bump(metadata/glsa): sync with upstream

2025-09-01 03:41:11 +02:00 · 2017-04-07 14:53:34 -07:00 · 2017-04-07 14:53:34 -07:00 · d4bd5db5a4
commit d4bd5db5a4
parent 1e63ab8ae6
5 changed files with 224 additions and 1 deletions
--- a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201703-04.xml
+++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201703-04.xml
@ -0,0 +1,60 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201703-04">
+  <title>cURL: Certificate validation error</title>
+  <synopsis>A coding error has been found in cURL, causing the TLS Certificate
+    Status Request extension check to always return true.
+  </synopsis>
+  <product type="ebuild">curl</product>
+  <announced>2017-03-28</announced>
+  <revised>2017-03-28: 1</revised>
+  <bug>610572</bug>
+  <access>remote</access>
+  <affected>
+    <package name="net-misc/curl" auto="yes" arch="*">
+      <unaffected range="ge">7.53.0</unaffected>
+      <vulnerable range="lt">7.53.0</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>cURL is a tool and libcurl is a library for transferring data with URL
+      syntax.
+    </p>
+  </background>
+  <description>
+    <p>cURL and applications linked against libcurl support “OCSP
+      stapling”, also known as the TLS Certificate Status Request extension
+      (using the CURLOPT_SSL_VERIFYSTATUS option). When telling cURL to use
+      this feature, it uses that TLS extension to ask for a fresh proof of the
+      server’s certificate’s validity. If the server doesn’t support the
+      extension, or fails to provide said proof, cURL is expected to return an
+      error.
+      Due to a coding mistake, the code that checks for a test success or
+      failure, ends up always thinking there’s valid proof, even when there
+      is none or if the server doesn’t support the TLS extension in question.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>Due to the error, a user maybe does not detect when a server’s
+      certificate goes invalid or otherwise be mislead that the server is in a
+      better shape than it is in reality.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All cURL users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=net-misc/curl-7.53.0"
+    </code>
+    
+  </resolution>
+  <references>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2629">CVE-2017-2629</uri>
+  </references>
+  <metadata tag="requester" timestamp="2017-03-07T21:41:04Z">BlueKnight</metadata>
+  <metadata tag="submitter" timestamp="2017-03-28T01:57:09Z">whissi</metadata>
+</glsa>
--- a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201703-05.xml
+++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201703-05.xml
@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201703-05">
+  <title>GNU Libtasn1: Denial of Service</title>
+  <synopsis>A vulnerability in Libtasn1 allows remote attackers to cause a
+    Denial of Service condition.
+  </synopsis>
+  <product type="ebuild">libtasn1</product>
+  <announced>2017-03-28</announced>
+  <revised>2017-03-28: 1</revised>
+  <bug>579748</bug>
+  <access>remote</access>
+  <affected>
+    <package name="dev-libs/libtasn1" auto="yes" arch="*">
+      <unaffected range="ge">4.8</unaffected>
+      <vulnerable range="lt">4.8</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>A library that provides Abstract Syntax Notation One (ASN.1, as
+      specified by the X.680 ITU-T recommendation) parsing and structures
+      management, and Distinguished Encoding Rules (DER, as per X.690) encoding
+      and decoding functions.
+    </p>
+  </background>
+  <description>
+    <p>Libtasn1 does not correctly handle certain malformed DER certificates.</p>
+  </description>
+  <impact type="normal">
+    <p>A remote attacker could entice a user or automated system to process a
+      specially crafted certificate using Libtasn1, resulting in a Denial of
+      Service condition.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All Libtasn1 users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=dev-libs/libtasn1-4.8"
+    </code>
+  </resolution>
+  <references>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4008">CVE-2016-4008</uri>
+  </references>
+  <metadata tag="requester" timestamp="2017-02-22T11:00:00Z">b-man</metadata>
+  <metadata tag="submitter" timestamp="2017-03-28T02:54:28Z">whissi</metadata>
+</glsa>
--- a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201703-06.xml
+++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201703-06.xml
@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201703-06">
+  <title>Deluge: Remote execution of arbitrary code </title>
+  <synopsis>A vulnerability in Deluge might allow remote attackers to execute
+    arbitrary code.
+  </synopsis>
+  <product type="ebuild">deluge</product>
+  <announced>2017-03-28</announced>
+  <revised>2017-03-28: 1</revised>
+  <bug>612144</bug>
+  <access>remote</access>
+  <affected>
+    <package name="net-p2p/deluge" auto="yes" arch="*">
+      <unaffected range="ge">1.3.14</unaffected>
+      <vulnerable range="lt">1.3.14</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>Deluge is a BitTorrent client.</p>
+  </background>
+  <description>
+    <p>A CSRF vulnerability was discovered in the web UI of Deluge.</p>
+  </description>
+  <impact type="normal">
+    <p>A remote attacker could entice a user currently logged in into Deluge
+      web UI to visit a malicious web page which uses forged requests to make
+      Deluge download and install a Deluge plug-in provided by the attacker.
+      The plug-in can then execute arbitrary code as the user running Deluge.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All Deluge users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=net-p2p/deluge-1.3.14"
+    </code>
+    
+  </resolution>
+  <references>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7178">CVE-2017-7178</uri>
+  </references>
+  <metadata tag="requester" timestamp="2017-03-18T12:56:30Z">whissi</metadata>
+  <metadata tag="submitter" timestamp="2017-03-28T03:08:19Z">whissi</metadata>
+</glsa>
--- a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201703-07.xml
+++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201703-07.xml
@ -0,0 +1,63 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201703-07">
+  <title>Xen: Privilege Escalation</title>
+  <synopsis>A vulnerability in Xen's bundled QEMU version might allow privilege
+    escalation.
+  </synopsis>
+  <product type="ebuild">xen</product>
+  <announced>2017-03-28</announced>
+  <revised>2017-03-28: 1</revised>
+  <bug>609120</bug>
+  <access>local</access>
+  <affected>
+    <package name="app-emulation/xen-tools" auto="yes" arch="*">
+      <unaffected range="ge">4.7.1-r8</unaffected>
+      <vulnerable range="lt">4.7.1-r8</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>Xen is a bare-metal hypervisor.</p>
+  </background>
+  <description>
+    <p>In CIRRUS_BLTMODE_MEMSYSSRC mode the bitblit copy routine
+      cirrus_bitblt_cputovideo fails to check wethehr the specified memory
+      region is safe.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>A local attacker could potentially execute arbitrary code with
+      privileges of Xen (QEMU) process on the host, gain privileges on the host
+      system, or cause a Denial of Service condition.
+    </p>
+  </impact>
+  <workaround>
+    <p>Running guests in Paravirtualization (PV)  mode,  or running guests in
+      Hardware-assisted virtualizion (HVM) utilizing stub domains mitigate
+      the issue.
+    </p>
+    
+    <p>Running HVM guests with the device model in a stubdomain will mitigate
+      the issue.
+    </p>
+    
+    <p>Changing the video card emulation to stdvga (stdvga=1, vga=”stdvga”,
+      in the xl domain configuration) will avoid the vulnerability.
+    </p>
+  </workaround>
+  <resolution>
+    <p>All Xen Tools users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose
+      "&gt;=app-emulation/xen-tools-4.7.1-r8"
+    </code>
+    
+  </resolution>
+  <references>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2620">CVE-2017-2620</uri>
+  </references>
+  <metadata tag="requester" timestamp="2017-02-24T02:24:45Z">BlueKnight</metadata>
+  <metadata tag="submitter" timestamp="2017-03-28T03:15:18Z">whissi</metadata>
+</glsa>
--- a/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk
+++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk
@ -1 +1 @@
-Tue, 21 Mar 2017 21:38:55 +0000
+Fri, 07 Apr 2017 21:09:29 +0000