Merge pull request #2616 from flatcar/buildbot/monthly-glsa-metadata-updates-2025-02-01

Monthly GLSA metadata 2025-02-01

Author: krnowak

sdk_container/src/third_party/portage-stable/metadata/glsa/Manifest

@@ -1,23 +1,23 @@
 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA512
 
-MANIFEST Manifest.files.gz 594915 BLAKE2B 220d9175cb1796cb5045abb4a1dd895efa478aa604a6eb3dde800553a73ce6b12ecf630b6574e1fc834659bac119417be17231464d8355e60ed5ed18f51b8044 SHA512 db425e75cb49a2ea05358c8e7f4e366d86628930a1e26279cb8287fe250565842ac004358a56986eb2aa4342ed7217cf30c8f78d97a02ed24483cca80fd1b2eb
-TIMESTAMP 2025-01-01T06:40:41Z
+MANIFEST Manifest.files.gz 596663 BLAKE2B d03f77688298f7e2b1c117787c6f899250317779b0320cb4d08119535bbb454be5ff75faf4d4f6b88394f22fc5ce722770f4e51f537acca0853947165902a3ab SHA512 ca731da057a6d173058e289dcfa3c1e06f0e35cc32aa1f85102f6637f27eb4a9f2444a9eb532f9df30535ce50e36fc4a7976c85eb02dcc7f7b80b4a213ec6d2d
+TIMESTAMP 2025-02-01T06:42:06Z
 -----BEGIN PGP SIGNATURE-----
 
-iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmd042lfFIAAAAAALgAo
+iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmedwj5fFIAAAAAALgAo
 aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx
 RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY
-klBoyg//VQm7GsyyuffSjKJO3H/YJF558ygX0IxnZPwgQweC9ERRd3NlONm2mlph
-TzmZhAC+PnRGN+QTZh3M/kNuxPytaf6bg9vSNs2v221CHcSqErbzbMAiDO8ZRPoj
-ToTfCC1jH2AoEAAmCWd120MK7nA1dzKx0DSvWhuTv02ssdS9Plj+SJ0SY6stjE3w
-vfyYTvVjsz90UppvVl9zdKPQa5st2ojC9/tJxCFEjTxV1ubGJDI/7TdArgyTTSDg
-rx4Bbc5su4ANjXbYHofhar2X0/YYF6l/bglDMhCJIn8OwOyzWqXufgrmhmnCrCgt
-V6FLxXqWimOmIiIL1YUwUgc3p0JYNuYAwGt5I6Tf/gX2h/4aHOxUvgDdvRf+hoUl
-9USr4sw5qovn+pFdDNwYrZ2+Uat83IYET85Mnlc8sqf3wH8I17lPKOzLtcgtkRND
-i062wD9kU6gCen6fM80vuW4k40UphiAkrLhy8nMaWjBBVbRdXpGddGdOuPk0yX+b
-g+qjOXnkY/rZPek+u0lpS1MPU661IFJgXQs9wFaV9++VXpcpVCyFoyUNhhaIxEH9
-KEQwa8bz2DkoBCeJMYjH3xigcXMavQ9KTrRqkl2lUk1tLf/dBwY3d7Ao8rpCkirO
-AF2w3sJ5hbD7PXm4OEDG3EYt1uQftsnV/UcNB26SVu8UT1tfmR0=
-=IQdp
+klBlXBAAr4sY5iEDzYLEfvubrkiF3uuAHKfIwYSEXfmUWd0Ltv+skBym3Rmr5yp0
+4/+OTE+9CqgqdbnWdlFbQcaBf+dLmZ6Q/CUZ054dbW5EjVchTx1VsKb+zSCyUSky
+Vm4uCHniPN7UgODv/NX8kttdQLojIR+HW0DvAJ6cDb9GFOYpvyilYezK0HuGNkje
+vXWoiBRERytYJ74cigATfNaQ6aVgZAhWB/CMqC4EWW4d9o8e0XIi6TSq2cNgraAu
++Mxa4n7LrMaBFHKy+TNdeirztkHJSKdAAFwscpBZwngl8XwmOR3EIIJyzuvZ9jtY
+uOkoLN+sn16Pz0zyuuonYn5aTu0TkazdEh6MVR2YTz8CcifTt1HcPivRiiB2Wa+e
+50csAbppVN9UvCKMaR+Z+/JBnFP2BcuYNIdW+qUlzGHecB01PBLYBN9AI2HK9Ujn
+AgtQ8uwX49PDief0RQcUlAQ1xQ4wRu4HOgZHxT6XL9LTLVSMedm9/R4CK7uc1s4S
+U5uuC7xkPHXVi8s26wCf4+g7Rx2vVtxCEmevgnnBETD0B9OxECfqf+ZQfqqfwbL3
+JhT2rMejK7WWJC/Owp2syiWwEHEg8pR8XeyqwTSVmeqceJClQGWt0d4cIYSBUW2b
+efiUP+na+uWMxVbQm92Q/UKCrJe/cp9FvHDUyYeGuxun/1u1gXw=
+=4Nub
 -----END PGP SIGNATURE-----

sdk_container/src/third_party/portage-stable/metadata/glsa/Manifest.files.gz

@@ -0,0 +1,47 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202501-01">
+    <title>rsync: Multiple Vulnerabilities</title>
+    <synopsis>Multiple vulnerabilities have been discovered in rsync, the worst of which could lead to arbitrary code execution.</synopsis>
+    <product type="ebuild">rsync</product>
+    <announced>2025-01-15</announced>
+    <revised count="1">2025-01-15</revised>
+    <bug>948106</bug>
+    <access>remote</access>
+    <affected>
+        <package name="net-misc/rsync" auto="yes" arch="*">
+            <unaffected range="ge">3.3.0-r2</unaffected>
+            <vulnerable range="lt">3.3.0-r2</vulnerable>
+        </package>
+    </affected>
+    <background>
+        <p>rsync is a server and client utility that provides fast incremental file transfers. It is used to efficiently synchronize files between hosts and is used by emerge to fetch Gentoo&#39;s Portage tree.</p>
+    </background>
+    <description>
+        <p>Multiple vulnerabilities have been discovered in rsync. Please review the CVE identifiers referenced below for details.</p>
+    </description>
+    <impact type="high">
+        <p>Please review the referenced CVE identifiers for details.</p>
+    </impact>
+    <workaround>
+        <p>There is no known workaround at this time.</p>
+    </workaround>
+    <resolution>
+        <p>All rsync users should upgrade to the latest version:</p>
+        
+        <code>
+          # emerge --sync
+          # emerge --ask --oneshot --verbose ">=net-misc/rsync-3.3.0-r2"
+        </code>
+    </resolution>
+    <references>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-12084">CVE-2024-12084</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-12085">CVE-2024-12085</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-12086">CVE-2024-12086</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-12087">CVE-2024-12087</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-12088">CVE-2024-12088</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-12747">CVE-2024-12747</uri>
+    </references>
+    <metadata tag="requester" timestamp="2025-01-15T17:18:08.215935Z">sam</metadata>
+    <metadata tag="submitter" timestamp="2025-01-15T17:18:08.218034Z">sam</metadata>
+</glsa>

sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202501-01.xml

@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202501-02">
+    <title>GIMP: Multiple Vulnerabilities</title>
+    <synopsis>Multiple vulnerabilities have been discovered in GIMP, the worst of which can lead to arbitrary code execution.</synopsis>
+    <product type="ebuild">gimp</product>
+    <announced>2025-01-17</announced>
+    <revised count="2">2025-01-18</revised>
+    <bug>845402</bug>
+    <bug>856283</bug>
+    <bug>917406</bug>
+    <access>remote</access>
+    <affected>
+        <package name="media-gfx/gimp" auto="yes" arch="*">
+            <unaffected range="ge">2.10.36</unaffected>
+            <vulnerable range="lt">2.10.36</vulnerable>
+        </package>
+    </affected>
+    <background>
+        <p>GIMP is the GNU Image Manipulation Program. XCF is the native image file format used by GIMP.</p>
+    </background>
+    <description>
+        <p>Multiple vulnerabilities have been discovered in GIMP. Please review the CVE identifiers referenced below for details.</p>
+    </description>
+    <impact type="high">
+        <p>Please review the referenced CVE identifiers for details.</p>
+    </impact>
+    <workaround>
+        <p>There is no known workaround at this time.</p>
+    </workaround>
+    <resolution>
+        <p>All GIMP users should upgrade to the latest version:</p>
+        
+        <code>
+          # emerge --sync
+          # emerge --ask --oneshot --verbose ">=media-gfx/gimp-2.10.36"
+        </code>
+    </resolution>
+    <references>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-30067">CVE-2022-30067</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-32990">CVE-2022-32990</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-44441">CVE-2023-44441</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-44442">CVE-2023-44442</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-44443">CVE-2023-44443</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-44444">CVE-2023-44444</uri>
+    </references>
+    <metadata tag="requester" timestamp="2025-01-17T07:05:31.622583Z">graaff</metadata>
+    <metadata tag="submitter" timestamp="2025-01-17T07:05:31.625362Z">graaff</metadata>
+</glsa>

sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202501-02.xml

@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202501-03">
+    <title>pip: arbitrary configuration injection</title>
+    <synopsis>A vulnerability has been discovered in pip, which could lead to arbitrary configuration options being injected.</synopsis>
+    <product type="ebuild">pip</product>
+    <announced>2025-01-17</announced>
+    <revised count="1">2025-01-17</revised>
+    <bug>918427</bug>
+    <access>local</access>
+    <affected>
+        <package name="dev-python/pip" auto="yes" arch="*">
+            <unaffected range="ge">23.3</unaffected>
+            <vulnerable range="lt">23.3</vulnerable>
+        </package>
+    </affected>
+    <background>
+        <p>pip is a tool for installing and managing Python packages.</p>
+    </background>
+    <description>
+        <p>Multiple vulnerabilities have been discovered in pip. Please review the CVE identifiers referenced below for details.</p>
+    </description>
+    <impact type="normal">
+        <p>When installing a package from a Mercurial VCS URL  (ie &#34;pip install hg+...&#34;), the specified Mercurial revision could be used to inject arbitrary configuration options to the &#34;hg clone&#34; call (ie &#34;--config&#34;). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren&#39;t installing from Mercurial.</p>
+    </impact>
+    <workaround>
+        <p>There is no known workaround at this time.</p>
+    </workaround>
+    <resolution>
+        <p>All pip users should upgrade to the latest version:</p>
+        
+        <code>
+          # emerge --sync
+          # emerge --ask --oneshot --verbose ">=dev-python/pip-23.3"
+        </code>
+    </resolution>
+    <references>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5752">CVE-2023-5752</uri>
+    </references>
+    <metadata tag="requester" timestamp="2025-01-17T07:08:02.410954Z">graaff</metadata>
+    <metadata tag="submitter" timestamp="2025-01-17T07:08:02.413296Z">graaff</metadata>
+</glsa>

sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202501-03.xml

@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202501-04">
+    <title>Yubico pam-u2f: Partial Authentication Bypass</title>
+    <synopsis>A vulnerability has been discovered in Yubico pam-u2f, which can lead to a partial authentication bypass.</synopsis>
+    <product type="ebuild">pam_u2f</product>
+    <announced>2025-01-23</announced>
+    <revised count="1">2025-01-23</revised>
+    <bug>948201</bug>
+    <access>local</access>
+    <affected>
+        <package name="sys-auth/pam_u2f" auto="yes" arch="*">
+            <unaffected range="ge">1.3.2</unaffected>
+            <vulnerable range="lt">1.3.2</vulnerable>
+        </package>
+    </affected>
+    <background>
+        <p>Yubico pam-u2f is a PAM module for FIDO2 and U2F keys.</p>
+    </background>
+    <description>
+        <p>Multiple vulnerabilities have been discovered in Yubico pam-u2f. Please review the CVE identifiers referenced below for details.</p>
+    </description>
+    <impact type="high">
+        <p>Depending on specific settings and usage scenarios the result of the pam-u2f module may be altered or ignored.</p>
+    </impact>
+    <workaround>
+        <p>There is no known workaround at this time.</p>
+    </workaround>
+    <resolution>
+        <p>All Yubico pam-u2f users should upgrade to the latest version:</p>
+        
+        <code>
+          # emerge --sync
+          # emerge --ask --oneshot --verbose ">=sys-auth/pam_u2f-1.3.2"
+        </code>
+    </resolution>
+    <references>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-23013">CVE-2025-23013</uri>
+        <uri link="https://www.yubico.com/support/security-advisories/YSA-2025-01">YSA-2025-01</uri>
+    </references>
+    <metadata tag="requester" timestamp="2025-01-23T06:15:02.537459Z">graaff</metadata>
+    <metadata tag="submitter" timestamp="2025-01-23T06:15:02.541001Z">graaff</metadata>
+</glsa>

sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202501-04.xml

@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202501-05">
+    <title>libuv: Hostname Truncation</title>
+    <synopsis>A vulnerability has been discovered in libuv, where hostname truncation can lead to attacker-controlled lookups.</synopsis>
+    <product type="ebuild">libuv</product>
+    <announced>2025-01-23</announced>
+    <revised count="1">2025-01-23</revised>
+    <bug>924127</bug>
+    <access>remote</access>
+    <affected>
+        <package name="dev-libs/libuv" auto="yes" arch="*">
+            <unaffected range="ge">1.48.0</unaffected>
+            <vulnerable range="lt">1.48.0</vulnerable>
+        </package>
+    </affected>
+    <background>
+        <p>libuv is a multi-platform support library with a focus on asynchronous I/O.</p>
+    </background>
+    <description>
+        <p>Multiple vulnerabilities have been discovered in libuv. Please review the CVE identifiers referenced below for details.</p>
+    </description>
+    <impact type="normal">
+        <p>The uv_getaddrinfo function in src/unix/getaddrinfo.c truncates hostnames to 256 characters before calling getaddrinfo. This behavior can be exploited to create addresses like 0x00007f000001, which are considered valid by getaddrinfo and could allow an attacker to craft payloads that resolve to unintended IP addresses, bypassing developer checks.</p>
+    </impact>
+    <workaround>
+        <p>There is no known workaround at this time.</p>
+    </workaround>
+    <resolution>
+        <p>All libuv users should upgrade to the latest version:</p>
+        
+        <code>
+          # emerge --sync
+          # emerge --ask --oneshot --verbose ">=dev-libs/libuv-1.48.0"
+        </code>
+    </resolution>
+    <references>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-24806">CVE-2024-24806</uri>
+    </references>
+    <metadata tag="requester" timestamp="2025-01-23T06:16:58.811764Z">graaff</metadata>
+    <metadata tag="submitter" timestamp="2025-01-23T06:16:58.815474Z">graaff</metadata>
+</glsa>

sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202501-05.xml

@@ -0,0 +1,47 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202501-06">
+    <title>GPL Ghostscript: Multiple Vulnerabilities</title>
+    <synopsis>Multiple vulnerabilities have been discovered in GPL Ghostscript, the worst of which could lead to arbitrary code execution.</synopsis>
+    <product type="ebuild">ghostscript-gpl</product>
+    <announced>2025-01-23</announced>
+    <revised count="1">2025-01-23</revised>
+    <bug>942639</bug>
+    <access>remote</access>
+    <affected>
+        <package name="app-text/ghostscript-gpl" auto="yes" arch="*">
+            <unaffected range="ge">10.04.0</unaffected>
+            <vulnerable range="lt">10.04.0</vulnerable>
+        </package>
+    </affected>
+    <background>
+        <p>Ghostscript is an interpreter for the PostScript language and for PDF.</p>
+    </background>
+    <description>
+        <p>Multiple vulnerabilities have been discovered in GPL Ghostscript. Please review the CVE identifiers referenced below for details.</p>
+    </description>
+    <impact type="high">
+        <p>Please review the referenced CVE identifiers for details.</p>
+    </impact>
+    <workaround>
+        <p>There is no known workaround at this time.</p>
+    </workaround>
+    <resolution>
+        <p>All GPL Ghostscript users should upgrade to the latest version:</p>
+        
+        <code>
+          # emerge --sync
+          # emerge --ask --oneshot --verbose ">=app-text/ghostscript-gpl-10.04.0"
+        </code>
+    </resolution>
+    <references>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-46951">CVE-2024-46951</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-46952">CVE-2024-46952</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-46953">CVE-2024-46953</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-46954">CVE-2024-46954</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-46955">CVE-2024-46955</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-46956">CVE-2024-46956</uri>
+    </references>
+    <metadata tag="requester" timestamp="2025-01-23T06:18:34.082233Z">graaff</metadata>
+    <metadata tag="submitter" timestamp="2025-01-23T06:18:34.085244Z">graaff</metadata>
+</glsa>

sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202501-06.xml

@@ -0,0 +1,45 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202501-07">
+    <title>libgsf: Multiple Vulnerabilities</title>
+    <synopsis>Multiple vulnerabilities have been discovered in libgsf, the worst of which can lead to arbitrary code execution.</synopsis>
+    <product type="ebuild">libgsf</product>
+    <announced>2025-01-23</announced>
+    <revised count="1">2025-01-23</revised>
+    <bug>940777</bug>
+    <access>remote</access>
+    <affected>
+        <package name="gnome-extra/libgsf" auto="yes" arch="*">
+            <unaffected range="ge">1.14.53</unaffected>
+            <vulnerable range="lt">1.14.53</vulnerable>
+        </package>
+    </affected>
+    <background>
+        <p>The GNOME Structured File Library is an I/O library that can read and write common file types and handle structured formats that provide file-system-in-a-file semantics.</p>
+    </background>
+    <description>
+        <p>Multiple vulnerabilities have been discovered in libgsf. Please review the CVE identifiers referenced below for details.</p>
+    </description>
+    <impact type="high">
+        <p>Please review the referenced CVE identifiers for details.</p>
+    </impact>
+    <workaround>
+        <p>There is no known workaround at this time.</p>
+    </workaround>
+    <resolution>
+        <p>All libgsf users should upgrade to the latest version:</p>
+        
+        <code>
+          # emerge --sync
+          # emerge --ask --oneshot --verbose ">=gnome-extra/libgsf-1.14.53"
+        </code>
+    </resolution>
+    <references>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-36474">CVE-2024-36474</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-42415">CVE-2024-42415</uri>
+        <uri>TALOS-2024-2068</uri>
+        <uri>TALOS-2024-2069</uri>
+    </references>
+    <metadata tag="requester" timestamp="2025-01-23T06:25:02.419159Z">graaff</metadata>
+    <metadata tag="submitter" timestamp="2025-01-23T06:25:02.421783Z">graaff</metadata>
+</glsa>