From d3ed097affb676a78b6fb5c090e0dea525e7c5dc Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak
Date: Tue, 25 Feb 2025 14:42:23 +0100
Subject: [PATCH] overlay profiles: Add some security-related accept keywords
---
 .../coreos/base/package.accept_keywords | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
index ee7146ad57..6d19f11843 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
@@ -10,6 +10,9 @@
 # Keep versions on both arches in sync.
 =app-containers/cri-tools-1.32.0 ~arm64
 
+# Needed to address CVE-2024-11218.
+=app-containers/podman-5.3.2 ~amd64 ~arm64
+
 # Seems to be the only available ebuild in portage-stable right now.
 =app-crypt/adcli-0.9.2 ~arm64
 
@@ -39,6 +42,9 @@
 # The only available ebuild (from GURU) has ~amd64 and no keyword for arm64 yet.
 =dev-libs/jose-12 **
 
+# Needed to address CVE-2024-12133.
+=dev-libs/libtasn1-4.20.0 ~amd64 ~arm64
+
 # The only available ebuild (from GURU) has ~amd64 and no keyword for arm64 yet.
 =dev-libs/luksmeta-9-r1 **
 
@@ -54,8 +60,18 @@
 
 # Keep versions on both arches in sync.
 =net-firewall/conntrack-tools-1.4.8-r1 ~arm64
+
+# Needed to address CVE-2024-12243.
+=net-libs/gnutls-3.8.9 ~amd64 ~arm64
+
+# Keep versions on both arches in sync.
 =net-libs/libnetfilter_cthelper-1.0.1-r1 ~arm64
 =net-libs/libnetfilter_cttimeout-1.0.1 ~arm64
+
+# Needed to address CVE-2025-0167, CVE-2025-0665, CVE-2025-0725.
+=net-misc/curl-8.12.1 ~amd64 ~arm64
+
+# Keep versions on both arches in sync.
 =net-misc/openssh-9.9_p2 ~arm64
 
 # Needed to address CVE-2024-54661
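Review bot: The new `=app-containers/podman-5.3.2 ~amd64 ~arm64` entry pins one exact version, and its comment names the CVE but not when the override can go away. An `=` atom matches only that version and revision, so the entry stops applying as soon as the ebuild is bumped again, and nothing here tells the next maintainer whether the pin is still needed. The same holds for the libtasn1, gnutls, curl and binutils entries added in the later hunks. I would extend each comment with the removal condition, for example `# Needed to address CVE-2024-11218. Drop once a fixed version is stable on amd64 and arm64.`, so stale security overrides are easy to spot.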
@@ -82,6 +98,11 @@
 # Enable ipvsadm for arm64.
 =sys-cluster/ipvsadm-1.31-r1 ~arm64
 
+# Needed to address CVE-2024-53589, CVE-2025-1176, CVE-2025-1178,
+# CVE-2025-1179, CVE-2025-1180, CVE-2025-1181, CVE-2025-1182.
+=sys-devel/binutils-2.44 ~amd64 ~arm64
+=sys-libs/binutils-libs-2.44 ~amd64 ~arm64
+
 # Keep versions on both arches in sync.
 =sys-libs/libsemanage-3.7 ~arm64
 =sys-process/audit-4.0.2-r1 ~arm64
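Review bot: The comment above the two binutils atoms credits version 2.44 with seven CVEs, but the hunk gives no pointer to where that mapping comes from. Both atoms pin the plain `2.44` revision, so a reader cannot tell from this file whether every listed fix is in that ebuild or only arrives with a later revision; I cannot confirm the mapping from the diff alone. A reference to the advisory or tracking bug in the comment would make it checkable. Since the two packages are presumably meant to move together, it would also help to say so, e.g. `# Keep sys-devel/binutils and sys-libs/binutils-libs at the same version.`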