Merge pull request #3990 from flatcar/buildbot/monthly-glsa-metadata-updates-2026-05-01

Monthly GLSA metadata 2026-05-01
2026-05-05 04:06:33 +02:00 · 2026-05-04 13:02:54 +02:00 · 2026-05-04 13:02:54 +02:00 · c4b6797a89
commit c4b6797a89
parent 400b4dabd4 fa3b9c0ad2
6 changed files with 103 additions and 18 deletions
--- a/sdk_container/src/third_party/portage-stable/metadata/glsa/Manifest
+++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/Manifest
@ -1,24 +1,24 @@
 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA512

-MANIFEST Manifest.files.gz 606986 BLAKE2B a1a7c8f65fa2d227109ddc598ecd792925cbf4dd59fd721d0e3d30d2ca2d680abe6f48efd8c7f747286a8b9b83dd77ab08effbd12fd5cff7aea22ff05b4b3249 SHA512 1d46d342b6898d53ef6e234a4ca25659b7a64373067f8d911b4a7efe73a227178e519cb54901fc15172d8a4113aeafaf14390ce5e552d1e17e50d3297a8f0701
-TIMESTAMP 2026-04-01T07:08:01Z
+MANIFEST Manifest.files.gz 607306 BLAKE2B 92017b6799c6b9c6711d15259ccc5be7553c29a3562d24a367c7d7fa515cce981f1217aad923c07afa53479c855092c79ea478c7db5c27df5970742f0481eaaf SHA512 4fb6dcd2062715f4926aa685e41323a46d1b1f83e7be9008f32bd997a354c2cf495d9a497cf42a39b59bc734dabbeb4a8cb987031227e5f6741d4c6fc3ec95bf
+TIMESTAMP 2026-05-01T07:08:09Z
 -----BEGIN PGP SIGNATURE-----

-iQKvBAEBCgCZFiEE4dartjv8+0ugL98c7FkO6skYklAFAmnMxFEbFIAAAAAABAAO
+iQKvBAEBCgCZFiEE4dartjv8+0ugL98c7FkO6skYklAFAmn0UVkbFIAAAAAABAAO
 bWFudTIsMi41KzEuMTEsMiwyXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25z
 Lm9wZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRFMUQ2QUJCNjNCRkNGQjRCQTAyRkRG
-MUNFQzU5MEVFQUM5MTg5MjUwAAoJEOxZDurJGJJQCCMQAJqLP7jt/MtqrWUu66/N
-g4C4QYQY65p5tHkq6lFs/X24MeAtuRUgKbaOQm02KZJNb61bvZBdgtNE8P14qWJX
-LtJ8hqYOJiDT3hDhnL5Z+UbjIxDdn6m2udztvXvdkgRiQEUnhaTv8BpeOwvdGnZ4
-nswP+jJ5hMK4tYuMFy96jO39jKAbKo4HNYQCW8CJe4/HRSboXe20Z+N74xqq5M2e
-aajm7K7adRALxIYM2Ih3V64LfVsPn31TzMfXaFk0y4p3f82uZ/hTophDZIdePR0M
-a1hkcQRPdHOmbVftt3llye5XoSmq0d+Pie7axQUJVwlFd+gORzNqvK3U+9PeeKjB
-FU6wU1vmR2mlIE90prbdDKPkoNhOnn9CVLHRHYl0M8WLh4TATrDl0HcUbEOrE/CC
-vay9V4s+lABWZh2D/BToIrWUs0UMpWtt/5e5ZANrECj7T5ExWngHY7zCCDn1dySw
-Poabc3KIQlBzmstxNBqTUIvxdaxhvF+Hh7Fj4Grzzmsgio76mBhQLUF2ML8vquVe
-ipeNd0fnGIWUN6eGdC6BZ73wVC66r53bSjHPMa+N6KyCgmHbGP/HCE0GuUvnKtBc
-joBONGhatuZEM3zLIMLLxHg4cMYVEF2vA19Mh89OhYQDlIbEf5Bc/LpPYOtN3LdD
-vHcXTmn2vbBiAIieKmqm6Elk
-=iTBC
+MUNFQzU5MEVFQUM5MTg5MjUwAAoJEOxZDurJGJJQehAQAIbfYrOfZXXVM5NCsVSH
+s9QR1OC6QdiSTci3jmOmSqRzMQtIEq0MpOmuFYtJuoCZcGuE8jKpSyx12PArZRYW
+abGU7C+hGt6qF73p47FewiTLHQv3kBEKV8H/sJCuFv6aoOqczSxFnpJiIDP2Cr2O
+5oQtnpvS06Yu+GcRzkwiKQ05UP4yprfoFk7Y7RlaTniVoSNdXwTEVF33CuJNQyT8
+7mD68mxYAlL71M56yE7a6AZPMd+QpqJf+mqpGBMAO3A9J0UHdYTnQG4RZZsgLvvy
+Zg0hSafEedVmokw5Iw8QqGdBHscCoL2H5I+0rPhjwHto9MrD5lmFYWh10xi3ncGW
+EV7YKfY7nzr2UdPWyingtMcHXgUz4oo1rNHSfBJ9bNizqxraJUFo4ZEC7xTHyeiB
+yjKPVOFXkr0njGso3O6Xo+KRyG5bfNWst3Bz5E6rxlGozwEZtvtfOHYrUe8vzQHp
+LNmczBy8M13dMC6DIYtalp9Gdi9K8Si+bFCepe9Ux92DFDcaymT3WyJauva+3NT/
+g76MRRW9Ez/p7h1J0wRYF0GLLaYC7l7kr4pavUHu8VvP0SS/fQanCmIpnPYUUqwe
+/rzIzuZGtU1lW0ynXlGiosxh3zIQgw7WthjlsQTWH3XiRu02ZKrkCDY56ZDmmGl0
+INhWuascPpUN8zEuK0URt1zS
+=xCZR
 -----END PGP SIGNATURE-----
--- a/sdk_container/src/third_party/portage-stable/metadata/glsa/Manifest.files.gz
+++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/Manifest.files.gz
--- a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202604-03.xml
+++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202604-03.xml
@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202604-03">
+    <title>FUSE: Multiple Vulnerabilities</title>
+    <synopsis>Multiple vulnerabilities have been found in FUSE, the worst of which can lead to code execution.</synopsis>
+    <product type="ebuild">fuse</product>
+    <announced>2026-04-17</announced>
+    <revised count="1">2026-04-17</revised>
+    <bug>971552</bug>
+    <access>remote</access>
+    <affected>
+        <package name="sys-fs/fuse" auto="yes" arch="*">
+            <unaffected range="ge" slot="3">3.18.1</unaffected>
+            <vulnerable range="lt" slot="3">3.18.1</vulnerable>
+        </package>
+    </affected>
+    <background>
+        <p>FUSE (Filesystem in Userspace) is an interface for userspace programs to export a filesystem to the Linux kernel.</p>
+    </background>
+    <description>
+        <p>The following vulnerabilities have been discovered in FUSE: a NULL pointer dereference (when running with the NUMA architecture) and a use-after-free. The worst of which can lead to code execution. Please review the CVE identifiers referenced below for details.</p>
+    </description>
+    <impact type="normal">
+        <p>The following is a possible outcome: denial of service (crash) and potential code execution.</p>
+    </impact>
+    <workaround>
+        <p>There is no known workaround at this time.</p>
+    </workaround>
+    <resolution>
+        <p>All FUSE users should upgrade to the latest version:</p>
+        
+        <code>
+          # emerge --sync
+          # emerge --ask --oneshot --verbose ">=sys-fs/fuse-3.18.1:3"
+        </code>
+    </resolution>
+    <references>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2026-33150">CVE-2026-33150</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2026-33179">CVE-2026-33179</uri>
+    </references>
+    <metadata tag="requester" timestamp="2026-04-17T19:33:25.077082Z">csfore</metadata>
+    <metadata tag="submitter" timestamp="2026-04-17T19:33:25.079638Z">csfore</metadata>
+</glsa>
--- a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202604-04.xml
+++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202604-04.xml
@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202604-04">
+    <title>DTrace: Arbitrary file creation via dtprobed</title>
+    <synopsis>A DTrace component, dtprobed, allows arbitrary file creation through crafted USDT provider names.</synopsis>
+    <product type="ebuild">dtrace</product>
+    <announced>2026-04-17</announced>
+    <revised count="1">2026-04-17</revised>
+    <bug>971491</bug>
+    <access>local</access>
+    <affected>
+        <package name="dev-debug/dtrace" auto="yes" arch="*">
+            <unaffected range="ge">2.0.6</unaffected>
+            <vulnerable range="lt">2.0.6</vulnerable>
+        </package>
+    </affected>
+    <background>
+        <p>DTrace is a dynamic tracing tool for analysing or debugging the whole system. Specifically, dtprobed is a component of the DTrace system that keeps track of USDT probes within running processes, parsing and storing the DOF they provide for later consumption by dtrace proper.</p>
+    </background>
+    <description>
+        <p>A vulnerability has been found in dtprobed that allows for arbitrary file creation through specially crafted USDT provider names.</p>
+    </description>
+    <impact type="normal">
+        <p>The worst possible outcome is the ability for an attacker to run arbitrary code via the maliciously created file.</p>
+    </impact>
+    <workaround>
+        <p>There is no known workaround at this time.</p>
+    </workaround>
+    <resolution>
+        <p>All DTrace users should upgrade to the latest version:</p>
+        
+        <code>
+          # emerge --sync
+          # emerge --ask --oneshot --verbose ">=dev-debug/dtrace-2.0.6"
+        </code>
+    </resolution>
+    <references>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2026-21991">CVE-2026-21991</uri>
+    </references>
+    <metadata tag="requester" timestamp="2026-04-17T20:47:15.308512Z">csfore</metadata>
+    <metadata tag="submitter" timestamp="2026-04-17T20:47:15.311877Z">csfore</metadata>
+</glsa>
--- a/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk
+++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk
@ -1 +1 @@
-Wed, 01 Apr 2026 07:08:00 +0000
+Fri, 01 May 2026 07:08:08 +0000
--- a/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.commit
+++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.commit
@ -1 +1 @@
-d2078931cc4cb1c6d04130dacbed885a7d2bf71c 1773030064 2026-03-09T04:21:04Z
+f40d2fdd24a34342a4c050396f064a038ebebb9b 1776459195 2026-04-17T20:53:15Z