mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-12-07 18:31:54 +01:00
Code Issues Packages Projects Releases Wiki Activity

bump(metadata/glsa): sync with upstream

Browse Source
This commit is contained in:
David Michael 2017-09-18 13:03:12 -07:00
parent 1c68c9c7b0
commit e6c2c08e1e
21 changed files with 1012 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201708-04.xml vendored
View File

@ -7,12 +7,12 @@
</synopsis>
<product type="ebuild">kedpm</product>
<announced>2017-08-21</announced>
<revised>2017-08-21: 1</revised>
<revised>2017-08-26: 3</revised>
<bug>616690</bug>
<access>local, remote</access>
<affected>
<package name="app-admin/kedpm" auto="yes" arch="*">
<vulnerable range="lt">0.4.0-r2</vulnerable>
<vulnerable range="le">0.4.0-r2</vulnerable>
</package>
</affected>
<background>
@ -45,5 +45,5 @@
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8296">CVE-2017-8296</uri>
</references>
<metadata tag="requester" timestamp="2017-08-14T23:18:50Z">b-man</metadata>
<metadata tag="submitter" timestamp="2017-08-21T00:06:05Z">b-man</metadata>
<metadata tag="submitter" timestamp="2017-08-26T14:46:29Z">b-man</metadata>
</glsa>

6
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201708-07.xml vendored
View File

@ -7,12 +7,12 @@
</synopsis>
<product type="ebuild">evilvte</product>
<announced>2017-08-21</announced>
<revised>2017-08-21: 1</revised>
<revised>2017-08-26: 2</revised>
<bug>611290</bug>
<access>remote</access>
<affected>
<package name="x11-terms/evilvte" auto="yes" arch="*">
<vulnerable range="lt">0.5.1</vulnerable>
<vulnerable range="le">0.5.1</vulnerable>
</package>
</affected>
<background>
@ -45,5 +45,5 @@
</uri>
</references>
<metadata tag="requester" timestamp="2017-08-14T23:29:51Z">b-man</metadata>
<metadata tag="submitter" timestamp="2017-08-21T01:03:58Z">b-man</metadata>
<metadata tag="submitter" timestamp="2017-08-26T14:45:16Z">b-man</metadata>
</glsa>

4
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201708-08.xml vendored
View File

@ -12,8 +12,8 @@
<access>remote</access>
<affected>
<package name="app-arch/bzip2" auto="yes" arch="*">
<unaffected range="ge" slot="">1.0.6-r8</unaffected>
<vulnerable range="lt" slot="">1.0.6-r8</vulnerable>
<unaffected range="ge">1.0.6-r8</unaffected>
<vulnerable range="lt">1.0.6-r8</vulnerable>
</package>
</affected>
<background>

50
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201708-09.xml vendored Normal file
View File

@ -0,0 +1,50 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201708-09">
<title>AutoTrace: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in AutoTrace, the worst of
which could cause a Denial of Service condition.
</synopsis>
<product type="ebuild">autotrace</product>
<announced>2017-08-26</announced>
<revised>2017-08-26: 1</revised>
<bug>613992</bug>
<bug>619040</bug>
<access>remote</access>
<affected>
<package name="media-gfx/autotrace" auto="yes" arch="*">
<vulnerable range="le">0.31.1-r8</vulnerable>
</package>
</affected>
<background>
<p>AutoTrace converts bitmap to vector graphics.</p>
</background>
<description>
<p>Heap-based buffer overflows have been discovered in the
pstoedit_suffix_table_init and pnm_load_rawpbm functions of AutoTrace.
</p>
</description>
<impact type="normal">
<p>Remote attackers, by enticing a user to process a crafted bmp image
file, could cause a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>Gentoo has discontinued support for AutoTrace. We recommend that users
unmerge AutoTrace:
</p>
<code>
# emerge --unmerge "media-gfx/autotrace"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7392">CVE-2016-7392</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9153">CVE-2017-9153</uri>
</references>
<metadata tag="requester" timestamp="2017-08-22T03:00:50Z">b-man</metadata>
<metadata tag="submitter" timestamp="2017-08-26T14:47:40Z">b-man</metadata>
</glsa>

55
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201708-10.xml vendored Normal file
View File

@ -0,0 +1,55 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201708-10">
<title>jbig2dec: User-assisted execution of arbitrary code</title>
<synopsis>Multiple integer overflow flaws have been discovered in jbig2dec,
possibly resulting in execution of arbitrary code or Denial of Service.
</synopsis>
<product type="ebuild">jbig2dec</product>
<announced>2017-08-26</announced>
<revised>2017-08-26: 1</revised>
<bug>616464</bug>
<access>remote</access>
<affected>
<package name="media-libs/jbig2dec" auto="yes" arch="*">
<unaffected range="ge">0.13-r4</unaffected>
<vulnerable range="lt">0.13-r4</vulnerable>
</package>
</affected>
<background>
<p>jbig2dec is a decoder implementation of the JBIG2 image compression
format.
</p>
</background>
<description>
<p>Integer overflow errors have been discovered in the
jbig2_decode_symbol_dict, jbig2_build_huffman_table, and
jbig2_image_compose functions of jbig2dec.
</p>
</description>
<impact type="normal">
<p>A remote attacker, by enticing a user to open a specially crafted JBIG2
file using an application linked against jbig2dec, could possibly execute
arbitrary code with the privileges of the process or cause a Denial of
Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All jbig2dec users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=media-libs/jbig2dec-0.13-r4"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7885">CVE-2017-7885</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7975">CVE-2017-7975</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7976">CVE-2017-7976</uri>
</references>
<metadata tag="requester" timestamp="2017-08-02T02:58:46Z">BlueKnight</metadata>
<metadata tag="submitter" timestamp="2017-08-26T14:52:50Z">ackle</metadata>
</glsa>

51
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-01.xml vendored Normal file
View File

@ -0,0 +1,51 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201709-01">
<title>MCollective: Remote Code Execution</title>
<synopsis>A vulnerability in MCollective might allow remote attackers to
execute arbitrary code.
</synopsis>
<product type="ebuild">mcollective</product>
<announced>2017-09-04</announced>
<revised>2017-09-04: 1</revised>
<bug>624704</bug>
<access>remote</access>
<affected>
<package name="app-admin/mcollective" auto="yes" arch="*">
<unaffected range="ge">2.11.0</unaffected>
<vulnerable range="lt">2.11.0</vulnerable>
</package>
</affected>
<background>
<p>MCollective is a framework to build server orchestration or parallel job
execution systems.
</p>
</background>
<description>
<p>A vulnerability was discovered in MCollective which allowed for
deserialized YAML from agents without calling safe_load. This allows the
potential for arbitrary code execution on the server.
</p>
</description>
<impact type="normal">
<p>A remote attacker could possibly execute arbitrary code with the
privileges of the process or cause a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All MCollective users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-admin/mcollective-2.11.0"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2292">CVE-2017-2292</uri>
</references>
<metadata tag="requester" timestamp="2017-08-26T22:18:27Z">Zlogene</metadata>
<metadata tag="submitter" timestamp="2017-09-04T22:33:20Z">b-man</metadata>
</glsa>

115
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-02.xml vendored Normal file
View File

@ -0,0 +1,115 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201709-02">
<title>Binutils: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Binutils, the worst of
which may allow remote attackers to cause a Denial of Service condition.
</synopsis>
<product type="ebuild">binutils</product>
<announced>2017-09-17</announced>
<revised>2017-09-17: 1</revised>
<bug>618006</bug>
<bug>618514</bug>
<bug>618516</bug>
<bug>618520</bug>
<bug>618826</bug>
<bug>621130</bug>
<bug>624524</bug>
<bug>624702</bug>
<access>remote</access>
<affected>
<package name="sys-devel/binutils" auto="yes" arch="*">
<unaffected range="ge">2.28.1</unaffected>
<vulnerable range="lt">2.28.1</vulnerable>
</package>
</affected>
<background>
<p>The GNU Binutils are a collection of tools to create, modify and analyse
binary files. Many of the files use BFD, the Binary File Descriptor
library, to do low-level manipulation.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Binutils. Please review
References for additional information.
</p>
</description>
<impact type="normal">
<p>A remote attacker, by enticing a user to compile/execute a specially
crafted ELF file, PE File, or binary file, could possibly cause a Denial
of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Binutils users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=sys-devel/binutils-2.28.1"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6965">
CVE-2017-6965
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6966">
CVE-2017-6966
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6969">
CVE-2017-6969
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7614">
CVE-2017-7614
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8392">
CVE-2017-8392
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8393">
CVE-2017-8393
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8394">
CVE-2017-8394
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8395">
CVE-2017-8395
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8396">
CVE-2017-8396
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8397">
CVE-2017-8397
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8398">
CVE-2017-8398
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8421">
CVE-2017-8421
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9038">
CVE-2017-9038
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9039">
CVE-2017-9039
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9040">
CVE-2017-9040
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9041">
CVE-2017-9041
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9042">
CVE-2017-9042
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9742">
CVE-2017-9742
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9954">
CVE-2017-9954
</uri>
</references>
<metadata tag="requester" timestamp="2017-09-16T22:31:03Z">b-man</metadata>
<metadata tag="submitter" timestamp="2017-09-17T15:30:04Z">chrisadr</metadata>
</glsa>

61
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-03.xml vendored Normal file
View File

@ -0,0 +1,61 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201709-03">
<title>WebKitGTK+: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in WebkitGTK+, the worst
of which may allow remote attackers to execute arbitrary code.
</synopsis>
<product type="ebuild">webkit-gtk</product>
<announced>2017-09-17</announced>
<revised>2017-09-17: 1</revised>
<bug>622442</bug>
<access>remote</access>
<affected>
<package name="net-libs/webkit-gtk" auto="yes" arch="*">
<unaffected range="ge">2.16.5</unaffected>
<vulnerable range="lt">2.16.5</vulnerable>
</package>
</affected>
<background>
<p>WebKitGTK+ is a full-featured port of the WebKit rendering engine,
suitable for projects requiring any kind of web integration, offers
Webkits full functionality and is used on a wide range of systems.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in WebkitGTK+. Please
review the references below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could execute arbitrary code via crafted web content.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All WebkitGTK+ users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-libs/webkit-gtk-2.16.5"
</code>
<p>Packages which depend on this library may need to be recompiled. Tools
such as revdep-rebuild may assist in identifying some of these packages.
</p>
</resolution>
<references>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2424">
CVE-2017-2424
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2538">
CVE-2017-2538
</uri>
<uri link="https://webkitgtk.org/security/WSA-2017-0005.html">WebkitGTK+
Security Announce
</uri>
</references>
<metadata tag="requester" timestamp="2017-09-10T06:48:46Z">BlueKnight</metadata>
<metadata tag="submitter" timestamp="2017-09-17T15:37:18Z">chrisadr</metadata>
</glsa>

55
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-04.xml vendored Normal file
View File

@ -0,0 +1,55 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201709-04">
<title>mod_gnutls: Certificate validation error</title>
<synopsis>A vulnerability in mod_gnutls allows remote attackers to spoof
clients via crafted certificates.
</synopsis>
<product type="ebuild">mod_gnutls</product>
<announced>2017-09-17</announced>
<revised>2017-09-17: 1</revised>
<bug>541038</bug>
<access>remote</access>
<affected>
<package name="www-apache/mod_gnutls" auto="yes" arch="*">
<unaffected range="ge">0.7.3</unaffected>
<vulnerable range="lt">0.7.3</vulnerable>
</package>
</affected>
<background>
<p>mod_gnutls is an extension for Apaches httpd. It uses the
GnuTLS library to provide HTTPS. It supports some protocols and
features that mod_ssl does not.
</p>
</background>
<description>
<p>It was discovered that the authentication hook in mod_gnutls does not
validate clients certificates even when option
“GnuTLSClientVerify” is set to “require”.
</p>
</description>
<impact type="normal">
<p>A remote attacker could present a crafted certificate and spoof clients
data.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All mod_gnutls users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=www-apache/mod_gnutls-0.7.3"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2091">
CVE-2015-2091
</uri>
</references>
<metadata tag="requester" timestamp="2017-06-17T21:37:14Z">whissi</metadata>
<metadata tag="submitter" timestamp="2017-09-17T15:43:18Z">chrisadr</metadata>
</glsa>

50
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-05.xml vendored Normal file
View File

@ -0,0 +1,50 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201709-05">
<title>chkrootkit: Local privilege escalation</title>
<synopsis>A vulnerability in chkrootkit may allow local users to gain root
privileges.
</synopsis>
<product type="ebuild">chkrootkit</product>
<announced>2017-09-17</announced>
<revised>2017-09-17: 1</revised>
<bug>512356</bug>
<access>local</access>
<affected>
<package name="app-forensics/chkrootkit" auto="yes" arch="*">
<unaffected range="ge">0.50</unaffected>
<vulnerable range="lt">0.50</vulnerable>
</package>
</affected>
<background>
<p>chkrootkit is a tool to locally check for signs of a rootkit.</p>
</background>
<description>
<p>When /tmp is mounted without the noexec option chkrootkit will execute
files in /tmp with root privileges.
</p>
</description>
<impact type="high">
<p>A local attacker could possibly execute arbitrary code with root
privileges.
</p>
</impact>
<workaround>
<p>Users should mount /tmp with noexec option.</p>
</workaround>
<resolution>
<p>All chkrootkit users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-forensics/chkrootkit-0.50"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0476">
CVE-2014-0476
</uri>
</references>
<metadata tag="requester" timestamp="2017-09-10T06:30:28Z">BlueKnight</metadata>
<metadata tag="submitter" timestamp="2017-09-17T15:44:38Z">chrisadr</metadata>
</glsa>

56
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-06.xml vendored Normal file
View File

@ -0,0 +1,56 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201709-06">
<title>Supervisor: command injection vulnerability</title>
<synopsis>A vulnerability in Supervisor might allow remote attackers to
execute arbitrary code.
</synopsis>
<product type="ebuild">supervisor</product>
<announced>2017-09-17</announced>
<revised>2017-09-17: 1</revised>
<bug>626100</bug>
<access>remote</access>
<affected>
<package name="app-admin/supervisor" auto="yes" arch="*">
<unaffected range="ge">3.1.4</unaffected>
<vulnerable range="lt">3.1.4</vulnerable>
</package>
</affected>
<background>
<p>Supervisor is a client/server system that allows its users to monitor
and control a number of processes on UNIX-like operating systems.
</p>
</background>
<description>
<p>A vulnerability in Supervisor was discovered in which an authenticated
client could send malicious XML-RPC requests and supervidord will run
them as shell commands with process privileges. In some cases,
supervisord is configured with root permissions.
</p>
</description>
<impact type="high">
<p>A remote attacker could execute arbitrary code with the privileges of
the process.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Supervisor users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "=app-admin/supervisor-3.1.4"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-11610">
CVE-2017-11610
</uri>
</references>
<metadata tag="requester" timestamp="2017-07-27T14:58:00Z">b-man</metadata>
<metadata tag="submitter" timestamp="2017-09-17T15:45:48Z">chrisadr</metadata>
</glsa>

60
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-07.xml vendored Normal file
View File

@ -0,0 +1,60 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201709-07">
<title>Kpathsea: User-assisted execution of arbitrary code</title>
<synopsis>A vulnerability in Kpathsea allows remote attackers to execute
arbitrary commands by manipulating the -tex option from mpost program.
</synopsis>
<product type="ebuild">kpathsea</product>
<announced>2017-09-17</announced>
<revised>2017-09-17: 1</revised>
<bug>612328</bug>
<access>remote</access>
<affected>
<package name="dev-libs/kpathsea" auto="yes" arch="*">
<unaffected range="ge">6.2.2_p20160523</unaffected>
<vulnerable range="lt">6.2.2_p20160523</vulnerable>
</package>
</affected>
<background>
<p>Kpathsea is a library to do path searching. It is used by TeX Live and
others TeX related software.
</p>
</background>
<description>
<p>It was discovered that the mpost program from the shell_escape_commands
list is capable of executing arbitrary external programs during the
conversion of .tex files. The responsible function is runpopen()
(texmfmp.c).
</p>
</description>
<impact type="normal">
<p>A remote attacker, by enticing a user to open a specially crafted .tex
file, could possibly execute arbitrary code with the privileges of the
process.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Kpathsea users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose
"&gt;=dev-libs/kpathsea-6.2.2_p20160523"
</code>
<p>Packages which depend on this library may need to be recompiled. Tools
such as revdep-rebuild may assist in identifying some of these packages.
</p>
</resolution>
<references>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10243">
CVE-2016-10243
</uri>
</references>
<metadata tag="requester" timestamp="2017-06-17T20:59:54Z">whissi</metadata>
<metadata tag="submitter" timestamp="2017-09-17T15:47:02Z">chrisadr</metadata>
</glsa>

66
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-08.xml vendored Normal file
View File

@ -0,0 +1,66 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201709-08">
<title>GDK-PixBuf: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in GDK-PixBuf, the worst
of which could result in the execution of arbitrary code.
</synopsis>
<product type="ebuild">gdk-pixbuf</product>
<announced>2017-09-17</announced>
<revised>2017-09-17: 1</revised>
<bug>592976</bug>
<bug>611390</bug>
<bug>630026</bug>
<access>remote</access>
<affected>
<package name="x11-libs/gdk-pixbuf" auto="yes" arch="*">
<unaffected range="ge">2.36.9</unaffected>
<vulnerable range="lt">2.36.9</vulnerable>
</package>
</affected>
<background>
<p>GDK-PixBuf is an image loading library for GTK+.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in GDK-PixBuf. Please
review the referenced CVE identifiers for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker, by sending a specially crafted TIFF, JPEG, or URL,
could execute arbitrary code with the privileges of the process or cause
a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All GDK-PixBuf users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=x11-libs/gdk-pixbuf-2.36.9"
</code>
<p>Packages which depend on this library may need to be recompiled. Tools
such as revdep-rebuild may assist in identifying some of these packages.
</p>
</resolution>
<references>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6311">
CVE-2017-6311
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6312">
CVE-2017-6312
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6313">
CVE-2017-6313
</uri>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6314">
CVE-2017-6314
</uri>
</references>
<metadata tag="requester" timestamp="2017-09-10T23:08:28Z">b-man</metadata>
<metadata tag="submitter" timestamp="2017-09-17T15:48:14Z">chrisadr</metadata>
</glsa>

75
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-09.xml vendored Normal file
View File

@ -0,0 +1,75 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201709-09">
<title>Subversion: Arbitrary code execution</title>
<synopsis>A command injection vulnerability in Subversion may allow remote
attackers to execute arbitrary code.
</synopsis>
<product type="ebuild">subversion</product>
<announced>2017-09-17</announced>
<revised>2017-09-17: 1</revised>
<bug>627480</bug>
<access>remote</access>
<affected>
<package name="dev-vcs/subversion" auto="yes" arch="*">
<unaffected range="ge">1.9.7</unaffected>
<unaffected range="rgt">1.8.18</unaffected>
<vulnerable range="lt">1.9.7</vulnerable>
</package>
</affected>
<background>
<p>Subversion is a version control system intended to eventually replace
CVS. Like CVS, it has an optional client-server architecture (where the
server can be an Apache server running mod_svn, or an ssh program as in
CVSs :ext: method). In addition to supporting the features found in
CVS, Subversion also provides support for moving and copying files and
directories.
</p>
</background>
<description>
<p>Specially crafted ssh://... URLs may allow the owner of the
repository to execute arbitrary commands on clients machine if those
commands are already installed on the clients system. This is
especially dangerous when the third-party repository has one or more
submodules with specially crafted ssh://... URLs. Each time the
repository is recursively cloned or submodules are updated the payload
will be triggered.
</p>
</description>
<impact type="normal">
<p>A remote attacker, by enticing a user to clone a specially crafted
repository, could possibly execute arbitrary code with the privileges of
the process.
</p>
</impact>
<workaround>
<p>There are several alternative ways to fix this vulnerability. Please
refer to Subversion Team Announce for more details.
</p>
</workaround>
<resolution>
<p>All Subversion 1.9.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-vcs/subversion-1.9.7"
</code>
<p>All Subversion 1.8.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-vcs/subversion-1.8.18"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9800">
CVE-2017-9800
</uri>
<uri link="https://subversion.apache.org/security/CVE-2017-9800-advisory.txt">
Subversion Team Announce
</uri>
</references>
<metadata tag="requester" timestamp="2017-09-01T12:55:21Z">b-man</metadata>
<metadata tag="submitter" timestamp="2017-09-17T15:50:43Z">chrisadr</metadata>
</glsa>

61
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-10.xml vendored Normal file
View File

@ -0,0 +1,61 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201709-10">
<title>Git: Command injection</title>
<synopsis>A command injection vulnerability in Git may allow remote attackers
to execute arbitrary code.
</synopsis>
<product type="ebuild">git</product>
<announced>2017-09-17</announced>
<revised>2017-09-17: 1</revised>
<bug>627488</bug>
<access>remote</access>
<affected>
<package name="dev-vcs/git" auto="yes" arch="*">
<unaffected range="ge">2.13.5</unaffected>
<vulnerable range="lt">2.13.5</vulnerable>
</package>
</affected>
<background>
<p>Git is a small and fast distributed version control system designed to
handle small and large projects.
</p>
</background>
<description>
<p>Specially crafted ssh://... URLs may allow the owner of the
repository to execute arbitrary commands on clients machine if those
commands are already installed on the clients system. This is
especially dangerous when the third-party repository has one or more
submodules with specially crafted ssh://... URLs. Each time the
repository is recursively cloned or submodules are updated the payload
will be triggered.
</p>
</description>
<impact type="normal">
<p>A remote attacker, by enticing a user to clone a specially crafted
repository, could possibly execute arbitrary code with the privileges of
the process.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Git users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-vcs/git-2.13.5"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1000117">
CVE-2017-1000117
</uri>
<uri link="https://marc.info/?l=git&amp;m=150238802328673&amp;w=2">Mailing
list ARChives (MARC) Git Team Announce
</uri>
</references>
<metadata tag="requester" timestamp="2017-09-08T23:46:38Z">b-man</metadata>
<metadata tag="submitter" timestamp="2017-09-17T19:03:46Z">chrisadr</metadata>
</glsa>

55
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-11.xml vendored Normal file
View File

@ -0,0 +1,55 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201709-11">
<title>GIMPS: Root privilege escalation</title>
<synopsis>Gentoo's GIMPS ebuilds are vulnerable to privilege escalation due
to improper permissions. A local attacker could use it to gain root
privileges.
</synopsis>
<product type="ebuild">gimps</product>
<announced>2017-09-17</announced>
<revised>2017-09-17: 1</revised>
<bug>603408</bug>
<access>local</access>
<affected>
<package name="sci-mathematics/gimps" auto="yes" arch="*">
<unaffected range="ge">28.10-r1</unaffected>
<vulnerable range="lt">28.10-r1</vulnerable>
</package>
</affected>
<background>
<p>GIMPS, the Great Internet Mersenne Prime Search, is a software capable
of find Mersenne Primes, which are used in cryptography. GIMPS is also
used for hardware testing.
</p>
</background>
<description>
<p>It was discovered that Gentoos default GIMPS installation suffered
from a privilege escalation vulnerability in the init script. This script
calls an unsafe “chown -R” command in checkconfig() function.
</p>
</description>
<impact type="high">
<p>A local attacker who does not belong to the root group, but has the
ability to modify the /var/lib/gimps directory can escalate privileges to
the root group.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All GIMPS users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=sci-mathematics/gimps-28.10-r1"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-14484">CVE-2017-14484</uri>
</references>
<metadata tag="requester" timestamp="2017-09-10T06:41:04Z">BlueKnight</metadata>
<metadata tag="submitter" timestamp="2017-09-17T19:05:30Z">chrisadr</metadata>
</glsa>

80
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-12.xml vendored Normal file
View File

@ -0,0 +1,80 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201709-12">
<title>Perl: Race condition vulnerability</title>
<synopsis>A vulnerability in module File::Path for Perl allows local
attackers to set arbitrary mode values on arbitrary files bypassing
security restrictions.
</synopsis>
<product type="ebuild">perl</product>
<announced>2017-09-17</announced>
<revised>2017-09-17: 1</revised>
<bug>620304</bug>
<access>local</access>
<affected>
<package name="dev-lang/perl" auto="yes" arch="*">
<unaffected range="ge">5.24.1-r2</unaffected>
<vulnerable range="lt">5.24.1-r2</vulnerable>
</package>
<package name="perl-core/File-Path" auto="yes" arch="*">
<unaffected range="ge">2.130.0</unaffected>
<vulnerable range="lt">2.130.0</vulnerable>
</package>
<package name="virtual/perl-File-Path" auto="yes" arch="*">
<unaffected range="ge">2.130.0</unaffected>
<vulnerable range="lt">2.130.0</vulnerable>
</package>
</affected>
<background>
<p>File::Path module provides a convenient way to create directories of
arbitrary depth and to delete an entire directory subtree from the
filesystem.
</p>
</background>
<description>
<p>A race condition occurs within concurrent environments. This condition
was discovered by The cPanel Security Team in the rmtree and remove_tree
functions in the File-Path module before 2.13 for Perl. This is due to
the time-of-check-to-time-of-use (TOCTOU) race condition between the
stat() that decides the inode is a directory and the chmod() that tries
to make it user-rwx.
</p>
</description>
<impact type="normal">
<p>A local attacker could exploit this condition to set arbitrary mode
values on arbitrary files and hence bypass security restrictions.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Perl users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-lang/perl-5.24.1-r2"
</code>
<p>All File-Path users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=perl-core/File-Path-2.130.0"
</code>
<p>All Perl-File-Path users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=virtual/perl-File-Path-2.130.0"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6512">
CVE-2017-6512
</uri>
</references>
<metadata tag="requester" timestamp="2017-09-12T03:14:08Z">chrisadr</metadata>
<metadata tag="submitter" timestamp="2017-09-17T19:28:53Z">chrisadr</metadata>
</glsa>

50
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-13.xml vendored Normal file
View File

@ -0,0 +1,50 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201709-13">
<title>SquirrelMail: Remote Code Execution</title>
<synopsis>A vulnerability in SquirrelMail might allow remote attackers to
execute arbitrary code.
</synopsis>
<product type="ebuild">squirrelmail</product>
<announced>2017-09-17</announced>
<revised>2017-09-17: 1</revised>
<bug>616700</bug>
<access>remote</access>
<affected>
<package name="mail-client/squirrelmail" auto="yes" arch="*">
<vulnerable range="lt">1.4.23_pre20140426</vulnerable>
</package>
</affected>
<background>
<p>SquirrelMail is a webmail package written in PHP. It supports IMAP and
SMTP and can optionally be installed with SQL support.
</p>
</background>
<description>
<p>It was discovered that the sendmail.cf file is mishandled in a popen
call.
</p>
</description>
<impact type="normal">
<p>A remote attacker, by enticing a user to open an e-mail attachment,
could execute arbitrary shell commands.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>Gentoo has discontinued support for SquirrelMail and recommends that
users unmerge the package:
</p>
<code>
# emerge --unmerge "mail-client/squirrelmail"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7692">CVE-2017-7692</uri>
</references>
<metadata tag="requester" timestamp="2017-09-08T23:47:24Z">b-man</metadata>
<metadata tag="submitter" timestamp="2017-09-17T20:28:22Z">b-man</metadata>
</glsa>

62
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201709-14.xml vendored Normal file
View File

@ -0,0 +1,62 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201709-14">
<title>cURL: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in cURL, the worst of
which may allow attackers to bypass intended restrictions.
</synopsis>
<product type="ebuild">curl</product>
<announced>2017-09-17</announced>
<revised>2017-09-17: 1</revised>
<bug>615870</bug>
<bug>615994</bug>
<bug>626776</bug>
<access>remote</access>
<affected>
<package name="net-misc/curl" auto="yes" arch="*">
<unaffected range="ge">7.55.1</unaffected>
<vulnerable range="lt">7.55.1</vulnerable>
</package>
</affected>
<background>
<p>cURL is a tool and libcurl is a library for transferring data with URL
syntax.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in cURL. Please review the
CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>Remote attackers could cause a Denial of Service condition, obtain
sensitive information, or bypass intended restrictions for TLS sessions.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All cURL users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-misc/curl-7.55.1"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1000099">
CVE-2017-1000099
</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1000100">
CVE-2017-1000100
</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1000101">
CVE-2017-1000101
</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7407">CVE-2017-7407</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7468">CVE-2017-7468</uri>
</references>
<metadata tag="requester" timestamp="2017-09-03T21:18:02Z">BlueKnight</metadata>
<metadata tag="submitter" timestamp="2017-09-17T21:18:05Z">b-man</metadata>
</glsa>

2
sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk vendored
View File

@ -1 +1 @@
Mon, 21 Aug 2017 16:39:23 +0000
Mon, 18 Sep 2017 19:39:14 +0000

2
sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.commit vendored
View File

@ -1 +1 @@
e6b03f4f47a8d3f64f4dc686f054a6ecc4d23f8e 1503278719 2017-08-21T01:25:19+00:00
1426d2aa885beb439e28d2ecdcbbb79fc0b7b9f9 1505683118 2017-09-17T21:18:38+00:00