Weekly portage-stable package updates 2024-01-01

.github/workflows/portage-stable-packages-list

@@ -68,6 +68,7 @@ app-alternatives/bzip2
 app-alternatives/cpio
 app-alternatives/gzip
 app-alternatives/lex
+app-alternatives/ninja
 app-alternatives/sh
 app-alternatives/tar
 app-alternatives/yacc
@@ -134,6 +135,7 @@ app-misc/zisofs-tools
 
 app-portage/elt-patches
 app-portage/gentoolkit
+app-portage/getuto
 app-portage/portage-utils
 
 app-shells/bash
@@ -217,20 +219,20 @@ dev-libs/userspace-rcu
 dev-libs/xmlsec
 
 dev-perl/File-Slurp
-dev-perl/Locale-gettext
 dev-perl/Parse-Yapp
 
 dev-python/autocommand
 dev-python/boto
-dev-python/certifi
 dev-python/crcmod
 dev-python/cython
 dev-python/distro
 dev-python/docutils
+dev-python/editables
 dev-python/fasteners
 dev-python/flit-core
 dev-python/gentoo-common
 dev-python/gpep517
+dev-python/hatchling
 dev-python/inflect
 dev-python/installer
 dev-python/jaraco-context
@@ -244,7 +246,9 @@ dev-python/more-itertools
 dev-python/nspektr
 dev-python/ordered-set
 dev-python/packaging
+dev-python/pathspec
 dev-python/platformdirs
+dev-python/pluggy
 dev-python/pydecomp
 dev-python/pygments
 dev-python/pyparsing
@@ -253,6 +257,7 @@ dev-python/setuptools-scm
 dev-python/six
 dev-python/snakeoil
 dev-python/tomli
+dev-python/trove-classifiers
 dev-python/typing-extensions
 dev-python/wheel
 
@@ -479,7 +484,9 @@ sys-block/parted
 sys-block/thin-provisioning-tools
 
 sys-boot/efibootmgr
-sys-boot/gnu-efi
+# Updating to 3.0.17 breaks building of sys-boot/shim.
+#
+# sys-boot/gnu-efi
 
 sys-devel/autoconf
 sys-devel/autoconf-archive
@@ -568,6 +575,7 @@ virtual/perl-File-Spec
 virtual/perl-File-Temp
 virtual/perl-Getopt-Long
 virtual/perl-IO
+virtual/perl-Unicode-Collate
 virtual/pkgconfig
 virtual/service-manager
 virtual/ssh

changelog/security/2024-01-05-weekly-updates.md

@@ -0,0 +1,8 @@
+- vim ([CVE-2023-5344](https://nvd.nist.gov/vuln/detail/CVE-2023-5344), [CVE-2023-5441](https://nvd.nist.gov/vuln/detail/CVE-2023-5441), [CVE-2023-5535](https://nvd.nist.gov/vuln/detail/CVE-2023-5535), [CVE-2023-46246](https://nvd.nist.gov/vuln/detail/CVE-2023-46246))
+- perl ([CVE-2023-47038](https://nvd.nist.gov/vuln/detail/CVE-2023-47038))
+- libxml2 ([CVE-2023-45322](https://nvd.nist.gov/vuln/detail/CVE-2023-45322))
+- traceroute ([CVE-2023-46316](https://nvd.nist.gov/vuln/detail/CVE-2023-46316))
+- gnutls ([CVE-2023-5981](https://nvd.nist.gov/vuln/detail/CVE-2023-5981))
+- curl ([CVE-2023-46218](https://nvd.nist.gov/vuln/detail/CVE-2023-46218), [CVE-2023-46219](https://nvd.nist.gov/vuln/detail/CVE-2023-46219))
+- binutils ([CVE-2023-1972](https://nvd.nist.gov/vuln/detail/CVE-2023-1972))
+- zlib ([CVE-2023-45853](https://nvd.nist.gov/vuln/detail/CVE-2023-45853))

changelog/updates/2024-01-05-weekly-updates.md

@@ -0,0 +1,32 @@
+- bash ([5.2_p21](https://git.savannah.gnu.org/cgit/bash.git/log/?id=2bb3cbefdb8fd019765b1a9cc42ecf37ff22fec6))
+- binutils ([2.41](https://lists.gnu.org/archive/html/info-gnu/2023-07/msg00009.html))
+- coreutils ([9.4](https://lists.gnu.org/archive/html/info-gnu/2023-08/msg00007.html))
+- curl ([8.5.0](https://curl.se/changes.html#8_5_0))
+- elfutils ([0.190](https://sourceware.org/git/?p=elfutils.git;a=blob;f=NEWS;h=0420d3b8376877c1b11712f1aad90a2e2b6f6d06;hb=c1058da5a450e33e72b72abb53bc3ffd7f6b361b))
+- gawk ([5.3.0](https://lwn.net/Articles/949829/))
+- gentoolkit ([0.6.3](https://gitweb.gentoo.org/proj/gentoolkit.git/log/?h=gentoolkit-0.6.3))
+- gettext ([0.22.4](https://savannah.gnu.org/news/?id=10544))
+- glib ([2.78.3](https://gitlab.gnome.org/GNOME/glib/-/blob/2.78.3/NEWS))
+- gnutls ([3.8.2](https://lists.gnupg.org/pipermail/gnutls-help/2023-November/004837.html))
+- groff ([1.23.0](https://lists.gnu.org/archive/html/info-gnu/2023-07/msg00001.html))
+- hwdata ([0.376](https://github.com/vcrhonek/hwdata/commits/v0.376))
+- iproute2 ([6.6.0](https://marc.info/?l=linux-netdev&m=169929000929786&w=2))
+- ipset ([7.19](https://git.netfilter.org/ipset/tree/ChangeLog?id=ce6db35a0ea950e850ebe7c50ce46908c1c3bb2b))
+- kbd ([2.6.4](https://github.com/legionus/kbd/releases/tag/v2.6.4))
+- kmod ([31](https://github.com/kmod-project/kmod/blob/v31/NEWS))
+- libarchive ([3.7.2](https://github.com/libarchive/libarchive/releases/tag/v3.7.2))
+- libksba ([1.6.5](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libksba.git;a=blob;f=NEWS;h=369cfb5d91bf232685a6c5b156453a624e11ed67;hb=7b3e4785e54280d1a13c5bc839bdc6722d898ac7))
+- libnsl ([2.0.1](https://github.com/thkukuk/libnsl/releases/tag/v2.0.1))
+- libxslt ([1.1.39](https://gitlab.gnome.org/GNOME/libxslt/-/releases/v1.1.39))
+- lsof ([4.99.0](https://github.com/lsof-org/lsof/blob/4.99.0/00DIST#L5523))
+- SDK: perl ([5.38.2](https://perldoc.perl.org/5.38.2/perldelta))
+- portage ([3.0.59](https://gitweb.gentoo.org/proj/portage.git/tree/NEWS?h=portage-3.0.59))
+- python ([3.11.7](https://www.python.org/downloads/release/python-3117/))
+- readline ([8.2_p7](https://git.savannah.gnu.org/cgit/readline.git/log/?id=bfe9c573a9e376323929c80b2b71c59727fab0cc))
+- repo (2.37)
+- sqlite ([3.44.2](https://www.sqlite.org/releaselog/3_44_2.html))
+- traceroute ([2.1.3](https://sourceforge.net/projects/traceroute/files/traceroute/traceroute-2.1.3/))
+- usbutils ([016](https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usbutils.git/tree/NEWS?h=v016))
+- util-linux ([2.39.2](https://github.com/util-linux/util-linux/blob/v2.39.2/Documentation/releases/v2.39.2-ReleaseNotes))
+- vim ([9.0.2092](https://github.com/vim/vim/commits/v9.0.2092/))
+- xmlsec ([1.3.2](https://github.com/lsh123/xmlsec/releases/tag/xmlsec_1_3_2))

sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords

@@ -21,21 +21,20 @@
 # Needed to fix CVE-2023-36054.
 =app-crypt/mit-krb5-1.21.2 ~amd64 ~arm64
 
-# Needed to address CVE-2023-2609 and CVE-2023-2610.
-=app-editors/vim-9.0.1678 ~amd64 ~arm64
-=app-editors/vim-core-9.0.1678 ~amd64 ~arm64
-
 # Needed by arm64-native SDK.
 =app-emulation/open-vmdk-1.0 *
 
+# Needed for addressing CVE-2023-50246 and CVE-2023-50268.
+=app-misc/jq-1.7.1 ~amd64 ~arm64
+
 # Keep versions on both arches in sync.
 =app-misc/pax-utils-1.3.7 ~amd64
 
 # Needed for addressing CVE-2023-50246, CVE-2023-50268
 =app-misc/jq-1.7.1 ~amd64 ~arm64
 
 # Required for addressing CVE-2022-3715.
-=app-shells/bash-5.2_p15-r7 ~amd64 ~arm64
+=app-shells/bash-5.2_p21-r1 ~amd64 ~arm64
 
 # No keyword for arm64 yet.
 =coreos-devel/fero-client-0.1.1 **
@@ -44,9 +43,6 @@
 =dev-embedded/u-boot-tools-2021.04_rc2 ~arm64
 =dev-lang/nasm-2.15.05 ~arm64
 
-# Keep versions on both arches in sync.
-=dev-lang/python-3.11.6 ~amd64
-
 # Accept unstable host Rust compilers.
 =dev-lang/rust-1.75.0 ~amd64 ~arm64
 
@@ -55,42 +51,51 @@
 
 # Keep versions on both arches in sync.
 =dev-libs/ding-libs-0.6.2-r1 ~arm64
+=dev-libs/glib-2.78.3 ~arm64
+=dev-libs/gobject-introspection-1.78.1 ~arm64
+=dev-libs/gobject-introspection-common-1.78.1 ~arm64
 =dev-libs/libdnet-1.16.2 ~arm64
-=dev-libs/libgcrypt-1.10.2 ~arm64
-=dev-libs/libsodium-1.0.19-r1 ~arm64
 =dev-libs/libunistring-1.1-r1 ~arm64
+=dev-libs/libxml2-2.11.5-r1 ~amd64
 =dev-util/bpftool-6.5.7 ~arm64
+=dev-util/gdbus-codegen-2.78.3 ~arm64
+=dev-util/glib-utils-2.78.3 ~arm64
 =net-firewall/conntrack-tools-1.4.6-r1 ~arm64
 
-# Required for addressing CVE-2023-0361.
-=net-libs/gnutls-3.8.0 ~arm64
+# Required for addressing CVE-2023-0361 and CVE-2023-5981.
+=net-libs/gnutls-3.8.2 ~amd64 ~arm64
 
 # Keep versions on both arches in sync.
 =net-libs/libnetfilter_cthelper-1.0.1-r1 ~arm64
 =net-libs/libnetfilter_cttimeout-1.0.1 ~arm64
 
+# Needed for addressing CVE-2023-46218 and CVE-2023-46219
+=net-misc/curl-8.5.0 ~amd64 ~arm64
+
 # Required to allow us to override the sftp subsystem in sshd config.
 =net-misc/openssh-9.4_p1 ~amd64 ~arm64
 
 # Keep versions on both arches in sync.
 =net-nds/openldap-2.6.4-r1 ~amd64
+=sys-apps/coreutils-9.4 ~amd64
 =sys-apps/kexec-tools-2.0.24 ~arm64
-=sys-block/thin-provisioning-tools-1.0.6 ~amd64
+=sys-apps/util-linux-2.39.2-r1 ~amd64
 
 # Enable ipvsadm for arm64.
 =sys-cluster/ipvsadm-1.31-r1 ~arm64
 
 # Keep versions on both arches in sync.
-=sys-devel/binutils-2.40-r9 ~arm64
 =sys-firmware/edk2-aarch64-18.02 **
-=sys-libs/binutils-libs-2.40-r7 ~arm64
+
+# Keep linux headers in sync with used kernel
+=sys-kernel/linux-headers-6.6 ~amd64 ~arm64
 
 # Needed to fix CVE-2023-29491.
 =sys-libs/ncurses-6.4_p20230527 ~amd64 ~arm64
 
 # A dependency of app-shells/bash version that we need for security
 # fixes.
-=sys-libs/readline-8.2_p1 ~amd64 ~arm64
+=sys-libs/readline-8.2_p7 ~amd64 ~arm64
 
 # Needed to fix CVE-2023-4016.
 =sys-process/procps-4.0.4 ~amd64

sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use

@@ -39,7 +39,7 @@ net-firewall/ipset -modules
 dev-libs/glib -mime
 
 # keep grub build simple
-sys-boot/grub -multislot -nls -themes -fonts
+sys-boot/grub -multislot -themes -fonts
 
 # disable "high performance ssh" patch, turn on kerberos
 net-misc/openssh -hpn kerberos
@@ -73,9 +73,6 @@ sys-apps/portage -xattr -rsync-verify
 # Enable -M and -Z flags; -M is used by mayday
 sys-process/lsof rpc selinux
 
-# Prevent pulling in a ton of perl dependencies
-sys-apps/man-db -nls
-
 # Disable zstd to avoid adding it to prod images until something needs it
 sys-fs/btrfs-progs -zstd
 
@@ -136,10 +133,10 @@ sys-apps/util-linux -su
 net-fs/nfs-utils kerberos nfsv41 nfsv4 junction ldap libmount nfsdcld uuid
 net-libs/libtirpc kerberos
 
-# Disable enabled-by-default support for 16-bit characters, we didn't
-# need it before, so we don't need it now. Enable unicode support, as
-# glib requires it now.
-dev-libs/libpcre2 -pcre16 unicode
+# Disable enabled-by-default support for 16-bit and 32-bit characters,
+# we didn't need it before, so we don't need it now. Enable unicode
+# support, as glib requires it now.
+dev-libs/libpcre2 -pcre16 -pcre32 unicode
 
 # Disable extra stuff for tcpdump, there was no explanation why it was
 # enabled by upstream. Samba was enabled to make some tests pass. But

sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use.force

@@ -9,6 +9,7 @@ app-alternatives/bzip2 reference
 app-alternatives/cpio gnu
 app-alternatives/gzip reference
 app-alternatives/lex flex
+app-alternatives/ninja reference
 app-alternatives/sh bash
 app-alternatives/tar gnu
 app-alternatives/yacc bison

sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/use.mask

@@ -15,3 +15,7 @@ python_single_target_python3_12
 
 # Unmask selinux so it can be enabled selectively in package.use
 -selinux
+
+# We don't care about i10n, takes too much space, pulls in too many
+# extra dependencies.
+nls

sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/make.defaults

@@ -4,7 +4,7 @@
 USE="cros-debug acpi usb symlink-usr cryptsetup policykit"
 USE="${USE} -split-usr -cros_host -expat -cairo -X -man"
 USE="${USE} -acl -gpm -python"
-USE="${USE} -fortran -abiword -perl -cups -poppler-data -nls"
+USE="${USE} -fortran -abiword -perl -cups -poppler-data"
 
 # Exclude documentation
 FEATURES="nodoc noinfo noman"

sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.provided

@@ -5,7 +5,7 @@
 # disable them and we have no need/use for them in prod images.
 
 # pulled in by app-crypt/pinentry
-app-eselect/eselect-pinentry-0.7.2
+app-eselect/eselect-pinentry-0.7.3
 
 # pulled in by app-editors/vim
 app-eselect/eselect-vi-1.2

sdk_container/src/third_party/portage-stable/app-admin/eselect/eselect-1.4.26.ebuild → sdk_container/src/third_party/portage-stable/app-admin/eselect/eselect-1.4.26-r1.ebuild

@@ -19,11 +19,9 @@ SLOT="0"
 KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ~ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
 IUSE="doc emacs vim-syntax"
 
-DEPEND="sys-apps/sed
-	|| (
-		sys-apps/coreutils
-		app-misc/realpath
-	)"
+# coreutils for realpath
+DEPEND="sys-apps/coreutils
+	sys-apps/sed"
 RDEPEND="${DEPEND}
 	sys-apps/file
 	sys-libs/ncurses:0"

sdk_container/src/third_party/portage-stable/app-admin/eselect/eselect-1.4.27.ebuild → sdk_container/src/third_party/portage-stable/app-admin/eselect/eselect-1.4.27-r1.ebuild

@@ -19,11 +19,9 @@ SLOT="0"
 KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
 IUSE="doc emacs vim-syntax"
 
-DEPEND="sys-apps/sed
-	|| (
-		sys-apps/coreutils
-		app-misc/realpath
-	)"
+# coreutils for realpath
+DEPEND="sys-apps/coreutils
+	sys-apps/sed"
 RDEPEND="${DEPEND}
 	sys-apps/file
 	sys-libs/ncurses:0"

sdk_container/src/third_party/portage-stable/app-admin/eselect/eselect-9999.ebuild

@@ -1,4 +1,4 @@
-# Copyright 1999-2020 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=7
@@ -14,11 +14,9 @@ LICENSE="GPL-2+ || ( GPL-2+ CC-BY-SA-4.0 )"
 SLOT="0"
 IUSE="doc emacs vim-syntax"
 
-DEPEND="sys-apps/sed
-	|| (
-		sys-apps/coreutils
-		app-misc/realpath
-	)"
+# coreutils for realpath
+DEPEND="sys-apps/coreutils
+	sys-apps/sed"
 RDEPEND="${DEPEND}
 	sys-apps/file
 	sys-libs/ncurses:0"