Merge pull request #1453 from flatcar/buildbot/monthly-glsa-metadata-updates-2023-12-01

Monthly GLSA metadata 2023-12-01

Author: dongsupark

sdk_container/src/third_party/portage-stable/metadata/glsa/Manifest

@@ -1,23 +1,23 @@
 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA512
 
-MANIFEST Manifest.files.gz 552633 BLAKE2B f04d03cfce30402b87d7525767633e29394130432fcdd26de705b95ca93788a70abca8abbeee435b946253f2ad9b75f01bf24da1998a529bb89a6bbf1fcfc16e SHA512 6b0fd8a9a899a613a7dbab3dc51f5953cd3a0d18a12e17a4fceca64f11be5c7f83763d742dfada845bf1aec1c1467db31c6df823b9bc683d59fbec9a516d285a
-TIMESTAMP 2023-11-01T06:40:04Z
+MANIFEST Manifest.files.gz 555493 BLAKE2B 9b9c68f6fcd5aa241244f03965d32d2bee2397eebacb0b4742f3b5eff9058f33cdb8d4c1f96505cd2a1acaed4347077a204862e5674effe944e54b05e7466726 SHA512 bf81aa35acfc8893b8a8ffc0d57915c1a8e6b54e9400f0d03f26dd199de30e2601f7a7c1060d2185e26c3276979665ae687fb8e8a1e2b4d537df4a3270e38d43
+TIMESTAMP 2023-12-01T06:40:02Z
 -----BEGIN PGP SIGNATURE-----
 
-iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmVB8sRfFIAAAAAALgAo
+iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmVpf8JfFIAAAAAALgAo
 aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx
 RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY
-klDycxAArpKet3g/jSJskcceOF38byx5QitCsuFUiXggVy/3UtTs2F9QY0awzRyN
-daT6+MHgL/oMPDQKOF+Gdnxeks9iWhEENMsUGyi/C4gKb9BHe9KzMCKpz/5YuKLj
-mOZUsJjChrTMf97N9zuYFLPt+YhHlidKG2Nfa7oqEzUZed3nJK96QCWfHOKDBS8q
-Pa/JAQ1Gca5Lt4vrlVGYreMCWzb0/9QEFex3WpN8K1TVQi4ttwysOI0zNWaUPilr
-o4x1yu2z+Iel3khyazx6FpRFlHrqNBOklmz3vkFleok5r+21qfxy05pwUw5a9rJN
-FxwyFtflborCepZCEN4k9YrYILk3yxhfrTvCl9GPD2mhqLA8KW3Lek4RZPXur1HK
-laMy/d8Ziw/Z9/ksGim+LfVOJ7F0fgUFJxIJJ+eBLGZzz0RzLl64IKEugVxBnoCU
-h2S0XiUUQpGGHlMTkQ5LgcWfbtorgZyQbUX4m/iCo0DGg66+7MADow8yRKRXGNQl
-SN24MstUnhU7O/6plg35TRel9fhozl2vau5dWIpm/A3znHmyC3IT53Ffjo3dSwYW
-tHURmCy7Sz5K1gxB20PsQnt63L+WCya1vhTpF2kCzLivrYjypUXlIbuQXA7AGE7k
-ycBJqVGSz36DuCiEX0ckQbiIHreYqUQLjteVE85Y4XQyX4CSjZs=
-=bBmm
+klAidhAApvskqQHXNDKb23KYww5txqWvEIG7F3zNXzL2khrVh1PxoPhey6mf/bO5
+75lyy0i5D6MZuEUMJW2MEIrcqALpz7mmfPD8v2D/OT053XqP7UuLPBKeeTlQ2w+m
+KpCvgMohqFVQjMVlKbYtCAq1Fx3tvafo03JCTseKlZ2sF8xdxIo0sMJGBs2tSc5J
+vaxjkT2Wo4CSn0XT8G1g1d6iLIs4eIhKsDWy759WyCU/43g1TzGXqDGhIQSXEX0C
+oeJsKK/V1fLPLcP9CnoqRGQ46/L8LdjTDYfb9caKgQ8lCh/hqZce3Lqfyh4KRd2k
+uw51if5KABbRAQ4Qc12l1S8JQH4T0yR/BB70ywb50dIfxmQJQrzpr5ybhv5P66jz
+EJkpNShtvrZvuYxF71KpTYsuJWNnNuJLRUIrywtyj4f1rmxgqdBRDec+ycrjNGOl
+MzCrk3PgEb6lV6qvMicyVYakq6Yl861hVE9kquoh0djsm9velGXnV1l1+jcTLubH
+0pPS4luIVhkGuGzoej7UOwhdpUdeZjqPcPPF63+VeIJVZscAizlGnYP/IE7DNyYQ
+PBSphTSR5s50IRItmnuDdnzitwmGQM5ngWDFO7Y8T4icxN34GlxpV/LmODnweutd
+KNt68X7UTuhNoKV7+ifeunQ3fu7q/VdI5an9REaGKVg/eFoFvtk=
+=S+ig
 -----END PGP SIGNATURE-----

sdk_container/src/third_party/portage-stable/metadata/glsa/Manifest.files.gz

@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202311-01">
+    <title>GitPython: Code Execution via Crafted Input</title>
+    <synopsis>A vulnerability has been discovered in GitPython where crafted input to Repo.clone_from can lead to code execution</synopsis>
+    <product type="ebuild">GitPython</product>
+    <announced>2023-11-01</announced>
+    <revised count="1">2023-11-01</revised>
+    <bug>884623</bug>
+    <access>local</access>
+    <affected>
+        <package name="dev-python/GitPython" auto="yes" arch="*">
+            <unaffected range="ge">3.1.30</unaffected>
+            <vulnerable range="lt">3.1.30</vulnerable>
+        </package>
+    </affected>
+    <background>
+        <p>GitPython is a Python library used to interact with Git repositories.</p>
+    </background>
+    <description>
+        <p>Please review the CVE identifier referenced below for details.</p>
+    </description>
+    <impact type="high">
+        <p>An attacker may be able to trigger Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments.</p>
+    </impact>
+    <workaround>
+        <p>There is no known workaround at this time.</p>
+    </workaround>
+    <resolution>
+        <p>All GitPython users should upgrade to the latest version:</p>
+        
+        <code>
+          # emerge --sync
+          # emerge --ask --oneshot --verbose ">=dev-python/GitPython-3.1.30"
+        </code>
+    </resolution>
+    <references>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-24439">CVE-2022-24439</uri>
+    </references>
+    <metadata tag="requester" timestamp="2023-11-01T12:20:26.255981Z">graaff</metadata>
+    <metadata tag="submitter" timestamp="2023-11-01T12:20:26.259121Z">graaff</metadata>
+</glsa>

sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202311-01.xml

@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202311-02">
+    <title>Netatalk: Multiple Vulnerabilities including root remote code execution</title>
+    <synopsis>Multiple vulnerabilities have been discovered in Netatalk, which could lead to remote code execution</synopsis>
+    <product type="ebuild">netatalk</product>
+    <announced>2023-11-01</announced>
+    <revised count="1">2023-11-01</revised>
+    <bug>837623</bug>
+    <bug>881259</bug>
+    <bug>915354</bug>
+    <access>remote</access>
+    <affected>
+        <package name="net-fs/netatalk" auto="yes" arch="*">
+            <unaffected range="ge">3.1.18</unaffected>
+            <vulnerable range="lt">3.1.18</vulnerable>
+        </package>
+    </affected>
+    <background>
+        <p>Netatalk is a kernel level implementation of the AppleTalk Protocol Suite, which allows Unix hosts to act as file, print, and time servers for Apple computers. It includes several script utilities, including etc2ps.sh.</p>
+    </background>
+    <description>
+        <p>Multiple vulnerabilities have been discovered in Netatalk. Please review the CVE identifiers referenced below for details.</p>
+    </description>
+    <impact type="high">
+        <p>Please review the referenced CVE identifiers for details.</p>
+    </impact>
+    <workaround>
+        <p>There is no known workaround at this time.</p>
+    </workaround>
+    <resolution>
+        <p>All Netatalk users should upgrade to the latest version:</p>
+        
+        <code>
+          # emerge --sync
+          # emerge --ask --oneshot --verbose ">=net-fs/netatalk-3.1.18"
+        </code>
+    </resolution>
+    <references>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-31439">CVE-2021-31439</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-0194">CVE-2022-0194</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-22995">CVE-2022-22995</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-23121">CVE-2022-23121</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-23122">CVE-2022-23122</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-23123">CVE-2022-23123</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-23124">CVE-2022-23124</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-23125">CVE-2022-23125</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45188">CVE-2022-45188</uri>
+    </references>
+    <metadata tag="requester" timestamp="2023-11-01T14:46:24.671379Z">graaff</metadata>
+    <metadata tag="submitter" timestamp="2023-11-01T14:46:24.673441Z">graaff</metadata>
+</glsa>

sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202311-02.xml

@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202311-03">
+    <title>SQLite: Multiple Vulnerabilities</title>
+    <synopsis>Multiple vulnerabilities have been discovered in SQLite, the worst of which may lead to code execution.</synopsis>
+    <product type="ebuild">sqlite</product>
+    <announced>2023-11-24</announced>
+    <revised count="1">2023-11-24</revised>
+    <bug>886029</bug>
+    <bug>906114</bug>
+    <access>local and remote</access>
+    <affected>
+        <package name="dev-db/sqlite" auto="yes" arch="*">
+            <unaffected range="ge">3.42.0</unaffected>
+            <vulnerable range="lt">3.42.0</vulnerable>
+        </package>
+    </affected>
+    <background>
+        <p>SQLite is a C library that implements an SQL database engine.</p>
+    </background>
+    <description>
+        <p>Multiple vulnerabilities have been discovered in SQLite. Please review the CVE identifiers referenced below for details.</p>
+    </description>
+    <impact type="high">
+        <p>Please review the referenced CVE identifiers for details.</p>
+    </impact>
+    <workaround>
+        <p>There is no known workaround at this time.</p>
+    </workaround>
+    <resolution>
+        <p>All SQLite users should upgrade to the latest version:</p>
+        
+        <code>
+          # emerge --sync
+          # emerge --ask --oneshot --verbose ">=dev-db/sqlite-3.42.0"
+        </code>
+    </resolution>
+    <references>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-31239">CVE-2021-31239</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-46908">CVE-2022-46908</uri>
+    </references>
+    <metadata tag="requester" timestamp="2023-11-24T12:29:15.707023Z">graaff</metadata>
+    <metadata tag="submitter" timestamp="2023-11-24T12:29:15.709025Z">graaff</metadata>
+</glsa>

sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202311-03.xml

@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202311-04">
+    <title>Zeppelin: Multiple Vulnerabilities</title>
+    <synopsis>Multiple vulnerabilities have been discovered in Zeppelin, the worst of which could lead to remote code execution.</synopsis>
+    <product type="ebuild">zeppelin-bin</product>
+    <announced>2023-11-24</announced>
+    <revised count="1">2023-11-24</revised>
+    <bug>811447</bug>
+    <access>remote</access>
+    <affected>
+        <package name="www-apps/zeppelin-bin" auto="yes" arch="*">
+            <unaffected range="ge">0.10.1</unaffected>
+            <vulnerable range="lt">0.10.1</vulnerable>
+        </package>
+    </affected>
+    <background>
+        <p>Apache Zeppelin is a web-based notebook that enables data-driven, interactive data analytics and collaborative documents with SQL, Scala, Python, R and more.</p>
+    </background>
+    <description>
+        <p>Multiple vulnerabilities have been discovered in Zeppelin. Please review the CVE identifiers referenced below for details.</p>
+    </description>
+    <impact type="high">
+        <p>Please review the referenced CVE identifiers for details.</p>
+    </impact>
+    <workaround>
+        <p>There is no known workaround at this time.</p>
+    </workaround>
+    <resolution>
+        <p>All Zeppelin users should upgrade to the latest version:</p>
+        
+        <code>
+          # emerge --sync
+          # emerge --ask --oneshot --verbose ">=www-apps/zeppelin-bin-0.10.1"
+        </code>
+    </resolution>
+    <references>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2019-10095">CVE-2019-10095</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-13929">CVE-2020-13929</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-27578">CVE-2021-27578</uri>
+    </references>
+    <metadata tag="requester" timestamp="2023-11-24T13:19:41.936818Z">graaff</metadata>
+    <metadata tag="submitter" timestamp="2023-11-24T13:19:41.939030Z">graaff</metadata>
+</glsa>

sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202311-04.xml

@@ -0,0 +1,45 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202311-05">
+    <title>LinuxCIFS utils: Multiple Vulnerabilities</title>
+    <synopsis>Multiple vulnerabilities have been discovered in LinuxCIFS utils, the worst of which can lead to local root privilege escalation.</synopsis>
+    <product type="ebuild">cifs-utils</product>
+    <announced>2023-11-24</announced>
+    <revised count="1">2023-11-24</revised>
+    <bug>842234</bug>
+    <access>local</access>
+    <affected>
+        <package name="net-fs/cifs-utils" auto="yes" arch="*">
+            <unaffected range="ge">6.15</unaffected>
+            <vulnerable range="lt">6.15</vulnerable>
+        </package>
+    </affected>
+    <background>
+        <p>The LinuxCIFS utils are a collection of tools for managing Linux CIFS Client Filesystems.</p>
+    </background>
+    <description>
+        <p>Multiple vulnerabilities have been discovered in LinuxCIFS utils. Please review the CVE identifiers referenced below for details.</p>
+    </description>
+    <impact type="high">
+        <p>A stack-based buffer overflow when parsing the mount.cifs ip= command-line argument could lead to local attackers gaining root privileges.
+
+When verbose logging is enabled, invalid credentials file lines may be dumped to stderr. This may lead to information disclosure in particular conditions when the credentials file given is sensitive and contains &#39;=&#39; signs.</p>
+    </impact>
+    <workaround>
+        <p>There is no known workaround at this time.</p>
+    </workaround>
+    <resolution>
+        <p>All LinuxCIFS utils users should upgrade to the latest version:</p>
+        
+        <code>
+          # emerge --sync
+          # emerge --ask --oneshot --verbose ">=net-fs/cifs-utils-6.15"
+        </code>
+    </resolution>
+    <references>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-27239">CVE-2022-27239</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-29869">CVE-2022-29869</uri>
+    </references>
+    <metadata tag="requester" timestamp="2023-11-24T14:19:44.552258Z">graaff</metadata>
+    <metadata tag="submitter" timestamp="2023-11-24T14:19:44.554584Z">graaff</metadata>
+</glsa>

sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202311-05.xml

@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202311-06">
+    <title>multipath-tools: Multiple Vulnerabilities</title>
+    <synopsis>Multiple vulnerabilities have been discovered in multipath-tools, the worst of which can lead to root privilege escalation.</synopsis>
+    <product type="ebuild">multipath-tools</product>
+    <announced>2023-11-25</announced>
+    <revised count="1">2023-11-25</revised>
+    <bug>878763</bug>
+    <access>local</access>
+    <affected>
+        <package name="sys-fs/multipath-tools" auto="yes" arch="*">
+            <unaffected range="ge">0.9.3</unaffected>
+            <vulnerable range="lt">0.9.3</vulnerable>
+        </package>
+    </affected>
+    <background>
+        <p>multipath-tools are used to drive the Device Mapper multipathing driver.</p>
+    </background>
+    <description>
+        <p>Multiple vulnerabilities have been discovered in multipath-tools. Please review the CVE identifiers referenced below for details.</p>
+    </description>
+    <impact type="high">
+        <p>Please review the referenced CVE identifiers for details.</p>
+    </impact>
+    <workaround>
+        <p>There is no known workaround at this time.</p>
+    </workaround>
+    <resolution>
+        <p>All multipath-tools users should upgrade to the latest version:</p>
+        
+        <code>
+          # emerge --sync
+          # emerge --ask --oneshot --verbose ">=sys-fs/multipath-tools-0.9.3"
+        </code>
+    </resolution>
+    <references>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-41973">CVE-2022-41973</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-41974">CVE-2022-41974</uri>
+    </references>
+    <metadata tag="requester" timestamp="2023-11-25T08:13:29.146678Z">graaff</metadata>
+    <metadata tag="submitter" timestamp="2023-11-25T08:13:29.148791Z">graaff</metadata>
+</glsa>

sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202311-06.xml

@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202311-07">
+    <title>AIDE: Root Privilege Escalation</title>
+    <synopsis>A vulnerability has been found in AIDE which can lead to root privilege escalation.</synopsis>
+    <product type="ebuild">aide</product>
+    <announced>2023-11-25</announced>
+    <revised count="1">2023-11-25</revised>
+    <bug>831658</bug>
+    <access>remote</access>
+    <affected>
+        <package name="app-forensics/aide" auto="yes" arch="*">
+            <unaffected range="ge">0.17.4</unaffected>
+            <vulnerable range="lt">0.17.4</vulnerable>
+        </package>
+    </affected>
+    <background>
+        <p>AIDE (Advanced Intrusion Detection Environment) is a file and directory integrity checker.
+
+It creates a database from the regular expression rules that it finds from the config file(s). Once this database is initialized it can be used to verify the integrity of the files. It has several message digest algorithms (see below) that are used to check the integrity of the file. All of the usual file attributes can also be checked for inconsistencies.</p>
+    </background>
+    <description>
+        <p>A vulnerability has been discovered in AIDE. Please review the CVE identifier referenced below for details.</p>
+    </description>
+    <impact type="high">
+        <p>AIDE before 0.17.4 allows local users to obtain root privileges via crafted file metadata (such as XFS extended attributes or tmpfs ACLs), because of a heap-based buffer overflow.</p>
+    </impact>
+    <workaround>
+        <p>There is no known workaround at this time.</p>
+    </workaround>
+    <resolution>
+        <p>All AIDE users should upgrade to the latest version:</p>
+        
+        <code>
+          # emerge --sync
+          # emerge --ask --oneshot --verbose ">=app-forensics/aide-0.17.4"
+        </code>
+    </resolution>
+    <references>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-45417">CVE-2021-45417</uri>
+    </references>
+    <metadata tag="requester" timestamp="2023-11-25T08:24:47.076936Z">graaff</metadata>
+    <metadata tag="submitter" timestamp="2023-11-25T08:24:47.079410Z">graaff</metadata>
+</glsa>