mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-08-18 02:16:59 +02:00
Code Issues Packages Projects Releases Wiki Activity

bump(metadata/glsa): sync with upstream

Browse Source
This commit is contained in:
Nick Owens 2016-11-21 10:50:54 -08:00
parent 2ddfc8cb9f
commit dfd0c68390
13 changed files with 742 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

91
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201611-03.xml vendored Normal file
View File

@ -0,0 +1,91 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201611-03">
<title>LibreOffice, OpenOffice: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in both LibreOffice and
OpenOffice, the worst of which allows for the remote execution of arbitrary
code.
</synopsis>
<product type="ebuild"></product>
<announced>November 04, 2016</announced>
<revised>November 04, 2016: 1</revised>
<bug>565026</bug>
<bug>587566</bug>
<access>remote</access>
<affected>
<package name="app-office/libreoffice" auto="yes" arch="*">
<unaffected range="ge">5.1.4.2</unaffected>
<vulnerable range="lt">5.1.4.2</vulnerable>
</package>
<package name="app-office/libreoffice-bin" auto="yes" arch="*">
<unaffected range="ge">5.1.4.2</unaffected>
<vulnerable range="lt">5.1.4.2</vulnerable>
</package>
<package name="app-office/openoffice-bin" auto="yes" arch="*">
<unaffected range="ge">4.1.2</unaffected>
<vulnerable range="lt">4.1.2</vulnerable>
</package>
</affected>
<background>
<p>LibreOffice is a powerful office suite; its clean interface and powerful
tools let you unleash your creativity and grow your productivity.
</p>
<p>Apache OpenOffice is the leading open-source office software suite for
word processing, spreadsheets, presentations, graphics, databases and
more.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been found in both LibreOffice and
OpenOffice. Please review the referenced CVEs for specific
information regarding each.
</p>
</description>
<impact type="normal">
<p>Remote attackers could obtain sensitive information, cause a Denial of
Service condition, or execute arbitrary code.
</p>
</impact>
<workaround>
<p>There is no known work around at this time.</p>
</workaround>
<resolution>
<p>All LibreOffice users should upgrade their respective packages to the
latest version:
</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-office/libreoffice-5.1.4.2"
# emerge --ask --oneshot --verbose
"&gt;=app-office/libreoffice-bin-debug-5.1.4.2" <code></code>
</code>
<p>All OpenOffice users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-office/openoffice-bin-4.1.2"<code></code>
</code>
</resolution>
<references>
<uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4551">
CVE-2015-4551
</uri>
<uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5212">
CVE-2015-5212
</uri>
<uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5213">
CVE-2015-5213
</uri>
<uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5214">
CVE-2015-5214
</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4324">CVE-2016-4324</uri>
</references>
<metadata tag="requester" timestamp="Sat, 10 Sep 2016 07:32:58 +0000">
BlueKnight
</metadata>
<metadata tag="submitter" timestamp="Fri, 04 Nov 2016 07:55:31 +0000">b-man</metadata>
</glsa>

73
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201611-04.xml vendored Normal file
View File

@ -0,0 +1,73 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201611-04">
<title>Oracle JRE/JDK: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Oracle's JRE and JDK
software suites allowing remote attackers to remotely execute arbitrary
code, obtain information, and cause Denial of Service.
</synopsis>
<product type="ebuild"></product>
<announced>November 04, 2016</announced>
<revised>November 04, 2016: 1</revised>
<bug>597516</bug>
<access>remote</access>
<affected>
<package name="dev-java/oracle-jre-bin" auto="yes" arch="*">
<unaffected range="ge">1.8.0.111</unaffected>
<vulnerable range="lt">1.8.0.111</vulnerable>
</package>
<package name="dev-java/oracle-jdk-bin" auto="yes" arch="*">
<unaffected range="ge">1.8.0.111</unaffected>
<vulnerable range="lt">1.8.0.111</vulnerable>
</package>
</affected>
<background>
<p>Java Platform, Standard Edition (Java SE) lets you develop and deploy
Java applications on desktops and servers, as well as in todays
demanding embedded environments. Java offers the rich user interface,
performance, versatility, portability, and security that todays
applications require.
</p>
</background>
<description>
<p>Multiple vulnerabilities exist in both Oracles JRE and JDK. Please
review the referenced CVEs for additional information.
</p>
</description>
<impact type="normal">
<p>Remote attackers could gain access to information, remotely execute
arbitrary code, or cause Denial of Service.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Oracle JRE Users users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose
"&gt;=dev-java/oracle-jre-bin-1.8.0.111"
</code>
<p>All Oracle JDK Users users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose
"&gt;=dev-java/oracle-jdk-bin-1.8.0.111"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5542">CVE-2016-5542</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5554">CVE-2016-5554</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5556">CVE-2016-5556</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5568">CVE-2016-5568</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5573">CVE-2016-5573</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5582">CVE-2016-5582</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5597">CVE-2016-5597</uri>
</references>
<metadata tag="requester" timestamp="Wed, 19 Oct 2016 12:41:06 +0000">b-man</metadata>
<metadata tag="submitter" timestamp="Fri, 04 Nov 2016 08:28:05 +0000">b-man</metadata>
</glsa>

50
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201611-05.xml vendored Normal file
View File

@ -0,0 +1,50 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201611-05">
<title>tnftp: Arbitrary code execution </title>
<synopsis>tnftp is vulnerable to remote code execution if output file is not
specified.
</synopsis>
<product type="ebuild">tnftp</product>
<announced>November 15, 2016</announced>
<revised>November 15, 2016: 1</revised>
<bug>527302</bug>
<access>remote</access>
<affected>
<package name="net-ftp/tnftp" auto="yes" arch="*">
<unaffected range="ge">20141104</unaffected>
<vulnerable range="lt">20141104</vulnerable>
</package>
</affected>
<background>
<p>tnftp is a NetBSD FTP client with several advanced features.</p>
</background>
<description>
<p>The fetch_url function in usr.bin/ftp/fetch.c allows remote
attackers to execute arbitrary commands via a
</p>
</description>
<impact type="normal">
<p>A remote attacker could possibly execute arbitrary code with the
privileges of the process.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All tnftp users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --verbose --oneshot "&gt;=net-ftp/tnftp-20141104"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8517">CVE-2014-8517</uri>
</references>
<metadata tag="requester" timestamp="Mon, 21 Dec 2015 19:31:36 +0000">
BlueKnight
</metadata>
<metadata tag="submitter" timestamp="Tue, 15 Nov 2016 06:40:01 +0000">b-man</metadata>
</glsa>

46
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201611-06.xml vendored Normal file
View File

@ -0,0 +1,46 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201611-06">
<title>xinetd: Privilege escalation </title>
<synopsis>A vulnerability in xinetd could lead to privilege escalation.</synopsis>
<product type="ebuild">xinetd</product>
<announced>November 15, 2016</announced>
<revised>November 15, 2016: 1</revised>
<bug>488158</bug>
<access>remote</access>
<affected>
<package name="sys-apps/xinetd" auto="yes" arch="*">
<unaffected range="ge">2.3.15-r2</unaffected>
<vulnerable range="lt">2.3.15-r2</vulnerable>
</package>
</affected>
<background>
<p>xinetd is a secure replacement for inetd.</p>
</background>
<description>
<p>Xinetd does not enforce the user and group configuration directives for
TCPMUX services, which causes these services to be run as root.
</p>
</description>
<impact type="normal">
<p>Attackers could escalate privileges outside of the running process.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All xinetd users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --verbose --oneshot "&gt;=sys-apps/xinetd-2.3.15-r2"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4342">CVE-2013-4342</uri>
</references>
<metadata tag="requester" timestamp="Wed, 23 Dec 2015 23:25:51 +0000">
BlueKnight
</metadata>
<metadata tag="submitter" timestamp="Tue, 15 Nov 2016 07:16:41 +0000">b-man</metadata>
</glsa>

49
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201611-07.xml vendored Normal file
View File

@ -0,0 +1,49 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201611-07">
<title>polkit: Heap-corruption on duplicate IDs </title>
<synopsis>polkit is vulnerable to local privilege escalation.</synopsis>
<product type="ebuild">polkit</product>
<announced>November 15, 2016</announced>
<revised>November 15, 2016: 1</revised>
<bug>555666</bug>
<access>local</access>
<affected>
<package name="sys-auth/polkit" auto="yes" arch="*">
<unaffected range="ge">0.113</unaffected>
<vulnerable range="lt">0.113</vulnerable>
</package>
</affected>
<background>
<p>polkit is a toolkit for managing policies relating to unprivileged
processes communicating with privileged processes.
</p>
</background>
<description>
<p>A vulnerability was discovered in polkits
polkit_backend_action_pool_init function due to duplicate action IDs in
action descriptions.
</p>
</description>
<impact type="normal">
<p>Local attackers are able to gain unauthorized privileges on the system.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All polkit users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=sys-auth/polkit-0.113"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3255">CVE-2015-3255</uri>
</references>
<metadata tag="requester" timestamp="Fri, 25 Dec 2015 00:47:50 +0000">
BlueKnight
</metadata>
<metadata tag="submitter" timestamp="Tue, 15 Nov 2016 07:23:23 +0000">b-man</metadata>
</glsa>

75
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201611-08.xml vendored Normal file
View File

@ -0,0 +1,75 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201611-08">
<title>libpng: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in libpng, the worst of
which may allow remote attackers to cause Denial of Service.
</synopsis>
<product type="ebuild">libpng</product>
<announced>November 15, 2016</announced>
<revised>November 15, 2016: 1</revised>
<bug>564244</bug>
<bug>565678</bug>
<bug>568216</bug>
<access>remote</access>
<affected>
<package name="media-libs/libpng" auto="yes" arch="*">
<unaffected range="rge">1.2.56</unaffected>
<unaffected range="rge">1.5.26</unaffected>
<unaffected range="ge">1.6.21</unaffected>
<vulnerable range="lt">1.6.21</vulnerable>
</package>
</affected>
<background>
<p>libpng is a standard library used to process PNG (Portable Network
Graphics) images. It is used by several other programs, including web
browsers and potentially server processes.
</p>
</background>
<description>
<p>Multiple vulnerabilities were found in libpng. Please review the
referenced CVEs for additional information.
</p>
</description>
<impact type="normal">
<p>Remote attackers could cause a Denial of Service condition or have other
unspecified impacts.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All libpng 1.2 users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=media-libs/libpng-1.2.56"
</code>
<p>All libpng 1.5 users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=media-libs/libpng-1.5.26"
</code>
<p>All libpng 1.6 users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=media-libs/libpng-1.6.21"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7981">CVE-2015-7981</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8126">CVE-2015-8126</uri>
<uri link="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8540">
CVE-2015-8540
</uri>
</references>
<metadata tag="requester" timestamp="Wed, 23 Dec 2015 23:42:59 +0000">
BlueKnight
</metadata>
<metadata tag="submitter" timestamp="Tue, 15 Nov 2016 07:39:40 +0000">b-man</metadata>
</glsa>

70
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201611-09.xml vendored Normal file
View File

@ -0,0 +1,70 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201611-09">
<title>Xen: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Xen, the worst of which
allows gaining of privileges on the host system.
</synopsis>
<product type="ebuild">xen</product>
<announced>November 15, 2016</announced>
<revised>November 15, 2016: 1</revised>
<bug>588780</bug>
<bug>593198</bug>
<bug>594850</bug>
<access>remote</access>
<affected>
<package name="app-emulation/xen" auto="yes" arch="*">
<unaffected range="ge">4.6.3-r3</unaffected>
<vulnerable range="lt">4.6.3-r3</vulnerable>
</package>
<package name="app-emulation/xen-tools" auto="yes" arch="*">
<unaffected range="ge">4.6.3-r2</unaffected>
<vulnerable range="lt">4.6.3-r2</vulnerable>
</package>
</affected>
<background>
<p>Xen is a bare-metal hypervisor.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Xen. Please review the
CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A malicious guest administrator could escalate their privileges on the
host system or cause a Denial of Service. Additionally, a malicious
unprivileged guest user may be able to obtain or corrupt sensitive
information (including cryptographic material) in other programs in the
same guest.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Xen users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-emulation/xen-4.6.3-r3"
</code>
<p>All Xen tools users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-emulation/xen-tools-4.6.3-r2
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6258">CVE-2016-6258</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7092">CVE-2016-7092</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7093">CVE-2016-7093</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7094">CVE-2016-7094</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7777">CVE-2016-7777</uri>
</references>
<metadata tag="requester" timestamp="Sat, 10 Sep 2016 06:59:48 +0000">
BlueKnight
</metadata>
<metadata tag="submitter" timestamp="Tue, 15 Nov 2016 07:42:10 +0000">b-man</metadata>
</glsa>

50
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201611-10.xml vendored Normal file
View File

@ -0,0 +1,50 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201611-10">
<title>libuv: Privilege escalation</title>
<synopsis>A vulnerability in libuv could lead to privilege escalation.</synopsis>
<product type="ebuild"></product>
<announced>November 17, 2016</announced>
<revised>November 17, 2016: 1</revised>
<bug>540826</bug>
<access>local, remote</access>
<affected>
<package name="dev-libs/libuv" auto="yes" arch="*">
<unaffected range="ge">1.4.2</unaffected>
<vulnerable range="lt">1.4.2</vulnerable>
</package>
</affected>
<background>
<p>libuv is a multi-platform support library with a focus on asynchronous
I/O.
</p>
</background>
<description>
<p>It was discovered that libuv does not call setgroups before calling
setuid/setgid. If this is not called, then even though the uid has been
dropped, there may still be groups associated that permit superuser
privileges.
</p>
</description>
<impact type="normal">
<p>Context-dependent attackers could escalate privileges via unspecified
vectors.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All libuv users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --verbose --oneshot "&gt;=dev-libs/libuv-1.4.2"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0278">CVE-2015-0278</uri>
</references>
<metadata tag="requester" timestamp="Thu, 17 Nov 2016 08:33:56 +0000">b-man</metadata>
<metadata tag="submitter" timestamp="Thu, 17 Nov 2016 10:08:59 +0000">b-man</metadata>
</glsa>

77
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201611-11.xml vendored Normal file
View File

@ -0,0 +1,77 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201611-11">
<title>QEMU: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in QEMU, the worst of
which could cause a Denial of Service condition.
</synopsis>
<product type="ebuild"></product>
<announced>November 18, 2016</announced>
<revised>November 18, 2016: 1</revised>
<bug>594368</bug>
<bug>594520</bug>
<bug>595192</bug>
<bug>596048</bug>
<bug>596738</bug>
<bug>596752</bug>
<bug>596774</bug>
<bug>596776</bug>
<bug>597108</bug>
<bug>597110</bug>
<bug>598044</bug>
<bug>598046</bug>
<bug>598328</bug>
<access>local</access>
<affected>
<package name="app-emulation/qemu" auto="yes" arch="*">
<unaffected range="ge">2.7.0-r6</unaffected>
<vulnerable range="lt">2.7.0-r6</vulnerable>
</package>
</affected>
<background>
<p>QEMU is a generic and open source machine emulator and virtualizer.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in QEMU. Please review the
CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A privileged user /process within a guest QEMU environment can cause a
Denial of Service condition against the QEMU guest process or the host.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All QEMU users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-emulation/qemu-2.7.0-r6"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7161">CVE-2016-7161</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7423">CVE-2016-7423</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7466">CVE-2016-7466</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7907">CVE-2016-7907</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7908">CVE-2016-7908</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7909">CVE-2016-7909</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7994">CVE-2016-7994</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8576">CVE-2016-8576</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8577">CVE-2016-8577</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8578">CVE-2016-8578</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8668">CVE-2016-8668</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8669">CVE-2016-8669</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8909">CVE-2016-8909</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8910">CVE-2016-8910</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9102">CVE-2016-9102</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9103">CVE-2016-9103</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9104">CVE-2016-9104</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9105">CVE-2016-9105</uri>
</references>
<metadata tag="requester" timestamp="Thu, 17 Nov 2016 07:04:59 +0000">b-man</metadata>
<metadata tag="submitter" timestamp="Fri, 18 Nov 2016 23:08:06 +0000">b-man</metadata>
</glsa>

58
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201611-12.xml vendored Normal file
View File

@ -0,0 +1,58 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201611-12">
<title>imlib2: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in imlib2, the worst of
which allows for the remote execution of arbitrary code.
</synopsis>
<product type="ebuild">imlib2</product>
<announced>November 20, 2016</announced>
<revised>November 20, 2016: 1</revised>
<bug>572884</bug>
<bug>578810</bug>
<bug>580038</bug>
<access>remote</access>
<affected>
<package name="media-libs/imlib2" auto="yes" arch="*">
<unaffected range="ge">1.4.9</unaffected>
<vulnerable range="lt">1.4.9</vulnerable>
</package>
</affected>
<background>
<p>imlib2 is an advanced replacement for image manipulation libraries such
as libXpm. It is utilized by numerous programs, including gkrellm and
several window managers, to display images.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in imlib2. Please review
the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could entice a user to open a specially crafted image
file using an application linked against imlib2, possibly resulting in
execution of arbitrary code with the privileges of the process or a
Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All imlib2 users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=media-libs/imlib2-1.4.9"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9762">CVE-2014-9762</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9763">CVE-2014-9763</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9764">CVE-2014-9764</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4024">CVE-2016-4024</uri>
</references>
<metadata tag="requester" timestamp="Sun, 20 Nov 2016 06:16:27 +0000">b-man</metadata>
<metadata tag="submitter" timestamp="Sun, 20 Nov 2016 22:06:30 +0000">b-man</metadata>
</glsa>

50
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201611-13.xml vendored Normal file
View File

@ -0,0 +1,50 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201611-13">
<title>MongoDB: Denial of Service</title>
<synopsis>A vulnerability in MongoDB can lead to a Denial of Service
condition.
</synopsis>
<product type="ebuild">mongodb</product>
<announced>November 20, 2016</announced>
<revised>November 20, 2016: 1</revised>
<bug>542880</bug>
<access>remote</access>
<affected>
<package name="dev-db/mongodb" auto="yes" arch="*">
<unaffected range="ge">2.4.13</unaffected>
<vulnerable range="lt">2.4.13</vulnerable>
</package>
</affected>
<background>
<p>MongoDB (from “humongous”) is a scalable, high-performance, open
source, schema-free, document-oriented database.
</p>
</background>
<description>
<p>MongoDBs mongod server fails to validate some cases of
malformed BSON.
</p>
</description>
<impact type="normal">
<p>A remote attacker could send a specially crafted BSON request possibly
resulting in a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All MongoDB users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-db/mongodb-2.4.13"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1609">CVE-2015-1609</uri>
</references>
<metadata tag="requester" timestamp="Mon, 11 May 2015 20:38:27 +0000">K_F</metadata>
<metadata tag="submitter" timestamp="Sun, 20 Nov 2016 22:09:15 +0000">b-man</metadata>
</glsa>

52
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201611-14.xml vendored Normal file
View File

@ -0,0 +1,52 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201611-14">
<title>MIT Kerberos 5: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in MIT Kerberos 5,
the worst of which may allow remote attackers to cause Denial of Service.
</synopsis>
<product type="ebuild">mit-krb5</product>
<announced>November 20, 2016</announced>
<revised>November 20, 2016: 1</revised>
<bug>564304</bug>
<access>remote</access>
<affected>
<package name="app-crypt/mit-krb5" auto="yes" arch="*">
<unaffected range="ge">1.13.2-r2</unaffected>
<vulnerable range="lt">1.13.2-r2</vulnerable>
</package>
</affected>
<background>
<p>MIT Kerberos 5 is a suite of applications that implement the Kerberos
network protocol.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in MIT Kerberos 5. Please
review the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could possibly cause a Denial of Service condition.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All MIT Kerberos 5 users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-crypt/mit-krb5-1.13.2-r2"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2695">CVE-2015-2695</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2696">CVE-2015-2696</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2697">CVE-2015-2697</uri>
</references>
<metadata tag="requester" timestamp="Wed, 23 Dec 2015 22:59:55 +0000">
BlueKnight
</metadata>
<metadata tag="submitter" timestamp="Sun, 20 Nov 2016 22:10:32 +0000">b-man</metadata>
</glsa>

2
sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk vendored
View File

@ -1 +1 @@
Tue, 01 Nov 2016 19:13:17 +0000
Mon, 21 Nov 2016 18:13:23 +0000