bump(metadata/glsa): sync with upstream

2025-08-17 18:06:59 +02:00 · 2017-06-21 19:41:13 -07:00 · 2017-06-21 19:41:13 -07:00 · c91edc8b51
commit c91edc8b51
parent 38abe6bf30
7 changed files with 306 additions and 2 deletions
--- a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201706-16.xml
+++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201706-16.xml
@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201706-16">
+  <title>GNU Wget: Header injection</title>
+  <synopsis>A header injection vulnerability in GNU Wget might allow remote
+    attackers to inject arbitrary HTTP headers.
+  </synopsis>
+  <product type="ebuild">wget</product>
+  <announced>2017-06-20</announced>
+  <revised>2017-06-20: 1</revised>
+  <bug>612326</bug>
+  <access>remote</access>
+  <affected>
+    <package name="net-misc/wget" auto="yes" arch="*">
+      <unaffected range="ge">1.19.1-r1</unaffected>
+      <vulnerable range="lt">1.19.1-r1</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>GNU Wget is a free software package for retrieving files using HTTP,
+      HTTPS and FTP, the most widely-used Internet protocols.
+    </p>
+  </background>
+  <description>
+    <p>It was discovered that there was a header injection vulnerability in GNU
+      Wget which allowed remote attackers to inject arbitrary HTTP headers via
+      CRLF sequences in the host subcomponent of a URL.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>A remote attacker could inject arbitrary HTTP headers in requests by
+      tricking a user running GNU Wget into processing crafted URLs.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All GNU Wget users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=net-misc/wget-1.19.1-r1"
+    </code>
+    
+  </resolution>
+  <references>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6508">CVE-2017-6508</uri>
+  </references>
+  <metadata tag="requester" timestamp="2017-03-23T20:33:13Z">whissi</metadata>
+  <metadata tag="submitter" timestamp="2017-06-20T17:09:12Z">whissi</metadata>
+</glsa>
--- a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201706-17.xml
+++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201706-17.xml
@ -0,0 +1,59 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201706-17">
+  <title>Kodi: Multiple vulnerabilities</title>
+  <synopsis>Multiple vulnerabilities have been found in Kodi, the worst of
+    which could allow remote attackers to execute arbitrary code.
+  </synopsis>
+  <product type="ebuild">kodi</product>
+  <announced>2017-06-20</announced>
+  <revised>2017-06-20: 1</revised>
+  <bug>549342</bug>
+  <bug>619492</bug>
+  <access>remote</access>
+  <affected>
+    <package name="media-tv/kodi" auto="yes" arch="*">
+      <unaffected range="ge">17.2</unaffected>
+      <vulnerable range="lt">17.2</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>Kodi (formerly XBMC) is a free and open-source media player software
+      application.
+    </p>
+  </background>
+  <description>
+    <p>Multiple vulnerabilities have been discovered in Kodi. Please review the
+      CVE identifiers referenced below for details.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>A remote attacker could entice a user to open a specially crafted image
+      file using Kodi, possibly resulting in a Denial of Service condition.
+    </p>
+    
+    <p>Furthermore, a remote attacker could entice a user process a specially
+      crafted ZIP file containing subtitles using Kodi, possibly resulting in
+      execution of arbitrary code with the privileges of the process or a
+      Denial of Service condition.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All Kodi users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=media-tv/kodi-17.2"
+    </code>
+    
+  </resolution>
+  <references>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3885">CVE-2015-3885</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8314">CVE-2017-8314</uri>
+  </references>
+  <metadata tag="requester" timestamp="2017-06-06T16:37:32Z">whissi</metadata>
+  <metadata tag="submitter" timestamp="2017-06-20T17:18:36Z">whissi</metadata>
+</glsa>
--- a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201706-18.xml
+++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201706-18.xml
@ -0,0 +1,56 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201706-18">
+  <title>mbed TLS: Multiple vulnerabilities</title>
+  <synopsis>Multiple vulnerabilities have been found in mbed TLS, the worst of
+    which could lead to the remote execution of arbitrary code.
+  </synopsis>
+  <product type="ebuild">mbedtls</product>
+  <announced>2017-06-20</announced>
+  <revised>2017-06-20: 1</revised>
+  <bug>562608</bug>
+  <bug>571102</bug>
+  <bug>618824</bug>
+  <access>remote</access>
+  <affected>
+    <package name="net-libs/mbedtls" auto="yes" arch="*">
+      <unaffected range="ge">2.4.2</unaffected>
+      <vulnerable range="lt">2.4.2</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>mbed TLS (previously PolarSSL) is an “easy to understand, use,
+      integrate and expand” implementation of the TLS and SSL protocols and
+      the respective cryptographic algorithms and support code required.
+    </p>
+  </background>
+  <description>
+    <p>Multiple vulnerabilities have been discovered in mbed TLS. Please review
+      the CVE identifiers referenced below for details.
+    </p>
+  </description>
+  <impact type="high">
+    <p>A remote attacker could possibly execute arbitrary code with the
+      privileges of the process, or cause a Denial of Service condition.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All mbed TLS users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=net-libs/mbedtls-2.4.2"
+    </code>
+    
+  </resolution>
+  <references>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5291">CVE-2015-5291</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7575">CVE-2015-7575</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2784">CVE-2017-2784</uri>
+  </references>
+  <metadata tag="requester" timestamp="2017-04-17T22:12:43Z">BlueKnight</metadata>
+  <metadata tag="submitter" timestamp="2017-06-20T17:42:02Z">whissi</metadata>
+</glsa>
--- a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201706-19.xml
+++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201706-19.xml
@ -0,0 +1,61 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201706-19">
+  <title>GNU C Library: Multiple vulnerabilities</title>
+  <synopsis>Multiple vulnerabilities have been found in the GNU C Library, the
+    worst of which may allow execution of arbitrary code.
+  </synopsis>
+  <product type="ebuild">glibc</product>
+  <announced>2017-06-20</announced>
+  <revised>2017-06-20: 2</revised>
+  <bug>608698</bug>
+  <bug>608706</bug>
+  <bug>622220</bug>
+  <access>local, remote</access>
+  <affected>
+    <package name="sys-libs/glibc" auto="yes" arch="*">
+      <unaffected range="ge">2.23-r4</unaffected>
+      <vulnerable range="lt">2.23-r4</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>The GNU C library is the standard C library used by Gentoo Linux
+      systems.
+    </p>
+  </background>
+  <description>
+    <p>Multiple vulnerabilities have been discovered in the GNU C Library.
+      Please review the CVE identifiers and Qualys’ security advisory
+      referenced below for details.
+    </p>
+  </description>
+  <impact type="high">
+    <p>An attacker could possibly execute arbitrary code with the privileges of
+      the process, escalate privileges or cause a Denial of Service condition.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All GNU C Library users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=sys-libs/glibc-2.23-r4"
+    </code>
+    
+  </resolution>
+  <references>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5180">CVE-2015-5180</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6323">CVE-2016-6323</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1000366">
+      CVE-2017-1000366
+    </uri>
+    <uri link="https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt">
+      Qualys Security Advisory - The Stack Clash
+    </uri>
+  </references>
+  <metadata tag="requester" timestamp="2017-06-20T17:01:37Z">whissi</metadata>
+  <metadata tag="submitter" timestamp="2017-06-20T17:49:43Z">whissi</metadata>
+</glsa>
--- a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201706-20.xml
+++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201706-20.xml
@ -0,0 +1,76 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201706-20">
+  <title>Chromium: Multiple vulnerabilities</title>
+  <synopsis>Multiple vulnerabilities have been found in the Chromium web
+    browser, the worst of which allows remote attackers to execute arbitrary
+    code.
+  </synopsis>
+  <product type="ebuild">Chromium</product>
+  <announced>2017-06-20</announced>
+  <revised>2017-06-20: 1</revised>
+  <bug>617504</bug>
+  <bug>620956</bug>
+  <bug>621886</bug>
+  <access>remote</access>
+  <affected>
+    <package name="www-client/chromium" auto="yes" arch="*">
+      <unaffected range="ge">59.0.3071.104</unaffected>
+      <vulnerable range="lt">59.0.3071.104</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>Chromium is an open-source browser project that aims to build a safer,
+      faster, and more stable way for all users to experience the web.
+    </p>
+  </background>
+  <description>
+    <p>Multiple vulnerabilities have been discovered in the Chromium web
+      browser. Please review the CVE identifiers referenced below for details.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>A remote attacker could possibly execute arbitrary code with the
+      privileges of the process, cause a Denial of Service condition, obtain
+      sensitive information, bypass security restrictions or spoof content.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All Chromium users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose
+      "&gt;=www-client/chromium-59.0.3071.104"
+    </code>
+    
+  </resolution>
+  <references>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5068">CVE-2017-5068</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5070">CVE-2017-5070</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5071">CVE-2017-5071</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5072">CVE-2017-5072</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5073">CVE-2017-5073</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5074">CVE-2017-5074</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5075">CVE-2017-5075</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5076">CVE-2017-5076</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5077">CVE-2017-5077</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5078">CVE-2017-5078</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5079">CVE-2017-5079</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5080">CVE-2017-5080</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5081">CVE-2017-5081</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5082">CVE-2017-5082</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5083">CVE-2017-5083</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5084">CVE-2017-5084</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5085">CVE-2017-5085</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5086">CVE-2017-5086</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5087">CVE-2017-5087</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5088">CVE-2017-5088</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5089">CVE-2017-5089</uri>
+  </references>
+  <metadata tag="requester" timestamp="2017-06-09T11:21:16Z">whissi</metadata>
+  <metadata tag="submitter" timestamp="2017-06-20T19:00:15Z">whissi</metadata>
+</glsa>
--- a/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk
+++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk
@ -1 +1 @@
-Fri, 16 Jun 2017 18:39:35 +0000
+Thu, 22 Jun 2017 02:08:59 +0000
--- a/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.commit
+++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.commit
@ -1 +1 @@
-c2f911fc13b81dd715a1b756f739b077f8718170 1496836599 2017-06-07T11:56:39+00:00
+18375d0b60539dde07bb13258d4de5105b9e188e 1497985227 2017-06-20T19:00:27+00:00