Merge pull request #1814 from flatcar/buildbot/monthly-glsa-metadata-updates-2024-04-01

Monthly GLSA metadata 2024-04-01

Author: dongsupark

sdk_container/src/third_party/portage-stable/metadata/glsa/Manifest

@@ -1,23 +1,23 @@
 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA512
 
-MANIFEST Manifest.files.gz 563604 BLAKE2B d497f4e02c0349649ea1fd84297af45ff253c185da14e6dba30f010f40d1ab86fdeb750087d23d7e892d4b2a6c45bb36baacd75348d2a50c0dc3c70213c1836e SHA512 c8b2f6bb87969de216a6075f22dc589f34d03bc0cd503b9bbedb9672f2aa19209f4d1236cd3f9aaf54428705e66f266c37a1f0bdb30c6fdae78df87761e4d8da
-TIMESTAMP 2024-02-01T06:41:25Z
+MANIFEST Manifest.files.gz 569494 BLAKE2B 475196fd0ff28d6023f45e6c22284bded2028bbe891778e3828fb75c3727438168bcd5ab63fe48683bb5874710c096e12470eee93163ae90c07d1f9d79810710 SHA512 94822c7f83b3b68b28e1885c442c2d9b5794eb5f861b8a0862162601a2c2b03cdc2bb6144d8b4a1d61befedf2ff1952e540c518e34c7f15ff5af14b7dc567fcb
+TIMESTAMP 2024-04-01T06:40:39Z
 -----BEGIN PGP SIGNATURE-----
 
-iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmW7PRVfFIAAAAAALgAo
+iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmYKVudfFIAAAAAALgAo
 aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx
 RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY
-klB4QRAAmmnYvk0FaooM922vBqTuhwuoLVbDtysDcvBsJHLxoL+AQlp+0romn4tJ
-rHDAcIPSjxMPzei60/FKb8/lWyAwDtRJJ6W0NLOBe5K0SRUKTLKQz4OZ3aHFNl2t
-Yp18kfnUgMyZ7l3v2CrKEE3oC+hWpULJ9GF+uuvpSHUXDOqIkbm6vhWQWRzDwCrA
-0RacuWPedLm34CiqwiZSEsnzOzvBb8A7tbmKtSyqhBTKyam7wy0/Tn99Wp5tnDGu
-Vtp7rgT1wMmGFOEYt2I+QM1fWGxf/GN3CNPNrNRQoQHcs9BadB8hn+auklc8zOc2
-RxEgAaESWhDLSsHkI1xp4osi9OTBqME1wUcjHPQr8d9JAdzsg5L8wW7rJE8YflM6
-uUrchSczds2gc34nG/ZYBC88EpvnU6U2AqZZ22LwOCi5qWo3GQZOc4jZqIuumogi
-faLkvuNCX2JKYKZdQQ4Byz9WMN+4X5dWLnQfJT9nHc0F/rTsV4ZcpDUApBCiqCD0
-lHY6ZPKcVL7d8cqQ2h6SjRkO0FrytUbBZm97g861/jX/evt1wY8Jx1e+FAxQksq+
-uPTXpriBil+N5YWzpHbuOZYjAQ7fv7fx50HM3RVNz2wwa7OUxhIFaE7/vBNbPL1F
-axrmSl59VEi9APSEmapOVVZR5tloRvDacB0elAhfpbqCb2BCO9E=
-=EZVX
+klBWrg//cxk8dWFEYLuuzfXLVmmEZmb3IPhBpMDKhQkoNbb4yGkCNuZUP42QdZzt
+f9qKIN4MD71/C9n5pt3UQBYH2fw2BBPDi2mpIVAdSQxydQCOimOF1BVTGDBBvNXd
+W64uDqqLnLAUVikdexeTCfHFvoOrqI8xALviM7U+EaXq+9a5s0CjvCFvYWkCKR0B
+ytl9J6eD0u7MWWQoNa5wrolHgRidVFtKfIbiOwAOmkWeXrcZ5s5h5eJg+UF9+UxS
+i7+sh9NZ4OAoTXszcf9x4L4RGkqWbTHpG6MBqhATI8N6jVsxXtJv3TlvS/OKi9Yn
+Dj+GUuok7WdbFGARfAASDGwolspDCacYXj618kioIySnaQrKuUTwFWPveAkfNLWc
+k79bwmBbmc6ILRhaYCpuN4hAC14gkL6xxrwGfuY7VxtjRockWTSUTLm9ACnjI7SY
+7r4dVvgQQqqu7F5+mpN8gV9yfu7hXvhAaZU8ptzJV6stjEpK/MW0h1BDimMArowI
+sGVSPMVkp80BNSHIPwiVM4sQTK1tDsdx9AjHz9hn/UV4uHSobiYvKE5/TUzhJoUO
+ERD9VRcyvpat+jNkmQD8a3ZBSbnK8rRee3sC5LhbOh/YeeZwCCBo3ai6LoeFkH4W
+c7yTtKfDg7Vb7tODZRG4DdVIHMxDUIT7v8Qi65Rntj6IxFlnMhQ=
+=BHZC
 -----END PGP SIGNATURE-----

sdk_container/src/third_party/portage-stable/metadata/glsa/Manifest.files.gz

@@ -5,16 +5,16 @@
     <synopsis>Multiple vulnerabilities have been discovered in the GNU C Library, the worst of which could result in denial of service.</synopsis>
     <product type="ebuild">glibc</product>
     <announced>2022-08-14</announced>
-    <revised count="1">2022-08-14</revised>
+    <revised count="2">2024-02-18</revised>
     <bug>803437</bug>
     <bug>807935</bug>
     <bug>831096</bug>
     <bug>831212</bug>
     <access>remote</access>
     <affected>
         <package name="sys-libs/glibc" auto="yes" arch="*">
-            <unaffected range="ge">2.34</unaffected>
-            <vulnerable range="lt">2.34</vulnerable>
+            <unaffected range="ge">2.34-r7</unaffected>
+            <vulnerable range="lt">2.34-r7</vulnerable>
         </package>
     </affected>
     <background>
@@ -47,4 +47,4 @@
     </references>
     <metadata tag="requester" timestamp="2022-08-14T14:29:01.578271Z">ajak</metadata>
     <metadata tag="submitter" timestamp="2022-08-14T14:29:01.583276Z">sam</metadata>
-</glsa>
+</glsa>

sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202208-24.xml

@@ -5,7 +5,7 @@
     <synopsis>Multiple vulnerabilities have been discovered in systemd, the worst of which could result in denial of service.</synopsis>
     <product type="ebuild">systemd,systemd-tmpfiles,systemd-utils,udev</product>
     <announced>2023-05-03</announced>
-    <revised count="1">2023-05-03</revised>
+    <revised count="2">2024-02-11</revised>
     <bug>880547</bug>
     <bug>830967</bug>
     <access>remote</access>
@@ -15,14 +15,14 @@
             <vulnerable range="lt">251.3</vulnerable>
         </package>
         <package name="sys-apps/systemd-tmpfiles" auto="yes" arch="*">
-            <vulnerable range="lt">250</vulnerable>
+            <vulnerable range="le">250</vulnerable>
         </package>
         <package name="sys-apps/systemd-utils" auto="yes" arch="*">
             <unaffected range="ge">251.3</unaffected>
             <vulnerable range="lt">251.3</vulnerable>
         </package>
         <package name="sys-fs/udev" auto="yes" arch="*">
-            <vulnerable range="lt">250</vulnerable>
+            <vulnerable range="le">250</vulnerable>
         </package>
     </affected>
     <background>

sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202305-15.xml

@@ -8,6 +8,7 @@
     <revised count="1">2024-01-31</revised>
     <bug>915222</bug>
     <bug>918667</bug>
+    <bug>920667</bug>
     <access>remote</access>
     <affected>
         <package name="net-libs/webkit-gtk" auto="yes" arch="*">
@@ -54,4 +55,4 @@
     </references>
     <metadata tag="requester" timestamp="2024-01-31T14:29:39.449978Z">graaff</metadata>
     <metadata tag="submitter" timestamp="2024-01-31T14:29:39.452391Z">graaff</metadata>
-</glsa>
+</glsa>

sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202401-33.xml

@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202402-01">
+    <title>glibc: Multiple Vulnerabilities</title>
+    <synopsis>Multiple vulnerabilities in glibc could result in Local Privilege Escalation.</synopsis>
+    <product type="ebuild">glibc</product>
+    <announced>2024-02-02</announced>
+    <revised count="1">2024-02-02</revised>
+    <bug>918412</bug>
+    <bug>923352</bug>
+    <access>local and remote</access>
+    <affected>
+        <package name="sys-libs/glibc" auto="yes" arch="*">
+            <unaffected range="ge">2.38-r10</unaffected>
+            <vulnerable range="lt">2.38-r10</vulnerable>
+        </package>
+    </affected>
+    <background>
+        <p>glibc is a package that contains the GNU C library.</p>
+    </background>
+    <description>
+        <p>Multiple vulnerabilities have been discovered in glibc. Please review the CVE identifiers referenced below for details.</p>
+    </description>
+    <impact type="high">
+        <p>Please review the referenced CVE identifiers for details.</p>
+    </impact>
+    <workaround>
+        <p>There is no known workaround at this time.</p>
+    </workaround>
+    <resolution>
+        <p>All glibc users should upgrade to the latest version:</p>
+        
+        <code>
+          # emerge --sync
+          # emerge --ask --oneshot --verbose ">=sys-libs/glibc-2.38-r10"
+        </code>
+    </resolution>
+    <references>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5156">CVE-2023-5156</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6246">CVE-2023-6246</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6779">CVE-2023-6779</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6780">CVE-2023-6780</uri>
+        <uri>GLIBC-SA-2024-0001</uri>
+        <uri>GLIBC-SA-2024-0002</uri>
+        <uri>GLIBC-SA-2024-0003</uri>
+    </references>
+    <metadata tag="requester" timestamp="2024-02-02T03:02:44.468870Z">sam</metadata>
+    <metadata tag="submitter" timestamp="2024-02-02T03:02:44.472185Z">sam</metadata>
+</glsa>

sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202402-01.xml

@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202402-02">
+    <title>SDDM: Privilege Escalation</title>
+    <synopsis>A vulnerability has been discovered in SDDM which can lead to privilege escalation.</synopsis>
+    <product type="ebuild">sddm</product>
+    <announced>2024-02-03</announced>
+    <revised count="1">2024-02-03</revised>
+    <bug>753104</bug>
+    <access>local</access>
+    <affected>
+        <package name="x11-misc/sddm" auto="yes" arch="*">
+            <unaffected range="ge">0.18.1-r6</unaffected>
+            <vulnerable range="lt">0.18.1-r6</vulnerable>
+        </package>
+    </affected>
+    <background>
+        <p>SDDM is a modern display manager for X11 and Wayland sessions aiming to be fast, simple and beautiful. It uses modern technologies like QtQuick, which in turn gives the designer the ability to create smooth, animated user interfaces.</p>
+    </background>
+    <description>
+        <p>A vulnerability has been discovered in SDDM. Please review the CVE identifier referenced below for details.</p>
+    </description>
+    <impact type="normal">
+        <p>SDDM passes the -auth and -displayfd command line arguments when
+starting the Xserver. It then waits for the display number to be
+received from the Xserver via the `displayfd`, before the Xauthority
+file specified via the `-auth` parameter is actually written. This
+results in a race condition, creating a time window in which no valid
+Xauthority file is existing while the Xserver is already running.
+
+The X.Org server, when encountering a non-existing, empty or
+corrupt/incomplete Xauthority file, will grant any connecting client
+access to the Xorg display. A local unprivileged attacker can thus
+create an unauthorized connection to the Xserver and grab e.g. keyboard
+input events from other legitimate users accessing the Xserver.</p>
+    </impact>
+    <workaround>
+        <p>There is no known workaround at this time.</p>
+    </workaround>
+    <resolution>
+        <p>All SDDM users should upgrade to the latest version:</p>
+        
+        <code>
+          # emerge --sync
+          # emerge --ask --oneshot --verbose ">=x11-misc/sddm-0.18.1-r6"
+        </code>
+    </resolution>
+    <references>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-28049">CVE-2020-28049</uri>
+    </references>
+    <metadata tag="requester" timestamp="2024-02-03T06:18:59.426090Z">graaff</metadata>
+    <metadata tag="submitter" timestamp="2024-02-03T06:18:59.429353Z">ajak</metadata>
+</glsa>

sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202402-02.xml

@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202402-03">
+    <title>QtGui: Multiple Vulnerabilities</title>
+    <synopsis>Multiple vulnerabilities have been discovered in QtGui which can lead to remote code execution.</synopsis>
+    <product type="ebuild">qtgui</product>
+    <announced>2024-02-03</announced>
+    <revised count="1">2024-02-03</revised>
+    <bug>808531</bug>
+    <bug>907119</bug>
+    <access>remote</access>
+    <affected>
+        <package name="dev-qt/qtgui" auto="yes" arch="*">
+            <unaffected range="ge">5.15.9-r1</unaffected>
+            <vulnerable range="lt">5.15.9-r1</vulnerable>
+        </package>
+    </affected>
+    <background>
+        <p>QtGui is a module for the Qt toolkit.</p>
+    </background>
+    <description>
+        <p>Multiple vulnerabilities have been discovered in QtGui. Please review the CVE identifiers referenced below for details.</p>
+    </description>
+    <impact type="normal">
+        <p>Please review the referenced CVE identifiers for details.</p>
+    </impact>
+    <workaround>
+        <p>There is no known workaround at this time.</p>
+    </workaround>
+    <resolution>
+        <p>All QtGui users should upgrade to the latest version:</p>
+        
+        <code>
+          # emerge --sync
+          # emerge --ask --oneshot --verbose ">=dev-qt/qtgui-5.15.9-r1"
+        </code>
+    </resolution>
+    <references>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-38593">CVE-2021-38593</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-32763">CVE-2023-32763</uri>
+    </references>
+    <metadata tag="requester" timestamp="2024-02-03T06:19:26.894264Z">graaff</metadata>
+    <metadata tag="submitter" timestamp="2024-02-03T06:19:26.896389Z">ajak</metadata>
+</glsa>

sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202402-03.xml

@@ -0,0 +1,40 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202402-04">
+    <title>GNAT Ada Suite: Remote Code Execution</title>
+    <synopsis>A vulnerability has been discovered in GNAT Ada Suite which can lead to remote code execution.</synopsis>
+    <product type="ebuild">gnat-suite-bin</product>
+    <announced>2024-02-03</announced>
+    <revised count="2">2024-02-11</revised>
+    <bug>787440</bug>
+    <access>remote</access>
+    <affected>
+        <package name="dev-ada/gnat-suite-bin" auto="yes" arch="*">
+            <vulnerable range="le">2019-r2</vulnerable>
+        </package>
+    </affected>
+    <background>
+        <p>The GNAT Ada Suite is an Ada development environment.</p>
+    </background>
+    <description>
+        <p>A vulnerability has been discovered in GNAT Ada Suite. Please review the CVE identifier referenced below for details.</p>
+    </description>
+    <impact type="high">
+        <p>Please review the referenced CVE identifiers for details.</p>
+    </impact>
+    <workaround>
+        <p>There is no known workaround at this time.</p>
+    </workaround>
+    <resolution>
+        <p>Gentoo has discontinued support for GNAT Ada Suite. We recommend that users unmerge it:</p>
+        
+        <code>
+          # emerge --ask --depclean "dev-ada/gnat-suite-bin"
+        </code>
+    </resolution>
+    <references>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2020-27619">CVE-2020-27619</uri>
+    </references>
+    <metadata tag="requester" timestamp="2024-02-03T06:20:11.020220Z">graaff</metadata>
+    <metadata tag="submitter" timestamp="2024-02-03T06:20:11.022709Z">ajak</metadata>
+</glsa>

sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202402-04.xml

@@ -0,0 +1,60 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202402-05">
+    <title>Microsoft Edge: Multiple Vulnerabilities</title>
+    <synopsis>Multiple vulnerabilities have been discovered in Microsoft Edge, the worst of which could lead to remote code execution.</synopsis>
+    <product type="ebuild">microsoft-edge</product>
+    <announced>2024-02-03</announced>
+    <revised count="1">2024-02-03</revised>
+    <bug>907817</bug>
+    <bug>908518</bug>
+    <bug>918586</bug>
+    <bug>919495</bug>
+    <access>remote</access>
+    <affected>
+        <package name="www-client/microsoft-edge" auto="yes" arch="*">
+            <unaffected range="ge">120.0.2210.61</unaffected>
+            <vulnerable range="lt">120.0.2210.61</vulnerable>
+        </package>
+    </affected>
+    <background>
+        <p>Microsoft Edge is a browser that combines a minimal design with sophisticated technology to make the web faster, safer, and easier.</p>
+    </background>
+    <description>
+        <p>Multiple vulnerabilities have been discovered in Microsoft Edge. Please review the CVE identifiers referenced below for details.</p>
+    </description>
+    <impact type="high">
+        <p>Please review the referenced CVE identifiers for details.</p>
+    </impact>
+    <workaround>
+        <p>There is no known workaround at this time.</p>
+    </workaround>
+    <resolution>
+        <p>All Microsoft Edge users should upgrade to the latest version:</p>
+        
+        <code>
+          # emerge --sync
+          # emerge --ask --oneshot --verbose ">=www-client/microsoft-edge-120.0.2210.61"
+        </code>
+    </resolution>
+    <references>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-29345">CVE-2023-29345</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-33143">CVE-2023-33143</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-33145">CVE-2023-33145</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-35618">CVE-2023-35618</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-36022">CVE-2023-36022</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-36029">CVE-2023-36029</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-36034">CVE-2023-36034</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-36409">CVE-2023-36409</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-36559">CVE-2023-36559</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-36562">CVE-2023-36562</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-36727">CVE-2023-36727</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-36735">CVE-2023-36735</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-36741">CVE-2023-36741</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-36787">CVE-2023-36787</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-36880">CVE-2023-36880</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-38174">CVE-2023-38174</uri>
+    </references>
+    <metadata tag="requester" timestamp="2024-02-03T08:00:41.979777Z">graaff</metadata>
+    <metadata tag="submitter" timestamp="2024-02-03T08:00:41.982534Z">graaff</metadata>
+</glsa>