</references>
<metadata tag="requester" timestamp="2020-03-15T15:16:28Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-03-16T21:12:28Z">whissi</metadata>
</glsa>


@ -0,0 +1,63 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-37">
<title>Mozilla Network Security Service: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Mozilla Network
Security Service (NSS), the worst of which may lead to arbitrary code
execution.
</synopsis>
<product type="ebuild">nss</product>
<announced>2020-03-16</announced>
<revised count="2">2020-03-16</revised>
<bug>627534</bug>
<bug>676868</bug>
<bug>701840</bug>
<access>local, remote</access>
<affected>
<package name="dev-libs/nss" auto="yes" arch="*">
<unaffected range="ge">3.49</unaffected>
<vulnerable range="lt">3.49</vulnerable>
</package>
</affected>
<background>
<p>The Mozilla Network Security Service (NSS) is a library implementing
security features like SSL v.2/v.3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS
#12, S/MIME and X.509 certificates.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Mozilla Network
Security Service (NSS). Please review the CVE identifiers referenced
below for details.
</p>
</description>
<impact type="normal">
<p>An attacker could execute arbitrary code, cause a Denial of Service
condition or have other unspecified impact.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Mozilla Network Security Service (NSS) users should upgrade to the
latest version:
</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-libs/nss-3.49"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-11695">CVE-2017-11695</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-11696">CVE-2017-11696</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-11697">CVE-2017-11697</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-11698">CVE-2017-11698</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-18508">CVE-2018-18508</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11745">CVE-2019-11745</uri>
</references>
<metadata tag="requester" timestamp="2020-03-15T15:34:44Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-03-16T21:17:42Z">whissi</metadata>
</glsa>


@ -0,0 +1,52 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-38">
<title>PECL Imagick: Arbitrary code execution</title>
<synopsis>A vulnerability in Imagick PHP extension might allow an attacker to
execute arbitrary code.
</synopsis>
<product type="ebuild">pecl-imagick</product>
<announced>2020-03-19</announced>
<revised count="1">2020-03-19</revised>
<bug>687030</bug>
<access>remote</access>
<affected>
<package name="dev-php/pecl-imagick" auto="yes" arch="*">
<unaffected range="ge">3.4.4</unaffected>
<vulnerable range="lt">3.4.4</vulnerable>
</package>
</affected>
<background>
<p>Imagick is a PHP extension to create and modify images using the
ImageMagick library.
</p>
</background>
<description>
<p>An out-of-bounds write vulnerability was discovered in the Imagick PHP
extension.
</p>
</description>
<impact type="high">
<p>A remote attacker, able to upload specially crafted images which will
get processed by Imagick, could possibly execute arbitrary code with the
privileges of the process or cause a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Imagick PHP extension users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-php/pecl-imagick-3.4.4"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11037">CVE-2019-11037</uri>
</references>
<metadata tag="requester" timestamp="2020-03-17T14:27:07Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-03-19T15:54:46Z">whissi</metadata>
</glsa>


@ -0,0 +1,50 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-39">
<title>phpMyAdmin: SQL injection</title>
<synopsis>An SQL injection vulnerability in phpMyAdmin may allow attackers to
execute arbitrary SQL statements.
</synopsis>
<product type="ebuild">phpmyadmin</product>
<announced>2020-03-19</announced>
<revised count="1">2020-03-19</revised>
<bug>701830</bug>
<access>remote</access>
<affected>
<package name="dev-db/phpmyadmin" auto="yes" arch="*">
<unaffected range="ge">4.9.2</unaffected>
<vulnerable range="lt">4.9.2</vulnerable>
</package>
</affected>
<background>
<p>phpMyAdmin is a web-based management tool for MySQL databases.</p>
</background>
<description>
<p>PhpMyAdmin was vulnerable to an SQL injection attack through the
designer feature.
</p>
</description>
<impact type="normal">
<p>An authenticated remote attacker, by specifying a specially crafted
database/table name, could trigger an SQL injection attack.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All phpMyAdmin users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-db/phpmyadmin-4.9.2"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-18622">CVE-2019-18622</uri>
<uri link="https://www.phpmyadmin.net/security/PMASA-2019-5/">PMASA-2019-5</uri>
</references>
<metadata tag="requester" timestamp="2020-03-19T16:07:14Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-03-19T16:19:16Z">whissi</metadata>
</glsa>


@ -0,0 +1,54 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-40">
<title>Cacti: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Cacti, the worst of
which could lead to the remote execution of arbitrary code.
</synopsis>
<product type="ebuild">cacti</product>
<announced>2020-03-19</announced>
<revised count="1">2020-03-19</revised>
<bug>702312</bug>
<bug>708938</bug>
<access>remote</access>
<affected>
<package name="net-analyzer/cacti" auto="yes" arch="*">
<unaffected range="ge">1.2.9</unaffected>
<vulnerable range="lt">1.2.9</vulnerable>
</package>
</affected>
<background>
<p>Cacti is a complete frontend to rrdtool.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Cacti. Please review
the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>Remote attackers could execute arbitrary code or bypass intended access
restrictions.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Cacti users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-analyzer/cacti-1.2.9"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-16723">CVE-2019-16723</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-17357">CVE-2019-17357</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-17358">CVE-2019-17358</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-7106">CVE-2020-7106</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-7237">CVE-2020-7237</uri>
</references>
<metadata tag="requester" timestamp="2020-03-19T16:27:20Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-03-19T16:29:17Z">whissi</metadata>
</glsa>


@ -0,0 +1,48 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-41">
<title>GNU FriBidi: Heap-based buffer overflow</title>
<synopsis>A heap-based buffer overflow in GNU FriBidi might allow remote
attackers to execute arbitrary code.
</synopsis>
<product type="ebuild">fribidi</product>
<announced>2020-03-19</announced>
<revised count="1">2020-03-19</revised>
<bug>699338</bug>
<access>local, remote</access>
<affected>
<package name="dev-libs/fribidi" auto="yes" arch="*">
<unaffected range="ge">1.0.8</unaffected>
<vulnerable range="lt">1.0.8</vulnerable>
</package>
</affected>
<background>
<p>The Free Implementation of the Unicode Bidirectional Algorithm.</p>
</background>
<description>
<p>A heap-based buffer overflow vulnerability was found in GNU FriBidi.</p>
</description>
<impact type="normal">
<p>A remote attacker could possibly cause a memory corruption, execute
arbitrary code with the privileges of the process or cause a Denial of
Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All FriBidi users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-libs/fribidi-1.0.8"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-18397">CVE-2019-18397</uri>
</references>
<metadata tag="requester" timestamp="2020-03-19T16:36:42Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-03-19T16:41:09Z">whissi</metadata>
</glsa>


@ -0,0 +1,53 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-42">
<title>libgit2: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in libgit2, the worst of
which could result in the arbitrary execution of code.
</synopsis>
<product type="ebuild">libgit2</product>
<announced>2020-03-19</announced>
<revised count="1">2020-03-19</revised>
<bug>702522</bug>
<access>local, remote</access>
<affected>
<package name="dev-libs/libgit2" auto="yes" arch="*">
<unaffected range="ge">0.28.4</unaffected>
<vulnerable range="lt">0.28.4</vulnerable>
</package>
</affected>
<background>
<p>libgit2 is a portable, pure C implementation of the Git core methods
provided as a re-entrant linkable library with a solid API.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in libgit2. Please review
the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>An attacker could possibly overwrite arbitrary paths, execute arbitrary
code, and overwrite files in the .git directory.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All libgit2 users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-libs/libgit2-0.28.4"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-1348">CVE-2019-1348</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-1350">CVE-2019-1350</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-1387">CVE-2019-1387</uri>
</references>
<metadata tag="requester" timestamp="2020-03-19T16:48:12Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-03-19T16:50:07Z">whissi</metadata>
</glsa>


@ -0,0 +1,62 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-43">
<title>Apache Tomcat: Multiple vulnerabilities</title>
<synopsis> Multiple vulnerabilities have been found in Apache Tomcat, the
worst of which could lead to arbitrary code execution.
</synopsis>
<product type="ebuild">tomcat</product>
<announced>2020-03-19</announced>
<revised count="2">2020-03-20</revised>
<bug>692402</bug>
<bug>706208</bug>
<bug>710656</bug>
<access>remote</access>
<affected>
<package name="www-servers/tomcat" auto="yes" arch="*">
<unaffected range="rge">8.5.51</unaffected>
<unaffected range="rge">7.0.100</unaffected>
<vulnerable range="lt">8.5.51</vulnerable>
</package>
</affected>
<background>
<p>Apache Tomcat is a Servlet-3.0/JSP-2.2 Container.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Apache Tomcat. Please
review the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>An attacker could possibly smuggle HTTP requests or execute arbitrary
code.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Apache Tomcat 7.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=www-servers/tomcat-7.0.100:7"
</code>
<p>All Apache Tomcat 8.5.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=www-servers/tomcat-8.5.51:8.5"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-0221">CVE-2019-0221</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-12418">CVE-2019-12418</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-17563">CVE-2019-17563</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-1938">CVE-2020-1938</uri>
</references>
<metadata tag="requester" timestamp="2020-03-19T17:09:01Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-03-20T21:02:49Z">whissi</metadata>
</glsa>


@ -0,0 +1,52 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-44">
<title>Binary diff: Heap-based buffer overflow</title>
<synopsis>A heap-based buffer overflow in Binary diff might allow remote
attackers to execute arbitrary code.
</synopsis>
<product type="ebuild">bsdiff</product>
<announced>2020-03-19</announced>
<revised count="1">2020-03-19</revised>
<bug>701848</bug>
<access>local, remote</access>
<affected>
<package name="dev-util/bsdiff" auto="yes" arch="*">
<unaffected range="ge">4.3-r4</unaffected>
<vulnerable range="lt">4.3-r4</vulnerable>
</package>
</affected>
<background>
<p>bsdiff and bspatch are tools for building and applying patches to binary
files.
</p>
</background>
<description>
<p>It was discovered that the implementation of bspatch did not check for a
negative value on numbers of bytes read from the diff and extra streams.
</p>
</description>
<impact type="high">
<p>A remote attacker could entice a user to apply a specially crafted patch
using bspatch, possibly resulting in execution of arbitrary code with the
privileges of the process or a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Binary diff users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-util/bsdiff-4.3-r4"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2014-9862">CVE-2014-9862</uri>
</references>
<metadata tag="requester" timestamp="2020-03-19T18:34:43Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-03-19T18:40:24Z">whissi</metadata>
</glsa>


@ -0,0 +1,49 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-45">
<title>PyYAML: Arbitrary code execution</title>
<synopsis>A flaw in PyYAML might allow attackers to execute arbitrary code.</synopsis>
<product type="ebuild">pyyaml</product>
<announced>2020-03-19</announced>
<revised count="1">2020-03-19</revised>
<bug>659348</bug>
<access>local, remote</access>
<affected>
<package name="dev-python/pyyaml" auto="yes" arch="*">
<unaffected range="ge">5.1</unaffected>
<vulnerable range="lt">5.1</vulnerable>
</package>
</affected>
<background>
<p>PyYAML is a YAML parser and emitter for Python.</p>
</background>
<description>
<p>It was found that using yaml.load() API on untrusted input could lead to
arbitrary code execution.
</p>
</description>
<impact type="high">
<p>A remote attacker could entice a user to process specially crafted input
in an application using yaml.load() from PyYAML, possibly resulting in
execution of arbitrary code with the privileges of the process or a
Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All PyYAML users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-python/pyyaml-5.1"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-18342">CVE-2017-18342</uri>
</references>
<metadata tag="requester" timestamp="2020-03-19T18:50:48Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-03-19T18:55:38Z">whissi</metadata>
</glsa>


@ -0,0 +1,51 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-46">
<title>ClamAV: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in ClamAV, the worst of
which could result in a Denial of Service condition.
</synopsis>
<product type="ebuild">clamav</product>
<announced>2020-03-19</announced>
<revised count="1">2020-03-19</revised>
<bug>702010</bug>
<bug>708424</bug>
<access>local, remote</access>
<affected>
<package name="app-antivirus/clamav" auto="yes" arch="*">
<unaffected range="ge">0.102.2</unaffected>
<vulnerable range="lt">0.102.2</vulnerable>
</package>
</affected>
<background>
<p>ClamAV is a GPL virus scanner.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in ClamAV. Please review
the CVE identifiers referenced below for details.
</p>
</description>
<impact type="low">
<p>A remote attacker could cause ClamAV to scan a specially crafted file,
possibly resulting in a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All ClamAV users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-antivirus/clamav-0.102.2"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-15961">CVE-2019-15961</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-3123">CVE-2020-3123</uri>
</references>
<metadata tag="requester" timestamp="2020-03-19T20:43:36Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-03-19T20:46:54Z">whissi</metadata>
</glsa>


@ -0,0 +1,52 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-47">
<title>Exim: Heap-based buffer overflow</title>
<synopsis>A vulnerability in Exim could allow a remote attacker to execute
arbitrary code.
</synopsis>
<product type="ebuild"></product>
<announced>2020-03-20</announced>
<revised count="1">2020-03-20</revised>
<bug>701282</bug>
<access>remote</access>
<affected>
<package name="mail-mta/exim" auto="yes" arch="*">
<unaffected range="ge">4.92.3</unaffected>
<vulnerable range="lt">4.92.3</vulnerable>
</package>
</affected>
<background>
<p>Exim is a message transfer agent (MTA) designed to be a a highly
configurable, drop-in replacement for sendmail.
</p>
</background>
<description>
<p>It was discovered that Exim incorrectly handled certain string
operations.
</p>
</description>
<impact type="high">
<p>A remote attacker, able to connect to a vulnerable Exim instance, could
possibly execute arbitrary code with the privileges of the process or
cause a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Exim users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=mail-mta/exim-4.92.3"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-16928">CVE-2019-16928</uri>
</references>
<metadata tag="requester" timestamp="2020-03-20T18:44:44Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-03-20T18:48:39Z">whissi</metadata>
</glsa>
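Review bot: The product line of this advisory, `<product type="ebuild"></product>`, is empty, whereas every other advisory in the sync carries the package's short name (for example `cacti` for `net-analyzer/cacti`); the package element below identifies `mail-mta/exim`, so the line should read `<product type="ebuild">exim</product>`. The file is synced from upstream, so the correction belongs there, but a consumer that keys advisories by product will otherwise index this one under an empty string. The background paragraph also reads `a a highly configurable`, a doubled article.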


@ -0,0 +1,78 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-48">
<title>Node.js: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Node.js, worst of which
could allow remote attackers to write arbitrary files.
</synopsis>
<product type="ebuild">nodejs</product>
<announced>2020-03-20</announced>
<revised count="2">2020-03-20</revised>
<bug>658074</bug>
<bug>665656</bug>
<bug>672136</bug>
<bug>679132</bug>
<bug>702988</bug>
<bug>708458</bug>
<access>local, remote</access>
<affected>
<package name="net-libs/nodejs" auto="yes" arch="*">
<unaffected range="rge">10.19.0</unaffected>
<unaffected range="rge">12.15.0</unaffected>
<vulnerable range="lt">12.15.0</vulnerable>
</package>
</affected>
<background>
<p>Node.js is a JavaScript runtime built on Chromes V8 JavaScript
engine.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Node.js. Please review
the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could possibly write arbitrary files, cause a Denial
of Service condition or can conduct HTTP request splitting attacks.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Node.js &lt;12.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-libs/nodejs-10.19.0"
</code>
<p>All Node.js 12.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-libs/nodejs-12.15.0"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12115">CVE-2018-12115</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12116">CVE-2018-12116</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12121">CVE-2018-12121</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12122">CVE-2018-12122</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12123">CVE-2018-12123</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-7161">CVE-2018-7161</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-7162">CVE-2018-7162</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-7164">CVE-2018-7164</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-7167">CVE-2018-7167</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-15604">CVE-2019-15604</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-15605">CVE-2019-15605</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-15606">CVE-2019-15606</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-16777">CVE-2019-16777</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5737">CVE-2019-5737</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-5739">CVE-2019-5739</uri>
</references>
<metadata tag="requester" timestamp="2020-03-20T04:40:01Z">BlueKnight</metadata>
<metadata tag="submitter" timestamp="2020-03-20T20:50:31Z">whissi</metadata>
</glsa>


@ -0,0 +1,50 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-49">
<title>BlueZ: Security bypass</title>
<synopsis>A vulnerability in BlueZ might allow remote attackers to bypass
security restrictions.
</synopsis>
<product type="ebuild">bluez</product>
<announced>2020-03-25</announced>
<revised count="1">2020-03-25</revised>
<bug>712292</bug>
<access>remote</access>
<affected>
<package name="net-wireless/bluez" auto="yes" arch="*">
<unaffected range="ge">5.54</unaffected>
<vulnerable range="lt">5.54</vulnerable>
</package>
</affected>
<background>
<p>Set of tools to manage Bluetooth devices for Linux.</p>
</background>
<description>
<p>It was discovered that the HID and HOGP profiles implementations in
BlueZ did not specifically require bonding between the device and the
host.
</p>
</description>
<impact type="high">
<p>A remote attacker with adjacent access could impersonate an existing HID
device, cause a Denial of Service condition or escalate privileges.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All BlueZ users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-wireless/bluez-5.54"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-0556">CVE-2020-0556</uri>
</references>
<metadata tag="requester" timestamp="2020-03-25T15:19:08Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-03-25T15:33:12Z">whissi</metadata>
</glsa>


@ -0,0 +1,58 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-50">
<title>Tor: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities were found in Tor, the worst of which
could allow remote attackers to cause a Denial of Service condition.
</synopsis>
<product type="ebuild">tor</product>
<announced>2020-03-25</announced>
<revised count="1">2020-03-25</revised>
<bug>713238</bug>
<access>remote</access>
<affected>
<package name="net-vpn/tor" auto="yes" arch="*">
<unaffected range="rge">0.4.1.9</unaffected>
<unaffected range="rge">0.4.2.7</unaffected>
<vulnerable range="lt">0.4.2.7</vulnerable>
</package>
</affected>
<background>
<p>Tor is an implementation of second generation Onion Routing, a
connection-oriented anonymizing communication service.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Tor, and tor. Please
review the CVE identifiers referenced below for details.
</p>
</description>
<impact type="low">
<p>A remote attacker could possibly cause a Denial of Service condition.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Tor 0.4.1.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-vpn/tor-0.4.1.9"
</code>
<p>All Tor 0.4.2.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-vpn/tor-0.4.2.7"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-10592">CVE-2020-10592</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-10593">CVE-2020-10593</uri>
</references>
<metadata tag="requester" timestamp="2020-03-25T15:44:11Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-03-25T15:54:00Z">whissi</metadata>
</glsa>
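Review bot: The description paragraph reads `Multiple vulnerabilities have been discovered in Tor, and tor.`, repeating the product name in lower case where the other advisories in this sync simply say `Multiple vulnerabilities have been discovered in Tor.`. This is a wording slip in the upstream text rather than something the commit introduced, so it should be reported there.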


@ -0,0 +1,54 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-51">
<title>WeeChat: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in WeeChat, the worst of
which could allow remote attackers to cause a Denial of Service condition.
</synopsis>
<product type="ebuild">weechat</product>
<announced>2020-03-25</announced>
<revised count="1">2020-03-25</revised>
<bug>709452</bug>
<bug>714086</bug>
<access>remote</access>
<affected>
<package name="net-irc/weechat" auto="yes" arch="*">
<unaffected range="ge">2.7.1</unaffected>
<vulnerable range="lt">2.7.1</vulnerable>
</package>
</affected>
<background>
<p>Wee Enhanced Environment for Chat (WeeChat) is a light and extensible
console IRC client.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in WeeChat. Please review
the CVE identifiers referenced below for details.
</p>
</description>
<impact type="low">
<p>A remote attacker, by sending a specially crafted IRC message, could
possibly cause a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All WeeChat users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-irc/weechat-2.7.1"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-8955">CVE-2020-8955</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-9759">CVE-2020-9759</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-9760">CVE-2020-9760</uri>
</references>
<metadata tag="requester" timestamp="2020-03-25T16:00:28Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-03-25T16:04:22Z">whissi</metadata>
</glsa>


@ -0,0 +1,88 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-52">
<title>Samba: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Samba, the worst of
which could lead to remote code execution.
</synopsis>
<product type="ebuild">samba</product>
<announced>2020-03-25</announced>
<revised count="1">2020-03-25</revised>
<bug>664316</bug>
<bug>672140</bug>
<bug>686036</bug>
<bug>693558</bug>
<bug>702928</bug>
<bug>706144</bug>
<access>remote</access>
<affected>
<package name="net-fs/samba" auto="yes" arch="*">
<unaffected range="rge">4.9.18</unaffected>
<unaffected range="rge">4.10.13</unaffected>
<unaffected range="rge">4.11.6</unaffected>
<vulnerable range="lt">4.11.6</vulnerable>
</package>
</affected>
<background>
<p>Samba is a suite of SMB and CIFS client/server programs.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Samba. Please review
the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could possibly execute arbitrary code, cause a Denial
of Service condition, conduct a man-in-the-middle attack, or obtain
sensitive information.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Samba 4.9.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-fs/samba-4.9.18"
</code>
<p>All Samba 4.10.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-fs/samba-4.10.13"
</code>
<p>All Samba 4.11.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-fs/samba-4.11.6"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-10858">CVE-2018-10858</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-10918">CVE-2018-10918</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-10919">CVE-2018-10919</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-1139">CVE-2018-1139</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-1140">CVE-2018-1140</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-14629">CVE-2018-14629</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16841">CVE-2018-16841</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16851">CVE-2018-16851</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16852">CVE-2018-16852</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16853">CVE-2018-16853</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16857">CVE-2018-16857</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16860">CVE-2018-16860</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-10197">CVE-2019-10197</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-14861">CVE-2019-14861</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-14870">CVE-2019-14870</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-14902">CVE-2019-14902</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-14907">CVE-2019-14907</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-19344">CVE-2019-19344</uri>
</references>
<metadata tag="requester" timestamp="2020-03-25T16:20:13Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-03-25T16:34:04Z">whissi</metadata>
</glsa>


@ -0,0 +1,78 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-53">
<title>Chromium, Google Chrome: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Chromium and Google
Chrome, the worst of which could allow remote attackers to execute
arbitrary code.
</synopsis>
<product type="ebuild">chromium,google-chrome</product>
<announced>2020-03-25</announced>
<revised count="1">2020-03-25</revised>
<bug>713282</bug>
<access>remote</access>
<affected>
<package name="www-client/chromium" auto="yes" arch="*">
<unaffected range="ge">80.0.3987.149</unaffected>
<vulnerable range="lt">80.0.3987.149</vulnerable>
</package>
<package name="www-client/google-chrome" auto="yes" arch="*">
<unaffected range="ge">80.0.3987.149</unaffected>
<vulnerable range="lt">80.0.3987.149</vulnerable>
</package>
</affected>
<background>
<p>Chromium is an open-source browser project that aims to build a safer,
faster, and more stable way for all users to experience the web.
</p>
<p>Google Chrome is one fast, simple, and secure browser for all your
devices.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Chromium and Google
Chrome. Please review the referenced CVE identifiers for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could entice a user to open a specially crafted HTML
or multimedia file using Chromium or Google Chrome, possibly resulting in
execution of arbitrary code with the privileges of the process or a
Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Chromium users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose
"&gt;=www-client/chromium-80.0.3987.149"
</code>
<p>All Google Chrome users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose
"&gt;=www-client/google-chrome-80.0.3987.149"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6422">CVE-2020-6422</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6424">CVE-2020-6424</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6425">CVE-2020-6425</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6426">CVE-2020-6426</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6427">CVE-2020-6427</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6428">CVE-2020-6428</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6429">CVE-2020-6429</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6449">CVE-2020-6449</uri>
</references>
<metadata tag="requester" timestamp="2020-03-25T18:24:50Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-03-25T18:31:07Z">whissi</metadata>
</glsa>


@ -0,0 +1,52 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-54">
<title>Pure-FTPd: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Pure-FTPd, the worst of
which could allow remote attackers to cause a Denial of Service condition.
</synopsis>
<product type="ebuild">pure-ftpd</product>
<announced>2020-03-25</announced>
<revised count="1">2020-03-25</revised>
<bug>711124</bug>
<access>remote</access>
<affected>
<package name="net-ftp/pure-ftpd" auto="yes" arch="*">
<unaffected range="ge">1.0.49-r2</unaffected>
<vulnerable range="lt">1.0.49-r2</vulnerable>
</package>
</affected>
<background>
<p>Pure-FTPd is a fast, production-quality and standards-compliant FTP
server.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Pure-FTPd. Please
review the CVE identifiers referenced below for details.
</p>
</description>
<impact type="low">
<p>A remote attacker could possibly cause a Denial of Service condition or
cause an information disclosure.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Pure-FTPd users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-ftp/pure-ftpd-1.0.49-r2"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-9274">CVE-2020-9274</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-9365">CVE-2020-9365</uri>
</references>
<metadata tag="requester" timestamp="2020-03-25T18:52:14Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-03-25T18:58:54Z">whissi</metadata>
</glsa>


@ -0,0 +1,49 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-55">
<title>Zsh: Privilege escalation</title>
<synopsis>A vulnerability in Zsh might allow an attacker to escalate
privileges.
</synopsis>
<product type="ebuild">zsh</product>
<announced>2020-03-25</announced>
<revised count="1">2020-03-25</revised>
<bug>711136</bug>
<access>local, remote</access>
<affected>
<package name="app-shells/zsh" auto="yes" arch="*">
<unaffected range="ge">5.8</unaffected>
<vulnerable range="lt">5.8</vulnerable>
</package>
</affected>
<background>
<p>A shell designed for interactive use, although it is also a powerful
scripting language.
</p>
</background>
<description>
<p>It was discovered that Zsh was insecure dropping privileges when
unsetting PRIVILEGED option.
</p>
</description>
<impact type="normal">
<p>An attacker could escalate privileges.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Zsh users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-shells/zsh-5.8"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-20044">CVE-2019-20044</uri>
</references>
<metadata tag="requester" timestamp="2020-03-25T20:14:34Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-03-25T20:22:40Z">whissi</metadata>
</glsa>


@ -0,0 +1,73 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-56">
<title>Xen: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Xen, the worst of which
could allow for privilege escalation.
</synopsis>
<product type="ebuild">xen</product>
<announced>2020-03-25</announced>
<revised count="1">2020-03-25</revised>
<bug>686024</bug>
<bug>699048</bug>
<bug>699996</bug>
<bug>702644</bug>
<access>local</access>
<affected>
<package name="app-emulation/xen" auto="yes" arch="*">
<unaffected range="ge">4.12.0-r1</unaffected>
<vulnerable range="lt">4.12.0-r1</vulnerable>
</package>
<package name="app-emulation/xen-tools" auto="yes" arch="*">
<unaffected range="ge">4.12.0-r1</unaffected>
<vulnerable range="lt">4.12.0-r1</vulnerable>
</package>
</affected>
<background>
<p>Xen is a bare-metal hypervisor.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Xen. Please review the
referenced CVE identifiers for details.
</p>
</description>
<impact type="high">
<p>A local attacker could potentially gain privileges on the host system or
cause a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Xen users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-emulation/xen-4.12.0-r1"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12126">CVE-2018-12126</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12127">CVE-2018-12127</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12130">CVE-2018-12130</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12207">CVE-2018-12207</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12207">CVE-2018-12207</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11091">CVE-2019-11091</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11135">CVE-2019-11135</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-18420">CVE-2019-18420</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-18421">CVE-2019-18421</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-18423">CVE-2019-18423</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-18424">CVE-2019-18424</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-18425">CVE-2019-18425</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-19577">CVE-2019-19577</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-19578">CVE-2019-19578</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-19580">CVE-2019-19580</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-19581">CVE-2019-19581</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-19582">CVE-2019-19582</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-19583">CVE-2019-19583</uri>
</references>
<metadata tag="requester" timestamp="2020-03-25T20:41:14Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-03-25T20:45:30Z">whissi</metadata>
</glsa>
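Review bot: The references list carries `<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-12207">CVE-2018-12207</uri>` twice, on consecutive lines; one of the two should be dropped. A consumer that counts or lists CVE references per advisory will otherwise report an inflated figure for this GLSA. Since the file is synced from upstream, the deduplication belongs there.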


@ -0,0 +1,78 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-57">
<title>PHP: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in PHP, the worst of which
could result in the execution of arbitrary shell commands.
</synopsis>
<product type="ebuild">PHP</product>
<announced>2020-03-26</announced>
<revised count="1">2020-03-26</revised>
<bug>671872</bug>
<bug>706168</bug>
<bug>710304</bug>
<bug>713484</bug>
<access>local, remote</access>
<affected>
<package name="dev-lang/php" auto="yes" arch="*">
<unaffected range="rge">7.2.29</unaffected>
<unaffected range="rge">7.3.16</unaffected>
<unaffected range="rge">7.4.4</unaffected>
<vulnerable range="lt">7.4.4</vulnerable>
</package>
</affected>
<background>
<p>PHP is an open source general-purpose scripting language that is
especially suited for web development.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in PHP. Please review the
CVE identifiers referenced below for details.
</p>
</description>
<impact type="high">
<p>An attacker could possibly execute arbitrary shell commands, cause a
Denial of Service condition or obtain sensitive information.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All PHP 7.2.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-lang/php-7.2.29"
</code>
<p>All PHP 7.3.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-lang/php-7.3.16"
</code>
<p>All PHP 7.4.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-lang/php-7.4.4"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-19518">CVE-2018-19518</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-7059">CVE-2020-7059</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-7060">CVE-2020-7060</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-7061">CVE-2020-7061</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-7062">CVE-2020-7062</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-7063">CVE-2020-7063</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-7064">CVE-2020-7064</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-7065">CVE-2020-7065</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-7066">CVE-2020-7066</uri>
</references>
<metadata tag="requester" timestamp="2020-03-26T13:24:45Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-03-26T13:30:45Z">whissi</metadata>
</glsa>


@ -0,0 +1,56 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-58">
<title>UnZip: User-assisted execution of arbitrary code</title>
<synopsis>Multiple vulnerabilities have been found in UnZip, the worst of
which could result in the execution of arbitrary code.
</synopsis>
<product type="ebuild">unzip</product>
<announced>2020-03-26</announced>
<revised count="1">2020-03-26</revised>
<bug>647008</bug>
<bug>691566</bug>
<access>local, remote</access>
<affected>
<package name="app-arch/unzip" auto="yes" arch="*">
<unaffected range="ge">6.0_p25</unaffected>
<vulnerable range="lt">6.0_p25</vulnerable>
</package>
</affected>
<background>
<p>Info-ZIPs UnZip is a tool to list and extract files inside PKZIP
compressed files.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in UnZip. Please review
the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could entice a user to open a specially crafted ZIP
archive using UnZip, possibly resulting in execution of arbitrary code
with the privileges of the process or a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All UnZip users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-arch/unzip-6.0_p25"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-1000035">
CVE-2018-1000035
</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13232">CVE-2019-13232</uri>
</references>
<metadata tag="requester" timestamp="2020-03-26T18:14:24Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-03-26T18:18:52Z">whissi</metadata>
</glsa>


@ -0,0 +1,63 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-59">
<title>libvpx: User-assisted execution of arbitrary code</title>
<synopsis>Multiple vulnerabilities have been found in libvpx, the worst of
which could result in the execution of arbitrary code.
</synopsis>
<product type="ebuild">libvpx</product>
<announced>2020-03-26</announced>
<revised count="1">2020-03-26</revised>
<bug>701834</bug>
<access>local, remote</access>
<affected>
<package name="media-libs/libvpx" auto="yes" arch="*">
<unaffected range="rge">1.7.0-r1</unaffected>
<unaffected range="rge">1.8.1</unaffected>
<vulnerable range="lt">1.8.1</vulnerable>
</package>
</affected>
<background>
<p>libvpx is the VP8 codec SDK used to encode and decode video streams,
typically within a WebM format media file.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in libvpx. Please review
the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could entice a user to open a specially crafted media
file, possibly resulting in the execution of arbitrary code with the
privileges of the user running the application, or a Denial of Service.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All libvpx 1.7.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=media-libs/libvpx-1.7.0-r1"
</code>
<p>All libvpx 1.8.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=media-libs/libvpx-1.8.1"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-9232">CVE-2019-9232</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-9325">CVE-2019-9325</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-9371">CVE-2019-9371</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-9433">CVE-2019-9433</uri>
</references>
<metadata tag="requester" timestamp="2020-03-26T18:33:42Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-03-26T18:39:39Z">whissi</metadata>
</glsa>


@ -0,0 +1,60 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-60">
<title>QtCore: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in QtCore, the worst of
which could result in the execution of arbitrary code.
</synopsis>
<product type="ebuild">qtcore</product>
<announced>2020-03-26</announced>
<revised count="1">2020-03-26</revised>
<bug>699226</bug>
<bug>707354</bug>
<access>local, remote</access>
<affected>
<package name="dev-qt/qtcore" auto="yes" arch="*">
<unaffected range="rge">5.12.3-r2</unaffected>
<unaffected range="rge">5.13.2-r2</unaffected>
<vulnerable range="lt">5.13.2-r2</vulnerable>
</package>
</affected>
<background>
<p>The Qt toolkit is a comprehensive C++ application development framework.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in QtCore. Please review
the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>An attacker could possibly execute arbitrary code with the privileges of
the process or cause a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All QtCore 5.12.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-qt/qtcore-5.12.3-r2"
</code>
<p>All QtCore 5.13.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-qt/qtcore-5.13.2-r2"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-18281">CVE-2019-18281</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-0569">CVE-2020-0569</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-0570">CVE-2020-0570</uri>
</references>
<metadata tag="requester" timestamp="2020-03-26T18:45:51Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-03-26T18:51:32Z">whissi</metadata>
</glsa>


@ -0,0 +1,52 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-61">
<title>Adobe Flash Player: Remote execution of arbitrary code</title>
<synopsis>A vulnerability in Adobe Flash Player might allow remote attackers
to execute arbitrary code.
</synopsis>
<product type="ebuild">adobe-flash</product>
<announced>2020-03-26</announced>
<revised count="1">2020-03-26</revised>
<bug>709728</bug>
<access>remote</access>
<affected>
<package name="www-plugins/adobe-flash" auto="yes" arch="*">
<unaffected range="ge">32.0.0.330</unaffected>
<vulnerable range="lt">32.0.0.330</vulnerable>
</package>
</affected>
<background>
<p>The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
</p>
</background>
<description>
<p>A critical type confusion vulnerability was discovered in Adobe Flash
Player.
</p>
</description>
<impact type="normal">
<p>A remote attacker could possibly execute arbitrary code with the
privileges of the process or cause a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Adobe Flash users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose
"&gt;=www-plugins/adobe-flash-32.0.0.330"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-3757">CVE-2020-3757</uri>
</references>
<metadata tag="requester" timestamp="2020-03-26T18:59:40Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-03-26T19:02:22Z">whissi</metadata>
</glsa>


@ -0,0 +1,52 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-62">
<title>GNU Screen: Buffer overflow</title>
<synopsis>A buffer overflow in GNU Screen might allow remote attackers to
corrupt memory.
</synopsis>
<product type="ebuild">screen</product>
<announced>2020-03-30</announced>
<revised count="1">2020-03-30</revised>
<bug>708460</bug>
<access>remote</access>
<affected>
<package name="app-misc/screen" auto="yes" arch="*">
<unaffected range="ge">4.8.0</unaffected>
<vulnerable range="lt">4.8.0</vulnerable>
</package>
</affected>
<background>
<p>GNU Screen is a full-screen window manager that multiplexes a physical
terminal between several processes, typically interactive shells.
</p>
</background>
<description>
<p>A buffer overflow was found in the way GNU Screen treated the special
escape OSC 49.
</p>
</description>
<impact type="normal">
<p>A remote attacker, by writing a specially crafted string of characters
to a GNU Screen window, could possibly corrupt memory or have other
unspecified impact.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All GNU Screen users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-misc/screen-4.8.0"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-9366">CVE-2020-9366</uri>
</references>
<metadata tag="requester" timestamp="2020-03-30T05:50:23Z">BlueKnight</metadata>
<metadata tag="submitter" timestamp="2020-03-30T14:41:12Z">whissi</metadata>
</glsa>


@ -0,0 +1,53 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-63">
<title>GNU IDN Library 2: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in GNU IDN Library 2, the
worst of which could result in the remote execution of arbitrary code.
</synopsis>
<product type="ebuild">libidn2</product>
<announced>2020-03-30</announced>
<revised count="1">2020-03-30</revised>
<bug>697752</bug>
<access>local, remote</access>
<affected>
<package name="net-dns/libidn2" auto="yes" arch="*">
<unaffected range="ge">2.2.0</unaffected>
<vulnerable range="lt">2.2.0</vulnerable>
</package>
</affected>
<background>
<p>GNU IDN Library 2 is an implementation of the IDNA2008 + TR46
specifications (RFC 5890, RFC 5891, RFC 5892, RFC 5893, TR 46).
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in GNU IDN Library 2.
Please review the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could send specially crafted input, possibly resulting
in execution of arbitrary code with the privileges of the process,
impersonation of domains or a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All GNU IDN Library 2 users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-dns/libidn2-2.2.0"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-12290">CVE-2019-12290</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-18224">CVE-2019-18224</uri>
</references>
<metadata tag="requester" timestamp="2020-03-30T14:23:33Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-03-30T14:45:26Z">whissi</metadata>
</glsa>


@ -0,0 +1,59 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-64">
<title>libxls: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in libxls, the worst of
which could result in the arbitrary execution of code.
</synopsis>
<product type="ebuild">libxls</product>
<announced>2020-03-30</announced>
<revised count="1">2020-03-30</revised>
<bug>638336</bug>
<bug>674006</bug>
<access>local, remote</access>
<affected>
<package name="dev-libs/libxls" auto="yes" arch="*">
<unaffected range="ge">1.5.2</unaffected>
<vulnerable range="lt">1.5.2</vulnerable>
</package>
</affected>
<background>
<p>libxls is a C library for reading Excel files in the nasty old binary
OLE format, plus a command-line tool for converting XLS to CSV.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in libxls. Please review
the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could entice a user to process a specially crafted
Excel file using libxls, possibly resulting in execution of arbitrary
code with the privileges of the process or a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All libxls users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-libs/libxls-1.5.2"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-12110">CVE-2017-12110</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-12111">CVE-2017-12111</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-2896">CVE-2017-2896</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-2897">CVE-2017-2897</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-2919">CVE-2017-2919</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-20450">CVE-2018-20450</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-20452">CVE-2018-20452</uri>
</references>
<metadata tag="requester" timestamp="2020-03-28T22:19:47Z">BlueKnight</metadata>
<metadata tag="submitter" timestamp="2020-03-30T14:52:32Z">whissi</metadata>
</glsa>


@ -0,0 +1,63 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-65">
<title>FFmpeg: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in FFmpeg, the worst of
which allows remote attackers to execute arbitrary code.
</synopsis>
<product type="ebuild">ffmpeg</product>
<announced>2020-03-30</announced>
<revised count="1">2020-03-30</revised>
<bug>660924</bug>
<bug>692418</bug>
<bug>711144</bug>
<access>local, remote</access>
<affected>
<package name="media-video/ffmpeg" auto="yes" arch="*">
<unaffected range="ge">4.2.0</unaffected>
<vulnerable range="ge">4</vulnerable>
</package>
</affected>
<background>
<p>FFmpeg is a complete, cross-platform solution to record, convert and
stream audio and video.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in FFmpeg. Please review
the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could entice a user or automated system using FFmpeg
to process a specially crafted file, resulting in the execution of
arbitrary code or a Denial of Service.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All FFmpeg 4.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=media-video/ffmpeg-4.2.0"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-10001">CVE-2018-10001</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6912">CVE-2018-6912</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-7557">CVE-2018-7557</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-7751">CVE-2018-7751</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-9841">CVE-2018-9841</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-12730">CVE-2019-12730</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13312">CVE-2019-13312</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13390">CVE-2019-13390</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-17539">CVE-2019-17539</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-17542">CVE-2019-17542</uri>
</references>
<metadata tag="requester" timestamp="2020-03-20T05:25:46Z">BlueKnight</metadata>
<metadata tag="submitter" timestamp="2020-03-30T15:05:02Z">whissi</metadata>
</glsa>


@ -0,0 +1,51 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202003-66">
<title>QEMU: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in QEMU, the worst of
which could result in the arbitrary execution of code.
</synopsis>
<product type="ebuild">qemu</product>
<announced>2020-03-30</announced>
<revised count="1">2020-03-30</revised>
<bug>709490</bug>
<bug>711334</bug>
<access>local</access>
<affected>
<package name="app-emulation/qemu" auto="yes" arch="*">
<unaffected range="ge">4.2.0-r2</unaffected>
<vulnerable range="lt">4.2.0-r2</vulnerable>
</package>
</affected>
<background>
<p>QEMU is a generic and open source machine emulator and virtualizer.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in QEMU. Please review the
CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>An attacker could possibly execute arbitrary code with the privileges of
the process or cause a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All QEMU users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-emulation/qemu-4.2.0-r2"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13164">CVE-2019-13164</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-8608">CVE-2020-8608</uri>
</references>
<metadata tag="requester" timestamp="2020-03-15T02:14:50Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-03-30T15:14:47Z">whissi</metadata>
</glsa>


@ -0,0 +1,66 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202004-01">
<title>HAProxy: Remote execution of arbitrary code</title>
<synopsis>A vulnerability in HAProxy might lead to remote execution of
arbitrary code.
</synopsis>
<product type="ebuild">haproxy</product>
<announced>2020-04-01</announced>
<revised count="1">2020-04-01</revised>
<bug>701842</bug>
<access>remote</access>
<affected>
<package name="net-proxy/haproxy" auto="yes" arch="*">
<unaffected range="rge">1.8.23</unaffected>
<unaffected range="rge">1.9.13</unaffected>
<unaffected range="rge">2.0.10</unaffected>
<vulnerable range="lt">2.0.10</vulnerable>
</package>
</affected>
<background>
<p>HAProxy is a TCP/HTTP reverse proxy for high availability environments.</p>
</background>
<description>
<p>It was discovered that HAProxy incorrectly handled certain HTTP/2
headers.
</p>
</description>
<impact type="high">
<p>A remote attacker could send a specially crafted HTTP/2 header, possibly
resulting in execution of arbitrary code with the privileges of the
process or a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All HAProxy 1.8.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-proxy/haproxy-1.8.23"
</code>
<p>All HAProxy 1.9.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-proxy/haproxy-1.9.13"
</code>
<p>All HAProxy 2.0.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-proxy/haproxy-2.0.10"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-19330">CVE-2019-19330</uri>
</references>
<metadata tag="requester" timestamp="2020-04-01T19:22:40Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-04-01T19:28:55Z">whissi</metadata>
</glsa>


@ -0,0 +1,122 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202004-02">
<title>VirtualBox: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in VirtualBox, the worst
of which could allow an attacker to take control of VirtualBox.
</synopsis>
<product type="ebuild">virtualbox</product>
<announced>2020-04-01</announced>
<revised count="1">2020-04-01</revised>
<bug>714064</bug>
<access>local, remote</access>
<affected>
<package name="app-emulation/virtualbox" auto="yes" arch="*">
<unaffected range="rge">5.2.36</unaffected>
<unaffected range="rge">6.0.16</unaffected>
<unaffected range="rge">6.1.2</unaffected>
<vulnerable range="lt">6.1.2</vulnerable>
</package>
<package name="app-emulation/virtualbox-bin" auto="yes" arch="*">
<unaffected range="rge">5.2.36</unaffected>
<unaffected range="rge">6.0.16</unaffected>
<unaffected range="rge">6.1.2</unaffected>
<vulnerable range="lt">6.1.2</vulnerable>
</package>
</affected>
<background>
<p>VirtualBox is a powerful virtualization product from Oracle.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in VirtualBox. Please
review the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>An attacker could take control of VirtualBox resulting in the execution
of arbitrary code with the privileges of the process, a Denial of Service
condition, or other unspecified impacts.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All VirtualBox 5.2.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-emulation/virtualbox-5.2.36"
</code>
<p>All VirtualBox 6.0.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-emulation/virtualbox-6.0.16"
</code>
<p>All VirtualBox 6.1.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-emulation/virtualbox-6.1.2"
</code>
<p>All VirtualBox binary 5.2.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose
"&gt;=app-emulation/virtualbox-bin-5.2.36"
</code>
<p>All VirtualBox binary 6.0.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose
"&gt;=app-emulation/virtualbox-bin-6.0.16"
</code>
<p>All VirtualBox binary 6.1.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose
"&gt;=app-emulation/virtualbox-bin-6.1.2"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-2926">CVE-2019-2926</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-2944">CVE-2019-2944</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-2984">CVE-2019-2984</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-3002">CVE-2019-3002</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-3005">CVE-2019-3005</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-3017">CVE-2019-3017</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-3021">CVE-2019-3021</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-3026">CVE-2019-3026</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-3028">CVE-2019-3028</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-3031">CVE-2019-3031</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2674">CVE-2020-2674</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2678">CVE-2020-2678</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2681">CVE-2020-2681</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2682">CVE-2020-2682</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2689">CVE-2020-2689</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2690">CVE-2020-2690</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2691">CVE-2020-2691</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2692">CVE-2020-2692</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2693">CVE-2020-2693</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2698">CVE-2020-2698</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2702">CVE-2020-2702</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2703">CVE-2020-2703</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2704">CVE-2020-2704</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2705">CVE-2020-2705</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2725">CVE-2020-2725</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2726">CVE-2020-2726</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-2727">CVE-2020-2727</uri>
</references>
<metadata tag="requester" timestamp="2020-04-01T19:35:27Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-04-01T19:41:08Z">whissi</metadata>
</glsa>


@ -0,0 +1,60 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202004-03">
<title>GPL Ghostscript: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in GPL Ghostscript, the
worst of which could result in the execution of arbitrary code.
</synopsis>
<product type="ebuild">ghostscript</product>
<announced>2020-04-01</announced>
<revised count="1">2020-04-01</revised>
<bug>676264</bug>
<bug>692106</bug>
<bug>693002</bug>
<access>local, remote</access>
<affected>
<package name="app-text/ghostscript-gpl" auto="yes" arch="*">
<unaffected range="ge">9.28_rc4</unaffected>
<vulnerable range="lt">9.28_rc4</vulnerable>
</package>
</affected>
<background>
<p>Ghostscript is an interpreter for the PostScript language and for PDF.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in GPL Ghostscript. Please
review the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could entice a user to process a specially crafted
file using GPL Ghostscript, possibly resulting in execution of arbitrary
code with the privileges of the process or a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All GPL Ghostscript users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose
"&gt;=app-text/ghostscript-gpl-9.28_rc4"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-10216">CVE-2019-10216</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-14811">CVE-2019-14811</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-14812">CVE-2019-14812</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-14813">CVE-2019-14813</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-14817">CVE-2019-14817</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-3835">CVE-2019-3835</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-3838">CVE-2019-3838</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-6116">CVE-2019-6116</uri>
</references>
<metadata tag="requester" timestamp="2020-04-01T19:47:46Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-04-01T19:50:31Z">whissi</metadata>
</glsa>


@ -0,0 +1,53 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202004-04">
<title>Qt WebEngine: Arbitrary code execution</title>
<synopsis>A heap use-after-free flaw in Qt WebEngine at worst might allow an
attacker to execute arbitrary code.
</synopsis>
<product type="ebuild">qtwebengine</product>
<announced>2020-04-01</announced>
<revised count="1">2020-04-01</revised>
<bug>699328</bug>
<access>local, remote</access>
<affected>
<package name="dev-qt/qtwebengine" auto="yes" arch="*">
<unaffected range="ge">5.14.1</unaffected>
<vulnerable range="lt">5.14.1</vulnerable>
</package>
</affected>
<background>
<p>Library for rendering dynamic web content in Qt5 C++ and QML
applications.
</p>
</background>
<description>
<p>A use-after-free vulnerability has been found in the audio component of
Qt WebEngine.
</p>
</description>
<impact type="normal">
<p>A remote attacker could entice a user to open a specially crafted media
file in an application linked against Qt WebEngine, possibly resulting in
execution of arbitrary code with the privileges of the process or a
Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Qt WebEngine users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-qt/qtwebengine-5.14.1"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13720">CVE-2019-13720</uri>
</references>
<metadata tag="requester" timestamp="2020-04-01T19:59:12Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-04-01T20:04:23Z">whissi</metadata>
</glsa>


@ -0,0 +1,55 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202004-05">
<title>ledger: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in ledger, the worst of
which could result in the arbitrary execution of code.
</synopsis>
<product type="ebuild">ledger</product>
<announced>2020-04-01</announced>
<revised count="1">2020-04-01</revised>
<bug>627060</bug>
<access>remote</access>
<affected>
<package name="app-office/ledger" auto="yes" arch="*">
<unaffected range="ge">3.1.2</unaffected>
<vulnerable range="lt">3.1.2</vulnerable>
</package>
</affected>
<background>
<p>Ledger is a powerful, double-entry accounting system that is accessed
from the UNIX command-line.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in ledger. Please review
the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could entice a user to process a specially crafted
file using ledger, possibly resulting in execution of arbitrary code with
the privileges of the process or a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All ledger users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-office/ledger-3.1.2"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-12481">CVE-2017-12481</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-12482">CVE-2017-12482</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-2807">CVE-2017-2807</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-2808">CVE-2017-2808</uri>
</references>
<metadata tag="requester" timestamp="2020-04-01T20:22:30Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-04-01T20:25:33Z">whissi</metadata>
</glsa>


@ -0,0 +1,49 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202004-06">
<title>GnuTLS: DTLS protocol regression</title>
<synopsis>A regression in GnuTLS breaks the security guarantees of the DTLS
protocol.
</synopsis>
<product type="ebuild">gnutls</product>
<announced>2020-04-02</announced>
<revised count="1">2020-04-02</revised>
<bug>715602</bug>
<access>local, remote</access>
<affected>
<package name="net-libs/gnutls" auto="yes" arch="*">
<unaffected range="ge">3.6.13</unaffected>
<vulnerable range="lt">3.6.13</vulnerable>
</package>
</affected>
<background>
<p>GnuTLS is an Open Source implementation of the TLS and SSL protocols.</p>
</background>
<description>
<p>It was discovered that DTLS client did not contribute any randomness to
the DTLS negotiation.
</p>
</description>
<impact type="normal">
<p>Please review the referenced advisory for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All GnuTLS users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-libs/gnutls-3.6.13"
</code>
</resolution>
<references>
<uri link="https://www.gnutls.org/security-new.html#GNUTLS-SA-2020-03-31">
GNUTLS-SA-2020-03-31
</uri>
</references>
<metadata tag="requester" timestamp="2020-04-02T22:03:22Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-04-02T23:01:11Z">whissi</metadata>
</glsa>


@ -0,0 +1,64 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202004-07">
<title>Mozilla Firefox: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Mozilla Firefox, the
worst of which could result in the arbitrary execution of code.
</synopsis>
<product type="ebuild">firefox</product>
<announced>2020-04-04</announced>
<revised count="1">2020-04-04</revised>
<bug>716098</bug>
<access>remote</access>
<affected>
<package name="www-client/firefox" auto="yes" arch="*">
<unaffected range="rge">68.6.1</unaffected>
<unaffected range="rge">74.0.1</unaffected>
<vulnerable range="lt">74.0.1</vulnerable>
</package>
</affected>
<background>
<p>Mozilla Firefox is a popular open-source web browser from the Mozilla
Project.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Mozilla Firefox. Please
review the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could entice a user to view a specially crafted web
page, possibly resulting in the execution of arbitrary code with the
privileges of the process or a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Mozilla Firefox ESR users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=www-client/firefox-68.6.1"
</code>
<p>All Mozilla Firefox users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=www-client/firefox-74.0.1"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6819">CVE-2020-6819</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6820">CVE-2020-6820</uri>
<uri link="https://www.mozilla.org/en-US/security/advisories/mfsa2020-11/">
MFSA-2020-11
</uri>
</references>
<metadata tag="requester" timestamp="2020-04-04T10:59:17Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-04-04T11:03:31Z">whissi</metadata>
</glsa>


@ -0,0 +1,53 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202004-08">
<title>libssh: Denial of Service</title>
<synopsis>A vulnerability in libssh could allow a remote attacker to cause a
Denial of Service condition.
</synopsis>
<product type="ebuild">libssh</product>
<announced>2020-04-10</announced>
<revised count="1">2020-04-10</revised>
<bug>716788</bug>
<access>remote</access>
<affected>
<package name="net-libs/libssh" auto="yes" arch="*">
<unaffected range="ge">0.9.4</unaffected>
<vulnerable range="lt">0.9.4</vulnerable>
</package>
</affected>
<background>
<p>libssh is a multiplatform C library implementing the SSHv2 protocol on
client and server side.
</p>
</background>
<description>
<p>It was discovered that libssh could crash when AES-CTR ciphers are used.</p>
</description>
<impact type="low">
<p>A remote attacker running a malicious client or server could possibly
crash the counterpart implemented with libssh and cause a Denial of
Service condition.
</p>
</impact>
<workaround>
<p>Disable AES-CTR ciphers. If you implement a server using libssh it is
recommended to use a prefork model so each session runs in an own
process.
</p>
</workaround>
<resolution>
<p>All libssh users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-libs/libssh-0.9.4"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-1730">CVE-2020-1730</uri>
</references>
<metadata tag="requester" timestamp="2020-04-10T21:38:04Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-04-10T21:45:49Z">whissi</metadata>
</glsa>


@ -0,0 +1,97 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202004-09">
<title>Chromium, Google Chrome: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Chromium and Google
Chrome, the worst of which could allow remote attackers to execute
arbitrary code.
</synopsis>
<product type="ebuild">chrome,chromium</product>
<announced>2020-04-10</announced>
<revised count="1">2020-04-10</revised>
<bug>715720</bug>
<bug>716612</bug>
<access>remote</access>
<affected>
<package name="www-client/chromium" auto="yes" arch="*">
<unaffected range="ge">81.0.4044.92</unaffected>
<vulnerable range="lt">81.0.4044.92</vulnerable>
</package>
<package name="www-client/google-chrome" auto="yes" arch="*">
<unaffected range="ge">81.0.4044.92</unaffected>
<vulnerable range="lt">81.0.4044.92</vulnerable>
</package>
</affected>
<background>
<p>Chromium is an open-source browser project that aims to build a safer,
faster, and more stable way for all users to experience the web.
</p>
<p>Google Chrome is one fast, simple, and secure browser for all your
devices.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Chromium and Google
Chrome. Please review the referenced CVE identifiers for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could entice a user to open a specially crafted HTML
or multimedia file using Chromium or Google Chrome, possibly resulting in
execution of arbitrary code with the privileges of the process or a
Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Chromium users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose
"&gt;=www-client/chromium-81.0.4044.92"
</code>
<p>All Google Chrome users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose
"&gt;=www-client/google-chrome-81.0.4044.92"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6423">CVE-2020-6423</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6430">CVE-2020-6430</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6431">CVE-2020-6431</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6432">CVE-2020-6432</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6433">CVE-2020-6433</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6434">CVE-2020-6434</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6435">CVE-2020-6435</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6436">CVE-2020-6436</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6437">CVE-2020-6437</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6438">CVE-2020-6438</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6439">CVE-2020-6439</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6440">CVE-2020-6440</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6441">CVE-2020-6441</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6442">CVE-2020-6442</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6443">CVE-2020-6443</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6444">CVE-2020-6444</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6445">CVE-2020-6445</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6446">CVE-2020-6446</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6447">CVE-2020-6447</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6448">CVE-2020-6448</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6450">CVE-2020-6450</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6451">CVE-2020-6451</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6452">CVE-2020-6452</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6454">CVE-2020-6454</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6455">CVE-2020-6455</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-6456">CVE-2020-6456</uri>
</references>
<metadata tag="requester" timestamp="2020-04-10T21:58:24Z">whissi</metadata>
<metadata tag="submitter" timestamp="2020-04-10T22:01:27Z">whissi</metadata>
</glsa>


@ -1 +1 @@
Mon, 25 Nov 2019 18:08:44 +0000 Thu, 16 Apr 2020 05:38:59 +0000


@ -1 +1 @@
751af6f91da06f53265195cff434eb66a145af73 1574641117 2019-11-25T00:18:37+00:00 f2cb9b0eb0e16fd065838568dbe36727be807027 1586556154 2020-04-10T22:02:34+00:00