mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-08-08 21:46:58 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1319 from flatcar/buildbot/monthly-glsa-metadata-updates-2023-11-01

Browse Source 
Monthly GLSA metadata 2023-11-01
This commit is contained in:
Thilo Fromm 2023-11-08 07:47:05 +01:00 committed by GitHub
commit b016fc01cd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
27 changed files with 1184 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
sdk_container/src/third_party/portage-stable/metadata/glsa/Manifest vendored
View File

@ -1,23 +1,23 @@
-----BEGIN PGP SIGNED MESSAGE----- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512 Hash: SHA512
MANIFEST Manifest.files.gz 548981 BLAKE2B 81700173ea02c0d006e3065367bd4b6801ae8e0cad7f0b23c4d86a41c1b860a4cbdeb3051fb86eb2d3f114b8ba0353d6e09e279718eed8ed2607a21c4e7ec67d SHA512 a987e0e64b2dbf1006cecbff251dc3524b4d244d2e54417a697139ac9ee5a97d21aefdfb0fb940e1890076d7fa18c793f4f7a60db6960004ade2253826320f19 MANIFEST Manifest.files.gz 552633 BLAKE2B f04d03cfce30402b87d7525767633e29394130432fcdd26de705b95ca93788a70abca8abbeee435b946253f2ad9b75f01bf24da1998a529bb89a6bbf1fcfc16e SHA512 6b0fd8a9a899a613a7dbab3dc51f5953cd3a0d18a12e17a4fceca64f11be5c7f83763d742dfada845bf1aec1c1467db31c6df823b9bc683d59fbec9a516d285a
TIMESTAMP 2023-10-01T06:40:07Z TIMESTAMP 2023-11-01T06:40:04Z
-----BEGIN PGP SIGNATURE----- -----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmUZFEdfFIAAAAAALgAo iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmVB8sRfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx
RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY
klAXgg/9GGU9Zsh5GEuYoepVc11NhqztXU2fyrn8g4OkbIUFdOq45C/NDOzzmYkS klDycxAArpKet3g/jSJskcceOF38byx5QitCsuFUiXggVy/3UtTs2F9QY0awzRyN
vve4BAhQZkGn6ixII2dbDqQHmvE4x4NFyobSXLRIYFFAbbQBSRUmib3HbDkxoMhb daT6+MHgL/oMPDQKOF+Gdnxeks9iWhEENMsUGyi/C4gKb9BHe9KzMCKpz/5YuKLj
nTbnNXX5kOq1m6nb3ydnjOKxfgew50dQYT0Yp+Uh9rRtU7sP74KYkseV9p5z+fp1 mOZUsJjChrTMf97N9zuYFLPt+YhHlidKG2Nfa7oqEzUZed3nJK96QCWfHOKDBS8q
+PKY7Nn0G9qANHMgf1YrxC1cgt4WWXXnXJI7YvjcQ/XZJTrAX2oEEGYee8GsLnAn Pa/JAQ1Gca5Lt4vrlVGYreMCWzb0/9QEFex3WpN8K1TVQi4ttwysOI0zNWaUPilr
uGchKTPCbgBG1Dm9vM3jTctUpXKQ1s3B+T0ynciPHzb8IC0M0BvLdCVA1ZM99rCY o4x1yu2z+Iel3khyazx6FpRFlHrqNBOklmz3vkFleok5r+21qfxy05pwUw5a9rJN
CcCJFkITrSBuUrJl3NJUzlYe1XQUH29c0kQe+mR0F4gDjav7gZBE1mKb9lqw/r2A FxwyFtflborCepZCEN4k9YrYILk3yxhfrTvCl9GPD2mhqLA8KW3Lek4RZPXur1HK
vLnm4/kF7IYdxVSFgO2B8GvpPvFQW0hiEAkz+GDRnqYeinVmPTRkBR4VqQfQql1T laMy/d8Ziw/Z9/ksGim+LfVOJ7F0fgUFJxIJJ+eBLGZzz0RzLl64IKEugVxBnoCU
rBuhQV9wQ/y/NIZq41X/rljjTdTpvtzB5ZSAxg9fOMmgo3WH6wb/k/6fgEK/WSGf h2S0XiUUQpGGHlMTkQ5LgcWfbtorgZyQbUX4m/iCo0DGg66+7MADow8yRKRXGNQl
aTH44QoasTboF9kMrgfR+dB/aaTGAuFWC8Ulkjkxh4wE+HsLats2stAYsAnJfXL9 SN24MstUnhU7O/6plg35TRel9fhozl2vau5dWIpm/A3znHmyC3IT53Ffjo3dSwYW
jiW3dO8vdIvXYeI0Smmuxv6hHIz1ZJn8jvQv+iv+yonIbZEDQsgIBxxFPW5NrhiJ tHURmCy7Sz5K1gxB20PsQnt63L+WCya1vhTpF2kCzLivrYjypUXlIbuQXA7AGE7k
a1oJARWuMGvHTeYaqAkfPbS7/ew6b5jLWN3174qxqX6HCsnIyF8= ycBJqVGSz36DuCiEX0ckQbiIHreYqUQLjteVE85Y4XQyX4CSjZs=
=otvP =bBmm
-----END PGP SIGNATURE----- -----END PGP SIGNATURE-----

BIN
sdk_container/src/third_party/portage-stable/metadata/glsa/Manifest.files.gz vendored
View File

Binary file not shown.

52
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202310-01.xml vendored Normal file
View File

@ -0,0 +1,52 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202310-01">
<title>ClamAV: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in ClamAV, the worst of which could result in remote code execution.</synopsis>
<product type="ebuild">clamav</product>
<announced>2023-10-01</announced>
<revised count="1">2023-10-01</revised>
<bug>831083</bug>
<bug>842813</bug>
<bug>894672</bug>
<access>remote</access>
<affected>
<package name="app-antivirus/clamav" auto="yes" arch="*">
<unaffected range="ge">0.103.7</unaffected>
<vulnerable range="lt">0.103.7</vulnerable>
</package>
</affected>
<background>
<p>ClamAV is a GPL virus scanner.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in ClamAV. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="normal">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All ClamAV users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-antivirus/clamav-0.103.7"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-20698">CVE-2022-20698</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-20770">CVE-2022-20770</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-20771">CVE-2022-20771</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-20785">CVE-2022-20785</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-20792">CVE-2022-20792</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-20796">CVE-2022-20796</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-20803">CVE-2022-20803</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-20032">CVE-2023-20032</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-20052">CVE-2023-20052</uri>
</references>
<metadata tag="requester" timestamp="2023-10-01T08:37:37.977976Z">ajak</metadata>
<metadata tag="submitter" timestamp="2023-10-01T08:37:37.980167Z">graaff</metadata>
</glsa>

131
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202310-02.xml vendored Normal file
View File

@ -0,0 +1,131 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202310-02">
<title>NVIDIA Drivers: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in NVIDIA Drivers, the worst of which could result in root privilege escalation.</synopsis>
<product type="ebuild">nvidia-drivers</product>
<announced>2023-10-03</announced>
<revised count="1">2023-10-03</revised>
<bug>764512</bug>
<bug>784596</bug>
<bug>803389</bug>
<bug>832867</bug>
<bug>845063</bug>
<bug>866527</bug>
<bug>881341</bug>
<bug>884045</bug>
<bug>903614</bug>
<access>remote</access>
<affected>
<package name="x11-drivers/nvidia-drivers" auto="yes" arch="*">
<unaffected range="ge">470.182.03</unaffected>
<unaffected range="ge">515.105.01</unaffected>
<unaffected range="ge">525.105.17</unaffected>
<unaffected range="ge">530.41.03</unaffected>
<vulnerable range="lt">470.182.03</vulnerable>
<vulnerable range="lt">515.105.01</vulnerable>
<vulnerable range="lt">525.105.17</vulnerable>
<vulnerable range="lt">530.41.03</vulnerable>
</package>
</affected>
<background>
<p>NVIDIA Drivers are NVIDIA&#39;s accelerated graphics driver.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in NVIDIA Drivers. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="normal">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All NVIDIA Drivers 470 users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=x11-drivers/nvidia-drivers-470.182.03:0/470"
</code>
<p>All NVIDIA Drivers 515 users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=x11-drivers/nvidia-drivers-515.105.01:0/515"
</code>
<p>All NVIDIA Drivers 525 users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=x11-drivers/nvidia-drivers-525.105.17:0/525"
</code>
<p>All NVIDIA Drivers 530 users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=x11-drivers/nvidia-drivers-530.41.03:0/530"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-1052">CVE-2021-1052</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-1053">CVE-2021-1053</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-1056">CVE-2021-1056</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE20211076">CVE20211076</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE20211077">CVE20211077</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-1090">CVE-2021-1090</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-1093">CVE-2021-1093</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-1094">CVE-2021-1094</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-1095">CVE-2021-1095</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE202221813">CVE202221813</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE202221814">CVE202221814</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-28181">CVE-2022-28181</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-28183">CVE-2022-28183</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-28184">CVE-2022-28184</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-28185">CVE-2022-28185</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-31607">CVE-2022-31607</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-31608">CVE-2022-31608</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-31615">CVE-2022-31615</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE202234665">CVE202234665</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-34666">CVE-2022-34666</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-34670">CVE-2022-34670</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-34673">CVE-2022-34673</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-34674">CVE-2022-34674</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-34676">CVE-2022-34676</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-34677">CVE-2022-34677</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-34678">CVE-2022-34678</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-34679">CVE-2022-34679</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-34680">CVE-2022-34680</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-34682">CVE-2022-34682</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-34684">CVE-2022-34684</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-42254">CVE-2022-42254</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-42255">CVE-2022-42255</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-42256">CVE-2022-42256</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-42257">CVE-2022-42257</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-42258">CVE-2022-42258</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-42259">CVE-2022-42259</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-42260">CVE-2022-42260</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-42261">CVE-2022-42261</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-42263">CVE-2022-42263</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-42264">CVE-2022-42264</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-42265">CVE-2022-42265</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-0180">CVE-2023-0180</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-0181">CVE-2023-0181</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-0183">CVE-2023-0183</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-0184">CVE-2023-0184</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-0185">CVE-2023-0185</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-0187">CVE-2023-0187</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-0188">CVE-2023-0188</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-0189">CVE-2023-0189</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-0190">CVE-2023-0190</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-0191">CVE-2023-0191</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-0194">CVE-2023-0194</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-0195">CVE-2023-0195</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-0198">CVE-2023-0198</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-0199">CVE-2023-0199</uri>
</references>
<metadata tag="requester" timestamp="2023-10-03T12:45:00.352577Z">ajak</metadata>
<metadata tag="submitter" timestamp="2023-10-03T12:45:00.356374Z">graaff</metadata>
</glsa>

47
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202310-03.xml vendored Normal file
View File

@ -0,0 +1,47 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202310-03">
<title>glibc: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities in glibc could result in Local Privilege Escalation.</synopsis>
<product type="ebuild">glibc</product>
<announced>2023-10-04</announced>
<revised count="1">2023-10-04</revised>
<bug>867952</bug>
<bug>914281</bug>
<bug>915127</bug>
<access>local and remote</access>
<affected>
<package name="sys-libs/glibc" auto="yes" arch="*">
<unaffected range="ge">2.37-r7</unaffected>
<vulnerable range="lt">2.37-r7</vulnerable>
</package>
</affected>
<background>
<p>glibc is a package that contains the GNU C library.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in glibc. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="high">
<p>An attacker could elevate privileges from a local user to root.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All glibc users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-libs/glibc-2.37-r7"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-39046">CVE-2022-39046</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4527">CVE-2023-4527</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4806">CVE-2023-4806</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4911">CVE-2023-4911</uri>
</references>
<metadata tag="requester" timestamp="2023-10-04T08:02:08.857868Z">sam</metadata>
<metadata tag="submitter" timestamp="2023-10-04T08:02:08.860070Z">sam</metadata>
</glsa>

44
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202310-04.xml vendored Normal file
View File

@ -0,0 +1,44 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202310-04">
<title>libvpx: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in libvpx, the worst of which could result in arbitrary code execution.</synopsis>
<product type="ebuild">libvpx</product>
<announced>2023-10-04</announced>
<revised count="1">2023-10-04</revised>
<bug>914875</bug>
<bug>914987</bug>
<access>remote</access>
<affected>
<package name="media-libs/libvpx" auto="yes" arch="*">
<unaffected range="ge">1.13.1</unaffected>
<vulnerable range="lt">1.13.1</vulnerable>
</package>
</affected>
<background>
<p>libvpx is the VP8 codec SDK used to encode and decode video streams, typically within a WebM format media file.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in libvpx. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="high">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All libvpx users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/libvpx-1.13.1"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5217">CVE-2023-5217</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-44488">CVE-2023-44488</uri>
</references>
<metadata tag="requester" timestamp="2023-10-04T10:49:17.755721Z">sam</metadata>
<metadata tag="submitter" timestamp="2023-10-04T10:49:17.758091Z">sam</metadata>
</glsa>

42
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202310-05.xml vendored Normal file
View File

@ -0,0 +1,42 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202310-05">
<title>dav1d: Denial of Service</title>
<synopsis>A vulnerability has been found in dav1d which could result in denial of service.</synopsis>
<product type="ebuild">dav1d</product>
<announced>2023-10-08</announced>
<revised count="1">2023-10-08</revised>
<bug>906107</bug>
<access>remote</access>
<affected>
<package name="media-libs/dav1d" auto="yes" arch="*">
<unaffected range="ge">1.2.0</unaffected>
<vulnerable range="lt">1.2.0</vulnerable>
</package>
</affected>
<background>
<p>dav1d is an AV1 decoder.</p>
</background>
<description>
<p>In some circumstances, dav1d might treat an invalid frame as valid, resulting in a crash.</p>
</description>
<impact type="low">
<p>Malformed frame data can result in a denial of service.</p>
</impact>
<workaround>
<p>Users should avoid parsing untrusted video with dav1d.</p>
</workaround>
<resolution>
<p>All dav1d users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/dav1d-1.2.0"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-32570">CVE-2023-32570</uri>
</references>
<metadata tag="requester" timestamp="2023-10-08T05:41:28.434632Z">ajak</metadata>
<metadata tag="submitter" timestamp="2023-10-08T05:41:28.437198Z">sam</metadata>
</glsa>

53
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202310-06.xml vendored Normal file
View File

@ -0,0 +1,53 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202310-06">
<title>Heimdal: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in Heimdal, the worst of which could lead to remote code execution on a KDC.</synopsis>
<product type="ebuild">heimdal</product>
<announced>2023-10-08</announced>
<revised count="1">2023-10-08</revised>
<bug>881429</bug>
<bug>893722</bug>
<access>remote</access>
<affected>
<package name="app-crypt/heimdal" auto="yes" arch="*">
<unaffected range="ge">7.8.0-r1</unaffected>
<vulnerable range="lt">7.8.0-r1</vulnerable>
</package>
</affected>
<background>
<p>Heimdal is a free implementation of Kerberos 5.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Heimdal, the worst of which could lead to remote code execution on a Kerberos Domain Controller.
Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="high">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Cross-realm trust vulnerability in Heimdal users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-crypt/heimdal-7.8.0-r1"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-14870">CVE-2019-14870</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-44758">CVE-2021-44758</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3437">CVE-2022-3437</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3671">CVE-2022-3671</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-41916">CVE-2022-41916</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-42898">CVE-2022-42898</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-44640">CVE-2022-44640</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-44758">CVE-2022-44758</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45142">CVE-2022-45142</uri>
</references>
<metadata tag="requester" timestamp="2023-10-08T06:51:59.537471Z">graaff</metadata>
<metadata tag="submitter" timestamp="2023-10-08T06:51:59.541301Z">graaff</metadata>
</glsa>

58
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202310-07.xml vendored Normal file
View File

@ -0,0 +1,58 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202310-07">
<title>Oracle VirtualBox: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in VirtualBox, leading to compomise of VirtualBox.</synopsis>
<product type="ebuild">virtualbox</product>
<announced>2023-10-08</announced>
<revised count="1">2023-10-08</revised>
<bug>891327</bug>
<access>remote</access>
<affected>
<package name="app-emulation/virtualbox" auto="yes" arch="*">
<unaffected range="ge">7.0.6</unaffected>
<unaffected range="ge">6.1.46</unaffected>
<vulnerable range="lt">7.0.6</vulnerable>
<vulnerable range="lt">6.1.46</vulnerable>
</package>
</affected>
<background>
<p>VirtualBox is a powerful virtualization product from Oracle.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Oracle VirtualBox, the worst of which may lead to VirtualBox compromise by an attacker with network access.
Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="high">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Oracle VirtualBox users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-emulation/virtualbox-7.0.6"
</code>
<p>If you still need to use VirtualBox 6:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-emulation/virtualbox-6.1.46" "=app-emulation/virtualbox-6*"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-21884">CVE-2023-21884</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-21885">CVE-2023-21885</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-21886">CVE-2023-21886</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-21889">CVE-2023-21889</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-21898">CVE-2023-21898</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-21899">CVE-2023-21899</uri>
</references>
<metadata tag="requester" timestamp="2023-10-08T07:06:19.159874Z">graaff</metadata>
<metadata tag="submitter" timestamp="2023-10-08T07:06:19.162195Z">graaff</metadata>
</glsa>

42
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202310-08.xml vendored Normal file
View File

@ -0,0 +1,42 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202310-08">
<title>man-db: privilege escalation</title>
<synopsis>A root privilege escalation through setuid executable and cron job has been discovered in man-db.</synopsis>
<product type="ebuild">man-db</product>
<announced>2023-10-08</announced>
<revised count="1">2023-10-08</revised>
<bug>662438</bug>
<access>remote</access>
<affected>
<package name="sys-apps/man-db" auto="yes" arch="*">
<unaffected range="ge">2.8.5</unaffected>
<vulnerable range="lt">2.8.5</vulnerable>
</package>
</affected>
<background>
<p>man-db is a man replacement that utilizes BerkeleyDB instead of flat files.</p>
</background>
<description>
<p>A root privilege escalation through setuid executable and cron job has been discovered in man-db. Please review the CVE identifier referenced below for details.</p>
</description>
<impact type="high">
<p>A local user with access to the man user or group can elevate privileges to root.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All man-db users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-apps/man-db-2.8.5"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-25078">CVE-2018-25078</uri>
</references>
<metadata tag="requester" timestamp="2023-10-08T07:25:53.857649Z">graaff</metadata>
<metadata tag="submitter" timestamp="2023-10-08T07:25:53.860912Z">graaff</metadata>
</glsa>

45
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202310-09.xml vendored Normal file
View File

@ -0,0 +1,45 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202310-09">
<title>c-ares: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in c-ares the worst of which could result in Denial of Service.</synopsis>
<product type="ebuild">c-ares</product>
<announced>2023-10-08</announced>
<revised count="1">2023-10-08</revised>
<bug>906964</bug>
<access>remote</access>
<affected>
<package name="net-dns/c-ares" auto="yes" arch="*">
<unaffected range="ge">1.19.1</unaffected>
<vulnerable range="lt">1.19.1</vulnerable>
</package>
</affected>
<background>
<p>c-ares is a C library for asynchronous DNS requests (including name resolves).</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in c-ares. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="normal">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All c-ares users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-dns/c-ares-1.19.1"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-31124">CVE-2023-31124</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-31130">CVE-2023-31130</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-31147">CVE-2023-31147</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-32067">CVE-2023-32067</uri>
</references>
<metadata tag="requester" timestamp="2023-10-08T07:28:06.690774Z">graaff</metadata>
<metadata tag="submitter" timestamp="2023-10-08T07:28:06.694172Z">graaff</metadata>
</glsa>

44
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202310-10.xml vendored Normal file
View File

@ -0,0 +1,44 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202310-10">
<title>libcue: Arbitrary Code Execution</title>
<synopsis>A vulnerability has been discovered in libcue which could allow for arbitrary code execution.</synopsis>
<product type="ebuild">libcue</product>
<announced>2023-10-10</announced>
<revised count="1">2023-10-10</revised>
<bug>915500</bug>
<access>remote</access>
<affected>
<package name="media-libs/libcue" auto="yes" arch="*">
<unaffected range="ge">2.2.1-r1</unaffected>
<vulnerable range="lt">2.2.1-r1</vulnerable>
</package>
</affected>
<background>
<p>libcue is a CUE Sheet Parser Library.</p>
</background>
<description>
<p>libcue does not check bounds in a loop and suffers from an integer overflow flaw which can be exploited to take over the program.</p>
</description>
<impact type="high">
<p>Untrusted CUE sheet files can lead to arbitrary code execution.
app-misc/tracker-miners[cue] uses libcue to index CUE Sheet files in directories. It is possible that downloading a malicious CUE Sheet file into a directory indexed by tracker-miners could lead to remote code execution.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All libcue users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/libcue-2.2.1-r1"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-43641">CVE-2023-43641</uri>
</references>
<metadata tag="requester" timestamp="2023-10-10T06:13:45.982909Z">sam</metadata>
<metadata tag="submitter" timestamp="2023-10-10T06:13:45.985293Z">sam</metadata>
</glsa>

42
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202310-11.xml vendored Normal file
View File

@ -0,0 +1,42 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202310-11">
<title>less: Denial of service</title>
<synopsis>A filtering bypass in less may allow denial of service.</synopsis>
<product type="ebuild">less</product>
<announced>2023-10-10</announced>
<revised count="1">2023-10-10</revised>
<bug>893530</bug>
<access>remote</access>
<affected>
<package name="sys-apps/less" auto="yes" arch="*">
<unaffected range="ge">608-r2</unaffected>
<vulnerable range="lt">608-r2</vulnerable>
</package>
</affected>
<background>
<p>less is a pager and text file viewer.</p>
</background>
<description>
<p>less suffered from a flaw in its terminal escape sequence handling which made its filtering incomplete.</p>
</description>
<impact type="normal">
<p>Malicious input could clear the terminal output or otherwise manipulate it with faked interactions.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All less users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-apps/less-608-r2"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-46663">CVE-2022-46663</uri>
</references>
<metadata tag="requester" timestamp="2023-10-10T06:27:21.953151Z">sam</metadata>
<metadata tag="submitter" timestamp="2023-10-10T06:27:21.958103Z">sam</metadata>
</glsa>

68
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202310-12.xml vendored Normal file
View File

@ -0,0 +1,68 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202310-12">
<title>curl: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in curl, the worst of which could result in arbitrary code execution.</synopsis>
<product type="ebuild">curl</product>
<announced>2023-10-11</announced>
<revised count="1">2023-10-11</revised>
<bug>887745</bug>
<bug>894676</bug>
<bug>902801</bug>
<bug>906590</bug>
<bug>910564</bug>
<bug>914091</bug>
<bug>915195</bug>
<access>remote</access>
<affected>
<package name="net-misc/curl" auto="yes" arch="*">
<unaffected range="ge">8.3.0-r2</unaffected>
<vulnerable range="lt">8.3.0-r2</vulnerable>
</package>
</affected>
<background>
<p>A command line tool and library for transferring data with URLs.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in curl. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="high">
<p>Please review the referenced CVE identifiers for details.
Note that the risk of remote code execution is limited to SOCKS usage.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All curl users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/curl-8.3.0-r2"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-43551">CVE-2022-43551</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-43552">CVE-2022-43552</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-23914">CVE-2023-23914</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-23915">CVE-2023-23915</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-23916">CVE-2023-23916</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-27533">CVE-2023-27533</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-27534">CVE-2023-27534</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-27535">CVE-2023-27535</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-27536">CVE-2023-27536</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-27537">CVE-2023-27537</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-27538">CVE-2023-27538</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-28319">CVE-2023-28319</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-28320">CVE-2023-28320</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-28321">CVE-2023-28321</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-28322">CVE-2023-28322</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-32001">CVE-2023-32001</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-38039">CVE-2023-38039</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-38545">CVE-2023-38545</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-38546">CVE-2023-38546</uri>
</references>
<metadata tag="requester" timestamp="2023-10-11T08:40:59.014071Z">sam</metadata>
<metadata tag="submitter" timestamp="2023-10-11T08:40:59.017290Z">sam</metadata>
</glsa>

42
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202310-13.xml vendored Normal file
View File

@ -0,0 +1,42 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202310-13">
<title>GNU Mailutils: unexpected processsing of escape sequences</title>
<synopsis>A vulnerability has been discovered in Mailutils where escape sequences are processed in a context where this may lead to RCE.</synopsis>
<product type="ebuild">mailutils</product>
<announced>2023-10-19</announced>
<revised count="1">2023-10-19</revised>
<bug>802867</bug>
<access>remote</access>
<affected>
<package name="net-mail/mailutils" auto="yes" arch="*">
<unaffected range="ge">3.12-r3</unaffected>
<vulnerable range="lt">3.12-r3</vulnerable>
</package>
</affected>
<background>
<p>GNU Mailutils is a collection of mail-related utilities, including an IMAP4 server (imap4d) and a Mail User Agent (mail).</p>
</background>
<description>
<p>A vulnerability has been discovered in GNU Mailutils. Please review the CVE identifier referenced below for details.</p>
</description>
<impact type="high">
<p>mail(1) from mailutils would process escape sequences (like ~! shellcommand) in message bodies piped/redirected in. This creates an RCE if some part of the message body is under an attacker&#39;s control.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Mailutils users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-mail/mailutils-3.12-r3"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-32749">CVE-2021-32749</uri>
</references>
<metadata tag="requester" timestamp="2023-10-19T05:47:33.365385Z">graaff</metadata>
<metadata tag="submitter" timestamp="2023-10-19T05:47:33.367529Z">graaff</metadata>
</glsa>

44
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202310-14.xml vendored Normal file
View File

@ -0,0 +1,44 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202310-14">
<title>libinput: format string vulnerability when using xf86-input-libinput</title>
<synopsis>A vulnerability has been discovered in libinput where an attacker may run malicous code by exploiting a format string vulnerability.</synopsis>
<product type="ebuild">libinput</product>
<announced>2023-10-26</announced>
<revised count="1">2023-10-26</revised>
<bug>839729</bug>
<access>remote</access>
<affected>
<package name="dev-libs/libinput" auto="yes" arch="*">
<unaffected range="ge">1.20.1</unaffected>
<vulnerable range="lt">1.20.1</vulnerable>
</package>
</affected>
<background>
<p>A library to handle input devices in Wayland and, via xf86-input-libinput, in X.org.</p>
</background>
<description>
<p>An attacker may be able to run malicious code by exploiting a format string vulnerability. Please review the CVE identifier referenced below for details.</p>
</description>
<impact type="high">
<p>When a device is detected by libinput, libinput logs several messages through log handlers set up by the callers. These log handlers usually eventually result in a printf call. Logging happens with the privileges of the caller, in the case of Xorg this may be root.
The device name ends up as part of the format string and a kernel device with printf-style format string placeholders in the device name can enable an attacker to run malicious code. An exploit is possible through any device where the attacker controls the device name, e.g. /dev/uinput or Bluetooth devices.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All libinput users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/libinput-1.20.1"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1215">CVE-2022-1215</uri>
</references>
<metadata tag="requester" timestamp="2023-10-26T04:38:40.405160Z">graaff</metadata>
<metadata tag="submitter" timestamp="2023-10-26T04:38:40.408918Z">graaff</metadata>
</glsa>

42
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202310-15.xml vendored Normal file
View File

@ -0,0 +1,42 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202310-15">
<title>USBView: root privilege escalation via insecure polkit settings</title>
<synopsis>A vulnerability has been discovered in usbview where certain users can trigger a privilege escalation.</synopsis>
<product type="ebuild">usbview</product>
<announced>2023-10-26</announced>
<revised count="1">2023-10-26</revised>
<bug>831756</bug>
<access>local</access>
<affected>
<package name="app-admin/usbview" auto="yes" arch="*">
<unaffected range="ge">2.2</unaffected>
<vulnerable range="lt">2.2</vulnerable>
</package>
</affected>
<background>
<p>USBView is a tool to display the topology of devices on the USB bus.</p>
</background>
<description>
<p>A vulnerability has been discovered in usbview. Please review the CVE identifier referenced below for details.</p>
</description>
<impact type="high">
<p>USBView allows some local users (e.g., ones logged in via SSH) to execute arbitrary code as root because certain Polkit settings (e.g., allow_any=yes) for pkexec disable the authentication requirement. Code execution can, for example, use the --gtk-module option.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All USBView users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-admin/usbview-2.2"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-23220">CVE-2022-23220</uri>
</references>
<metadata tag="requester" timestamp="2023-10-26T04:41:42.430938Z">graaff</metadata>
<metadata tag="submitter" timestamp="2023-10-26T04:41:42.434826Z">graaff</metadata>
</glsa>

43
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202310-16.xml vendored Normal file
View File

@ -0,0 +1,43 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202310-16">
<title>Ubiquiti UniFi: remote code execution via bundled log4j</title>
<synopsis>A vulnerability has been discovered in unifi where bundled log4j can facilitate a remote code execution</synopsis>
<product type="ebuild">unifi</product>
<announced>2023-10-26</announced>
<revised count="1">2023-10-26</revised>
<bug>828853</bug>
<access>remote</access>
<affected>
<package name="net-wireless/unifi" auto="yes" arch="*">
<unaffected range="ge">6.5.55</unaffected>
<vulnerable range="lt">6.5.55</vulnerable>
</package>
</affected>
<background>
<p>Ubiquiti UniFi is a Management Controller for Ubiquiti Networks UniFi APs.</p>
</background>
<description>
<p>A bundled version of log4j could facilitate remote code execution. Please review the CVE identifier referenced below for details.</p>
</description>
<impact type="high">
<p>An attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Ubiquity UniFi users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-wireless/unifi-6.5.55"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-4104">CVE-2021-4104</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-45046">CVE-2021-45046</uri>
</references>
<metadata tag="requester" timestamp="2023-10-26T04:47:43.475731Z">graaff</metadata>
<metadata tag="submitter" timestamp="2023-10-26T04:47:43.478412Z">graaff</metadata>
</glsa>

43
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202310-17.xml vendored Normal file
View File

@ -0,0 +1,43 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202310-17">
<title>UnZip: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in UnZip, the worst of which could lead to code execution.</synopsis>
<product type="ebuild">unzip</product>
<announced>2023-10-30</announced>
<revised count="1">2023-10-30</revised>
<bug>831190</bug>
<access>local</access>
<affected>
<package name="app-arch/unzip" auto="yes" arch="*">
<unaffected range="ge">6.0_p27</unaffected>
<vulnerable range="lt">6.0_p27</vulnerable>
</package>
</affected>
<background>
<p>Info-ZIPs UnZip is a tool to list and extract files inside PKZIP compressed files.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in UnZip. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="high">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All UnZip users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-arch/unzip-6.0_p27"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-0529">CVE-2022-0529</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-0530">CVE-2022-0530</uri>
</references>
<metadata tag="requester" timestamp="2023-10-30T09:22:55.998380Z">graaff</metadata>
<metadata tag="submitter" timestamp="2023-10-30T09:22:56.000940Z">graaff</metadata>
</glsa>

45
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202310-18.xml vendored Normal file
View File

@ -0,0 +1,45 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202310-18">
<title>Rack: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in Rack, the worst of which can lead to sequence injection in logging compontents.</synopsis>
<product type="ebuild">rack</product>
<announced>2023-10-30</announced>
<revised count="1">2023-10-30</revised>
<bug>884795</bug>
<access>remote</access>
<affected>
<package name="dev-ruby/rack" auto="yes" arch="*">
<unaffected range="ge">2.2.3.1</unaffected>
<vulnerable range="lt">2.2.3.1</vulnerable>
</package>
</affected>
<background>
<p>Rack is a modular Ruby web server interface.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Rack. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="high">
<p>A possible denial of service vulnerability was found in the multipart parsing component of Rack.
A sequence injection vulnerability was found which could allow a possible shell escape in the Lint and CommonLogger components of Rack.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Rack users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-ruby/rack-2.2.3.1"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-30122">CVE-2022-30122</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-30123">CVE-2022-30123</uri>
</references>
<metadata tag="requester" timestamp="2023-10-30T09:36:59.521630Z">graaff</metadata>
<metadata tag="submitter" timestamp="2023-10-30T09:36:59.526118Z">graaff</metadata>
</glsa>

44
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202310-19.xml vendored Normal file
View File

@ -0,0 +1,44 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202310-19">
<title>Dovecot: Privilege Escalation</title>
<synopsis>A vulnerability has been discovered in Dovecot that can lead to a privilege escalation when master and non-master passdbs are used.</synopsis>
<product type="ebuild">dovecot</product>
<announced>2023-10-30</announced>
<revised count="1">2023-10-30</revised>
<bug>856733</bug>
<access>local and remote</access>
<affected>
<package name="net-mail/dovecot" auto="yes" arch="*">
<unaffected range="ge">2.3.19.1-r1</unaffected>
<vulnerable range="lt">2.3.19.1-r1</vulnerable>
</package>
</affected>
<background>
<p>Dovecot is an open source IMAP and POP3 email server.</p>
</background>
<description>
<p>A vulnerability has been discovered in Dovecot. Please review the CVE identifier referenced below for details.</p>
</description>
<impact type="normal">
<p>When two passdb configuration entries exist in Dovecot configuration, which have the same driver and args settings, the incorrect username_filter and mechanism settings can be applied to passdb definitions. These incorrectly applied settings can lead to an unintended security configuration and can permit privilege escalation with certain configurations involving master user authentication.
Dovecot documentation does not advise against the use of passdb definitions which have the same driver and args settings. One such configuration would be where an administrator wishes to use the same pam configuration or passwd file for both normal and master users but use the username_filter setting to restrict which of the users is able to be a master user.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Dovecot users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-mail/dovecot-2.3.19.1-r1"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-30550">CVE-2022-30550</uri>
</references>
<metadata tag="requester" timestamp="2023-10-30T09:51:47.939912Z">graaff</metadata>
<metadata tag="submitter" timestamp="2023-10-30T09:51:47.942574Z">graaff</metadata>
</glsa>

45
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202310-20.xml vendored Normal file
View File

@ -0,0 +1,45 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202310-20">
<title>rxvt-unicode: Arbitrary Code Execution</title>
<synopsis>A vulnerability has been discovered in rxvt-unicode where data written to the terminal can lead to code execution.</synopsis>
<product type="ebuild">rxvt-unicode</product>
<announced>2023-10-30</announced>
<revised count="1">2023-10-30</revised>
<bug>884787</bug>
<access>local and remote</access>
<affected>
<package name="x11-terms/rxvt-unicode" auto="yes" arch="*">
<unaffected range="ge">9.30</unaffected>
<vulnerable range="lt">9.30</vulnerable>
</package>
</affected>
<background>
<p>rxvt-unicode is a clone of the well known terminal emulator rxvt.</p>
</background>
<description>
<p>A vulnerability has been discovered in rxvt-unicode. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="high">
<p>in the Perl background extension, when an attacker can
control the data written to the user&#39;s terminal and certain options are set.
The &#34;background&#34; extension is automatically loaded if certain X resources are set such as &#39;transparent&#39; (see the full list at the top of src/perl/background[1]). So it is possible to be using this extension without realising it.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All rxvt-unicode users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=x11-terms/rxvt-unicode-9.30"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-4170">CVE-2022-4170</uri>
</references>
<metadata tag="requester" timestamp="2023-10-30T10:19:42.802538Z">graaff</metadata>
<metadata tag="submitter" timestamp="2023-10-30T10:19:42.804901Z">graaff</metadata>
</glsa>

47
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202310-21.xml vendored Normal file
View File

@ -0,0 +1,47 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202310-21">
<title>ConnMan: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in ConnMan, the worst of which can lead to remote code execution.</synopsis>
<product type="ebuild">connman</product>
<announced>2023-10-31</announced>
<revised count="1">2023-10-31</revised>
<bug>832028</bug>
<bug>863425</bug>
<access>remote</access>
<affected>
<package name="net-misc/connman" auto="yes" arch="*">
<unaffected range="ge">1.42_pre20220801</unaffected>
<vulnerable range="lt">1.42_pre20220801</vulnerable>
</package>
</affected>
<background>
<p>ConnMan provides a daemon for managing Internet connections.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in ConnMan. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="high">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All ConnMan users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/connman-1.42_pre20220801"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-23096">CVE-2022-23096</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-23097">CVE-2022-23097</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-23098">CVE-2022-23098</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-32292">CVE-2022-32292</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-32293">CVE-2022-32293</uri>
</references>
<metadata tag="requester" timestamp="2023-10-31T06:25:15.876393Z">graaff</metadata>
<metadata tag="submitter" timestamp="2023-10-31T06:25:15.879529Z">graaff</metadata>
</glsa>

61
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202310-22.xml vendored Normal file
View File

@ -0,0 +1,61 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202310-22">
<title>Salt: Multiple Vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in Salt, the worst of which could result in local privilege escalation.</synopsis>
<product type="ebuild">salt</product>
<announced>2023-10-31</announced>
<revised count="1">2023-10-31</revised>
<bug>767919</bug>
<bug>812440</bug>
<bug>836365</bug>
<bug>855962</bug>
<access>local and remote</access>
<affected>
<package name="app-admin/salt" auto="yes" arch="*">
<unaffected range="ge">3004.2</unaffected>
<vulnerable range="lt">3004.2</vulnerable>
</package>
</affected>
<background>
<p>Salt is a fast, intelligent and scalable automation engine.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Salt. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="high">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Salt users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-admin/salt-3004.2"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-28243">CVE-2020-28243</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-28972">CVE-2020-28972</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-35662">CVE-2020-35662</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-3144">CVE-2021-3144</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-3148">CVE-2021-3148</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-3197">CVE-2021-3197</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-21996">CVE-2021-21996</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-25281">CVE-2021-25281</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-25282">CVE-2021-25282</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-25283">CVE-2021-25283</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-25284">CVE-2021-25284</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-31607">CVE-2021-31607</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-22934">CVE-2022-22934</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-22935">CVE-2022-22935</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-22936">CVE-2022-22936</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-22941">CVE-2022-22941</uri>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-22967">CVE-2022-22967</uri>
</references>
<metadata tag="requester" timestamp="2023-10-31T11:57:07.707510Z">graaff</metadata>
<metadata tag="submitter" timestamp="2023-10-31T11:57:07.710051Z">graaff</metadata>
</glsa>

43
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202310-23.xml vendored Normal file
View File

@ -0,0 +1,43 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="202310-23">
<title>libxslt: Multiple Vulnerabilities</title>
<synopsis>Several use-after-free vulnerabilities have been found in libxslt.</synopsis>
<product type="ebuild">libxslt</product>
<announced>2023-10-31</announced>
<revised count="1">2023-10-31</revised>
<bug>820722</bug>
<bug>833508</bug>
<access>remote</access>
<affected>
<package name="dev-libs/libxslt" auto="yes" arch="*">
<unaffected range="ge">1.1.35</unaffected>
<vulnerable range="lt">1.1.35</vulnerable>
</package>
</affected>
<background>
<p>libxslt is the XSLT C library developed for the GNOME project. XSLT itself is an XML language to define transformations for XML.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in libxslt. Please review the CVE identifiers referenced below for details.</p>
</description>
<impact type="high">
<p>Please review the referenced CVE identifiers for details.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All libxslt users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/libxslt-1.1.35"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-30560">CVE-2021-30560</uri>
</references>
<metadata tag="requester" timestamp="2023-10-31T12:53:57.599608Z">graaff</metadata>
<metadata tag="submitter" timestamp="2023-10-31T12:53:57.603095Z">graaff</metadata>
</glsa>

2
sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk vendored
View File

@ -1 +1 @@
Sun, 01 Oct 2023 06:40:03 +0000 Wed, 01 Nov 2023 06:40:00 +0000

2
sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.commit vendored
View File

@ -1 +1 @@
de793de405f9e13d0d29d94de3f236ce0b5b3338 1696064247 2023-09-30T08:57:27+00:00 49515c936bcad95017ac696eb33dd49f6f28e9b5 1698756865 2023-10-31T12:54:25+00:00