From e6c2c08e1e6f045070f9c148c02a413746b342da Mon Sep 17 00:00:00 2001 From: David Michael Date: Mon, 18 Sep 2017 13:03:12 -0700 Subject: [PATCH] bump(metadata/glsa): sync with upstream --- .../metadata/glsa/glsa-201708-04.xml | 6 +- .../metadata/glsa/glsa-201708-07.xml | 6 +- .../metadata/glsa/glsa-201708-08.xml | 4 +- .../metadata/glsa/glsa-201708-09.xml | 50 ++++++++ .../metadata/glsa/glsa-201708-10.xml | 55 +++++++++ .../metadata/glsa/glsa-201709-01.xml | 51 ++++++++ .../metadata/glsa/glsa-201709-02.xml | 115 ++++++++++++++++++ .../metadata/glsa/glsa-201709-03.xml | 61 ++++++++++ .../metadata/glsa/glsa-201709-04.xml | 55 +++++++++ .../metadata/glsa/glsa-201709-05.xml | 50 ++++++++ .../metadata/glsa/glsa-201709-06.xml | 56 +++++++++ .../metadata/glsa/glsa-201709-07.xml | 60 +++++++++ .../metadata/glsa/glsa-201709-08.xml | 66 ++++++++++ .../metadata/glsa/glsa-201709-09.xml | 75 ++++++++++++ .../metadata/glsa/glsa-201709-10.xml | 61 ++++++++++ .../metadata/glsa/glsa-201709-11.xml | 55 +++++++++ .../metadata/glsa/glsa-201709-12.xml | 80 ++++++++++++ .../metadata/glsa/glsa-201709-13.xml | 50 ++++++++ .../metadata/glsa/glsa-201709-14.xml | 62 ++++++++++ .../metadata/glsa/timestamp.chk | 2 +- .../metadata/glsa/timestamp.commit | 2 +- 21 files changed, 1012 insertions(+), 10 deletions(-) create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201708-09.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201708-10.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-01.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-02.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-03.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-04.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-05.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-06.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-07.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-08.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-09.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-10.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-11.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-12.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-13.xml create mode 100644 sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-14.xml diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201708-04.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201708-04.xml index 09bf5c4fc7..70915b9814 100644 --- a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201708-04.xml +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201708-04.xml @@ -7,12 +7,12 @@ kedpm 2017-08-21 - 2017-08-21: 1 + 2017-08-26: 3 616690 local, remote - 0.4.0-r2 + 0.4.0-r2 @@ -45,5 +45,5 @@ CVE-2017-8296 b-man - b-man + b-man diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201708-07.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201708-07.xml index 4db322cb46..82a0c3974d 100644 --- a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201708-07.xml +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201708-07.xml @@ -7,12 +7,12 @@ evilvte 2017-08-21 - 2017-08-21: 1 + 2017-08-26: 2 611290 remote - 0.5.1 + 0.5.1 @@ -45,5 +45,5 @@ b-man - b-man + b-man diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201708-08.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201708-08.xml index 1055905bd4..3cc37835c8 100644 --- a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201708-08.xml +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201708-08.xml @@ -12,8 +12,8 @@ remote - 1.0.6-r8 - 1.0.6-r8 + 1.0.6-r8 + 1.0.6-r8 diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201708-09.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201708-09.xml new file mode 100644 index 0000000000..8a4b54e0c2 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201708-09.xml @@ -0,0 +1,50 @@ + + + + AutoTrace: Multiple vulnerabilities + Multiple vulnerabilities have been found in AutoTrace, the worst of + which could cause a Denial of Service condition. + + autotrace + 2017-08-26 + 2017-08-26: 1 + 613992 + 619040 + remote + + + 0.31.1-r8 + + + +

AutoTrace converts bitmap to vector graphics.

+ + +

Heap-based buffer overflows have been discovered in the + pstoedit_suffix_table_init and pnm_load_rawpbm functions of AutoTrace. +

+ + +

Remote attackers, by enticing a user to process a crafted bmp image + file, could cause a Denial of Service condition. +

+ + +

There is no known workaround at this time.

+ + +

Gentoo has discontinued support for AutoTrace. We recommend that users + unmerge AutoTrace: +

+ + + # emerge --unmerge "media-gfx/autotrace" + + + + CVE-2016-7392 + CVE-2017-9153 + + b-man + b-man + diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201708-10.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201708-10.xml new file mode 100644 index 0000000000..a65b1b12d8 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201708-10.xml @@ -0,0 +1,55 @@ + + + + jbig2dec: User-assisted execution of arbitrary code + Multiple integer overflow flaws have been discovered in jbig2dec, + possibly resulting in execution of arbitrary code or Denial of Service. + + jbig2dec + 2017-08-26 + 2017-08-26: 1 + 616464 + remote + + + 0.13-r4 + 0.13-r4 + + + +

jbig2dec is a decoder implementation of the JBIG2 image compression + format. +

+ + +

Integer overflow errors have been discovered in the + jbig2_decode_symbol_dict, jbig2_build_huffman_table, and + jbig2_image_compose functions of jbig2dec. +

+ + +

A remote attacker, by enticing a user to open a specially crafted JBIG2 + file using an application linked against jbig2dec, could possibly execute + arbitrary code with the privileges of the process or cause a Denial of + Service condition. +

+ + +

There is no known workaround at this time.

+ + +

All jbig2dec users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=media-libs/jbig2dec-0.13-r4" + + + + CVE-2017-7885 + CVE-2017-7975 + CVE-2017-7976 + + BlueKnight + ackle + diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-01.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-01.xml new file mode 100644 index 0000000000..3aa8b6e95c --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-01.xml @@ -0,0 +1,51 @@ + + + + MCollective: Remote Code Execution + A vulnerability in MCollective might allow remote attackers to + execute arbitrary code. + + mcollective + 2017-09-04 + 2017-09-04: 1 + 624704 + remote + + + 2.11.0 + 2.11.0 + + + +

MCollective is a framework to build server orchestration or parallel job + execution systems. +

+ + +

A vulnerability was discovered in MCollective which allowed for + deserialized YAML from agents without calling safe_load. This allows the + potential for arbitrary code execution on the server. +

+ + +

A remote attacker could possibly execute arbitrary code with the + privileges of the process or cause a Denial of Service condition. +

+ + +

There is no known workaround at this time.

+ + +

All MCollective users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-admin/mcollective-2.11.0" + + + + CVE-2017-2292 + + Zlogene + b-man + diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-02.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-02.xml new file mode 100644 index 0000000000..9a5f02e501 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-02.xml @@ -0,0 +1,115 @@ + + + + Binutils: Multiple vulnerabilities + Multiple vulnerabilities have been found in Binutils, the worst of + which may allow remote attackers to cause a Denial of Service condition. + + binutils + 2017-09-17 + 2017-09-17: 1 + 618006 + 618514 + 618516 + 618520 + 618826 + 621130 + 624524 + 624702 + remote + + + 2.28.1 + 2.28.1 + + + +

The GNU Binutils are a collection of tools to create, modify and analyse + binary files. Many of the files use BFD, the Binary File Descriptor + library, to do low-level manipulation. +

+ + +

Multiple vulnerabilities have been discovered in Binutils. Please review + References for additional information. +

+ + +

A remote attacker, by enticing a user to compile/execute a specially + crafted ELF file, PE File, or binary file, could possibly cause a Denial + of Service condition. +

+ + +

There is no known workaround at this time.

+ + +

All Binutils users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=sys-devel/binutils-2.28.1" + + + + + CVE-2017-6965 + + + CVE-2017-6966 + + + CVE-2017-6969 + + + CVE-2017-7614 + + + CVE-2017-8392 + + + CVE-2017-8393 + + + CVE-2017-8394 + + + CVE-2017-8395 + + + CVE-2017-8396 + + + CVE-2017-8397 + + + CVE-2017-8398 + + + CVE-2017-8421 + + + CVE-2017-9038 + + + CVE-2017-9039 + + + CVE-2017-9040 + + + CVE-2017-9041 + + + CVE-2017-9042 + + + CVE-2017-9742 + + + CVE-2017-9954 + + + b-man + chrisadr + diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-03.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-03.xml new file mode 100644 index 0000000000..0ffee333d0 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-03.xml @@ -0,0 +1,61 @@ + + + + WebKitGTK+: Multiple vulnerabilities + Multiple vulnerabilities have been found in WebkitGTK+, the worst + of which may allow remote attackers to execute arbitrary code. + + webkit-gtk + 2017-09-17 + 2017-09-17: 1 + 622442 + remote + + + 2.16.5 + 2.16.5 + + + +

WebKitGTK+ is a full-featured port of the WebKit rendering engine, + suitable for projects requiring any kind of web integration, offers + Webkit’s full functionality and is used on a wide range of systems. +

+ + +

Multiple vulnerabilities have been discovered in WebkitGTK+. Please + review the references below for details. +

+ + +

A remote attacker could execute arbitrary code via crafted web content.

+ + +

There is no known workaround at this time.

+ + +

All WebkitGTK+ users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-2.16.5" + + +

Packages which depend on this library may need to be recompiled. Tools + such as revdep-rebuild may assist in identifying some of these packages. +

+ + + + CVE-2017-2424 + + + CVE-2017-2538 + + WebkitGTK+ + Security Announce + + + BlueKnight + chrisadr + diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-04.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-04.xml new file mode 100644 index 0000000000..d649344554 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-04.xml @@ -0,0 +1,55 @@ + + + + mod_gnutls: Certificate validation error + A vulnerability in mod_gnutls allows remote attackers to spoof + clients via crafted certificates. + + mod_gnutls + 2017-09-17 + 2017-09-17: 1 + 541038 + remote + + + 0.7.3 + 0.7.3 + + + +

mod_gnutls is an extension for ​Apache’s httpd. It uses the + ​GnuTLS library to provide HTTPS. It supports some protocols and + features that mod_ssl does not. +

+ + + +

It was discovered that the authentication hook in mod_gnutls does not + validate client’s certificates even when option + “GnuTLSClientVerify” is set to “require”. +

+ + +

A remote attacker could present a crafted certificate and spoof clients + data. +

+ + +

There is no known workaround at this time.

+ + +

All mod_gnutls users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=www-apache/mod_gnutls-0.7.3" + + + + + CVE-2015-2091 + + + whissi + chrisadr + diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-05.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-05.xml new file mode 100644 index 0000000000..771f0cdc9c --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-05.xml @@ -0,0 +1,50 @@ + + + + chkrootkit: Local privilege escalation + A vulnerability in chkrootkit may allow local users to gain root + privileges. + + chkrootkit + 2017-09-17 + 2017-09-17: 1 + 512356 + local + + + 0.50 + 0.50 + + + +

chkrootkit is a tool to locally check for signs of a rootkit.

+ + +

When /tmp is mounted without the noexec option chkrootkit will execute + files in /tmp with root privileges. +

+ + +

A local attacker could possibly execute arbitrary code with root + privileges. +

+ + +

Users should mount /tmp with noexec option.

+ + +

All chkrootkit users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-forensics/chkrootkit-0.50" + + + + + CVE-2014-0476 + + + BlueKnight + chrisadr + diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-06.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-06.xml new file mode 100644 index 0000000000..e7fa1c1623 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-06.xml @@ -0,0 +1,56 @@ + + + + Supervisor: command injection vulnerability + A vulnerability in Supervisor might allow remote attackers to + execute arbitrary code. + + + supervisor + 2017-09-17 + 2017-09-17: 1 + 626100 + remote + + + 3.1.4 + 3.1.4 + + + +

Supervisor is a client/server system that allows its users to monitor + and control a number of processes on UNIX-like operating systems. +

+ + +

A vulnerability in Supervisor was discovered in which an authenticated + client could send malicious XML-RPC requests and supervidord will run + them as shell commands with process privileges. In some cases, + supervisord is configured with root permissions. +

+ + +

A remote attacker could execute arbitrary code with the privileges of + the process. +

+ + +

There is no known workaround at this time.

+ + +

All Supervisor users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose "=app-admin/supervisor-3.1.4" + + + + + + CVE-2017-11610 + + + b-man + chrisadr + diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-07.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-07.xml new file mode 100644 index 0000000000..aebd775ed1 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-07.xml @@ -0,0 +1,60 @@ + + + + Kpathsea: User-assisted execution of arbitrary code + A vulnerability in Kpathsea allows remote attackers to execute + arbitrary commands by manipulating the -tex option from mpost program. + + kpathsea + 2017-09-17 + 2017-09-17: 1 + 612328 + remote + + + 6.2.2_p20160523 + 6.2.2_p20160523 + + + +

Kpathsea is a library to do path searching. It is used by TeX Live and + others TeX related software. +

+ + +

It was discovered that the mpost program from the shell_escape_commands + list is capable of executing arbitrary external programs during the + conversion of .tex files. The responsible function is runpopen() + (texmfmp.c). +

+ + +

A remote attacker, by enticing a user to open a specially crafted .tex + file, could possibly execute arbitrary code with the privileges of the + process. +

+ + +

There is no known workaround at this time.

+ + +

All Kpathsea users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose + ">=dev-libs/kpathsea-6.2.2_p20160523" + + +

Packages which depend on this library may need to be recompiled. Tools + such as revdep-rebuild may assist in identifying some of these packages. +

+ + + + CVE-2016-10243 + + + whissi + chrisadr + diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-08.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-08.xml new file mode 100644 index 0000000000..4ae457a5b5 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-08.xml @@ -0,0 +1,66 @@ + + + + GDK-PixBuf: Multiple vulnerabilities + Multiple vulnerabilities have been found in GDK-PixBuf, the worst + of which could result in the execution of arbitrary code. + + gdk-pixbuf + 2017-09-17 + 2017-09-17: 1 + 592976 + 611390 + 630026 + remote + + + 2.36.9 + 2.36.9 + + + +

GDK-PixBuf is an image loading library for GTK+.

+ + +

Multiple vulnerabilities have been discovered in GDK-PixBuf. Please + review the referenced CVE identifiers for details. +

+ + +

A remote attacker, by sending a specially crafted TIFF, JPEG, or URL, + could execute arbitrary code with the privileges of the process or cause + a Denial of Service condition. +

+ + +

There is no known workaround at this time.

+ + +

All GDK-PixBuf users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=x11-libs/gdk-pixbuf-2.36.9" + + +

Packages which depend on this library may need to be recompiled. Tools + such as revdep-rebuild may assist in identifying some of these packages. +

+ + + + CVE-2017-6311 + + + CVE-2017-6312 + + + CVE-2017-6313 + + + CVE-2017-6314 + + + b-man + chrisadr + diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-09.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-09.xml new file mode 100644 index 0000000000..b0fb60e8ed --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-09.xml @@ -0,0 +1,75 @@ + + + + Subversion: Arbitrary code execution + A command injection vulnerability in Subversion may allow remote + attackers to execute arbitrary code. + + subversion + 2017-09-17 + 2017-09-17: 1 + 627480 + remote + + + 1.9.7 + 1.8.18 + 1.9.7 + + + +

Subversion is a version control system intended to eventually replace + CVS. Like CVS, it has an optional client-server architecture (where the + server can be an Apache server running mod_svn, or an ssh program as in + CVS’s :ext: method). In addition to supporting the features found in + CVS, Subversion also provides support for moving and copying files and + directories. +

+ + +

Specially crafted ‘ssh://...’ URLs may allow the owner of the + repository to execute arbitrary commands on client’s machine if those + commands are already installed on the client’s system. This is + especially dangerous when the third-party repository has one or more + submodules with specially crafted ‘ssh://...’ URLs. Each time the + repository is recursively cloned or submodules are updated the payload + will be triggered. +

+ + +

A remote attacker, by enticing a user to clone a specially crafted + repository, could possibly execute arbitrary code with the privileges of + the process. +

+ + +

There are several alternative ways to fix this vulnerability. Please + refer to Subversion Team Announce for more details. +

+ + +

All Subversion 1.9.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-vcs/subversion-1.9.7" + + +

All Subversion 1.8.x users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-vcs/subversion-1.8.18" + + + + + CVE-2017-9800 + + + Subversion Team Announce + + + b-man + chrisadr + diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-10.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-10.xml new file mode 100644 index 0000000000..1583ae4cf4 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-10.xml @@ -0,0 +1,61 @@ + + + + Git: Command injection + A command injection vulnerability in Git may allow remote attackers + to execute arbitrary code. + + git + 2017-09-17 + 2017-09-17: 1 + 627488 + remote + + + 2.13.5 + 2.13.5 + + + +

Git is a small and fast distributed version control system designed to + handle small and large projects. +

+ + +

Specially crafted ‘ssh://...’ URLs may allow the owner of the + repository to execute arbitrary commands on client’s machine if those + commands are already installed on the client’s system. This is + especially dangerous when the third-party repository has one or more + submodules with specially crafted ‘ssh://...’ URLs. Each time the + repository is recursively cloned or submodules are updated the payload + will be triggered. +

+ + +

A remote attacker, by enticing a user to clone a specially crafted + repository, could possibly execute arbitrary code with the privileges of + the process. +

+ + +

There is no known workaround at this time.

+ + +

All Git users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-vcs/git-2.13.5" + + + + + CVE-2017-1000117 + + Mailing + list ARChives (MARC) Git Team Announce + + + b-man + chrisadr + diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-11.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-11.xml new file mode 100644 index 0000000000..c9bbbce3d8 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-11.xml @@ -0,0 +1,55 @@ + + + + GIMPS: Root privilege escalation + Gentoo's GIMPS ebuilds are vulnerable to privilege escalation due + to improper permissions. A local attacker could use it to gain root + privileges. + + gimps + 2017-09-17 + 2017-09-17: 1 + 603408 + local + + + 28.10-r1 + 28.10-r1 + + + +

GIMPS, the Great Internet Mersenne Prime Search, is a software capable + of find Mersenne Primes, which are used in cryptography. GIMPS is also + used for hardware testing. +

+ + +

It was discovered that Gentoo’s default GIMPS installation suffered + from a privilege escalation vulnerability in the init script. This script + calls an unsafe “chown -R” command in checkconfig() function. +

+ + +

A local attacker who does not belong to the root group, but has the + ability to modify the /var/lib/gimps directory can escalate privileges to + the root group. +

+ + +

There is no known workaround at this time.

+ + +

All GIMPS users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=sci-mathematics/gimps-28.10-r1" + + + + + CVE-2017-14484 + + BlueKnight + chrisadr + diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-12.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-12.xml new file mode 100644 index 0000000000..ccad06cd75 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-12.xml @@ -0,0 +1,80 @@ + + + + Perl: Race condition vulnerability + A vulnerability in module File::Path for Perl allows local + attackers to set arbitrary mode values on arbitrary files bypassing + security restrictions. + + perl + 2017-09-17 + 2017-09-17: 1 + 620304 + local + + + 5.24.1-r2 + 5.24.1-r2 + + + 2.130.0 + 2.130.0 + + + 2.130.0 + 2.130.0 + + + +

File::Path module provides a convenient way to create directories of + arbitrary depth and to delete an entire directory subtree from the + filesystem. +

+ + +

A race condition occurs within concurrent environments. This condition + was discovered by The cPanel Security Team in the rmtree and remove_tree + functions in the File-Path module before 2.13 for Perl. This is due to + the time-of-check-to-time-of-use (TOCTOU) race condition between the + stat() that decides the inode is a directory and the chmod() that tries + to make it user-rwx. +

+ + +

A local attacker could exploit this condition to set arbitrary mode + values on arbitrary files and hence bypass security restrictions. +

+ + +

There is no known workaround at this time.

+ + +

All Perl users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=dev-lang/perl-5.24.1-r2" + + +

All File-Path users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=perl-core/File-Path-2.130.0" + + +

All Perl-File-Path users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=virtual/perl-File-Path-2.130.0" + + + + + CVE-2017-6512 + + + chrisadr + chrisadr + diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-13.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-13.xml new file mode 100644 index 0000000000..65d0d96e6e --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-13.xml @@ -0,0 +1,50 @@ + + + + SquirrelMail: Remote Code Execution + A vulnerability in SquirrelMail might allow remote attackers to + execute arbitrary code. + + squirrelmail + 2017-09-17 + 2017-09-17: 1 + 616700 + remote + + + 1.4.23_pre20140426 + + + +

SquirrelMail is a webmail package written in PHP. It supports IMAP and + SMTP and can optionally be installed with SQL support. +

+ + +

It was discovered that the sendmail.cf file is mishandled in a popen + call. +

+ + +

A remote attacker, by enticing a user to open an e-mail attachment, + could execute arbitrary shell commands. +

+ + +

There is no known workaround at this time.

+ + +

Gentoo has discontinued support for SquirrelMail and recommends that + users unmerge the package: +

+ + + # emerge --unmerge "mail-client/squirrelmail" + + + + CVE-2017-7692 + + b-man + b-man + diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-14.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-14.xml new file mode 100644 index 0000000000..17ac2965f5 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-14.xml @@ -0,0 +1,62 @@ + + + + cURL: Multiple vulnerabilities + Multiple vulnerabilities have been found in cURL, the worst of + which may allow attackers to bypass intended restrictions. + + curl + 2017-09-17 + 2017-09-17: 1 + 615870 + 615994 + 626776 + remote + + + 7.55.1 + 7.55.1 + + + +

cURL is a tool and libcurl is a library for transferring data with URL + syntax. +

+ + +

Multiple vulnerabilities have been discovered in cURL. Please review the + CVE identifiers referenced below for details. +

+ + +

Remote attackers could cause a Denial of Service condition, obtain + sensitive information, or bypass intended restrictions for TLS sessions. +

+ + +

There is no known workaround at this time.

+ + +

All cURL users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-misc/curl-7.55.1" + + + + + CVE-2017-1000099 + + + CVE-2017-1000100 + + + CVE-2017-1000101 + + CVE-2017-7407 + CVE-2017-7468 + + BlueKnight + b-man + diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk b/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk index 87171a4dae..8d0bb23cfd 100644 --- a/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk @@ -1 +1 @@ -Mon, 21 Aug 2017 16:39:23 +0000 +Mon, 18 Sep 2017 19:39:14 +0000 diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.commit b/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.commit index 2c23e69a25..defda47548 100644 --- a/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.commit +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.commit @@ -1 +1 @@ -e6b03f4f47a8d3f64f4dc686f054a6ecc4d23f8e 1503278719 2017-08-21T01:25:19+00:00 +1426d2aa885beb439e28d2ecdcbbb79fc0b7b9f9 1505683118 2017-09-17T21:18:38+00:00