mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-08-18 21:11:08 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #498 from mischief/glsa-2016-12-13

Browse Source 
bump(metadata/glsa): sync with upstream
This commit is contained in:
Nick Owens 2016-12-13 12:46:13 -08:00 committed by GitHub
commit b3a2e0481c
13 changed files with 639 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-32.xml vendored Normal file
View File

@ -0,0 +1,51 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201612-32">
<title>elfutils: Heap-based buffer overflow</title>
<synopsis>A heap-based buffer overflow vulnerability in elfutils might allow
remote attackers to execute arbitrary code.
</synopsis>
<product type="ebuild">elfutils</product>
<announced>December 13, 2016</announced>
<revised>December 13, 2016: 2</revised>
<bug>507246</bug>
<access>remote</access>
<affected>
<package name="dev-libs/elfutils" auto="yes" arch="*">
<unaffected range="ge">0.159</unaffected>
<vulnerable range="lt">0.159</vulnerable>
</package>
</affected>
<background>
<p>Elfutils provides a library and utilities to access, modify and analyse
ELF objects.
</p>
</background>
<description>
<p>An integer overflow, in the check_section function of dwarf_begin_elf.c,
in the libdw library can lead to a heap-based buffer overflow.
</p>
</description>
<impact type="normal">
<p>A remote attacker could entice a user to open a specially crafted file,
possibly resulting in the execution of arbitrary code with the privileges
of the process or a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All elfutils users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-libs/elfutils-0.159"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0172">CVE-2014-0172</uri>
</references>
<metadata tag="requester" timestamp="Tue, 22 Nov 2016 14:55:36 +0000">whissi</metadata>
<metadata tag="submitter" timestamp="Tue, 13 Dec 2016 06:58:39 +0000">whissi</metadata>
</glsa>

49
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-33.xml vendored Normal file
View File

@ -0,0 +1,49 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201612-33">
<title>GPL Ghostscript: User-assisted execution of arbitrary code</title>
<synopsis>An integer overflow in GPL Ghostscript may allow remote attackers
to execute arbitrary code.
</synopsis>
<product type="ebuild">ghostscript-gpl</product>
<announced>December 13, 2016</announced>
<revised>December 13, 2016: 2</revised>
<bug>556316</bug>
<access>remote</access>
<affected>
<package name="app-text/ghostscript-gpl" auto="yes" arch="*">
<unaffected range="ge">9.09</unaffected>
<vulnerable range="lt">9.09</vulnerable>
</package>
</affected>
<background>
<p>Ghostscript is an interpreter for the PostScript language and for PDF.</p>
</background>
<description>
<p>An integer overflow flaw was discovered that leads to an out-of-bounds
read and write in gs_ttf.ps.
</p>
</description>
<impact type="normal">
<p>A remote attacker could entice a user to open a specially crafted file,
possibly resulting in the execution of arbitrary code with the privileges
of the process or a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All GPL Ghostscript users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-text/ghostscript-gpl-9.09"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3228">CVE-2015-3228</uri>
</references>
<metadata tag="requester" timestamp="Tue, 22 Nov 2016 15:13:30 +0000">whissi</metadata>
<metadata tag="submitter" timestamp="Tue, 13 Dec 2016 06:58:50 +0000">whissi</metadata>
</glsa>

51
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-34.xml vendored Normal file
View File

@ -0,0 +1,51 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201612-34">
<title>systemd: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in systemd, the worst of
which may allow execution of arbitrary code.
</synopsis>
<product type="ebuild">systemd</product>
<announced>December 13, 2016</announced>
<revised>December 13, 2016: 2</revised>
<bug>486904</bug>
<access>local, remote</access>
<affected>
<package name="sys-apps/systemd" auto="yes" arch="*">
<unaffected range="ge">208</unaffected>
<vulnerable range="lt">208</vulnerable>
</package>
</affected>
<background>
<p>A system and service manager.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in systemd. Please review
the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>An attacker could possibly execute arbitrary code with the privileges of
the process, cause a Denial of Service condition, or gain escalated
privileges.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All systemd users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=sys-apps/systemd-208"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4391">CVE-2013-4391</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4393">CVE-2013-4393</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4394">CVE-2013-4394</uri>
</references>
<metadata tag="requester" timestamp="Wed, 23 Nov 2016 20:50:18 +0000">whissi</metadata>
<metadata tag="submitter" timestamp="Tue, 13 Dec 2016 06:59:01 +0000">whissi</metadata>
</glsa>

49
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-35.xml vendored Normal file
View File

@ -0,0 +1,49 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201612-35">
<title>XStream: Remote execution of arbitrary code</title>
<synopsis>A vulnerability in XStream may allow remote attackers to execute
arbitrary code.
</synopsis>
<product type="ebuild">xstream</product>
<announced>December 13, 2016</announced>
<revised>December 13, 2016: 2</revised>
<bug>497652</bug>
<access>remote</access>
<affected>
<package name="dev-java/xstream" auto="yes" arch="*">
<unaffected range="ge">1.4.8-r1</unaffected>
<vulnerable range="lt">1.4.8-r1</vulnerable>
</package>
</affected>
<background>
<p>XStream is a simple library to serialize objects to XML and back again.</p>
</background>
<description>
<p>It was found that XStream would deserialize arbitrary user-supplied XML
content, thus representing objects of any type.
</p>
</description>
<impact type="normal">
<p>A remote attacker could pass a specially crafted XML document to
XStream, possibly resulting in the execution of arbitrary code with the
privileges of the process or a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All XStream users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-java/xstream-1.4.8-r1"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7285">CVE-2013-7285</uri>
</references>
<metadata tag="requester" timestamp="Tue, 29 Nov 2016 21:29:45 +0000">whissi</metadata>
<metadata tag="submitter" timestamp="Tue, 13 Dec 2016 06:59:12 +0000">whissi</metadata>
</glsa>

52
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-36.xml vendored Normal file
View File

@ -0,0 +1,52 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201612-36">
<title>TigerVNC: Integer overflow</title>
<synopsis>An integer overflow in TigerVNC might allow remote attackers to
execute
arbitrary code.
</synopsis>
<product type="ebuild">tigervnc</product>
<announced>December 13, 2016</announced>
<revised>December 13, 2016: 2</revised>
<bug>534714</bug>
<access>remote</access>
<affected>
<package name="net-misc/tigervnc" auto="yes" arch="*">
<unaffected range="ge">1.4.2</unaffected>
<vulnerable range="lt">1.4.2</vulnerable>
</package>
</affected>
<background>
<p>TigerVNC is a high-performance VNC server/client.</p>
</background>
<description>
<p>TigerVNC is impacted by the same vulnerability as found in
CVE-2014-6051. An integer overflow, leading to a heap-based buffer
overflow, was found in the way screen sizes were handled.
</p>
</description>
<impact type="normal">
<p>A remote attacker, utilizing a malicious VNC server, could execute
arbitrary code with the privileges of the user running the client, or
cause a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All TigerVNC users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-misc/tigervnc-1.4.2"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6051">CVE-2014-6051</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8240">CVE-2014-8240</uri>
</references>
<metadata tag="requester" timestamp="Tue, 29 Nov 2016 21:39:43 +0000">whissi</metadata>
<metadata tag="submitter" timestamp="Tue, 13 Dec 2016 06:59:26 +0000">whissi</metadata>
</glsa>

52
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-37.xml vendored Normal file
View File

@ -0,0 +1,52 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201612-37">
<title>Pixman: Buffer overflow</title>
<synopsis>A buffer overflow in Pixman might allow remote attackers to execute
arbitrary code.
</synopsis>
<product type="ebuild">pixman</product>
<announced>December 13, 2016</announced>
<revised>December 13, 2016: 2</revised>
<bug>561526</bug>
<access>remote</access>
<affected>
<package name="x11-libs/pixman" auto="yes" arch="*">
<unaffected range="ge">0.32.8</unaffected>
<vulnerable range="lt">0.32.8</vulnerable>
</package>
</affected>
<background>
<p>Pixman is a pixel manipulation library.</p>
</background>
<description>
<p>In pixman-general, careless computations done with the dest_buffer
pointer may overflow, failing the buffer upper limit check.
</p>
</description>
<impact type="normal">
<p>A remote attacker could possibly cause a Denial of Service condition, or
execute arbitrary code with the privileges of the process.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Pixman users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=x11-libs/pixman-0.32.8"
</code>
</resolution>
<references>
<uri link="http://lists.x.org/archives/xorg-announce/2015-September/002637.html">
Pixman 0.32.8 Release Notes
</uri>
</references>
<metadata tag="requester" timestamp="Thu, 25 Feb 2016 08:11:30 +0000">
BlueKnight
</metadata>
<metadata tag="submitter" timestamp="Tue, 13 Dec 2016 06:59:37 +0000">whissi</metadata>
</glsa>

49
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-38.xml vendored Normal file
View File

@ -0,0 +1,49 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201612-38">
<title>Botan: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Botan, the worst of
which allows remote attackers to execute arbitrary code.
</synopsis>
<product type="ebuild">botan</product>
<announced>December 13, 2016</announced>
<revised>December 13, 2016: 2</revised>
<bug>574034</bug>
<access>remote</access>
<affected>
<package name="dev-libs/botan" auto="yes" arch="*">
<unaffected range="ge">1.10.12</unaffected>
<vulnerable range="lt">1.10.12</vulnerable>
</package>
</affected>
<background>
<p>Botan (Japanese for peony) is a cryptography library written in C++11.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Botan. Please review
the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could possibly execute arbitrary code with the
privileges of the process, or cause a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Botan users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-libs/botan-1.10.12"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2194">CVE-2016-2194</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2195">CVE-2016-2195</uri>
</references>
<metadata tag="requester" timestamp="Tue, 29 Nov 2016 22:26:17 +0000">whissi</metadata>
<metadata tag="submitter" timestamp="Tue, 13 Dec 2016 06:59:50 +0000">whissi</metadata>
</glsa>

53
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-39.xml vendored Normal file
View File

@ -0,0 +1,53 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201612-39">
<title>Bash: Arbitrary code execution</title>
<synopsis>A vulnerability in Bash could potentially lead to arbitrary code
execution.
</synopsis>
<product type="ebuild">bash</product>
<announced>December 13, 2016</announced>
<revised>December 13, 2016: 2</revised>
<bug>594496</bug>
<access>remote</access>
<affected>
<package name="app-shells/bash" auto="yes" arch="*">
<unaffected range="ge">4.3_p46-r1</unaffected>
<vulnerable range="lt">4.3_p46-r1</vulnerable>
</package>
</affected>
<background>
<p>Bash is the standard GNU Bourne Again SHell.</p>
</background>
<description>
<p>A vulnerability was found in the way Bash expands $HOSTNAME. Injecting
malicious code into $HOSTNAME could cause it to run each time Bash
expands \h in the prompt string.
</p>
</description>
<impact type="normal">
<p>A remote attacker controlling the systems hostname (i.e. via DHCP)
could possibly execute arbitrary code with the privileges of the process,
or cause a Denial of
Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Bash users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-shells/bash-4.3_p46-r1"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0634">CVE-2016-0634</uri>
</references>
<metadata tag="requester" timestamp="Fri, 23 Sep 2016 02:45:43 +0000">
BlueKnight
</metadata>
<metadata tag="submitter" timestamp="Tue, 13 Dec 2016 07:00:09 +0000">whissi</metadata>
</glsa>

56
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-40.xml vendored Normal file
View File

@ -0,0 +1,56 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201612-40">
<title>SQUASHFS: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in SQUASHFS, the worst of
which may allow execution of arbitrary code.
</synopsis>
<product type="ebuild">squashfs-tools</product>
<announced>December 13, 2016</announced>
<revised>December 13, 2016: 2</revised>
<bug>427356</bug>
<access>remote</access>
<affected>
<package name="squashfs-tools" auto="yes" arch="*">
<unaffected range="ge">4.3</unaffected>
<vulnerable range="lt">4.3</vulnerable>
</package>
</affected>
<background>
<p>Squashfs is a compressed read-only filesystem for Linux. Squashfs is
intended for general read-only filesystem use, for archival use (i.e. in
cases where a .tar.gz file may be used), and in constrained block
device/memory systems (e.g. embedded systems) where low overhead is
needed.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in SQUASHFS. Please review
the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could entice a user to open a specially crafted .sqsh
file using unsquashfs; possibly resulting in the execution of arbitrary
code with the privileges of the process, or a Denial of Service
condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All squashfs-tools users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=squashfs-tools-4.3"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4024">CVE-2012-4024</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4025">CVE-2012-4025</uri>
</references>
<metadata tag="requester" timestamp="Tue, 29 Nov 2016 23:27:04 +0000">whissi</metadata>
<metadata tag="submitter" timestamp="Tue, 13 Dec 2016 07:00:20 +0000">whissi</metadata>
</glsa>

59
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-41.xml vendored Normal file
View File

@ -0,0 +1,59 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201612-41">
<title>WebKitGTK+: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in WebKitGTK+, the worst
of which may allow execution of arbitrary code.
</synopsis>
<product type="ebuild">webkit-gtk</product>
<announced>December 13, 2016</announced>
<revised>December 13, 2016: 3</revised>
<bug>570034</bug>
<access>remote</access>
<affected>
<package name="net-libs/webkit-gtk" auto="yes" arch="*">
<unaffected range="ge">2.4.10-r200</unaffected>
<vulnerable range="lt">2.4.10-r200</vulnerable>
</package>
</affected>
<background>
<p>WebKitGTK+ is a full-featured port of the WebKit rendering engine,
suitable for projects requiring any kind of web integration, from hybrid
HTML/CSS applications to full-fledged web browsers. It offers WebKits
full functionality and is useful in a wide range of systems from desktop
computers to embedded systems like phones, tablets, and televisions.
WebKitGTK+ is made by a lively community of developers and designers, who
hope to bring the web platform to everyone. Its the official web
engine of the GNOME platform and is used in browsers such as Epiphany and
Midori.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in WebKitGTK+. Please
review the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker can use multiple vectors to execute arbitrary code or
cause a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All WebKitGTK+ users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-libs/webkit-gtk-2.4.10-r200"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4412">CVE-2014-4412</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4413">CVE-2014-4413</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4414">CVE-2014-4414</uri>
</references>
<metadata tag="requester" timestamp="Sat, 12 Mar 2016 11:54:30 +0000">b-man</metadata>
<metadata tag="submitter" timestamp="Tue, 13 Dec 2016 13:01:16 +0000">whissi</metadata>
</glsa>

52
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-42.xml vendored Normal file
View File

@ -0,0 +1,52 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201612-42">
<title>Zabbix: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Zabbix, the worst of
which may allow execution of arbitrary code.
</synopsis>
<product type="ebuild">zabbix</product>
<announced>December 13, 2016</announced>
<revised>December 13, 2016: 1</revised>
<bug>582536</bug>
<bug>598762</bug>
<access>remote</access>
<affected>
<package name="net-analyzer/zabbix" auto="yes" arch="*">
<unaffected range="ge">2.2.16</unaffected>
<vulnerable range="lt">2.2.16</vulnerable>
</package>
</affected>
<background>
<p>Zabbix is software for monitoring applications, networks, and servers.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Zabbix. Please review
the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could possibly execute arbitrary code with the
privileges of the process, or cause a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Zabbix users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-analyzer/zabbix-2.2.16"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4338">CVE-2016-4338</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9140">CVE-2016-9140</uri>
</references>
<metadata tag="requester" timestamp="Tue, 21 Jul 2015 02:35:28 +0000">
BlueKnight
</metadata>
<metadata tag="submitter" timestamp="Tue, 13 Dec 2016 11:41:09 +0000">whissi</metadata>
</glsa>

65
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201612-43.xml vendored Normal file
View File

@ -0,0 +1,65 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201612-43">
<title>Node.js: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Node.js, the worst of
which can allow remote attackers to cause Denial of Service conditions.
</synopsis>
<product type="ebuild">nodejs</product>
<announced>December 13, 2016</announced>
<revised>December 13, 2016: 1</revised>
<bug>568900</bug>
<bug>586084</bug>
<bug>595256</bug>
<access>remote</access>
<affected>
<package name="net-libs/nodejs" auto="yes" arch="*">
<unaffected range="rge">0.12.17</unaffected>
<unaffected range="ge">4.6.1</unaffected>
<vulnerable range="lt">4.6.1</vulnerable>
</package>
</affected>
<background>
<p>Node.js is a JavaScript runtime built on Chromes V8 JavaScript
engine.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Node.js. Please review
the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could possibly cause a Denial of Service condition, or
conduct man-in-the-middle attacks.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Node.js 0.12.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-libs/nodejs-0.12.17"
</code>
<p>All Node.js 4.6.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-libs/nodejs-4.6.1"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8027">CVE-2015-8027</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2086">CVE-2016-2086</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2216">CVE-2016-2216</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5325">CVE-2016-5325</uri>
</references>
<metadata tag="requester" timestamp="Wed, 07 Sep 2016 07:02:17 +0000">
BlueKnight
</metadata>
<metadata tag="submitter" timestamp="Tue, 13 Dec 2016 14:35:08 +0000">whissi</metadata>
</glsa>

2
sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk vendored
View File

@ -1 +1 @@
Mon, 12 Dec 2016 00:43:15 +0000
Tue, 13 Dec 2016 20:13:14 +0000