From d5ee825435313e359b076d4e1d34cc6b737ef114 Mon Sep 17 00:00:00 2001
From: David Michael
Date: Sun, 15 Oct 2017 14:42:24 -0700
Subject: [PATCH] bump(metadata/glsa): sync with upstream
---
.../metadata/glsa/glsa-201705-15.xml | 10 +--
.../metadata/glsa/glsa-201710-10.xml | 82 +++++++++++++++++++
.../metadata/glsa/glsa-201710-11.xml | 63 ++++++++++++++
.../metadata/glsa/glsa-201710-12.xml | 56 +++++++++++++
.../metadata/glsa/glsa-201710-13.xml | 77 +++++++++++++++++
.../metadata/glsa/glsa-201710-14.xml | 72 ++++++++++++++++
.../metadata/glsa/glsa-201710-15.xml | 52 ++++++++++++
.../metadata/glsa/glsa-201710-16.xml | 51 ++++++++++++
.../metadata/glsa/timestamp.chk | 2 +-
.../metadata/glsa/timestamp.commit | 2 +-
10 files changed, 460 insertions(+), 7 deletions(-)
create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201710-10.xml
create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201710-11.xml
create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201710-12.xml
create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201710-13.xml
create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201710-14.xml
create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201710-15.xml
create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201710-16.xml
diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201705-15.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201705-15.xml
index ee01ba3b83..88217e6cdf 100644
--- a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201705-15.xml
+++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201705-15.xml
@@ -5,13 +5,13 @@ A vulnerability in sudo allows local users to gain root privileges. sudo,privilege 2017-05-30 - 2017-10-07: 3 + 2017-10-10: 4 620182 local - 1.8.20_p2 - 1.8.20_p2 + 1.8.20_p1 + 1.8.20_p1 @@ -45,7 +45,7 @@ # emerge --sync - # emerge --ask --oneshot --verbose ">=app-admin/sudo-1.8.20_p2" + # emerge --ask --oneshot --verbose ">=app-admin/sudo-1.8.20_p1" @@ -58,5 +58,5 @@ K_F - K_F + K_F diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201710-10.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201710-10.xml new file mode 100644 index 0000000000..dd52a7ddc0 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201710-10.xml @@ -0,0 +1,82 @@ + + + + elfutils: Multiple vulnerabilities + Multiple vulnerabilities have been found in elfutils, the worst of + which may allow remote attackers to cause a Denial of Service condition. + + elfutils + 2017-10-13 + 2017-10-13: 1 + 614002 + 614004 + 618004 + remote + + + 0.169-r1 + 0.169-r1 + + + +

Elfutils provides a library and utilities to access, modify and analyse + ELF objects. +

+
+ +

Multiple vulnerabilities have been discovered in elfutils. Please review + the referenced CVE identifiers for details. +

+
+ +

A remote attacker could possibly cause a Denial of Service condition via + specially crafted ELF files. +

+
+ +

There is no known workaround at this time.

+
+ +

All elfutils users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/elfutils-0.169-r1" + + +

Packages which depend on this library may need to be recompiled. Tools + such as revdep-rebuild may assist in identifying some of these packages. +

+
+ + + CVE-2016-10254 + + + CVE-2016-10255 + + + CVE-2017-7607 + + + CVE-2017-7608 + + + CVE-2017-7609 + + + CVE-2017-7610 + + + CVE-2017-7611 + + + CVE-2017-7612 + + + CVE-2017-7613 + + + b-man + chrisadr +
diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201710-11.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201710-11.xml new file mode 100644 index 0000000000..bfaf72daf2 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201710-11.xml @@ -0,0 +1,63 @@ + + + + GNU Libtasn1: Multiple vulnerabilities + Multiple vulnerabilities have been found in GNU Libtasn1, the worst + of which may allow remote attackers to execute arbitrary code. + + libtasn1 + 2017-10-13 + 2017-10-13: 1 + 619686 + 627014 + remote + + + 4.12-r1 + 4.12-r1 + + + +

A library that provides Abstract Syntax Notation One (ASN.1, as + specified by the X.680 ITU-T recommendation) parsing and structures + management, and Distinguished Encoding Rules (DER, as per X.690) encoding + and decoding functions. +

+
+ +

Multiple vulnerabilities have been discovered in GNU Libtasn1. Please + review the referenced CVE identifiers for details. +

+
+ +

A remote attacker could possibly execute arbitrary code with the + privileges of the process, cause a Denial of Service condition, or have + other unspecified impacts. +

+
+ +

There is no known workaround at this time.

+
+ +

All GNU Libtasn1 users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-libs/libtasn1-4.12-r1" + + +

Packages which depend on this library may need to be recompiled. Tools + such as revdep-rebuild may assist in identifying some of these packages. +

+
+ + + CVE-2017-10790 + + + CVE-2017-6891 + + + b-man + chrisadr +
diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201710-12.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201710-12.xml new file mode 100644 index 0000000000..a8e08cdda1 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201710-12.xml @@ -0,0 +1,56 @@ + + + + Puppet Agent: Multiple vulnerabilities + Multiple vulnerabilities have been found in Puppet Agent, the worst + of which could result in the execution of arbitrary code. + + puppetagent + 2017-10-13 + 2017-10-13: 1 + 597684 + remote + + + 1.7.1 + 1.7.1 + + + +

Puppet Agent contains Puppet’s main code and all of the dependencies + needed to run it, including Facter, Hiera, and bundled versions of Ruby + and OpenSSL. +

+
+ +

Multiple vulnerabilities have been discovered in Puppet Agent. Please + review the references for details. +

+
+ +

A remote attacker could possibly execute arbitrary code with the + privileges of the process or obtain sensitive information. +

+
+ +

There is no known workaround at this time.

+
+ +

All Puppet Agent users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-admin/puppet-agent-1.7.1" + +
+ + + CVE-2016-5714 + + Puppet + Security Advise Oct 2016 + + + b-man + chrisadr +
diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201710-13.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201710-13.xml new file mode 100644 index 0000000000..3e94863a03 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201710-13.xml @@ -0,0 +1,77 @@ + + + + Graphite: Multiple vulnerabilities + Multiple vulnerabilities have been found in Graphite, the worst of + which could lead to the remote execution of arbitrary code. + + + graphite2 + 2017-10-13 + 2017-10-13: 1 + 621724 + remote + + + 1.3.10 + 1.3.10 + + + +

Graphite is a “smart font” system developed specifically to handle + the complexities of lesser-known languages of the world. +

+
+ +

Multiple vulnerabilities have been discovered in Graphite. Please review + the referenced CVE identifiers for details. +

+ +
+ +

A remote attacker could possibly execute arbitrary code with the + privileges of the process, cause a Denial of Service condition, or have + other unspecified impacts. +

+
+ +

There is no known workaround at this time.

+
+ +

All Graphite users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-gfx/graphite2-1.3.10" + + +
+ + + CVE-2017-7771 + + + CVE-2017-7772 + + + CVE-2017-7773 + + + CVE-2017-7774 + + + CVE-2017-7775 + + + CVE-2017-7776 + + + CVE-2017-7777 + + + CVE-2017-7778 + + + chrisadr + chrisadr +
diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201710-14.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201710-14.xml new file mode 100644 index 0000000000..f5e253bc8f --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201710-14.xml @@ -0,0 +1,72 @@ + + + + WebKitGTK+: Multiple Vulnerabilities + Multiple vulnerabilities have been found in WebkitGTK+, the worst + of which may allow remote attackers to execute arbitrary code. + + webkit-gtk + 2017-10-13 + 2017-10-13: 1 + 626142 + remote + + + 2.16.6 + 2.16.6 + + + +

WebKitGTK+ is a full-featured port of the WebKit rendering engine, + suitable for projects requiring any kind of web integration, offers + Webkit’s full functionality and is used on a wide range of systems. +

+
+ +

Multiple vulnerabilities have been discovered in WebkitGTK+. Please + review the references below for details. +

+
+ +

A remote attacker could execute arbitrary code, cause a Denial of + Service condition, bypass intended memory-read restrictions, conduct a + timing side-channel attack to bypass the Same Origin Policy, obtain + sensitive information, or spoof the address bar. +

+ +
+ +

There is no known workaround at this time.

+
+ +

All WebKitGTK+ users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-2.16.6" + + +

Packages which depend on this library may need to be recompiled. Tools + such as revdep-rebuild may assist in identifying some of these packages. +

+
+ + CVE-2017-7006 + CVE-2017-7011 + CVE-2017-7012 + CVE-2017-7018 + CVE-2017-7019 + CVE-2017-7020 + CVE-2017-7030 + CVE-2017-7034 + CVE-2017-7037 + CVE-2017-7038 + CVE-2017-7039 + CVE-2017-7040 + CVE-2017-7041 + CVE-2017-7042 + CVE-2017-7043 + + BlueKnight + chrisadr +
diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201710-15.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201710-15.xml new file mode 100644 index 0000000000..60c2f5ccd1 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201710-15.xml @@ -0,0 +1,52 @@ + + + + GnuTLS: Denial of Service + A null pointer dereference in GnuTLS might allow attackers to cause + a Denial of Service condition. + + gnutls + 2017-10-15 + 2017-10-15: 1 + 622038 + remote + + + 3.5.13 + 3.5.13 + + + +

GnuTLS is a secure communications library implementing the SSL, TLS and + DTLS protocols and technologies around them. +

+
+ +

A null pointer dereference while decoding a status response TLS + extension with valid contents was discovered in GnuTLS. +

+
+ +

A remote attacker could possibly cause a Denial of Service condition.

+
+ +

There is no known workaround at this time.

+
+ +

All GnuTLS users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-libs/gnutls-3.5.13" + + +

Packages which depend on this library may need to be recompiled. Tools + such as revdep-rebuild may assist in identifying some of these packages. +

+
+ + CVE-2017-7507 + + chrisadr + chrisadr +
diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201710-16.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201710-16.xml new file mode 100644 index 0000000000..2328ec60a1 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201710-16.xml @@ -0,0 +1,51 @@ + + + + Shadow: Buffer overflow + A vulnerability found in Shadow may allow remote attackers to cause + a Denial of Service condition or produce other unspecified behaviors. + + shadow + 2017-10-15 + 2017-10-15: 1 + 627044 + remote + + + 4.5 + 4.5 + + + +

Shadow is a set of tools to deal with user accounts.

+
+ +

Malformed input in the newusers tool may produce crashes and other + unspecified behaviors. +

+
+ +

A remote attacker could possibly cause a Denial of Service condition or + bypass privilege boundaries in some web-hosting environments in which a + Control Panel allows an unprivileged user account to create subaccounts. +

+
+ +

There is no known workaround at this time.

+
+ +

All Shadow users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-apps/shadow-4.5" + +
+ + + CVE-2017-12424 + + + b-man + chrisadr +
diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk b/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk index 4996685384..a3e68c623d 100644 --- a/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk @@ -1 +1 @@ -Mon, 09 Oct 2017 18:08:59 +0000 +Sun, 15 Oct 2017 21:09:21 +0000 diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.commit b/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.commit index 9a85e68140..a05cb74363 100644 --- a/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.commit +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.commit @@ -1 +1 @@ -6563aef7bcf2b256b39e321f440df3efe76f81f4 1507473808 2017-10-08T14:43:28+00:00 +f5081800804d6a1f4598cbc03e5a8f2664f6a070 1508098974 2017-10-15T20:22:54+00:00