bump(metadata/glsa): sync with upstream

sdk_container/src/third_party/portage-stable/metadata/glsa/Manifest

@@ -1,23 +1,23 @@
 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA512
 
-MANIFEST Manifest.files.gz 448845 BLAKE2B 24feded351e2c02762000f35c6c58ac935b2383bf6acdd7450f974e16e15fe0935d3f657233d5cd4ab87639ad5f410b8ea36fd5c019b93bfbfc47983ef01dbdc SHA512 569d13495f7e4953afefd29435d7953d3afa1815ae86459c1f4f84726efaaedc5598835f415738d792d2d1060be50cf8ad9140b7fcf124dd7f9ea681a55957ab
-TIMESTAMP 2019-09-11T01:08:54Z
+MANIFEST Manifest.files.gz 449647 BLAKE2B 8803d7d7f47c464cfd8f60beebc66a2a666a58eced0da3542b3aa3258b2801c9603a06ee88dc1b3d88b18763967fd4df415a2267ef2059485f617f508c374276 SHA512 19ad2e1287d270dc62f5d69c91b20e5b243af42fac29e8d0aef1d81bebaee04f64f471f8dadc1f923158b7380eb0face42df28d6a6f48575d0150c58354966e3
+TIMESTAMP 2019-11-22T17:38:48Z
 -----BEGIN PGP SIGNATURE-----
 
-iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAl14SSZfFIAAAAAALgAo
+iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAl3YHShfFIAAAAAALgAo
 aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx
 RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY
-klDZSBAAqoFwooNC4OtE9pVq2cfjdzGkK9W5/lJi+aVvllk3srr5BHd8jakr9IJq
-DaXZNkdcNs+ZSU2pW8wF3KG7r6b5Ib0KTTYHuMCSXJHSYNLBW60x1YHOUoQYdPGb
-K26I7l61X742gFzmeGjXUaqUbN4Z99iYBTLD7VnYQCSMDPLirNF+0Mi35lrXA8OO
-9nX63kLgvrmRpArBhjeR41JlfjqC5yqES3KWYYuzMO+V7L7smP9zmgf2NI9lZfCm
-HIh4exi0xmHr0ZgW4wZgvLFuAxHE4BoMO+z5mW1Qb7CkTdEeizWsMxdQiGRgOT12
-WTUV3qW5QfHYTNuDHxhfrfRPQ6/+EhosLRrxWO0EHoYh/GNUJ/TdQATADJa+whLy
-sXm9tuX/LriOlB1bPx6SakW2BNbTmve4XwocNKUh2Th02C9WsTiK4hNARnct+644
-FUuKCiCXK8/r1isozPY0YcnwDuQvBAS3diYo9b641BpCCSlhPqJuZDvl/9CFnqLF
-z4LydlDnarNKWY1HXcrQnlzwwyPxpDHjfp2Mugrc4P0Nyr99/Vboale/rjIlZXFi
-idIDlJZqTsznd1bM7vdZ4rzEsAbwS2DtWgfDk5xzHP9uYjt7srjrwT8PPHXf3fDn
-MT6ZGrkgpOHqC/LswBWMNvzRJqTp1Zod08wjwJbr6XLWTK+z+vE=
-=OjnX
+klB87w//UoGHDGr8v7UijB9Op29ia5ExY66P8cQLQah48TTTzUFJuhW+1cxaxuM8
+8TtUbHf7n6HwmFs35WrsjI3zDMYxz67gKQtu4sCEDBvq0k/7wOmVomxa6Idt+ADC
+BfmkdbYLiRDpnBc3l/uLgMCrocUTmrCoH/BjDAlh0tW8ViuQ1ah72dtmhwOPtkkK
+mH4PPzOFPujoIGwn7lgQE2MPinExpgQ1x31mMNUvqld2OXMmm1VrjcF7LD6WxjuL
+gAFcPnVf8ru/H/gMD14/VZ1Lkf7a7jV3aDOZk7dj+0+G9rDRWMcnLga+N3nnlizk
+8I2E3mGM6U858gc7TZkPxycsV35PGCCOWg9HoHRDkjfe5gCR97tVHrREBPnUa8hT
+fbSRic6HO0fLb4tX3w7y4GdiUDeQ9IarZngkbWpy8ZDRFhIonYDj8N1drWfSQu15
+lwGu3s7R2HAhGfO3HxhXuHpbmxf3TQlayBASyXofp3zx+hCCUdKXD/O+NwfqNveE
+57SQ3lW0kEWL2jQgvocn4LiMzrDuMImAiwubcY5nfXaQZWwjSIV1T+MVcC/kb9Yt
+JzKWlTFOl8eaNnjiXA8wMU4cLNFW4v9OQfrqrKUT8kO3nWkB20aiqPJxp0XRRA+B
+jR1SxQVNdu2P2JmJOpuS0m5ybAubZ0oIG0Y0VtqRYIboolBXjFQ=
+=uGfw
 -----END PGP SIGNATURE-----

sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201910-01.xml

@@ -0,0 +1,81 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201910-01">
+  <title>PHP: Arbitrary code execution</title>
+  <synopsis>A vulnerability in PHP might allow an attacker to execute arbitrary
+    code.
+  </synopsis>
+  <product type="ebuild">php</product>
+  <announced>2019-10-25</announced>
+  <revised count="2">2019-11-19</revised>
+  <bug>698452</bug>
+  <access>remote</access>
+  <affected>
+    <package name="dev-lang/php" auto="yes" arch="*">
+      <unaffected range="ge">7.1.33</unaffected>
+      <unaffected range="ge">7.2.24</unaffected>
+      <unaffected range="ge">7.3.11</unaffected>
+      <unaffected range="ge">5.6.40-r7</unaffected>
+      <vulnerable range="lt">7.1.33</vulnerable>
+      <vulnerable range="lt">7.2.24</vulnerable>
+      <vulnerable range="lt">7.3.11</vulnerable>
+      <vulnerable range="lt">5.6.40-r7</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>PHP is an open source general-purpose scripting language that is
+      especially suited for web development.
+    </p>
+  </background>
+  <description>
+    <p>A underflow in env_path_info in PHP-FPM under certain configurations can
+      be exploited to gain remote code execution.
+    </p>
+  </description>
+  <impact type="high">
+    <p>A remote attacker, by sending special crafted HTTP requests, could
+      possibly execute arbitrary code with the privileges of the process, or
+      cause a Denial of Service condition.
+    </p>
+  </impact>
+  <workaround>
+    <p>If patching is not feasible, the suggested workaround is to include
+      checks to verify whether or not a file exists before passing to PHP.
+    </p>
+  </workaround>
+  <resolution>
+    <p>All PHP 5.6 users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=dev-lang/php-5.6.40-r7"
+    </code>
+    
+    <p>All PHP 7.1 users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=dev-lang/php-7.1.33"
+    </code>
+    
+    <p>All PHP 7.2 users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=dev-lang/php-7.2.24"
+    </code>
+    
+    <p>All PHP 7.3 users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=dev-lang/php-7.3.11"
+    </code>
+    
+  </resolution>
+  <references>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-11043">CVE-2019-11043</uri>
+  </references>
+  <metadata tag="requester" timestamp="2019-10-24T23:39:18Z">whissi</metadata>
+  <metadata tag="submitter" timestamp="2019-11-19T10:48:24Z">whissi</metadata>
+</glsa>

sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201911-01.xml

@@ -0,0 +1,55 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201911-01">
+  <title>OpenSSH: Integer overflow</title>
+  <synopsis>An integer overflow in OpenSSH might allow an attacker to execute
+    arbitrary code.
+  </synopsis>
+  <product type="ebuild">openssh</product>
+  <announced>2019-11-07</announced>
+  <revised count="1">2019-11-07</revised>
+  <bug>697046</bug>
+  <access>remote</access>
+  <affected>
+    <package name="net-misc/openssh" auto="yes" arch="*">
+      <unaffected range="ge">8.0_p1-r4</unaffected>
+      <vulnerable range="ge">8.0_p1-r2</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>OpenSSH is a complete SSH protocol implementation that includes SFTP
+      client and server support.
+    </p>
+  </background>
+  <description>
+    <p>OpenSSH, when built with “xmss” USE flag enabled, has a
+      pre-authentication integer overflow if a client or server is configured
+      to use a crafted XMSS key.
+    </p>
+    
+    <p>NOTE: This USE flag is disabled by default!</p>
+  </description>
+  <impact type="normal">
+    <p>A remote attacker could connect to a vulnerable OpenSSH server using a
+      special crafted XMSS key possibly resulting in execution of arbitrary
+      code with the privileges of the process or a Denial of Service condition.
+    </p>
+  </impact>
+  <workaround>
+    <p>Disable XMSS key type.</p>
+  </workaround>
+  <resolution>
+    <p>All OpenSSH users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose
+      "&gt;=net-misc/openssh/openssh-8.0_p1-r4"
+    </code>
+  </resolution>
+  <references>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-16905">CVE-2019-16905</uri>
+  </references>
+  <metadata tag="requester" timestamp="2019-10-26T14:48:28Z">whissi</metadata>
+  <metadata tag="submitter" timestamp="2019-11-07T19:01:23Z">whissi</metadata>
+</glsa>

sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201911-02.xml

@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201911-02">
+  <title>pump: User-assisted execution of arbitrary code</title>
+  <synopsis>A buffer overflow in pump might allow remote attacker to execute
+    arbitrary code.
+  </synopsis>
+  <product type="ebuild">pump</product>
+  <announced>2019-11-07</announced>
+  <revised count="1">2019-11-07</revised>
+  <bug>694314</bug>
+  <access>remote</access>
+  <affected>
+    <package name="net-misc/pump" auto="yes" arch="*">
+      <vulnerable range="le">0.8.24-r4</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>BOOTP and DHCP client for automatic IP configuration.</p>
+  </background>
+  <description>
+    <p>It was discovered that there was an arbitrary code execution
+      vulnerability in the pump DHCP/BOOTP client.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>A remote attacker, by enticing a user to connect to a malicious server,
+      could cause the execution of arbitrary code with the privileges of the
+      user running pump DHCP/BOOTP client.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>Gentoo has discontinued support for pump. We recommend that users
+      unmerge pump:
+    </p>
+    
+    <code>
+      # emerge --unmerge "net-misc/pump"
+    </code>
+  </resolution>
+  <references>
+    <uri link="https://bugs.debian.org/933674">Debian Bug Report 933674</uri>
+  </references>
+  <metadata tag="requester" timestamp="2019-10-26T18:02:26Z">whissi</metadata>
+  <metadata tag="submitter" timestamp="2019-11-07T19:05:32Z">whissi</metadata>
+</glsa>

sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201911-03.xml

@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201911-03">
+  <title>Oniguruma: Multiple vulnerabilities</title>
+  <synopsis>Multiple vulnerabilities have been found in Oniguruma, the worst of
+    which could result in the arbitrary execution of code.
+  </synopsis>
+  <product type="ebuild">oniguruma</product>
+  <announced>2019-11-07</announced>
+  <revised count="1">2019-11-07</revised>
+  <bug>691832</bug>
+  <access>local, remote</access>
+  <affected>
+    <package name="dev-libs/oniguruma" auto="yes" arch="*">
+      <unaffected range="ge">6.9.3</unaffected>
+      <vulnerable range="lt">6.9.3</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>Oniguruma is a regular expression library.</p>
+  </background>
+  <description>
+    <p>Multiple vulnerabilities have been discovered in Oniguruma. Please
+      review the CVE identifiers referenced below for details.
+    </p>
+  </description>
+  <impact type="high">
+    <p>A remote attacker, by enticing a user to process a specially crafted
+      string using an application linked against Oniguruma, could possibly
+      execute arbitrary code with the privileges of the process or cause a
+      Denial of Service condition.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All Oniguruma users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=dev-libs/oniguruma-6.9.3"
+    </code>
+  </resolution>
+  <references>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13224">CVE-2019-13224</uri>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-13225">CVE-2019-13225</uri>
+  </references>
+  <metadata tag="requester" timestamp="2019-09-12T21:09:00Z">whissi</metadata>
+  <metadata tag="submitter" timestamp="2019-11-07T19:07:37Z">whissi</metadata>
+</glsa>

sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-201911-04.xml

@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201911-04">
+  <title>OpenSSL: Multiple vulnerabilities</title>
+  <synopsis>Multiple information disclosure vulnerabilities in OpenSSL allow
+    attackers to obtain sensitive information.
+  </synopsis>
+  <product type="ebuild">openssl</product>
+  <announced>2019-11-07</announced>
+  <revised count="1">2019-11-07</revised>
+  <bug>694162</bug>
+  <access>local, remote</access>
+  <affected>
+    <package name="dev-libs/openssl" auto="yes" arch="*">
+      <unaffected range="ge">1.0.2t</unaffected>
+      <vulnerable range="lt">1.0.2t</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer
+      (SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general
+      purpose cryptography library.
+    </p>
+  </background>
+  <description>
+    <p>Multiple vulnerabilities have been discovered in OpenSSL. Please review
+      the CVE identifiers referenced below for details.
+    </p>
+  </description>
+  <impact type="low">
+    <p>Please review the referenced CVE identifiers for details.</p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All OpenSSL users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=dev-libs/openssl-1.0.2t"
+    </code>
+  </resolution>
+  <references>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-1547">CVE-2019-1547</uri>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-1563">CVE-2019-1563</uri>
+  </references>
+  <metadata tag="requester" timestamp="2019-09-12T14:09:32Z">whissi</metadata>
+  <metadata tag="submitter" timestamp="2019-11-07T19:09:02Z">whissi</metadata>
+</glsa>

sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk

@@ -1 +1 @@
-Wed, 11 Sep 2019 01:08:51 +0000
+Fri, 22 Nov 2019 17:38:45 +0000

sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.commit

@@ -1 +1 @@
-0d8b041795d355b2f8da9b84725a62150a91dc13 1567964538 2019-09-08T17:42:18+00:00
+435541275775881e78e6acc96aca7536a5955224 1574160598 2019-11-19T10:49:58+00:00