bump(metadata/glsa): sync with upstream

David Michael 2018-05-16 16:48:42 -04:00
parent dccb032032
commit 99aa76bc84
19 changed files with 878 additions and 17 deletions


@ -1,23 +1,23 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
MANIFEST Manifest.files.gz 421384 BLAKE2B bfbe5e356f9fb5467472e01b9ffa4c7ab788e49c049d40c7633dfa4d2ebb5c4bf4f92a4fa43049b85dad5d10c593ecd0e243ea7c1975e84055fc34386f72a4e8 SHA512 f0c1e1729862aec592153456994003bbdbb8f9bff919d3e8a74ef963808bc6065be99f22297469abc9678fd65da4c09918d0a860c5e2f27c193f04efea6f9560
TIMESTAMP 2018-04-16T16:38:37Z
MANIFEST Manifest.files.gz 423767 BLAKE2B b4b02eedb610a1c6d9e2d0e9f57f61c0c0ddafb48679b275cd19d127faac6f1d44d72cf4d204e2e99bbdadfb9d1e296ea33c63e12cff5af0207e2e6247914ff9 SHA512 ba2fcf04666f32bf8235a27f099dd883ab13109b872e9d00eac03e3e02b976470b0d5a6f1b3ce76acd9005d909e8b6e04ffdfefb9cce629ec213bbe88eb4d8b4
TIMESTAMP 2018-05-16T20:08:33Z
-----BEGIN PGP SIGNATURE-----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=AM/3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=rOnb
-----END PGP SIGNATURE-----


@ -0,0 +1,63 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201804-13">
<title>ncurses: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in ncurses, the worst of
which allows remote attackers to execute arbitrary code.
</synopsis>
<product type="ebuild">ncurses</product>
<announced>2018-04-17</announced>
<revised count="1">2018-04-17</revised>
<bug>624644</bug>
<bug>625830</bug>
<bug>629276</bug>
<bug>639706</bug>
<access>remote</access>
<affected>
<package name="sys-libs/ncurses" auto="yes" arch="*">
<unaffected range="ge" slot="0">6.1</unaffected>
<vulnerable range="lt" slot="0">6.1</vulnerable>
</package>
</affected>
<background>
<p>Free software emulation of curses in System V.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in ncurses. Please review
the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker, by enticing the user to process untrusted terminfo or
other data, could execute arbitrary code or cause a Denial of Service
condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All ncurses users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=sys-libs/ncurses-6.1:0"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-10684">CVE-2017-10684</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-10685">CVE-2017-10685</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-11112">CVE-2017-11112</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-11113">CVE-2017-11113</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-13728">CVE-2017-13728</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-13729">CVE-2017-13729</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-13730">CVE-2017-13730</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-13731">CVE-2017-13731</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-13732">CVE-2017-13732</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-13733">CVE-2017-13733</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-13734">CVE-2017-13734</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-16879">CVE-2017-16879</uri>
</references>
<metadata tag="requester" timestamp="2018-04-15T18:38:59Z">b-man</metadata>
<metadata tag="submitter" timestamp="2018-04-17T18:18:44Z">b-man</metadata>
</glsa>
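Review bot: Every advisory in this sync (201804-13 through 201805-05, the second line of each file) declares `<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">`, an external DTD reachable only over plain http, and nothing in the commit records how these files are meant to be parsed. Any tooling in this repository that reads them should be run with external DTD and entity resolution disabled (for example `xmllint --nonet --noout` for a well-formedness check), because a parser left at its defaults will fetch that URL on every parse and will honour whatever the fetched or a locally substituted DTD declares. The DOCTYPE itself is the upstream GLSA format and not something this sync should alter; the gap is consumer-side documentation, e.g. a short README note under metadata/glsa stating that the DTD reference is to be treated as an identifier and never fetched.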


@ -0,0 +1,51 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201804-14">
<title>GDK-PixBuf: Remote code execution</title>
<synopsis>A vulnerability has been found in GDK-PixBuf that may allow a
remote attacker to execute arbitrary code.
</synopsis>
<product type="ebuild">gdkpixbuf</product>
<announced>2018-04-17</announced>
<revised count="1">2018-04-17</revised>
<bug>644770</bug>
<access>remote</access>
<affected>
<package name="x11-libs/gdk-pixbuf" auto="yes" arch="*">
<unaffected range="ge">2.36.11</unaffected>
<vulnerable range="lt">2.36.11</vulnerable>
</package>
</affected>
<background>
<p>GDK-PixBuf is an image loading library for GTK+.</p>
</background>
<description>
<p>Several integer overflows were discovered in GDK-PixBufs gif_get_lzw
function.
</p>
</description>
<impact type="normal">
<p>A remote attacker, by enticing a user to process a specially crafted
image file, could execute arbitrary code or cause a Denial of Service
condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All GDK-PixBuf users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=x11-libs/gdk-pixbuf-2.36.11"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-1000422">
CVE-2017-1000422
</uri>
</references>
<metadata tag="requester" timestamp="2018-04-17T17:12:14Z">b-man</metadata>
<metadata tag="submitter" timestamp="2018-04-17T18:21:26Z">b-man</metadata>
</glsa>
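Review bot: The description line `<p>Several integer overflows were discovered in GDK-PixBufs gif_get_lzw` drops the possessive apostrophe and so reads as a plural; the same pattern appears in 201804-15 (`Evinces handling`), 201805-02 (`Pythons PyString_DecodeEscape`) and 201805-04 (`rsyncs parse_arguments`). Presumably the upstream GLSA tooling strips apostrophes from the text, in which case the fix belongs upstream rather than in this sync; if the wording is touched, `GDK-PixBuf's gif_get_lzw function` is what was meant.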


@ -0,0 +1,52 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201804-15">
<title>Evince: Command injection</title>
<synopsis>A vulnerability has been found in Evince which may allow for
arbitrary command execution.
</synopsis>
<product type="ebuild">evince</product>
<announced>2018-04-17</announced>
<revised count="1">2018-04-17</revised>
<bug>650272</bug>
<access>remote</access>
<affected>
<package name="app-text/evince" auto="yes" arch="*">
<unaffected range="ge">3.24.2-r1</unaffected>
<vulnerable range="lt">3.24.2-r1</vulnerable>
</package>
</affected>
<background>
<p>Evince is a document viewer for multiple document formats, including
PostScript.
</p>
</background>
<description>
<p>A vulnerability was discovered in Evinces handling of filenames while
printing PDF files.
</p>
</description>
<impact type="normal">
<p>A remote attacker, by enticing the user to process a specially crafted
file, could execute arbitrary commands.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Evince users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-text/evince-3.24.2-r1"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-1000159">
CVE-2017-1000159
</uri>
</references>
<metadata tag="requester" timestamp="2018-04-17T17:27:38Z">b-man</metadata>
<metadata tag="submitter" timestamp="2018-04-17T18:22:39Z">b-man</metadata>
</glsa>


@ -0,0 +1,61 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201804-16">
<title>ClamAV: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in ClamAV, the worst of
which may allow remote attackers to execute arbitrary code.
</synopsis>
<product type="ebuild">clamav</product>
<announced>2018-04-22</announced>
<revised count="1">2018-04-22</revised>
<bug>623534</bug>
<bug>625632</bug>
<bug>628686</bug>
<bug>628690</bug>
<bug>649314</bug>
<access>remote</access>
<affected>
<package name="app-antivirus/clamav" auto="yes" arch="*">
<unaffected range="ge">0.99.4</unaffected>
<vulnerable range="lt">0.99.4</vulnerable>
</package>
</affected>
<background>
<p>ClamAV is a GPL virus scanner.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in ClamAV. Please review
the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker, through multiple vectors, could execute arbitrary
code, cause a Denial of Service condition, or have other unspecified
impacts.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All ClamAV users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-antivirus/clamav-0.99.4"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2012-6706">CVE-2012-6706</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-11423">CVE-2017-11423</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-6418">CVE-2017-6418</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-6419">CVE-2017-6419</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-6420">CVE-2017-6420</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-0202">CVE-2018-0202</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-1000085">
CVE-2018-1000085
</uri>
</references>
<metadata tag="requester" timestamp="2018-04-22T21:20:11Z">b-man</metadata>
<metadata tag="submitter" timestamp="2018-04-22T22:32:37Z">b-man</metadata>
</glsa>


@ -0,0 +1,53 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201804-17">
<title>Quagga: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Quagga, the worst of
which could allow remote attackers to execute arbitrary code.
</synopsis>
<product type="ebuild">quagga</product>
<announced>2018-04-22</announced>
<revised count="1">2018-04-22</revised>
<bug>647788</bug>
<access>remote</access>
<affected>
<package name="net-misc/quagga" auto="yes" arch="*">
<unaffected range="ge">1.2.4</unaffected>
<vulnerable range="lt">1.2.4</vulnerable>
</package>
</affected>
<background>
<p>Quagga is a free routing daemon replacing Zebra supporting RIP, OSPF and
BGP.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Quagga. Please review
the CVE identifiers referenced below for details.
</p>
</description>
<impact type="high">
<p>A remote attacker, by sending specially crafted packets, could execute
arbitrary code or cause a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Quagga users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-misc/quagga-1.2.4"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-5378">CVE-2018-5378</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-5379">CVE-2018-5379</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-5380">CVE-2018-5380</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-5381">CVE-2018-5381</uri>
</references>
<metadata tag="requester" timestamp="2018-04-20T13:52:43Z">b-man</metadata>
<metadata tag="submitter" timestamp="2018-04-22T22:35:42Z">b-man</metadata>
</glsa>


@ -0,0 +1,51 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201804-18">
<title>tenshi: Privilege escalation</title>
<synopsis>Gentoo's tenshi ebuild is vulnerable to privilege escalation due to
the way pid files are handled.
</synopsis>
<product type="ebuild">tenshi</product>
<announced>2018-04-22</announced>
<revised count="1">2018-04-22</revised>
<bug>626654</bug>
<access>local</access>
<affected>
<package name="app-admin/tenshi" auto="yes" arch="*">
<unaffected range="ge">0.17</unaffected>
<vulnerable range="lt">0.17</vulnerable>
</package>
</affected>
<background>
<p>A log monitoring program, designed to watch one or more log files for
lines matching user defined regular expressions and report on the
matches.
</p>
</background>
<description>
<p>It was discovered that the tenshi ebuild creates a tenshi.pid file after
dropping privileges to a non-root account.
</p>
</description>
<impact type="normal">
<p>A local attacker could escalate privileges to root or kill arbitrary
processes.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All tenshi users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-admin/tenshi-0.17"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-11746">CVE-2017-11746</uri>
</references>
<metadata tag="requester" timestamp="2018-04-18T00:37:51Z">b-man</metadata>
<metadata tag="submitter" timestamp="2018-04-22T22:37:25Z">b-man</metadata>
</glsa>


@ -0,0 +1,54 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201804-19">
<title>mbed TLS: Multiple vulnerabilites</title>
<synopsis>Multiple vulnerabilities have been found in mbed TLS, the worst of
which could allow remote attackers to execute arbitrary code.
</synopsis>
<product type="ebuild">mbedtls</product>
<announced>2018-04-22</announced>
<revised count="1">2018-04-22</revised>
<bug>647800</bug>
<access>remote</access>
<affected>
<package name="net-libs/mbedtls" auto="yes" arch="*">
<unaffected range="ge">2.7.2</unaffected>
<vulnerable range="lt">2.7.2</vulnerable>
</package>
</affected>
<background>
<p>mbed TLS (previously PolarSSL) is an “easy to understand, use,
integrate and expand” implementation of the TLS and SSL protocols and
the respective cryptographic algorithms and support code required.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in mbed TLS. Please review
the CVE identifiers referenced below for details.
</p>
</description>
<impact type="high">
<p>A remote attacker, through multiple vectors, could possibly execute
arbitrary code with the privileges of the process or cause a Denial of
Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All mbed TLS users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-libs/mbedtls-2.7.2"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-18187">CVE-2017-18187</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-0487">CVE-2018-0487</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-0488">CVE-2018-0488</uri>
</references>
<metadata tag="requester" timestamp="2018-04-22T21:30:30Z">b-man</metadata>
<metadata tag="submitter" timestamp="2018-04-22T23:49:11Z">b-man</metadata>
</glsa>
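Review bot: The title `<title>mbed TLS: Multiple vulnerabilites</title>` misspells "vulnerabilities"; every other multi-CVE advisory in this sync spells it correctly, and the title is the string that feeds lists, feeds and mail subjects. Because the file is an upstream sync the correction should land upstream, but the intended line is `<title>mbed TLS: Multiple vulnerabilities</title>`.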


@ -0,0 +1,50 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201804-20">
<title>unADF: Remote code execution</title>
<synopsis>Multiple vulnerabilities have been found in unADF that may allow a
remote attacker to execute arbitrary code.
</synopsis>
<product type="ebuild">unadf</product>
<announced>2018-04-22</announced>
<revised count="1">2018-04-22</revised>
<bug>636388</bug>
<access>remote</access>
<affected>
<package name="app-arch/unadf" auto="yes" arch="*">
<unaffected range="ge">0.7.12-r1</unaffected>
<vulnerable range="lt">0.7.12-r1</vulnerable>
</package>
</affected>
<background>
<p>An unzip like for .ADF files.</p>
</background>
<description>
<p>Multiple vulnerabilities were discovered in unADF that can lead to
remote code execution. Please review the CVE identifiers referenced below
for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker, by enticing a user to process a specially crafted
file, could execute arbitrary code.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All unADF users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-arch/unadf-0.7.12-r1"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2016-1243">CVE-2016-1243</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2016-1244">CVE-2016-1244</uri>
</references>
<metadata tag="requester" timestamp="2018-04-22T20:59:29Z">b-man</metadata>
<metadata tag="submitter" timestamp="2018-04-22T23:50:47Z">b-man</metadata>
</glsa>
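Review bot: The background paragraph `<p>An unzip like for .ADF files.</p>` is missing its noun and reads as a fragment; `<p>An unzip-like tool for .ADF files.</p>` says what was meant. As with the rest of this batch the wording comes from upstream, so the change belongs there rather than in this sync.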


@ -0,0 +1,50 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201804-21">
<title>librelp: Remote code execution</title>
<synopsis>A vulnerability has been found in librelp that may allow a remote
attacker to execute arbitrary code.
</synopsis>
<product type="ebuild">librelp</product>
<announced>2018-04-22</announced>
<revised count="1">2018-04-22</revised>
<bug>651192</bug>
<access>remote</access>
<affected>
<package name="dev-libs/librelp" auto="yes" arch="*">
<unaffected range="ge">1.2.15</unaffected>
<vulnerable range="lt">1.2.15</vulnerable>
</package>
</affected>
<background>
<p>A reliable logging program.</p>
</background>
<description>
<p>A buffer overflow was discovered in librelp with the handling of x509
certificates.
</p>
</description>
<impact type="high">
<p>A remote attacker, by sending a specially crafted x509 certificate,
could execute arbitrary code.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All librelp users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-libs/librelp-1.2.15"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-1000140">
CVE-2018-1000140
</uri>
</references>
<metadata tag="requester" timestamp="2018-04-22T21:23:29Z">b-man</metadata>
<metadata tag="submitter" timestamp="2018-04-22T23:52:09Z">b-man</metadata>
</glsa>


@ -0,0 +1,104 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201804-22">
<title>Chromium, Google Chrome: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Chromium and Google
Chrome, the worst of which could result in the execution of arbitrary code.
</synopsis>
<product type="ebuild">chromium,chrome</product>
<announced>2018-04-24</announced>
<revised count="1">2018-04-24</revised>
<bug>653696</bug>
<access>remote</access>
<affected>
<package name="www-client/chromium" auto="yes" arch="*">
<unaffected range="ge">66.0.3359.117</unaffected>
<vulnerable range="lt">66.0.3359.117</vulnerable>
</package>
<package name="www-client/google-chrome" auto="yes" arch="*">
<unaffected range="ge">66.0.3359.117</unaffected>
<vulnerable range="lt">66.0.3359.117</vulnerable>
</package>
</affected>
<background>
<p>Chromium is an open-source browser project that aims to build a safer,
faster, and more stable way for all users to experience the web.
</p>
<p>Google Chrome is one fast, simple, and secure browser for all your
devices.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Chromium and Google
Chrome. Please review the referenced CVE identifiers and Google Chrome
Releases for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could possibly execute arbitrary code with the
privileges of the process, cause a Denial of Service condition, bypass
content security controls, or conduct URL spoofing.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Chromium users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose
"&gt;=www-client/chromium-66.0.3359.117"
</code>
<p>All Google Chrome users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose
"&gt;=www-client/google-chrome-66.0.3359.117"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6085">CVE-2018-6085</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6086">CVE-2018-6086</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6087">CVE-2018-6087</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6088">CVE-2018-6088</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6089">CVE-2018-6089</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6090">CVE-2018-6090</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6091">CVE-2018-6091</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6092">CVE-2018-6092</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6093">CVE-2018-6093</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6094">CVE-2018-6094</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6095">CVE-2018-6095</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6096">CVE-2018-6096</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6097">CVE-2018-6097</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6098">CVE-2018-6098</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6099">CVE-2018-6099</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6100">CVE-2018-6100</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6101">CVE-2018-6101</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6102">CVE-2018-6102</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6103">CVE-2018-6103</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6104">CVE-2018-6104</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6105">CVE-2018-6105</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6106">CVE-2018-6106</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6107">CVE-2018-6107</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6108">CVE-2018-6108</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6109">CVE-2018-6109</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6110">CVE-2018-6110</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6111">CVE-2018-6111</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6112">CVE-2018-6112</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6113">CVE-2018-6113</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6114">CVE-2018-6114</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6115">CVE-2018-6115</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6116">CVE-2018-6116</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6117">CVE-2018-6117</uri>
<uri link="https://chromereleases.googleblog.com/2018/04/stable-channel-update-for-desktop.html">
Google Chrome Release 20180417
</uri>
</references>
<metadata tag="requester" timestamp="2018-04-23T16:38:49Z">b-man</metadata>
<metadata tag="submitter" timestamp="2018-04-24T00:27:21Z">b-man</metadata>
</glsa>
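Review bot: The emerge commands in `<resolution>` are split across two lines (`# emerge --ask --oneshot --verbose` followed by `"&gt;=www-client/chromium-66.0.3359.117"` on a line of its own, and likewise for google-chrome), unlike every other advisory in this sync where the command fits on one line; the same split appears in 201805-03. If the renderer preserves line breaks inside `<code>`, which it must for the two-command blocks to display at all, a user who copies the block runs `emerge --ask --oneshot --verbose` with no atom and then a bare `">=www-client/chromium-66.0.3359.117"` line that the shell treats as a command name. Keeping each command on one line, `# emerge --ask --oneshot --verbose "&gt;=www-client/chromium-66.0.3359.117"`, avoids that. Separately, `<product type="ebuild">chromium,chrome</product>` here names the second product differently from `chromium, google-chrome` in 201805-03; the latter matches the package name and would be the consistent choice.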


@ -0,0 +1,50 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201805-01">
<title>hesiod: Root privilege escalation </title>
<synopsis>A vulnerability was discovered in hesiod which may allow remote
attackers to gain root privileges.
</synopsis>
<product type="ebuild">hesiod</product>
<announced>2018-05-02</announced>
<revised count="1">2018-05-02</revised>
<bug>606652</bug>
<access>local, remote</access>
<affected>
<package name="net-dns/hesiod" auto="yes" arch="*">
<vulnerable range="le">3.1.0</vulnerable>
</package>
</affected>
<background>
<p>DNS functionality to access to DB of information that changes
infrequently.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in hesiod that have
remained unaddressed. Please review the referenced CVE identifiers for
details.
</p>
</description>
<impact type="normal">
<p>A remote or local attacker may be able to escalate privileges to root.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>Gentoo has discontinued support for hesiod and recommends that users
unmerge the package:
</p>
<code>
# emerge --unmerge "net-dns/hesiod"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2016-10151">CVE-2016-10151</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2016-10152">CVE-2016-10152</uri>
</references>
<metadata tag="requester" timestamp="2018-04-29T17:50:36Z">b-man</metadata>
<metadata tag="submitter" timestamp="2018-05-02T23:52:01Z">b-man</metadata>
</glsa>
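Review bot: The title `<title>hesiod: Root privilege escalation </title>` carries a trailing space before the closing tag, which survives into any index or mail subject built from it unless the consumer trims; `<title>hesiod: Root privilege escalation</title>` is the intended form. The `<affected>` block lists only `<vulnerable range="le">3.1.0</vulnerable>` with no `<unaffected>` child, which is consistent with the unmerge resolution but is the only advisory in this sync in that shape, so it is worth confirming that the GLSA DTD permits a `<package>` without an `<unaffected>` entry before relying on it in local tooling.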


@ -0,0 +1,52 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201805-02">
<title>Python: Buffer overflow</title>
<synopsis>A buffer overflow in Python might allow remote attackers to execute
arbitrary code.
</synopsis>
<product type="ebuild">python</product>
<announced>2018-05-02</announced>
<revised count="1">2018-05-02</revised>
<bug>637938</bug>
<access>remote</access>
<affected>
<package name="dev-lang/python" auto="yes" arch="*">
<unaffected range="ge" slot="2.7">2.7.14</unaffected>
<vulnerable range="lt" slot="2.7">2.7.14</vulnerable>
</package>
</affected>
<background>
<p>Python is an interpreted, interactive, object-oriented programming
language.
</p>
</background>
<description>
<p>A buffer overflow was discovered in Pythons PyString_DecodeEscape
function in stringobject.c.
</p>
</description>
<impact type="normal">
<p>Remote attackers, by enticing a user to process a specially crafted
file, could execute arbitrary code.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Python 2 users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-lang/python-2.7.14:2.7"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-1000158">
CVE-2017-1000158
</uri>
</references>
<metadata tag="requester" timestamp="2018-04-24T00:27:08Z">b-man</metadata>
<metadata tag="submitter" timestamp="2018-05-02T23:53:50Z">b-man</metadata>
</glsa>


@ -0,0 +1,72 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201805-03">
<title>Chromium, Google Chrome: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Chromium and Google
Chrome, the worst of which could result in the execution of arbitrary code.
</synopsis>
<product type="ebuild">chromium, google-chrome</product>
<announced>2018-05-02</announced>
<revised count="1">2018-05-02</revised>
<bug>654384</bug>
<access>remote</access>
<affected>
<package name="www-client/chromium" auto="yes" arch="*">
<unaffected range="ge">66.0.3359.139</unaffected>
<vulnerable range="lt">66.0.3359.139</vulnerable>
</package>
<package name="www-client/google-chrome" auto="yes" arch="*">
<unaffected range="ge">66.0.3359.139</unaffected>
<vulnerable range="lt">66.0.3359.139</vulnerable>
</package>
</affected>
<background>
<p>Chromium is an open-source browser project that aims to build a safer,
faster, and more stable way for all users to experience the web.
</p>
<p>Google Chrome is one fast, simple, and secure browser for all your
devices.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Chromium and Google
Chrome. Please review the referenced CVE identifiers and Google Chrome
Releases for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could possibly execute arbitrary code with the
privileges of the process.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Chromium users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose
"&gt;=www-client/chromium-66.0.3359.139"
</code>
<p>All Google Chrome users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose
"&gt;=www-client/google-chrome-66.0.3359.139"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6118">CVE-2018-6118</uri>
<uri link="https://chromereleases.googleblog.com/2018/04/stable-channel-update-for-desktop_26.html">
Google Chrome Release 20180426
</uri>
</references>
<metadata tag="requester" timestamp="2018-05-01T23:39:45Z">chrisadr</metadata>
<metadata tag="submitter" timestamp="2018-05-02T23:57:25Z">chrisadr</metadata>
</glsa>


@ -0,0 +1,48 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201805-04">
<title>rsync: Arbitrary command execution</title>
<synopsis>A vulnerability in rsync might allow remote attackers to execute
arbitrary commands.
</synopsis>
<product type="ebuild">rsync</product>
<announced>2018-05-08</announced>
<revised count="1">2018-05-08</revised>
<bug>646818</bug>
<access>remote</access>
<affected>
<package name="net-misc/rsync" auto="yes" arch="*">
<unaffected range="ge">3.1.3</unaffected>
<vulnerable range="lt">3.1.3</vulnerable>
</package>
</affected>
<background>
<p>File transfer program to keep remote files into sync.</p>
</background>
<description>
<p>A vulnerability was discovered in rsyncs parse_arguments function in
options.c.
</p>
</description>
<impact type="normal">
<p>Remote attackers could possibly execute arbitrary commands with the
privilege of the process.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All rsync users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-misc/rsync-3.1.3"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-5764">CVE-2018-5764</uri>
</references>
<metadata tag="requester" timestamp="2018-05-03T08:10:23Z">Zlogene</metadata>
<metadata tag="submitter" timestamp="2018-05-08T15:27:34Z">b-man</metadata>
</glsa>


@ -0,0 +1,50 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201805-05">
<title>mpv: Remote code execution</title>
<synopsis>A vulnerability has been found in mpv that may allow a remote
attacker to execute arbitrary code.
</synopsis>
<product type="ebuild">mpv</product>
<announced>2018-05-14</announced>
<revised count="1">2018-05-14</revised>
<bug>646886</bug>
<access>local, remote</access>
<affected>
<package name="media-video/mpv" auto="yes" arch="*">
<unaffected range="ge">0.27.2</unaffected>
<vulnerable range="lt">0.27.2</vulnerable>
</package>
</affected>
<background>
<p>Video player based on MPlayer/mplayer2</p>
</background>
<description>
<p>A vulnerability was discovered in mpv with the handling of HTML
documents containing VIDEO elements. Additionally, mpv accepts arbitrary
URLs in a src attribute without a protocol whitelist in
player/lua/ytdl_hook.lua.
</p>
</description>
<impact type="high">
<p>A remote attacker, by enticing the user to visit a specially crafted web
site, could execute arbitrary code.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All mpv users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=media-video/mpv-0.27.2"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6360">CVE-2018-6360</uri>
</references>
<metadata tag="requester" timestamp="2018-05-07T16:02:12Z">jmbailey</metadata>
<metadata tag="submitter" timestamp="2018-05-14T23:21:56Z">jmbailey</metadata>
</glsa>


@ -1 +1 @@
Mon, 16 Apr 2018 16:38:33 +0000
Wed, 16 May 2018 20:08:29 +0000


@ -1 +1 @@
aa26a212e36fbca3a9091a00250a459fd6576eae 1523834733 2018-04-15T23:25:33+00:00
40f254b177f3628d865f1e77c8fd7c94584de14e 1526340152 2018-05-14T23:22:32+00:00