Merge pull request #2069 from flatcar/buildbot/monthly-glsa-metadata-updates-2024-07-01

Monthly GLSA metadata 2024-07-01

Author: dongsupark

build_library/test_image_content.sh

@@ -4,6 +4,7 @@
 
 GLSA_ALLOWLIST=(
 	201412-09 # incompatible CA certificate version numbers
+	202407-05 # ebuild of sys-auth/sssd already has a custom patch to fix CVE-2021-3621
 )
 
 glsa_image() {

sdk_container/src/third_party/portage-stable/metadata/glsa/Manifest

@@ -1,23 +1,23 @@
 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA512
 
-MANIFEST Manifest.files.gz 569494 BLAKE2B 475196fd0ff28d6023f45e6c22284bded2028bbe891778e3828fb75c3727438168bcd5ab63fe48683bb5874710c096e12470eee93163ae90c07d1f9d79810710 SHA512 94822c7f83b3b68b28e1885c442c2d9b5794eb5f861b8a0862162601a2c2b03cdc2bb6144d8b4a1d61befedf2ff1952e540c518e34c7f15ff5af14b7dc567fcb
-TIMESTAMP 2024-05-01T06:40:25Z
+MANIFEST Manifest.files.gz 576950 BLAKE2B 88011af22fa4be4dd32deb6beef67152498dbf9a935f1735cb732a1cff2286ecaac7ff10b0cd4cc26890af67573dfd9f41b1b3d976e69dc012ee35c219644c8d SHA512 c652e80fb194ffb2de3f33c3046f525f887396de843ab0761ad5fa21d9949f6b62a1a16747b833821d7307bc10a7d9679651980cd85f6673c854e9dc8e09f5af
+TIMESTAMP 2024-07-01T06:40:32Z
 -----BEGIN PGP SIGNATURE-----
 
-iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmYx49lfFIAAAAAALgAo
+iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmaCT2BfFIAAAAAALgAo
 aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx
 RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY
-klBi7hAAsuDk2RK0sZb8tOFUPYo57qATO0xjYxhNlanBfW1axPgWMJ+IOjccLs3+
-Fxrq3c9Op1U0jEa/dP/4zBV/iqvXy3gth382qmG9eqUkpxjaKLWeWJ6xkx2wcKKe
-HBxAIHSs/45bBIQhnAoHSSjfp8eRrB6iRZA7+71FFuN3bEDFbaQzKg6jqet0qBjb
-Addmc9ykRSTsIVZKl7gpk5kr5VWSAyp1gTderZfU+osYWpo65pMQiErkyDWq6pgu
-PsF8cdtWvRTZ397Sayips6CDs9h9SIjAM3HT7oz0aXGBSGVjzLmM44iA1UA6qTDL
-bP5TwwiBIOF5UZnr93if3rKwuq3RQVORVaGvkJ8a0M8WyhKZruiPILCJmMBtX+E2
-C0jPVJYzR65/CuCyndUvomDW7E82dofWMwgwHUgdnN5HQdl3+IzxDSX8/ydqxcpK
-q/k7MfKKLSasP9/db+ejcWCUCqTizF2Z2RGFov+Ae5kA9c05lJD+XQ/OFSNvfnQo
-lpeQ1JnDQAGsO1oT/uXgyTV11006MXeCm+GEAiNsxixql0pVoj6km45/TrxQUDDC
-PiT60S1R1mQymz/hU5FfYCVSJGXsrUAmYHg+0UrXsU+lbcXq4slIXErHz8uL+d2X
-8bzTjPEreXOLxMsZWPlf82NACoOAm+nHHpqxnPdgHGnLSdpbh1I=
-=q6/O
+klCqxxAAlJUoGJYKzxQA/H3JQnjWSmIGVKL5XLmsWRPghQ9J5hsLgQURe8wGtoIU
+9oCNhRJesjAkA5l72Aa+HyEonUAiOqZD8R17ek9ipDLA9VFM9T9yNhk+nwnDu8Yi
+nWRjh3GB3OlcZbJDZ0ORE3ze65a8AMHlnWyCCq1QSZYXAqYDhbBz+i0y2hOtsBLP
+KiJKyh1uFON30dzDNbvY8taSw5ktaV5x4uuvmh7fmw2PpfoqK838me3YuQq8hVt4
+/haj/FoAfT8imrL8f52v01gUxz9EP5gRuzfML4v728TcQjDlmyuk/EuSm0PjFKxn
+zto2xmY/6/4AL/VKGOmzw3zpjapWjyiydVsh+l0hec1aZTxdgheh/dN7TfMJgmTV
+MUIyeLOX+qMvFph1ZITVNi3iQW5VO9Ho4exzvMgHVthli0Kqjqdx7rC966zHN3Ao
+3QuNtof4D+0ChqOyJpfdIrrRQct7M/Jp+2ZSx0T3luZ2mxSvVH+aIBBo/w37i5hM
+3612fcZWMDtzUvT0sbhuf9j1o7S7T24V66cs0BxpMC8t2Gh3pF4TL8CDDFH1rrv6
+8b9TU/3t/qk1haW42KmYXeUq6wEUWw1Z49wb80JEI6ZlTtm74CEdTYm27eisb+Wq
+H7DiQc0WDdZm5i7wVEN/nyVEf04Qv5IhfYS3MDaPDnck2pVaPtc=
+=IEvJ
 -----END PGP SIGNATURE-----

sdk_container/src/third_party/portage-stable/metadata/glsa/Manifest.files.gz

@@ -5,13 +5,15 @@
     <synopsis>A backdoor has been discovered in XZ utils that could lead to remote compromise of systems.</synopsis>
     <product type="ebuild">xz-utils</product>
     <announced>2024-03-29</announced>
-    <revised count="1">2024-03-29</revised>
+    <revised count="2">2024-05-29</revised>
     <bug>928134</bug>
     <access>remote</access>
     <affected>
         <package name="app-arch/xz-utils" auto="yes" arch="*">
             <unaffected range="lt">5.6.0</unaffected>
-            <vulnerable range="ge">5.6.0</vulnerable>
+            <unaffected range="gt">5.6.1</unaffected>
+            <vulnerable range="eq">5.6.0</vulnerable>
+            <vulnerable range="eq">5.6.1</vulnerable>
         </package>
     </affected>
     <background>
@@ -32,8 +34,12 @@ Analysis is still ongoing, however, and additional vectors may still be identifi
         <p>There is no known workaround at this time.</p>
     </workaround>
     <resolution>
-        <p>All XZ utils users should downgrade to the latest version before the backdoor was introduced:</p>
+        <p>All XZ utils users should upgrade to the latest fixed version, or downgrade to the latest version before the backdoor was introduced:</p>
 
+        <code>
+          # emerge --sync
+          # emerge --ask --oneshot --verbose "&gt;app-arch/xz-utils-5.6.1"
+        </code>
         <code>
           # emerge --sync
           # emerge --ask --oneshot --verbose "&lt;app-arch/xz-utils-5.6.0"

sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202403-04.xml

@@ -0,0 +1,79 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202405-01">
+    <title>Python, PyPy3: Multiple Vulnerabilities</title>
+    <synopsis>Multiple vulberabilities have been discovered in Python and PyPy3, the worst of which can lead to privilege escalation.</synopsis>
+    <product type="ebuild">pypy3,pypy3_10,pypy3_9,python</product>
+    <announced>2024-05-04</announced>
+    <revised count="1">2024-05-04</revised>
+    <bug>884653</bug>
+    <bug>897958</bug>
+    <bug>908018</bug>
+    <bug>912976</bug>
+    <bug>919475</bug>
+    <bug>927299</bug>
+    <access>remote</access>
+    <affected>
+        <package name="dev-lang/python" auto="yes" arch="*">
+            <unaffected range="ge" slot="3.12">3.12.1</unaffected>
+            <unaffected range="ge" slot="3.11">3.11.8</unaffected>
+            <unaffected range="ge" slot="3.10">3.10.14</unaffected>
+            <unaffected range="ge" slot="3.9">3.9.19</unaffected>
+            <unaffected range="ge" slot="3.8">3.8.19</unaffected>
+            <vulnerable range="lt" slot="3.12">3.12.1</vulnerable>
+            <vulnerable range="lt" slot="3.11">3.11.8</vulnerable>
+            <vulnerable range="lt" slot="3.10">3.10.14</vulnerable>
+            <vulnerable range="lt" slot="3.9">3.9.19</vulnerable>
+            <vulnerable range="lt" slot="3.8">3.8.19</vulnerable>
+        </package>
+        <package name="dev-python/pypy3" auto="yes" arch="*">
+            <unaffected range="ge">7.3.16</unaffected>
+            <vulnerable range="lt">7.3.16</vulnerable>
+        </package>
+        <package name="dev-python/pypy3_10" auto="yes" arch="*">
+            <unaffected range="ge">7.3.16</unaffected>
+            <vulnerable range="lt">7.3.16</vulnerable>
+        </package>
+        <package name="dev-python/pypy3_9" auto="yes" arch="*">
+            <unaffected range="ge">7.3.16</unaffected>
+            <vulnerable range="lt">7.3.16</vulnerable>
+        </package>
+    </affected>
+    <background>
+        <p>Python is an interpreted, interactive, object-oriented, cross-platform programming language.</p>
+    </background>
+    <description>
+        <p>Multiple vulnerabilities have been discovered in Python, PyPy3. Please review the CVE identifiers referenced below for details.</p>
+    </description>
+    <impact type="high">
+        <p>Please review the referenced CVE identifiers for details.</p>
+    </impact>
+    <workaround>
+        <p>There is no known workaround at this time.</p>
+    </workaround>
+    <resolution>
+        <p>All Python, PyPy3 users should upgrade to the latest version:</p>
+        
+        <code>
+          # emerge --sync
+          # emerge --ask --oneshot --verbose ">=dev-lang/python-3.12.1:3.12"
+          # emerge --ask --oneshot --verbose ">=dev-lang/python-3.11.9:3.11"
+          # emerge --ask --oneshot --verbose ">=dev-lang/python-3.10.14:3.10"
+          # emerge --ask --oneshot --verbose ">=dev-lang/python-3.9.19:3.9"
+          # emerge --ask --oneshot --verbose ">=dev-lang/python-3.8.19:3.8"
+          # emerge --ask --oneshot --verbose ">=dev-python/pypy3-7.3.16"
+          # emerge --ask --oneshot --verbose ">=dev-python/pypy3_10-7.3.16"
+          # emerge --ask --oneshot --verbose ">=dev-python/pypy3_9-7.3.16"
+        </code>
+    </resolution>
+    <references>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6507">CVE-2023-6507</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-6597">CVE-2023-6597</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-24329">CVE-2023-24329</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-40217">CVE-2023-40217</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-41105">CVE-2023-41105</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2024-0450">CVE-2024-0450</uri>
+    </references>
+    <metadata tag="requester" timestamp="2024-05-04T05:59:08.361678Z">graaff</metadata>
+    <metadata tag="submitter" timestamp="2024-05-04T05:59:08.364851Z">graaff</metadata>
+</glsa>

sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202405-01.xml

@@ -0,0 +1,74 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202405-02">
+    <title>ImageMagick: Multiple Vulnerabilities</title>
+    <synopsis>Multiple vulnerabilities have been discovered in ImageMagick, the worst of which can lead to remote code execution.</synopsis>
+    <product type="ebuild">imagemagick</product>
+    <announced>2024-05-04</announced>
+    <revised count="1">2024-05-04</revised>
+    <bug>835931</bug>
+    <bug>843833</bug>
+    <bug>852947</bug>
+    <bug>871954</bug>
+    <bug>893526</bug>
+    <bug>904357</bug>
+    <bug>908082</bug>
+    <bug>917594</bug>
+    <access>remote</access>
+    <affected>
+        <package name="media-gfx/imagemagick" auto="yes" arch="*">
+            <unaffected range="ge">6.9.13.0</unaffected>
+            <unaffected range="ge">7.1.1.22</unaffected>
+            <vulnerable range="lt">6.9.12.88</vulnerable>
+            <vulnerable range="lt">7.1.1.11</vulnerable>
+        </package>
+    </affected>
+    <background>
+        <p>ImageMagick is a software suite to create, edit, and compose bitmap images, that can also read, write, and convert images in many other formats.</p>
+    </background>
+    <description>
+        <p>Multiple vulnerabilities have been discovered in ImageMagick. Please review the CVE identifiers referenced below for details.</p>
+    </description>
+    <impact type="high">
+        <p>Please review the referenced CVE identifiers for details.</p>
+    </impact>
+    <workaround>
+        <p>There is no known workaround at this time.</p>
+    </workaround>
+    <resolution>
+        <p>All ImageMagick 6.x users should upgrade to the latest version:</p>
+        
+        <code>
+          # emerge --sync
+          # emerge --ask --oneshot --verbose ">=media-gfx/imagemagick-6.9.13.0" =media-gfx/imagemagick-6*"
+        </code>
+        
+        <p>All ImageMagick 7.x users should upgrade to the latest version:</p>
+        
+        <code>
+          # emerge --sync
+          # emerge --ask --oneshot --verbose ">=media-gfx/imagemagick-7.1.1.22"
+        </code>
+    </resolution>
+    <references>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-4219">CVE-2021-4219</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2021-20224">CVE-2021-20224</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-0284">CVE-2022-0284</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-1115">CVE-2022-1115</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-2719">CVE-2022-2719</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-3213">CVE-2022-3213</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-28463">CVE-2022-28463</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-32545">CVE-2022-32545</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-32546">CVE-2022-32546</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-32547">CVE-2022-32547</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-44267">CVE-2022-44267</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-44268">CVE-2022-44268</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-1906">CVE-2023-1906</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-2157">CVE-2023-2157</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-5341">CVE-2023-5341</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-34151">CVE-2023-34151</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2023-34153">CVE-2023-34153</uri>
+    </references>
+    <metadata tag="requester" timestamp="2024-05-04T06:13:28.990846Z">graaff</metadata>
+    <metadata tag="submitter" timestamp="2024-05-04T06:13:28.993140Z">graaff</metadata>
+</glsa>

sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202405-02.xml

@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202405-03">
+    <title>Dalli: Code Injection</title>
+    <synopsis>A vulnerability has been discovered in Dalli, which can lead to code injection.</synopsis>
+    <product type="ebuild">dalli</product>
+    <announced>2024-05-04</announced>
+    <revised count="1">2024-05-04</revised>
+    <bug>882077</bug>
+    <access>local and remote</access>
+    <affected>
+        <package name="dev-ruby/dalli" auto="yes" arch="*">
+            <unaffected range="ge">3.2.3</unaffected>
+            <vulnerable range="lt">3.2.3</vulnerable>
+        </package>
+    </affected>
+    <background>
+        <p>Dalli is a high performance pure Ruby client for accessing memcached servers.</p>
+    </background>
+    <description>
+        <p>A vulnerability was found in Dalli. Affected is the function self.meta_set of the file lib/dalli/protocol/meta/request_formatter.rb of the component Meta Protocol Handler. The manipulation leads to injection.</p>
+    </description>
+    <impact type="normal">
+        <p>Please review the referenced CVE identifiers for details.</p>
+    </impact>
+    <workaround>
+        <p>There is no known workaround at this time.</p>
+    </workaround>
+    <resolution>
+        <p>All Dalli users should upgrade to the latest version:</p>
+        
+        <code>
+          # emerge --sync
+          # emerge --ask --oneshot --verbose ">=dev-ruby/dalli-3.2.3"
+        </code>
+    </resolution>
+    <references>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-4064">CVE-2022-4064</uri>
+    </references>
+    <metadata tag="requester" timestamp="2024-05-04T06:43:24.230534Z">graaff</metadata>
+    <metadata tag="submitter" timestamp="2024-05-04T06:43:24.233626Z">graaff</metadata>
+</glsa>

sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202405-03.xml

@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202405-04">
+    <title>systemd: Multiple Vulnerabilities</title>
+    <synopsis>Multiple vulnerabilities have been discovered in systemd, the worst of which can lead to a denial of service.</synopsis>
+    <product type="ebuild">systemd</product>
+    <announced>2024-05-04</announced>
+    <revised count="1">2024-05-04</revised>
+    <bug>882769</bug>
+    <bug>887581</bug>
+    <access>local</access>
+    <affected>
+        <package name="sys-apps/systemd" auto="yes" arch="*">
+            <unaffected range="ge">252.4</unaffected>
+            <vulnerable range="lt">252.4</vulnerable>
+        </package>
+    </affected>
+    <background>
+        <p>A system and service manager.</p>
+    </background>
+    <description>
+        <p>Multiple vulnerabilities have been discovered in systemd. Please review the CVE identifiers referenced below for details.</p>
+    </description>
+    <impact type="normal">
+        <p>Please review the referenced CVE identifiers for details.</p>
+    </impact>
+    <workaround>
+        <p>There is no known workaround at this time.</p>
+    </workaround>
+    <resolution>
+        <p>All systemd users should upgrade to the latest version:</p>
+        
+        <code>
+          # emerge --sync
+          # emerge --ask --oneshot --verbose ">=sys-apps/systemd-252.4"
+        </code>
+    </resolution>
+    <references>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-4415">CVE-2022-4415</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-45873">CVE-2022-45873</uri>
+    </references>
+    <metadata tag="requester" timestamp="2024-05-04T07:18:38.700106Z">graaff</metadata>
+    <metadata tag="submitter" timestamp="2024-05-04T07:18:38.703836Z">graaff</metadata>
+</glsa>

sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202405-04.xml

@@ -0,0 +1,55 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202405-05">
+    <title>MPlayer: Multiple Vulnerabilities</title>
+    <synopsis>Multiple vulnerabilities have been discovered in MPlayer, the worst of which can lead to arbitrary code execution.</synopsis>
+    <product type="ebuild">mplayer</product>
+    <announced>2024-05-04</announced>
+    <revised count="1">2024-05-04</revised>
+    <bug>870406</bug>
+    <access>local</access>
+    <affected>
+        <package name="media-video/mplayer" auto="yes" arch="*">
+            <unaffected range="ge">1.5</unaffected>
+            <vulnerable range="lt">1.5</vulnerable>
+        </package>
+    </affected>
+    <background>
+        <p>MPlayer is a media player capable of handling multiple multimedia file formats.</p>
+    </background>
+    <description>
+        <p>Multiple vulnerabilities have been discovered in MPlayer. Please review the CVE identifiers referenced below for details.</p>
+    </description>
+    <impact type="normal">
+        <p>Please review the referenced CVE identifiers for details.</p>
+    </impact>
+    <workaround>
+        <p>There is no known workaround at this time.</p>
+    </workaround>
+    <resolution>
+        <p>All MPlayer users should upgrade to the latest version:</p>
+        
+        <code>
+          # emerge --sync
+          # emerge --ask --oneshot --verbose ">=media-video/mplayer-1.5"
+        </code>
+    </resolution>
+    <references>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-38600">CVE-2022-38600</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-38850">CVE-2022-38850</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-38851">CVE-2022-38851</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-38853">CVE-2022-38853</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-38855">CVE-2022-38855</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-38856">CVE-2022-38856</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-38858">CVE-2022-38858</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-38860">CVE-2022-38860</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-38861">CVE-2022-38861</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-38862">CVE-2022-38862</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-38863">CVE-2022-38863</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-38864">CVE-2022-38864</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-38865">CVE-2022-38865</uri>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2022-38866">CVE-2022-38866</uri>
+    </references>
+    <metadata tag="requester" timestamp="2024-05-04T07:42:15.329279Z">graaff</metadata>
+    <metadata tag="submitter" timestamp="2024-05-04T07:42:15.332064Z">graaff</metadata>
+</glsa>