Diffstat (limited to 'metadata/glsa')
-rw-r--r--metadata/glsa/Manifest30
-rw-r--r--metadata/glsa/Manifest.files.gzbin596819 -> 596980 bytes
-rw-r--r--metadata/glsa/glsa-202504-01.xml44
-rw-r--r--metadata/glsa/timestamp.chk2
-rw-r--r--metadata/glsa/timestamp.commit2
5 files changed, 61 insertions, 17 deletions
diff --git a/metadata/glsa/Manifest b/metadata/glsa/Manifest
index eafe88e508d9..cb3a17ea5143 100644
--- a/metadata/glsa/Manifest
+++ b/metadata/glsa/Manifest
@@ -1,23 +1,23 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
-MANIFEST Manifest.files.gz 596819 BLAKE2B 63522f06337573996c66aa3c0b81ef535020898b18e1885eee805fd1835f056debd8871c1b871e9129a2cfd9138cdf6cb96404b2859059f0e8906b7e44fbcee9 SHA512 87fcb2c073963a66ce8ec1e356d102364b832e77939304f57faeeda9b592eab9192b225eb977ad168b619ca3b7f0da1061763084ff671cea0d6a094c478551f0
-TIMESTAMP 2025-04-04T23:41:00Z
+MANIFEST Manifest.files.gz 596980 BLAKE2B eddb25532154bba44bb35623eb68543626c56c08b4a9b70673d678e12e2e9d223dee9cf4d0203ab7966bfde59e62bbac75b407365fffaffd689f74499226bdef SHA512 63607f6c6d89e0de89c2ed0d49a183cf3ebf144547b6b6c3a675072d222d42a76895e60d6f7b099c2762d742420925f50f5f0705f64f212c92b5228a8c6aac91
+TIMESTAMP 2025-04-05T23:31:04Z
-----BEGIN PGP SIGNATURE-----
-iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmfwbgxfFIAAAAAALgAo
+iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmfxvTlfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx
RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY
-klAxQhAAgt5N4a7Kd/gbOgtM3ynnPyOrIO96KagmYE2P5TgRfX+rvin4i5Y2GS9k
-ajw+6HHNXcL3DJ2rEjWpWGS6twOC8/c9ZcqKLLg+cvXdAgfoR79+hK9CIyUzrSTV
-GURfK4SfdwcfBk35u0gRaU6cnSvw2c80KL0HSo03Hv5b2BevnRwS0J5SP8xLyU/5
-3Iz5Rup4eGiSaFwGTyfwuQ9KhHi0imSvTPj1jEoYTw61/hl1RWSrAmpVjL0H7h+S
-06IE8MqsS0PzVvGaQZYspAveXiKtUuRnFPfb6Xc+kbW5Q38ejA5UcZhYRDPg4UCj
-QXTDvoPYpnB1PUyDQxnPydlkOc/Lak1WgEmqbiPjZX6eNpmD+m9XVZMQWNT3tHf7
-Wxu8zoNF01xHqdGmkn3KTTc3bHfceFbKXoOagW4qtRbyYNtQE5o6ICCCAfCFyFrY
-U/cePw5hvqdITCa/ioIl2QeMBSzR32hvk9VNhlmNzfVfzVumupmdLXOb4l1U9U26
-TeJ3Cc7rJwHJa4RMZ6hpC9iyrGX1k0UzbMF9aAx0JYkFmnrV/BuuI74R1iFSTcAf
-+X+4du7YHMlHn5Qeo8NYnU0HXQ5V63hBlW/hD4JEeuH0P0viEjxHi9T1zjpEASIP
-JcjOqvrufi6DgttqiliK67sWrLSGlxT32bOVRj9DoqYOqifk2os=
-=/d9J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+=xLbZ
-----END PGP SIGNATURE-----
diff --git a/metadata/glsa/Manifest.files.gz b/metadata/glsa/Manifest.files.gz
index 3253252d39dd..174f96b7d262 100644
--- a/metadata/glsa/Manifest.files.gz
+++ b/metadata/glsa/Manifest.files.gz
Binary files differ
diff --git a/metadata/glsa/glsa-202504-01.xml b/metadata/glsa/glsa-202504-01.xml
new file mode 100644
index 000000000000..1e80046976b4
--- /dev/null
+++ b/metadata/glsa/glsa-202504-01.xml
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="202504-01">
+ <title>XZ Utils: Use after free</title>
+ <synopsis>A vulnerability has been discovered in XZ Utils, which could lead to denial of service.</synopsis>
+ <product type="ebuild">xz-utils</product>
+ <announced>2025-04-05</announced>
+ <revised count="1">2025-04-05</revised>
+ <bug>953086</bug>
+ <access>remote</access>
+ <affected>
+ <package name="app-arch/xz-utils" auto="yes" arch="*">
+ <unaffected range="ge">5.6.4-r1</unaffected>
+ <vulnerable range="lt">5.6.4-r1</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>XZ Utils is free general-purpose data compression software with a high compression ratio.</p>
+ </background>
+ <description>
+ <p>A use-after-free has been discovered in XZ utils. Please review the CVE identifier referenced below for details.</p>
+ </description>
+ <impact type="normal">
+ <p>The multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash. The effects include heap use after free and writing to an address based on the null pointer plus an offset. Applications and libraries that use the lzma_stream_decoder_mt function are affected.
+
+It&#39;s unlikely one can achieve more than a crash if xz is built with PIE on a 64-bit system especially, as is done in Gentoo by default.</p>
+ </impact>
+ <workaround>
+ <p>There is no known workaround at this time.</p>
+ </workaround>
+ <resolution>
+ <p>All XZ utils users should upgrade to the latest version:</p>
+
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-arch/xz-utils-5.6.4-r1"
+ </code>
+ </resolution>
+ <references>
+ <uri link="https://nvd.nist.gov/vuln/detail/CVE-2025-31115">CVE-2025-31115</uri>
+ </references>
+ <metadata tag="requester" timestamp="2025-04-05T00:42:34.287919Z">sam</metadata>
+ <metadata tag="submitter" timestamp="2025-04-05T00:42:34.291736Z">sam</metadata>
+</glsa> \ No newline at end of file
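Review bot: The `<synopsis>` names only denial of service, while the `<impact>` text in the same file describes a heap use after free and a write to an address based on the null pointer plus an offset, and ties the crash-only expectation to PIE builds on 64-bit systems. Anyone who triages from the synopsis alone, or who runs a non-PIE or 32-bit build, gets a narrower picture than the advisory itself supports; I would word it as `<synopsis>A vulnerability has been discovered in XZ Utils, which could lead to denial of service or memory corruption.</synopsis>`. The impact `<p>` also holds two paragraphs separated by a blank line, which a renderer that collapses whitespace will merge, so the second is better as its own `<p>` element with a literal apostrophe in place of `&#39;`. Separately, the DOCTYPE's `SYSTEM` identifier is a plain `http://` URL; if that is the established form for these files it should stay, but tools that consume this file should parse it with external DTD loading disabled rather than fetch it.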
diff --git a/metadata/glsa/timestamp.chk b/metadata/glsa/timestamp.chk
index 03d79ced845b..b49ea21c5684 100644
--- a/metadata/glsa/timestamp.chk
+++ b/metadata/glsa/timestamp.chk
@@ -1 +1 @@
-Fri, 04 Apr 2025 23:40:56 +0000
+Sat, 05 Apr 2025 23:29:40 +0000
diff --git a/metadata/glsa/timestamp.commit b/metadata/glsa/timestamp.commit
index ad34d21cfea9..d4c903585d6b 100644
--- a/metadata/glsa/timestamp.commit
+++ b/metadata/glsa/timestamp.commit
@@ -1 +1 @@
-8c44a0fc9958fea4290f5cca3cda73137cf7786a 1743192053 2025-03-28T20:00:53Z
+da2df533a0a1b5799029686bc64ece18ac31947e 1743813771 2025-04-05T00:42:51Z