mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-08-18 02:16:59 +02:00
Code Issues Packages Projects Releases Wiki Activity

bump(metadata/glsa): sync with upstream

Browse Source
This commit is contained in:
David Michael 2017-03-21 15:29:24 -07:00
parent 3e79c3bd35
commit ea16d3f288
54 changed files with 3002 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201603-14.xml vendored
View File

@ -23,7 +23,7 @@
<vulnerable range="lt">7.2.6.4</vulnerable>
</package>
<package name="dev-java/icedtea-bin" auto="yes" arch="*">
<unaffected range="ge">7.2.6.4</unaffected>
<unaffected range="ge" slot="7">7.2.6.4</unaffected>
<unaffected range="rge">6.1.13.9</unaffected>
<unaffected range="lt">6</unaffected>
<vulnerable range="lt">7.2.6.4</vulnerable>

6
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201606-18.xml vendored
View File

@ -16,10 +16,8 @@
<access>remote</access>
<affected>
<package name="dev-java/icedtea-bin" auto="yes" arch="*">
<unaffected range="ge">7.2.6.6-r1</unaffected>
<unaffected range="rge">3.0.1</unaffected>
<unaffected range="rge">3.1.0</unaffected>
<unaffected range="rge">3.2.0</unaffected>
<unaffected range="ge" slot="7">7.2.6.6-r1</unaffected>
<unaffected range="ge" slot="8">3.0.1</unaffected>
<vulnerable range="lt">7.2.6.6-r1</vulnerable>
</package>
</affected>

12
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-18.xml vendored
View File

@ -6,16 +6,16 @@
which could lead to arbitrary code execution.
</synopsis>
<product type="ebuild">python</product>
<announced>January 10, 2017</announced>
<revised>January 10, 2017: 1</revised>
<announced>2017-01-10</announced>
<revised>2017-02-24: 2</revised>
<bug>531002</bug>
<bug>585910</bug>
<bug>585946</bug>
<access>remote</access>
<affected>
<package name="dev-lang/python" auto="yes" arch="*">
<unaffected range="rge">2.7.12</unaffected>
<unaffected range="ge">3.4.5</unaffected>
<unaffected range="ge" slot="2.7">2.7.12</unaffected>
<unaffected range="ge" slot="3.4">3.4.5</unaffected>
<vulnerable range="lt">3.4.5</vulnerable>
</package>
</affected>
@ -67,6 +67,6 @@
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0772">CVE-2016-0772</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5636">CVE-2016-5636</uri>
</references>
<metadata tag="requester" timestamp="Tue, 03 Jan 2017 06:13:03 +0000">b-man</metadata>
<metadata tag="submitter" timestamp="Tue, 10 Jan 2017 13:57:50 +0000">whissi</metadata>
<metadata tag="requester" timestamp="2017-01-03T06:13:03Z">b-man</metadata>
<metadata tag="submitter" timestamp="2017-02-24T10:28:53Z">whissi</metadata>
</glsa>

4
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-62.xml vendored
View File

@ -7,7 +7,7 @@
</synopsis>
<product type="ebuild">firejail</product>
<announced>2017-01-24</announced>
<revised>2017-01-24: 1</revised>
<revised>2017-01-31: 2</revised>
<bug>604758</bug>
<access>local, remote</access>
<affected>
@ -60,5 +60,5 @@
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5207">CVE-2017-5207</uri>
</references>
<metadata tag="requester" timestamp="2017-01-13T15:06:51Z">b-man</metadata>
<metadata tag="submitter" timestamp="2017-01-24T11:32:53Z">whissi</metadata>
<metadata tag="submitter" timestamp="2017-01-31T03:41:42Z">whissi</metadata>
</glsa>

58
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-64.xml vendored Normal file
View File

@ -0,0 +1,58 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201701-64">
<title>X.Org X Server: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in X.Org X Server, the
worst of which may allow authenticated attackers to read from or send
information to arbitrary X11 clients.
</synopsis>
<product type="ebuild">xorg-server</product>
<announced>2017-01-25</announced>
<revised>2017-01-25: 1</revised>
<bug>493294</bug>
<bug>548002</bug>
<bug>551680</bug>
<access>remote</access>
<affected>
<package name="x11-base/xorg-server" auto="yes" arch="*">
<unaffected range="ge">1.18.4</unaffected>
<vulnerable range="lt">1.18.4</vulnerable>
</package>
</affected>
<background>
<p>The X Window System is a graphical windowing system based on a
client/server model.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in X.Org X Server. Please
review the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>An authenticated attacker could possibly cause a Denial of Service
condition or read from or send information to arbitrary X11 clients.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All X.Org X Server users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=x11-base/xorg-server-1.18.4"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6424">CVE-2013-6424</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3164">CVE-2015-3164</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3418">CVE-2015-3418</uri>
<uri link="https://lists.x.org/archives/xorg-announce/2015-June/002611.html">
X.Org/Wayland Security Advisory: Missing authentication in XWayland
</uri>
</references>
<metadata tag="requester" timestamp="2015-07-16T14:04:33Z">BlueKnight</metadata>
<metadata tag="submitter" timestamp="2017-01-25T12:57:10Z">whissi</metadata>
</glsa>

87
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-65.xml vendored Normal file
View File

@ -0,0 +1,87 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201701-65">
<title>Oracle JRE/JDK: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Oracle's JRE and JDK
software suites, the worst of which may allow execution of arbitrary code
</synopsis>
<product type="ebuild">jre,jdk,oracle</product>
<announced>2017-01-25</announced>
<revised>2017-01-25: 1</revised>
<bug>606118</bug>
<access>remote</access>
<affected>
<package name="dev-java/oracle-jre-bin" auto="yes" arch="*">
<unaffected range="ge">1.8.0.121</unaffected>
<vulnerable range="lt">1.8.0.121</vulnerable>
</package>
<package name="dev-java/oracle-jdk-bin" auto="yes" arch="*">
<unaffected range="ge">1.8.0.121</unaffected>
<vulnerable range="lt">1.8.0.121</vulnerable>
</package>
</affected>
<background>
<p>Java Platform, Standard Edition (Java SE) lets you develop and deploy
Java applications on desktops and servers, as well as in todays
demanding embedded environments. Java offers the rich user interface,
performance, versatility, portability, and security that todays
applications require.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in in Oracles JRE and
JDK. Please review the CVE identifiers referenced below for details.
</p>
</description>
<impact type="high">
<p>A remote attacker could possibly execute arbitrary code with the
privileges of the process, gain access to information, or cause a Denial
of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Oracle JRE users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose
"&gt;=dev-java/oracle-jre-bin-1.8.0.121"
</code>
<p>All Oracle JDK users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose
"&gt;=dev-java/oracle-jdk-bin-1.8.0.121"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2183">CVE-2016-2183</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5546">CVE-2016-5546</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5547">CVE-2016-5547</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5548">CVE-2016-5548</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5549">CVE-2016-5549</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5552">CVE-2016-5552</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8328">CVE-2016-8328</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3231">CVE-2017-3231</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3241">CVE-2017-3241</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3252">CVE-2017-3252</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3253">CVE-2017-3253</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3259">CVE-2017-3259</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3260">CVE-2017-3260</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3261">CVE-2017-3261</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3262">CVE-2017-3262</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3272">CVE-2017-3272</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3289">CVE-2017-3289</uri>
<uri link="http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html#AppendixJAVA">
Oracle Critical Patch Update Advisory - January 2017
</uri>
</references>
<metadata tag="requester" timestamp="2017-01-21T22:56:38Z">whissi</metadata>
<metadata tag="submitter" timestamp="2017-01-25T13:04:35Z">whissi</metadata>
</glsa>

74
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-66.xml vendored Normal file
View File

@ -0,0 +1,74 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201701-66">
<title>Chromium: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in the Chromium web
browser, the worst of which allows remote attackers to execute arbitrary
code.
</synopsis>
<product type="ebuild">chromium</product>
<announced>2017-01-29</announced>
<revised>2017-01-29: 1</revised>
<bug>607276</bug>
<access>remote</access>
<affected>
<package name="www-client/chromium" auto="yes" arch="*">
<unaffected range="ge">56.0.2924.76</unaffected>
<vulnerable range="lt">56.0.2924.76</vulnerable>
</package>
</affected>
<background>
<p>Chromium is an open-source browser project that aims to build a safer,
faster, and more stable way for all users to experience the web.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in the Chromium web
browser. Please review the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could possibly execute arbitrary code with the
privileges of the process, cause a Denial of Service condition, obtain
sensitive information, bypass security restrictions, or perform
cross-site scripting (XSS).
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Chromium users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose
"&gt;=www-client/chromium-56.0.2924.76"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5006">CVE-2017-5006</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5007">CVE-2017-5007</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5008">CVE-2017-5008</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5009">CVE-2017-5009</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5010">CVE-2017-5010</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5011">CVE-2017-5011</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5012">CVE-2017-5012</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5013">CVE-2017-5013</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5014">CVE-2017-5014</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5015">CVE-2017-5015</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5016">CVE-2017-5016</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5017">CVE-2017-5017</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5018">CVE-2017-5018</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5019">CVE-2017-5019</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5020">CVE-2017-5020</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5021">CVE-2017-5021</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5022">CVE-2017-5022</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5023">CVE-2017-5023</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5024">CVE-2017-5024</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5025">CVE-2017-5025</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5026">CVE-2017-5026</uri>
</references>
<metadata tag="requester" timestamp="2017-01-28T01:28:05Z">b-man</metadata>
<metadata tag="submitter" timestamp="2017-01-29T01:03:18Z">b-man</metadata>
</glsa>

47
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-67.xml vendored Normal file
View File

@ -0,0 +1,47 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201701-67">
<title>a2ps: Arbitrary code execution</title>
<synopsis>A vulnerability in a2ps' fixps script might allow remote attackers
to execute arbitrary code.
</synopsis>
<product type="ebuild">a2ps</product>
<announced>2017-01-29</announced>
<revised>2017-01-29: 1</revised>
<bug>506352</bug>
<access>remote</access>
<affected>
<package name="app-text/a2ps" auto="yes" arch="*">
<unaffected range="ge">4.14-r5</unaffected>
<vulnerable range="lt">4.14-r5</vulnerable>
</package>
</affected>
<background>
<p>a2ps is an Any to PostScript filter.</p>
</background>
<description>
<p>a2ps fixps script does not invoke gs with the -dSAFER option.</p>
</description>
<impact type="normal">
<p>Remote attackers, by enticing a user to process a specially crafted
PostScript file, could delete arbitrary files or execute arbitrary code
with the privileges of the process.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All a2ps users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-text/a2ps-4.14-r5"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0466">CVE-2014-0466</uri>
</references>
<metadata tag="requester" timestamp="2017-01-24T18:44:55Z">whissi</metadata>
<metadata tag="submitter" timestamp="2017-01-29T16:07:45Z">b-man</metadata>
</glsa>

54
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-68.xml vendored Normal file
View File

@ -0,0 +1,54 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201701-68">
<title>FreeImage: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in FreeImage, the worst of
which may allow execution of arbitrary code
</synopsis>
<product type="ebuild">freeimage</product>
<announced>2017-01-29</announced>
<revised>2017-01-29: 1</revised>
<bug>559006</bug>
<bug>596350</bug>
<access>remote</access>
<affected>
<package name="media-libs/freeimage" auto="yes" arch="*">
<unaffected range="ge">3.15.4-r1</unaffected>
<vulnerable range="lt">3.15.4-r1</vulnerable>
</package>
</affected>
<background>
<p>FreeImage is an Open Source library project for developers who would
like to support popular graphics image formats like PNG, BMP, JPEG, TIFF
and others as needed by todays multimedia applications.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in in FreeImage. Please
review the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker, by enticing a user to process a specially crafted
image file, could possibly execute arbitrary code with the privileges of
the process or cause a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All FreeImage users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=media-libs/freeimage-3.15.4-r1"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0852">CVE-2015-0852</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5684">CVE-2016-5684</uri>
</references>
<metadata tag="requester" timestamp="2017-01-23T08:24:46Z">b-man</metadata>
<metadata tag="submitter" timestamp="2017-01-29T16:12:52Z">b-man</metadata>
</glsa>

54
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-69.xml vendored Normal file
View File

@ -0,0 +1,54 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201701-69">
<title>Ark: Unintended execution of scripts and executable files</title>
<synopsis>A vulnerability in Ark might allow remote attackers to execute
arbitrary code.
</synopsis>
<product type="ebuild">ark</product>
<announced>2017-01-29</announced>
<revised>2017-01-29: 1</revised>
<bug>604846</bug>
<access>remote</access>
<affected>
<package name="kde-apps/ark" auto="yes" arch="*">
<unaffected range="ge">16.08.3-r1</unaffected>
<vulnerable range="lt">16.08.3-r1</vulnerable>
</package>
</affected>
<background>
<p>Ark is a graphical file compression/decompression utility with support
for multiple formats.
</p>
</background>
<description>
<p>A vulnerability was discovered in how Ark handles executable files while
browsing a compressed archive. A user could unintentionally execute a
malicious script which has the executable bit set inside of the archive.
This is due to Ark not displaying what files are executable and running
the associated applications for the file type upon execution.
</p>
</description>
<impact type="normal">
<p>A remote attacker, by coercing a user to browse a malicious archive file
within Ark and execute certain files, could execute arbitrary code with
the privileges of the user.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Ark users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=kde-apps/ark-16.08.3-r1"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5330">CVE-2017-5330</uri>
</references>
<metadata tag="requester" timestamp="2017-01-20T15:24:35Z">whissi</metadata>
<metadata tag="submitter" timestamp="2017-01-29T16:19:07Z">b-man</metadata>
</glsa>

54
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-70.xml vendored Normal file
View File

@ -0,0 +1,54 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201701-70">
<title>Firewalld: Improper authentication methods</title>
<synopsis>A vulnerability in Firewalld allows firewall configurations to be
modified by unauthenticated users.
</synopsis>
<product type="ebuild">firewalld</product>
<announced>2017-01-29</announced>
<revised>2017-01-29: 1</revised>
<bug>591458</bug>
<access>local</access>
<affected>
<package name="net-firewall/firewalld" auto="yes" arch="*">
<unaffected range="ge">0.4.3.3</unaffected>
<vulnerable range="lt">0.4.3.3</vulnerable>
</package>
</affected>
<background>
<p>Firewalld provides a dynamically managed firewall with support for
network/firewall zones to define the trust level of network connections
or interfaces.
</p>
</background>
<description>
<p>A flaw in Firewalld allows any locally logged in user to tamper with or
change firewall settings. This is due to how Firewalld handles
authentication via polkit which is not properly applied to 5 particular
functions to include: addPassthrough, removePassthrough, addEntry,
removeEntry, and setEntries.
</p>
</description>
<impact type="normal">
<p>A local attacker could tamper or change firewall settings leading to the
additional exposure of systems to include unauthorized remote access.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Firewalld users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-firewall/firewalld-0.4.3.3"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5410">CVE-2016-5410</uri>
</references>
<metadata tag="requester" timestamp="2017-01-04T03:14:04Z">b-man</metadata>
<metadata tag="submitter" timestamp="2017-01-29T16:21:27Z">b-man</metadata>
</glsa>

56
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-71.xml vendored Normal file
View File

@ -0,0 +1,56 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201701-71">
<title>FFmpeg: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in FFmpeg, the worst of
which may allow remote attackers to cause a Denial of Service condition.
</synopsis>
<product type="ebuild">ffmpeg</product>
<announced>2017-01-29</announced>
<revised>2017-01-29: 1</revised>
<bug>596760</bug>
<access>remote</access>
<affected>
<package name="media-video/ffmpeg" auto="yes" arch="*">
<unaffected range="ge">2.8.10</unaffected>
<vulnerable range="lt">2.8.10</vulnerable>
</package>
</affected>
<background>
<p>FFmpeg is a complete, cross-platform solution to record, convert and
stream audio and video.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in FFmpeg. Please review
the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>Remote attackers could cause a Denial of Service condition via various
crafted media file types or have other unspecified impacts.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All FFmpeg users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=media-video/ffmpeg-2.8.10"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7122">CVE-2016-7122</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7450">CVE-2016-7450</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7502">CVE-2016-7502</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7555">CVE-2016-7555</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7562">CVE-2016-7562</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7785">CVE-2016-7785</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7905">CVE-2016-7905</uri>
</references>
<metadata tag="requester" timestamp="2017-01-19T09:23:50Z">b-man</metadata>
<metadata tag="submitter" timestamp="2017-01-29T16:22:37Z">b-man</metadata>
</glsa>

55
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-72.xml vendored Normal file
View File

@ -0,0 +1,55 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201701-72">
<title>libXpm: Remote execution of arbitrary code</title>
<synopsis>An integer overflow in libXpm might allow remote attackers to
execute arbitrary code or cause a Denial of Service Condition.
</synopsis>
<product type="ebuild">libxpm</product>
<announced>2017-01-29</announced>
<revised>2017-01-29: 1</revised>
<bug>602782</bug>
<access>remote</access>
<affected>
<package name="x11-libs/libXpm" auto="yes" arch="*">
<unaffected range="ge">3.5.12</unaffected>
<vulnerable range="lt">3.5.12</vulnerable>
</package>
</affected>
<background>
<p>The X PixMap image format is an extension of the monochrome X BitMap
format specified in the X protocol, and is commonly used in traditional X
applications.
</p>
</background>
<description>
<p>An integer overflow was discovered in libXpms src/CrDatFrI.c file.
On 64 bit systems, this allows an overflow to occur on 32 bit integers
while parsing XPM extensions in a file.
</p>
</description>
<impact type="normal">
<p>A remote attacker, by enticing a user to process a specially crafted XPM
file, could execute arbitrary code with the privileges of the process or
cause a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All libXpm users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=x11-libs/libXpm-3.5.12"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10164">
CVE-2016-10164
</uri>
</references>
<metadata tag="requester" timestamp="2017-01-26T15:22:27Z">whissi</metadata>
<metadata tag="submitter" timestamp="2017-01-29T16:58:23Z">b-man</metadata>
</glsa>

55
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-73.xml vendored Normal file
View File

@ -0,0 +1,55 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201701-73">
<title>SQUASHFS: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been discovered in SQUASHFS, the
worst of which may allow execution of arbitrary code
</synopsis>
<product type="ebuild">squashfs</product>
<announced>2017-01-29</announced>
<revised>2017-01-29: 1</revised>
<bug>552484</bug>
<access>remote</access>
<affected>
<package name="sys-fs/squashfs-tools" auto="yes" arch="*">
<unaffected range="ge">4.3-r1</unaffected>
<vulnerable range="lt">4.3-r1</vulnerable>
</package>
</affected>
<background>
<p>Squashfs is a compressed read-only filesystem for Linux. Squashfs is
intended for general read-only filesystem use, for archival use (i.e. in
cases where a .tar.gz file may be used), and in constrained block
device/memory systems (e.g. embedded systems) where low overhead is
needed.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in SQUASHFS. Please review
the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>Remote attackers, by enticing a user to process a specially crafted
SQUASHFS image, could execute arbitrary code with the privileges of the
process.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All SQUASHFS users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=sys-fs/squashfs-tools-4.3-r1"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4645">CVE-2015-4645</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4646">CVE-2015-4646</uri>
</references>
<metadata tag="requester" timestamp="2017-01-19T10:43:44Z">b-man</metadata>
<metadata tag="submitter" timestamp="2017-01-29T16:58:33Z">b-man</metadata>
</glsa>

72
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-74.xml vendored Normal file
View File

@ -0,0 +1,72 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201701-74">
<title>libpng: Remote execution of arbitrary code</title>
<synopsis>A null pointer dereference in libpng might allow remote attackers
to execute arbitrary code.
</synopsis>
<product type="ebuild">libpng</product>
<announced>2017-01-29</announced>
<revised>2017-01-29: 1</revised>
<bug>604082</bug>
<access>remote</access>
<affected>
<package name="media-libs/libpng" auto="yes" arch="*">
<unaffected range="ge">1.6.27</unaffected>
<unaffected range="ge" slot="1.5">1.5.28</unaffected>
<unaffected range="ge" slot="1.2">1.2.57</unaffected>
<vulnerable range="lt">1.6.27</vulnerable>
</package>
</affected>
<background>
<p>libpng is a standard library used to process PNG (Portable Network
Graphics) images. It is used by several programs, including web browsers
and potentially server processes.
</p>
</background>
<description>
<p>A null pointer dereference was discovered in libpng in the
png_push_save_buffer function. In order to be vulnerable, an application
has to load a text chunk into the PNG structure, then delete all text,
then add another text chunk to the same PNG structure, which seems to be
an unlikely sequence, but it is possible.
</p>
</description>
<impact type="normal">
<p>A remote attacker, by enticing a user to process a specially crafted PNG
file, could execute arbitrary code with the privileges of the process.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All libpng 1.6.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=media-libs/libpng-1.6.27"
</code>
<p>All libpng 1.5.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=media-libs/libpng-1.5.28:1.5"
</code>
<p>All libpng 1.2.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=media-libs/libpng-1.2.57:1.2"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10087">
CVE-2016-10087
</uri>
</references>
<metadata tag="requester" timestamp="2017-01-18T08:20:53Z">b-man</metadata>
<metadata tag="submitter" timestamp="2017-01-29T17:07:28Z">b-man</metadata>
</glsa>

57
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-75.xml vendored Normal file
View File

@ -0,0 +1,57 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201701-75">
<title>Perl: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Perl, the worst of
which could allow remote attackers to execute arbitrary code.
</synopsis>
<product type="ebuild">perl</product>
<announced>2017-01-29</announced>
<revised>2017-01-29: 1</revised>
<bug>580612</bug>
<bug>588592</bug>
<bug>589680</bug>
<bug>606750</bug>
<bug>606752</bug>
<access>local, remote</access>
<affected>
<package name="dev-lang/perl" auto="yes" arch="*">
<unaffected range="ge">5.22.3_rc4</unaffected>
<vulnerable range="lt">5.22.3_rc4</vulnerable>
</package>
</affected>
<background>
<p>Perl is a highly capable, feature-rich programming language.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Perl. Please review the
CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could possibly execute arbitrary code with the
privileges of the process, cause a Denial of Service condition, or
escalate privileges.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Perl users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-lang/perl-5.22.3_rc4"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8607">CVE-2015-8607</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8853">CVE-2015-8853</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1238">CVE-2016-1238</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2381">CVE-2016-2381</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6185">CVE-2016-6185</uri>
</references>
<metadata tag="requester" timestamp="2017-01-21T22:09:19Z">whissi</metadata>
<metadata tag="submitter" timestamp="2017-01-29T23:40:34Z">b-man</metadata>
</glsa>

49
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-76.xml vendored Normal file
View File

@ -0,0 +1,49 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201701-76">
<title>HarfBuzz: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in HarfBuzz, the worst of
which could allow remote attackers to cause a Denial of Service condition.
</synopsis>
<product type="ebuild">harfbuzz</product>
<announced>2017-01-31</announced>
<revised>2017-01-31: 1</revised>
<bug>572856</bug>
<access>remote</access>
<affected>
<package name="media-libs/harfbuzz" auto="yes" arch="*">
<unaffected range="ge">1.0.6</unaffected>
<vulnerable range="lt">1.0.6</vulnerable>
</package>
</affected>
<background>
<p>HarfBuzz is an OpenType text shaping engine.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in HarfBuzz. Please review
the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>Remote attackers, through the use of crafted data, could cause a Denial
of Service condition or have other unspecified impacts.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All HarfBuzz users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=media-libs/harfbuzz-1.0.6"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8947">CVE-2015-8947</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2052">CVE-2016-2052</uri>
</references>
<metadata tag="requester" timestamp="2017-01-30T02:23:28Z">whissi</metadata>
<metadata tag="submitter" timestamp="2017-01-31T12:22:13Z">b-man</metadata>
</glsa>

59
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201701-77.xml vendored Normal file
View File

@ -0,0 +1,59 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201701-77">
<title>Ansible: Remote execution of arbitrary code</title>
<synopsis>A vulnerability in Ansible may allow rogue clients to execute
commands on the Ansible controller.
</synopsis>
<product type="ebuild">ansible</product>
<announced>2017-01-31</announced>
<revised>2017-01-31: 1</revised>
<bug>605342</bug>
<access>remote</access>
<affected>
<package name="app-admin/ansible" auto="yes" arch="*">
<unaffected range="ge">2.1.4.0_rc3</unaffected>
<unaffected range="ge">2.2.1.0_rc5</unaffected>
<vulnerable range="lt">2.1.4.0_rc3</vulnerable>
<vulnerable range="lt">2.2.1.0_rc5</vulnerable>
</package>
</affected>
<background>
<p>Ansible is a radically simple IT automation platform.</p>
</background>
<description>
<p>An input validation vulnerability was found in Ansibles handling of
data sent from client systems.
</p>
</description>
<impact type="normal">
<p>An attacker with control over a client system being managed by Ansible
and the ability to send facts back to the Ansible server could execute
arbitrary code on the Ansible server using the Ansible-server privileges.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Ansible 2.1.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-admin/ansible-2.1.4.0_rc3"
</code>
<p>All Ansible 2.2.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-admin/ansible-2.2.1.0_rc5"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9587">CVE-2016-9587</uri>
</references>
<metadata tag="requester" timestamp="2017-01-30T01:33:48Z">whissi</metadata>
<metadata tag="submitter" timestamp="2017-01-31T15:20:20Z">whissi</metadata>
</glsa>

59
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201702-01.xml vendored Normal file
View File

@ -0,0 +1,59 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201702-01">
<title>PCSC-Lite: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in PCSC-Lite, the worst of
which could lead to privilege escalation.
</synopsis>
<product type="ebuild">PCSC-Lite</product>
<announced>2017-02-01</announced>
<revised>2017-02-01: 1</revised>
<bug>604574</bug>
<access>local</access>
<affected>
<package name="sys-apps/pcsc-lite" auto="yes" arch="*">
<unaffected range="ge">1.8.20</unaffected>
<vulnerable range="lt">1.8.20</vulnerable>
</package>
</affected>
<background>
<p>PCSC-Lite is a middleware to access a smart card using the SCard API
(PC/SC).
</p>
</background>
<description>
<p>The SCardReleaseContext function normally releases resources associated
with the given handle (including “cardsList”) and clients should
cease using this handle. However, a malicious client can make the daemon
invoke SCardReleaseContext and continue issuing other commands that use
“cardsList”, resulting in a use-after-free. When SCardReleaseContext
is invoked multiple times it additionally results in a double-free of
“cardsList”.
</p>
</description>
<impact type="normal">
<p>A local attacker could use a malicious client to connect to pcscds
Unix socket, possibly resulting in a Denial of Service condition or
privilege escalation since the daemon is running as root.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All PCSC-Lite users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=sys-apps/pcsc-lite-1.8.20"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10109">
CVE-2016-10109
</uri>
</references>
<metadata tag="requester" timestamp="2017-01-30T01:16:33Z">whissi</metadata>
<metadata tag="submitter" timestamp="2017-02-01T02:32:53Z">whissi</metadata>
</glsa>

66
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201702-02.xml vendored Normal file
View File

@ -0,0 +1,66 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201702-02">
<title>RTMPDump: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in RTMPDump, the worst of
which could lead to arbitrary code execution.
</synopsis>
<product type="ebuild">rtmpdump</product>
<announced>2017-02-06</announced>
<revised>2017-02-06: 1</revised>
<bug>570242</bug>
<access>remote</access>
<affected>
<package name="media-video/rtmpdump" auto="yes" arch="*">
<unaffected range="ge">2.4_p20161210</unaffected>
<vulnerable range="lt">2.4_p20161210</vulnerable>
</package>
</affected>
<background>
<p>RTMPDump is an RTMP client intended to stream audio or video flash
content
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in RTMPDump.</p>
<p>The following is a list of vulnerabilities fixed:</p>
<ul>
<li>Additional decode input size checks</li>
<li>Ignore zero-length packets</li>
<li>Potential integer overflow in RTMPPacket_Alloc().</li>
<li>Obsolete RTMPPacket_Free() call left over from original C++ to C
rewrite
</li>
<li>AMFProp_GetObject must make sure the prop is actually an object</li>
</ul>
</description>
<impact type="normal">
<p>A remote attacker could entice a user to open a specially crafted media
flash file using RTMPDump. This could possibly result in the execution of
arbitrary code with the privileges of the process or a Denial of Service
condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All RTMPDump users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose
"&gt;=media-video/rtmpdump-2.4_p20161210"
</code>
</resolution>
<references>
<uri link="http://www.openwall.com/lists/oss-security/2015/12/30/1">OSS ML
CVE Request
</uri>
</references>
<metadata tag="requester" timestamp="2017-01-27T06:35:09Z">BlueKnight</metadata>
<metadata tag="submitter" timestamp="2017-02-06T02:08:12Z">BlueKnight</metadata>
</glsa>

67
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201702-03.xml vendored Normal file
View File

@ -0,0 +1,67 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201702-03">
<title>Firejail: Privilege escalation</title>
<synopsis>Firejail is vulnerable to the escalation of privileges due to an
incomplete fix for CVE-2017-5180.
</synopsis>
<product type="ebuild">firejail</product>
<announced>2017-02-09</announced>
<revised>2017-02-09: 1</revised>
<bug>607382</bug>
<access>local</access>
<affected>
<package name="sys-apps/firejail" auto="yes" arch="*">
<unaffected range="ge">0.9.44.8</unaffected>
<vulnerable range="lt">0.9.44.8</vulnerable>
</package>
<package name="sys-apps/firejail-lts" auto="yes" arch="*">
<unaffected range="ge">0.9.38.10</unaffected>
<vulnerable range="lt">0.9.38.10</vulnerable>
</package>
</affected>
<background>
<p>A SUID program that reduces the risk of security breaches by restricting
the running environment of untrusted applications using Linux namespaces
and seccomp-bpf.
</p>
</background>
<description>
<p>The unaffected packages listed in GLSA 201612-48 had an incomplete fix
as reported by Sebastian Krahmer of SuSE. This has been properly patched
in the latest releases.
</p>
</description>
<impact type="high">
<p>An attacker could possibly bypass sandbox protection, cause a Denial of
Service condition, or escalate privileges.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Firejail users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=sys-apps/firejail-0.9.44.8"
</code>
<p>All Firejail-lts users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=sys-apps/firejail-lts-0.9.38.10"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5940">CVE-2017-5940</uri>
<uri link="https://firejail.wordpress.com/download-2/release-notes/">
Firejail Release Notes
</uri>
<uri link="https://security.gentoo.org/glsa/201612-48">GLSA 201612-48</uri>
</references>
<metadata tag="requester" timestamp="2017-01-30T13:28:16Z">whissi</metadata>
<metadata tag="submitter" timestamp="2017-02-09T15:35:45Z">b-man</metadata>
</glsa>

54
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201702-04.xml vendored Normal file
View File

@ -0,0 +1,54 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201702-04">
<title>GnuTLS: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in GnuTLS, the worst of
which may allow execution of arbitrary code.
</synopsis>
<product type="ebuild">gnutls</product>
<announced>2017-02-10</announced>
<revised>2017-02-10: 1</revised>
<bug>605238</bug>
<access>remote</access>
<affected>
<package name="net-libs/gnutls" auto="yes" arch="*">
<unaffected range="ge">3.3.26</unaffected>
<vulnerable range="lt">3.3.26</vulnerable>
</package>
</affected>
<background>
<p>GnuTLS is an Open Source implementation of the TLS and SSL protocols.</p>
</background>
<description>
<p>Multiple heap and stack overflows and double free vulnerabilities have
been discovered in GnuTLS by the OSS-Fuzz project. Please review the CVE
identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could entice a user or automated system to process a
specially crafted certificate using an application linked against GnuTLS.
This could possibly result in the execution of arbitrary code with the
privileges of the process or a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All GnuTLS users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-libs/gnutls-3.3.26"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5334">CVE-2017-5334</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5335">CVE-2017-5335</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5336">CVE-2017-5336</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5337">CVE-2017-5337</uri>
</references>
<metadata tag="requester" timestamp="2017-01-30T01:21:19Z">whissi</metadata>
<metadata tag="submitter" timestamp="2017-02-10T23:04:35Z">whissi</metadata>
</glsa>

47
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201702-05.xml vendored Normal file
View File

@ -0,0 +1,47 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201702-05">
<title>Lsyncd: Remote execution of arbitrary code</title>
<synopsis>A vulnerability in Lsyncd allows execution of arbitrary code.</synopsis>
<product type="ebuild">lsyncd</product>
<announced>2017-02-10</announced>
<revised>2017-02-10: 1</revised>
<bug>529678</bug>
<access>local, remote</access>
<affected>
<package name="app-admin/lsyncd" auto="yes" arch="*">
<unaffected range="ge">2.1.6</unaffected>
<vulnerable range="lt">2.1.6</vulnerable>
</package>
</affected>
<background>
<p>A daemon to synchronize local directories using rsync.</p>
</background>
<description>
<p>default-rsyncssh.lua in Lsyncd performed insufficient sanitising of
filenames.
</p>
</description>
<impact type="normal">
<p>An attacker, able to control files processed by Lsyncd, could possibly
execute arbitrary code with the privileges of the process or cause a
Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Lsyncd users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-admin/lsyncd-2.1.6"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8990">CVE-2014-8990</uri>
</references>
<metadata tag="requester" timestamp="2017-02-01T09:30:15Z">b-man</metadata>
<metadata tag="submitter" timestamp="2017-02-10T23:08:07Z">whissi</metadata>
</glsa>

51
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201702-06.xml vendored Normal file
View File

@ -0,0 +1,51 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201702-06">
<title>Graphviz: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Graphviz and the extent
of these vulnerabilities are unspecified.
</synopsis>
<product type="ebuild">graphviz</product>
<announced>2017-02-10</announced>
<revised>2017-02-10: 1</revised>
<bug>497274</bug>
<access>remote</access>
<affected>
<package name="media-gfx/graphviz" auto="yes" arch="*">
<unaffected range="ge">2.36.0</unaffected>
<vulnerable range="lt">2.36.0</vulnerable>
</package>
</affected>
<background>
<p>Graphviz is an open source graph visualization software.</p>
</background>
<description>
<p>Multiple vulnerabilities in Graphviz were discovered. Please review the
CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker, able to control input matched against a regular
expression or by enticing a user to process a specially crafted file,
could cause unspecified impacts.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Graphviz users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=media-gfx/graphviz-2.36.0"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0978">CVE-2014-0978</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1235">CVE-2014-1235</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1236">CVE-2014-1236</uri>
</references>
<metadata tag="requester" timestamp="2017-01-30T01:53:41Z">whissi</metadata>
<metadata tag="submitter" timestamp="2017-02-10T23:14:56Z">b-man</metadata>
</glsa>

55
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201702-07.xml vendored Normal file
View File

@ -0,0 +1,55 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201702-07">
<title>OpenSSL: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in OpenSSL, the worst of
which might allow attackers to access sensitive information.
</synopsis>
<product type="ebuild">openssl</product>
<announced>2017-02-14</announced>
<revised>2017-02-14: 1</revised>
<bug>607318</bug>
<access>remote</access>
<affected>
<package name="dev-libs/openssl" auto="yes" arch="*">
<unaffected range="ge">1.0.2k</unaffected>
<vulnerable range="lt">1.0.2k</vulnerable>
</package>
</affected>
<background>
<p>OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer
(SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general
purpose cryptography library.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in OpenSSL. Please review
the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker is able to crash applications linked against OpenSSL
or could obtain sensitive private-key information via an attack against
the Diffie-Hellman (DH) ciphersuite.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All OpenSSL users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-libs/openssl-1.0.2k"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7055">CVE-2016-7055</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3730">CVE-2017-3730</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3731">CVE-2017-3731</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3732">CVE-2017-3732</uri>
</references>
<metadata tag="requester" timestamp="2017-02-13T01:30:38Z">whissi</metadata>
<metadata tag="submitter" timestamp="2017-02-14T12:34:58Z">whissi</metadata>
</glsa>

52
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201702-08.xml vendored Normal file
View File

@ -0,0 +1,52 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201702-08">
<title>VirtualBox: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in VirtualBox, the worst
of which might allow unauthorized changes to some critical or all
accessible data.
</synopsis>
<product type="ebuild">virtualbox</product>
<announced>2017-02-14</announced>
<revised>2017-02-14: 1</revised>
<bug>607674</bug>
<access>local, remote</access>
<affected>
<package name="app-emulation/virtualbox" auto="yes" arch="*">
<unaffected range="ge">5.0.32</unaffected>
<vulnerable range="lt">5.0.32</vulnerable>
</package>
</affected>
<background>
<p>VirtualBox is a powerful virtualization product from Oracle.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in VirtualBox. Please
review the CVE identifiers referenced below for details.
</p>
</description>
<impact type="high">
<p>An attacker could cause a Denial of Service condition. Additionally, an
attacker could create, delete or modify critical or all accessible data.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All VirtualBox users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-emulation/virtualbox-5.0.32"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5545">CVE-2016-5545</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3290">CVE-2017-3290</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3316">CVE-2017-3316</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3332">CVE-2017-3332</uri>
</references>
<metadata tag="requester" timestamp="2017-02-13T02:06:40Z">whissi</metadata>
<metadata tag="submitter" timestamp="2017-02-14T12:37:26Z">whissi</metadata>
</glsa>

67
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201702-09.xml vendored Normal file
View File

@ -0,0 +1,67 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201702-09">
<title>ImageMagick: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in ImageMagick, the worst
of which allows remote attackers to execute arbitrary code.
</synopsis>
<product type="ebuild">imagemagick</product>
<announced>2017-02-17</announced>
<revised>2017-02-17: 2</revised>
<bug>599744</bug>
<bug>606654</bug>
<access>remote</access>
<affected>
<package name="media-gfx/imagemagick" auto="yes" arch="*">
<unaffected range="ge">6.9.7.4</unaffected>
<vulnerable range="lt">6.9.7.4</vulnerable>
</package>
</affected>
<background>
<p>ImageMagick is a collection of tools and libraries for many image
formats.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in ImageMagick. Please
review the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker, by enticing a user to process a specially crafted
image file, could execute arbitrary code with the privileges of the
process or cause a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All ImageMagick users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=media-gfx/imagemagick-6.9.7.4"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10144">
CVE-2016-10144
</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10145">
CVE-2016-10145
</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10146">
CVE-2016-10146
</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9298">CVE-2016-9298</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5506">CVE-2017-5506</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5507">CVE-2017-5507</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5508">CVE-2017-5508</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5509">CVE-2017-5509</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5510">CVE-2017-5510</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5511">CVE-2017-5511</uri>
</references>
<metadata tag="requester" timestamp="2017-01-21T00:45:48Z">whissi</metadata>
<metadata tag="submitter" timestamp="2017-02-17T08:09:06Z">b-man</metadata>
</glsa>

58
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201702-10.xml vendored Normal file
View File

@ -0,0 +1,58 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201702-10">
<title>NTFS-3G: Privilege escalation</title>
<synopsis>A vulnerability in NTFS-3G allows local users to gain root
privileges.
</synopsis>
<product type="ebuild">ntfs-3g</product>
<announced>2017-02-19</announced>
<revised>2017-02-19: 1</revised>
<bug>607912</bug>
<access>local</access>
<affected>
<package name="sys-fs/ntfs3g" auto="yes" arch="*">
<unaffected range="ge">2016.2.22-r2</unaffected>
<vulnerable range="lt">2016.2.22-r2</vulnerable>
</package>
</affected>
<background>
<p>NTFS-3G is a stable, full-featured, read-write NTFS driver for various
operating systems.
</p>
</background>
<description>
<p>The NTFS-3G driver does not properly clear environment variables before
invoking mount or umount.
</p>
<p>This flaw is similar to the vulnerability described in
“GLSA-201701-19” and “GLSA-201603-04” referenced below but is now
implemented in the NTFS-3G driver itself.
</p>
</description>
<impact type="normal">
<p>A local user could gain root privileges.</p>
</impact>
<workaround>
<p>There is no known workaround at this time. However, on Gentoo when the
“suid” USE flag is not set (which is the default) an attacker cannot
exploit the flaw.
</p>
</workaround>
<resolution>
<p>All NTFS-3G users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=sys-fs/ntfs3g-2016.2.22-r2"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-0358">CVE-2017-0358</uri>
<uri link="https://security.gentoo.org/glsa/201603-04">GLSA-201603-04</uri>
<uri link="https://security.gentoo.org/glsa/201701-19">GLSA-201701-19</uri>
</references>
<metadata tag="requester" timestamp="2017-02-04T11:49:00Z">whissi</metadata>
<metadata tag="submitter" timestamp="2017-02-19T12:03:15Z">whissi</metadata>
</glsa>

63
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201702-11.xml vendored Normal file
View File

@ -0,0 +1,63 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201702-11">
<title>GNU C Library: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in the GNU C Library, the
worst of which allows context-dependent attackers to execute arbitrary
code.
</synopsis>
<product type="ebuild">glibc</product>
<announced>2017-02-19</announced>
<revised>2017-02-19: 1</revised>
<bug>560420</bug>
<bug>560526</bug>
<bug>572416</bug>
<bug>576726</bug>
<bug>578602</bug>
<access>local, remote</access>
<affected>
<package name="sys-libs/glibc" auto="yes" arch="*">
<unaffected range="ge">2.23-r3</unaffected>
<vulnerable range="lt">2.23-r3</vulnerable>
</package>
</affected>
<background>
<p>The GNU C library is the standard C library used by Gentoo Linux
systems.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in the GNU C Library.
Please review the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A context-dependent attacker could possibly execute arbitrary code with
the privileges of the process, disclose sensitive information, or cause a
Denial of Service condition via multiple vectors.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All GNU C Library users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=sys-libs/glibc-2.23-r3"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9761">CVE-2014-9761</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5277">CVE-2015-5277</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8776">CVE-2015-8776</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8777">CVE-2015-8777</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8778">CVE-2015-8778</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8779">CVE-2015-8779</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1234">CVE-2016-1234</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3075">CVE-2016-3075</uri>
</references>
<metadata tag="requester" timestamp="2016-11-29T21:44:07Z">whissi</metadata>
<metadata tag="submitter" timestamp="2017-02-19T12:31:09Z">whissi</metadata>
</glsa>

55
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201702-12.xml vendored Normal file
View File

@ -0,0 +1,55 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201702-12">
<title>MuPDF: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in MuPDF, the worst of
which allows remote attackers to execute arbitrary code.
</synopsis>
<product type="ebuild">mupdf</product>
<announced>2017-02-19</announced>
<revised>2017-02-19: 1</revised>
<bug>589826</bug>
<bug>590480</bug>
<bug>608702</bug>
<bug>608712</bug>
<access>remote</access>
<affected>
<package name="app-text/mupdf" auto="yes" arch="*">
<unaffected range="ge">1.10a-r1</unaffected>
<vulnerable range="lt">1.10a-r1</vulnerable>
</package>
</affected>
<background>
<p>A lightweight PDF, XPS, and E-book viewer.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in MuPDF. Please review
the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could entice a user to open a specially crafted PDF
document using MuPDF possibly resulting in the execution of arbitrary
code, with the privileges of the process, or a Denial of Service
condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All MuPDF users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-text/mupdf-1.10a-r1"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6265">CVE-2016-6265</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6525">CVE-2016-6525</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5896">CVE-2017-5896</uri>
</references>
<metadata tag="requester" timestamp="2017-02-05T22:42:31Z">b-man</metadata>
<metadata tag="submitter" timestamp="2017-02-19T12:47:00Z">whissi</metadata>
</glsa>

75
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201702-13.xml vendored Normal file
View File

@ -0,0 +1,75 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201702-13">
<title>Mozilla Thunderbird: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Mozilla Thunderbird,
the worst of which could lead to the execution of arbitrary code.
</synopsis>
<product type="ebuild">thunderbird</product>
<announced>2017-02-20</announced>
<revised>2017-02-20: 1</revised>
<bug>607310</bug>
<access>remote</access>
<affected>
<package name="mail-client/thunderbird" auto="yes" arch="*">
<unaffected range="ge">45.7.0</unaffected>
<vulnerable range="lt">45.7.0</vulnerable>
</package>
<package name="mail-client/thunderbird-bin" auto="yes" arch="*">
<unaffected range="ge">45.7.0</unaffected>
<vulnerable range="lt">45.7.0</vulnerable>
</package>
</affected>
<background>
<p>Mozilla Thunderbird is a popular open-source email client from the
Mozilla project.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Mozilla Thunderbird.
Please review the CVE identifiers referenced below for details.
</p>
</description>
<impact type="high">
<p>A remote attacker, by enticing a user to open a specially crafted email
or web page, could possibly execute arbitrary code with the privileges of
the process or cause a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Mozilla Thunderbird users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=mail-client/thunderbird-45.7.0"
</code>
<p>All Mozilla Thunderbird binary users should upgrade to the latest
version:
</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose
"&gt;=mail-client/thunderbird-bin-45.7.0"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5373">CVE-2017-5373</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5375">CVE-2017-5375</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5376">CVE-2017-5376</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5378">CVE-2017-5378</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5380">CVE-2017-5380</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5383">CVE-2017-5383</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5390">CVE-2017-5390</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5396">CVE-2017-5396</uri>
<uri link="https://www.mozilla.org/en-US/security/advisories/mfsa2017-03/">
Mozilla Foundation Security Advisory 2017-03
</uri>
</references>
<metadata tag="requester" timestamp="2017-02-10T22:02:00Z">whissi</metadata>
<metadata tag="submitter" timestamp="2017-02-20T23:12:29Z">whissi</metadata>
</glsa>

52
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201702-14.xml vendored Normal file
View File

@ -0,0 +1,52 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201702-14">
<title>PyCrypto: Remote execution of arbitrary code</title>
<synopsis>A heap-based buffer overflow in PyCrypto might allow remote
attackers to execute arbitrary code.
</synopsis>
<product type="ebuild">pycrypto</product>
<announced>2017-02-20</announced>
<revised>2017-02-20: 1</revised>
<bug>576494</bug>
<access>remote</access>
<affected>
<package name="dev-python/pycrypto" auto="yes" arch="*">
<unaffected range="ge">2.6.1-r2</unaffected>
<vulnerable range="lt">2.6.1-r2</vulnerable>
</package>
</affected>
<background>
<p>The Python Cryptography Toolkit (PyCrypto) is a collection of both
secure hash functions (such as SHA256 and RIPEMD160), and various
encryption algorithms (AES, DES, RSA, ElGamal, etc.).
</p>
</background>
<description>
<p>A heap-based buffer overflow vulnerability has been discovered in
PyCrypto. Please review the CVE identifier referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker, able to control the mode of operation in PyCryptos
AES module, could possibly execute arbitrary code with the privileges of
the process or cause a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All PyCrypto users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-python/pycrypto-2.6.1-r2"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7459">CVE-2013-7459</uri>
</references>
<metadata tag="requester" timestamp="2017-02-06T00:09:22Z">b-man</metadata>
<metadata tag="submitter" timestamp="2017-02-20T23:17:13Z">whissi</metadata>
</glsa>

66
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201702-15.xml vendored Normal file
View File

@ -0,0 +1,66 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201702-15">
<title>OCaml: Buffer overflow and information disclosure</title>
<synopsis>A buffer overflow in OCaml might allow remote attackers to obtain
sensitive information or crash an OCaml-based application.
</synopsis>
<product type="ebuild">ocaml</product>
<announced>2017-02-20</announced>
<revised>2017-02-20: 1</revised>
<bug>581946</bug>
<access>remote</access>
<affected>
<package name="dev-lang/ocaml" auto="yes" arch="*">
<unaffected range="ge">4.04.0</unaffected>
<vulnerable range="lt">4.04.0</vulnerable>
</package>
</affected>
<background>
<p>OCaml is a high-level, strongly-typed, functional, and object-oriented
programming language from the ML family of languages.
</p>
</background>
<description>
<p>It was discovered that OCaml was vulnerable to a runtime bug that, on
64-bit platforms, causes size arguments to internal memmove calls to be
sign-extended from 32- to 64-bits before being passed to the memmove
function. This leads to arguments between 2GiB and 4GiB being interpreted
as larger than they are (specifically, a bit below 2^64), causing a
buffer overflow. Further, arguments between 4GiB and 6GiB are interpreted
as 4GiB smaller than they should be causing a possible information leak.
</p>
</description>
<impact type="normal">
<p>A remote attacker, able to interact with an OCaml-based application,
could possibly obtain sensitive information or cause a Denial of Service
condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All OCaml users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-lang/ocam-4.04.0"
</code>
<p>Packages which depend on OCaml may need to be recompiled. Tools such as
qdepends (included in app-portage/portage-utils) may assist in
identifying these packages:
</p>
<code>
# emerge --oneshot --ask --verbose $(qdepends -CQ dev-lang/ocaml | sed
's/^/=/')
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8869">CVE-2015-8869</uri>
</references>
<metadata tag="requester" timestamp="2017-02-13T00:59:45Z">whissi</metadata>
<metadata tag="submitter" timestamp="2017-02-20T23:19:06Z">whissi</metadata>
</glsa>

63
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201702-16.xml vendored Normal file
View File

@ -0,0 +1,63 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201702-16">
<title>Redis: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Redis, the worst of
which may allow execution of arbitrary code.
</synopsis>
<product type="ebuild">redis</product>
<announced>2017-02-20</announced>
<revised>2017-02-20: 1</revised>
<bug>551274</bug>
<bug>565188</bug>
<bug>595730</bug>
<access>remote</access>
<affected>
<package name="dev-db/redis" auto="yes" arch="*">
<unaffected range="ge">3.2.5</unaffected>
<unaffected range="ge">3.0.7</unaffected>
<vulnerable range="lt">3.2.5</vulnerable>
</package>
</affected>
<background>
<p>Redis is an open source (BSD licensed), in-memory data structure store,
used as a database, cache and message broker.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Redis. Please review
the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker, able to connect to a Redis instance, could issue
malicious commands possibly resulting in the execution of arbitrary code
with the privileges of the process or a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Redis 3.0.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-db/redis-3.0.7"
</code>
<p>All Redis 3.2.x users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-db/redis-3.2.5"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4335">CVE-2015-4335</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8080">CVE-2015-8080</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8339">CVE-2016-8339</uri>
</references>
<metadata tag="requester" timestamp="2017-01-30T02:05:41Z">whissi</metadata>
<metadata tag="submitter" timestamp="2017-02-20T23:26:41Z">whissi</metadata>
</glsa>

71
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201702-17.xml vendored Normal file
View File

@ -0,0 +1,71 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201702-17">
<title>MySQL: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in MySQL, the worst of
which could lead to privilege escalation.
</synopsis>
<product type="ebuild">mysql</product>
<announced>2017-02-20</announced>
<revised>2017-02-20: 1</revised>
<bug>606254</bug>
<access>local, remote</access>
<affected>
<package name="dev-db/mysql" auto="yes" arch="*">
<unaffected range="ge">5.6.35</unaffected>
<vulnerable range="lt">5.6.35</vulnerable>
</package>
</affected>
<background>
<p>MySQL is a popular multi-threaded, multi-user SQL server. MariaDB is an
enhanced, drop-in replacement for MySQL.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in MySQL. Please review
the CVE identifiers referenced below for details.
</p>
</description>
<impact type="high">
<p>An attacker could possibly escalate privileges, gain access to critical
data or complete access to all MySQL server accessible data, or cause a
Denial of Service condition via unspecified vectors.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All MySQL users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-db/mysql-5.6.35"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8318">CVE-2016-8318</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8327">CVE-2016-8327</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3238">CVE-2017-3238</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3243">CVE-2017-3243</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3244">CVE-2017-3244</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3251">CVE-2017-3251</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3256">CVE-2017-3256</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3257">CVE-2017-3257</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3258">CVE-2017-3258</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3265">CVE-2017-3265</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3273">CVE-2017-3273</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3291">CVE-2017-3291</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3312">CVE-2017-3312</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3313">CVE-2017-3313</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3317">CVE-2017-3317</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3318">CVE-2017-3318</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3319">CVE-2017-3319</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3320">CVE-2017-3320</uri>
<uri link="https://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html#AppendixMSQL">
Oracle Critical Patch Update Advisory - January 2017
</uri>
</references>
<metadata tag="requester" timestamp="2017-02-12T18:49:15Z">whissi</metadata>
<metadata tag="submitter" timestamp="2017-02-20T23:27:11Z">whissi</metadata>
</glsa>

59
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201702-18.xml vendored Normal file
View File

@ -0,0 +1,59 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201702-18">
<title>MariaDB: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in MariaDB, the worst of
which could lead to privilege escalation.
</synopsis>
<product type="ebuild">mariadb</product>
<announced>2017-02-20</announced>
<revised>2017-02-20: 1</revised>
<bug>606258</bug>
<access>local, remote</access>
<affected>
<package name="dev-db/mariadb" auto="yes" arch="*">
<unaffected range="ge">10.0.29</unaffected>
<vulnerable range="lt">10.0.29</vulnerable>
</package>
</affected>
<background>
<p>MariaDB is an enhanced, drop-in replacement for MySQL.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in MariaDB. Please review
the CVE identifiers referenced below for details.
</p>
</description>
<impact type="high">
<p>An attacker could possibly escalate privileges, gain access to critical
data or complete access to all MariaDB Server accessible data, or cause a
Denial of Service condition via unspecified vectors.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All MariaDB users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-db/mariadb-10.0.29"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6664">CVE-2016-6664</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3238">CVE-2017-3238</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3243">CVE-2017-3243</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3244">CVE-2017-3244</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3257">CVE-2017-3257</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3258">CVE-2017-3258</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3265">CVE-2017-3265</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3291">CVE-2017-3291</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3312">CVE-2017-3312</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3317">CVE-2017-3317</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3318">CVE-2017-3318</uri>
</references>
<metadata tag="requester" timestamp="2017-02-13T00:33:47Z">whissi</metadata>
<metadata tag="submitter" timestamp="2017-02-20T23:27:31Z">whissi</metadata>
</glsa>

49
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201702-19.xml vendored Normal file
View File

@ -0,0 +1,49 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201702-19">
<title>TigerVNC: Buffer overflow</title>
<synopsis>A buffer overflow in TigerVNC might allow remote attackers to
execute arbitrary code.
</synopsis>
<product type="ebuild">tigervnc</product>
<announced>2017-02-20</announced>
<revised>2017-02-20: 1</revised>
<bug>606998</bug>
<access>remote</access>
<affected>
<package name="net-misc/tigervnc" auto="yes" arch="*">
<unaffected range="ge">1.7.1</unaffected>
<vulnerable range="lt">1.7.1</vulnerable>
</package>
</affected>
<background>
<p>TigerVNC is a high-performance VNC server/client.</p>
</background>
<description>
<p>A buffer overflow vulnerability in ModifiablePixelBuffer::fillRect in
vncviewer was found.
</p>
</description>
<impact type="normal">
<p>A remote attacker, utilizing a malicious VNC server, could execute
arbitrary code with the privileges of the user running the client or
cause a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All TigerVNC users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-misc/tigervnc-1.7.1"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5581">CVE-2017-5581</uri>
</references>
<metadata tag="requester" timestamp="2017-02-13T02:16:26Z">whissi</metadata>
<metadata tag="submitter" timestamp="2017-02-20T23:29:04Z">whissi</metadata>
</glsa>

77
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201702-20.xml vendored Normal file
View File

@ -0,0 +1,77 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201702-20">
<title>Adobe Flash Player: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Adobe Flash Player, the
worst of which allows remote attackers to execute arbitrary code.
</synopsis>
<product type="ebuild">flash</product>
<announced>2017-02-20</announced>
<revised>2017-02-20: 1</revised>
<bug>605314</bug>
<bug>609330</bug>
<access>remote</access>
<affected>
<package name="www-plugins/adobe-flash" auto="yes" arch="*">
<unaffected range="ge">24.0.0.221</unaffected>
<vulnerable range="lt">24.0.0.221</vulnerable>
</package>
</affected>
<background>
<p>The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Adobe Flash Player.
Please review the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could possibly execute arbitrary code with the
privileges of the process or bypass security restrictions.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Adobe Flash users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose
"&gt;=www-plugins/adobe-flash-24.0.0.221"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2925">CVE-2017-2925</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2926">CVE-2017-2926</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2927">CVE-2017-2927</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2928">CVE-2017-2928</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2930">CVE-2017-2930</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2931">CVE-2017-2931</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2932">CVE-2017-2932</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2933">CVE-2017-2933</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2934">CVE-2017-2934</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2935">CVE-2017-2935</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2936">CVE-2017-2936</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2937">CVE-2017-2937</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2938">CVE-2017-2938</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2982">CVE-2017-2982</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2984">CVE-2017-2984</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2985">CVE-2017-2985</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2986">CVE-2017-2986</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2987">CVE-2017-2987</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2988">CVE-2017-2988</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2990">CVE-2017-2990</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2991">CVE-2017-2991</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2992">CVE-2017-2992</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2993">CVE-2017-2993</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2994">CVE-2017-2994</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2995">CVE-2017-2995</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2996">CVE-2017-2996</uri>
</references>
<metadata tag="requester" timestamp="2017-02-16T12:43:25Z">whissi</metadata>
<metadata tag="submitter" timestamp="2017-02-20T23:44:37Z">whissi</metadata>
</glsa>

71
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201702-21.xml vendored Normal file
View File

@ -0,0 +1,71 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201702-21">
<title>Opus: User-assisted execution of arbitrary code</title>
<synopsis>A vulnerability in Opus could cause memory corruption.</synopsis>
<product type="ebuild">opus</product>
<announced>2017-02-20</announced>
<revised>2017-02-20: 1</revised>
<bug>605894</bug>
<access>remote</access>
<affected>
<package name="media-libs/opus" auto="yes" arch="*">
<unaffected range="ge">1.1.3-r1</unaffected>
<vulnerable range="lt">1.1.3-r1</vulnerable>
</package>
</affected>
<background>
<p>Opus is a totally open, royalty-free, highly versatile audio codec.</p>
</background>
<description>
<p>A large NLSF values could cause the stabilization code in
silk/NLSF_stabilize.c to wrap-around and have the last value in
NLSF_Q15[] to be negative, close to -32768.
</p>
<p>Under normal circumstances, the code will simply read from the wrong
table resulting in an unstable LPC filter. The filter would then go
through the LPC stabilization code at the end of silk_NLSF2A().
</p>
<p>Ultimately, the output audio would be garbage, but no worse than with
any other harmless bad packet.
</p>
<p>Please see the referenced upstream patch and Debian bug report below for
a detailed analysis.
</p>
<p>However, the original report was about a successful exploitation of
Androids Mediaserver in conjunction with this vulnerability.
</p>
</description>
<impact type="normal">
<p>A remote attacker could entice a user to open a specially crafted media
stream, possibly resulting in execution of arbitrary code with the
privileges of the process, or a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Opus users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=media-libs/opus-1.1.3-r1"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-0381">CVE-2017-0381</uri>
<uri link="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851612#10">
Debian Bug 851612
</uri>
<uri link="https://git.xiph.org/?p=opus.git;a=commitdiff;h=70a3d641b">
Upstream patch
</uri>
</references>
<metadata tag="requester" timestamp="2017-02-16T12:24:20Z">whissi</metadata>
<metadata tag="submitter" timestamp="2017-02-20T23:45:02Z">whissi</metadata>
</glsa>

74
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201702-22.xml vendored Normal file
View File

@ -0,0 +1,74 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201702-22">
<title>Mozilla Firefox: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Mozilla Firefox, the
worst of which may allow execution of arbitrary code.
</synopsis>
<product type="ebuild">firefox</product>
<announced>2017-02-20</announced>
<revised>2017-02-20: 1</revised>
<bug>607138</bug>
<access>remote</access>
<affected>
<package name="www-client/firefox" auto="yes" arch="*">
<unaffected range="ge">45.7.0</unaffected>
<vulnerable range="lt">45.7.0</vulnerable>
</package>
<package name="www-client/firefox-bin" auto="yes" arch="*">
<unaffected range="ge">45.7.0</unaffected>
<vulnerable range="lt">45.7.0</vulnerable>
</package>
</affected>
<background>
<p>Mozilla Firefox is a popular open-source web browser from the Mozilla
Project.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Mozilla Firefox. Please
review the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could possibly execute arbitrary code with the
privileges of the process, cause a Denial of Service condition, bypass
access restriction, access otherwise protected information, or spoof
content via multiple vectors.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Mozilla Firefox users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=www-client/firefox-45.7.0"
</code>
<p>All Mozilla Firefox binary users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=www-client/firefox-bin-45.7.0"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5373">CVE-2017-5373</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5375">CVE-2017-5375</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5376">CVE-2017-5376</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5378">CVE-2017-5378</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5380">CVE-2017-5380</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5383">CVE-2017-5383</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5386">CVE-2017-5386</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5390">CVE-2017-5390</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5396">CVE-2017-5396</uri>
<uri link="https://www.mozilla.org/en-US/security/advisories/mfsa2017-02/">
Mozilla Foundation Security Advisory 2017-02
</uri>
</references>
<metadata tag="requester" timestamp="2017-01-30T01:26:06Z">whissi</metadata>
<metadata tag="submitter" timestamp="2017-02-20T23:45:18Z">whissi</metadata>
</glsa>

61
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201702-23.xml vendored Normal file
View File

@ -0,0 +1,61 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201702-23">
<title>Dropbear: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Dropbear, the worst of
which allows remote attackers to execute arbitrary code.
</synopsis>
<product type="ebuild">dropbear</product>
<announced>2017-02-20</announced>
<revised>2017-02-20: 1</revised>
<bug>605560</bug>
<access>remote</access>
<affected>
<package name="net-misc/dropbear" auto="yes" arch="*">
<unaffected range="ge">2016.74</unaffected>
<vulnerable range="lt">2016.74</vulnerable>
</package>
</affected>
<background>
<p>Dropbear is an SSH server and client designed with a small memory
footprint.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Dropbear. Please review
the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could possibly execute arbitrary code with root
privileges if usernames containing special characters can be created on a
system. Also, a dbclient user who can control username or host arguments
could potentially run arbitrary code with the privileges of the process.
</p>
<p>In addition, a remote attacker could entice a user to process a
specially crafted SSH key using dropbearconvert, possibly resulting in
execution of arbitrary code with the privileges of the process or a
Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Dropbear users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-misc/dropbear-2016.74"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7406">CVE-2016-7406</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7407">CVE-2016-7407</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7408">CVE-2016-7408</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7409">CVE-2016-7409</uri>
</references>
<metadata tag="requester" timestamp="2017-02-05T22:53:36Z">b-man</metadata>
<metadata tag="submitter" timestamp="2017-02-20T23:45:39Z">whissi</metadata>
</glsa>

57
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201702-24.xml vendored Normal file
View File

@ -0,0 +1,57 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201702-24">
<title>LibVNCServer/LibVNCClient: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in
LibVNCServer/LibVNCClient, the worst of which allows remote attackers to
execute arbitrary code when connecting to a malicious server.
</synopsis>
<product type="ebuild">libvncserver</product>
<announced>2017-02-20</announced>
<revised>2017-02-20: 1</revised>
<bug>605326</bug>
<access>remote</access>
<affected>
<package name="net-libs/libvncserver" auto="yes" arch="*">
<unaffected range="ge">0.9.11</unaffected>
<vulnerable range="lt">0.9.11</vulnerable>
</package>
</affected>
<background>
<p>LibVNCServer/LibVNCClient are cross-platform C libraries that allow you
to easily implement VNC server or client functionality in your program.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in LibVNCServer and
LibVNCClient. Please review the CVE identifiers referenced below for
details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could entice a user to connect to a malicious VNC
server or leverage Man-in-the-Middle attacks to cause the execution of
arbitrary code with the privileges of the user running a VNC client
linked against LibVNCClient.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All LibVNCServer/LibVNCClient users should upgrade to the latest
version:
</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-libs/libvncserver-0.9.11"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9941">CVE-2016-9941</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9942">CVE-2016-9942</uri>
</references>
<metadata tag="requester" timestamp="2017-02-05T22:55:00Z">b-man</metadata>
<metadata tag="submitter" timestamp="2017-02-20T23:45:56Z">whissi</metadata>
</glsa>

53
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201702-25.xml vendored Normal file
View File

@ -0,0 +1,53 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201702-25">
<title>libass: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in libass, the worst of
which have unknown impacts.
</synopsis>
<product type="ebuild">libass</product>
<announced>2017-02-20</announced>
<revised>2017-02-20: 1</revised>
<bug>596422</bug>
<access>remote</access>
<affected>
<package name="media-libs/libass" auto="yes" arch="*">
<unaffected range="ge">0.13.4</unaffected>
<vulnerable range="lt">0.13.4</vulnerable>
</package>
</affected>
<background>
<p>libass is a portable subtitle renderer for the ASS/SSA (Advanced
Substation Alpha/Substation Alpha) subtitle format.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in libass. Please review
the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could cause a Denial of Service condition or other
unknown impacts via unknown attack vectors.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All libass users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=media-libs/libass-0.13.4"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7969">CVE-2016-7969</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7970">CVE-2016-7970</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7971">CVE-2016-7971</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7972">CVE-2016-7972</uri>
</references>
<metadata tag="requester" timestamp="2017-02-05T23:35:59Z">b-man</metadata>
<metadata tag="submitter" timestamp="2017-02-20T23:46:16Z">whissi</metadata>
</glsa>

59
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201702-26.xml vendored Normal file
View File

@ -0,0 +1,59 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201702-26">
<title>Nagios: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Nagios, the worst of
which could lead to privilege escalation.
</synopsis>
<product type="ebuild">nagios</product>
<announced>2017-02-21</announced>
<revised>2017-02-21: 1</revised>
<bug>595194</bug>
<bug>598104</bug>
<bug>600864</bug>
<bug>602216</bug>
<access>local, remote</access>
<affected>
<package name="net-analyzer/nagios-core" auto="yes" arch="*">
<unaffected range="ge">4.2.4</unaffected>
<vulnerable range="lt">4.2.4</vulnerable>
</package>
</affected>
<background>
<p>Nagios is an open source host, service and network monitoring program.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Nagios. Please review
the CVE identifiers referenced below for details.
</p>
</description>
<impact type="high">
<p>A local attacker, who either is already Nagioss system user or
belongs to Nagioss group, could potentially escalate privileges.
</p>
<p>In addition, a remote attacker could read or write to arbitrary files by
spoofing a crafted response from the Nagios RSS feed server.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Nagios users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-analyzer/nagios-core-4.2.4"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4796">CVE-2008-4796</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-7313">CVE-2008-7313</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8641">CVE-2016-8641</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9565">CVE-2016-9565</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9566">CVE-2016-9566</uri>
</references>
<metadata tag="requester" timestamp="2017-01-30T01:56:03Z">whissi</metadata>
<metadata tag="submitter" timestamp="2017-02-21T00:04:00Z">b-man</metadata>
</glsa>

65
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201702-27.xml vendored Normal file
View File

@ -0,0 +1,65 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201702-27">
<title>Xen: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Xen, the worst of which
could lead to the execution of arbitrary code on the host system.
</synopsis>
<product type="ebuild">xen</product>
<announced>2017-02-21</announced>
<revised>2017-02-21: 1</revised>
<bug>607840</bug>
<bug>609160</bug>
<access>local</access>
<affected>
<package name="app-emulation/xen" auto="yes" arch="*">
<unaffected range="ge">4.7.1-r5</unaffected>
<vulnerable range="lt">4.7.1-r5</vulnerable>
</package>
<package name="app-emulation/xen-tools" auto="yes" arch="*">
<unaffected range="ge">4.7.1-r6</unaffected>
<vulnerable range="lt">4.7.1-r6</vulnerable>
</package>
</affected>
<background>
<p>Xen is a bare-metal hypervisor.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Xen. Please review the
CVE identifiers and Xen Security Advisory referenced below for details.
</p>
</description>
<impact type="normal">
<p>A local attacker could potentially execute arbitrary code with
privileges of Xen (QEMU) process on the host, gain privileges on the host
system, cause a Denial of Service condition, or obtain sensitive
information.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Xen users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-emulation/xen-4.7.1-r5"
</code>
<p>All Xen Tools users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose
"&gt;=app-emulation/xen-tools-4.7.1-r6"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2615">CVE-2017-2615</uri>
<uri link="https://xenbits.xen.org/xsa/advisory-207.html">XSA-207</uri>
<uri link="https://xenbits.xen.org/xsa/advisory-208.html">XSA-208</uri>
</references>
<metadata tag="requester" timestamp="2017-02-16T18:01:38Z">whissi</metadata>
<metadata tag="submitter" timestamp="2017-02-21T00:04:19Z">whissi</metadata>
</glsa>

72
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201702-28.xml vendored Normal file
View File

@ -0,0 +1,72 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201702-28">
<title>QEMU: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in QEMU, the worst of
which could lead to the execution of arbitrary code on the host system.
</synopsis>
<product type="ebuild">qemu</product>
<announced>2017-02-21</announced>
<revised>2017-02-21: 1</revised>
<bug>606264</bug>
<bug>606720</bug>
<bug>606722</bug>
<bug>607000</bug>
<bug>607100</bug>
<bug>607766</bug>
<bug>608034</bug>
<bug>608036</bug>
<bug>608038</bug>
<bug>608520</bug>
<bug>608728</bug>
<access>local</access>
<affected>
<package name="app-emulation/qemu" auto="yes" arch="*">
<unaffected range="ge">2.8.0-r1</unaffected>
<vulnerable range="lt">2.8.0-r1</vulnerable>
</package>
</affected>
<background>
<p>QEMU is a generic and open source machine emulator and virtualizer.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in QEMU. Please review the
CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A local attacker could potentially execute arbitrary code with
privileges of QEMU process on the host, gain privileges on the host
system, cause a Denial of Service condition, or obtain sensitive
information.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All QEMU users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-emulation/qemu-2.8.0-r1"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10155">
CVE-2016-10155
</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2615">CVE-2017-2615</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5525">CVE-2017-5525</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5552">CVE-2017-5552</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5578">CVE-2017-5578</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5579">CVE-2017-5579</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5667">CVE-2017-5667</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5856">CVE-2017-5856</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5857">CVE-2017-5857</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5898">CVE-2017-5898</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5931">CVE-2017-5931</uri>
</references>
<metadata tag="requester" timestamp="2017-02-16T18:41:09Z">whissi</metadata>
<metadata tag="submitter" timestamp="2017-02-21T00:04:45Z">whissi</metadata>
</glsa>

64
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201702-29.xml vendored Normal file
View File

@ -0,0 +1,64 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201702-29">
<title>PHP: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in PHP, the worst of which
could lead to arbitrary code execution or cause a Denial of Service
condition.
</synopsis>
<product type="ebuild">php</product>
<announced>2017-02-21</announced>
<revised>2017-02-21: 1</revised>
<bug>604776</bug>
<bug>606626</bug>
<access>remote</access>
<affected>
<package name="dev-lang/php" auto="yes" arch="*">
<unaffected range="ge" slot="5.6">5.6.30</unaffected>
<vulnerable range="lt" slot="5.6">5.6.30</vulnerable>
</package>
</affected>
<background>
<p>PHP is a widely-used general-purpose scripting language that is
especially suited for Web development and can be embedded into HTML.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in PHP. Please review the
CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>An attacker could possibly execute arbitrary code or create a Denial of
Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All PHP 5.6 users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-lang/php-5.6.30:5.6"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10158">
CVE-2016-10158
</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10159">
CVE-2016-10159
</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10160">
CVE-2016-10160
</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10161">
CVE-2016-10161
</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9935">CVE-2016-9935</uri>
</references>
<metadata tag="requester" timestamp="2017-01-18T23:06:15Z">b-man</metadata>
<metadata tag="submitter" timestamp="2017-02-21T00:05:07Z">whissi</metadata>
</glsa>

89
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201702-30.xml vendored Normal file
View File

@ -0,0 +1,89 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201702-30">
<title>tcpdump: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in tcpdump, the worst of
which may allow execution of arbitrary code.
</synopsis>
<product type="ebuild">tcpdump</product>
<announced>2017-02-21</announced>
<revised>2017-02-21: 1</revised>
<bug>606516</bug>
<access>remote</access>
<affected>
<package name="net-analyzer/tcpdump" auto="yes" arch="*">
<unaffected range="ge">4.9.0</unaffected>
<vulnerable range="lt">4.9.0</vulnerable>
</package>
</affected>
<background>
<p>tcpdump is a tool for network monitoring and data acquisition.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in tcpdump. Please review
the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker, by sending a specially crafted network package, could
possibly execute arbitrary code with the privileges of the process or
cause a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All tcpdump users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-analyzer/tcpdump-4.9.0"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7922">CVE-2016-7922</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7923">CVE-2016-7923</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7924">CVE-2016-7924</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7925">CVE-2016-7925</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7926">CVE-2016-7926</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7927">CVE-2016-7927</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7928">CVE-2016-7928</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7929">CVE-2016-7929</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7930">CVE-2016-7930</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7931">CVE-2016-7931</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7932">CVE-2016-7932</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7933">CVE-2016-7933</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7934">CVE-2016-7934</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7935">CVE-2016-7935</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7936">CVE-2016-7936</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7937">CVE-2016-7937</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7938">CVE-2016-7938</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7939">CVE-2016-7939</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7940">CVE-2016-7940</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7973">CVE-2016-7973</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7974">CVE-2016-7974</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7975">CVE-2016-7975</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7983">CVE-2016-7983</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7984">CVE-2016-7984</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7985">CVE-2016-7985</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7986">CVE-2016-7986</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7992">CVE-2016-7992</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7993">CVE-2016-7993</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8574">CVE-2016-8574</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8575">CVE-2016-8575</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5202">CVE-2017-5202</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5203">CVE-2017-5203</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5204">CVE-2017-5204</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5205">CVE-2017-5205</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5341">CVE-2017-5341</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5342">CVE-2017-5342</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5482">CVE-2017-5482</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5483">CVE-2017-5483</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5484">CVE-2017-5484</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5485">CVE-2017-5485</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5486">CVE-2017-5486</uri>
</references>
<metadata tag="requester" timestamp="2017-02-05T22:50:53Z">b-man</metadata>
<metadata tag="submitter" timestamp="2017-02-21T00:35:31Z">whissi</metadata>
</glsa>

62
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201702-31.xml vendored Normal file
View File

@ -0,0 +1,62 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201702-31">
<title>GPL Ghostscript: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in GPL Ghostscript, the
worst of which may allow execution of arbitrary code.
</synopsis>
<product type="ebuild">ghostscript</product>
<announced>2017-02-22</announced>
<revised>2017-02-22: 1</revised>
<bug>596576</bug>
<bug>607190</bug>
<access>remote</access>
<affected>
<package name="app-text/ghostscript-gpl" auto="yes" arch="*">
<unaffected range="ge">9.20-r1</unaffected>
<vulnerable range="lt">9.20-r1</vulnerable>
</package>
</affected>
<background>
<p>Ghostscript is an interpreter for the PostScript language and for PDF.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in GPL Ghostscript and the
bundled OpenJPEG. Please review the CVE identifiers and GLSA-201612-26
(OpenJPEG) referenced below for additional information.
</p>
<p>Note: GPL Ghostscript in Gentoo since app-text/ghostscript-gpl-9.20-r1
no longer bundles OpenJPEG.
</p>
</description>
<impact type="normal">
<p>A context-dependent attacker could entice a user to open a specially
crafted PostScript file or PDF using GPL Ghostscript possibly resulting
in the execution of arbitrary code with the privileges of the process or
a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All GPL Ghostscript users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose
"&gt;=app-text/ghostscript-gpl-9.20-r1"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7976">CVE-2016-7976</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7977">CVE-2016-7977</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7978">CVE-2016-7978</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7979">CVE-2016-7979</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8602">CVE-2016-8602</uri>
<uri link="https://security.gentoo.org/glsa/201612-26">GLSA-201612-26</uri>
</references>
<metadata tag="requester" timestamp="2017-02-21T18:24:37Z">whissi</metadata>
<metadata tag="submitter" timestamp="2017-02-22T11:12:25Z">whissi</metadata>
</glsa>

57
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201702-32.xml vendored Normal file
View File

@ -0,0 +1,57 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201702-32">
<title>Ruby Archive::Tar::Minitar: Directory traversal</title>
<synopsis>Ruby Archive::Tar::Minitar is vulnerable to a directory traversal
attack.
</synopsis>
<product type="ebuild">archive-tar-minitar</product>
<announced>2017-02-22</announced>
<revised>2017-02-22: 1</revised>
<bug>607110</bug>
<access>remote</access>
<affected>
<package name="dev-ruby/archive-tar-minitar" auto="yes" arch="*">
<unaffected range="ge">0.6.1</unaffected>
<vulnerable range="lt">0.6.1</vulnerable>
</package>
</affected>
<background>
<p>Archive::Tar::Minitar is a pure-Ruby library and command-line utility
that provides the ability to deal with POSIX tar(1) archive files.
</p>
</background>
<description>
<p>Michal Marek discovered that Ruby Archive::Tar::Minitar is vulnerable to
a directory traversal vulnerability.
</p>
</description>
<impact type="normal">
<p>A remote attacker could entice a user or an automated system to process
a specially crafted archive using Ruby Archive::Tar::Minitar possibly
allowing the writing of arbitrary files with the privileges of the
process.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Ruby Archive::Tar::Minitar users should upgrade to the latest
version:
</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose
"&gt;=dev-ruby/archive-tar-minitar-0.6.1"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10173">
CVE-2016-10173
</uri>
</references>
<metadata tag="requester" timestamp="2017-02-21T18:53:16Z">whissi</metadata>
<metadata tag="submitter" timestamp="2017-02-22T11:12:42Z">whissi</metadata>
</glsa>

56
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201703-01.xml vendored Normal file
View File

@ -0,0 +1,56 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201703-01">
<title>OpenOffice: User-assisted execution of arbitrary code</title>
<synopsis>A vulnerability in OpenOffice Impress could cause memory
corruption.
</synopsis>
<product type="ebuild">openoffice</product>
<announced>2017-03-19</announced>
<revised>2017-03-19: 1</revised>
<bug>597080</bug>
<access>remote</access>
<affected>
<package name="app-office/openoffice-bin" auto="yes" arch="*">
<unaffected range="ge">4.1.3</unaffected>
<vulnerable range="lt">4.1.3</vulnerable>
</package>
</affected>
<background>
<p>Apache OpenOffice is an open-source office software suite for word
processing, spreadsheets, presentations, graphics, databases and more.
</p>
</background>
<description>
<p>An exploitable out-of-bounds vulnerability exists in OpenOffice Impress
when handling MetaActions.
</p>
</description>
<impact type="normal">
<p>A remote attacker could entice a user to open a specially crafted
OpenDocument Presentation .ODP or Presentation Template .OTP file using
OpenOffice Impress, possibly resulting in execution of arbitrary code
with the privileges of the process or a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All OpenOffice users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-office/openoffice-bin-4.1.3"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1513">CVE-2016-1513</uri>
<uri link="http://www.talosintelligence.com/reports/TALOS-2016-0051/">
TALOS-2016-0051
</uri>
</references>
<metadata tag="requester" timestamp="2017-02-13T01:25:25Z">whissi</metadata>
<metadata tag="submitter" timestamp="2017-03-19T18:32:36Z">whissi</metadata>
</glsa>

61
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201703-02.xml vendored Normal file
View File

@ -0,0 +1,61 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201703-02">
<title>Adobe Flash Player: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in Adobe Flash Player, the
worst of which allows remote attackers to execute arbitrary code.
</synopsis>
<product type="ebuild">adobe-flash</product>
<announced>2017-03-19</announced>
<revised>2017-03-19: 1</revised>
<bug>612588</bug>
<access>remote</access>
<affected>
<package name="www-plugins/adobe-flash" auto="yes" arch="*">
<unaffected range="ge">25.0.0.127</unaffected>
<vulnerable range="lt">25.0.0.127</vulnerable>
</package>
</affected>
<background>
<p>The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in Adobe Flash Player.
Please review the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could possibly execute arbitrary code with the
privileges of the process or bypass security restrictions.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Adobe Flash users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose
"&gt;=www-plugins/adobe-flash-25.0.0.127"
</code>
</resolution>
<references>
<uri link="https://helpx.adobe.com/security/products/flash-player/apsb17-07.html">
APSB17-07
</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2997">CVE-2017-2997</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2998">CVE-2017-2998</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2999">CVE-2017-2999</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3000">CVE-2017-3000</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3001">CVE-2017-3001</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3002">CVE-2017-3002</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3003">CVE-2017-3003</uri>
</references>
<metadata tag="requester" timestamp="2017-03-16T08:44:22Z">whissi</metadata>
<metadata tag="submitter" timestamp="2017-03-19T18:32:52Z">whissi</metadata>
</glsa>

52
sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201703-03.xml vendored Normal file
View File

@ -0,0 +1,52 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201703-03">
<title>PuTTY: Buffer overflow </title>
<synopsis>A buffer overflow in PuTTY might allow remote attackers to execute
arbitrary code or cause a denial of service.
</synopsis>
<product type="ebuild">PuTTY</product>
<announced>2017-03-19</announced>
<revised>2017-03-19: 1</revised>
<bug>610552</bug>
<access>remote</access>
<affected>
<package name="net-misc/putty" auto="yes" arch="*">
<unaffected range="ge">0.68</unaffected>
<vulnerable range="lt">0.68</vulnerable>
</package>
</affected>
<background>
<p>PuTTY is a free implementation of Telnet and SSH for Windows and Unix
platforms, along with an xterm terminal emulator.
</p>
</background>
<description>
<p>A heap-corrupting buffer overflow bug in the ssh_agent_channel_data
function of PuTTY was found.
</p>
</description>
<impact type="normal">
<p>A remote attacker, utilizing the SSH agent forwarding of an SSH server,
could execute arbitrary code with the privileges of the user running the
client or cause a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All PuTTY users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-misc/putty-0.68"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6542">CVE-2017-6542</uri>
</references>
<metadata tag="requester" timestamp="2017-03-07T21:53:38Z">BlueKnight</metadata>
<metadata tag="submitter" timestamp="2017-03-19T18:47:02Z">BlueKnight</metadata>
</glsa>

2
sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk vendored
View File

@ -1 +1 @@
Tue, 24 Jan 2017 22:13:22 +0000
Tue, 21 Mar 2017 21:38:55 +0000