mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-08-18 10:27:00 +02:00
Code Issues Packages Projects Releases Wiki Activity

bump(metadata/glsa): sync with upstream

Browse Source
This commit is contained in:
Alex Crawford 2017-01-02 07:54:58 -08:00
parent bb29e80ea6
commit a9a49baafe
29 changed files with 1568 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201611-11.xml vendored
View File

@ -7,7 +7,7 @@
</synopsis> </synopsis>
<product type="ebuild"></product> <product type="ebuild"></product>
<announced>November 18, 2016</announced> <announced>November 18, 2016</announced>
<revised>November 18, 2016: 1</revised> <revised>January 02, 2017: 2</revised>
<bug>594368</bug> <bug>594368</bug>
<bug>594520</bug> <bug>594520</bug>
<bug>595192</bug> <bug>595192</bug>
@ -21,6 +21,7 @@
<bug>598044</bug> <bug>598044</bug>
<bug>598046</bug> <bug>598046</bug>
<bug>598328</bug> <bug>598328</bug>
<bug>603442</bug>
<access>local</access> <access>local</access>
<affected> <affected>
<package name="app-emulation/qemu" auto="yes" arch="*"> <package name="app-emulation/qemu" auto="yes" arch="*">
@ -53,6 +54,9 @@
</code> </code>
</resolution> </resolution>
<references> <references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10029">
CVE-2016-10029
</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7161">CVE-2016-7161</uri> <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7161">CVE-2016-7161</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7423">CVE-2016-7423</uri> <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7423">CVE-2016-7423</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7466">CVE-2016-7466</uri> <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7466">CVE-2016-7466</uri>
@ -73,5 +77,5 @@
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9105">CVE-2016-9105</uri> <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9105">CVE-2016-9105</uri>
</references> </references>
<metadata tag="requester" timestamp="Thu, 17 Nov 2016 07:04:59 +0000">b-man</metadata> <metadata tag="requester" timestamp="Thu, 17 Nov 2016 07:04:59 +0000">b-man</metadata>
<metadata tag="submitter" timestamp="Fri, 18 Nov 2016 23:08:06 +0000">b-man</metadata> <metadata tag="submitter" timestamp="Mon, 02 Jan 2017 10:33:37 +0000">b-man</metadata>
</glsa> </glsa>

8
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-40.xml vendored
View File

@ -7,11 +7,11 @@
</synopsis> </synopsis>
<product type="ebuild">squashfs-tools</product> <product type="ebuild">squashfs-tools</product>
<announced>December 13, 2016</announced> <announced>December 13, 2016</announced>
<revised>December 13, 2016: 2</revised> <revised>December 14, 2016: 3</revised>
<bug>427356</bug> <bug>427356</bug>
<access>remote</access> <access>remote</access>
<affected> <affected>
<package name="squashfs-tools" auto="yes" arch="*"> <package name="sys-fs/squashfs-tools" auto="yes" arch="*">
<unaffected range="ge">4.3</unaffected> <unaffected range="ge">4.3</unaffected>
<vulnerable range="lt">4.3</vulnerable> <vulnerable range="lt">4.3</vulnerable>
</package> </package>
@ -44,7 +44,7 @@
<code> <code>
# emerge --sync # emerge --sync
# emerge --ask --oneshot --verbose "&gt;=squashfs-tools-4.3" # emerge --ask --oneshot --verbose "&gt;=sys-fs/squashfs-tools-4.3"
</code> </code>
</resolution> </resolution>
<references> <references>
@ -52,5 +52,5 @@
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4025">CVE-2012-4025</uri> <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4025">CVE-2012-4025</uri>
</references> </references>
<metadata tag="requester" timestamp="Tue, 29 Nov 2016 23:27:04 +0000">whissi</metadata> <metadata tag="requester" timestamp="Tue, 29 Nov 2016 23:27:04 +0000">whissi</metadata>
<metadata tag="submitter" timestamp="Tue, 13 Dec 2016 07:00:20 +0000">whissi</metadata> <metadata tag="submitter" timestamp="Wed, 14 Dec 2016 10:21:21 +0000">whissi</metadata>
</glsa> </glsa>

53
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-44.xml vendored Normal file
View File

@ -0,0 +1,53 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201612-44">
<title>Roundcube: Arbitrary code execution</title>
<synopsis>A vulnerability in Roundcube could potentially lead to arbitrary
code execution.
</synopsis>
<product type="ebuild">roundcube</product>
<announced>December 24, 2016</announced>
<revised>December 24, 2016: 1</revised>
<bug>601410</bug>
<access>remote</access>
<affected>
<package name="mail-client/roundcube" auto="yes" arch="*">
<unaffected range="ge">1.2.3</unaffected>
<vulnerable range="lt">1.2.3</vulnerable>
</package>
</affected>
<background>
<p>Free and open source webmail software for the masses, written in PHP.</p>
</background>
<description>
<p>Roundcube, when no SMTP server is configured and the sendmail program is
enabled, does not properly restrict the use of custom envelope-from
addresses on the sendmail command line.
</p>
</description>
<impact type="normal">
<p>An authenticated remote attacker could possibly execute arbitrary code
with the privileges of the process, or cause a Denial of Service
condition.
</p>
</impact>
<workaround>
<p>Dont use a MTA (Mail Transfer Agent) in conjunction with Roundcube
which implements sendmails “-O” or “-X” parameter, or
configure Roundcube to use a SMTP server as recommended by upstream.
</p>
</workaround>
<resolution>
<p>All Roundcube users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=mail-client/roundcube-1.2.3"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9920">CVE-2016-9920</uri>
</references>
<metadata tag="requester" timestamp="Fri, 23 Dec 2016 15:26:48 +0000">whissi</metadata>
<metadata tag="submitter" timestamp="Sat, 24 Dec 2016 06:42:27 +0000">whissi</metadata>
</glsa>

53
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-45.xml vendored Normal file
View File

@ -0,0 +1,53 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201612-45">
<title>Tor: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities were found in Tor, the worst of which
could allow remote attackers to cause a Denial of Service condition.
</synopsis>
<product type="ebuild">tor</product>
<announced>December 24, 2016</announced>
<revised>December 24, 2016: 1</revised>
<bug>591008</bug>
<bug>597394</bug>
<bug>597524</bug>
<access>remote</access>
<affected>
<package name="net-misc/tor" auto="yes" arch="*">
<unaffected range="ge">0.2.8.9</unaffected>
<vulnerable range="lt">0.2.8.9</vulnerable>
</package>
</affected>
<background>
<p>Tor is an implementation of second generation Onion Routing, a
connection-oriented anonymizing communication service.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Tor. Please review the
CVE identifier and change log referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could possibly cause a Denial of Service condition.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Tor users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-misc/tor-0.2.8.9"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8860">CVE-2016-8860</uri>
<uri link="https://raw.githubusercontent.com/torproject/tor/tor-0.2.8.9/ChangeLog">
Tor 0.2.8.9 Change Log
</uri>
</references>
<metadata tag="requester" timestamp="Mon, 28 Nov 2016 01:21:24 +0000">whissi</metadata>
<metadata tag="submitter" timestamp="Sat, 24 Dec 2016 06:50:16 +0000">whissi</metadata>
</glsa>

53
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-46.xml vendored Normal file
View File

@ -0,0 +1,53 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201612-46">
<title>Xerces-C++: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Xerces-C++, the worst
of which may allow remote attackers to execute arbitrary code.
</synopsis>
<product type="ebuild">xerces-c</product>
<announced>December 24, 2016</announced>
<revised>December 24, 2016: 1</revised>
<bug>575700</bug>
<bug>584506</bug>
<access>local, remote</access>
<affected>
<package name="dev-libs/xerces-c" auto="yes" arch="*">
<unaffected range="ge">3.1.4-r1</unaffected>
<vulnerable range="lt">3.1.4-r1</vulnerable>
</package>
</affected>
<background>
<p>Xerces-C++ is a validating XML parser written in a portable subset of
C++.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Xerces-C++. Please
review the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could entice a user to process a specially crafted
file, possibly resulting in the remote execution of arbitrary code with
the privileges of the process, or a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Xerces-C++ users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-libs/xerces-c-3.1.4-r1"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0729">CVE-2016-0729</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2099">CVE-2016-2099</uri>
</references>
<metadata tag="requester" timestamp="Sat, 15 Oct 2016 11:41:27 +0000">b-man</metadata>
<metadata tag="submitter" timestamp="Sat, 24 Dec 2016 07:11:18 +0000">whissi</metadata>
</glsa>

64
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-47.xml vendored Normal file
View File

@ -0,0 +1,64 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201612-47">
<title>Samba: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Samba, the worst of
which may allow execution of arbitrary code with root privileges.
</synopsis>
<product type="ebuild">samba</product>
<announced>December 24, 2016</announced>
<revised>December 24, 2016: 1</revised>
<bug>568432</bug>
<bug>578004</bug>
<access>local, remote</access>
<affected>
<package name="net-fs/samba" auto="yes" arch="*">
<unaffected range="ge">4.2.11</unaffected>
<vulnerable range="lt">4.2.11</vulnerable>
</package>
</affected>
<background>
<p>Samba is a suite of SMB and CIFS client/server programs.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in samba. Please review
the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could possibly execute arbitrary code with root
privileges, cause a Denial of Service condition, conduct a
man-in-the-middle attack, obtain sensitive information, or bypass file
permissions.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Samba users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-fs/samba-4.2.11"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3223">CVE-2015-3223</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5252">CVE-2015-5252</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5296">CVE-2015-5296</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5299">CVE-2015-5299</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5330">CVE-2015-5330</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7540">CVE-2015-7540</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8467">CVE-2015-8467</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2110">CVE-2016-2110</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2111">CVE-2016-2111</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2112">CVE-2016-2112</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2113">CVE-2016-2113</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2114">CVE-2016-2114</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2115">CVE-2016-2115</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2118">CVE-2016-2118</uri>
</references>
<metadata tag="requester" timestamp="Mon, 19 Dec 2016 13:31:34 +0000">whissi</metadata>
<metadata tag="submitter" timestamp="Sat, 24 Dec 2016 07:24:48 +0000">whissi</metadata>
</glsa>

65
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-48.xml vendored Normal file
View File

@ -0,0 +1,65 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201612-48">
<title>Firejail: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in Firejail, the
worst of which may allow bypassing of sandbox protection.
</synopsis>
<product type="ebuild">firejail</product>
<announced>December 27, 2016</announced>
<revised>December 27, 2016: 1</revised>
<bug>601994</bug>
<access>local, remote</access>
<affected>
<package name="sys-apps/firejail" auto="yes" arch="*">
<unaffected range="ge">0.9.44.2</unaffected>
<vulnerable range="lt">0.9.44.2</vulnerable>
</package>
<package name="sys-apps/firejail-lts" auto="yes" arch="*">
<unaffected range="ge">0.9.38.6</unaffected>
</package>
</affected>
<background>
<p>A SUID program that reduces the risk of security breaches by restricting
the running environment of untrusted applications using Linux namespaces
and seccomp-bpf.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Firejail. Please review
upstreams release notes below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could possibly bypass sandbox protection, cause a
Denial of Service condition, or change a systems DNS server.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Firejail users should switch to the newly added LTS version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=sys-apps/firejail-lts-0.9.38.6"
</code>
<p>Users who want to stay on the current branch should upgrade to the
latest version:
</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=sys-apps/firejail-0.9.44.2"
</code>
</resolution>
<references>
<uri link="http://firejail.wordpress.com/download-2/release-notes/">
Firejail Release Notes
</uri>
</references>
<metadata tag="requester" timestamp="Mon, 05 Dec 2016 02:08:23 +0000">b-man</metadata>
<metadata tag="submitter" timestamp="Tue, 27 Dec 2016 00:43:05 +0000">whissi</metadata>
</glsa>

47
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-49.xml vendored Normal file
View File

@ -0,0 +1,47 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201612-49">
<title>mod_wsgi: Privilege escalation</title>
<synopsis>A vulnerability in mod_wsgi could lead to privilege escalation.</synopsis>
<product type="ebuild">mod_wsgi</product>
<announced>December 30, 2016</announced>
<revised>December 30, 2016: 1</revised>
<bug>536270</bug>
<access>local, remote</access>
<affected>
<package name="www-apache/mod_wsgi" auto="yes" arch="*">
<unaffected range="ge">4.3.0</unaffected>
<vulnerable range="lt">4.3.0</vulnerable>
</package>
</affected>
<background>
<p>mod_wsgi is an Apache2 module for running Python WSGI applications.</p>
</background>
<description>
<p>mod_wsgi, when creating a daemon process group, does not properly handle
dropping group privileges.
</p>
</description>
<impact type="normal">
<p>Context-dependent attackers could escalate privileges due to the
improper handling of group privileges.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All mod_wsgi users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=www-apache/mod_wsgi-4.3.0"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8583">CVE-2014-8583</uri>
</references>
<metadata tag="requester" timestamp="Wed, 23 Nov 2016 00:29:47 +0000">whissi</metadata>
<metadata tag="submitter" timestamp="Fri, 30 Dec 2016 00:41:42 +0000">b-man</metadata>
</glsa>

54
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-50.xml vendored Normal file
View File

@ -0,0 +1,54 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201612-50">
<title>Openfire: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Openfire, the worst of
which could lead to privilege escalation.
</synopsis>
<product type="ebuild">openfire</product>
<announced>December 31, 2016</announced>
<revised>December 31, 2016: 1</revised>
<bug>603604</bug>
<access>remote</access>
<affected>
<package name="net-im/openfire" auto="yes" arch="*">
<unaffected range="ge">4.1.0</unaffected>
<vulnerable range="lt">4.1.0</vulnerable>
</package>
</affected>
<background>
<p>Openfire (formerly Wildfire) is a cross-platform real-time collaboration
server based on the XMPP (Jabber) protocol.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Openfire. Please review
the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could bypass the CSRF protection mechanism, conduct
Cross-Site Scripting attacks, or an authenticated remote attacker could
gain privileges while accessing Openfires web interface.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Openfire users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-im/openfire-4.1.0"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6972">CVE-2015-6972</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-6973">CVE-2015-6973</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7707">CVE-2015-7707</uri>
</references>
<metadata tag="requester" timestamp="Sat, 31 Dec 2016 00:17:25 +0000">whissi</metadata>
<metadata tag="submitter" timestamp="Sat, 31 Dec 2016 06:27:02 +0000">whissi</metadata>
</glsa>

49
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-51.xml vendored Normal file
View File

@ -0,0 +1,49 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201612-51">
<title>Icinga: Privilege escalation</title>
<synopsis>A vulnerability in Icinga could lead to privilege escalation.</synopsis>
<product type="ebuild">icinga</product>
<announced>December 31, 2016</announced>
<revised>December 31, 2016: 1</revised>
<bug>603534</bug>
<access>local</access>
<affected>
<package name="net-analyzer/icinga" auto="yes" arch="*">
<unaffected range="ge">1.13.4</unaffected>
<vulnerable range="lt">1.13.4</vulnerable>
</package>
</affected>
<background>
<p>Icinga is an open source computer system and network monitoring
application. It was originally created as a fork of the Nagios system
monitoring application in 2009.
</p>
</background>
<description>
<p>Icinga daemon was found to perform unsafe operations when handling the
log file.
</p>
</description>
<impact type="normal">
<p>A local attacker, who either is already Icingas system user or
belongs to Icingas group, could potentially escalate privileges.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Icinga users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-analyzer/icinga-1.13.4"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9566">CVE-2016-9566</uri>
</references>
<metadata tag="requester" timestamp="Fri, 30 Dec 2016 23:44:53 +0000">whissi</metadata>
<metadata tag="submitter" timestamp="Sat, 31 Dec 2016 06:37:34 +0000">whissi</metadata>
</glsa>

66
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-52.xml vendored Normal file
View File

@ -0,0 +1,66 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201612-52">
<title>Pillow: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Pillow, the worst of
which may allow execution of arbitrary code.
</synopsis>
<product type="ebuild">pillow</product>
<announced>December 31, 2016</announced>
<revised>December 31, 2016: 1</revised>
<bug>507982</bug>
<bug>573958</bug>
<bug>599608</bug>
<bug>599610</bug>
<bug>599612</bug>
<access>local, remote</access>
<affected>
<package name="dev-python/pillow" auto="yes" arch="*">
<unaffected range="ge">3.4.2</unaffected>
<vulnerable range="lt">3.4.2</vulnerable>
</package>
</affected>
<background>
<p>The friendly PIL fork.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Pillow. Please review
the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A local attacker could perform symlink attacks to overwrite arbitrary
files with the privileges of the user running the application, or obtain
sensitive information.
</p>
<p>A remote attackers could execute arbitrary code with the privileges of
the process, or cause a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Pillow users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-python/pillow-3.4.2"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1932">CVE-2014-1932</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1933">CVE-2014-1933</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0740">CVE-2016-0740</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0775">CVE-2016-0775</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2533">CVE-2016-2533</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4009">CVE-2016-4009</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9189">CVE-2016-9189</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9190">CVE-2016-9190</uri>
</references>
<metadata tag="requester" timestamp="Mon, 04 Aug 2014 19:10:45 +0000">
keytoaster
</metadata>
<metadata tag="submitter" timestamp="Sat, 31 Dec 2016 14:15:38 +0000">b-man</metadata>
</glsa>

56
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-53.xml vendored Normal file
View File

@ -0,0 +1,56 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201612-53">
<title>CyaSSL: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in CyaSSL, the worst of
which may allow attackers to execute arbitrary code.
</synopsis>
<product type="ebuild">cyassl</product>
<announced>December 31, 2016</announced>
<revised>December 31, 2016: 1</revised>
<bug>507418</bug>
<access>local, remote</access>
<affected>
<package name="net-libs/cyassl" auto="yes" arch="*">
<vulnerable range="rle">2.9.4</vulnerable>
</package>
</affected>
<background>
<p>CyaSSL is a small, fast, portable implementation of TLS/SSL for embedded
devices to the cloud.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in CyaSSL. Please review
the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>An attacker could possibly execute arbitrary code with the privileges of
the process, cause a Denial of Service condition, or conduct a
man-in-the-middle attack.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>Upstream has discontinued the software in favor of wolfSSL. Therefore,
the CyaSSL package has been removed from the Gentoo repository and
current users are advised to unmerge the package.
</p>
<code>
# emerge --unmerge "net-libs/cyassl"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2896">CVE-2014-2896</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2897">CVE-2014-2897</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2898">CVE-2014-2898</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2899">CVE-2014-2899</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2900">CVE-2014-2900</uri>
</references>
<metadata tag="requester" timestamp="Wed, 23 Nov 2016 15:11:37 +0000">whissi</metadata>
<metadata tag="submitter" timestamp="Sat, 31 Dec 2016 14:47:50 +0000">b-man</metadata>
</glsa>

58
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-54.xml vendored Normal file
View File

@ -0,0 +1,58 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201612-54">
<title>Chicken: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Chicken, the worst of
which allows remote attackers to execute arbitrary code.
</synopsis>
<product type="ebuild">chicken</product>
<announced>December 31, 2016</announced>
<revised>December 31, 2016: 1</revised>
<bug>467966</bug>
<bug>486350</bug>
<bug>510712</bug>
<bug>536448</bug>
<bug>552202</bug>
<access>local, remote</access>
<affected>
<package name="dev-scheme/chicken" auto="yes" arch="*">
<unaffected range="ge">4.10.0-r1</unaffected>
<vulnerable range="lt">4.10.0-r1</vulnerable>
</package>
</affected>
<background>
<p>Chicken is a scheme interpreter and native scheme to C compiler.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Chicken. Please review
the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could possibly execute arbitrary code with the
privileges of the process, or cause a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Chicken users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-scheme/chicken-4.10.0-r1"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2024">CVE-2013-2024</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4385">CVE-2013-4385</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3776">CVE-2014-3776</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9651">CVE-2014-9651</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4556">CVE-2015-4556</uri>
</references>
<metadata tag="requester" timestamp="Mon, 21 Dec 2015 14:54:52 +0000">
BlueKnight
</metadata>
<metadata tag="submitter" timestamp="Sat, 31 Dec 2016 15:19:08 +0000">b-man</metadata>
</glsa>

59
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-55.xml vendored Normal file
View File

@ -0,0 +1,59 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201612-55">
<title>libjpeg-turbo: User-assisted execution of arbitrary code</title>
<synopsis>An out-of-bounds read in libjpeg-turbo might allow remote attackers
to execute arbitrary code.
</synopsis>
<product type="ebuild">libjpeg-turbo</product>
<announced>December 31, 2016</announced>
<revised>December 31, 2016: 1</revised>
<bug>585782</bug>
<access>remote</access>
<affected>
<package name="media-libs/libjpeg-turbo" auto="yes" arch="*">
<unaffected range="ge">1.5.0</unaffected>
<vulnerable range="lt">1.5.0</vulnerable>
</package>
</affected>
<background>
<p>libjpeg-turbo is a JPEG image codec that uses SIMD instructions (MMX,
SSE2, NEON, AltiVec) to accelerate baseline JPEG compression and
decompression.
</p>
</background>
<description>
<p>The accelerated Huffman decoder was previously invoked if there were 128
bytes in the input buffer. However, it is possible to construct a JPEG
image with Huffman blocks &gt; 430 bytes in length. This release simply
increases the minimum buffer size for the accelerated Huffman decoder to
512 bytes, which should accommodate any possible input.
</p>
</description>
<impact type="normal">
<p>A remote attacker could coerce the victim to run a specially crafted
image file resulting in the execution of arbitrary code.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All libjpeg-turbo users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=media-libs/libjpeg-turbo-1.5.0"
</code>
</resolution>
<references>
<uri link="https://wiki.mozilla.org/images/7/77/Libjpeg-turbo-report.pdf">
LJT-01-005
</uri>
<uri link="https://github.com/libjpeg-turbo/libjpeg-turbo/commit/0463f7c9aad060fcd56e98d025ce16185279e2bc">
Prevent overread when decoding malformed JPEG
</uri>
</references>
<metadata tag="requester" timestamp="Sun, 20 Nov 2016 06:32:59 +0000">b-man</metadata>
<metadata tag="submitter" timestamp="Sat, 31 Dec 2016 15:38:15 +0000">b-man</metadata>
</glsa>

95
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-56.xml vendored Normal file
View File

@ -0,0 +1,95 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201612-56">
<title>Xen: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Xen, the worst of which
could lead to the execution of arbitrary code on the host system.
</synopsis>
<product type="ebuild">xen</product>
<announced>December 31, 2016</announced>
<revised>December 31, 2016: 1</revised>
<bug>600382</bug>
<bug>600662</bug>
<bug>601248</bug>
<bug>601250</bug>
<bug>601986</bug>
<access>local</access>
<affected>
<package name="app-emulation/xen" auto="yes" arch="*">
<unaffected range="ge">4.7.1-r4</unaffected>
<vulnerable range="lt">4.7.1-r4</vulnerable>
</package>
<package name="app-emulation/xen-tools" auto="yes" arch="*">
<unaffected range="ge">4.7.1-r4</unaffected>
<vulnerable range="lt">4.7.1-r4</vulnerable>
</package>
<package name="app-emulation/xen-pvgrub" auto="yes" arch="*">
<unaffected range="ge">4.7.1-r1</unaffected>
<vulnerable range="lt">4.7.1-r1</vulnerable>
</package>
</affected>
<background>
<p>Xen is a bare-metal hypervisor.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Xen. Please review the
CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A local attacker could possibly execute arbitrary code with the
privileges of the process, could gain privileges on the host system,
cause a Denial of Service condition, or obtain sensitive information.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Xen users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-emulation/xen-4.7.1-r4"
</code>
<p>All Xen Tools users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose
"&gt;=app-emulation/xen-tools-4.7.1-r4"
</code>
<p>All Xen PvGrub users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose
"&gt;=app-emulation/xen-pvgrub-4.7.1-r1"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10024">
CVE-2016-10024
</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9377">CVE-2016-9377</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9378">CVE-2016-9378</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9379">CVE-2016-9379</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9380">CVE-2016-9380</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9381">CVE-2016-9381</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9382">CVE-2016-9382</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9383">CVE-2016-9383</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9384">CVE-2016-9384</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9385">CVE-2016-9385</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9386">CVE-2016-9386</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9637">CVE-2016-9637</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9815">CVE-2016-9815</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9816">CVE-2016-9816</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9817">CVE-2016-9817</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9818">CVE-2016-9818</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9932">CVE-2016-9932</uri>
</references>
<metadata tag="requester" timestamp="Sat, 26 Nov 2016 10:47:37 +0000">b-man</metadata>
<metadata tag="submitter" timestamp="Sat, 31 Dec 2016 16:13:07 +0000">b-man</metadata>
</glsa>

91
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-01.xml vendored Normal file
View File

@ -0,0 +1,91 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201701-01">
<title>MariaDB and MySQL: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in MariaDB and MySQL, the
worst of which could lead to the remote execution of arbitrary code.
</synopsis>
<product type="ebuild">mysql, mariadb</product>
<announced>January 01, 2017</announced>
<revised>January 01, 2017: 2</revised>
<bug>593584</bug>
<bug>593608</bug>
<bug>593614</bug>
<bug>593618</bug>
<bug>597538</bug>
<bug>598704</bug>
<access>local, remote</access>
<affected>
<package name="dev-db/mariadb" auto="yes" arch="*">
<unaffected range="ge">10.0.28</unaffected>
<vulnerable range="lt">10.0.28</vulnerable>
</package>
<package name="dev-db/mysql" auto="yes" arch="*">
<unaffected range="ge">5.6.34</unaffected>
<vulnerable range="lt">5.6.34</vulnerable>
</package>
</affected>
<background>
<p>MySQL is a popular multi-threaded, multi-user SQL server. MariaDB is an
enhanced, drop-in replacement for MySQL.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in MariaDB and MySQL.
Please review the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>Attackers could execute arbitrary code, escalate privileges, and impact
availability via unspecified vectors.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All MariaDB users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-db/mariadb-10.0.28"
</code>
<p>All MySQL users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-db/mysql-5.6.34"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3492">CVE-2016-3492</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3495">CVE-2016-3495</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5507">CVE-2016-5507</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5584">CVE-2016-5584</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5609">CVE-2016-5609</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5612">CVE-2016-5612</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5625">CVE-2016-5625</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5626">CVE-2016-5626</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5627">CVE-2016-5627</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5628">CVE-2016-5628</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5629">CVE-2016-5629</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5630">CVE-2016-5630</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5631">CVE-2016-5631</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5632">CVE-2016-5632</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5633">CVE-2016-5633</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5634">CVE-2016-5634</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5635">CVE-2016-5635</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6652">CVE-2016-6652</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6662">CVE-2016-6662</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8283">CVE-2016-8283</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8284">CVE-2016-8284</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8286">CVE-2016-8286</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8287">CVE-2016-8287</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8288">CVE-2016-8288</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8289">CVE-2016-8289</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8290">CVE-2016-8290</uri>
</references>
<metadata tag="requester" timestamp="Sat, 19 Nov 2016 05:29:06 +0000">b-man</metadata>
<metadata tag="submitter" timestamp="Sun, 01 Jan 2017 13:32:50 +0000">b-man</metadata>
</glsa>

50
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-02.xml vendored Normal file
View File

@ -0,0 +1,50 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201701-02">
<title>Bash: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities were found in Bash, the worst of which may
allow execution of arbitrary code.
</synopsis>
<product type="ebuild">bash</product>
<announced>January 01, 2017</announced>
<revised>January 01, 2017: 1</revised>
<bug>595268</bug>
<bug>600174</bug>
<access>local</access>
<affected>
<package name="app-shells/bash" auto="yes" arch="*">
<unaffected range="ge">4.3_p48-r1</unaffected>
<vulnerable range="lt">4.3_p48-r1</vulnerable>
</package>
</affected>
<background>
<p>Bash is the standard GNU Bourne Again SHell.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Bash. Please review the
CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A local attacker could possibly execute arbitrary code with the
privileges of the process, or cause a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Bash users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-shells/bash-4.3_p48-r1"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7543">CVE-2016-7543</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9401">CVE-2016-9401</uri>
</references>
<metadata tag="requester" timestamp="Tue, 21 Jun 2016 09:45:02 +0000">b-man</metadata>
<metadata tag="submitter" timestamp="Sun, 01 Jan 2017 13:44:22 +0000">whissi</metadata>
</glsa>

91
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-03.xml vendored Normal file
View File

@ -0,0 +1,91 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201701-03">
<title>libarchive: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in libarchive, the worst
of which allows for the remote execution of arbitrary code.
</synopsis>
<product type="ebuild">libarchive</product>
<announced>January 01, 2017</announced>
<revised>January 01, 2017: 1</revised>
<bug>548110</bug>
<bug>552646</bug>
<bug>582526</bug>
<bug>586086</bug>
<bug>586182</bug>
<bug>596568</bug>
<bug>598950</bug>
<access>remote</access>
<affected>
<package name="app-arch/libarchive" auto="yes" arch="*">
<unaffected range="ge">3.2.2</unaffected>
<vulnerable range="lt">3.2.2</vulnerable>
</package>
</affected>
<background>
<p>libarchive is a library for manipulating different streaming archive
formats, including certain tar variants, several cpio formats, and both
BSD and GNU ar variants.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in libarchive. Please
review the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could entice a user to open a specially crafted
archive file possibly resulting in the execution of arbitrary code with
the privileges of the process or a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All libarchive users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-arch/libarchive-3.2.2"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2304">CVE-2015-2304</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8915">CVE-2015-8915</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8916">CVE-2015-8916</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8917">CVE-2015-8917</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8918">CVE-2015-8918</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8919">CVE-2015-8919</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8920">CVE-2015-8920</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8921">CVE-2015-8921</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8922">CVE-2015-8922</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8923">CVE-2015-8923</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8924">CVE-2015-8924</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8925">CVE-2015-8925</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8926">CVE-2015-8926</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8927">CVE-2015-8927</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8928">CVE-2015-8928</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8929">CVE-2015-8929</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8930">CVE-2015-8930</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8931">CVE-2015-8931</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8932">CVE-2015-8932</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8933">CVE-2015-8933</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8934">CVE-2015-8934</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1541">CVE-2016-1541</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4300">CVE-2016-4300</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4301">CVE-2016-4301</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4302">CVE-2016-4302</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4809">CVE-2016-4809</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5418">CVE-2016-5418</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5844">CVE-2016-5844</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6250">CVE-2016-6250</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7166">CVE-2016-7166</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8687">CVE-2016-8687</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8688">CVE-2016-8688</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8689">CVE-2016-8689</uri>
</references>
<metadata tag="requester" timestamp="Mon, 27 Jun 2016 12:09:04 +0000">b-man</metadata>
<metadata tag="submitter" timestamp="Sun, 01 Jan 2017 14:31:15 +0000">b-man</metadata>
</glsa>

46
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-04.xml vendored Normal file
View File

@ -0,0 +1,46 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201701-04">
<title>Mutt: Heap-based buffer overflow</title>
<synopsis>A heap-based buffer overflow in Mutt might allow remote attackers
to cause a Denial of Service condition.
</synopsis>
<product type="ebuild">mutt</product>
<announced>January 01, 2017</announced>
<revised>January 01, 2017: 1</revised>
<bug>530842</bug>
<access>remote</access>
<affected>
<package name="mail-client/mutt" auto="yes" arch="*">
<unaffected range="ge">1.5.23-r5</unaffected>
<vulnerable range="lt">1.5.23-r5</vulnerable>
</package>
</affected>
<background>
<p>Mutt is a small but very powerful text-based mail client.</p>
</background>
<description>
<p>A heap-based buffer overflow was discovered in Mutts mutt_substrdup
function.
</p>
</description>
<impact type="normal">
<p>A remote attacker could cause a Denial of Service condition.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Mutt users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=mail-client/mutt-1.5.23-r5"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9116">CVE-2014-9116</uri>
</references>
<metadata tag="requester" timestamp="Sun, 01 Jan 2017 11:02:45 +0000">b-man</metadata>
<metadata tag="submitter" timestamp="Sun, 01 Jan 2017 15:05:18 +0000">b-man</metadata>
</glsa>

53
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-05.xml vendored Normal file
View File

@ -0,0 +1,53 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201701-05">
<title>BusyBox: Denial of Service</title>
<synopsis>A vulnerability in BusyBox might allow remote attackers to cause a
Denial of Service condition.
</synopsis>
<product type="ebuild">busybox</product>
<announced>January 01, 2017</announced>
<revised>January 01, 2017: 1</revised>
<bug>590478</bug>
<access>remote</access>
<affected>
<package name="sys-apps/busybox" auto="yes" arch="*">
<unaffected range="ge">1.25.1</unaffected>
<vulnerable range="lt">1.25.1</vulnerable>
</package>
</affected>
<background>
<p>BusyBox is a set of tools for embedded systems and is a replacement for
GNU Coreutils.
</p>
</background>
<description>
<p>The recv_and_process_client_pkt function in networking/ntpd.c in BusyBox
allows remote attackers to cause a Denial of Service (CPU and bandwidth
consumption) via a forged NTP packet, which triggers a communication
loop.
</p>
</description>
<impact type="normal">
<p>A remote attacker might send a specially crafted package to a machine
running BusyBox ntpd, possibly resulting in a Denial of Service
condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All BusyBox users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=sys-apps/busybox-1.25.1"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6301">CVE-2016-6301</uri>
</references>
<metadata tag="requester" timestamp="Sun, 01 Jan 2017 12:19:19 +0000">b-man</metadata>
<metadata tag="submitter" timestamp="Sun, 01 Jan 2017 15:33:56 +0000">b-man</metadata>
</glsa>

52
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-06.xml vendored Normal file
View File

@ -0,0 +1,52 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201701-06">
<title>e2fsprogs: Heap-based buffer overflow</title>
<synopsis>A heap-based buffer overflow in e2fsprogs might allow local
attackers to execute arbitrary code.
</synopsis>
<product type="ebuild">e2fsprogs</product>
<announced>January 01, 2017</announced>
<revised>January 01, 2017: 1</revised>
<bug>538930</bug>
<access>local, remote</access>
<affected>
<package name="sys-fs/e2fsprogs" auto="yes" arch="*">
<unaffected range="ge">1.42.12</unaffected>
<vulnerable range="lt">1.42.12</vulnerable>
</package>
</affected>
<background>
<p>e2fsprogs is a set of utilities for maintaining the ext2, ext3 and ext4
file systems.
</p>
</background>
<description>
<p>A heap-based buffer overflow was discovered in openfs.c in the libext2fs
library in e2fsprogs.
</p>
</description>
<impact type="normal">
<p>A remote attacker could entice a user to use ext2fs library (for
example, fsck) on a specially crafted Ext2/3/4 file system possibly
resulting in the execution of arbitrary code with the privileges of the
process or a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All e2fsprogs users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=sys-fs/e2fsprogs-1.42.12"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0247">CVE-2015-0247</uri>
</references>
<metadata tag="requester" timestamp="Sun, 01 Jan 2017 11:12:55 +0000">b-man</metadata>
<metadata tag="submitter" timestamp="Sun, 01 Jan 2017 15:41:00 +0000">b-man</metadata>
</glsa>

48
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-07.xml vendored Normal file
View File

@ -0,0 +1,48 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201701-07">
<title>Open vSwitch: Remote execution of arbitrary code</title>
<synopsis>A buffer overflow in Open vSwitch might allow remote attackers to
execute arbitrary code.
</synopsis>
<product type="ebuild">openvswitch</product>
<announced>January 01, 2017</announced>
<revised>January 01, 2017: 2</revised>
<bug>577568</bug>
<access>remote</access>
<affected>
<package name="net-misc/openvswitch" auto="yes" arch="*">
<unaffected range="ge">2.5.0</unaffected>
<vulnerable range="lt">2.5.0</vulnerable>
</package>
</affected>
<background>
<p>Open vSwitch is a production quality multilayer virtual switch.</p>
</background>
<description>
<p>A buffer overflow was discovered in lib/flow.c in ovs-vswitchd.</p>
</description>
<impact type="normal">
<p>A remote attacker, using a specially crafted MPLS packet, could execute
arbitrary code.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Open vSwitch users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-misc/openvswitch-2.5.0"
</code>
</resolution>
<references>
<uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2074">
CVE-2016-2074
</uri>
</references>
<metadata tag="requester" timestamp="Sun, 01 Jan 2017 12:31:09 +0000">b-man</metadata>
<metadata tag="submitter" timestamp="Sun, 01 Jan 2017 16:00:54 +0000">b-man</metadata>
</glsa>

70
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-08.xml vendored Normal file
View File

@ -0,0 +1,70 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201701-08">
<title>w3m: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in w3m, the worst of which
could lead to the execution of arbitrary code.
</synopsis>
<product type="ebuild">w3m</product>
<announced>January 01, 2017</announced>
<revised>January 01, 2017: 1</revised>
<bug>579312</bug>
<bug>600176</bug>
<access>remote</access>
<affected>
<package name="www-client/w3m" auto="yes" arch="*">
<unaffected range="ge">0.5.3-r9</unaffected>
<vulnerable range="lt">0.5.3-r9</vulnerable>
</package>
</affected>
<background>
<p>w3m is a text based WWW browser.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in w3m. Please review the
CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could execute arbitrary code with the privileges of
the process or cause a Denial of Service condition via a maliciously
crafted HTML file.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All w3m users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=www-client/w3m-0.5.3-r9"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9422">CVE-2016-9422</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9423">CVE-2016-9423</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9424">CVE-2016-9424</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9425">CVE-2016-9425</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9426">CVE-2016-9426</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9428">CVE-2016-9428</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9429">CVE-2016-9429</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9430">CVE-2016-9430</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9431">CVE-2016-9431</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9432">CVE-2016-9432</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9433">CVE-2016-9433</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9434">CVE-2016-9434</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9435">CVE-2016-9435</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9436">CVE-2016-9436</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9437">CVE-2016-9437</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9438">CVE-2016-9438</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9439">CVE-2016-9439</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9440">CVE-2016-9440</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9441">CVE-2016-9441</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9442">CVE-2016-9442</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9443">CVE-2016-9443</uri>
</references>
<metadata tag="requester" timestamp="Sun, 01 Jan 2017 13:18:36 +0000">b-man</metadata>
<metadata tag="submitter" timestamp="Sun, 01 Jan 2017 16:15:30 +0000">b-man</metadata>
</glsa>

48
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-09.xml vendored Normal file
View File

@ -0,0 +1,48 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201701-09">
<title>Xdg-Utils: Command injection</title>
<synopsis>A command injection vulnerability in Xdg-Utils may allow for the
execution of arbitrary code.
</synopsis>
<product type="ebuild">xdg-utils</product>
<announced>January 01, 2017</announced>
<revised>January 01, 2017: 1</revised>
<bug>472888</bug>
<access>local, remote</access>
<affected>
<package name="x11-misc/xdg-utils" auto="yes" arch="*">
<unaffected range="ge">1.1.1</unaffected>
<vulnerable range="lt">1.1.1</vulnerable>
</package>
</affected>
<background>
<p>Xdg-Utils is a set of tools allowing all applications to easily
integrate with the Free Desktop configuration.
</p>
</background>
<description>
<p>An eval injection vulnerability was discovered in Xdg-Utils.</p>
</description>
<impact type="normal">
<p>A context-dependent attacker could execute arbitrary code via the URL
argument to xdg-open.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Xdg-Utils users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=x11-misc/xdg-utils-1.1.1"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9622">CVE-2014-9622</uri>
</references>
<metadata tag="requester" timestamp="Sun, 01 Jan 2017 12:56:54 +0000">b-man</metadata>
<metadata tag="submitter" timestamp="Sun, 01 Jan 2017 16:34:46 +0000">b-man</metadata>
</glsa>

65
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-10.xml vendored Normal file
View File

@ -0,0 +1,65 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201701-10">
<title>libotr, Pidgin OTR: Remote execution of arbitrary code</title>
<synopsis>Multiple vulnerabilities have been found in libotr and Pidgin OTR,
allowing remote attackers to execute arbitrary code.
</synopsis>
<product type="ebuild">libotr, pidgin-otr</product>
<announced>January 02, 2017</announced>
<revised>January 02, 2017: 1</revised>
<bug>576914</bug>
<bug>576916</bug>
<access>remote</access>
<affected>
<package name="net-libs/libotr" auto="yes" arch="*">
<unaffected range="ge">4.1.1</unaffected>
<vulnerable range="lt">4.1.1</vulnerable>
</package>
<package name="x11-plugins/pidgin-otr" auto="yes" arch="*">
<unaffected range="ge">4.0.2</unaffected>
<vulnerable range="lt">4.0.2</vulnerable>
</package>
</affected>
<background>
<p>Pidgin Off-the-Record (OTR) messaging allows you to have private
conversations over instant messaging. libotr is a portable off-the-record
messaging library.
</p>
</background>
<description>
<p>Multiple vulnerabilities exist in both libotr and Pidgin OTR. Please
review the CVE identifiers for more information.
</p>
</description>
<impact type="normal">
<p>A remote attacker could send a specially crafted message, possibly
resulting in the execution of arbitrary code with the privileges of the
process, or cause a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All libotr users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-libs/libotr-4.1.1"
</code>
<p>All Pidgin OTR users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=x11-plugins/pidgin-otr-4.0.2"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8833">CVE-2015-8833</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2851">CVE-2016-2851</uri>
</references>
<metadata tag="requester" timestamp="Sun, 01 Jan 2017 11:51:33 +0000">b-man</metadata>
<metadata tag="submitter" timestamp="Mon, 02 Jan 2017 14:19:57 +0000">b-man</metadata>
</glsa>

53
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-11.xml vendored Normal file
View File

@ -0,0 +1,53 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201701-11">
<title>musl: Integer overflow</title>
<synopsis>An integer overflow in musl might allow an attacker to execute
arbitrary code.
</synopsis>
<product type="ebuild">musl</product>
<announced>January 02, 2017</announced>
<revised>January 02, 2017: 1</revised>
<bug>597498</bug>
<access>local, remote</access>
<affected>
<package name="sys-libs/musl" auto="yes" arch="*">
<unaffected range="ge">1.1.15-r2</unaffected>
<vulnerable range="lt">1.1.15-r2</vulnerable>
</package>
</affected>
<background>
<p>musl is a “libc”, an implementation of the standard library
functionality described in the ISO C and POSIX standards, plus common
extensions, intended for use on Linux-based systems.
</p>
</background>
<description>
<p>A vulnerability was discovered in musls tre_tnfa_run_parallel
function buffer overflow logic, due to the incorrect use of integer types
and missing overflow checks.
</p>
</description>
<impact type="normal">
<p>An attacker, who controls the regular expression and/or string being
searched, could execute arbitrary code with the privileges of the
process.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All musl users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=sys-libs/musl-1.1.15-r2"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8859">CVE-2016-8859</uri>
</references>
<metadata tag="requester" timestamp="Mon, 02 Jan 2017 07:23:08 +0000">b-man</metadata>
<metadata tag="submitter" timestamp="Mon, 02 Jan 2017 14:34:33 +0000">b-man</metadata>
</glsa>

62
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-12.xml vendored Normal file
View File

@ -0,0 +1,62 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201701-12">
<title>memcached: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in memcached which could
lead to the remote execution of arbitrary code.
</synopsis>
<product type="ebuild">memcached</product>
<announced>January 02, 2017</announced>
<revised>January 02, 2017: 1</revised>
<bug>598836</bug>
<access>remote</access>
<affected>
<package name="net-misc/memcached" auto="yes" arch="*">
<unaffected range="ge">1.4.33</unaffected>
<vulnerable range="lt">1.4.33</vulnerable>
</package>
</affected>
<background>
<p>memcached is a high-performance, distributed memory object caching
system
</p>
</background>
<description>
<p>Multiple integer overflow vulnerabilities were discovered in memcached.
Please review the CVE identifiers and Cisco TALOS reports referenced
below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could abuse memcacheds binary protocol leading to
the remote execution of arbitrary code.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All memcached users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-misc/memcached-1.4.33"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8704">CVE-2016-8704</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8705">CVE-2016-8705</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8706">CVE-2016-8706</uri>
<uri link="http://www.talosintelligence.com/reports/TALOS-2016-0219/">
TALOS-2016-0219
</uri>
<uri link="http://www.talosintelligence.com/reports/TALOS-2016-0220/">
TALOS-2016-0220
</uri>
<uri link="http://www.talosintelligence.com/reports/TALOS-2016-0221/">
TALOS-2016-0221
</uri>
</references>
<metadata tag="requester" timestamp="Mon, 02 Jan 2017 07:31:20 +0000">b-man</metadata>
<metadata tag="submitter" timestamp="Mon, 02 Jan 2017 14:42:05 +0000">b-man</metadata>
</glsa>

56
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-13.xml vendored Normal file
View File

@ -0,0 +1,56 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201701-13">
<title>HDF5: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in HDF5 which could lead
to the arbitrary execution of code.
</synopsis>
<product type="ebuild">hdf5</product>
<announced>January 02, 2017</announced>
<revised>January 02, 2017: 1</revised>
<bug>601404</bug>
<bug>601408</bug>
<bug>601414</bug>
<bug>601420</bug>
<access>local, remote</access>
<affected>
<package name="sci-libs/hdf5" auto="yes" arch="*">
<unaffected range="ge">1.8.18</unaffected>
<vulnerable range="lt">1.8.18</vulnerable>
</package>
</affected>
<background>
<p>HDF5 technology suite includes a data model, library, and file format
for storing and managing data.
</p>
</background>
<description>
<p>Multiple arbitrary code execution vulnerabilities have been discovered
in HDF5. Please review the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>An attacker could execute arbitrary code with the privileges of the
process via a maliciously crafted database file.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All HDF5 users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=sci-libs/hdf5-1.8.18"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4330">CVE-2016-4330</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4331">CVE-2016-4331</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4332">CVE-2016-4332</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4333">CVE-2016-4333</uri>
</references>
<metadata tag="requester" timestamp="Mon, 02 Jan 2017 07:36:29 +0000">b-man</metadata>
<metadata tag="submitter" timestamp="Mon, 02 Jan 2017 14:52:28 +0000">b-man</metadata>
</glsa>

2
sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk vendored
View File

@ -1 +1 @@
Tue, 13 Dec 2016 20:13:14 +0000 Mon, 02 Jan 2017 15:13:23 +0000