Merge pull request #2862 from flatcar/buildbot/monthly-glsa-metadata-updates-2025-05-01

Monthly GLSA metadata 2025-05-01

Author: dongsupark

sdk_container/src/third_party/portage-stable/metadata/glsa/Manifest

@@ -1,23 +1,23 @@
 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA512
 
-MANIFEST Manifest.files.gz 596819 BLAKE2B 63522f06337573996c66aa3c0b81ef535020898b18e1885eee805fd1835f056debd8871c1b871e9129a2cfd9138cdf6cb96404b2859059f0e8906b7e44fbcee9 SHA512 87fcb2c073963a66ce8ec1e356d102364b832e77939304f57faeeda9b592eab9192b225eb977ad168b619ca3b7f0da1061763084ff671cea0d6a094c478551f0
-TIMESTAMP 2025-04-01T06:10:43Z
+MANIFEST Manifest.files.gz 596980 BLAKE2B eddb25532154bba44bb35623eb68543626c56c08b4a9b70673d678e12e2e9d223dee9cf4d0203ab7966bfde59e62bbac75b407365fffaffd689f74499226bdef SHA512 63607f6c6d89e0de89c2ed0d49a183cf3ebf144547b6b6c3a675072d222d42a76895e60d6f7b099c2762d742420925f50f5f0705f64f212c92b5228a8c6aac91
+TIMESTAMP 2025-05-01T06:40:34Z
 -----BEGIN PGP SIGNATURE-----
 
-iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmfrg2NfFIAAAAAALgAo
+iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmgTF2JfFIAAAAAALgAo
 aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx
 RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY
-klA/uw/+IQmu9DSSDbsEjnWyooGUNr+aXX5NjlQX2+8c7AWpFugIUJCqiHFXyM1Q
-oXe76kt/DK8I8za/2ouhAzauiSib4J1fdTxk+vzQS99EH+ocerbDWS5Twxb/7p7V
-/6n4YdRN1wIQUOScvCDui/o6hqXOFk9LdGXBaDr388USilca08DSx0kK1aK/UFX6
-ZVGltml3Qax5PgbFdYAD68tS2KKDYCwtCouUMQ0kG96P+EQfgWdH3FDZ9DZ3GbYs
-q7Q6Bj77vRKY5PFAQTlePRSsp1hpCsfeZESi3dTdgagiG5BRaOhGoMzkbnzSNXlu
-xRu713wcSFXTNgpZvXP08tb2HudB4bpvo7FT7pDhmJq2CmVqdoNenaiU5ewb3yKp
-I2YH/BqDKuYpFOOd/KfjRt6X+YtMM33KwMa3erWxk+G9ObTEV/iugleawiVPXBrr
-kN2OJCgt+Gz0oXdx3ieWvql95X7UDxGyYNvrZsOcVPct2MGRtsyjLS5Dbz00Viea
-huQ0t4CU6eJ093g88vKDfmMwTP7ViRX1z4447iAonb90tucRnGy+0WAWYmHq2uWQ
-rzLSlxBFxtsxxzRYXvb11V/MD7lxE968IYx1pB/n12vl7CoIVL+wfrDWYWZB/Vv5
-oS1SxZa7EBMHE0i35PhMeE1SMKMQFDKvwShtLW4cK4rz7D/G1NM=
-=m/Wp
+klDRMQ/+PAi2qYoR0sip4LFgbYOupfpmsR8tU5KJ1/74lCyKWzBeJXLv6ZpzzUfQ
+/zdiT7LTQTI/S+rLzGZ9iuru+SDj+TmSaqqe3/V47EMXrIUMQmi2/wpv4Xdz6SZv
+vaIEnBvxy7AcER2kd3SjuP7oqh49lY3M8lSxGzDcyLuKLMtA0GruuXoOHK8Kc32p
+e4MTmHiysNkwQ48mxpogteDz6UzMDz69H+RidhBJLcXj+VNi69jmLFUUWJ0WlINK
+BScxduFU4NdYew2iDUFohVSAvLshHnpWUg/S6WlJo1Kf7XSjROBnuNxbrHrRfBRh
+m4mx1fdXE73jM7QOpyx+BflrOEBmvrsGC2WJpI+YU5HmhRldkq9I1+amcPJEx/WD
+8lTul44UWczfeDxOjVSwQ4Ez0a3YzGxtvo/6aT/P/8u6lxZwXC73F4vPe9B/qQDn
+tCVkS4kDfMQf3zUlypFo3ny6eF54AcWzaT6XDIYVYJD1aSMXXqHhoffznAFB9Tjd
+gmYAjCPk/6Oi7WPKEg+TryBnQLv9GEL7TRpQDAAMf0vc8OXwsJbEfS1HO8msMjA7
++q4SVTPh7y9uKR62hu9MLuEXBxm3w4fS+U8e+62SVPIqwFsa5Q92Sh98AOPjK9yY
+ViFNSQ0SCOaoWbmk9YFaC7JywXnlIXpD7si1W5a4hQ9aIF+qLqs=
+=4GyX
 -----END PGP SIGNATURE-----

sdk_container/src/third_party/portage-stable/metadata/glsa/Manifest.files.gz

@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202504-01">
+    <title>XZ Utils: Use after free</title>
+    <synopsis>A vulnerability has been discovered in XZ Utils, which could lead to denial of service.</synopsis>
+    <product type="ebuild">xz-utils</product>
+    <announced>2025-04-05</announced>
+    <revised count="1">2025-04-05</revised>
+    <bug>953086</bug>
+    <access>remote</access>
+    <affected>
+        <package name="app-arch/xz-utils" auto="yes" arch="*">
+            <unaffected range="ge">5.6.4-r1</unaffected>
+            <vulnerable range="lt">5.6.4-r1</vulnerable>
+        </package>
+    </affected>
+    <background>
+        <p>XZ Utils is free general-purpose data compression software with a high compression ratio.</p>
+    </background>
+    <description>
+        <p>A use-after-free has been discovered in XZ utils. Please review the CVE identifier referenced below for details.</p>
+    </description>
+    <impact type="normal">
+        <p>The multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash. The effects include heap use after free and writing to an address based on the null pointer plus an offset. Applications and libraries that use the lzma_stream_decoder_mt function are affected.
+
+It&#39;s unlikely one can achieve more than a crash if xz is built with PIE on a 64-bit system especially, as is done in Gentoo by default.</p>
+    </impact>
+    <workaround>
+        <p>There is no known workaround at this time.</p>
+    </workaround>
+    <resolution>
+        <p>All XZ utils users should upgrade to the latest version:</p>
+        
+        <code>
+          # emerge --sync
+          # emerge --ask --oneshot --verbose ">=app-arch/xz-utils-5.6.4-r1"
+        </code>
+    </resolution>
+    <references>
+        <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-31115">CVE-2025-31115</uri>
+    </references>
+    <metadata tag="requester" timestamp="2025-04-05T00:42:34.287919Z">sam</metadata>
+    <metadata tag="submitter" timestamp="2025-04-05T00:42:34.291736Z">sam</metadata>
+</glsa>

sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202504-01.xml

@@ -1 +1 @@
-Tue, 01 Apr 2025 06:10:40 +0000
+Thu, 01 May 2025 06:40:32 +0000

sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk

@@ -1 +1 @@
-8c44a0fc9958fea4290f5cca3cda73137cf7786a 1743192053 2025-03-28T20:00:53Z
+da2df533a0a1b5799029686bc64ece18ac31947e 1743813771 2025-04-05T00:42:51Z