bump(metadata/glsa): sync with upstream

sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201611-03.xml

@@ -0,0 +1,91 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201611-03">
+  <title>LibreOffice, OpenOffice: Multiple vulnerabilities</title>
+  <synopsis>Multiple vulnerabilities have been found in both LibreOffice and
+    OpenOffice, the worst of which allows for the remote execution of arbitrary
+    code.
+  </synopsis>
+  <product type="ebuild"></product>
+  <announced>November 04, 2016</announced>
+  <revised>November 04, 2016: 1</revised>
+  <bug>565026</bug>
+  <bug>587566</bug>
+  <access>remote</access>
+  <affected>
+    <package name="app-office/libreoffice" auto="yes" arch="*">
+      <unaffected range="ge">5.1.4.2</unaffected>
+      <vulnerable range="lt">5.1.4.2</vulnerable>
+    </package>
+    <package name="app-office/libreoffice-bin" auto="yes" arch="*">
+      <unaffected range="ge">5.1.4.2</unaffected>
+      <vulnerable range="lt">5.1.4.2</vulnerable>
+    </package>
+    <package name="app-office/openoffice-bin" auto="yes" arch="*">
+      <unaffected range="ge">4.1.2</unaffected>
+      <vulnerable range="lt">4.1.2</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>LibreOffice is a powerful office suite; its clean interface and powerful
+      tools let you unleash your creativity and grow your productivity.
+    </p>
+    
+    <p>Apache OpenOffice is the leading open-source office software suite for
+      word processing, spreadsheets, presentations, graphics, databases and
+      more.
+    </p>
+  </background>
+  <description>
+    <p>Multiple vulnerabilities have been found in both LibreOffice and
+      OpenOffice.  Please review the referenced CVE’s for specific
+      information regarding each.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>Remote attackers could obtain sensitive information, cause a Denial of
+      Service condition, or execute arbitrary code.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known work around at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All LibreOffice users should upgrade their respective packages to the
+      latest version:
+    </p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=app-office/libreoffice-5.1.4.2"
+      # emerge --ask --oneshot --verbose
+      "&gt;=app-office/libreoffice-bin-debug-5.1.4.2" <code></code>
+    </code>
+    
+    <p>All OpenOffice users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=app-office/openoffice-bin-4.1.2"<code></code>
+    </code>
+  </resolution>
+  <references>
+    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4551">
+      CVE-2015-4551
+    </uri>
+    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5212">
+      CVE-2015-5212
+    </uri>
+    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5213">
+      CVE-2015-5213
+    </uri>
+    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5214">
+      CVE-2015-5214
+    </uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4324">CVE-2016-4324</uri>
+  </references>
+  <metadata tag="requester" timestamp="Sat, 10 Sep 2016 07:32:58 +0000">
+    BlueKnight
+  </metadata>
+  <metadata tag="submitter" timestamp="Fri, 04 Nov 2016 07:55:31 +0000">b-man</metadata>
+</glsa>

sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201611-04.xml

@@ -0,0 +1,73 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201611-04">
+  <title>Oracle JRE/JDK: Multiple vulnerabilities</title>
+  <synopsis>Multiple vulnerabilities have been found in Oracle's JRE and JDK
+    software suites allowing remote attackers to remotely execute arbitrary
+    code, obtain information, and cause Denial of Service.
+  </synopsis>
+  <product type="ebuild"></product>
+  <announced>November 04, 2016</announced>
+  <revised>November 04, 2016: 1</revised>
+  <bug>597516</bug>
+  <access>remote</access>
+  <affected>
+    <package name="dev-java/oracle-jre-bin" auto="yes" arch="*">
+      <unaffected range="ge">1.8.0.111</unaffected>
+      <vulnerable range="lt">1.8.0.111</vulnerable>
+    </package>
+    <package name="dev-java/oracle-jdk-bin" auto="yes" arch="*">
+      <unaffected range="ge">1.8.0.111</unaffected>
+      <vulnerable range="lt">1.8.0.111</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>Java Platform, Standard Edition (Java SE) lets you develop and deploy
+      Java applications on desktops and servers, as well as in today’s
+      demanding embedded environments. Java offers the rich user interface,
+      performance, versatility, portability, and security that today’s
+      applications require.
+    </p>
+  </background>
+  <description>
+    <p>Multiple vulnerabilities exist in both Oracle’s JRE and JDK. Please
+      review the referenced CVE’s for additional information.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>Remote attackers could gain access to information, remotely execute
+      arbitrary code, or cause Denial of Service.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All Oracle JRE Users users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose
+      "&gt;=dev-java/oracle-jre-bin-1.8.0.111"
+    </code>
+    
+    <p>All Oracle JDK Users users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose
+      "&gt;=dev-java/oracle-jdk-bin-1.8.0.111"
+    </code>
+  </resolution>
+  <references>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5542">CVE-2016-5542</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5554">CVE-2016-5554</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5556">CVE-2016-5556</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5568">CVE-2016-5568</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5573">CVE-2016-5573</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5582">CVE-2016-5582</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5597">CVE-2016-5597</uri>
+  </references>
+  <metadata tag="requester" timestamp="Wed, 19 Oct 2016 12:41:06 +0000">b-man</metadata>
+  <metadata tag="submitter" timestamp="Fri, 04 Nov 2016 08:28:05 +0000">b-man</metadata>
+</glsa>

sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201611-05.xml

@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201611-05">
+  <title>tnftp: Arbitrary code execution </title>
+  <synopsis>tnftp is vulnerable to remote code execution if output file is not
+    specified. 
+  </synopsis>
+  <product type="ebuild">tnftp</product>
+  <announced>November 15, 2016</announced>
+  <revised>November 15, 2016: 1</revised>
+  <bug>527302</bug>
+  <access>remote</access>
+  <affected>
+    <package name="net-ftp/tnftp" auto="yes" arch="*">
+      <unaffected range="ge">20141104</unaffected>
+      <vulnerable range="lt">20141104</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>tnftp is a NetBSD FTP client with several advanced features.</p>
+  </background>
+  <description>
+          <p>The fetch_url function in usr.bin/ftp/fetch.c allows remote
+            attackers to execute arbitrary commands via a
+          </p>
+  </description>
+  <impact type="normal">
+    <p>A remote attacker could possibly execute arbitrary code with the
+      privileges of the process.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All tnftp users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --verbose --oneshot "&gt;=net-ftp/tnftp-20141104"
+    </code>
+  </resolution>
+  <references>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8517">CVE-2014-8517</uri>
+  </references>
+  <metadata tag="requester" timestamp="Mon, 21 Dec 2015 19:31:36 +0000">
+    BlueKnight
+  </metadata>
+  <metadata tag="submitter" timestamp="Tue, 15 Nov 2016 06:40:01 +0000">b-man</metadata>
+</glsa>

sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201611-06.xml

@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201611-06">
+  <title>xinetd: Privilege escalation </title>
+  <synopsis>A vulnerability in xinetd could lead to privilege escalation.</synopsis>
+  <product type="ebuild">xinetd</product>
+  <announced>November 15, 2016</announced>
+  <revised>November 15, 2016: 1</revised>
+  <bug>488158</bug>
+  <access>remote</access>
+  <affected>
+    <package name="sys-apps/xinetd" auto="yes" arch="*">
+      <unaffected range="ge">2.3.15-r2</unaffected>
+      <vulnerable range="lt">2.3.15-r2</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>xinetd is a secure replacement for inetd.</p>
+  </background>
+  <description>
+    <p>Xinetd does not enforce the user and group configuration directives for
+      TCPMUX services, which causes these services to be run as root.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>Attackers could escalate privileges outside of the running process.</p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All xinetd users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --verbose --oneshot "&gt;=sys-apps/xinetd-2.3.15-r2"
+    </code>
+  </resolution>
+  <references>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4342">CVE-2013-4342</uri>
+  </references>
+  <metadata tag="requester" timestamp="Wed, 23 Dec 2015 23:25:51 +0000">
+    BlueKnight
+  </metadata>
+  <metadata tag="submitter" timestamp="Tue, 15 Nov 2016 07:16:41 +0000">b-man</metadata>
+</glsa>

sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201611-07.xml

@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201611-07">
+  <title>polkit: Heap-corruption on duplicate IDs </title>
+  <synopsis>polkit is vulnerable to local privilege escalation.</synopsis>
+  <product type="ebuild">polkit</product>
+  <announced>November 15, 2016</announced>
+  <revised>November 15, 2016: 1</revised>
+  <bug>555666</bug>
+  <access>local</access>
+  <affected>
+    <package name="sys-auth/polkit" auto="yes" arch="*">
+      <unaffected range="ge">0.113</unaffected>
+      <vulnerable range="lt">0.113</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>polkit is a toolkit for managing policies relating to unprivileged
+      processes communicating with privileged processes.
+    </p>
+  </background>
+  <description>
+    <p>A vulnerability was discovered in polkit’s
+      polkit_backend_action_pool_init function due to duplicate action IDs in
+      action descriptions.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>Local attackers are able to gain unauthorized privileges on the system.</p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All polkit users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=sys-auth/polkit-0.113"
+    </code>
+  </resolution>
+  <references>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3255">CVE-2015-3255</uri>
+  </references>
+  <metadata tag="requester" timestamp="Fri, 25 Dec 2015 00:47:50 +0000">
+    BlueKnight
+  </metadata>
+  <metadata tag="submitter" timestamp="Tue, 15 Nov 2016 07:23:23 +0000">b-man</metadata>
+</glsa>

sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201611-08.xml

@@ -0,0 +1,75 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201611-08">
+  <title>libpng: Multiple vulnerabilities</title>
+  <synopsis>Multiple vulnerabilities have been found in libpng, the worst of
+    which may allow remote attackers to cause Denial of Service.
+  </synopsis>
+  <product type="ebuild">libpng</product>
+  <announced>November 15, 2016</announced>
+  <revised>November 15, 2016: 1</revised>
+  <bug>564244</bug>
+  <bug>565678</bug>
+  <bug>568216</bug>
+  <access>remote</access>
+  <affected>
+    <package name="media-libs/libpng" auto="yes" arch="*">
+      <unaffected range="rge">1.2.56</unaffected>
+      <unaffected range="rge">1.5.26</unaffected>
+      <unaffected range="ge">1.6.21</unaffected>
+      <vulnerable range="lt">1.6.21</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>libpng is a standard library used to process PNG (Portable Network
+      Graphics) images. It is used by several other programs, including web
+      browsers and potentially server processes.
+    </p>
+  </background>
+  <description>
+    <p>Multiple vulnerabilities were found in libpng. Please review the
+      referenced CVE’s for additional information.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>Remote attackers could cause a Denial of Service condition or have other
+      unspecified impacts.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All libpng 1.2 users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=media-libs/libpng-1.2.56"
+    </code>
+    
+    <p>All libpng 1.5 users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=media-libs/libpng-1.5.26"
+    </code>
+    
+    <p>All libpng 1.6 users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=media-libs/libpng-1.6.21"
+    </code>
+  </resolution>
+  <references>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7981">CVE-2015-7981</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8126">CVE-2015-8126</uri>
+    <uri link="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8540">
+      CVE-2015-8540
+    </uri>
+  </references>
+  <metadata tag="requester" timestamp="Wed, 23 Dec 2015 23:42:59 +0000">
+    BlueKnight
+  </metadata>
+  <metadata tag="submitter" timestamp="Tue, 15 Nov 2016 07:39:40 +0000">b-man</metadata>
+</glsa>

sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201611-09.xml

@@ -0,0 +1,70 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201611-09">
+  <title>Xen: Multiple vulnerabilities</title>
+  <synopsis>Multiple vulnerabilities have been found in Xen, the worst of which
+    allows gaining of privileges on the host system.
+  </synopsis>
+  <product type="ebuild">xen</product>
+  <announced>November 15, 2016</announced>
+  <revised>November 15, 2016: 1</revised>
+  <bug>588780</bug>
+  <bug>593198</bug>
+  <bug>594850</bug>
+  <access>remote</access>
+  <affected>
+    <package name="app-emulation/xen" auto="yes" arch="*">
+      <unaffected range="ge">4.6.3-r3</unaffected>
+      <vulnerable range="lt">4.6.3-r3</vulnerable>
+    </package>
+    <package name="app-emulation/xen-tools" auto="yes" arch="*">
+      <unaffected range="ge">4.6.3-r2</unaffected>
+      <vulnerable range="lt">4.6.3-r2</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>Xen is a bare-metal hypervisor.</p>
+  </background>
+  <description>
+    <p>Multiple vulnerabilities have been discovered in Xen. Please review the
+      CVE identifiers referenced below for details.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>A malicious guest administrator could escalate their privileges on the
+      host system or cause a Denial of Service.  Additionally, a malicious
+      unprivileged guest user may be able to obtain or corrupt sensitive
+      information (including cryptographic material) in other programs in the
+      same guest.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All Xen users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=app-emulation/xen-4.6.3-r3"
+    </code>
+    
+    <p>All Xen tools users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=app-emulation/xen-tools-4.6.3-r2
+    </code>
+  </resolution>
+  <references>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6258">CVE-2016-6258</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7092">CVE-2016-7092</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7093">CVE-2016-7093</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7094">CVE-2016-7094</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7777">CVE-2016-7777</uri>
+  </references>
+  <metadata tag="requester" timestamp="Sat, 10 Sep 2016 06:59:48 +0000">
+    BlueKnight
+  </metadata>
+  <metadata tag="submitter" timestamp="Tue, 15 Nov 2016 07:42:10 +0000">b-man</metadata>
+</glsa>

sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201611-10.xml

@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201611-10">
+  <title>libuv: Privilege escalation</title>
+  <synopsis>A vulnerability in libuv could lead to privilege escalation.</synopsis>
+  <product type="ebuild"></product>
+  <announced>November 17, 2016</announced>
+  <revised>November 17, 2016: 1</revised>
+  <bug>540826</bug>
+  <access>local, remote</access>
+  <affected>
+    <package name="dev-libs/libuv" auto="yes" arch="*">
+      <unaffected range="ge">1.4.2</unaffected>
+      <vulnerable range="lt">1.4.2</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>libuv is a multi-platform support library with a focus on asynchronous
+      I/O.
+    </p>
+  </background>
+  <description>
+    <p>It was discovered that libuv does not call setgroups before calling
+      setuid/setgid.  If this is not called, then even though the uid has been
+      dropped, there may still be groups associated that permit superuser
+      privileges.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>Context-dependent attackers could escalate privileges via unspecified
+      vectors.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All libuv users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --verbose --oneshot "&gt;=dev-libs/libuv-1.4.2"
+    </code>
+  </resolution>
+  <references>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0278">CVE-2015-0278</uri>
+  </references>
+  <metadata tag="requester" timestamp="Thu, 17 Nov 2016 08:33:56 +0000">b-man</metadata>
+  <metadata tag="submitter" timestamp="Thu, 17 Nov 2016 10:08:59 +0000">b-man</metadata>
+</glsa>

sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201611-11.xml

@@ -0,0 +1,77 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201611-11">
+  <title>QEMU: Multiple vulnerabilities</title>
+  <synopsis>Multiple vulnerabilities have been found in QEMU, the worst of
+    which could cause a Denial of Service condition.
+  </synopsis>
+  <product type="ebuild"></product>
+  <announced>November 18, 2016</announced>
+  <revised>November 18, 2016: 1</revised>
+  <bug>594368</bug>
+  <bug>594520</bug>
+  <bug>595192</bug>
+  <bug>596048</bug>
+  <bug>596738</bug>
+  <bug>596752</bug>
+  <bug>596774</bug>
+  <bug>596776</bug>
+  <bug>597108</bug>
+  <bug>597110</bug>
+  <bug>598044</bug>
+  <bug>598046</bug>
+  <bug>598328</bug>
+  <access>local</access>
+  <affected>
+    <package name="app-emulation/qemu" auto="yes" arch="*">
+      <unaffected range="ge">2.7.0-r6</unaffected>
+      <vulnerable range="lt">2.7.0-r6</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>QEMU is a generic and open source machine emulator and virtualizer.</p>
+  </background>
+  <description>
+    <p>Multiple vulnerabilities have been discovered in QEMU. Please review the
+      CVE identifiers referenced below for details.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>A privileged user /process within a guest QEMU environment can cause a
+      Denial of Service condition against the QEMU guest process or the host.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All QEMU users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=app-emulation/qemu-2.7.0-r6"
+    </code>
+  </resolution>
+  <references>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7161">CVE-2016-7161</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7423">CVE-2016-7423</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7466">CVE-2016-7466</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7907">CVE-2016-7907</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7908">CVE-2016-7908</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7909">CVE-2016-7909</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7994">CVE-2016-7994</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8576">CVE-2016-8576</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8577">CVE-2016-8577</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8578">CVE-2016-8578</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8668">CVE-2016-8668</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8669">CVE-2016-8669</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8909">CVE-2016-8909</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8910">CVE-2016-8910</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9102">CVE-2016-9102</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9103">CVE-2016-9103</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9104">CVE-2016-9104</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9105">CVE-2016-9105</uri>
+  </references>
+  <metadata tag="requester" timestamp="Thu, 17 Nov 2016 07:04:59 +0000">b-man</metadata>
+  <metadata tag="submitter" timestamp="Fri, 18 Nov 2016 23:08:06 +0000">b-man</metadata>
+</glsa>

sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201611-12.xml

@@ -0,0 +1,58 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201611-12">
+  <title>imlib2: Multiple vulnerabilities</title>
+  <synopsis>Multiple vulnerabilities have been found in imlib2, the worst of
+    which allows for the remote execution of arbitrary code.
+  </synopsis>
+  <product type="ebuild">imlib2</product>
+  <announced>November 20, 2016</announced>
+  <revised>November 20, 2016: 1</revised>
+  <bug>572884</bug>
+  <bug>578810</bug>
+  <bug>580038</bug>
+  <access>remote</access>
+  <affected>
+    <package name="media-libs/imlib2" auto="yes" arch="*">
+      <unaffected range="ge">1.4.9</unaffected>
+      <vulnerable range="lt">1.4.9</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>imlib2 is an advanced replacement for image manipulation libraries such
+      as libXpm. It is utilized by numerous programs, including gkrellm and
+      several window managers, to display images.
+    </p>
+  </background>
+  <description>
+    <p>Multiple vulnerabilities have been discovered in imlib2. Please review
+      the CVE identifiers referenced below for details.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>A remote attacker could entice a user to open a specially crafted image
+      file using an application linked against imlib2, possibly resulting in
+      execution of arbitrary code with the privileges of the process or a
+      Denial of Service condition.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All imlib2 users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=media-libs/imlib2-1.4.9"
+    </code>
+  </resolution>
+  <references>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9762">CVE-2014-9762</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9763">CVE-2014-9763</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9764">CVE-2014-9764</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4024">CVE-2016-4024</uri>
+  </references>
+  <metadata tag="requester" timestamp="Sun, 20 Nov 2016 06:16:27 +0000">b-man</metadata>
+  <metadata tag="submitter" timestamp="Sun, 20 Nov 2016 22:06:30 +0000">b-man</metadata>
+</glsa>

sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201611-13.xml

@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201611-13">
+  <title>MongoDB: Denial of Service</title>
+  <synopsis>A vulnerability in MongoDB can lead to a Denial of Service
+    condition.
+  </synopsis>
+  <product type="ebuild">mongodb</product>
+  <announced>November 20, 2016</announced>
+  <revised>November 20, 2016: 1</revised>
+  <bug>542880</bug>
+  <access>remote</access>
+  <affected>
+    <package name="dev-db/mongodb" auto="yes" arch="*">
+      <unaffected range="ge">2.4.13</unaffected>
+      <vulnerable range="lt">2.4.13</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>MongoDB (from “humongous”) is a scalable, high-performance, open
+      source, schema-free, document-oriented database.
+    </p>
+  </background>
+  <description>
+    <p>MongoDB’s ‘mongod’ server fails to validate some cases of
+      malformed BSON.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>A remote attacker could send a specially crafted BSON request possibly
+      resulting in a Denial of Service condition.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All MongoDB users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=dev-db/mongodb-2.4.13"
+    </code>
+  </resolution>
+  <references>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1609">CVE-2015-1609</uri>
+  </references>
+  <metadata tag="requester" timestamp="Mon, 11 May 2015 20:38:27 +0000">K_F</metadata>
+  <metadata tag="submitter" timestamp="Sun, 20 Nov 2016 22:09:15 +0000">b-man</metadata>
+</glsa>

sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201611-14.xml

@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201611-14">
+  <title>MIT Kerberos 5: Multiple vulnerabilities</title>
+  <synopsis>Multiple vulnerabilities have been discovered in MIT Kerberos 5,
+    the worst of which may allow remote attackers to cause Denial of Service.
+  </synopsis>
+  <product type="ebuild">mit-krb5</product>
+  <announced>November 20, 2016</announced>
+  <revised>November 20, 2016: 1</revised>
+  <bug>564304</bug>
+  <access>remote</access>
+  <affected>
+    <package name="app-crypt/mit-krb5" auto="yes" arch="*">
+      <unaffected range="ge">1.13.2-r2</unaffected>
+      <vulnerable range="lt">1.13.2-r2</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>MIT Kerberos 5 is a suite of applications that implement the Kerberos
+      network protocol.
+    </p>
+  </background>
+  <description>
+    <p>Multiple vulnerabilities have been discovered in MIT Kerberos 5. Please
+      review the CVE identifiers referenced below for details.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>A remote attacker could possibly cause a Denial of Service condition.</p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All MIT Kerberos 5 users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=app-crypt/mit-krb5-1.13.2-r2"
+    </code>
+  </resolution>
+  <references>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2695">CVE-2015-2695</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2696">CVE-2015-2696</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2697">CVE-2015-2697</uri>
+  </references>
+  <metadata tag="requester" timestamp="Wed, 23 Dec 2015 22:59:55 +0000">
+    BlueKnight
+  </metadata>
+  <metadata tag="submitter" timestamp="Sun, 20 Nov 2016 22:10:32 +0000">b-man</metadata>
+</glsa>

sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk

@@ -1 +1 @@
-Tue, 01 Nov 2016 19:13:17 +0000
+Mon, 21 Nov 2016 18:13:23 +0000