mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-08-15 08:56:58 +02:00
Code Issues Packages Projects Releases Wiki Activity

portage-stable/metadata: Monthly GLSA metadata updates

Browse Source
This commit is contained in:
Flatcar Buildbot 2024-10-01 07:22:24 +00:00 committed by github-actions[bot]
parent db07824f82
commit 9c3cc8a0ff
36 changed files with 1658 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
sdk_container/src/third_party/portage-stable/metadata/glsa/Manifest vendored
View File

@ -1,23 +1,23 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
MANIFEST Manifest.files.gz 585357 BLAKE2B 90b484a7cfadba26e75b941b109643027b5530ea0e0da6565b28a1492ef9b8c6cfc7254e54f18ef93a17f476c8c87b2c8309fbac1afa85d144cc4d664931e811 SHA512 f5bbc1b0b0163958f91ecc02b4f0422622112ac5c642a105fef46e39550fd8622a03abd647b830a766a072ad993d41863d2d1d5ca05368f5af8d868f03aaeae4
TIMESTAMP 2024-09-01T06:40:36Z
MANIFEST Manifest.files.gz 590436 BLAKE2B 15aabc4185729e136cdcfaf5f8f985f8037a950c2674b40f4a60d6db55b6e66ddf62465183eec797a8745737731f08c9f5b7997b3092ca23932abe139760e3a2 SHA512 d4bc062a4c9898005fcd53314c2db40baaef3e5725ab92e762d55ae3747dcb34a1602299c2aa4bdf60a06b6f322e89ee0b897eafffb10de6e5392274ab828bc5
TIMESTAMP 2024-10-01T06:40:44Z
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmbUDGRfFIAAAAAALgAo
iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmb7mWxfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx
RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY
klDgsBAAoUHUrodoZqVv+dQRYagMfOtKu+cZ/yb+l9WuJq5v6zJV1SU3HFJjb8jB
yvdsf1tED9myb4iYSBaUa3rGgXbpqT7MEBZDK8lCdxo/i9ATbjbD6eSmQNqMpWCE
XfeWtJ0pa9zLEPJfzUDQ+XfJlGUkhjtiB59+/cP11gOmwRFyANr4lRvhX5hFU1sj
X9HyFfr7RPSEnZNTRjIhtFRJQvWhkZzoZOzMnJPLzzMmJkU50hVsuutiRjsRZvlZ
r+Q6yy23fOJltACl7wu8HL1BYFsMZTzMmsPABXjF20rSYMS1zqaXP/0yEuwUcmRJ
EB9bE4ximGDUD55AI5t9v9M+N3wVCx7FWifhHdOLjr2fQ/aVURbAbXG+SGfSPcgq
LSPafIb5H2N26gk7/Op/FdKb/kZ9KsHt0e63znXhvUsCLScQhrrTbR3Y2zhaZxKd
EjghEbQcdMnVLzS5i/ZlhonjeOohRCeUqWFBTf2nrn/dwFPUEaG9aheroC3h6CNS
P/x1d+kuGTu1nCmo1qyYEswpFhshdWaDphc/DF7X5glI49zT98la3FcViXIJI1NR
+oWLc4T22ObxKiuZadtxFs+fxeDnWKE5K37e5/tAELKDlr/EsmK1lDHr04jThLKh
4jALrrOHx9ELnhV2VQUAR9ZdbEd9jLY0d2LWvE8ZdvlpIXBxkUQ=
=3RjN
klAYfQ/+OORrhaCeew6AHMTI6JedDh1PU9GyUImC7rN1cUyze4keLTTj7PjtwYhA
tdADi7qq9lVBlGdibw3zziyg6pZO6yBOCpBx7nRF6djTCh1PLutgv6YNywKEHNBn
Re8whp1RlIHNLnnWYHrRbz5R1LmdKDXXy97j7JK/JnyAYT1z88DVkGA8aaZlb1Gw
lhVrGeXoY38ak652IYpoCOpMY8klKRd5D2M6G7mccIFHHrPiqtVa+vqrPG1GNulS
z08BF8/xrIG+4UQggWNOHEQvNF826oDwVFQtvSengpH2Sb7oEKzOdD8kCXxlCyQ5
Tx4+Ig1KQosSdXga91F0z7fdIqtZu8gwa9D1b1f56slQdoMY8oJD1TU0wVCEqwhj
fqU4zimrtssezq7g1JAxXxuBoBkAj5+7Fb6HNptnWZxOBjOnqdsx2EcYmbcbC4By
xcfMpO/pTwYOn1w6OgZrJCuhafnvINOFzjl6+OqgtN294TeFKHXXdUB80ZMsib6r
70gaBqjdgf5Q8GXC8Ry0tiHVCrzxOgL8YX/TluA3sbYlIFn7hy8atNmj0Hg+SDxX
VCphysLRF6YNr74XcWJKPhr4M4YgCxRUwUL/hsb7U6/R2BriPyml9E0yiRCJ9bPC
dKFEQ8OzRQ/4cupRgQGorqrv+ilHmwwh10JKh44yrAS7J6da+4w=
=aTpw
-----END PGP SIGNATURE-----

BIN
sdk_container/src/third_party/portage-stable/metadata/glsa/Manifest.files.gz vendored
View File

Binary file not shown.

42
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202409-01.xml vendored Normal file
View File

@ -0,0 +1,42 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202409-01">
<title>Portage: Unverified PGP Signatures</title>
<synopsis>A vulnerability has been discovered in Portage, where PGP signatures would not be verified.</synopsis>
<product type="ebuild">portage</product>
<announced>2024-09-22</announced>
<revised count="1">2024-09-22</revised>
<bug>905356</bug>
<access>local</access>
<affected>
<package name="sys-apps/portage" auto="yes" arch="*">
<unaffected range="ge">3.0.47</unaffected>
<vulnerable range="lt">3.0.47</vulnerable>
</package>
</affected>
<background>
<p>Portage is the default Gentoo package management system.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Portage. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="normal">
<p>When using the webrsync mechanism to sync the tree the PGP signatures that protect the integrity of the data in the tree would not be verified. This would allow a man-in-the-middle attack to inject arbitrary content into the tree.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Portage users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-apps/portage-3.0.47"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2016-20021">CVE-2016-20021</uri>
</references>
<metadata tag="requester" timestamp="2024-09-22T05:36:27.160412Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-09-22T05:36:27.162654Z">graaff</metadata>
</glsa>

54
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202409-02.xml vendored Normal file
View File

@ -0,0 +1,54 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202409-02">
<title>PostgreSQL: Privilege Escalation</title>
<synopsis>A vulnerability has been discovered in PostgreSQL, which can lead to privilege escalation.</synopsis>
<product type="ebuild">postgresql</product>
<announced>2024-09-22</announced>
<revised count="1">2024-09-22</revised>
<bug>937573</bug>
<access>local and remote</access>
<affected>
<package name="dev-db/postgresql" auto="yes" arch="*">
<unaffected range="ge" slot="12">12.20</unaffected>
<unaffected range="ge" slot="13">13.16</unaffected>
<unaffected range="ge" slot="14">14.13</unaffected>
<unaffected range="ge" slot="15">15.8</unaffected>
<unaffected range="ge" slot="16">16.4</unaffected>
<vulnerable range="lt" slot="12">12.20</vulnerable>
<vulnerable range="lt" slot="13">13.16</vulnerable>
<vulnerable range="lt" slot="14">14.13</vulnerable>
<vulnerable range="lt" slot="15">15.8</vulnerable>
<vulnerable range="lt" slot="16">16.4</vulnerable>
</package>
</affected>
<background>
<p>PostgreSQL is an open source object-relational database management system.</p>
</background>
<description>
<p>A vulnerability has been discovered in PostgreSQL. Please review the CVE identifier referenced below for details.</p>
</description>
<impact type="high">
<p>An attacker able to create and drop non-temporary objects could inject SQL code that would be executed by a concurrent pg_dump session with the privileges of the role running pg_dump (which is often a superuser). The attack involves replacing a sequence or similar object with a view or foreign table that will execute malicious code. To prevent this, introduce a new server parameter restrict_nonsystem_relation_kind that can disable expansion of non-builtin views as well as access to foreign tables, and teach pg_dump to set it when available. Note that the attack is prevented only if both pg_dump and the server it is dumping from are new enough to have this fix.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All PostgreSQL users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/postgresql-12.20:12"
# emerge --ask --oneshot --verbose ">=dev-db/postgresql-13.16:13"
# emerge --ask --oneshot --verbose ">=dev-db/postgresql-14.13:14"
# emerge --ask --oneshot --verbose ">=dev-db/postgresql-15.8:15"
# emerge --ask --oneshot --verbose ">=dev-db/postgresql-16.4:16"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7348">CVE-2024-7348</uri>
</references>
<metadata tag="requester" timestamp="2024-09-22T05:47:12.326843Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-09-22T05:47:12.329535Z">graaff</metadata>
</glsa>

46
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202409-03.xml vendored Normal file
View File

@ -0,0 +1,46 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202409-03">
<title>GPL Ghostscript: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in GPL Ghostscript, the worst of which could lead to arbitrary code execution.</synopsis>
<product type="ebuild">ghostscript-gpl</product>
<announced>2024-09-22</announced>
<revised count="1">2024-09-22</revised>
<bug>932125</bug>
<access>remote</access>
<affected>
<package name="app-text/ghostscript-gpl" auto="yes" arch="*">
<unaffected range="ge">10.03.1</unaffected>
<vulnerable range="lt">10.03.1</vulnerable>
</package>
</affected>
<background>
<p>Ghostscript is an interpreter for the PostScript language and for PDF.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in GPL Ghostscript. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="high">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All GPL Ghostscript users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/ghostscript-gpl-10.03.1"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-52722">CVE-2023-52722</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-29510">CVE-2024-29510</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-33869">CVE-2024-33869</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-33870">CVE-2024-33870</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-33871">CVE-2024-33871</uri>
</references>
<metadata tag="requester" timestamp="2024-09-22T05:52:02.744888Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-09-22T05:52:02.747684Z">graaff</metadata>
</glsa>

47
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202409-04.xml vendored Normal file
View File

@ -0,0 +1,47 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202409-04">
<title>calibre: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in calibre, the worst of which could lead to remote code execution.</synopsis>
<product type="ebuild">calibre</product>
<announced>2024-09-22</announced>
<revised count="1">2024-09-22</revised>
<bug>918429</bug>
<bug>936961</bug>
<access>local and remote</access>
<affected>
<package name="app-text/calibre" auto="yes" arch="*">
<unaffected range="ge">7.16.0</unaffected>
<vulnerable range="lt">7.16.0</vulnerable>
</package>
</affected>
<background>
<p>calibre is a powerful and easy to use e-book manager.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in calibre. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="high">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All calibre users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/calibre-7.16.0"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-46303">CVE-2023-46303</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-6781">CVE-2024-6781</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-6782">CVE-2024-6782</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7008">CVE-2024-7008</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7009">CVE-2024-7009</uri>
</references>
<metadata tag="requester" timestamp="2024-09-22T05:54:09.323646Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-09-22T05:54:09.325619Z">graaff</metadata>
</glsa>

42
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202409-05.xml vendored Normal file
View File

@ -0,0 +1,42 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202409-05">
<title>PJSIP: Heap Buffer Overflow</title>
<synopsis>A vulnerability has been discovered in PJSIP, which could lead to arbitrary code execution.</synopsis>
<product type="ebuild">pjproject</product>
<announced>2024-09-22</announced>
<revised count="1">2024-09-22</revised>
<bug>917463</bug>
<access>local and remote</access>
<affected>
<package name="net-libs/pjproject" auto="yes" arch="*">
<unaffected range="ge">2.13.1</unaffected>
<vulnerable range="lt">2.13.1</vulnerable>
</package>
</affected>
<background>
<p>PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE.</p>
</background>
<description>
<p>Please review the CVE identifier referenced below for details.</p>
</description>
<impact type="normal">
<p>Please review the CVE identifier referenced below for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All PJSIP users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/pjproject-2.13.1"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-27585">CVE-2023-27585</uri>
</references>
<metadata tag="requester" timestamp="2024-09-22T06:00:28.996175Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-09-22T06:00:28.999302Z">graaff</metadata>
</glsa>

42
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202409-06.xml vendored Normal file
View File

@ -0,0 +1,42 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202409-06">
<title>file: Stack Buffer Overread</title>
<synopsis>A vulnerability has been discovered in file, which could lead to a denial of service.</synopsis>
<product type="ebuild">file</product>
<announced>2024-09-22</announced>
<revised count="1">2024-09-22</revised>
<bug>918554</bug>
<access>remote</access>
<affected>
<package name="sys-apps/file" auto="yes" arch="*">
<unaffected range="ge">5.42</unaffected>
<vulnerable range="lt">5.42</vulnerable>
</package>
</affected>
<background>
<p>The file utility attempts to identify a files format by scanning binary data for patterns.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in file. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="normal">
<p>File has an stack-based buffer over-read in file_copystr in funcs.c.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All file users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-apps/file-5.42"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-48554">CVE-2022-48554</uri>
</references>
<metadata tag="requester" timestamp="2024-09-22T06:04:59.257322Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-09-22T06:04:59.260356Z">graaff</metadata>
</glsa>

55
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202409-07.xml vendored Normal file
View File

@ -0,0 +1,55 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202409-07">
<title>Rust: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in Rust, the worst of which could lead to arbitrary code execution.</synopsis>
<product type="ebuild">rust,rust-bin</product>
<announced>2024-09-22</announced>
<revised count="1">2024-09-22</revised>
<bug>890371</bug>
<bug>911685</bug>
<access>remote</access>
<affected>
<package name="dev-lang/rust" auto="yes" arch="*">
<unaffected range="ge">1.71.1</unaffected>
<vulnerable range="lt">1.71.1</vulnerable>
</package>
<package name="dev-lang/rust-bin" auto="yes" arch="*">
<unaffected range="ge">1.71.1</unaffected>
<vulnerable range="lt">1.71.1</vulnerable>
</package>
</affected>
<background>
<p>A systems programming language that runs blazingly fast, prevents segfaults, and guarantees thread safety.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Rust. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="normal">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Rust binary users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/rust-bin-1.71.1"
</code>
<p>All Rust users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/rust-1.71.1"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-46176">CVE-2022-46176</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-38497">CVE-2023-38497</uri>
</references>
<metadata tag="requester" timestamp="2024-09-22T06:09:00.541000Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-09-22T06:09:00.543705Z">graaff</metadata>
</glsa>

45
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202409-08.xml vendored Normal file
View File

@ -0,0 +1,45 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202409-08">
<title>OpenVPN: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in OpenVPN, the worst of which could lead to information disclosure.</synopsis>
<product type="ebuild">openvpn</product>
<announced>2024-09-22</announced>
<revised count="1">2024-09-22</revised>
<bug>835514</bug>
<bug>917272</bug>
<access>remote</access>
<affected>
<package name="net-vpn/openvpn" auto="yes" arch="*">
<unaffected range="ge">2.6.7</unaffected>
<vulnerable range="lt">2.6.7</vulnerable>
</package>
</affected>
<background>
<p>OpenVPN is a multi-platform, full-featured SSL VPN solution.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in OpenVPN. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="normal">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All OpenVPN users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-vpn/openvpn-2.6.7"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-0547">CVE-2022-0547</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-46849">CVE-2023-46849</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-46850">CVE-2023-46850</uri>
</references>
<metadata tag="requester" timestamp="2024-09-22T06:34:37.212666Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-09-22T06:34:37.215160Z">graaff</metadata>
</glsa>

42
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202409-09.xml vendored Normal file
View File

@ -0,0 +1,42 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202409-09">
<title>Exo: Arbitrary Code Execution</title>
<synopsis>A vulnerability has been discovered in Exo, which can lead to arbitrary code execution.</synopsis>
<product type="ebuild">exo</product>
<announced>2024-09-22</announced>
<revised count="1">2024-09-22</revised>
<bug>851201</bug>
<access>remote</access>
<affected>
<package name="xfce-base/exo" auto="yes" arch="*">
<unaffected range="ge">4.17.2</unaffected>
<vulnerable range="lt">4.17.2</vulnerable>
</package>
</affected>
<background>
<p>Exo is an Xfce library targeted at application development, originally developed by os-cillation. It contains various custom widgets and APIs extending the functionality of GLib and GTK. It also has some helper applications that are used throughout the entire Xfce desktop to manage preferred applications and edit .desktop files.</p>
</background>
<description>
<p>A vulnerability has been discovered in Exo. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="normal">
<p>Exo executes remote desktop files which may lead to unexpected arbitrary code execution.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Exo users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=xfce-base/exo-4.17.2"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-32278">CVE-2022-32278</uri>
</references>
<metadata tag="requester" timestamp="2024-09-22T06:39:07.184860Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-09-22T06:39:07.187259Z">graaff</metadata>
</glsa>

83
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202409-10.xml vendored Normal file
View File

@ -0,0 +1,83 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202409-10">
<title>Xen: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in Xen, the worst of which could lead to privilege escalation.</synopsis>
<product type="ebuild">xen</product>
<announced>2024-09-22</announced>
<revised count="1">2024-09-22</revised>
<bug>918669</bug>
<bug>921355</bug>
<bug>923741</bug>
<bug>928620</bug>
<bug>929038</bug>
<access>remote</access>
<affected>
<package name="app-emulation/xen" auto="yes" arch="*">
<unaffected range="ge">4.17.4</unaffected>
<vulnerable range="lt">4.17.4</vulnerable>
</package>
</affected>
<background>
<p>Xen is a bare-metal hypervisor.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Xen. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="normal">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Xen users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-emulation/xen-4.17.4"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-4949">CVE-2022-4949</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-42336">CVE-2022-42336</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-28746">CVE-2023-28746</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-34319">CVE-2023-34319</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-34320">CVE-2023-34320</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-34321">CVE-2023-34321</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-34322">CVE-2023-34322</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-34323">CVE-2023-34323</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-34324">CVE-2023-34324</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-34325">CVE-2023-34325</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-34327">CVE-2023-34327</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-34328">CVE-2023-34328</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-46835">CVE-2023-46835</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-46836">CVE-2023-46836</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-46837">CVE-2023-46837</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-46839">CVE-2023-46839</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-46840">CVE-2023-46840</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-46841">CVE-2023-46841</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-46842">CVE-2023-46842</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-2193">CVE-2024-2193</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-31142">CVE-2024-31142</uri>
<uri link="https://xenbits.xen.org/xsa/advisory-431.html">XSA-431</uri>
<uri link="https://xenbits.xen.org/xsa/advisory-432.html">XSA-432</uri>
<uri link="https://xenbits.xen.org/xsa/advisory-436.html">XSA-436</uri>
<uri link="https://xenbits.xen.org/xsa/advisory-437.html">XSA-437</uri>
<uri link="https://xenbits.xen.org/xsa/advisory-438.html">XSA-438</uri>
<uri link="https://xenbits.xen.org/xsa/advisory-439.html">XSA-439</uri>
<uri link="https://xenbits.xen.org/xsa/advisory-440.html">XSA-440</uri>
<uri link="https://xenbits.xen.org/xsa/advisory-441.html">XSA-441</uri>
<uri link="https://xenbits.xen.org/xsa/advisory-442.html">XSA-442</uri>
<uri link="https://xenbits.xen.org/xsa/advisory-447.html">XSA-447</uri>
<uri link="https://xenbits.xen.org/xsa/advisory-449.html">XSA-449</uri>
<uri link="https://xenbits.xen.org/xsa/advisory-450.html">XSA-450</uri>
<uri link="https://xenbits.xen.org/xsa/advisory-451.html">XSA-451</uri>
<uri link="https://xenbits.xen.org/xsa/advisory-452.html">XSA-452</uri>
<uri link="https://xenbits.xen.org/xsa/advisory-453.html">XSA-453</uri>
<uri link="https://xenbits.xen.org/xsa/advisory-454.html">XSA-454</uri>
<uri link="https://xenbits.xen.org/xsa/advisory-455.html">XSA-455</uri>
</references>
<metadata tag="requester" timestamp="2024-09-22T06:41:59.700785Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-09-22T06:41:59.703837Z">graaff</metadata>
</glsa>

44
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202409-11.xml vendored Normal file
View File

@ -0,0 +1,44 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202409-11">
<title>Oracle VirtualBox: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in Oracle VirtualBox, the worst of which could lead to privilege escalation.</synopsis>
<product type="ebuild">virtualbox</product>
<announced>2024-09-22</announced>
<revised count="1">2024-09-22</revised>
<bug>918524</bug>
<access>remote</access>
<affected>
<package name="app-emulation/virtualbox" auto="yes" arch="*">
<unaffected range="ge">7.0.12</unaffected>
<vulnerable range="lt">7.0.12</vulnerable>
</package>
</affected>
<background>
<p>VirtualBox is a powerful virtualization product from Oracle.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Oracle VirtualBox. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="normal">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Oracle VirtualBox users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-emulation/virtualbox-7.0.12"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-22098">CVE-2023-22098</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-22099">CVE-2023-22099</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-22100">CVE-2023-22100</uri>
</references>
<metadata tag="requester" timestamp="2024-09-22T06:56:15.978186Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-09-22T06:56:15.982430Z">graaff</metadata>
</glsa>

65
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202409-12.xml vendored Normal file
View File

@ -0,0 +1,65 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202409-12">
<title>pypy, pypy3: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in pypy and pypy3, the worst of which could lead to arbitrary code execution.</synopsis>
<product type="ebuild">pypy,pypy-exe,pypy-exe-bin,pypy3</product>
<announced>2024-09-22</announced>
<revised count="1">2024-09-22</revised>
<bug>741496</bug>
<bug>741560</bug>
<bug>774114</bug>
<bug>782520</bug>
<access>local</access>
<affected>
<package name="dev-python/pypy" auto="yes" arch="*">
<unaffected range="ge">7.3.3_p37_p1-r1</unaffected>
<vulnerable range="lt">7.3.3_p37_p1-r1</vulnerable>
</package>
<package name="dev-python/pypy-exe" auto="yes" arch="*">
<unaffected range="ge">7.3.2</unaffected>
<vulnerable range="lt">7.3.2</vulnerable>
</package>
<package name="dev-python/pypy-exe-bin" auto="yes" arch="*">
<vulnerable range="lt">7.3.2</vulnerable>
</package>
<package name="dev-python/pypy3" auto="yes" arch="*">
<unaffected range="ge">7.3.3_p37_p1-r1</unaffected>
<vulnerable range="lt">7.3.3_p37_p1-r1</vulnerable>
</package>
</affected>
<background>
<p>A fast, compliant alternative implementation of the Python language.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in pypy. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="normal">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All pypy users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-python/pypy-7.3.3_p37_p1-r1"
# emerge --ask --oneshot --verbose ">=dev-python/pypy-exe-7.3.2"
# emerge --ask --oneshot --verbose ">=dev-python/pypy-exe-bin-7.3.2"
</code>
<p>All pypy3 users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-python/pypy3-7.3.3_p37_p1-r1"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-27619">CVE-2020-27619</uri>
</references>
<metadata tag="requester" timestamp="2024-09-22T06:59:11.659897Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-09-22T06:59:11.662062Z">graaff</metadata>
</glsa>

48
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202409-13.xml vendored Normal file
View File

@ -0,0 +1,48 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202409-13">
<title>gst-plugins-good: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in gst-plugins-good, the worst of which could lead to denial of service or arbitrary code execution.</synopsis>
<product type="ebuild">gst-plugins-good</product>
<announced>2024-09-22</announced>
<revised count="1">2024-09-22</revised>
<bug>859418</bug>
<access>local and remote</access>
<affected>
<package name="media-libs/gst-plugins-good" auto="yes" arch="*">
<unaffected range="ge">1.20.3</unaffected>
<vulnerable range="lt">1.20.3</vulnerable>
</package>
</affected>
<background>
<p>gst-plugins-good contains a set of plugins for the GStreamer open source multimedia framework.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in gst-plugins-good. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="normal">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All gst-plugins-good users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/gst-plugins-good-1.20.3"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1920">CVE-2022-1920</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1921">CVE-2022-1921</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1922">CVE-2022-1922</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1923">CVE-2022-1923</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1924">CVE-2022-1924</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1925">CVE-2022-1925</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2122">CVE-2022-2122</uri>
</references>
<metadata tag="requester" timestamp="2024-09-22T07:13:16.567438Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-09-22T07:13:16.570171Z">graaff</metadata>
</glsa>

48
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202409-14.xml vendored Normal file
View File

@ -0,0 +1,48 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202409-14">
<title>Mbed TLS: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in Mbed TLS, the worst of which could lead to information disclosure or denial of service.</synopsis>
<product type="ebuild">mbedtls</product>
<announced>2024-09-22</announced>
<revised count="1">2024-09-22</revised>
<bug>886001</bug>
<bug>923279</bug>
<access>local and remote</access>
<affected>
<package name="net-libs/mbedtls" auto="yes" arch="*">
<unaffected range="ge">2.28.7</unaffected>
<vulnerable range="lt">2.28.7</vulnerable>
</package>
</affected>
<background>
<p>Mbed TLS (previously PolarSSL) is an “easy to understand, use, integrate and expand” implementation of the TLS and SSL protocols and the respective cryptographic algorithms and support code required.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Mbed TLS. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="normal">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Mbed TLS users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/mbedtls-2.28.7"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-46392">CVE-2022-46392</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-46393">CVE-2022-46393</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-43615">CVE-2023-43615</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-45199">CVE-2023-45199</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-23170">CVE-2024-23170</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-23775">CVE-2024-23775</uri>
</references>
<metadata tag="requester" timestamp="2024-09-22T07:17:18.324977Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-09-22T07:17:18.327589Z">graaff</metadata>
</glsa>

54
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202409-15.xml vendored Normal file
View File

@ -0,0 +1,54 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202409-15">
<title>stb: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in stb, the worst of which lead to a denial of service.</synopsis>
<product type="ebuild">stb</product>
<announced>2024-09-22</announced>
<revised count="1">2024-09-22</revised>
<bug>818556</bug>
<access>local</access>
<affected>
<package name="dev-libs/stb" auto="yes" arch="*">
<unaffected range="ge">20240201</unaffected>
<vulnerable range="lt">20240201</vulnerable>
</package>
</affected>
<background>
<p>A set of single-file public domain (or MIT licensed) libraries for C/C++</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in stb. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="normal">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All stb users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/stb-20240201"
</code>
<p>Note that stb is included at compile time, so all packages that depend on it should also be reinstalled. If you have app-portage/gentoolkit installed you can use:</p>
<code>
# emerge --ask --verbose $( equery depends dev-libs/stb | sed 's/^/=/' )
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-28021">CVE-2021-28021</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-37789">CVE-2021-37789</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-42715">CVE-2021-42715</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-42716">CVE-2021-42716</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-28041">CVE-2022-28041</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-28042">CVE-2022-28042</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-28048">CVE-2022-28048</uri>
</references>
<metadata tag="requester" timestamp="2024-09-22T07:19:29.592096Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-09-22T07:19:29.595210Z">graaff</metadata>
</glsa>

47
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202409-16.xml vendored Normal file
View File

@ -0,0 +1,47 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202409-16">
<title>Slurm: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in Slurm, the worst of which could result in privilege escalation or code execution.</synopsis>
<product type="ebuild">slurm</product>
<announced>2024-09-22</announced>
<revised count="1">2024-09-22</revised>
<bug>631552</bug>
<bug>920104</bug>
<access>remote</access>
<affected>
<package name="sys-cluster/slurm" auto="yes" arch="*">
<vulnerable range="le">22.05.3</vulnerable>
</package>
</affected>
<background>
<p>Slurm is a highly scalable resource manager.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Slurm. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="high">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>Gentoo has discontinued support for Slurm. We recommend that users unmerge it:</p>
<code>
# emerge --ask --depclean "sys-cluster/slurm"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-36770">CVE-2020-36770</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-49933">CVE-2023-49933</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-49934">CVE-2023-49934</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-49935">CVE-2023-49935</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-49936">CVE-2023-49936</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-49937">CVE-2023-49937</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-49938">CVE-2023-49938</uri>
</references>
<metadata tag="requester" timestamp="2024-09-22T07:39:27.768375Z">ajak</metadata>
<metadata tag="submitter" timestamp="2024-09-22T07:39:27.772433Z">graaff</metadata>
</glsa>

44
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202409-17.xml vendored Normal file
View File

@ -0,0 +1,44 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202409-17">
<title>VLC: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in VLC, the worst of which could result in arbitrary code execution.</synopsis>
<product type="ebuild">vlc</product>
<announced>2024-09-22</announced>
<revised count="1">2024-09-22</revised>
<bug>788226</bug>
<bug>883943</bug>
<bug>917274</bug>
<access>remote</access>
<affected>
<package name="media-video/vlc" auto="yes" arch="*">
<unaffected range="ge">3.0.20</unaffected>
<vulnerable range="lt">3.0.20</vulnerable>
</package>
</affected>
<background>
<p>VLC is a cross-platform media player and streaming server.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in VLC. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="normal">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All VLC users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-video/vlc-3.0.20"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-41325">CVE-2022-41325</uri>
</references>
<metadata tag="requester" timestamp="2024-09-22T07:58:11.321369Z">ajak</metadata>
<metadata tag="submitter" timestamp="2024-09-22T07:58:11.324218Z">graaff</metadata>
</glsa>

44
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202409-18.xml vendored Normal file
View File

@ -0,0 +1,44 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202409-18">
<title>liblouis: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in liblouis, the worst of which could result in denial of service.</synopsis>
<product type="ebuild">liblouis</product>
<announced>2024-09-22</announced>
<revised count="1">2024-09-22</revised>
<bug>905298</bug>
<access>remote</access>
<affected>
<package name="dev-libs/liblouis" auto="yes" arch="*">
<unaffected range="ge">3.25.0</unaffected>
<vulnerable range="lt">3.25.0</vulnerable>
</package>
</affected>
<background>
<p>liblouis is an open-source braille translator and back-translator.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in liblouis. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="low">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All liblouis users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/liblouis-3.25.0"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-26767">CVE-2023-26767</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-26768">CVE-2023-26768</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-26769">CVE-2023-26769</uri>
</references>
<metadata tag="requester" timestamp="2024-09-22T08:30:59.018458Z">ajak</metadata>
<metadata tag="submitter" timestamp="2024-09-22T08:30:59.022181Z">graaff</metadata>
</glsa>

72
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202409-19.xml vendored Normal file
View File

@ -0,0 +1,72 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202409-19">
<title>Emacs, org-mode: Command Execution Vulnerability</title>
<synopsis>A vulnerability has been found in Emacs and org-mode which could result in arbitrary code execution.</synopsis>
<product type="ebuild">emacs,org-mode</product>
<announced>2024-09-22</announced>
<revised count="1">2024-09-22</revised>
<bug>934736</bug>
<access>local</access>
<affected>
<package name="app-editors/emacs" auto="yes" arch="*">
<unaffected range="ge" slot="26">26.3-r19</unaffected>
<unaffected range="ge" slot="27">27.2-r17</unaffected>
<unaffected range="ge" slot="28">28.2-r13</unaffected>
<unaffected range="ge" slot="29">29.3-r3</unaffected>
<vulnerable range="lt" slot="26">26.3-r19</vulnerable>
<vulnerable range="lt" slot="27">27.2-r17</vulnerable>
<vulnerable range="lt" slot="28">28.2-r13</vulnerable>
<vulnerable range="lt" slot="29">29.3-r3</vulnerable>
</package>
<package name="app-emacs/org-mode" auto="yes" arch="*">
<unaffected range="ge">9.7.5</unaffected>
<vulnerable range="lt">9.7.5</vulnerable>
</package>
</affected>
<background>
<p>Emacs is the extensible, customizable, self-documenting real-time display editor. org-mode is an Emacs mode for notes and project planning.</p>
</background>
<description>
<p>%(...) link abbreviations could specify unsafe functions.</p>
</description>
<impact type="high">
<p>Opening a malicious org-mode file could result in arbitrary code execution.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Emacs users should upgrade to the latest version according to the installed slot, one of:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-editors/emacs-26.3-r19:26"
</code>
<p>Alternatively:</p>
<code>
# emerge --ask --oneshot --verbose ">=app-editors/emacs-27.2-r17:27"
</code>
<code>
# emerge --ask --oneshot --verbose ">=app-editors/emacs-28.2-r13:28"
</code>
<code>
# emerge --ask --oneshot --verbose ">=app-editors/emacs-29.3-r3:29"
</code>
<p>All org-mode users should upgrade to the latest package:</p>
<code>
# emerge --ask --oneshot --verbose ">=app-emacs/org-mode-9.7.5"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-39331">CVE-2024-39331</uri>
</references>
<metadata tag="requester" timestamp="2024-09-22T09:04:08.173072Z">ajak</metadata>
<metadata tag="submitter" timestamp="2024-09-22T09:04:08.176708Z">graaff</metadata>
</glsa>

51
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202409-20.xml vendored Normal file
View File

@ -0,0 +1,51 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202409-20">
<title>curl: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in curl, the worst of which could lead to information disclosure.</synopsis>
<product type="ebuild">curl</product>
<announced>2024-09-23</announced>
<revised count="1">2024-09-23</revised>
<bug>919325</bug>
<bug>919889</bug>
<bug>923413</bug>
<bug>927960</bug>
<access>remote</access>
<affected>
<package name="net-misc/curl" auto="yes" arch="*">
<unaffected range="ge">8.7.1</unaffected>
<vulnerable range="lt">8.7.1</vulnerable>
</package>
</affected>
<background>
<p>A command line tool and library for transferring data with URLs.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in curl. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="normal">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All curl users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/curl-8.7.1"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-42619">CVE-2023-42619</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-46218">CVE-2023-46218</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-46219">CVE-2023-46219</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0853">CVE-2024-0853</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-2004">CVE-2024-2004</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-2398">CVE-2024-2398</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-2466">CVE-2024-2466</uri>
</references>
<metadata tag="requester" timestamp="2024-09-23T05:53:30.922445Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-09-23T05:53:30.926884Z">graaff</metadata>
</glsa>

41
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202409-21.xml vendored Normal file
View File

@ -0,0 +1,41 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202409-21">
<title>Hunspell: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in Hunspell, the worst of which could lead to arbitrary code execution.</synopsis>
<product type="ebuild">hunspell</product>
<announced>2024-09-24</announced>
<revised count="1">2024-09-24</revised>
<bug>866093</bug>
<access>local</access>
<affected>
<package name="app-text/hunspell" auto="yes" arch="*">
<unaffected range="ge">1.7.1</unaffected>
<vulnerable range="lt">1.7.1</vulnerable>
</package>
</affected>
<background>
<p>Hunspell is the spell checker of LibreOffice, OpenOffice.org, Mozilla Firefox &amp; Thunderbird, Google Chrome.</p>
</background>
<description>
<p>Malicious input to the hunspell spell checker could result in an application crash or other unspecified behavior.</p>
</description>
<impact type="normal">
<p>Malicious input to the hunspell spell checker could result in an application crash or other unspecified behavior.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Hunspell users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/hunspell-1.7.1"
</code>
</resolution>
<references>
</references>
<metadata tag="requester" timestamp="2024-09-24T05:10:05.686745Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-09-24T05:10:05.693494Z">graaff</metadata>
</glsa>

54
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202409-22.xml vendored Normal file
View File

@ -0,0 +1,54 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202409-22">
<title>GCC: Flawed Code Generation</title>
<synopsis>A vulnerability has been discovered in GCC, which can lead to flawed code generation.</synopsis>
<product type="ebuild">gcc</product>
<announced>2024-09-24</announced>
<revised count="1">2024-09-24</revised>
<bug>719466</bug>
<access>remote</access>
<affected>
<package name="sys-devel/gcc" auto="yes" arch="ppc ppc64">
<unaffected range="ge">10.0</unaffected>
<vulnerable range="lt">10.0</vulnerable>
</package>
</affected>
<background>
<p>The GNU Compiler Collection includes front ends for C, C++, Objective-C, Fortran, Ada, Go, D and Modula-2 as well as libraries for these languages (libstdc++,...).</p>
</background>
<description>
<p>A vulnerability has been discovered in GCC. Please review the CVE identifier referenced below for details.</p>
</description>
<impact type="normal">
<p>The POWER9 backend in GNU Compiler Collection (GCC) could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All GCC users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-devel/gcc-10.0"
</code>
<p>And then select it with gcc-config:</p>
<code>
# gcc-config latest
</code>
<p>In this case, users should also rebuild all affected packages with emerge -e, e.g.:</p>
<code>
# emerge --usepkg=n --emptytree @world
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-15847">CVE-2019-15847</uri>
</references>
<metadata tag="requester" timestamp="2024-09-24T05:11:59.047098Z">graaff</metadata>
<metadata tag="submitter" timestamp="2024-09-24T05:11:59.050051Z">graaff</metadata>
</glsa>

42
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202409-23.xml vendored Normal file
View File

@ -0,0 +1,42 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202409-23">
<title>ZNC: Remote Code Execution</title>
<synopsis>A vulnerability has been found in ZNC which could result in remote code execution.</synopsis>
<product type="ebuild">znc</product>
<announced>2024-09-24</announced>
<revised count="1">2024-09-24</revised>
<bug>935422</bug>
<access>remote</access>
<affected>
<package name="net-irc/znc" auto="yes" arch="*">
<unaffected range="ge">1.9.1</unaffected>
<vulnerable range="lt">1.9.1</vulnerable>
</package>
</affected>
<background>
<p>ZNC is an advanced IRC bouncer.</p>
</background>
<description>
<p>ZNC&#39;s modtcl could allow for remote code execution via a KICK.</p>
</description>
<impact type="normal">
<p>A vulnerable ZNC with the modtcl module loaded could be exploited for remote code execution.</p>
</impact>
<workaround>
<p>Unload the mod_tcl module.</p>
</workaround>
<resolution>
<p>All ZNC users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-irc/znc-1.9.1"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-39844">CVE-2024-39844</uri>
</references>
<metadata tag="requester" timestamp="2024-09-24T05:14:03.149211Z">ajak</metadata>
<metadata tag="submitter" timestamp="2024-09-24T05:14:03.152374Z">graaff</metadata>
</glsa>

44
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202409-24.xml vendored Normal file
View File

@ -0,0 +1,44 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202409-24">
<title>Tor: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Tor, the worst of which could result in denial of service.</synopsis>
<product type="ebuild">tor</product>
<announced>2024-09-24</announced>
<revised count="1">2024-09-24</revised>
<bug>916759</bug>
<bug>917142</bug>
<access>remote</access>
<affected>
<package name="net-vpn/tor" auto="yes" arch="*">
<unaffected range="ge">0.4.8.9</unaffected>
<vulnerable range="lt">0.4.8.9</vulnerable>
</package>
</affected>
<background>
<p>Tor is an implementation of second generation Onion Routing, a connection-oriented anonymizing communication service.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Tor. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="low">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Tor users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-vpn/tor-0.4.8.9"
</code>
</resolution>
<references>
<uri>TROVE-2023-004</uri>
<uri>TROVE-2023-006</uri>
</references>
<metadata tag="requester" timestamp="2024-09-24T05:15:39.701157Z">ajak</metadata>
<metadata tag="submitter" timestamp="2024-09-24T05:15:39.704608Z">graaff</metadata>
</glsa>

64
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202409-25.xml vendored Normal file
View File

@ -0,0 +1,64 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202409-25">
<title>Xpdf: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Xpdf, the worst of which could result in denial of service.</synopsis>
<product type="ebuild">xpdf</product>
<announced>2024-09-25</announced>
<revised count="1">2024-09-25</revised>
<bug>845027</bug>
<bug>908037</bug>
<bug>936407</bug>
<access>remote</access>
<affected>
<package name="app-text/xpdf" auto="yes" arch="*">
<unaffected range="ge">4.05</unaffected>
<vulnerable range="lt">4.05</vulnerable>
</package>
</affected>
<background>
<p>Xpdf is an X viewer for PDF files.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Xpdf. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="normal">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Xpdf users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/xpdf-4.05"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-7453">CVE-2018-7453</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-16369">CVE-2018-16369</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-30524">CVE-2022-30524</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-30775">CVE-2022-30775</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-33108">CVE-2022-33108</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-36561">CVE-2022-36561</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-38222">CVE-2022-38222</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-38334">CVE-2022-38334</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-38928">CVE-2022-38928</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-41842">CVE-2022-41842</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-41843">CVE-2022-41843</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-41844">CVE-2022-41844</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-43071">CVE-2022-43071</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-43295">CVE-2022-43295</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45586">CVE-2022-45586</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45587">CVE-2022-45587</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-2662">CVE-2023-2662</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-2663">CVE-2023-2663</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-2664">CVE-2023-2664</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-3044">CVE-2023-3044</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-3436">CVE-2023-3436</uri>
</references>
<metadata tag="requester" timestamp="2024-09-25T06:29:33.984023Z">ajak</metadata>
<metadata tag="submitter" timestamp="2024-09-25T06:29:33.987005Z">graaff</metadata>
</glsa>

88
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202409-26.xml vendored Normal file
View File

@ -0,0 +1,88 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202409-26">
<title>IcedTea: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in IcedTea, the worst of which could result in arbitrary code execution.</synopsis>
<product type="ebuild">icedtea,icedtea-bin</product>
<announced>2024-09-28</announced>
<revised count="1">2024-09-28</revised>
<bug>732628</bug>
<bug>803608</bug>
<bug>877599</bug>
<access>local</access>
<affected>
<package name="dev-java/icedtea" auto="yes" arch="*">
<vulnerable range="le">3.21.0</vulnerable>
</package>
<package name="dev-java/icedtea-bin" auto="yes" arch="*">
<vulnerable range="le">3.16.0-r2</vulnerable>
</package>
</affected>
<background>
<p>IcedTeas aim is to provide OpenJDK in a form suitable for easy configuration, compilation and distribution with the primary goal of allowing inclusion in GNU/Linux distributions.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in IcedTea. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="normal">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>Gentoo has discontinued support for IcedTea. We recommend that users unmerge it:</p>
<code>
# emerge --sync
# emerge --ask --depclean "dev-java/icedtea" "dev-java/icedtea-bin"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14556">CVE-2020-14556</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14562">CVE-2020-14562</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14573">CVE-2020-14573</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14577">CVE-2020-14577</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14578">CVE-2020-14578</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14579">CVE-2020-14579</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14581">CVE-2020-14581</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14583">CVE-2020-14583</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14593">CVE-2020-14593</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14621">CVE-2020-14621</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14664">CVE-2020-14664</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14779">CVE-2020-14779</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14781">CVE-2020-14781</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14782">CVE-2020-14782</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14792">CVE-2020-14792</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14796">CVE-2020-14796</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14797">CVE-2020-14797</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14798">CVE-2020-14798</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-14803">CVE-2020-14803</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-2341">CVE-2021-2341</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-2369">CVE-2021-2369</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-2388">CVE-2021-2388</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-2432">CVE-2021-2432</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-35550">CVE-2021-35550</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-35556">CVE-2021-35556</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-35559">CVE-2021-35559</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-35561">CVE-2021-35561</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-35564">CVE-2021-35564</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-35565">CVE-2021-35565</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-35567">CVE-2021-35567</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-35578">CVE-2021-35578</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-35586">CVE-2021-35586</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-35588">CVE-2021-35588</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-35603">CVE-2021-35603</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-21618">CVE-2022-21618</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-21619">CVE-2022-21619</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-21624">CVE-2022-21624</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-21626">CVE-2022-21626</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-21628">CVE-2022-21628</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-39399">CVE-2022-39399</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-21830">CVE-2023-21830</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-21835">CVE-2023-21835</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-21843">CVE-2023-21843</uri>
</references>
<metadata tag="requester" timestamp="2024-09-28T06:22:32.677309Z">ajak</metadata>
<metadata tag="submitter" timestamp="2024-09-28T06:22:32.681950Z">graaff</metadata>
</glsa>

42
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202409-27.xml vendored Normal file
View File

@ -0,0 +1,42 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202409-27">
<title>tmux: Null Pointer Dereference</title>
<synopsis>A vulnerability has been found in tmux which could result in application crash.</synopsis>
<product type="ebuild">tmux</product>
<announced>2024-09-28</announced>
<revised count="1">2024-09-28</revised>
<bug>891783</bug>
<access>remote</access>
<affected>
<package name="app-misc/tmux" auto="yes" arch="*">
<unaffected range="ge">3.4</unaffected>
<vulnerable range="lt">3.4</vulnerable>
</package>
</affected>
<background>
<p>tmux is a terminal multiplexer.</p>
</background>
<description>
<p>A null pointer dereference issue was discovered in function window_pane_set_event in window.c in which allows attackers to cause denial of service or other unspecified impacts.</p>
</description>
<impact type="normal">
<p>Manipulating tmux window state could result in a null pointer dereference.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All tmux users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-misc/tmux-3.4"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-47016">CVE-2022-47016</uri>
</references>
<metadata tag="requester" timestamp="2024-09-28T07:06:23.951339Z">ajak</metadata>
<metadata tag="submitter" timestamp="2024-09-28T07:06:23.955977Z">graaff</metadata>
</glsa>

42
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202409-28.xml vendored Normal file
View File

@ -0,0 +1,42 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202409-28">
<title>HashiCorp Consul: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in HashiCorp Consul, the worst of which could result in denial of service.</synopsis>
<product type="ebuild">consul</product>
<announced>2024-09-28</announced>
<revised count="1">2024-09-28</revised>
<bug>885997</bug>
<access>remote</access>
<affected>
<package name="app-admin/consul" auto="yes" arch="*">
<unaffected range="ge">1.15.10</unaffected>
<vulnerable range="lt">1.15.10</vulnerable>
</package>
</affected>
<background>
<p>HashiCorp Consul is a tool for service discovery, monitoring and configuration.</p>
</background>
<description>
<p>Multiple vulnerabilities have been found in HashiCorp Consul. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="low">
<p>Please review the CVE identifiers referenced below for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All HashiCorp Consul users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-admin/consul-1.15.10"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-41717">CVE-2022-41717</uri>
</references>
<metadata tag="requester" timestamp="2024-09-28T07:08:23.818242Z">ajak</metadata>
<metadata tag="submitter" timestamp="2024-09-28T07:08:23.822296Z">graaff</metadata>
</glsa>

60
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202409-29.xml vendored Normal file
View File

@ -0,0 +1,60 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202409-29">
<title>Docker: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in Docker, the worst of which could result in denial of service.</synopsis>
<product type="ebuild">docker</product>
<announced>2024-09-28</announced>
<revised count="1">2024-09-28</revised>
<bug>816273</bug>
<bug>869407</bug>
<bug>877653</bug>
<bug>886509</bug>
<bug>903804</bug>
<bug>905336</bug>
<bug>925022</bug>
<access>remote</access>
<affected>
<package name="app-containers/docker" auto="yes" arch="*">
<unaffected range="ge">25.0.4</unaffected>
<vulnerable range="lt">25.0.4</vulnerable>
</package>
</affected>
<background>
<p>Docker contains the the core functions you need to create Docker images and run Docker containers</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Docker. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="low">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Docker users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-containers/docker-25.0.4"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-41089">CVE-2021-41089</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-41091">CVE-2021-41091</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-36109">CVE-2022-36109</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-41717">CVE-2022-41717</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-26054">CVE-2023-26054</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-28840">CVE-2023-28840</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-28841">CVE-2023-28841</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-28842">CVE-2023-28842</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-23650">CVE-2024-23650</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-23651">CVE-2024-23651</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-23652">CVE-2024-23652</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-23653">CVE-2024-23653</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-24557">CVE-2024-24557</uri>
</references>
<metadata tag="requester" timestamp="2024-09-28T07:32:55.226701Z">ajak</metadata>
<metadata tag="submitter" timestamp="2024-09-28T07:32:55.232252Z">graaff</metadata>
</glsa>

46
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202409-30.xml vendored Normal file
View File

@ -0,0 +1,46 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202409-30">
<title>yt-dlp: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in yt-dlp, the worst of which could result in arbitrary code execution.</synopsis>
<product type="ebuild">yt-dlp</product>
<announced>2024-09-28</announced>
<revised count="1">2024-09-28</revised>
<bug>909780</bug>
<bug>917355</bug>
<bug>935316</bug>
<access>remote</access>
<affected>
<package name="net-misc/yt-dlp" auto="yes" arch="*">
<unaffected range="ge">2024.07.01</unaffected>
<vulnerable range="lt">2024.07.01</vulnerable>
</package>
</affected>
<background>
<p>yt-dlp is a youtube-dl fork with additional features and fixes.</p>
</background>
<description>
<p>Multiple vulnerabilities have been found in yt-dlp. Please review the referenced CVE identifiers for details.</p>
</description>
<impact type="normal">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All yt-dlp users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/yt-dlp-2024.07.01"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-35934">CVE-2023-35934</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-46121">CVE-2023-46121</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-38519">CVE-2024-38519</uri>
</references>
<metadata tag="requester" timestamp="2024-09-28T07:39:28.885110Z">ajak</metadata>
<metadata tag="submitter" timestamp="2024-09-28T07:39:28.889248Z">graaff</metadata>
</glsa>

58
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202409-31.xml vendored Normal file
View File

@ -0,0 +1,58 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202409-31">
<title>Apache HTTPD: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Apache HTTPD, the worst of which could result in denial of service.</synopsis>
<product type="ebuild">apache</product>
<announced>2024-09-28</announced>
<revised count="1">2024-09-28</revised>
<bug>928540</bug>
<bug>935296</bug>
<bug>935427</bug>
<bug>936257</bug>
<access>remote</access>
<affected>
<package name="www-servers/apache" auto="yes" arch="*">
<unaffected range="ge">2.4.62</unaffected>
<vulnerable range="lt">2.4.62</vulnerable>
</package>
</affected>
<background>
<p>The Apache HTTP server is one of the most popular web servers on the Internet.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Apache HTTPD. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="low">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Apache HTTPD users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-servers/apache-2.4.62"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-38709">CVE-2023-38709</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-24795">CVE-2024-24795</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-27316">CVE-2024-27316</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-36387">CVE-2024-36387</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-38472">CVE-2024-38472</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-38473">CVE-2024-38473</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-38474">CVE-2024-38474</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-38475">CVE-2024-38475</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-38476">CVE-2024-38476</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-38477">CVE-2024-38477</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-39573">CVE-2024-39573</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-39884">CVE-2024-39884</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-40725">CVE-2024-40725</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-40898">CVE-2024-40898</uri>
</references>
<metadata tag="requester" timestamp="2024-09-28T08:01:45.203406Z">ajak</metadata>
<metadata tag="submitter" timestamp="2024-09-28T08:01:45.208096Z">graaff</metadata>
</glsa>

45
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202409-32.xml vendored Normal file
View File

@ -0,0 +1,45 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202409-32">
<title>nginx: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in nginx, the worst of which could result in denial of service.</synopsis>
<product type="ebuild">nginx</product>
<announced>2024-09-28</announced>
<revised count="1">2024-09-28</revised>
<bug>924619</bug>
<bug>937938</bug>
<access>remote</access>
<affected>
<package name="www-servers/nginx" auto="yes" arch="*">
<unaffected range="ge">1.26.2-r2</unaffected>
<vulnerable range="lt">1.26.2-r2</vulnerable>
</package>
</affected>
<background>
<p>nginx is a robust, small, and high performance HTTP and reverse proxy server.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in nginx. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="low">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All nginx users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-servers/nginx-1.26.2-r2"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-7347">CVE-2024-7347</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-24989">CVE-2024-24989</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-24990">CVE-2024-24990</uri>
</references>
<metadata tag="requester" timestamp="2024-09-28T08:27:19.566049Z">ajak</metadata>
<metadata tag="submitter" timestamp="2024-09-28T08:27:19.571457Z">graaff</metadata>
</glsa>

2
sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk vendored
View File

@ -1 +1 @@
Sun, 01 Sep 2024 06:40:32 +0000
Tue, 01 Oct 2024 06:40:39 +0000

2
sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.commit vendored
View File

@ -1 +1 @@
7bcc5ebd7295c3c12ac47de41519dc019b4ba538 1723530188 2024-08-13T06:23:08Z
93155fde00088b123d8b46acf068ecadcf7bcfdb 1727512056 2024-09-28T08:27:36Z