
Commit b016fc0

authored
Merge pull request #1319 from flatcar/buildbot/monthly-glsa-metadata-updates-2023-11-01
Monthly GLSA metadata 2023-11-01
2 parents 87d198d + 570c055 commit b016fc0

27 files changed

+1184
-17
lines changed
Lines changed: 15 additions & 15 deletions
@@ -1,23 +1,23 @@
11
-----BEGIN PGP SIGNED MESSAGE-----
22
Hash: SHA512
33

4-
MANIFEST Manifest.files.gz 548981 BLAKE2B 81700173ea02c0d006e3065367bd4b6801ae8e0cad7f0b23c4d86a41c1b860a4cbdeb3051fb86eb2d3f114b8ba0353d6e09e279718eed8ed2607a21c4e7ec67d SHA512 a987e0e64b2dbf1006cecbff251dc3524b4d244d2e54417a697139ac9ee5a97d21aefdfb0fb940e1890076d7fa18c793f4f7a60db6960004ade2253826320f19
5-
TIMESTAMP 2023-10-01T06:40:07Z
4+
MANIFEST Manifest.files.gz 552633 BLAKE2B f04d03cfce30402b87d7525767633e29394130432fcdd26de705b95ca93788a70abca8abbeee435b946253f2ad9b75f01bf24da1998a529bb89a6bbf1fcfc16e SHA512 6b0fd8a9a899a613a7dbab3dc51f5953cd3a0d18a12e17a4fceca64f11be5c7f83763d742dfada845bf1aec1c1467db31c6df823b9bc683d59fbec9a516d285a
5+
TIMESTAMP 2023-11-01T06:40:04Z
66
-----BEGIN PGP SIGNATURE-----
77

8-
iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmUZFEdfFIAAAAAALgAo
8+
iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmVB8sRfFIAAAAAALgAo
99
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx
1010
RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY
11-
klAXgg/9GGU9Zsh5GEuYoepVc11NhqztXU2fyrn8g4OkbIUFdOq45C/NDOzzmYkS
12-
vve4BAhQZkGn6ixII2dbDqQHmvE4x4NFyobSXLRIYFFAbbQBSRUmib3HbDkxoMhb
13-
nTbnNXX5kOq1m6nb3ydnjOKxfgew50dQYT0Yp+Uh9rRtU7sP74KYkseV9p5z+fp1
14-
+PKY7Nn0G9qANHMgf1YrxC1cgt4WWXXnXJI7YvjcQ/XZJTrAX2oEEGYee8GsLnAn
15-
uGchKTPCbgBG1Dm9vM3jTctUpXKQ1s3B+T0ynciPHzb8IC0M0BvLdCVA1ZM99rCY
16-
CcCJFkITrSBuUrJl3NJUzlYe1XQUH29c0kQe+mR0F4gDjav7gZBE1mKb9lqw/r2A
17-
vLnm4/kF7IYdxVSFgO2B8GvpPvFQW0hiEAkz+GDRnqYeinVmPTRkBR4VqQfQql1T
18-
rBuhQV9wQ/y/NIZq41X/rljjTdTpvtzB5ZSAxg9fOMmgo3WH6wb/k/6fgEK/WSGf
19-
aTH44QoasTboF9kMrgfR+dB/aaTGAuFWC8Ulkjkxh4wE+HsLats2stAYsAnJfXL9
20-
jiW3dO8vdIvXYeI0Smmuxv6hHIz1ZJn8jvQv+iv+yonIbZEDQsgIBxxFPW5NrhiJ
21-
a1oJARWuMGvHTeYaqAkfPbS7/ew6b5jLWN3174qxqX6HCsnIyF8=
22-
=otvP
11+
klDycxAArpKet3g/jSJskcceOF38byx5QitCsuFUiXggVy/3UtTs2F9QY0awzRyN
12+
daT6+MHgL/oMPDQKOF+Gdnxeks9iWhEENMsUGyi/C4gKb9BHe9KzMCKpz/5YuKLj
13+
mOZUsJjChrTMf97N9zuYFLPt+YhHlidKG2Nfa7oqEzUZed3nJK96QCWfHOKDBS8q
14+
Pa/JAQ1Gca5Lt4vrlVGYreMCWzb0/9QEFex3WpN8K1TVQi4ttwysOI0zNWaUPilr
15+
o4x1yu2z+Iel3khyazx6FpRFlHrqNBOklmz3vkFleok5r+21qfxy05pwUw5a9rJN
16+
FxwyFtflborCepZCEN4k9YrYILk3yxhfrTvCl9GPD2mhqLA8KW3Lek4RZPXur1HK
17+
laMy/d8Ziw/Z9/ksGim+LfVOJ7F0fgUFJxIJJ+eBLGZzz0RzLl64IKEugVxBnoCU
18+
h2S0XiUUQpGGHlMTkQ5LgcWfbtorgZyQbUX4m/iCo0DGg66+7MADow8yRKRXGNQl
19+
SN24MstUnhU7O/6plg35TRel9fhozl2vau5dWIpm/A3znHmyC3IT53Ffjo3dSwYW
20+
tHURmCy7Sz5K1gxB20PsQnt63L+WCya1vhTpF2kCzLivrYjypUXlIbuQXA7AGE7k
21+
ycBJqVGSz36DuCiEX0ckQbiIHreYqUQLjteVE85Y4XQyX4CSjZs=
22+
=bBmm
2323
-----END PGP SIGNATURE-----
Binary file not shown.
Lines changed: 52 additions & 0 deletions
@@ -0,0 +1,52 @@
1+
<?xml version="1.0" encoding="UTF-8"?>
2+
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
3+
<glsa id="202310-01">
4+
<title>ClamAV: Multiple Vulnerabilities</title>
5+
<synopsis>Multiple vulnerabilities have been discovered in ClamAV, the worst of which could result in remote code execution.</synopsis>
6+
<product type="ebuild">clamav</product>
7+
<announced>2023-10-01</announced>
8+
<revised count="1">2023-10-01</revised>
9+
<bug>831083</bug>
10+
<bug>842813</bug>
11+
<bug>894672</bug>
12+
<access>remote</access>
13+
<affected>
14+
<package name="app-antivirus/clamav" auto="yes" arch="*">
15+
<unaffected range="ge">0.103.7</unaffected>
16+
<vulnerable range="lt">0.103.7</vulnerable>
17+
</package>
18+
</affected>
19+
<background>
20+
<p>ClamAV is a GPL virus scanner.</p>
21+
</background>
22+
<description>
23+
<p>Multiple vulnerabilities have been discovered in ClamAV. Please review the CVE identifiers referenced below for details.</p>
24+
</description>
25+
<impact type="normal">
26+
<p>Please review the referenced CVE identifiers for details.</p>
27+
</impact>
28+
<workaround>
29+
<p>There is no known workaround at this time.</p>
30+
</workaround>
31+
<resolution>
32+
<p>All ClamAV users should upgrade to the latest version:</p>
33+
34+
<code>
35+
# emerge --sync
36+
# emerge --ask --oneshot --verbose ">=app-antivirus/clamav-0.103.7"
37+
</code>
38+
</resolution>
39+
<references>
40+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-20698">CVE-2022-20698</uri>
41+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-20770">CVE-2022-20770</uri>
42+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-20771">CVE-2022-20771</uri>
43+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-20785">CVE-2022-20785</uri>
44+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-20792">CVE-2022-20792</uri>
45+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-20796">CVE-2022-20796</uri>
46+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-20803">CVE-2022-20803</uri>
47+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-20032">CVE-2023-20032</uri>
48+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-20052">CVE-2023-20052</uri>
49+
</references>
50+
<metadata tag="requester" timestamp="2023-10-01T08:37:37.977976Z">ajak</metadata>
51+
<metadata tag="submitter" timestamp="2023-10-01T08:37:37.980167Z">graaff</metadata>
52+
</glsa>
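Review bot: The `<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">` declaration on new line 2 references an external DTD over plain HTTP, and the same line opens the four other advisories added in this commit (202310-02 to 202310-05). Whatever tooling parses these files should run with external DTD and entity loading disabled, so that reading advisory metadata never triggers a network fetch or lets a tampered DTD influence parsing; if validation is wanted, use a locally pinned copy of the DTD. Separately, `<unaffected range="ge">0.103.7</unaffected>` on new line 15 sits next to two CVE-2023 references. It is worth confirming against the upstream release notes that 0.103.7 actually contains those fixes, because a floor that is too low makes advisory checks report a host as patched when it is not.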
Lines changed: 131 additions & 0 deletions
@@ -0,0 +1,131 @@
1+
<?xml version="1.0" encoding="UTF-8"?>
2+
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
3+
<glsa id="202310-02">
4+
<title>NVIDIA Drivers: Multiple Vulnerabilities</title>
5+
<synopsis>Multiple vulnerabilities have been discovered in NVIDIA Drivers, the worst of which could result in root privilege escalation.</synopsis>
6+
<product type="ebuild">nvidia-drivers</product>
7+
<announced>2023-10-03</announced>
8+
<revised count="1">2023-10-03</revised>
9+
<bug>764512</bug>
10+
<bug>784596</bug>
11+
<bug>803389</bug>
12+
<bug>832867</bug>
13+
<bug>845063</bug>
14+
<bug>866527</bug>
15+
<bug>881341</bug>
16+
<bug>884045</bug>
17+
<bug>903614</bug>
18+
<access>remote</access>
19+
<affected>
20+
<package name="x11-drivers/nvidia-drivers" auto="yes" arch="*">
21+
<unaffected range="ge">470.182.03</unaffected>
22+
<unaffected range="ge">515.105.01</unaffected>
23+
<unaffected range="ge">525.105.17</unaffected>
24+
<unaffected range="ge">530.41.03</unaffected>
25+
<vulnerable range="lt">470.182.03</vulnerable>
26+
<vulnerable range="lt">515.105.01</vulnerable>
27+
<vulnerable range="lt">525.105.17</vulnerable>
28+
<vulnerable range="lt">530.41.03</vulnerable>
29+
</package>
30+
</affected>
31+
<background>
32+
<p>NVIDIA Drivers are NVIDIA&#39;s accelerated graphics driver.</p>
33+
</background>
34+
<description>
35+
<p>Multiple vulnerabilities have been discovered in NVIDIA Drivers. Please review the CVE identifiers referenced below for details.</p>
36+
</description>
37+
<impact type="normal">
38+
<p>Please review the referenced CVE identifiers for details.</p>
39+
</impact>
40+
<workaround>
41+
<p>There is no known workaround at this time.</p>
42+
</workaround>
43+
<resolution>
44+
<p>All NVIDIA Drivers 470 users should upgrade to the latest version:</p>
45+
46+
<code>
47+
# emerge --sync
48+
# emerge --ask --oneshot --verbose ">=x11-drivers/nvidia-drivers-470.182.03:0/470"
49+
</code>
50+
51+
<p>All NVIDIA Drivers 515 users should upgrade to the latest version:</p>
52+
53+
<code>
54+
# emerge --sync
55+
# emerge --ask --oneshot --verbose ">=x11-drivers/nvidia-drivers-515.105.01:0/515"
56+
</code>
57+
58+
<p>All NVIDIA Drivers 525 users should upgrade to the latest version:</p>
59+
60+
<code>
61+
# emerge --sync
62+
# emerge --ask --oneshot --verbose ">=x11-drivers/nvidia-drivers-525.105.17:0/525"
63+
</code>
64+
65+
<p>All NVIDIA Drivers 530 users should upgrade to the latest version:</p>
66+
67+
<code>
68+
# emerge --sync
69+
# emerge --ask --oneshot --verbose ">=x11-drivers/nvidia-drivers-530.41.03:0/530"
70+
</code>
71+
</resolution>
72+
<references>
73+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-1052">CVE-2021-1052</uri>
74+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-1053">CVE-2021-1053</uri>
75+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-1056">CVE-2021-1056</uri>
76+
<uri link="https://nvd.nist.gov/vuln/detail/CVE‑2021‑1076">CVE‑2021‑1076</uri>
77+
<uri link="https://nvd.nist.gov/vuln/detail/CVE‑2021‑1077">CVE‑2021‑1077</uri>
78+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-1090">CVE-2021-1090</uri>
79+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-1093">CVE-2021-1093</uri>
80+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-1094">CVE-2021-1094</uri>
81+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-1095">CVE-2021-1095</uri>
82+
<uri link="https://nvd.nist.gov/vuln/detail/CVE‑2022‑21813">CVE‑2022‑21813</uri>
83+
<uri link="https://nvd.nist.gov/vuln/detail/CVE‑2022‑21814">CVE‑2022‑21814</uri>
84+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-28181">CVE-2022-28181</uri>
85+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-28183">CVE-2022-28183</uri>
86+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-28184">CVE-2022-28184</uri>
87+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-28185">CVE-2022-28185</uri>
88+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-31607">CVE-2022-31607</uri>
89+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-31608">CVE-2022-31608</uri>
90+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-31615">CVE-2022-31615</uri>
91+
<uri link="https://nvd.nist.gov/vuln/detail/CVE‑2022‑34665">CVE‑2022‑34665</uri>
92+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-34666">CVE-2022-34666</uri>
93+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-34670">CVE-2022-34670</uri>
94+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-34673">CVE-2022-34673</uri>
95+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-34674">CVE-2022-34674</uri>
96+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-34676">CVE-2022-34676</uri>
97+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-34677">CVE-2022-34677</uri>
98+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-34678">CVE-2022-34678</uri>
99+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-34679">CVE-2022-34679</uri>
100+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-34680">CVE-2022-34680</uri>
101+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-34682">CVE-2022-34682</uri>
102+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-34684">CVE-2022-34684</uri>
103+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-42254">CVE-2022-42254</uri>
104+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-42255">CVE-2022-42255</uri>
105+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-42256">CVE-2022-42256</uri>
106+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-42257">CVE-2022-42257</uri>
107+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-42258">CVE-2022-42258</uri>
108+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-42259">CVE-2022-42259</uri>
109+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-42260">CVE-2022-42260</uri>
110+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-42261">CVE-2022-42261</uri>
111+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-42263">CVE-2022-42263</uri>
112+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-42264">CVE-2022-42264</uri>
113+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-42265">CVE-2022-42265</uri>
114+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-0180">CVE-2023-0180</uri>
115+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-0181">CVE-2023-0181</uri>
116+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-0183">CVE-2023-0183</uri>
117+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-0184">CVE-2023-0184</uri>
118+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-0185">CVE-2023-0185</uri>
119+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-0187">CVE-2023-0187</uri>
120+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-0188">CVE-2023-0188</uri>
121+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-0189">CVE-2023-0189</uri>
122+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-0190">CVE-2023-0190</uri>
123+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-0191">CVE-2023-0191</uri>
124+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-0194">CVE-2023-0194</uri>
125+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-0195">CVE-2023-0195</uri>
126+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-0198">CVE-2023-0198</uri>
127+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-0199">CVE-2023-0199</uri>
128+
</references>
129+
<metadata tag="requester" timestamp="2023-10-03T12:45:00.352577Z">ajak</metadata>
130+
<metadata tag="submitter" timestamp="2023-10-03T12:45:00.356374Z">graaff</metadata>
131+
</glsa>
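Review bot: Five `<uri>` entries (new lines 76, 77, 82, 83 and 91, e.g. `CVE‑2021‑1076`) use a non-ASCII hyphen character in both the `link` attribute and the element text, while the neighbouring entries use the ASCII `-`. A scanner, grep or SIEM rule that matches `CVE-` followed by digits will miss these five identifiers, and the NVD URLs will probably not resolve as written; they should follow the form `<uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-1076">CVE-2021-1076</uri>`. The `<affected>` block (new lines 19-30) also lists four `ge`/`lt` pairs with no slot qualifier, although the resolution commands are per branch (`:0/470` to `:0/530`). A 515-series driver older than 515.105.01 therefore still satisfies `ge 470.182.03`, and depending on how the consumer combines the ranges it may be reported as unaffected, so that is worth checking. A check in the metadata sync job that rejects non-ASCII characters inside CVE identifiers would catch the first problem before it is merged.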
Lines changed: 47 additions & 0 deletions
@@ -0,0 +1,47 @@
1+
<?xml version="1.0" encoding="UTF-8"?>
2+
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
3+
<glsa id="202310-03">
4+
<title>glibc: Multiple vulnerabilities</title>
5+
<synopsis>Multiple vulnerabilities in glibc could result in Local Privilege Escalation.</synopsis>
6+
<product type="ebuild">glibc</product>
7+
<announced>2023-10-04</announced>
8+
<revised count="1">2023-10-04</revised>
9+
<bug>867952</bug>
10+
<bug>914281</bug>
11+
<bug>915127</bug>
12+
<access>local and remote</access>
13+
<affected>
14+
<package name="sys-libs/glibc" auto="yes" arch="*">
15+
<unaffected range="ge">2.37-r7</unaffected>
16+
<vulnerable range="lt">2.37-r7</vulnerable>
17+
</package>
18+
</affected>
19+
<background>
20+
<p>glibc is a package that contains the GNU C library.</p>
21+
</background>
22+
<description>
23+
<p>Multiple vulnerabilities have been discovered in glibc. Please review the CVE identifiers referenced below for details.</p>
24+
</description>
25+
<impact type="high">
26+
<p>An attacker could elevate privileges from a local user to root.</p>
27+
</impact>
28+
<workaround>
29+
<p>There is no known workaround at this time.</p>
30+
</workaround>
31+
<resolution>
32+
<p>All glibc users should upgrade to the latest version:</p>
33+
34+
<code>
35+
# emerge --sync
36+
# emerge --ask --oneshot --verbose ">=sys-libs/glibc-2.37-r7"
37+
</code>
38+
</resolution>
39+
<references>
40+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-39046">CVE-2022-39046</uri>
41+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4527">CVE-2023-4527</uri>
42+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4806">CVE-2023-4806</uri>
43+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-4911">CVE-2023-4911</uri>
44+
</references>
45+
<metadata tag="requester" timestamp="2023-10-04T08:02:08.857868Z">sam</metadata>
46+
<metadata tag="submitter" timestamp="2023-10-04T08:02:08.860070Z">sam</metadata>
47+
</glsa>
Lines changed: 44 additions & 0 deletions
@@ -0,0 +1,44 @@
1+
<?xml version="1.0" encoding="UTF-8"?>
2+
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
3+
<glsa id="202310-04">
4+
<title>libvpx: Multiple Vulnerabilities</title>
5+
<synopsis>Multiple vulnerabilities have been discovered in libvpx, the worst of which could result in arbitrary code execution.</synopsis>
6+
<product type="ebuild">libvpx</product>
7+
<announced>2023-10-04</announced>
8+
<revised count="1">2023-10-04</revised>
9+
<bug>914875</bug>
10+
<bug>914987</bug>
11+
<access>remote</access>
12+
<affected>
13+
<package name="media-libs/libvpx" auto="yes" arch="*">
14+
<unaffected range="ge">1.13.1</unaffected>
15+
<vulnerable range="lt">1.13.1</vulnerable>
16+
</package>
17+
</affected>
18+
<background>
19+
<p>libvpx is the VP8 codec SDK used to encode and decode video streams, typically within a WebM format media file.</p>
20+
</background>
21+
<description>
22+
<p>Multiple vulnerabilities have been discovered in libvpx. Please review the CVE identifiers referenced below for details.</p>
23+
</description>
24+
<impact type="high">
25+
<p>Please review the referenced CVE identifiers for details.</p>
26+
</impact>
27+
<workaround>
28+
<p>There is no known workaround at this time.</p>
29+
</workaround>
30+
<resolution>
31+
<p>All libvpx users should upgrade to the latest version:</p>
32+
33+
<code>
34+
# emerge --sync
35+
# emerge --ask --oneshot --verbose ">=media-libs/libvpx-1.13.1"
36+
</code>
37+
</resolution>
38+
<references>
39+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5217">CVE-2023-5217</uri>
40+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-44488">CVE-2023-44488</uri>
41+
</references>
42+
<metadata tag="requester" timestamp="2023-10-04T10:49:17.755721Z">sam</metadata>
43+
<metadata tag="submitter" timestamp="2023-10-04T10:49:17.758091Z">sam</metadata>
44+
</glsa>
Lines changed: 42 additions & 0 deletions
@@ -0,0 +1,42 @@
1+
<?xml version="1.0" encoding="UTF-8"?>
2+
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
3+
<glsa id="202310-05">
4+
<title>dav1d: Denial of Service</title>
5+
<synopsis>A vulnerability has been found in dav1d which could result in denial of service.</synopsis>
6+
<product type="ebuild">dav1d</product>
7+
<announced>2023-10-08</announced>
8+
<revised count="1">2023-10-08</revised>
9+
<bug>906107</bug>
10+
<access>remote</access>
11+
<affected>
12+
<package name="media-libs/dav1d" auto="yes" arch="*">
13+
<unaffected range="ge">1.2.0</unaffected>
14+
<vulnerable range="lt">1.2.0</vulnerable>
15+
</package>
16+
</affected>
17+
<background>
18+
<p>dav1d is an AV1 decoder.</p>
19+
</background>
20+
<description>
21+
<p>In some circumstances, dav1d might treat an invalid frame as valid, resulting in a crash.</p>
22+
</description>
23+
<impact type="low">
24+
<p>Malformed frame data can result in a denial of service.</p>
25+
</impact>
26+
<workaround>
27+
<p>Users should avoid parsing untrusted video with dav1d.</p>
28+
</workaround>
29+
<resolution>
30+
<p>All dav1d users should upgrade to the latest version:</p>
31+
32+
<code>
33+
# emerge --sync
34+
# emerge --ask --oneshot --verbose ">=media-libs/dav1d-1.2.0"
35+
</code>
36+
</resolution>
37+
<references>
38+
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-32570">CVE-2023-32570</uri>
39+
</references>
40+
<metadata tag="requester" timestamp="2023-10-08T05:41:28.434632Z">ajak</metadata>
41+
<metadata tag="submitter" timestamp="2023-10-08T05:41:28.437198Z">sam</metadata>
42+
</glsa>
