From a9a49baafebee5226c742eb71fd280f8e6ea4326 Mon Sep 17 00:00:00 2001 From: Alex Crawford Date: Mon, 2 Jan 2017 07:54:58 -0800 Subject: [PATCH] bump(metadata/glsa): sync with upstream --- .../metadata/glsa/glsa-201611-11.xml | 8 +- .../metadata/glsa/glsa-201612-40.xml | 8 +- .../metadata/glsa/glsa-201612-44.xml | 53 +++++++++++ .../metadata/glsa/glsa-201612-45.xml | 53 +++++++++++ .../metadata/glsa/glsa-201612-46.xml | 53 +++++++++++ .../metadata/glsa/glsa-201612-47.xml | 64 +++++++++++++ .../metadata/glsa/glsa-201612-48.xml | 65 +++++++++++++ .../metadata/glsa/glsa-201612-49.xml | 47 +++++++++ .../metadata/glsa/glsa-201612-50.xml | 54 +++++++++++ .../metadata/glsa/glsa-201612-51.xml | 49 ++++++++++ .../metadata/glsa/glsa-201612-52.xml | 66 +++++++++++++ .../metadata/glsa/glsa-201612-53.xml | 56 +++++++++++ .../metadata/glsa/glsa-201612-54.xml | 58 +++++++++++ .../metadata/glsa/glsa-201612-55.xml | 59 ++++++++++++ .../metadata/glsa/glsa-201612-56.xml | 95 +++++++++++++++++++ .../metadata/glsa/glsa-201701-01.xml | 91 ++++++++++++++++++ .../metadata/glsa/glsa-201701-02.xml | 50 ++++++++++ .../metadata/glsa/glsa-201701-03.xml | 91 ++++++++++++++++++ .../metadata/glsa/glsa-201701-04.xml | 46 +++++++++ .../metadata/glsa/glsa-201701-05.xml | 53 +++++++++++ .../metadata/glsa/glsa-201701-06.xml | 52 ++++++++++ .../metadata/glsa/glsa-201701-07.xml | 48 ++++++++++ .../metadata/glsa/glsa-201701-08.xml | 70 ++++++++++++++ .../metadata/glsa/glsa-201701-09.xml | 48 ++++++++++ .../metadata/glsa/glsa-201701-10.xml | 65 +++++++++++++ .../metadata/glsa/glsa-201701-11.xml | 53 +++++++++++ .../metadata/glsa/glsa-201701-12.xml | 62 ++++++++++++ .../metadata/glsa/glsa-201701-13.xml | 56 +++++++++++ .../metadata/glsa/timestamp.chk | 2 +- 29 files changed, 1568 insertions(+), 7 deletions(-) create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-44.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-45.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-46.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-47.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-48.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-49.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-50.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-51.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-52.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-53.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-54.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-55.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-56.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-01.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-02.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-03.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-04.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-05.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-06.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-07.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-08.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-09.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-10.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-11.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-12.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-13.xml diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201611-11.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201611-11.xml index f3038223d8..e26c96b0c0 100644 --- a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201611-11.xml +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201611-11.xml @@ -7,7 +7,7 @@ November 18, 2016 - November 18, 2016: 1 + January 02, 2017: 2 594368 594520 595192 @@ -21,6 +21,7 @@ 598044 598046 598328 + 603442 local @@ -53,6 +54,9 @@ + + CVE-2016-10029 + CVE-2016-7161 CVE-2016-7423 CVE-2016-7466 @@ -73,5 +77,5 @@ CVE-2016-9105 b-man - b-man + b-man diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-40.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-40.xml index 25f2052b4e..a82fde227b 100644 --- a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-40.xml +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-40.xml @@ -7,11 +7,11 @@ squashfs-tools December 13, 2016 - December 13, 2016: 2 + December 14, 2016: 3 427356 remote - + 4.3 4.3 @@ -44,7 +44,7 @@ # emerge --sync - # emerge --ask --oneshot --verbose ">=squashfs-tools-4.3" + # emerge --ask --oneshot --verbose ">=sys-fs/squashfs-tools-4.3" @@ -52,5 +52,5 @@ CVE-2012-4025 whissi - whissi + whissi diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-44.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-44.xml new file mode 100644 index 0000000000..5e87434fed --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-44.xml @@ -0,0 +1,53 @@ + + + + Roundcube: Arbitrary code execution + A vulnerability in Roundcube could potentially lead to arbitrary + code execution. + + roundcube + December 24, 2016 + December 24, 2016: 1 + 601410 + remote + + + 1.2.3 + 1.2.3 + + + +

Free and open source webmail software for the masses, written in PHP.

+ + +

Roundcube, when no SMTP server is configured and the sendmail program is + enabled, does not properly restrict the use of custom envelope-from + addresses on the sendmail command line. +

+ + +

An authenticated remote attacker could possibly execute arbitrary code + with the privileges of the process, or cause a Denial of Service + condition. +

+ + +

Don’t use a MTA (Mail Transfer Agent) in conjunction with Roundcube + which implements sendmail’s “-O” or “-X” parameter, or + configure Roundcube to use a SMTP server as recommended by upstream. +

+ + +

All Roundcube users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/roundcube-1.2.3" + + + + CVE-2016-9920 + + whissi + whissi + diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-45.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-45.xml new file mode 100644 index 0000000000..4ef88625ff --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-45.xml @@ -0,0 +1,53 @@ + + + + Tor: Multiple vulnerabilities + Multiple vulnerabilities were found in Tor, the worst of which + could allow remote attackers to cause a Denial of Service condition. + + tor + December 24, 2016 + December 24, 2016: 1 + 591008 + 597394 + 597524 + remote + + + 0.2.8.9 + 0.2.8.9 + + + +

Tor is an implementation of second generation Onion Routing, a + connection-oriented anonymizing communication service. +

+ + +

Multiple vulnerabilities have been discovered in Tor. Please review the + CVE identifier and change log referenced below for details. +

+ + +

A remote attacker could possibly cause a Denial of Service condition.

+ + +

There is no known workaround at this time.

+ + +

All Tor users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/tor-0.2.8.9" + + + + CVE-2016-8860 + + Tor 0.2.8.9 Change Log + + + whissi + whissi + diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-46.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-46.xml new file mode 100644 index 0000000000..5a12cc0646 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-46.xml @@ -0,0 +1,53 @@ + + + + Xerces-C++: Multiple vulnerabilities + Multiple vulnerabilities have been found in Xerces-C++, the worst + of which may allow remote attackers to execute arbitrary code. + + xerces-c + December 24, 2016 + December 24, 2016: 1 + 575700 + 584506 + local, remote + + + 3.1.4-r1 + 3.1.4-r1 + + + +

Xerces-C++ is a validating XML parser written in a portable subset of + C++. +

+ + +

Multiple vulnerabilities have been discovered in Xerces-C++. Please + review the CVE identifiers referenced below for details. +

+ + +

A remote attacker could entice a user to process a specially crafted + file, possibly resulting in the remote execution of arbitrary code with + the privileges of the process, or a Denial of Service condition. +

+ + +

There is no known workaround at this time.

+ + +

All Xerces-C++ users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/xerces-c-3.1.4-r1" + + + + CVE-2016-0729 + CVE-2016-2099 + + b-man + whissi + diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-47.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-47.xml new file mode 100644 index 0000000000..c56e4fb829 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-47.xml @@ -0,0 +1,64 @@ + + + + Samba: Multiple vulnerabilities + Multiple vulnerabilities have been found in Samba, the worst of + which may allow execution of arbitrary code with root privileges. + + samba + December 24, 2016 + December 24, 2016: 1 + 568432 + 578004 + local, remote + + + 4.2.11 + 4.2.11 + + + +

Samba is a suite of SMB and CIFS client/server programs.

+ + +

Multiple vulnerabilities have been discovered in samba. Please review + the CVE identifiers referenced below for details. +

+ + +

A remote attacker could possibly execute arbitrary code with root + privileges, cause a Denial of Service condition, conduct a + man-in-the-middle attack, obtain sensitive information, or bypass file + permissions. +

+ + +

There is no known workaround at this time.

+ + +

All Samba users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-fs/samba-4.2.11" + + + + CVE-2015-3223 + CVE-2015-5252 + CVE-2015-5296 + CVE-2015-5299 + CVE-2015-5330 + CVE-2015-7540 + CVE-2015-8467 + CVE-2016-2110 + CVE-2016-2111 + CVE-2016-2112 + CVE-2016-2113 + CVE-2016-2114 + CVE-2016-2115 + CVE-2016-2118 + + whissi + whissi + diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-48.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-48.xml new file mode 100644 index 0000000000..e396e98fab --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-48.xml @@ -0,0 +1,65 @@ + + + + Firejail: Multiple vulnerabilities + Multiple vulnerabilities have been discovered in Firejail, the + worst of which may allow bypassing of sandbox protection. + + firejail + December 27, 2016 + December 27, 2016: 1 + 601994 + local, remote + + + 0.9.44.2 + 0.9.44.2 + + + 0.9.38.6 + + + +

A SUID program that reduces the risk of security breaches by restricting + the running environment of untrusted applications using Linux namespaces + and seccomp-bpf. +

+ + +

Multiple vulnerabilities have been discovered in Firejail. Please review + upstream’s release notes below for details. +

+ + +

A remote attacker could possibly bypass sandbox protection, cause a + Denial of Service condition, or change a system’s DNS server. +

+ + +

There is no known workaround at this time.

+ + +

All Firejail users should switch to the newly added LTS version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-apps/firejail-lts-0.9.38.6" + + +

Users who want to stay on the current branch should upgrade to the + latest version: +

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-apps/firejail-0.9.44.2" + + + + + Firejail Release Notes + + + b-man + whissi + diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-49.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-49.xml new file mode 100644 index 0000000000..624084e3f8 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-49.xml @@ -0,0 +1,47 @@ + + + + mod_wsgi: Privilege escalation + A vulnerability in mod_wsgi could lead to privilege escalation. + mod_wsgi + December 30, 2016 + December 30, 2016: 1 + 536270 + local, remote + + + 4.3.0 + 4.3.0 + + + +

mod_wsgi is an Apache2 module for running Python WSGI applications.

+ + +

mod_wsgi, when creating a daemon process group, does not properly handle + dropping group privileges. +

+ + +

Context-dependent attackers could escalate privileges due to the + improper handling of group privileges. +

+ + +

There is no known workaround at this time.

+ + +

All mod_wsgi users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apache/mod_wsgi-4.3.0" + + + + + CVE-2014-8583 + + whissi + b-man + diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-50.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-50.xml new file mode 100644 index 0000000000..e6bc9029a6 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-50.xml @@ -0,0 +1,54 @@ + + + + Openfire: Multiple vulnerabilities + Multiple vulnerabilities have been found in Openfire, the worst of + which could lead to privilege escalation. + + openfire + December 31, 2016 + December 31, 2016: 1 + 603604 + remote + + + 4.1.0 + 4.1.0 + + + +

Openfire (formerly Wildfire) is a cross-platform real-time collaboration + server based on the XMPP (Jabber) protocol. +

+ + +

Multiple vulnerabilities have been discovered in Openfire. Please review + the CVE identifiers referenced below for details. +

+ + +

A remote attacker could bypass the CSRF protection mechanism, conduct + Cross-Site Scripting attacks, or an authenticated remote attacker could + gain privileges while accessing Openfire’s web interface. +

+ + +

There is no known workaround at this time.

+ + +

All Openfire users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-im/openfire-4.1.0" + + + + + CVE-2015-6972 + CVE-2015-6973 + CVE-2015-7707 + + whissi + whissi + diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-51.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-51.xml new file mode 100644 index 0000000000..c37baa1ba6 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-51.xml @@ -0,0 +1,49 @@ + + + + Icinga: Privilege escalation + A vulnerability in Icinga could lead to privilege escalation. + icinga + December 31, 2016 + December 31, 2016: 1 + 603534 + local + + + 1.13.4 + 1.13.4 + + + +

Icinga is an open source computer system and network monitoring + application. It was originally created as a fork of the Nagios system + monitoring application in 2009. +

+ + +

Icinga daemon was found to perform unsafe operations when handling the + log file. +

+ + +

A local attacker, who either is already Icinga’s system user or + belongs to Icinga’s group, could potentially escalate privileges. +

+ + +

There is no known workaround at this time.

+ + +

All Icinga users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-analyzer/icinga-1.13.4" + + + + CVE-2016-9566 + + whissi + whissi + diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-52.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-52.xml new file mode 100644 index 0000000000..a11910851e --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-52.xml @@ -0,0 +1,66 @@ + + + + Pillow: Multiple vulnerabilities + Multiple vulnerabilities have been found in Pillow, the worst of + which may allow execution of arbitrary code. + + pillow + December 31, 2016 + December 31, 2016: 1 + 507982 + 573958 + 599608 + 599610 + 599612 + local, remote + + + 3.4.2 + 3.4.2 + + + +

The friendly PIL fork.

+ + +

Multiple vulnerabilities have been discovered in Pillow. Please review + the CVE identifiers referenced below for details. +

+ + +

A local attacker could perform symlink attacks to overwrite arbitrary + files with the privileges of the user running the application, or obtain + sensitive information. +

+ +

A remote attackers could execute arbitrary code with the privileges of + the process, or cause a Denial of Service condition. +

+ + +

There is no known workaround at this time.

+ + +

All Pillow users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-python/pillow-3.4.2" + + + + CVE-2014-1932 + CVE-2014-1933 + CVE-2016-0740 + CVE-2016-0775 + CVE-2016-2533 + CVE-2016-4009 + CVE-2016-9189 + CVE-2016-9190 + + + keytoaster + + b-man + diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-53.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-53.xml new file mode 100644 index 0000000000..dcc094c1ae --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-53.xml @@ -0,0 +1,56 @@ + + + + CyaSSL: Multiple vulnerabilities + Multiple vulnerabilities have been found in CyaSSL, the worst of + which may allow attackers to execute arbitrary code. + + cyassl + December 31, 2016 + December 31, 2016: 1 + 507418 + local, remote + + + 2.9.4 + + + +

CyaSSL is a small, fast, portable implementation of TLS/SSL for embedded + devices to the cloud. +

+ + +

Multiple vulnerabilities have been discovered in CyaSSL. Please review + the CVE identifiers referenced below for details. +

+ + +

An attacker could possibly execute arbitrary code with the privileges of + the process, cause a Denial of Service condition, or conduct a + man-in-the-middle attack. +

+ + +

There is no known workaround at this time.

+ + +

Upstream has discontinued the software in favor of wolfSSL. Therefore, + the CyaSSL package has been removed from the Gentoo repository and + current users are advised to unmerge the package. +

+ + + # emerge --unmerge "net-libs/cyassl" + + + + CVE-2014-2896 + CVE-2014-2897 + CVE-2014-2898 + CVE-2014-2899 + CVE-2014-2900 + + whissi + b-man + diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-54.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-54.xml new file mode 100644 index 0000000000..e4b8d2c965 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-54.xml @@ -0,0 +1,58 @@ + + + + Chicken: Multiple vulnerabilities + Multiple vulnerabilities have been found in Chicken, the worst of + which allows remote attackers to execute arbitrary code. + + chicken + December 31, 2016 + December 31, 2016: 1 + 467966 + 486350 + 510712 + 536448 + 552202 + local, remote + + + 4.10.0-r1 + 4.10.0-r1 + + + +

Chicken is a scheme interpreter and native scheme to C compiler.

+ + +

Multiple vulnerabilities have been discovered in Chicken. Please review + the CVE identifiers referenced below for details. +

+ + +

A remote attacker could possibly execute arbitrary code with the + privileges of the process, or cause a Denial of Service condition. +

+ + +

There is no known workaround at this time.

+ + +

All Chicken users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-scheme/chicken-4.10.0-r1" + + + + CVE-2013-2024 + CVE-2013-4385 + CVE-2014-3776 + CVE-2014-9651 + CVE-2015-4556 + + + BlueKnight + + b-man + diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-55.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-55.xml new file mode 100644 index 0000000000..70bb09e01b --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-55.xml @@ -0,0 +1,59 @@ + + + + libjpeg-turbo: User-assisted execution of arbitrary code + An out-of-bounds read in libjpeg-turbo might allow remote attackers + to execute arbitrary code. + + libjpeg-turbo + December 31, 2016 + December 31, 2016: 1 + 585782 + remote + + + 1.5.0 + 1.5.0 + + + +

libjpeg-turbo is a JPEG image codec that uses SIMD instructions (MMX, + SSE2, NEON, AltiVec) to accelerate baseline JPEG compression and + decompression. +

+ + +

The accelerated Huffman decoder was previously invoked if there were 128 + bytes in the input buffer. However, it is possible to construct a JPEG + image with Huffman blocks > 430 bytes in length. This release simply + increases the minimum buffer size for the accelerated Huffman decoder to + 512 bytes, which should accommodate any possible input. +

+ + +

A remote attacker could coerce the victim to run a specially crafted + image file resulting in the execution of arbitrary code. +

+ + +

There is no known workaround at this time.

+ + +

All libjpeg-turbo users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/libjpeg-turbo-1.5.0" + + + + + LJT-01-005 + + + Prevent overread when decoding malformed JPEG + + + b-man + b-man + diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-56.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-56.xml new file mode 100644 index 0000000000..d9a1c98e73 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-56.xml @@ -0,0 +1,95 @@ + + + + Xen: Multiple vulnerabilities + Multiple vulnerabilities have been found in Xen, the worst of which + could lead to the execution of arbitrary code on the host system. + + xen + December 31, 2016 + December 31, 2016: 1 + 600382 + 600662 + 601248 + 601250 + 601986 + local + + + 4.7.1-r4 + 4.7.1-r4 + + + 4.7.1-r4 + 4.7.1-r4 + + + 4.7.1-r1 + 4.7.1-r1 + + + +

Xen is a bare-metal hypervisor.

+ + +

Multiple vulnerabilities have been discovered in Xen. Please review the + CVE identifiers referenced below for details. +

+ + +

A local attacker could possibly execute arbitrary code with the + privileges of the process, could gain privileges on the host system, + cause a Denial of Service condition, or obtain sensitive information. +

+ + +

There is no known workaround at this time.

+ + +

All Xen users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-emulation/xen-4.7.1-r4" + + +

All Xen Tools users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose + ">=app-emulation/xen-tools-4.7.1-r4" + + +

All Xen PvGrub users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose + ">=app-emulation/xen-pvgrub-4.7.1-r1" + + + + + CVE-2016-10024 + + CVE-2016-9377 + CVE-2016-9378 + CVE-2016-9379 + CVE-2016-9380 + CVE-2016-9381 + CVE-2016-9382 + CVE-2016-9383 + CVE-2016-9384 + CVE-2016-9385 + CVE-2016-9386 + CVE-2016-9637 + CVE-2016-9815 + CVE-2016-9816 + CVE-2016-9817 + CVE-2016-9818 + CVE-2016-9932 + + b-man + b-man + diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-01.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-01.xml new file mode 100644 index 0000000000..9b51efed5b --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-01.xml @@ -0,0 +1,91 @@ + + + + MariaDB and MySQL: Multiple vulnerabilities + Multiple vulnerabilities have been found in MariaDB and MySQL, the + worst of which could lead to the remote execution of arbitrary code. + + mysql, mariadb + January 01, 2017 + January 01, 2017: 2 + 593584 + 593608 + 593614 + 593618 + 597538 + 598704 + local, remote + + + 10.0.28 + 10.0.28 + + + 5.6.34 + 5.6.34 + + + +

MySQL is a popular multi-threaded, multi-user SQL server. MariaDB is an + enhanced, drop-in replacement for MySQL. +

+ + +

Multiple vulnerabilities have been discovered in MariaDB and MySQL. + Please review the CVE identifiers referenced below for details. +

+ + +

Attackers could execute arbitrary code, escalate privileges, and impact + availability via unspecified vectors. +

+ + +

There is no known workaround at this time.

+ + +

All MariaDB users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/mariadb-10.0.28" + + +

All MySQL users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-db/mysql-5.6.34" + + + + CVE-2016-3492 + CVE-2016-3495 + CVE-2016-5507 + CVE-2016-5584 + CVE-2016-5609 + CVE-2016-5612 + CVE-2016-5625 + CVE-2016-5626 + CVE-2016-5627 + CVE-2016-5628 + CVE-2016-5629 + CVE-2016-5630 + CVE-2016-5631 + CVE-2016-5632 + CVE-2016-5633 + CVE-2016-5634 + CVE-2016-5635 + CVE-2016-6652 + CVE-2016-6662 + CVE-2016-8283 + CVE-2016-8284 + CVE-2016-8286 + CVE-2016-8287 + CVE-2016-8288 + CVE-2016-8289 + CVE-2016-8290 + + b-man + b-man + diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-02.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-02.xml new file mode 100644 index 0000000000..7ad55118b8 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-02.xml @@ -0,0 +1,50 @@ + + + + Bash: Multiple vulnerabilities + Multiple vulnerabilities were found in Bash, the worst of which may + allow execution of arbitrary code. + + bash + January 01, 2017 + January 01, 2017: 1 + 595268 + 600174 + local + + + 4.3_p48-r1 + 4.3_p48-r1 + + + +

Bash is the standard GNU Bourne Again SHell.

+ + +

Multiple vulnerabilities have been discovered in Bash. Please review the + CVE identifiers referenced below for details. +

+ + +

A local attacker could possibly execute arbitrary code with the + privileges of the process, or cause a Denial of Service condition. +

+ + +

There is no known workaround at this time.

+ + +

All Bash users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-shells/bash-4.3_p48-r1" + + + + CVE-2016-7543 + CVE-2016-9401 + + b-man + whissi + diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-03.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-03.xml new file mode 100644 index 0000000000..c3c714b20a --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-03.xml @@ -0,0 +1,91 @@ + + + + libarchive: Multiple vulnerabilities + Multiple vulnerabilities have been found in libarchive, the worst + of which allows for the remote execution of arbitrary code. + + libarchive + January 01, 2017 + January 01, 2017: 1 + 548110 + 552646 + 582526 + 586086 + 586182 + 596568 + 598950 + remote + + + 3.2.2 + 3.2.2 + + + +

libarchive is a library for manipulating different streaming archive + formats, including certain tar variants, several cpio formats, and both + BSD and GNU ar variants. +

+ + +

Multiple vulnerabilities have been discovered in libarchive. Please + review the CVE identifiers referenced below for details. +

+ + +

A remote attacker could entice a user to open a specially crafted + archive file possibly resulting in the execution of arbitrary code with + the privileges of the process or a Denial of Service condition. +

+ + + +

There is no known workaround at this time.

+ + +

All libarchive users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-arch/libarchive-3.2.2" + + + + CVE-2015-2304 + CVE-2015-8915 + CVE-2015-8916 + CVE-2015-8917 + CVE-2015-8918 + CVE-2015-8919 + CVE-2015-8920 + CVE-2015-8921 + CVE-2015-8922 + CVE-2015-8923 + CVE-2015-8924 + CVE-2015-8925 + CVE-2015-8926 + CVE-2015-8927 + CVE-2015-8928 + CVE-2015-8929 + CVE-2015-8930 + CVE-2015-8931 + CVE-2015-8932 + CVE-2015-8933 + CVE-2015-8934 + CVE-2016-1541 + CVE-2016-4300 + CVE-2016-4301 + CVE-2016-4302 + CVE-2016-4809 + CVE-2016-5418 + CVE-2016-5844 + CVE-2016-6250 + CVE-2016-7166 + CVE-2016-8687 + CVE-2016-8688 + CVE-2016-8689 + + b-man + b-man + diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-04.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-04.xml new file mode 100644 index 0000000000..d7998ddfd0 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-04.xml @@ -0,0 +1,46 @@ + + + + Mutt: Heap-based buffer overflow + A heap-based buffer overflow in Mutt might allow remote attackers + to cause a Denial of Service condition. + + mutt + January 01, 2017 + January 01, 2017: 1 + 530842 + remote + + + 1.5.23-r5 + 1.5.23-r5 + + + +

Mutt is a small but very powerful text-based mail client.

+ + +

A heap-based buffer overflow was discovered in Mutt’s mutt_substrdup + function. +

+ + +

A remote attacker could cause a Denial of Service condition.

+ + +

There is no known workaround at this time.

+ + +

All Mutt users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=mail-client/mutt-1.5.23-r5" + + + + CVE-2014-9116 + + b-man + b-man + diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-05.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-05.xml new file mode 100644 index 0000000000..fa7db24639 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-05.xml @@ -0,0 +1,53 @@ + + + + BusyBox: Denial of Service + A vulnerability in BusyBox might allow remote attackers to cause a + Denial of Service condition. + + busybox + January 01, 2017 + January 01, 2017: 1 + 590478 + remote + + + 1.25.1 + 1.25.1 + + + +

BusyBox is a set of tools for embedded systems and is a replacement for + GNU Coreutils. +

+ + +

The recv_and_process_client_pkt function in networking/ntpd.c in BusyBox + allows remote attackers to cause a Denial of Service (CPU and bandwidth + consumption) via a forged NTP packet, which triggers a communication + loop. +

+ + +

A remote attacker might send a specially crafted package to a machine + running BusyBox ntpd, possibly resulting in a Denial of Service + condition. +

+ + +

There is no known workaround at this time.

+ + +

All BusyBox users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-apps/busybox-1.25.1" + + + + CVE-2016-6301 + + b-man + b-man + diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-06.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-06.xml new file mode 100644 index 0000000000..6da62bac85 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-06.xml @@ -0,0 +1,52 @@ + + + + e2fsprogs: Heap-based buffer overflow + A heap-based buffer overflow in e2fsprogs might allow local + attackers to execute arbitrary code. + + e2fsprogs + January 01, 2017 + January 01, 2017: 1 + 538930 + local, remote + + + 1.42.12 + 1.42.12 + + + +

e2fsprogs is a set of utilities for maintaining the ext2, ext3 and ext4 + file systems. +

+ + +

A heap-based buffer overflow was discovered in openfs.c in the libext2fs + library in e2fsprogs. +

+ + +

A remote attacker could entice a user to use ext2fs library (for + example, fsck) on a specially crafted Ext2/3/4 file system possibly + resulting in the execution of arbitrary code with the privileges of the + process or a Denial of Service condition. +

+ + +

There is no known workaround at this time.

+ + +

All e2fsprogs users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-fs/e2fsprogs-1.42.12" + + + + CVE-2015-0247 + + b-man + b-man + diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-07.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-07.xml new file mode 100644 index 0000000000..63992a1139 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-07.xml @@ -0,0 +1,48 @@ + + + + Open vSwitch: Remote execution of arbitrary code + A buffer overflow in Open vSwitch might allow remote attackers to + execute arbitrary code. + + openvswitch + January 01, 2017 + January 01, 2017: 2 + 577568 + remote + + + 2.5.0 + 2.5.0 + + + +

Open vSwitch is a production quality multilayer virtual switch.

+ + +

A buffer overflow was discovered in lib/flow.c in ovs-vswitchd.

+ + +

A remote attacker, using a specially crafted MPLS packet, could execute + arbitrary code. +

+ + +

There is no known workaround at this time.

+ + +

All Open vSwitch users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/openvswitch-2.5.0" + + + + + CVE-2016-2074 + + + b-man + b-man + diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-08.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-08.xml new file mode 100644 index 0000000000..d2e6fc3fd3 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-08.xml @@ -0,0 +1,70 @@ + + + + w3m: Multiple vulnerabilities + Multiple vulnerabilities have been found in w3m, the worst of which + could lead to the execution of arbitrary code. + + w3m + January 01, 2017 + January 01, 2017: 1 + 579312 + 600176 + remote + + + 0.5.3-r9 + 0.5.3-r9 + + + +

w3m is a text based WWW browser.

+ + +

Multiple vulnerabilities have been discovered in w3m. Please review the + CVE identifiers referenced below for details. +

+ + +

A remote attacker could execute arbitrary code with the privileges of + the process or cause a Denial of Service condition via a maliciously + crafted HTML file. +

+ + +

There is no known workaround at this time.

+ + +

All w3m users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-client/w3m-0.5.3-r9" + + + + CVE-2016-9422 + CVE-2016-9423 + CVE-2016-9424 + CVE-2016-9425 + CVE-2016-9426 + CVE-2016-9428 + CVE-2016-9429 + CVE-2016-9430 + CVE-2016-9431 + CVE-2016-9432 + CVE-2016-9433 + CVE-2016-9434 + CVE-2016-9435 + CVE-2016-9436 + CVE-2016-9437 + CVE-2016-9438 + CVE-2016-9439 + CVE-2016-9440 + CVE-2016-9441 + CVE-2016-9442 + CVE-2016-9443 + + b-man + b-man + diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-09.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-09.xml new file mode 100644 index 0000000000..f837927716 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-09.xml @@ -0,0 +1,48 @@ + + + + Xdg-Utils: Command injection + A command injection vulnerability in Xdg-Utils may allow for the + execution of arbitrary code. + + xdg-utils + January 01, 2017 + January 01, 2017: 1 + 472888 + local, remote + + + 1.1.1 + 1.1.1 + + + +

Xdg-Utils is a set of tools allowing all applications to easily + integrate with the Free Desktop configuration. +

+ + +

An eval injection vulnerability was discovered in Xdg-Utils.

+ + +

A context-dependent attacker could execute arbitrary code via the URL + argument to xdg-open. +

+ + +

There is no known workaround at this time.

+ + +

All Xdg-Utils users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-misc/xdg-utils-1.1.1" + + + + CVE-2014-9622 + + b-man + b-man + diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-10.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-10.xml new file mode 100644 index 0000000000..e27e10e1c9 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-10.xml @@ -0,0 +1,65 @@ + + + + libotr, Pidgin OTR: Remote execution of arbitrary code + Multiple vulnerabilities have been found in libotr and Pidgin OTR, + allowing remote attackers to execute arbitrary code. + + libotr, pidgin-otr + January 02, 2017 + January 02, 2017: 1 + 576914 + 576916 + remote + + + 4.1.1 + 4.1.1 + + + 4.0.2 + 4.0.2 + + + +

Pidgin Off-the-Record (OTR) messaging allows you to have private + conversations over instant messaging. libotr is a portable off-the-record + messaging library. +

+ + +

Multiple vulnerabilities exist in both libotr and Pidgin OTR. Please + review the CVE identifiers for more information. +

+ + +

A remote attacker could send a specially crafted message, possibly + resulting in the execution of arbitrary code with the privileges of the + process, or cause a Denial of Service condition. +

+ + +

There is no known workaround at this time.

+ + +

All libotr users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-libs/libotr-4.1.1" + + +

All Pidgin OTR users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-plugins/pidgin-otr-4.0.2" + + + + CVE-2015-8833 + CVE-2016-2851 + + b-man + b-man + diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-11.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-11.xml new file mode 100644 index 0000000000..b2e8ed5236 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-11.xml @@ -0,0 +1,53 @@ + + + + musl: Integer overflow + An integer overflow in musl might allow an attacker to execute + arbitrary code. + + musl + January 02, 2017 + January 02, 2017: 1 + 597498 + local, remote + + + 1.1.15-r2 + 1.1.15-r2 + + + +

musl is a “libc”, an implementation of the standard library + functionality described in the ISO C and POSIX standards, plus common + extensions, intended for use on Linux-based systems. +

+ + +

A vulnerability was discovered in musl’s tre_tnfa_run_parallel + function buffer overflow logic, due to the incorrect use of integer types + and missing overflow checks. +

+ + +

An attacker, who controls the regular expression and/or string being + searched, could execute arbitrary code with the privileges of the + process. +

+ + +

There is no known workaround at this time.

+ + +

All musl users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-libs/musl-1.1.15-r2" + + + + CVE-2016-8859 + + b-man + b-man + diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-12.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-12.xml new file mode 100644 index 0000000000..e8494cb973 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-12.xml @@ -0,0 +1,62 @@ + + + + memcached: Multiple vulnerabilities + Multiple vulnerabilities have been found in memcached which could + lead to the remote execution of arbitrary code. + + memcached + January 02, 2017 + January 02, 2017: 1 + 598836 + remote + + + 1.4.33 + 1.4.33 + + + +

memcached is a high-performance, distributed memory object caching + system +

+ + +

Multiple integer overflow vulnerabilities were discovered in memcached. + Please review the CVE identifiers and Cisco TALOS reports referenced + below for details. +

+ + +

A remote attacker could abuse memcached’s binary protocol leading to + the remote execution of arbitrary code. +

+ + +

There is no known workaround at this time.

+ + +

All memcached users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/memcached-1.4.33" + + + + CVE-2016-8704 + CVE-2016-8705 + CVE-2016-8706 + + TALOS-2016-0219 + + + TALOS-2016-0220 + + + TALOS-2016-0221 + + + b-man + b-man + diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-13.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-13.xml new file mode 100644 index 0000000000..7484a5b4f0 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-13.xml @@ -0,0 +1,56 @@ + + + + HDF5: Multiple vulnerabilities + Multiple vulnerabilities have been found in HDF5 which could lead + to the arbitrary execution of code. + + hdf5 + January 02, 2017 + January 02, 2017: 1 + 601404 + 601408 + 601414 + 601420 + local, remote + + + 1.8.18 + 1.8.18 + + + +

HDF5 technology suite includes a data model, library, and file format + for storing and managing data. +

+ + +

Multiple arbitrary code execution vulnerabilities have been discovered + in HDF5. Please review the CVE identifiers referenced below for details. +

+ + +

An attacker could execute arbitrary code with the privileges of the + process via a maliciously crafted database file. +

+ + +

There is no known workaround at this time.

+ + +

All HDF5 users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=sci-libs/hdf5-1.8.18" + + + + CVE-2016-4330 + CVE-2016-4331 + CVE-2016-4332 + CVE-2016-4333 + + b-man + b-man + diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk b/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk index d11a9fb91b..56f02b0417 100644 --- a/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk @@ -1 +1 @@ -Tue, 13 Dec 2016 20:13:14 +0000 +Mon, 02 Jan 2017 15:13:23 +0000