Thursday, February 28, 2013

[USN-1729-2] Firefox regression

==========================================================================
Ubuntu Security Notice USN-1729-2
March 01, 2013

firefox regression
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10

Summary:

Due to a regression, Firefox might crash or freeze under normal use.

Software Description:
- firefox: Mozilla Open Source web browser

Details:

USN-1729-1 fixed vulnerabilities in Firefox. This update introduced a
regression which sometimes resulted in freezes and crashes when using
multiple tabs with images displayed. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

Olli Pettay, Christoph Diehl, Gary Kwong, Jesse Ruderman, Andrew McCreight,
Joe Drew, Wayne Mery, Alon Zakai, Christian Holler, Gary Kwong, Luke
Wagner, Terrence Cole, Timothy Nikkel, Bill McCloskey, and Nicolas Pierron
discovered multiple memory safety issues affecting Firefox. If the user
were tricked into opening a specially crafted page, an attacker could
possibly exploit these to cause a denial of service via application crash.
(CVE-2013-0783, CVE-2013-0784)

Atte Kettunen discovered that Firefox could perform an out-of-bounds read
while rendering GIF format images. An attacker could exploit this to crash
Firefox. (CVE-2013-0772)

Boris Zbarsky discovered that Firefox did not properly handle some wrapped
WebIDL objects. If the user were tricked into opening a specially crafted
page, an attacker could possibly exploit this to cause a denial of service
via application crash, or potentially execute code with the privileges of
the user invoking Firefox. (CVE-2013-0765)

Bobby Holley discovered vulnerabilities in Chrome Object Wrappers (COW) and
System Only Wrappers (SOW). If a user were tricked into opening a specially
crafted page, a remote attacker could exploit this to bypass security
protections to obtain sensitive information or potentially execute code
with the privileges of the user invoking Firefox. (CVE-2013-0773)

Frederik Braun discovered that Firefox made the location of the active
browser profile available to JavaScript workers. (CVE-2013-0774)

A use-after-free vulnerability was discovered in Firefox. An attacker could
potentially exploit this to execute code with the privileges of the user
invoking Firefox. (CVE-2013-0775)

Michal Zalewski discovered that Firefox would not always show the correct
address when cancelling a proxy authentication prompt. A remote attacker
could exploit this to conduct URL spoofing and phishing attacks.
(CVE-2013-0776)

Abhishek Arya discovered several problems related to memory handling. If
the user were tricked into opening a specially crafted page, an attacker
could possibly exploit these to cause a denial of service via application
crash, or potentially execute code with the privileges of the user invoking
Firefox. (CVE-2013-0777, CVE-2013-0778, CVE-2013-0779, CVE-2013-0780,
CVE-2013-0781, CVE-2013-0782)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.10:
firefox 19.0+build1-0ubuntu0.12.10.2

Ubuntu 12.04 LTS:
firefox 19.0+build1-0ubuntu0.12.04.2

Ubuntu 11.10:
firefox 19.0+build1-0ubuntu0.11.10.2

After a standard system update you need to restart Firefox to make all the
necessary changes.

References:
http://www.ubuntu.com/usn/usn-1729-2
http://www.ubuntu.com/usn/usn-1729-1
https://launchpad.net/bugs/1134409

Package Information:
https://launchpad.net/ubuntu/+source/firefox/19.0+build1-0ubuntu0.12.10.2
https://launchpad.net/ubuntu/+source/firefox/19.0+build1-0ubuntu0.12.04.2
https://launchpad.net/ubuntu/+source/firefox/19.0+build1-0ubuntu0.11.10.2

[CentOS-announce] CESA-2013:0581 Moderate CentOS 5 libxml2 Update

CentOS Errata and Security Advisory 2013:0581 Moderate

Upstream details at : https://rhn.redhat.com/errata/RHSA-2013-0581.html

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

i386:
37744da0abe7d75464da9498d9ad2575c550e875cf068f0d00e30d8c9221b0b5 libxml2-2.6.26-2.1.21.el5_9.1.i386.rpm
4a444273456b1fdba7330b37e6033715b7d471530e14c2d6f0e516fc6897f205 libxml2-devel-2.6.26-2.1.21.el5_9.1.i386.rpm
144b9741b82d70cb82de090609482987d34d6cdac657a9fbb9954f569cbdbaa0 libxml2-python-2.6.26-2.1.21.el5_9.1.i386.rpm

x86_64:
37744da0abe7d75464da9498d9ad2575c550e875cf068f0d00e30d8c9221b0b5 libxml2-2.6.26-2.1.21.el5_9.1.i386.rpm
a68601aad7a108fc5dce83d8d107a8e4850afcd58e378360a34123b6b639435b libxml2-2.6.26-2.1.21.el5_9.1.x86_64.rpm
4a444273456b1fdba7330b37e6033715b7d471530e14c2d6f0e516fc6897f205 libxml2-devel-2.6.26-2.1.21.el5_9.1.i386.rpm
f528e385046af9543854df65f50ab7214e2d62812752e52f3a2e98712ad4c268 libxml2-devel-2.6.26-2.1.21.el5_9.1.x86_64.rpm
cbe3c0ecbe4dd9f6696e440617862ee876999b7f4c3d7eab36214aee74008d01 libxml2-python-2.6.26-2.1.21.el5_9.1.x86_64.rpm

Source:
30a7bb607148784ac9bf6e76a4ab1914df94d4a2cbf2f5d23c7a4665aeef99c7 libxml2-2.6.26-2.1.21.el5_9.1.src.rpm

--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net

_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
http://lists.centos.org/mailman/listinfo/centos-announce

[CentOS-announce] CEBA-2013:0575 CentOS 5 libvirt Update

CentOS Errata and Bugfix Advisory 2013:0575

Upstream details at : https://rhn.redhat.com/errata/RHBA-2013-0575.html

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

i386:
5d226b37e3a94f164d50aef45b3f6b7b0a64788404270fe021f5c6efc9e37dba libvirt-0.8.2-29.el5_9.1.i386.rpm
0a581b651ae75683f2448834b6bf2121d8ce2387c496bbced6999680a2202f83 libvirt-devel-0.8.2-29.el5_9.1.i386.rpm
a8ff6a0b9fef2f20c5901bedaa2cb23d7d2350f607e9d04c8fe40949990f8540 libvirt-python-0.8.2-29.el5_9.1.i386.rpm

x86_64:
5d226b37e3a94f164d50aef45b3f6b7b0a64788404270fe021f5c6efc9e37dba libvirt-0.8.2-29.el5_9.1.i386.rpm
f0d871e9abda492ba0bfb48ae25a0c0594d73c361a95464a5511c4779c844f0d libvirt-0.8.2-29.el5_9.1.x86_64.rpm
0a581b651ae75683f2448834b6bf2121d8ce2387c496bbced6999680a2202f83 libvirt-devel-0.8.2-29.el5_9.1.i386.rpm
5fea1922e24b927f92abe455120d70bbee8251374af868c7af90c7ccee4e8bf5 libvirt-devel-0.8.2-29.el5_9.1.x86_64.rpm
7456a0536afef03552b2b92293017e8bae17fc60536dcd3bf4a6053e62628ba6 libvirt-python-0.8.2-29.el5_9.1.x86_64.rpm

Source:
5ca698b978950796c6098fb3c1d3ce8dd7f4f963663daa068cd744b3a4331a41 libvirt-0.8.2-29.el5_9.1.src.rpm

--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net

[CentOS-announce] CESA-2013:0568 Important CentOS 5 dbus-glib Update

CentOS Errata and Security Advisory 2013:0568 Important

Upstream details at : https://rhn.redhat.com/errata/RHSA-2013-0568.html

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

i386:
0223ca642952e05ebc211d0a4c70d384c940ac27b099bc3d75b54ca68f9c0f90 dbus-glib-0.73-11.el5_9.i386.rpm
62777a9ce986e177104fe0e1a0f0426f301da6507598d498e9ce33fe2393455a dbus-glib-devel-0.73-11.el5_9.i386.rpm

x86_64:
0223ca642952e05ebc211d0a4c70d384c940ac27b099bc3d75b54ca68f9c0f90 dbus-glib-0.73-11.el5_9.i386.rpm
04b24df1ce6e666a9270a596a472f35feeaf6b838b8c243d4a84b9ca24de2520 dbus-glib-0.73-11.el5_9.x86_64.rpm
62777a9ce986e177104fe0e1a0f0426f301da6507598d498e9ce33fe2393455a dbus-glib-devel-0.73-11.el5_9.i386.rpm
884d110f0c5379c6ca1fffdfbba09f54d92945dd81e6d212139189c113a20f57 dbus-glib-devel-0.73-11.el5_9.x86_64.rpm

Source:
35b7f75cbbb1386b4e632c74925555778b07f0701066f92bc336f5e52f6c6fc9 dbus-glib-0.73-11.el5_9.src.rpm

--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net

[USN-1732-2] OpenSSL regression

==========================================================================
Ubuntu Security Notice USN-1732-2
February 28, 2013

openssl regression
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.10
- Ubuntu 12.04 LTS

Summary:

USN-1732-1 introduced a regression in OpenSSL.

Software Description:
- openssl: Secure Socket Layer (SSL) cryptographic library and tools

Details:

USN-1732-1 fixed vulnerabilities in OpenSSL. The fix for CVE-2013-0166 and
CVE-2012-2686 introduced a regression causing decryption failures on
hardware supporting AES-NI. This update temporarily reverts the security
fix pending further investigation. We apologize for the inconvenience.

Original advisory details:

Adam Langley and Wolfgang Ettlingers discovered that OpenSSL incorrectly
handled certain crafted CBC data when used with AES-NI. A remote attacker
could use this issue to cause OpenSSL to crash, resulting in a denial of
service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 12.10.
(CVE-2012-2686)

Nadhem Alfardan and Kenny Paterson discovered that the TLS protocol as used
in OpenSSL was vulnerable to a timing side-channel attack known as the
"Lucky Thirteen" issue. A remote attacker could use this issue to perform
plaintext-recovery attacks via analysis of timing data. (CVE-2013-0169)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.10:
libssl1.0.0 1.0.1c-3ubuntu2.2
openssl 1.0.1c-3ubuntu2.2

Ubuntu 12.04 LTS:
libssl1.0.0 1.0.1-4ubuntu5.7
openssl 1.0.1-4ubuntu5.7

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1732-2
http://www.ubuntu.com/usn/usn-1732-1
https://launchpad.net/bugs/1133333

Package Information:
https://launchpad.net/ubuntu/+source/openssl/1.0.1c-3ubuntu2.2
https://launchpad.net/ubuntu/+source/openssl/1.0.1-4ubuntu5.7

[USN-1754-1] Sudo vulnerability

==========================================================================
Ubuntu Security Notice USN-1754-1
February 28, 2013

sudo vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 10.04 LTS
- Ubuntu 8.04 LTS

Summary:

Sudo could be made to run programs as the administrator without a password
prompt.

Software Description:
- sudo: Provide limited super user privileges to specific users

Details:

Marco Schoepl discovered that Sudo incorrectly handled time stamp files
when the system clock is set to epoch. A local attacker could use this
issue to run Sudo commands without a password prompt.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.10:
sudo 1.8.5p2-1ubuntu1.1
sudo-ldap 1.8.5p2-1ubuntu1.1

Ubuntu 12.04 LTS:
sudo 1.8.3p1-1ubuntu3.4
sudo-ldap 1.8.3p1-1ubuntu3.4

Ubuntu 11.10:
sudo 1.7.4p6-1ubuntu2.2
sudo-ldap 1.7.4p6-1ubuntu2.2

Ubuntu 10.04 LTS:
sudo 1.7.2p1-1ubuntu5.6
sudo-ldap 1.7.2p1-1ubuntu5.6

Ubuntu 8.04 LTS:
sudo 1.6.9p10-1ubuntu3.10
sudo-ldap 1.6.9p10-1ubuntu3.10

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1754-1
CVE-2013-1775

Package Information:
https://launchpad.net/ubuntu/+source/sudo/1.8.5p2-1ubuntu1.1
https://launchpad.net/ubuntu/+source/sudo/1.8.3p1-1ubuntu3.4
https://launchpad.net/ubuntu/+source/sudo/1.7.4p6-1ubuntu2.2
https://launchpad.net/ubuntu/+source/sudo/1.7.2p1-1ubuntu5.6
https://launchpad.net/ubuntu/+source/sudo/1.6.9p10-1ubuntu3.10

Wednesday, February 27, 2013

Maintainers wanted for packages from 2013-02-27 FESCo Meeting

Greetings,

At today's FESCo meeting there were two tickets which had the end result
of needing to have new maintainers and comaintainers for some packages:

== https://fedorahosted.org/fesco/ticket/1028 ==

tor package was reassigned to a new maintainer. Former maintainer dropped
ownership of his other packages. Those are now orphaned and in need of a
new owner. Note to potential new maintainers: although not mandatory, you
may want to open an optional re-review request, as the spec files for some
of these may be very out of sync with the current Fedora Packaging Guidelines.

* clamav
* dhcp-forwarder
* fedora-usermgmt (epel branches still owned by ensc)
* gif2png
* hunt
* ip-sentinel
* kismet
* libextractor
* libtasn1
* milter-greylist
* mimetic
* util-vserver
* x11-ssh-askpass
* xmlrpc-c
* dietlibc (devel is still owned by ensc but maybe that was an oversight)

== https://fedorahosted.org/fesco/ticket/1091 ==

Non-Responsive Maintainer ticket for mediawiki. The mediawiki package was
assigned a new maintainer due to nonresponse. The former owner owns other
packages as well. FESCo asks that comaintainers be solicited for these
packages. If the package maintainer is nonresponsive for more packages,
consider performing the Mass Orphaning clause of the Nonresponsive
Maintainers Policy:

http://fedoraproject.org/wiki/Policy_for_nonresponsive_package_maintainers#Notes_for_Mass_Orphaning

* apt -- Debian's Advanced Packaging Tool with RPM support
* arpack -- Fortran77 subroutines for solving large scale eigenvalue problems
* chrpath -- Modify rpath of compiled programs
* fail2ban -- Ban IPs that make too many password failures
* fakechroot -- Gives a fake chroot environment
* fakeroot -- Gives a fake root environment
* fedora-package-config-apt -- Fedora configuration files for the apt-rpm package manager
* fedora-package-config-smart -- Fedora configuration files for the Smart package manager
* freenx-client -- Free client libraries and binaries for the NX protocol
* freenx-server -- Free Software (GPL) Implementation of the NX Server
* greylistd -- Greylisting daemon
* ivtv-firmware -- Firmware for the Hauppauge PVR 250/350/150/500/USB2 model series
* ivtv-utils -- Tools for the iTVC15/16 and CX23415/16 driver
* libcdaudio -- Control operation of a CD-ROM when playing audio CDs
* maildrop -- Mail delivery agent with filtering abilities
* mediawiki-openid -- The OpenID extension for MediaWiki
* nx -- Proxy system for X11
* perl-Text-CharWidth -- Get number of occupied columns of a string on terminal
* perl-Text-WrapI18N -- Line wrapping with support for several locale setups
* php-pear-Auth-OpenID -- PHP OpenID
* po4a -- A tool maintaining translations anywhere
* smart -- Next generation package handling tool
* synaptic -- Graphical frontend for APT package manager.
* vtk -- The Visualization Toolkit - A high level 3D visualization library
* vtkdata -- Example data file for VTK

Please let FESCo know via a ticket if you need any help becoming a comaintainer
because the owner is nonresponsive.

Thanks,

Toshio

[USN-1753-1] DBus-GLib vulnerability

==========================================================================
Ubuntu Security Notice USN-1753-1
February 27, 2013

dbus-glib vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 10.04 LTS

Summary:

An attacker could send crafted input to applications using DBus-GLib and
possibly escalate privileges.

Software Description:
- dbus-glib: simple interprocess messaging system

Details:

Sebastian Krahmer and Bastien Nocera discovered that DBus-GLib did not
properly validate the message sender when the "NameOwnerChanged" signal was
received. A local attacker could possibly use this issue to escalate their
privileges.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.10:
libdbus-glib-1-2 0.100-1ubuntu0.1

Ubuntu 12.04 LTS:
libdbus-glib-1-2 0.98-1ubuntu1.1

Ubuntu 11.10:
libdbus-glib-1-2 0.94-4ubuntu0.1

Ubuntu 10.04 LTS:
libdbus-glib-1-2 0.84-1ubuntu0.3

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1753-1
CVE-2013-0292

Package Information:
https://launchpad.net/ubuntu/+source/dbus-glib/0.100-1ubuntu0.1
https://launchpad.net/ubuntu/+source/dbus-glib/0.98-1ubuntu1.1
https://launchpad.net/ubuntu/+source/dbus-glib/0.94-4ubuntu0.1
https://launchpad.net/ubuntu/+source/dbus-glib/0.84-1ubuntu0.3

[USN-1752-1] GnuTLS vulnerability

==========================================================================
Ubuntu Security Notice USN-1752-1
February 27, 2013

gnutls13, gnutls26 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 10.04 LTS
- Ubuntu 8.04 LTS

Summary:

GnuTLS could be made to expose sensitive information over the network.

Software Description:
- gnutls26: GNU TLS library
- gnutls13: GNU TLS library

Details:

Nadhem Alfardan and Kenny Paterson discovered that the TLS protocol as used
in GnuTLS was vulnerable to a timing side-channel attack known as the
"Lucky Thirteen" issue. A remote attacker could use this issue to perform
plaintext-recovery attacks via analysis of timing data.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.10:
libgnutls26 2.12.14-5ubuntu4.2

Ubuntu 12.04 LTS:
libgnutls26 2.12.14-5ubuntu3.2

Ubuntu 11.10:
libgnutls26 2.10.5-1ubuntu3.3

Ubuntu 10.04 LTS:
libgnutls26 2.8.5-2ubuntu0.3

Ubuntu 8.04 LTS:
libgnutls13 2.0.4-1ubuntu2.9

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1752-1
CVE-2013-1619

Package Information:
https://launchpad.net/ubuntu/+source/gnutls26/2.12.14-5ubuntu4.2
https://launchpad.net/ubuntu/+source/gnutls26/2.12.14-5ubuntu3.2
https://launchpad.net/ubuntu/+source/gnutls26/2.10.5-1ubuntu3.3
https://launchpad.net/ubuntu/+source/gnutls26/2.8.5-2ubuntu0.3
https://launchpad.net/ubuntu/+source/gnutls13/2.0.4-1ubuntu2.9

[USN-1751-1] Linux kernel (OMAP4) vulnerability

==========================================================================
Ubuntu Security Notice USN-1751-1
February 27, 2013

linux-ti-omap4 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.10

Summary:

The system could be made to crash or run programs as an administrator.

Software Description:
- linux-ti-omap4: Linux kernel for OMAP4

Details:

Mathias Krause discovered a bounds checking error for netlink messages
requesting SOCK_DIAG_BY_FAMILY. An unprivileged local user could exploit
this flaw to crash the system or run programs as an administrator.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.10:
linux-image-3.5.0-220-omap4 3.5.0-220.29

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1751-1
CVE-2013-1763

Package Information:
https://launchpad.net/ubuntu/+source/linux-ti-omap4/3.5.0-220.29

Tuesday, February 26, 2013

[opensuse-announce] Notification of removal of GNOME:Apps SLE_11_SP1

We will be removing GNOME:Apps SLE_11_SP1 build-target and repository in
about a week.

Please switch to GNOME:Apps SLE_11_SP2 for continued use of GNOME:Apps
on SUSE SLED/S.

We are doing this to save build power and HD space on our beloved OBS
service.

On behalf of your friendly Gnome maintainers,

Zaitor / Bjørn Lie

--
To unsubscribe, e-mail: opensuse-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-announce+help@opensuse.org

[FreeBSD-Announce] FreeBSD Foundation Announces Newly Funded Project!

Dear FreeBSD Community,

The FreeBSD Foundation is pleased to announce that Semihalf, an
embedded solutions company, has been awarded a grant to develop
transparent superpages support for the FreeBSD/arm architecture.
Semihalf is co-sponsoring the project with the foundation.

The ARM architecture is already common in the mobile and embedded
markets, and is becoming more prevalent in the server market. Among
the more interesting industry trends emerging recently is the 64-bit
ARMv8 architecture, which brings with it the "ARM server" concept. Many
top tier companies have started developing systems or are announcing
products with this architecture.

One of the features needed for FreeBSD to be successful in this area
is transparent super pages. This provides improved performance and
scalability by allowing TLB translations to dynamically cover large
physical memory regions.

The project is expected to complete in mid July 2013.

The FreeBSD Foundation
_______________________________________________
freebsd-announce@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-announce
To unsubscribe, send any mail to "freebsd-announce-unsubscribe@freebsd.org"

[USN-1750-1] Linux kernel vulnerabilities

==========================================================================
Ubuntu Security Notice USN-1750-1
February 26, 2013

linux vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.10

Summary:

The system could be made to crash or run programs as an administrator.

Software Description:
- linux: Linux kernel

Details:

Brad Spengler discovered a bounds checking error for netlink messages
requesting SOCK_DIAG_BY_FAMILY. An unprivileged local user could exploit
this flaw to crash the system or run programs as an administrator.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.10:
linux-image-3.5.0-25-generic 3.5.0-25.39
linux-image-3.5.0-25-highbank 3.5.0-25.39
linux-image-3.5.0-25-omap 3.5.0-25.39
linux-image-3.5.0-25-powerpc-smp 3.5.0-25.39
linux-image-3.5.0-25-powerpc64-smp 3.5.0-25.39

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1750-1
CVE-2013-1763

Package Information:
https://launchpad.net/ubuntu/+source/linux/3.5.0-25.39

[CentOS-announce] CEBA-2013:0559 CentOS 5 rgmanager Update

CentOS Errata and Bugfix Advisory 2013:0559

Upstream details at : https://rhn.redhat.com/errata/RHBA-2013-0559.html

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

i386:
10d6ad046b53a8e55920ddb5ea4c34f09e9405250143d716021da5004b22a856 rgmanager-2.0.52-37.el5.centos.1.i386.rpm

x86_64:
cf91e9ffdc1ab8ae24a7dfba2216ccce1be18f478f472a413999aade839cec47 rgmanager-2.0.52-37.el5.centos.1.x86_64.rpm

Source:
09f520aaea478ed93c8845aceb98b3b8f3432c5a96e5fc80cbb27faecb6f7e80 rgmanager-2.0.52-37.el5.centos.1.src.rpm

--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net

[CentOS-announce] CEBA-2013:0558 CentOS 5 rpm Update

CentOS Errata and Bugfix Advisory 2013:0558

Upstream details at : https://rhn.redhat.com/errata/RHBA-2013-0558.html

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

i386:
e1b9f740f247c2d2d5f12d994dfa20e060dd9cb4ecaf3f49a7178e3d269b1e5e popt-1.10.2.3-32.el5_9.i386.rpm
4754bbb37ef0cbbf93713f2c36db85bfd17b6ef4f20d592a2a326247c83b019e rpm-4.4.2.3-32.el5_9.i386.rpm
709aae2dcecd69d9f618ff2df6b2287a66ad19f70b49e71d6466b2728677f4f3 rpm-apidocs-4.4.2.3-32.el5_9.i386.rpm
0bf2abc1f4a4f8a5cd8c1b9640ae0dbc93ab494ca4871f74a1a6f92ad25004f1 rpm-build-4.4.2.3-32.el5_9.i386.rpm
7ca0a6635cc98a70b68f3d219634f7058d510fa94f0ff10094cf66a5a5133068 rpm-devel-4.4.2.3-32.el5_9.i386.rpm
639b54e492116f6ae6f5ad5d68b6369e0af9115ca19a4b7552cbd28af6abe0e9 rpm-libs-4.4.2.3-32.el5_9.i386.rpm
5311dcd963e3e5a886b667c8aaace683cb7d28cb74007e055c1af0920a6d2c7d rpm-python-4.4.2.3-32.el5_9.i386.rpm

x86_64:
e1b9f740f247c2d2d5f12d994dfa20e060dd9cb4ecaf3f49a7178e3d269b1e5e popt-1.10.2.3-32.el5_9.i386.rpm
2b80a4055de8dac4be3000e6e04c5413c975c30feeae12057a149944e93c571c popt-1.10.2.3-32.el5_9.x86_64.rpm
b709444ee4c7009046de6d64616bc2769c7b9aa2b88018e2ac982c5bd8fe869c rpm-4.4.2.3-32.el5_9.x86_64.rpm
66e2627515c37e20400d202d5bff7eeee54737871ec0689d9c3cacfac88dbd25 rpm-apidocs-4.4.2.3-32.el5_9.x86_64.rpm
df76ed1cb1d24996aecf644861f1f0ba7a309fc5ccdaaebf7f28cfb05fe52d53 rpm-build-4.4.2.3-32.el5_9.x86_64.rpm
7ca0a6635cc98a70b68f3d219634f7058d510fa94f0ff10094cf66a5a5133068 rpm-devel-4.4.2.3-32.el5_9.i386.rpm
990430a8952296ac879c0230071e0d3fbceab301265308ba10dd3af5d604a06e rpm-devel-4.4.2.3-32.el5_9.x86_64.rpm
639b54e492116f6ae6f5ad5d68b6369e0af9115ca19a4b7552cbd28af6abe0e9 rpm-libs-4.4.2.3-32.el5_9.i386.rpm
78d97ed81dd2bfb324611dc8b57ced8e74fbac94ba54e8b76a5db904939e3be3 rpm-libs-4.4.2.3-32.el5_9.x86_64.rpm
9a4ff6fd6ee5af2fe19a4a2ef59c8bf7e5e8af5576060c1f6134cf130e7d380e rpm-python-4.4.2.3-32.el5_9.x86_64.rpm

Source:
042c0e851da369e1557facc1b87ecfeb6bd2b4a22dc9d767b7eedd44366428e5 rpm-4.4.2.3-32.el5_9.src.rpm

--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
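
Each CentOS announcement on this page publishes a sha256 for every RPM so that whoever pulls the files from a mirror can check them before installing. The script below is an added example, not CentOS project tooling: `parse_checksums` reads the `<sha256sum> <Filename>` lines (fed here with the CESA-2013:0568 dbus-glib lines from this page, where the i386 packages are listed under both architecture headings and must carry the same digest each time) and `verify_directory` hashes every listed file in a directory, flagging mismatches, missing files and RPMs the advisory never mentioned. The files built in `demo` are constructed stand-ins, not real packages, so their digests are computed from the constructed content; the all-zero digest for the absent file is a placeholder.

```python
"""Verify downloaded RPMs against the sha256 list in a CentOS announcement.

Added example, not CentOS project tooling.  The announcement text is parsed
into {filename: sha256}; files on disk are hashed and compared.
"""
import hashlib
import os
import re
import tempfile

# Checksum lines copied from CESA-2013:0568 (dbus-glib) on this page.
CESA_2013_0568 = """\
i386:
0223ca642952e05ebc211d0a4c70d384c940ac27b099bc3d75b54ca68f9c0f90 dbus-glib-0.73-11.el5_9.i386.rpm
62777a9ce986e177104fe0e1a0f0426f301da6507598d498e9ce33fe2393455a dbus-glib-devel-0.73-11.el5_9.i386.rpm

x86_64:
0223ca642952e05ebc211d0a4c70d384c940ac27b099bc3d75b54ca68f9c0f90 dbus-glib-0.73-11.el5_9.i386.rpm
04b24df1ce6e666a9270a596a472f35feeaf6b838b8c243d4a84b9ca24de2520 dbus-glib-0.73-11.el5_9.x86_64.rpm
62777a9ce986e177104fe0e1a0f0426f301da6507598d498e9ce33fe2393455a dbus-glib-devel-0.73-11.el5_9.i386.rpm
884d110f0c5379c6ca1fffdfbba09f54d92945dd81e6d212139189c113a20f57 dbus-glib-devel-0.73-11.el5_9.x86_64.rpm
"""


def parse_checksums(text):
    """Return {filename: sha256} from '<sha256sum> <Filename>' lines.

    An i386 package may be listed under both the i386 and x86_64 headings;
    it must carry the same digest each time, otherwise the list is inconsistent.
    """
    expected = {}
    for line in text.splitlines():
        m = re.fullmatch(r"([0-9a-f]{64})\s+(\S+\.rpm)", line.strip())
        if not m:
            continue                      # architecture headings, blank lines
        digest, name = m.groups()
        if expected.get(name, digest) != digest:
            raise ValueError(f"conflicting digests listed for {name}")
        expected[name] = digest
    return expected


def sha256_file(path):
    """Stream a file through SHA-256 so large RPMs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_directory(directory, expected):
    """Compare every listed file against its digest; flag extras and omissions."""
    report = {}
    for name, digest in expected.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            report[name] = "missing"
        elif sha256_file(path) == digest:
            report[name] = "ok"
        else:
            report[name] = "MISMATCH"
    for name in os.listdir(directory):
        if name.endswith(".rpm") and name not in expected:
            report[name] = "unlisted"     # never install what the advisory did not list
    return report


def demo():
    """Constructed scenario: one intact file, one tampered, one missing, one extra."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "good-1.0-1.el5.i386.rpm")
        bad = os.path.join(d, "bad-1.0-1.el5.i386.rpm")
        with open(good, "wb") as f:
            f.write(b"constructed rpm payload A")
        with open(bad, "wb") as f:
            f.write(b"constructed rpm payload B")
        # Build an announcement from the pristine files, then tamper with one.
        announcement = "i386:\n" + "\n".join(
            f"{sha256_file(p)} {os.path.basename(p)}" for p in (good, bad))
        announcement += "\n" + "0" * 64 + " absent-1.0-1.el5.i386.rpm"  # placeholder digest
        with open(bad, "ab") as f:
            f.write(b" tampered")
        with open(os.path.join(d, "stray-2.0-1.el5.i386.rpm"), "wb") as f:
            f.write(b"x")
        return verify_directory(d, parse_checksums(announcement))


if __name__ == "__main__":
    for name, state in sorted(demo().items()):
        print(f"{state:9} {name}")
```

Against a real mirror download, point `verify_directory` at the download directory and `parse_checksums` at the announcement text; anything other than `ok` across the board means the files should not be installed.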

[USN-1749-1] Linux kernel (Quantal HWE) vulnerability

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iQIcBAEBCgAGBQJRLH4jAAoJEAUvNnAY1cPYHm4P/1q8fa11iOF30l9rX+uuuBgB
XKobvUC8FK3uuMwcumv+Ezz2Z06AQ5Y6F+NNqiLr7tJ9ppN4lPBqlaSHvD4VBbpi
a8aVpU9kp3s110V3MfQWqZ5f2p0/K5hidhT2mKC8EE9ZjVYP/L3vit56gPFsrQzx
8VirzmV19jw6p9/42ro4Q73rBw0oXTDyJQcIUIsw+P0AQWuNkXXbDmm8jiwsdPQc
OHjo6U2WDx01g6L4nRdKixS0yYfMGvJnobEbhI60wIiGavFdq+gGf/hDmf+YM0rj
yuIY24XSV0elzjVk8F3UJiwk+BETKUzyIn38YXMUMb83AfQN2gcUXn50gfPoTuaA
fvxuUvDHStKVWtszd5fJO5rlf4WS1ezFhNPDJobtGEPKcESxTycN2I/4v8rsZVD5
XJrFkCzuZZ4q0QWJhR92cFDMZsQomzhyrzHYQtMu09hEQ7Zr4oU+cXq6mguw0Ydq
b1EMH1MNK8ThnlMPfbOXK2U0NzJskXYCJaOMgdAzHqURsMc6lGLb4nrplwk46D6v
q8FdPjIOnMOZKHTUfKm4IF/WUTeFzoKBBHAOsVO76NIktkg6IK1uKXbFhfaTV33W
wiK3GdC4/HW43MQxsSO/LVXoOd03rfi5l+5EF8nzcgYZ1qPhsx8euSbCvbrs3vsn
qylaTdA093tdStr+fvSg
=Z/Hy
-----END PGP SIGNATURE-----
==========================================================================
Ubuntu Security Notice USN-1749-1
February 26, 2013

linux-lts-quantal vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS

Summary:

The system could be made to crash or run programs as an administrator.

Software Description:
- linux-lts-quantal: Linux hardware enablement kernel from Quantal

Details:

Brad Spengler discovered a bounds checking error for netlink messages
requesting SOCK_DIAG_BY_FAMILY. An unprivileged local user could exploit
this flaw to crash the system or run programs as an administrator.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
linux-image-3.5.0-25-generic 3.5.0-25.39~precise1

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1749-1
CVE-2013-1763

Package Information:
https://launchpad.net/ubuntu/+source/linux-lts-quantal/3.5.0-25.39~precise1

Monday, February 25, 2013

[USN-1748-1] Thunderbird vulnerabilities

==========================================================================
Ubuntu Security Notice USN-1748-1
February 25, 2013

thunderbird vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 10.04 LTS

Summary:

Several security issues were fixed in Thunderbird.

Software Description:
- thunderbird: Mozilla Open Source mail and newsgroup client

Details:

Bobby Holley discovered vulnerabilities in Chrome Object Wrappers (COW) and
System Only Wrappers (SOW). If a user were tricked into opening a specially
crafted page and had scripting enabled, a remote attacker could exploit
this to bypass security protections to obtain sensitive information or
potentially execute code with the privileges of the user invoking
Thunderbird. (CVE-2013-0773)

Frederik Braun discovered that Thunderbird made the location of the active
browser profile available to JavaScript workers. Scripting for Thunderbird
is disabled by default in Ubuntu. (CVE-2013-0774)

A use-after-free vulnerability was discovered in Thunderbird. An attacker
could potentially exploit this to execute code with the privileges of the
user invoking Thunderbird if scripting were enabled. (CVE-2013-0775)

Michal Zalewski discovered that Thunderbird would not always show the
correct address when cancelling a proxy authentication prompt. A remote
attacker could exploit this to conduct URL spoofing and phishing attacks
if scripting were enabled.
(CVE-2013-0776)

Abhishek Arya discovered several problems related to memory handling. If
the user were tricked into opening a specially crafted page, an attacker
could possibly exploit these to cause a denial of service via application
crash, or potentially execute code with the privileges of the user invoking
Thunderbird. (CVE-2013-0777, CVE-2013-0778, CVE-2013-0779, CVE-2013-0780,
CVE-2013-0781, CVE-2013-0782)

Olli Pettay, Christoph Diehl, Gary Kwong, Jesse Ruderman, Andrew McCreight,
Joe Drew, Wayne Mery, Alon Zakai, Christian Holler, Gary Kwong, Luke
Wagner, Terrence Cole, Timothy Nikkel, Bill McCloskey, and Nicolas Pierron
discovered multiple memory safety issues affecting Thunderbird. If a user
had scripting enabled and was tricked into opening a specially crafted
page, an attacker could possibly exploit these to cause a denial of service
via application crash. (CVE-2013-0783, CVE-2013-0784)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.10:
thunderbird 17.0.3+build1-0ubuntu0.12.10.1

Ubuntu 12.04 LTS:
thunderbird 17.0.3+build1-0ubuntu0.12.04.1

Ubuntu 11.10:
thunderbird 17.0.3+build1-0ubuntu0.11.10.1

Ubuntu 10.04 LTS:
thunderbird 17.0.3+build1-0ubuntu0.10.04.1

After a standard system update you need to restart Thunderbird to make all
the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1748-1
CVE-2013-0773, CVE-2013-0774, CVE-2013-0775, CVE-2013-0776,
CVE-2013-0777, CVE-2013-0778, CVE-2013-0779, CVE-2013-0780,
CVE-2013-0781, CVE-2013-0782, CVE-2013-0783, CVE-2013-0784,
https://launchpad.net/bugs/1131110

Package Information:

https://launchpad.net/ubuntu/+source/thunderbird/17.0.3+build1-0ubuntu0.12.10.1

https://launchpad.net/ubuntu/+source/thunderbird/17.0.3+build1-0ubuntu0.12.04.1

https://launchpad.net/ubuntu/+source/thunderbird/17.0.3+build1-0ubuntu0.11.10.1

https://launchpad.net/ubuntu/+source/thunderbird/17.0.3+build1-0ubuntu0.10.04.1

Planned Outage: Host reboots - 2013-02-27 22:00 UTC

Outage: Host reboots - 2013-02-27 22:00 UTC

There will be an outage starting at 2013-02-27 22:00 UTC, which will
last approximately 3 hours.

To convert UTC to your local time, take a look at
http://fedoraproject.org/wiki/Infrastructure/UTCHowto
or run:

date -d '2013-02-27 22:00 UTC'

Reason for outage:

We will be rebooting servers to pick up the latest updates. During the
outage window, only particular services should be down as their hosts
are rebooted. Outages for particular services should be small.

Affected Services:

Ask Fedora - http://ask.fedoraproject.org/

BFO - http://boot.fedoraproject.org/

Bodhi - https://admin.fedoraproject.org/updates/

Buildsystem - http://koji.fedoraproject.org/

GIT / Source Control

DNS - ns1.fedoraproject.org, ns2.fedoraproject.org

Email system

Fedora Account System - https://admin.fedoraproject.org/accounts/

Fedora Community - https://admin.fedoraproject.org/community/

Fedora Hosted - https://fedorahosted.org/

Fedora People - http://fedorapeople.org/

Main Website - http://fedoraproject.org/

Mirror Manager - https://admin.fedoraproject.org/mirrormanager/

Package Database - https://admin.fedoraproject.org/pkgdb/

Secondary Architectures

Torrent - http://torrent.fedoraproject.org/

Wiki - http://fedoraproject.org/wiki/

Unaffected Services:

Docs - http://docs.fedoraproject.org/

Spins - http://spins.fedoraproject.org/

Start - http://start.fedoraproject.org/

Mirror List - https://mirrors.fedoraproject.org/

QA Services

Ticket Link: https://fedorahosted.org/fedora-infrastructure/ticket/3681

Contact Information:

Please join #fedora-admin or #fedora-noc on irc.freenode.net or add
comments to the ticket for this outage above.

[USN-1747-1] Transmission vulnerability

==========================================================================
Ubuntu Security Notice USN-1747-1
February 25, 2013

transmission vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10

Summary:

Transmission could be made to crash or run programs if it received
specially crafted network traffic.

Software Description:
- transmission: lightweight BitTorrent client

Details:

It was discovered that Transmission incorrectly handled certain micro
transport protocol packets. A remote attacker could use this issue to cause
a denial of service, or possibly execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.10:
transmission-common 2.61-0ubuntu2.2

Ubuntu 12.04 LTS:
transmission-common 2.51-0ubuntu1.3

Ubuntu 11.10:
transmission-common 2.33-0ubuntu2.1

After a standard system update you need to restart Transmission to make all
the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1747-1
CVE-2012-6129

Package Information:
https://launchpad.net/ubuntu/+source/transmission/2.61-0ubuntu2.2
https://launchpad.net/ubuntu/+source/transmission/2.51-0ubuntu1.3
https://launchpad.net/ubuntu/+source/transmission/2.33-0ubuntu2.1

[USN-1746-1] Pidgin vulnerabilities

==========================================================================
Ubuntu Security Notice USN-1746-1
February 25, 2013

pidgin vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 10.04 LTS

Summary:

Several security issues were fixed in Pidgin.

Software Description:
- pidgin: graphical multi-protocol instant messaging client for X

Details:

Chris Wysopal discovered that Pidgin incorrectly handled file transfers in
the MXit protocol handler. A remote attacker could use this issue to create
or overwrite arbitrary files. This issue only affected Ubuntu 11.10,
Ubuntu 12.04 LTS and Ubuntu 12.10. (CVE-2013-0271)

It was discovered that Pidgin incorrectly handled long HTTP headers in the
MXit protocol handler. A malicious remote server could use this issue to
execute arbitrary code. (CVE-2013-0272)

It was discovered that Pidgin incorrectly handled long user IDs in the
Sametime protocol handler. A malicious remote server could use this issue
to cause Pidgin to crash, resulting in a denial of service. (CVE-2013-0273)

It was discovered that Pidgin incorrectly handled long strings when
processing UPnP responses. A remote attacker could use this issue to cause
Pidgin to crash, resulting in a denial of service. (CVE-2013-0274)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.10:
libpurple0 1:2.10.6-0ubuntu2.2
pidgin 1:2.10.6-0ubuntu2.2

Ubuntu 12.04 LTS:
libpurple0 1:2.10.3-0ubuntu1.3
pidgin 1:2.10.3-0ubuntu1.3

Ubuntu 11.10:
libpurple0 1:2.10.0-0ubuntu2.2
pidgin 1:2.10.0-0ubuntu2.2

Ubuntu 10.04 LTS:
libpurple0 1:2.6.6-1ubuntu4.6
pidgin 1:2.6.6-1ubuntu4.6

After a standard system update you need to restart Pidgin to make all the
necessary changes.

References:
http://www.ubuntu.com/usn/usn-1746-1
CVE-2013-0271, CVE-2013-0272, CVE-2013-0273, CVE-2013-0274

Package Information:
https://launchpad.net/ubuntu/+source/pidgin/1:2.10.6-0ubuntu2.2
https://launchpad.net/ubuntu/+source/pidgin/1:2.10.3-0ubuntu1.3
https://launchpad.net/ubuntu/+source/pidgin/1:2.10.0-0ubuntu2.2
https://launchpad.net/ubuntu/+source/pidgin/1:2.6.6-1ubuntu4.6

Sunday, February 24, 2013

[Guidelines Change] Changes to the Packaging Guidelines

Some more changes to the Fedora Packaging Guidelines have been made:

---

The Packaging Guidelines covering Desktop files have been amended to say
that for Fedora 19 and beyond, the vendor tag must not be used. If it
was being used in a previous release, it may continue to be used for
that previous release, but must be removed in Fedora 19. New packages
must not add the vendor tag for any release. Packagers are reminded that
they must not change the name of the desktop file in a stable Fedora
release.

https://fedoraproject.org/wiki/Packaging:Guidelines#desktop-file-install_usage

---
The Ruby Guidelines have been updated to prepare for JRuby integration
in Fedora (and new macros to assist in this).

https://fedoraproject.org/wiki/Packaging:Ruby

---

The Java Guidelines have been changed to reflect BuildRequires:
maven-local (instead of maven).

https://fedoraproject.org/wiki/Packaging:Java#maven_3

---

These guideline changes were approved by the Fedora Packaging
Committee (FPC).

Many thanks to Bohuslav Kabrda, Parag Nemade, Stanislav Ochotnicky, and
all of the members of the FPC, for assisting in drafting, refining, and
passing these guidelines.

As a reminder: The Fedora Packaging Guidelines are living documents! If
you find something missing, incorrect, or in need of revision, you can
suggest a draft change. The procedure for this is documented here:
https://fedoraproject.org/wiki/Packaging/Committee#GuidelineChangeProcedure

Thanks,

~tom
_______________________________________________
devel-announce mailing list
devel-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel-announce

Saturday, February 23, 2013

Updated Debian 6.0: 6.0.7 released

------------------------------------------------------------------------
The Debian Project                                http://www.debian.org/
Updated Debian 6.0: 6.0.7 released                      press@debian.org
February 23rd, 2013             http://www.debian.org/News/2013/20130223
------------------------------------------------------------------------


The Debian project is pleased to announce the seventh update of its
stable distribution Debian 6.0 (codename "squeeze"). This update mainly
adds corrections for security problems to the stable release, along with
a few adjustments for serious problems. Security advisories were already
published separately and are referenced where available.

Please note that this update does not constitute a new version of Debian
6.0; it only updates some of the packages included. There is no need to
discard 6.0 CDs or DVDs: after an installation, simply update from an
up-to-date Debian mirror so that any out-of-date packages are brought
current.

Those who frequently install updates from security.debian.org won't have
to update many packages and most updates from security.debian.org are
included in this update.

New installation media and CD and DVD images containing updated packages
will be available soon at the regular locations.

Upgrading to this revision online is usually done by pointing the
aptitude (or apt) package tool (see the sources.list(5) manual page) to
one of Debian's many FTP or HTTP mirrors. A comprehensive list of
mirrors is available at:

http://www.debian.org/mirror/list



Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

Package                               Reason

apt-show-versions                     Fix detection of squeeze-updates and
                                      squeeze; update official distribution
                                      list
base-files                            Update for the point release
bcron                                 Don't allow jobs access to other jobs'
                                      temporary files
bind9                                 Update IP for "D" root server
bugzilla                              Add dependency on liburi-perl, used
                                      during package configuration
choose-mirror                         Update URL for master mirror list
clamav                                New upstream version
claws-mail                            Fix NULL pointer dereference
clive                                 Adapt for youtube.com changes
cups                                  Ship cups-files.conf's manpage
dbus                                  Avoid code execution in setuid/setgid
                                      binaries
dbus-glib                             Fix authentication bypass through
                                      insufficient checks (CVE-2013-0292)
debian-installer                      Rebuild for 6.0.7
debian-installer-netboot-images       Rebuild against debian-installer
                                      20110106+squeeze4+b3
dtach                                 Properly handle close request
                                      (CVE-2012-3368)
ettercap                              Fix hosts list parsing (CVE-2013-0722)
fglrx-driver                          Fix diversion-related issues with
                                      upgrades from lenny
flashplugin-nonfree                   Use gpg --verify
fusionforge                           Lenny to squeeze upgrade fix
gmime2.2                              Add Conflicts: libgmime2.2-cil to fix
                                      upgrades from lenny
gzip                                  Avoid using memcpy on overlapping
                                      regions
ia32-libs                             Update included packages from stable /
                                      security.d.o
ia32-libs-core                        Update included packages from stable /
                                      security.d.o
kfreebsd-8                            Fix CVE-2012-4576: memory access
                                      without proper validation in linux
                                      compat system
libbusiness-onlinepayment-ippay-perl  Backport changes to IPPay gateway's
                                      server name and path
libproc-processtable-perl             Fix unsafe temporary file usage
                                      (CVE-2011-4363)
libzorpll                             Add missing Breaks/Replaces:
                                      libzorp2-dev to libzorpll-dev
linux-2.6                             Update to stable release 2.6.32.60.
                                      Backport hpsa, isci and megaraid_sas
                                      driver updates. Fix r8169 hangs
linux-kernel-di-amd64-2.6             Rebuild against linux-2.6 2.6.32-48
linux-kernel-di-armel-2.6             Rebuild against linux-2.6 2.6.32-48
linux-kernel-di-i386-2.6              Rebuild against linux-2.6 2.6.32-48
linux-kernel-di-ia64-2.6              Rebuild against linux-2.6 2.6.32-48
linux-kernel-di-mips-2.6              Rebuild against linux-2.6 2.6.32-48
linux-kernel-di-mipsel-2.6            Rebuild against linux-2.6 2.6.32-48
linux-kernel-di-powerpc-2.6           Rebuild against linux-2.6 2.6.32-48
linux-kernel-di-s390-2.6              Rebuild against linux-2.6 2.6.32-48
linux-kernel-di-sparc-2.6             Rebuild against linux-2.6 2.6.32-48
magpierss                             Fix upgrade issue
maradns                               Fix CVE-2012-1570 (deleted domain
                                      record cache persistence flaw)
mediawiki                             Prevent session fixation in
                                      Special:UserLogin (CVE-2012-5391);
                                      prevent linker regex from exceeding
                                      backtrack limit
moodle                                Multiple security fixes
nautilus                              Add Breaks: samba-common (<< 2:3.5) to
                                      fix a lenny to squeeze upgrade issue
openldap                              Dump the database in prerm on upgrades
                                      to help upgrades to releases with
                                      newer libdb versions
openssh                               Improve DoS resistance (CVE-2010-5107)
pam-pgsql                             Fix issue with NULL passwords
pam-shield                            Correctly block IPs when
                                      allow_missing_dns is "no"
perl                                  Fix misparsing of maketext strings
                                      (CVE-2012-6329)
poppler                               Security fixes; CVE-2010-0206,
                                      CVE-2010-0207, CVE-2012-4653; fix
                                      GooString::insert, correctly
                                      initialise variables
portmidi                              Fix crash
postgresql-8.4                        New upstream micro-release
sdic                                  Move bzip2 from Suggests to Depends as
                                      it is used during installation
snack                                 Fix buffer overflow (CVE-2012-6303)
sphinx                                Fix incompatibility with jQuery >= 1.4
swath                                 Fix potential buffer overflow in Mule
                                      mode
swi-prolog                            Fix buffer overruns
ttf-ipafont                           Fix removal of alternatives
tzdata                                New upstream version; fix DST for
                                      America/Bahia (Brazil)
unbound                               Update IP address hints for
                                      D.ROOT-SERVERS.NET
xen                                   Fix clock breakage
xnecview                              Fix FTBFS on armel




Security Updates
----------------

This revision adds the following security updates to the stable release.
The Security Team has already released an advisory for each of these
updates:


Advisory ID  Package                 Correction(s)

DSA-2550     asterisk                Multiple issues
DSA-2551     isc-dhcp                Denial of service
DSA-2552     tiff                    Multiple issues
DSA-2553     iceweasel               Multiple issues
DSA-2554     iceape                  Multiple issues
DSA-2555     libxslt                 Multiple issues
DSA-2556     icedove                 Multiple issues
DSA-2557     hostapd                 Denial of service
DSA-2558     bacula                  Information disclosure
DSA-2559     libexif                 Multiple issues
DSA-2560     bind9                   Denial of service
DSA-2561     tiff                    Buffer overflow
DSA-2562     cups-pk-helper          Privilege escalation
DSA-2563     viewvc                  Multiple issues
DSA-2564     tinyproxy               Denial of service
DSA-2565     iceweasel               Multiple issues
DSA-2566     exim4                   Heap overflow
DSA-2567     request-tracker3.8      Multiple issues
DSA-2568     rtfm                    Privilege escalation
DSA-2569     icedove                 Multiple issues
DSA-2570     openoffice.org          Multiple issues
DSA-2571     libproxy                Buffer overflow
DSA-2572     iceape                  Multiple issues
DSA-2573     radsecproxy             SSL certificate verification weakness
DSA-2574     typo3-src               Multiple issues
DSA-2575     tiff                    Heap overflow
DSA-2576     trousers                Denial of service
DSA-2577     libssh                  Multiple issues
DSA-2578     rssh                    Multiple issues
DSA-2579     apache2                 Multiple issues
DSA-2580     libxml2                 Buffer overflow
DSA-2582     xen                     Denial of service
DSA-2583     iceweasel               Multiple issues
DSA-2584     iceape                  Multiple issues
DSA-2585     bogofilter              Heap-based buffer overflow
DSA-2586     perl                    Multiple issues
DSA-2587     libcgi-pm-perl          HTTP header injection
DSA-2588     icedove                 Multiple issues
DSA-2589     tiff                    Buffer overflow
DSA-2590     wireshark               Multiple issues
DSA-2591     mahara                  Multiple issues
DSA-2592     elinks                  Programming error
DSA-2593     moin                    Multiple issues
DSA-2594     virtualbox-ose          Programming error
DSA-2595     ghostscript             Buffer overflow
DSA-2596     mediawiki-extensions    Cross-site scripting in RSSReader
                                     extension
DSA-2597     rails                   Input validation error
DSA-2598     weechat                 Multiple issues
DSA-2599     nss                     Mis-issued intermediates
DSA-2600     cups                    Privilege escalation
DSA-2601     gnupg2                  Missing input sanitation
DSA-2601     gnupg                   Missing input sanitation
DSA-2602     zendframework           XML external entity inclusion
DSA-2603     emacs23                 Programming error
DSA-2604     rails                   Insufficient input validation
DSA-2605     asterisk                Multiple issues
DSA-2606     proftpd-dfsg            Symlink race
DSA-2607     qemu-kvm                Buffer overflow
DSA-2608     qemu                    Buffer overflow
DSA-2609     rails                   SQL query manipulation
DSA-2610     ganglia                 Remote code execution
DSA-2611     movabletype-opensource  Multiple issues
DSA-2612     ircd-ratbox             Remote crash
DSA-2613     rails                   Insufficient input validation
DSA-2614     libupnp                 Multiple issues
DSA-2615     libupnp4                Multiple issues
DSA-2616     nagios3                 Buffer overflow vulnerability
DSA-2617     samba                   Multiple issues
DSA-2618     ircd-hybrid             Denial of service
DSA-2619     xen-qemu-dm-4.0         Buffer overflow
DSA-2620     rails                   Multiple issues
DSA-2621     openssl                 Multiple issues
DSA-2622     polarssl                Multiple issues
DSA-2623     openconnect             Buffer overflow
DSA-2624     ffmpeg                  Multiple issues
DSA-2625     wireshark               Multiple issues
DSA-2626     lighttpd                Multiple issues
DSA-2627     nginx                   Information leak


Debian Installer
----------------

The installer has been rebuilt to include the fixes incorporated into
stable by the point release.

Removed packages
----------------

The following packages were removed due to circumstances beyond our
control:

Package                               Reason

elmerfem                              License problems (GPL + non-GPL)


URLs
----

The complete lists of packages that have changed with this revision:

http://ftp.debian.org/debian/dists/squeeze/ChangeLog


The current stable distribution:

http://ftp.debian.org/debian/dists/stable/


Proposed updates to the stable distribution:

http://ftp.debian.org/debian/dists/proposed-updates/


Stable distribution information (release notes, errata etc.):

http://www.debian.org/releases/stable/


Security announcements and information:

http://security.debian.org/ 


About Debian
------------

The Debian Project is an association of Free Software developers who
volunteer their time and effort in order to produce the completely free
operating system Debian.


Contact Information
-------------------

For further information, please visit the Debian web pages at
http://www.debian.org/, send mail to <press@debian.org>, or contact the
stable release team at <debian-release@lists.debian.org>.

Thursday, February 21, 2013

[USN-1745-1] Linux kernel (OMAP4) vulnerability

==========================================================================
Ubuntu Security Notice USN-1745-1
February 22, 2013

linux-ti-omap4 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.10

Summary:

The system could be made to run programs as an administrator.

Software Description:
- linux-ti-omap4: Linux kernel for OMAP4

Details:

Suleiman Souhlal, Salman Qazi, Aaron Durbin and Michael Davidson discovered
a race condition in the Linux kernel's ptrace syscall. An unprivileged
local attacker could exploit this flaw to run programs as an administrator.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.10:
linux-image-3.5.0-220-omap4 3.5.0-220.28

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References:
http://www.ubuntu.com/usn/usn-1745-1
CVE-2013-0871

Package Information:
https://launchpad.net/ubuntu/+source/linux-ti-omap4/3.5.0-220.28

[USN-1744-1] Linux kernel vulnerability

==========================================================================
Ubuntu Security Notice USN-1744-1
February 22, 2013

linux vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.10

Summary:

The system could be made to run programs as an administrator.

Software Description:
- linux: Linux kernel

Details:

Suleiman Souhlal, Salman Qazi, Aaron Durbin and Michael Davidson discovered
a race condition in the Linux kernel's ptrace syscall. An unprivileged
local attacker could exploit this flaw to run programs as an administrator.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.10:
linux-image-3.5.0-25-generic 3.5.0-25.38
linux-image-3.5.0-25-highbank 3.5.0-25.38
linux-image-3.5.0-25-omap 3.5.0-25.38
linux-image-3.5.0-25-powerpc-smp 3.5.0-25.38
linux-image-3.5.0-25-powerpc64-smp 3.5.0-25.38

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References:
http://www.ubuntu.com/usn/usn-1744-1
CVE-2013-0871

Package Information:
https://launchpad.net/ubuntu/+source/linux/3.5.0-25.38

[USN-1743-1] Linux kernel (Quantal HWE) vulnerability

==========================================================================
Ubuntu Security Notice USN-1743-1
February 22, 2013

linux-lts-quantal vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS

Summary:

The system could be made to run programs as an administrator.

Software Description:
- linux-lts-quantal: Linux hardware enablement kernel from Quantal

Details:

Suleiman Souhlal, Salman Qazi, Aaron Durbin and Michael Davidson discovered
a race condition in the Linux kernel's ptrace syscall. An unprivileged
local attacker could exploit this flaw to run programs as an administrator.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
linux-image-3.5.0-25-generic 3.5.0-25.38~precise1

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References:
http://www.ubuntu.com/usn/usn-1743-1
CVE-2013-0871

Package Information:
https://launchpad.net/ubuntu/+source/linux-lts-quantal/3.5.0-25.38~precise1

[USN-1742-1] Linux kernel (OMAP4) vulnerability

==========================================================================
Ubuntu Security Notice USN-1742-1
February 22, 2013

linux-ti-omap4 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS

Summary:

The system could be made to run programs as an administrator.

Software Description:
- linux-ti-omap4: Linux kernel for OMAP4

Details:

Suleiman Souhlal, Salman Qazi, Aaron Durbin and Michael Davidson discovered
a race condition in the Linux kernel's ptrace syscall. An unprivileged
local attacker could exploit this flaw to run programs as an administrator.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
linux-image-3.2.0-1426-omap4 3.2.0-1426.35

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References:
http://www.ubuntu.com/usn/usn-1742-1
CVE-2013-0871

Package Information:
https://launchpad.net/ubuntu/+source/linux-ti-omap4/3.2.0-1426.35