Merge pull request #492 from dm0-/glsa

bump(metadata/glsa): sync with upstream
David Michael 2016-12-05 11:40:55 -08:00 committed by GitHub
commit fbc933baf0
16 changed files with 822 additions and 1 deletions


@ -19,6 +19,7 @@
<unaffected range="ge">7.2.6.6-r1</unaffected> <unaffected range="ge">7.2.6.6-r1</unaffected>
<unaffected range="rge">3.0.1</unaffected> <unaffected range="rge">3.0.1</unaffected>
<unaffected range="rge">3.1.0</unaffected> <unaffected range="rge">3.1.0</unaffected>
<unaffected range="rge">3.2.0</unaffected>
<vulnerable range="lt">7.2.6.6-r1</vulnerable> <vulnerable range="lt">7.2.6.6-r1</vulnerable>
</package> </package>
</affected> </affected>


@ -17,6 +17,7 @@
<unaffected range="ge">23.0.0.205</unaffected> <unaffected range="ge">23.0.0.205</unaffected>
<unaffected range="rge">11.2.202.635</unaffected> <unaffected range="rge">11.2.202.635</unaffected>
<unaffected range="rge">11.2.202.643</unaffected> <unaffected range="rge">11.2.202.643</unaffected>
<unaffected range="rge">11.2.202.644</unaffected>
<vulnerable range="lt">23.0.0.205</vulnerable> <vulnerable range="lt">23.0.0.205</vulnerable>
</package> </package>
</affected> </affected>


@ -0,0 +1,65 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201611-21">
<title>ImageMagick: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in ImageMagick, the worst
of which allows remote attackers to execute arbitrary code.
</synopsis>
<product type="ebuild">imagemagick</product>
<announced>November 30, 2016</announced>
<revised>November 30, 2016: 1</revised>
<bug>581990</bug>
<bug>593526</bug>
<bug>593530</bug>
<bug>593532</bug>
<bug>595200</bug>
<bug>596002</bug>
<bug>596004</bug>
<access>remote</access>
<affected>
<package name="media-gfx/imagemagick" auto="yes" arch="*">
<unaffected range="ge">6.9.6.2</unaffected>
<vulnerable range="lt">6.9.6.2</vulnerable>
</package>
</affected>
<background>
<p>ImageMagick is a collection of tools and libraries for many image
formats.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in ImageMagick. Please
review the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could possibly execute arbitrary code with the
privileges of the process or cause a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All ImageMagick users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=media-gfx/imagemagick-6.9.6.2"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3714">CVE-2016-3714</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3715">CVE-2016-3715</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3716">CVE-2016-3716</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3717">CVE-2016-3717</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3718">CVE-2016-3718</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5010">CVE-2016-5010</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5842">CVE-2016-5842</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6491">CVE-2016-6491</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7799">CVE-2016-7799</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7906">CVE-2016-7906</uri>
</references>
<metadata tag="requester" timestamp="Tue, 11 Oct 2016 12:32:33 +0000">b-man</metadata>
<metadata tag="submitter" timestamp="Wed, 30 Nov 2016 21:42:34 +0000">b-man</metadata>
</glsa>
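Review bot: The `<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">` line at the top of this file points at an external DTD over plain HTTP, and the same declaration opens every other new advisory in this commit. The consumer of these files is not visible on this page, so this is a point to confirm rather than a confirmed defect: whatever parses them should run with external DTD and entity loading disabled and without network access. If validation is needed, it should run against a locally pinned copy of the DTD. Because the files are synced from upstream, the place to enforce this is the parser configuration, not the advisory text.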


@ -0,0 +1,97 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201611-22">
<title>PHP: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in PHP, the worst of which
could lead to arbitrary code execution or cause a Denial of Service
condition.
</synopsis>
<product type="ebuild">php</product>
<announced>November 30, 2016</announced>
<revised>November 30, 2016: 1</revised>
<bug>578734</bug>
<bug>581834</bug>
<bug>584204</bug>
<bug>587246</bug>
<bug>591710</bug>
<bug>594498</bug>
<bug>597586</bug>
<bug>599326</bug>
<access>remote</access>
<affected>
<package name="dev-lang/php" auto="yes" arch="*">
<unaffected range="ge">5.6.28</unaffected>
<vulnerable range="lt">5.6.28</vulnerable>
</package>
</affected>
<background>
<p>PHP is a widely-used general-purpose scripting language that is
especially suited for Web development and can be embedded into HTML.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in PHP. Please review the
CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>An attacker can possibly execute arbitrary code or create a Denial of
Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All PHP users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev=lang/php-5.6.28"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8865">CVE-2015-8865</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3074">CVE-2016-3074</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4071">CVE-2016-4071</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4072">CVE-2016-4072</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4073">CVE-2016-4073</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4537">CVE-2016-4537</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4538">CVE-2016-4538</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4539">CVE-2016-4539</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4540">CVE-2016-4540</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4541">CVE-2016-4541</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4542">CVE-2016-4542</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4543">CVE-2016-4543</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4544">CVE-2016-4544</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5385">CVE-2016-5385</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6289">CVE-2016-6289</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6290">CVE-2016-6290</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6291">CVE-2016-6291</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6292">CVE-2016-6292</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6294">CVE-2016-6294</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6295">CVE-2016-6295</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6296">CVE-2016-6296</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6297">CVE-2016-6297</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7124">CVE-2016-7124</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7125">CVE-2016-7125</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7126">CVE-2016-7126</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7127">CVE-2016-7127</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7128">CVE-2016-7128</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7129">CVE-2016-7129</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7130">CVE-2016-7130</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7131">CVE-2016-7131</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7132">CVE-2016-7132</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7133">CVE-2016-7133</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7134">CVE-2016-7134</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7411">CVE-2016-7411</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7412">CVE-2016-7412</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7413">CVE-2016-7413</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7414">CVE-2016-7414</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7416">CVE-2016-7416</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7417">CVE-2016-7417</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7418">CVE-2016-7418</uri>
</references>
<metadata tag="requester" timestamp="Sun, 19 Jun 2016 11:17:24 +0000">b-man</metadata>
<metadata tag="submitter" timestamp="Wed, 30 Nov 2016 21:46:26 +0000">b-man</metadata>
</glsa>
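Review bot: The upgrade command in `<resolution>` has a typo in the package atom: `"&gt;=dev=lang/php-5.6.28"` uses `=` where the category separator should be `-`. The `<affected>` block in the same file names the package `dev-lang/php`, so the line should read `# emerge --ask --oneshot --verbose "&gt;=dev-lang/php-5.6.28"`. As written, the string is not a valid atom, so an administrator who pastes the advisory's command would get an error instead of the fixed version. Since the file is synced from upstream, the correction would need to be reported there as well.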


@ -0,0 +1,70 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201612-01">
<title>GnuPG: RNG output is predictable</title>
<synopsis>Due to a design flaw, the output of GnuPG's Random Number Generator
(RNG) is predictable.
</synopsis>
<product type="ebuild">gnupg</product>
<announced>December 02, 2016</announced>
<revised>December 02, 2016: 1</revised>
<bug>591536</bug>
<access>local</access>
<affected>
<package name="app-crypt/gnupg" auto="yes" arch="*">
<unaffected range="ge">1.4.21</unaffected>
<vulnerable range="lt">1.4.21</vulnerable>
</package>
</affected>
<background>
<p>The GNU Privacy Guard, GnuPG, is a free replacement for the PGP suite of
cryptographic software.
</p>
</background>
<description>
<p>A long standing bug (since 1998) in Libgcrypt (see “GLSA 201610-04”
below) and GnuPG allows an attacker to predict the output from the
standard RNG. Please review the “Entropy Loss and Output Predictability
in the Libgcrypt PRNG” paper below for a deep technical analysis.
</p>
</description>
<impact type="normal">
<p>An attacker who obtains 580 bytes of the random number from the standard
RNG can trivially predict the next 20 bytes of output.
</p>
<p>This flaw does not affect the default generation of keys, because
running gpg for key creation creates at most 2 keys from the pool. For a
single 4096 bit RSA key, 512 bytes of random are required and thus for
the second key (encryption subkey), 20 bytes could be predicted from the
the first key.
</p>
<p>However, the security of an OpenPGP key depends on the primary key
(which was generated first) and thus the 20 predictable bytes should not
be a problem. For the default key length of 2048 bit nothing will be
predictable.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All GnuPG 1 users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-crypt/gnupg-1.4.21"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6313">CVE-2016-6313</uri>
<uri link="http://formal.iti.kit.edu/~klebanov/pubs/libgcrypt-cve-2016-6313.pdf">
Entropy Loss and Output Predictability in the Libgcrypt PRNG
</uri>
<uri link="http://security.gentoo.org/glsa/201610-04">GLSA 201610-04</uri>
</references>
<metadata tag="requester" timestamp="Wed, 30 Nov 2016 18:28:25 +0000">whissi</metadata>
<metadata tag="submitter" timestamp="Fri, 02 Dec 2016 09:38:37 +0000">whissi</metadata>
</glsa>


@ -0,0 +1,64 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201612-02">
<title>DavFS2: Local privilege escalation</title>
<synopsis>A vulnerability in DavFS2 allows local users to gain root
privileges.
</synopsis>
<product type="ebuild">davfs2</product>
<announced>December 02, 2016</announced>
<revised>December 02, 2016: 1</revised>
<bug>485232</bug>
<access>local</access>
<affected>
<package name="net-fs/davfs2" auto="yes" arch="*">
<unaffected range="ge">1.5.2</unaffected>
<vulnerable range="lt">1.5.2</vulnerable>
</package>
</affected>
<background>
<p>DavFS2 is a file system driver that allows you to mount a WebDAV server
as a local disk drive.
</p>
</background>
<description>
<p>DavFS2 installs “/usr/sbin/mount.davfs” as setuid root. This utility
uses “system()” to call “/sbin/modprobe”.
</p>
<p>While the call to “modprobe” itself cannot be manipulated, a local
authenticated user can set the “MODPROBE_OPTIONS” environment
variable to pass a user controlled path, allowing the loading of an
arbitrary kernel module.
</p>
</description>
<impact type="normal">
<p>A local user could gain root privileges.</p>
</impact>
<workaround>
<p>The system administrator should ensure that all modules the
“mount.davfs” utility tries to load are loaded upon system boot
before any local user can call the utility.
</p>
<p>An additional defense measure can be implemented by enabling the Linux
kernel module signing feature. This assists in the prevention of
arbitrary modules being loaded.
</p>
</workaround>
<resolution>
<p>All DavFS2 users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-fs/davfs2-1.5.2"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4362">CVE-2013-4362</uri>
</references>
<metadata tag="requester" timestamp="Mon, 07 Dec 2015 21:54:18 +0000">
BlueKnight
</metadata>
<metadata tag="submitter" timestamp="Fri, 02 Dec 2016 13:32:55 +0000">whissi</metadata>
</glsa>


@ -0,0 +1,55 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201612-03">
<title>libsndfile: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in libsndfile, the worst
of which might allow remote attackers to execute arbitrary code.
</synopsis>
<product type="ebuild">libsndfile</product>
<announced>December 03, 2016</announced>
<revised>December 03, 2016: 1</revised>
<bug>533750</bug>
<bug>566682</bug>
<access>local, remote</access>
<affected>
<package name="media-libs/libsndfile" auto="yes" arch="*">
<unaffected range="ge">1.0.26</unaffected>
<vulnerable range="lt">1.0.26</vulnerable>
</package>
</affected>
<background>
<p>libsndfile is a C library for reading and writing files containing
sampled sound.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in libsndfile. Please
review the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could entice a user to open a specially crafted file,
possibly resulting in the execution of arbitrary code with the privileges
of the process, or cause a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All libsndfile users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=media-libs/libsndfile-1.0.26"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9496">CVE-2014-9496</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7805">CVE-2015-7805</uri>
</references>
<metadata tag="requester" timestamp="Thu, 25 Feb 2016 07:52:16 +0000">
BlueKnight
</metadata>
<metadata tag="submitter" timestamp="Sat, 03 Dec 2016 10:28:00 +0000">whissi</metadata>
</glsa>


@ -0,0 +1,59 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201612-04">
<title>BusyBox: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in BusyBox, the worst of
which allows remote attackers to execute arbitrary code.
</synopsis>
<product type="ebuild">busybox</product>
<announced>December 04, 2016</announced>
<revised>December 04, 2016: 1</revised>
<bug>564246</bug>
<bug>577610</bug>
<access>local, remote</access>
<affected>
<package name="sys-apps/busybox" auto="yes" arch="*">
<unaffected range="ge">1.24.2</unaffected>
<vulnerable range="lt">1.24.2</vulnerable>
</package>
</affected>
<background>
<p>BusyBox is a set of tools for embedded systems and is a replacement for
GNU Coreutils.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in BusyBox. Please review
the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could possibly execute arbitrary code with the
privileges of the process, or cause a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time. However, on Gentoo, the
remote code execution vulnerability can be avoided if you dont use
BusyBoxs udhcpc or build the package without the “ipv6” USE flag
enabled.
</p>
</workaround>
<resolution>
<p>All BusyBox users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=sys-apps/busybox-1.24.2"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2147">CVE-2016-2147</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2148">CVE-2016-2148</uri>
</references>
<metadata tag="requester" timestamp="Thu, 31 Dec 2015 06:28:35 +0000">
BlueKnight
</metadata>
<metadata tag="submitter" timestamp="Sun, 04 Dec 2016 06:39:16 +0000">whissi</metadata>
</glsa>
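Review bot: The `<workaround>` text has lost its apostrophes: it reads "dont use BusyBoxs udhcpc" where `don't use BusyBox's udhcpc` is meant. The same loss shows up in later files of this commit: "FontManagers" in the Pygments advisory, "Dont use LinuxCIFS utils" in the cifs-utils advisory, and "Dont" / "libvirts" in the libvirt advisory. The curly double quotes around “ipv6” survived, which suggests a single character was dropped during an encoding conversion rather than mistyped; that cause is an inference from the visible text. The libvirt advisory also has "maybe able" and "disable by default", which read as `may be able` and `disabled by default`.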


@ -0,0 +1,55 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201612-05">
<title>Pygments: Arbitrary code execution</title>
<synopsis>Pygments is vulnerable to remote code execution if an attacker is
allowed to specify the font name.
</synopsis>
<product type="ebuild">pygments</product>
<announced>December 04, 2016</announced>
<revised>December 04, 2016: 1</revised>
<bug>564478</bug>
<access>remote</access>
<affected>
<package name="dev-python/pygments" auto="yes" arch="*">
<unaffected range="ge">2.0.2-r1</unaffected>
<vulnerable range="lt">2.0.2-r1</vulnerable>
</package>
</affected>
<background>
<p>Pygments is a generic syntax highlighter suitable for use in code
hosting, forums, wikis or other applications that need to prettify source
code.
</p>
</background>
<description>
<p>A vulnerability in FontManagers _get_nix_font_path function allows
shell metacharacters to be passed in a font name.
</p>
</description>
<impact type="normal">
<p>A remote attacker could possibly execute arbitrary code with the
privileges of the process.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Pygments users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=dev-python/pygments-2.0.2-r1"
</code>
</resolution>
<references>
<uri link="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8557">
CVE-2015-8557
</uri>
</references>
<metadata tag="requester" timestamp="Tue, 08 Dec 2015 00:25:56 +0000">
BlueKnight
</metadata>
<metadata tag="submitter" timestamp="Sun, 04 Dec 2016 06:50:34 +0000">whissi</metadata>
</glsa>


@ -0,0 +1,50 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201612-06">
<title>nghttp2: Heap-use-after-free</title>
<synopsis>Nghttp2 is vulnerable to a heap-use-after-free flaw in idle stream
handling code.
</synopsis>
<product type="ebuild">nghttp2</product>
<announced>December 04, 2016</announced>
<revised>December 04, 2016: 1</revised>
<bug>569518</bug>
<access>remote</access>
<affected>
<package name="net-libs/nghttp2" auto="yes" arch="*">
<unaffected range="ge">1.6.0</unaffected>
<vulnerable range="lt">1.6.0</vulnerable>
</package>
</affected>
<background>
<p>Nghttp2 is an implementation of HTTP/2 and its header compression
algorithm HPACK in C.
</p>
</background>
<description>
<p>A heap-use-after-free vulnerability has been discovered in nghttp2.
Please review the CVE identifier referenced below for details.
</p>
</description>
<impact type="normal">
<p>The impact of the vulnerability is still unknown.</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All nghttp2 users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-libs/nghttp2-1.6.0"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8659">CVE-2015-8659</uri>
</references>
<metadata tag="requester" timestamp="Thu, 25 Feb 2016 07:09:46 +0000">
BlueKnight
</metadata>
<metadata tag="submitter" timestamp="Sun, 04 Dec 2016 10:59:07 +0000">whissi</metadata>
</glsa>


@ -0,0 +1,52 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201612-07">
<title>dpkg: Arbitrary code execution</title>
<synopsis>A vulnerability was discovered in dpkg which could potentially lead
to arbitrary code execution.
</synopsis>
<product type="ebuild">dpkg</product>
<announced>December 04, 2016</announced>
<revised>December 04, 2016: 1</revised>
<bug>567258</bug>
<access>local, remote</access>
<affected>
<package name="app-arch/dpkg" auto="yes" arch="*">
<unaffected range="ge">1.17.26</unaffected>
<vulnerable range="lt">1.17.26</vulnerable>
</package>
</affected>
<background>
<p>Debian package management system.</p>
</background>
<description>
<p>Gentoo Linux developer, Hanno Böck, discovered an off-by-one error in
the dpkg-deb component of dpkg, the Debian package management system,
which triggers a stack-based buffer overflow.
</p>
</description>
<impact type="normal">
<p>An attacker could potentially execute arbitrary code if an user or an
automated system were tricked into processing a specially crafted Debian
binary package (.deb).
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All dpkg users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-arch/dpkg-1.17.26"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0860">CVE-2015-0860</uri>
</references>
<metadata tag="requester" timestamp="Thu, 25 Feb 2016 07:05:41 +0000">
BlueKnight
</metadata>
<metadata tag="submitter" timestamp="Sun, 04 Dec 2016 11:01:29 +0000">whissi</metadata>
</glsa>


@ -0,0 +1,55 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201612-08">
<title>LinuxCIFS utils: Buffer overflow</title>
<synopsis>A vulnerability in LinuxCIFS utils' "cifscreds" PAM module might
allow remote attackers to have an unspecified impact via unknown vectors.
</synopsis>
<product type="ebuild">cifs-utils</product>
<announced>December 04, 2016</announced>
<revised>December 04, 2016: 1</revised>
<bug>552634</bug>
<access>remote</access>
<affected>
<package name="net-fs/cifs-utils" auto="yes" arch="*">
<unaffected range="ge">6.4</unaffected>
<vulnerable range="lt">6.4</vulnerable>
</package>
</affected>
<background>
<p>The LinuxCIFS utils are a collection of tools for managing Linux CIFS
Client Filesystems.
</p>
</background>
<description>
<p>A stack-based buffer overflow was discovered in cifskey.c or cifscreds.c
in LinuxCIFS, as used in “pam_cifscreds.”
</p>
</description>
<impact type="normal">
<p>A remote attacker could exploit this vulnerability to cause an
unspecified impact.
</p>
</impact>
<workaround>
<p>Dont use LinuxCIFS utils “cifscreds” PAM module. In Gentoo,
LinuxCIFS utils PAM support is disabled by default unless the
“pam” USE flag is enabled.
</p>
</workaround>
<resolution>
<p>All LinuxCIFS utils users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=net-fs/cifs-utils-6.4"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2830">CVE-2014-2830</uri>
</references>
<metadata tag="requester" timestamp="Thu, 25 Feb 2016 07:13:41 +0000">
BlueKnight
</metadata>
<metadata tag="submitter" timestamp="Sun, 04 Dec 2016 11:02:29 +0000">whissi</metadata>
</glsa>


@ -0,0 +1,55 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201612-09">
<title>GD: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in GD, the worst of which
allows remote attackers to execute arbitrary code.
</synopsis>
<product type="ebuild">gd</product>
<announced>December 04, 2016</announced>
<revised>December 04, 2016: 1</revised>
<bug>587662</bug>
<bug>587968</bug>
<bug>592720</bug>
<bug>592722</bug>
<access>local, remote</access>
<affected>
<package name="media-libs/gd" auto="yes" arch="*">
<unaffected range="ge">2.2.3</unaffected>
<vulnerable range="lt">2.2.3</vulnerable>
</package>
</affected>
<background>
<p>GD is a graphic library for fast image creation.</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in GD. Please review the
CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could possibly execute arbitrary code with the
privileges of the process, or cause a Denial of Service condition.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All gd users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=media-libs/gd-2.2.3"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5766">CVE-2016-5766</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6128">CVE-2016-6128</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6132">CVE-2016-6132</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6207">CVE-2016-6207</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7568">CVE-2016-7568</uri>
</references>
<metadata tag="requester" timestamp="Fri, 11 Nov 2016 06:53:45 +0000">b-man</metadata>
<metadata tag="submitter" timestamp="Sun, 04 Dec 2016 11:07:34 +0000">whissi</metadata>
</glsa>


@ -0,0 +1,62 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201612-10">
<title>libvirt: Directory traversal</title>
<synopsis>Libvirt is vulnerable to directory traversal when using Access
Control Lists (ACL).
</synopsis>
<product type="ebuild">libvirt</product>
<announced>December 04, 2016</announced>
<revised>December 04, 2016: 1</revised>
<bug>568870</bug>
<access>local</access>
<affected>
<package name="app-emulation/libvirt" auto="yes" arch="*">
<unaffected range="ge">1.2.21-r1</unaffected>
<vulnerable range="lt">1.2.21-r1</vulnerable>
</package>
</affected>
<background>
<p>libvirt is a C toolkit for manipulating virtual machines.</p>
</background>
<description>
<p>Normally, only privileged users can coerce libvirt into creating or
opening existing files using the virStorageVol APIs; and such users
already have full privilege to create any domain XML.
</p>
<p>But in the case of fine-grained ACLs, it is feasible that a user can be
granted storage_vol:create but not domain:write, and it violates
assumptions if such a user can abuse libvirt to access files outside of
the storage pool.
</p>
</description>
<impact type="normal">
<p>When fine-grained Access Control Lists (ACL) are in effect, an
authenticated local user with storage_vol:create permission but without
domain:write permission maybe able to create or access arbitrary files
outside of the storage pool.
</p>
</impact>
<workaround>
<p>Dont make use of fine-grained Access Control Lists (ACL) in libvirt;
In Gentoo, libvirts ACL support is disable by default unless you
enable the “policykit” USE flag.
</p>
</workaround>
<resolution>
<p>All libvirt users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-emulation/libvirt-1.2.21-r1"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5313">CVE-2015-5313</uri>
</references>
<metadata tag="requester" timestamp="Thu, 24 Dec 2015 05:15:17 +0000">
BlueKnight
</metadata>
<metadata tag="submitter" timestamp="Sun, 04 Dec 2016 11:17:48 +0000">whissi</metadata>
</glsa>


@ -0,0 +1,80 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201612-11">
<title>Chromium: Multiple vulnerabilities</title>
<synopsis>Multiple vulnerabilities have been found in the Chromium web
browser, the worst of which allows remote attackers to execute arbitrary
code.
</synopsis>
<product type="ebuild">chromium</product>
<announced>December 05, 2016</announced>
<revised>December 05, 2016: 1</revised>
<bug>601486</bug>
<access>remote</access>
<affected>
<package name="www-client/chromium" auto="yes" arch="*">
<unaffected range="ge">55.0.2883.75</unaffected>
<vulnerable range="lt">55.0.2883.75</vulnerable>
</package>
</affected>
<background>
<p>Chromium is an open-source browser project that aims to build a safer,
faster, and more stable way for all users to experience the web.
</p>
</background>
<description>
<p>Multiple vulnerabilities have been discovered in the Chromium web
browser. Please review the CVE identifiers referenced below for details.
</p>
</description>
<impact type="normal">
<p>A remote attacker could possibly execute arbitrary code with the
privileges of the process, cause a Denial of Service condition, obtain
sensitive information, or bypass security restrictions.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All Chromium users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose
"&gt;=www-client/chromium-55.0.2883.75"
</code>
</resolution>
<references>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5203">CVE-2016-5203</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5204">CVE-2016-5204</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5205">CVE-2016-5205</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5206">CVE-2016-5206</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5207">CVE-2016-5207</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5208">CVE-2016-5208</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5209">CVE-2016-5209</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5210">CVE-2016-5210</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5211">CVE-2016-5211</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5212">CVE-2016-5212</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5213">CVE-2016-5213</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5214">CVE-2016-5214</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5215">CVE-2016-5215</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5217">CVE-2016-5217</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5218">CVE-2016-5218</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5219">CVE-2016-5219</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5220">CVE-2016-5220</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5221">CVE-2016-5221</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5222">CVE-2016-5222</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5223">CVE-2016-5223</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5224">CVE-2016-5224</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5225">CVE-2016-5225</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5226">CVE-2016-5226</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9650">CVE-2016-9650</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9651">CVE-2016-9651</uri>
<uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9652">CVE-2016-9652</uri>
</references>
<metadata tag="requester" timestamp="Mon, 10 Aug 2015 14:25:29 +0000">
BlueKnight
</metadata>
<metadata tag="submitter" timestamp="Mon, 05 Dec 2016 00:47:06 +0000">whissi</metadata>
</glsa>
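Review bot: The upgrade command in `<code>` is broken across two lines, with `# emerge --ask --oneshot --verbose` on one line and the quoted atom `"&gt;=www-client/chromium-55.0.2883.75"` on the next. Every other advisory in this commit keeps the command on a single line. Pasted as shown, the first line runs emerge with no package argument and the second is treated as a separate command, so the upgrade named in the advisory does not happen. The command should be one line: `# emerge --ask --oneshot --verbose "&gt;=www-client/chromium-55.0.2883.75"`.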


@ -1 +1 @@
Tue, 22 Nov 2016 19:13:27 +0000 Mon, 05 Dec 2016 01:13:17 +0000