Merge pull request #657 from dm0-/glsa

Sync GLSAs

sdk_container/src/third_party/portage-stable/metadata/glsa/Manifest

@@ -1,23 +1,23 @@
 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA512
 
-MANIFEST Manifest.files.gz 421068 BLAKE2B 7dadce7e4b041a3441a6b63ed7a860af4bdcb72f0c20dfbfdd9e4fb6e577a48f6a4fcb0599fba15eed3a96fa7c8c225773cd2e3d3942a286fd74ab527c15651e SHA512 acf6ff1943f0998753e92be7360ecf6e135b838a2681d49f8c91bef5155aaca01686c562e9e52ce269826b172b3f86851233b7716507c7b52394116ff6101c02
+MANIFEST Manifest.files.gz 421384 BLAKE2B bfbe5e356f9fb5467472e01b9ffa4c7ab788e49c049d40c7633dfa4d2ebb5c4bf4f92a4fa43049b85dad5d10c593ecd0e243ea7c1975e84055fc34386f72a4e8 SHA512 f0c1e1729862aec592153456994003bbdbb8f9bff919d3e8a74ef963808bc6065be99f22297469abc9678fd65da4c09918d0a860c5e2f27c193f04efea6f9560
-TIMESTAMP 2018-04-10T15:38:31Z
+TIMESTAMP 2018-04-16T16:38:37Z
 -----BEGIN PGP SIGNATURE-----
 
-iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAlrM2ndfFIAAAAAALgAo
+iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAlrU0Y1fFIAAAAAALgAo
 aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx
 RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY
-klBM2hAAhxjdROZlLwG2CxokiwKkVTLMepPK80nnhs85wEgE/DD4+zDo7qeKsRvi
+klBfbA/+II6sFbYzfmHBo4ga8eobS/m9HvPovkJSupaE/CJ52UMKsqp18Zr8Ja27
-24x/hzxUrr+B82GoEGK6nhCq90CCj54FMZNu+3csa8T8JaFJrzJ+HAU6iNtfdKjE
+WRGo6T1onvi916MCzxFgxXNoUQfGMOaXAecOEZUyQ+DlzGtXB7c8u1scUojzgG/0
-vMsE6Vdvehx6pgTEmVXrcc0iGQHKu8FNItd4z6MXvQg6s7UUJqdhw+mIV1t7jOB3
+FtUEjMr5MUhbvj47OcbGrpnXY6eJEHwMbp/rQuftVORG1+e296B4bihALfpzP9J2
-rbGrzpYFgn1fZggmRrhIk82Lf3cTlSe5AU5/3625wrYpNUkYzS0cgkIA+vTjWo0N
+6nb/Oby8qGY4eXOhENW6s2+U1f5AAYggvxssKxQ+WK24rxPIRKIQn/8jACwdaDyx
-2bOpNXSJQobx1mILAivJHyjcz2TU38Po63soohfjyj1qpDF1FNKcYaidbR7ytFXS
+YLyL+TXj4JFZ3HTjgDDn44aG1M2fkk/qViWpLw+F1jTaYmNUHUSk57aNtv6z15Yp
-V3NmV0eoXmstXDMBsH1r01YtVxs6zpHSWkoZDEZTixGGxhJdPqyO0eQo1fCzCg0k
+7V5cBz+No2gJNPaz2BtIAQw7NhYFV78I1tiQ9FqpB+jPmeBDerhKz/6dcNyekwSk
-AlIDdmNkfZAJiguSz8ZOjhIbhBrED7jyxl7q6bkfzC99rJwLSHeXk4h9bsGNdcFG
+bGerQHuyO7SRhF+JWrust1OuKcn8z9b8WvV1XpWZo1eQuTSqU6JPFQWaBpVT7+CS
-WKByqf2HACL8J+XRpiwUX/lF8YxQ6PkXr3fWi4/i6zrGMa/Mu2U+RKDzFEHTTbXc
+Zb5YBIZuqKyvEwhx8LT7osCDX8cXq4AsRfRJ+PwUL1Eh3dRjPCDURW+0SrYKb+xf
-nPuk4fY8aQt1FCXIjqBWUmhy4S/8VFCYKzru+s7NWNxFQsTzVXA8A5E4/KxOO4Ui
+ppzUCJhQjk0iigYsow5d6v03pionjkl4xZWBBetnyGvH3lpb85AylEHCDbhLOx9z
-jkUACXpPNWH/wAN55j5kZ4GwfvNDhQZ2Q/kiQAAWkcKUoYrQVrfB/gPy+eTTfa6N
+/zM5y3mOl2AddyVQkvEyCDy4z42MjE5gxSAoA4ixjwuFtYsCqrdoa4kotksPhPP5
-naEOmfnrFKuN0C0rYr6iLloS79cwvVSqZw2IjNsrcvAB7anhlUM=
+52d8oLEf3GvMNMxzILDBdkL6i2amqipA3q0MEyiB/2CblWsBccw=
-=iVON
+=AM/3
 -----END PGP SIGNATURE-----

sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201804-11.xml

@@ -0,0 +1,61 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201804-11">
+  <title>Adobe Flash Player: Multiple vulnerabilities</title>
+  <synopsis>Multiple vulnerabilities have been found in Adobe Flash Player, the
+    worst of which allows remote attackers to execute arbitrary code.
+  </synopsis>
+  <product type="ebuild">flash</product>
+  <announced>2018-04-11</announced>
+  <revised count="1">2018-04-11</revised>
+  <bug>652960</bug>
+  <access>remote</access>
+  <affected>
+    <package name="www-plugins/adobe-flash" auto="yes" arch="*">
+      <unaffected range="ge">29.0.0.140</unaffected>
+      <vulnerable range="lt">29.0.0.140</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>The Adobe Flash Player is a renderer for the SWF file format, which is
+      commonly used to provide interactive websites.
+    </p>
+  </background>
+  <description>
+    <p>Multiple vulnerabilities have been discovered in Adobe Flash Player.
+      Please review the CVE identifiers referenced below for details.
+    </p>
+  </description>
+  <impact type="high">
+    <p>A remote attacker could possibly execute arbitrary code with the
+      privileges of the process, disclose sensitive information or bypass
+      security restrictions.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All Adobe Flash users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose
+      "&gt;=www-plugins/adobe-flash-29.0.0.140"
+    </code>
+    
+  </resolution>
+  <references>
+    <uri link="https://helpx.adobe.com/security/products/flash-player/apsb18-08.html">
+      APSB18-08
+    </uri>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4932">CVE-2018-4932</uri>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4933">CVE-2018-4933</uri>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4934">CVE-2018-4934</uri>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4935">CVE-2018-4935</uri>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4936">CVE-2018-4936</uri>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-4937">CVE-2018-4937</uri>
+  </references>
+  <metadata tag="requester" timestamp="2018-04-11T11:03:48Z">whissi</metadata>
+  <metadata tag="submitter" timestamp="2018-04-11T20:08:20Z">whissi</metadata>
+</glsa>

sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201804-12.xml

@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201804-12">
+  <title>Go: Arbitrary code execution</title>
+  <synopsis>A vulnerability in Go allows remote attackers to execute arbitrary
+    commands.
+  </synopsis>
+  <product type="ebuild">go</product>
+  <announced>2018-04-15</announced>
+  <revised count="1">2018-04-15</revised>
+  <bug>650014</bug>
+  <access>remote</access>
+  <affected>
+    <package name="dev-lang/go" auto="yes" arch="*">
+      <unaffected range="ge">1.10.1</unaffected>
+      <vulnerable range="lt">1.10.1</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>Go is an open source programming language that makes it easy to build
+      simple, reliable, and efficient software.
+    </p>
+  </background>
+  <description>
+    <p>A vulnerability in Go was discovered which does not validate the import
+      path of remote repositories.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>Remote attackers, by enticing a user to import from a crafted website,
+      could execute arbitrary commands.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All Go users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=dev-lang/go-1.10.1"
+    </code>
+  </resolution>
+  <references>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-7187">CVE-2018-7187</uri>
+  </references>
+  <metadata tag="requester" timestamp="2018-04-14T16:24:01Z">b-man</metadata>
+  <metadata tag="submitter" timestamp="2018-04-15T23:23:53Z">b-man</metadata>
+</glsa>

sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk

@@ -1 +1 @@
-Tue, 10 Apr 2018 15:38:27 +0000
+Mon, 16 Apr 2018 16:38:33 +0000

sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.commit

@@ -1 +1 @@
-6d341a6c00fd52a41ddaf7e932d941b6c7f9bf88 1523293654 2018-04-09T17:07:34+00:00
+aa26a212e36fbca3a9091a00250a459fd6576eae 1523834733 2018-04-15T23:25:33+00:00