Friday, February 28, 2014

libgcrypt soname bump in rawhide

I'm rebasing libgcrypt in rawhide to libgcrypt-1.6.1. The new upstream
release contains many improvements over the old one especially in terms
of new crypto algorithm support and performance improvements.

Unfortunately the rebase bumps soname to libgcrypt.so.20 due to dropping
some long-ago deprecated API calls. This should not break builds of any
reasonably current software. I've included the temporary old shared
library so the buildroots are not broken.

I will try to rebuild the dependencies eventually.

Regards,

--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
(You'll never know whether the road is wrong though.)

_______________________________________________
devel-announce mailing list
devel-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel-announce

Thursday, February 27, 2014

[CentOS-announce] CESA-2014:0221 Moderate postgresql92-postgresql SCL Security Update

CentOS Errata and Security Advisory 2014:0221 (CentOS Software Collections)

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

-----------------------------
X86_64
-----------------------------

152d24ed52c389ee697cbba988bad52eee8bc9858aec79bad7fa118533ed68dc postgresql92-postgresql-9.2.7-1.1.el6.centos.alt.x86_64.rpm
56c89cfbf2e3cf26864ab893ad205a0fe56d949f11b79a2dfab94120f325156f postgresql92-postgresql-contrib-9.2.7-1.1.el6.centos.alt.x86_64.rpm
33bf9b980f07d97fa44ff1a07a9758833cb8ef2943d30d634bfa8f3c55b19bc8 postgresql92-postgresql-devel-9.2.7-1.1.el6.centos.alt.x86_64.rpm
75625203d93a4739be2223891ea50323fe41d01ee2c11f03fa8fde16a2763f56 postgresql92-postgresql-docs-9.2.7-1.1.el6.centos.alt.x86_64.rpm
279d4931b6576b94e0ee42b775073244fbc7afc491f5890cc1a53528b9c9be03 postgresql92-postgresql-libs-9.2.7-1.1.el6.centos.alt.x86_64.rpm
10bd301e44e8b44620f2eb4450ca670c15509b8d94bc2c0f43cffc5a6a5af507 postgresql92-postgresql-plperl-9.2.7-1.1.el6.centos.alt.x86_64.rpm
001f7549da67dc0f49664fb510c0802459899d64a9125b60ea0db349a546554c postgresql92-postgresql-plpython-9.2.7-1.1.el6.centos.alt.x86_64.rpm
62a43b5e27ffce3c3d7c0fe5a797d2630e28da4613fd70a1541ac58422fbbd0e postgresql92-postgresql-pltcl-9.2.7-1.1.el6.centos.alt.x86_64.rpm
bf20c814707456f1dfd0f8e82047be07cb82fc64a79a42aa35c03a35c3c5d0bc postgresql92-postgresql-server-9.2.7-1.1.el6.centos.alt.x86_64.rpm
c991d49b122b10fe4974156bcf986887d500bfcec4b2affaab114c540eb4adb2 postgresql92-postgresql-test-9.2.7-1.1.el6.centos.alt.x86_64.rpm
5d959e1ea6ec227ef0aee5bbb2f1d7b5d8af1eabfcdc551d6223569f88e4e9a9 postgresql92-postgresql-upgrade-9.2.7-1.1.el6.centos.alt.x86_64.rpm

-----------------------------
Source:
-----------------------------

7b8d9922670f0a5a70f8615a6b6ab298f2a7b82afd09e76ace2adb0f2176d717 postgresql92-postgresql-9.2.7-1.1.el6.centos.alt.src.rpm

=====================================================

The following upstream security issues are addressed in this update:

https://rhn.redhat.com/errata/RHSA-2014-0221.html

--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos at irc.freenode.net

_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
http://lists.centos.org/mailman/listinfo/centos-announce

[CentOS-announce] CESA-2014:0222 Moderate CentOS 6 libtiff Update

CentOS Errata and Security Advisory 2014:0222 Moderate

Upstream details at : https://rhn.redhat.com/errata/RHSA-2014-0222.html

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

i386:
da3a998c6169d15e3db4280c64e7595a4a5e83c2afd106db8bcaba4c56430565 libtiff-3.9.4-10.el6_5.i686.rpm
0792c44602b4493f0103841f17b3e0c46941d4a8f3dcf033bd696ae46c3c65d5 libtiff-devel-3.9.4-10.el6_5.i686.rpm
1a60c948b9c9bbdb971bceb84ef597873d1d47956fe1b97e595fc2549f208364 libtiff-static-3.9.4-10.el6_5.i686.rpm

x86_64:
da3a998c6169d15e3db4280c64e7595a4a5e83c2afd106db8bcaba4c56430565 libtiff-3.9.4-10.el6_5.i686.rpm
720e58adbb1f8a477c48d74ea35b5ed153e0daf8334402cf8c090497a6bd8b64 libtiff-3.9.4-10.el6_5.x86_64.rpm
0792c44602b4493f0103841f17b3e0c46941d4a8f3dcf033bd696ae46c3c65d5 libtiff-devel-3.9.4-10.el6_5.i686.rpm
e15a36a12a7f8a69ad0489fd5a3c81c07409916dba86cc49dddc4d6113ec7b09 libtiff-devel-3.9.4-10.el6_5.x86_64.rpm
1bb57cc43907ef94bf00ee7612f07034b2e18083cc45710f37adf6dc0b7fb622 libtiff-static-3.9.4-10.el6_5.x86_64.rpm

Source:
f86c5ce4adf609108553cf772def54b27b1555eda290a8b40202a96f366e9c52 libtiff-3.9.4-10.el6_5.src.rpm



--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net


[CentOS-announce] CESA-2014:0223 Moderate CentOS 5 libtiff Update

CentOS Errata and Security Advisory 2014:0223 Moderate

Upstream details at : https://rhn.redhat.com/errata/RHSA-2014-0223.html

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

i386:
8496d6215fe6546344befab52366d65f44f7bee22f677b940c6543e9764f4d50 libtiff-3.8.2-19.el5_10.i386.rpm
b4b444c8a92d885595105c919d74149af41ede7e76c6b2e5dd5e0ccc382f1e46 libtiff-devel-3.8.2-19.el5_10.i386.rpm

x86_64:
8496d6215fe6546344befab52366d65f44f7bee22f677b940c6543e9764f4d50 libtiff-3.8.2-19.el5_10.i386.rpm
6b512ce51b796f98aa0e0c012a4ea6a7999f1726c0f5432e604042de32e87a29 libtiff-3.8.2-19.el5_10.x86_64.rpm
b4b444c8a92d885595105c919d74149af41ede7e76c6b2e5dd5e0ccc382f1e46 libtiff-devel-3.8.2-19.el5_10.i386.rpm
4b014a26664cb32a6886c9e574e39be42e811be9bf4b7d1a44da1ee17307328c libtiff-devel-3.8.2-19.el5_10.x86_64.rpm

Source:
bc524fdc3e3bc6bff3b40d6445efb6a6f333630a7f2c3d322657d7fa3b00e4bc libtiff-3.8.2-19.el5_10.src.rpm



--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net


[USN-2124-1] OpenJDK 6 vulnerabilities

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCgAGBQJTD7BgAAoJEFHb3FjMVZVzIs4P/20TdVhRarKJX7RQrmwBHCvS
UTdR9fb5l0Mh3chQU7NYMjeQfAEntgRSROEqJImT1SWNVbjJbaH7YxSixT5zpIpi
PkofBoTE8bgWNALImez/MYdC6VAqz0qzRIXPP/Yu6a9l9s9k46GmawEFGjUG8JTo
k4atCaBRJ12sN0tN3CjFwSIlU2EssbgJbOm22zpSPR3sGx4TqcwuwOW5m8fGS7gW
UA9hmkcocEZsEwrVGs3Stl57/arVjnbNIdwp/EJbH/EEK6LpavxjoAjgc7zO+iKh
rHkKbwdCLYVTGIOPT50XYNUj40ZtD9JCCM8gBvG/nF/ZRj81OyOEoWjHKEOZiWWV
N4Gld35+w3BmMekMgD4tmjxmmlOdNubFOXMp1A8dsl0b8HqHV06tmhV8nDMXgAw2
uXVorD5EduAwNckDK7tp9J4g68VAYs/Zh6C7/Mf5JdD/6NSZRbUf7wtgLPK4R6eG
hU4W0wE5N/86SR5I6zfY9Iv4ILmzJkfNT4xpzHJbqZ04A/1D2TTaKr28WJz0N0KV
mBnurIHodBpHXRIUgM9ShGU9rtu180wbamjDrjxoLjxMbfNMUiuZtqDFzp0txOk/
I1sunNikOkusVEF+gOapF0NB6IwmQGN+zaLvmnMOacbGIgxreRpgjeEwY5nLRdxH
i9W7maP9RaZqrrGZ1H8M
=0p40
-----END PGP SIGNATURE-----
==========================================================================
Ubuntu Security Notice USN-2124-1
February 27, 2014

openjdk-6 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS

Summary:

Several security issues were fixed in OpenJDK 6.

Software Description:
- openjdk-6: Open Source Java implementation

Details:

A vulnerability was discovered in the OpenJDK JRE related to information
disclosure and data integrity. An attacker could exploit this to expose
sensitive data over the network. (CVE-2014-0411)

Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure, data integrity and availability. An attacker could
exploit these to cause a denial of service or expose sensitive data over
the network. (CVE-2013-5878, CVE-2013-5907, CVE-2014-0373, CVE-2014-0422,
CVE-2014-0428)

Two vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure. An attacker could exploit these to expose sensitive
data over the network. (CVE-2013-5884, CVE-2014-0368)

Two vulnerabilities were discovered in the OpenJDK JRE related to
availability. An attacker could exploit these to cause a denial of service.
(CVE-2013-5896, CVE-2013-5910)

Two vulnerabilities were discovered in the OpenJDK JRE related to data
integrity. (CVE-2014-0376, CVE-2014-0416)

A vulnerability was discovered in the OpenJDK JRE related to information
disclosure and availability. An attacker could exploit this to expose
sensitive data over the network or cause a denial of service.
(CVE-2014-0423)

In addition to the above, USN-2033-1 fixed several vulnerabilities and bugs
in OpenJDK 6. This update introduced a regression which caused an exception
condition in javax.xml when instantiating encryption algorithms. This
update fixes the problem. We apologize for the inconvenience.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
icedtea-6-jre-cacao 6b30-1.13.1-1ubuntu2~0.12.04.1
icedtea-6-jre-jamvm 6b30-1.13.1-1ubuntu2~0.12.04.1
openjdk-6-jre 6b30-1.13.1-1ubuntu2~0.12.04.1
openjdk-6-jre-headless 6b30-1.13.1-1ubuntu2~0.12.04.1
openjdk-6-jre-lib 6b30-1.13.1-1ubuntu2~0.12.04.1
openjdk-6-jre-zero 6b30-1.13.1-1ubuntu2~0.12.04.1

Ubuntu 10.04 LTS:
icedtea-6-jre-cacao 6b30-1.13.1-1ubuntu2~0.10.04.1
openjdk-6-jre 6b30-1.13.1-1ubuntu2~0.10.04.1
openjdk-6-jre-headless 6b30-1.13.1-1ubuntu2~0.10.04.1
openjdk-6-jre-lib 6b30-1.13.1-1ubuntu2~0.10.04.1
openjdk-6-jre-zero 6b30-1.13.1-1ubuntu2~0.10.04.1

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any Java
applications or applets to make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2124-1
CVE-2013-5878, CVE-2013-5884, CVE-2013-5896, CVE-2013-5907,
CVE-2013-5910, CVE-2014-0368, CVE-2014-0373, CVE-2014-0376,
CVE-2014-0411, CVE-2014-0416, CVE-2014-0422, CVE-2014-0423,
CVE-2014-0428, https://launchpad.net/bugs/1283828

Package Information:
https://launchpad.net/ubuntu/+source/openjdk-6/6b30-1.13.1-1ubuntu2~0.12.04.1
https://launchpad.net/ubuntu/+source/openjdk-6/6b30-1.13.1-1ubuntu2~0.10.04.1

F21 System Wide Change: System-wide crypto policy

= Proposed System Wide Change: System-wide crypto policy =
https://fedoraproject.org/wiki/Changes/CryptoPolicy

Change owner(s): Nikos Mavrogiannopoulos <nmav@redhat.com>

Unify the crypto policies used by different applications and libraries; that is,
allow setting a consistent security level for crypto on all applications in a
Fedora system.

== Detailed Description ==
The idea is to have some predefined security levels such as LEVEL-80,
LEVEL-128, LEVEL-256, or ENISA-LEGACY, ENISA-FUTURE, SUITEB-128, SUITEB-256.
These will be the security levels that the administrator of the system will be
able to configure by modifying
/usr/lib/crypto-profiles/config
/etc/crypto-profiles/config

which are applied after executing update-crypto-profiles.
(Note: it would be better to have a daemon that watches those files and
runs update-crypto-profiles automatically.)

After that the administrator should be assured that any application
that uses the system settings will follow a policy that adheres to
the configured profile.

Ideally setting a profile should be setting:
* the acceptable TLS/SSL (and DTLS) versions
* the acceptable ciphersuites and the preferred order
* acceptable parameters in certificates and key exchange, i.e.:
** the minimum acceptable size of parameters (DH,ECDH,RSA,DSA,ECDSA)
** the acceptable elliptic curves (ECDH,ECDSA)
** the acceptable signature hash functions
* other TLS options such as:
** safe renegotiation

An idea of how this will be implemented is to have each Fedora application's
configuration file or compilation option set a system default option; for
example, applications that use GnuTLS or OpenSSL would use a priority string
or cipher string named "SYSTEM". The shipped library will then make sure that
once the "SYSTEM" option is encountered the preconfigured system settings are
applied.

The preconfigured settings for each SSL library will be auto-generated
from the default profile in
/etc/crypto-profiles/generated/$(libname)/config
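To make the profile-to-library mapping concrete, here is an added illustration of the generation step the proposal assigns to update-crypto-profiles. It is not the proposal's code and not what Fedora's tooling does: the `profile =` key, the three LEVEL-* tables (key sizes, versions, hashes, curves) and the "first violation wins" checker are placeholder assumptions chosen to show the mechanism. It reads the selected profile from a config file in the style of /etc/crypto-profiles/config, renders it as a GnuTLS 3.x priority string and an OpenSSL cipher string plus the settings a cipher string cannot carry, and checks certificate or key-exchange parameters against the profile, which is the "acceptable parameters" part of the list above.

```javascript
// Added illustration, not the proposal's or Fedora's code: turn the selected
// system-wide crypto profile into per-library settings, the step the
// proposal assigns to update-crypto-profiles. Every profile value below is
// a placeholder assumption chosen to show the mechanism, not a vetted policy.

const PROFILES = {
  // ~80-bit level: still allows TLS 1.0/1.1 and SHA-1 signatures.
  "LEVEL-80": {
    tlsVersions: ["TLS1.0", "TLS1.1", "TLS1.2"],
    minBits: { RSA: 1024, DSA: 1024, DH: 1024, ECDH: 160, ECDSA: 160 },
    hashes: ["SHA1", "SHA256", "SHA384", "SHA512"],
    curves: ["SECP256R1", "SECP384R1", "SECP521R1"],
    gnutlsBase: "NORMAL",
    opensslBase: "DEFAULT",
  },
  // ~128-bit level: TLS 1.2 only, SHA-2 signatures, 3072-bit RSA/DH minimum.
  "LEVEL-128": {
    tlsVersions: ["TLS1.2"],
    minBits: { RSA: 3072, DSA: 3072, DH: 3072, ECDH: 256, ECDSA: 256 },
    hashes: ["SHA256", "SHA384", "SHA512"],
    curves: ["SECP256R1", "SECP384R1", "SECP521R1"],
    gnutlsBase: "SECURE128",
    opensslBase: "HIGH",
  },
  // ~256-bit level: only the largest curve and SHA-512.
  "LEVEL-256": {
    tlsVersions: ["TLS1.2"],
    minBits: { RSA: 15360, DSA: 15360, DH: 15360, ECDH: 512, ECDSA: 512 },
    hashes: ["SHA512"],
    curves: ["SECP521R1"],
    gnutlsBase: "SECURE256",
    opensslBase: "HIGH",
  },
};

const KNOWN_HASHES = ["MD5", "SHA1", "SHA256", "SHA384", "SHA512"];

// Parse the profile config (assumed "key = value" format, '#' comments,
// last assignment wins). Returns the profile name; throws on bad input so a
// typo cannot silently fall back to a weaker profile.
function parseProfileConfig(text) {
  let profile = null;
  for (const raw of text.split("\n")) {
    const line = raw.replace(/#.*/, "").trim();
    if (!line) continue;
    const eq = line.indexOf("=");
    if (eq < 0) throw new Error("malformed line: " + raw);
    if (line.slice(0, eq).trim() === "profile") profile = line.slice(eq + 1).trim();
  }
  if (profile === null) throw new Error("no profile= setting");
  if (!(profile in PROFILES)) throw new Error("unknown profile: " + profile);
  return profile;
}

// GnuTLS 3.x priority string: base keyword, explicit protocol list, the
// disallowed RSA signature hashes removed (DSA/ECDSA variants follow the same
// SIGN-<alg>-<hash> pattern and are left out here), allowed curves, and
// safe renegotiation required.
function renderGnutls(p) {
  const parts = [p.gnutlsBase, "-VERS-ALL"];
  for (const v of p.tlsVersions) parts.push("+VERS-" + v);
  for (const h of KNOWN_HASHES) if (!p.hashes.includes(h)) parts.push("-SIGN-RSA-" + h);
  for (const c of p.curves) parts.push("+CURVE-" + c);
  parts.push("%SAFE_RENEGOTIATION");
  return parts.join(":");
}

// An OpenSSL cipher string cannot carry protocol versions or key sizes, so
// those come out as separate settings for the application to apply.
function renderOpenssl(p) {
  const cipher = [p.opensslBase, "!aNULL", "!eNULL", "!EXPORT"];
  if (!p.hashes.includes("MD5")) cipher.push("!MD5");
  return { cipherString: cipher.join(":"), minProtocol: p.tlsVersions[0], minRsaBits: p.minBits.RSA };
}

function generateSettings(profileName) {
  const p = PROFILES[profileName];
  return { profile: profileName, gnutls: renderGnutls(p), openssl: renderOpenssl(p) };
}

// Check certificate / key-exchange parameters against a profile.
// Returns the list of violations; an empty list means acceptable.
function checkParams(profileName, params) {
  const p = PROFILES[profileName];
  const problems = [];
  const min = p.minBits[params.keyType];
  if (min === undefined) problems.push("unknown key type " + params.keyType);
  else if (params.bits < min) problems.push(params.keyType + " key " + params.bits + " < " + min + " bits");
  if (params.curve && !p.curves.includes(params.curve)) problems.push("curve " + params.curve + " not allowed");
  if (!p.hashes.includes(params.sigHash)) problems.push("signature hash " + params.sigHash + " not allowed");
  return problems;
}

// Constructed sample of what /etc/crypto-profiles/config might contain.
const SAMPLE_CONFIG = "# system-wide crypto profile\nprofile = LEVEL-128\n";

if (typeof require !== "undefined" && require.main === module) {
  const name = parseProfileConfig(SAMPLE_CONFIG);
  console.log(JSON.stringify(generateSettings(name), null, 2));
  console.log(checkParams(name, { keyType: "RSA", bits: 2048, sigHash: "SHA1" }));
}
```

The point of the checker is the one the proposal makes implicitly: once a library honours "SYSTEM", the same profile decides both which ciphersuites are offered and which peer parameters (a 2048-bit RSA key with a SHA-1 signature, say) are rejected, so the two cannot drift apart per application.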

== Scope ==
There are changes required in GnuTLS, OpenSSL and NSS libraries. On a second
phase non-SSL crypto libraries could use these settings.

* Proposal owners: For GnuTLS and OpenSSL the "SYSTEM" cipher needs to be
understood and behave as described. For NSS the NSS_SetDomesticPolicy() can be
overloaded to behave as above.

After that a mechanism to specify crypto policies for Fedora has to be
devised, as well as the extraction of each library's settings from it.

* Other developers: Packages that use SSL crypto libraries should, after the
previous change is complete, start replacing the default cipher strings with
SYSTEM.

* Release engineering: This feature does not require coordination with release
engineering.

* Policies and guidelines: After the change is complete the packaging
guidelines should mention replacing the default cipher strings with "SYSTEM"
as described above. This of course need not affect programs that already have
a widely used mechanism for setting ciphers/modes (e.g., browsers). It mostly
targets applications that use some reasonable (or unreasonable) defaults over
which the user/administrator has little control.

F21 System Wide Change: Ruby 2.1

= Proposed System Wide Change: Ruby 2.1 =
https://fedoraproject.org/wiki/Changes/Ruby_2.1

Change owner(s): Vít Ondruch <vondruch@redhat.com>

Ruby 2.1 is the latest stable version of Ruby, with major increases in speed,
memory efficiency and reliability. With this major update from Ruby 2.0.0 in
Fedora 20 to Ruby 2.1 in Fedora 21, alongside JRuby, Fedora becomes the
superior Ruby development platform.

== Detailed Description ==
Ruby 2.1 is upstream's new major release of Ruby. Notable changes are:
* VM (method cache)
* RGenGC
* refinements
* syntax changes
** Rational/Complex Literal
** def's return value
* Bignum use GMP
* String#scrub
* Socket.getifaddrs
* RDoc 4.1.0 and RubyGems 2.2.0
* "literal".freeze is now optimized
* add Exception#cause
* update libraries like BigDecimal, JSON, NKF and Rake
* remove curses

Please also note that Ruby has moved to semantic versioning as of this version.

Yet it is source-level backward compatible with Ruby 2.0.0, so your software
will continue to work.

== Scope ==
* Proposal owners:
** Update of Packaging Guidelines for Ruby packages. This needs to reflect
recent changes introduced by the version of RubyGems shipped with Ruby 2.1.
** Rebuilding of Ruby packages providing native extensions (i.e. packages
which depend on libruby), including changes needed by the updated packaging
guidelines.

* Other developers: N/A

* Release engineering:
** Rebuilding of Ruby packages providing native extensions (i.e. packages
which depend on libruby), including changes needed by the updated packaging
guidelines.

* Policies and guidelines:
** Update of Packaging Guidelines for Ruby packages. This needs to reflect
recent changes introduced by the version of RubyGems shipped with Ruby 2.1.


F21 System Wide Change: Access control in PCSC

= Proposed System Wide Change: Access control in PCSC =
https://fedoraproject.org/wiki/Changes/PcscAccessControl

Change owner(s): Nikos Mavrogiannopoulos <nmav@redhat.com>

Add access control to PC/SC smart cards available in the system. Adding access
control would (a) prevent unauthorized processes/users from reading data on a
smart card, (b) prevent unauthorized processes/users from erasing a smart
card, (c) prevent unauthorized processes/users from talking to the smart card
firmware.

== Detailed Description ==
Add access control to PC/SC smart cards available in the system. Currently
smart cards may provide their own access control for certain elements of a
card such as a private key. Their access control method is typically a PIN,
but can also be a biometric one. That, however, is not sufficient to
prevent certain actions on the non-PIN-protected elements. For example, cards
that provide a PKCS #15 filesystem can be modified by anyone who has access to
the system (e.g., erased using pkcs15-init -E).

The default settings allowed should be similar to the default settings for
hard disks, i.e., root and the user in console should be able to access the
smart card.

Adding access control would
* prevent unauthorized processes/users from reading data on a smart card
* prevent unauthorized processes/users from erasing a smart card
* prevent unauthorized processes/users from talking to the smart card firmware

The way access control will be implemented is using polkit which is already
being used to control access to hard disks. As smart cards share a lot with
hard disks (e.g., a filesystem, and are inserted by the console user), sharing
the same access control method is beneficial.
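Since polkit rules are themselves JavaScript, the "root and the console user" default described above can be shown as the rule an administrator would drop into /etc/polkit-1/rules.d/. What follows is an added illustration, not code from the pcsc-lite project or from this proposal: the rule is written exactly as it would appear in a .rules file, with a small stand-in for polkitd's rule engine so it can be exercised offline. The two action ids are the ones pcsc-lite's polkit support registers (org.debian.pcsc-lite.access_pcsc and org.debian.pcsc-lite.access_card); treat them as an assumption to confirm against the .policy file shipped with your pcsc-lite, and the "deny by default" fallback and the sample sessions are constructed for the example.

```javascript
// Added illustration, not the pcsc-lite project's code: the polkit rule that
// gives the proposed "root and the console user" default for PC/SC access,
// written as it would appear in a /etc/polkit-1/rules.d/*.rules file, plus a
// small stand-in for polkit's rule engine so the rule can be exercised offline.
// The two action ids are the ones pcsc-lite's polkit support registers
// (org.debian.pcsc-lite.access_pcsc / access_card); confirm them against the
// .policy file shipped with your pcsc-lite before relying on them.

// ---- stand-in for the polkit rules engine (not part of a real rules file) ----
const polkit = {
  Result: { YES: "yes", NO: "no", NOT_HANDLED: "not_handled" },
  rules: [],
  logged: [],
  addRule(fn) { this.rules.push(fn); },
  log(msg) { this.logged.push(msg); },
  // Like polkitd: rules run in order and the first one returning something
  // other than undefined / NOT_HANDLED decides. Real polkit then falls back to
  // the implicit authorization from the action's .policy file; this stand-in
  // assumes that default is "no".
  check(action, subject) {
    for (const rule of this.rules) {
      const r = rule(action, subject);
      if (r !== undefined && r !== this.Result.NOT_HANDLED) return r;
    }
    return this.Result.NO;
  },
};

// ---- the rule, as it would be written in 10-pcsc-access.rules ----
polkit.addRule(function (action, subject) {
  if (action.id !== "org.debian.pcsc-lite.access_pcsc" &&
      action.id !== "org.debian.pcsc-lite.access_card") {
    return polkit.Result.NOT_HANDLED;   // leave other actions to other rules
  }
  if (subject.user === "root") {
    return polkit.Result.YES;           // root may always talk to pcscd
  }
  if (subject.local && subject.active) {
    return polkit.Result.YES;           // the user at the console: local, active session
  }
  // Remote (ssh) logins, inactive seats and system services are refused;
  // logging the refusal makes a misbehaving process visible in the journal.
  polkit.log("pcsc: denied " + action.id + " for " + subject.user);
  return polkit.Result.NO;
});

// Helpers so the decision can be queried with plain values. A polkit Subject
// exposes .user, .local and .active, which is all the rule relies on.
function makeSubject(user, local, active) {
  return { user: user, local: local, active: active };
}

function decide(actionId, subject) {
  return polkit.check({ id: actionId }, subject);
}

// Constructed sessions: a console login, an ssh login and an inactive seat.
const SAMPLE_SESSIONS = {
  console: makeSubject("alice", true, true),
  ssh: makeSubject("bob", false, true),
  inactiveSeat: makeSubject("carol", true, false),
};

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, subj] of Object.entries(SAMPLE_SESSIONS)) {
    console.log(name, "->", decide("org.debian.pcsc-lite.access_card", subj));
  }
}
```

The rule mirrors what the proposal asks for: the PIN on the card still guards the private key, while polkit decides who may reach the reader at all, so a process in a remote or inactive session cannot reach the non-PIN-protected parts of the card (the pkcs15-init -E case above) even though it runs as a legitimate user.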

== Scope ==
polkit support has to be added to the PC/SC daemon. An initial version has
already been developed and communicated upstream.

* Proposal owners: The polkit support has to be merged with the Fedora
package. That requires changes to the pcsc daemon only, but indirectly all
packages that potentially may use smart cards are affected (opensc, firefox,
...).

* Other developers: Packages that use PC/SC smart cards must be checked that
they work as expected after the access control change.

* Release engineering: No coordination is required.

* Policies and guidelines: If there is any security policy documentation, it
should be updated to include the new policies on smart cards (I couldn't find
any such documentation though).

F21 System Wide Change: Remove python-setuptools-devel

= Proposed System Wide Change: Remove python-setuptools-devel =
https://fedoraproject.org/wiki/Changes/Remove_Python-setuptools-devel

Change owner(s): Toshio Kuratomi <toshio@fedoraproject.org>

The python-setuptools package has carried a virtual Provide for
python-setuptools-devel since 2009 for backwards compatibility. We're going to
remove this virtual Provide. Packages which still BuildRequire
python-setuptools-devel will need to be updated to Require: python-setuptools
instead.

== Detailed description ==
In November of 2009, in time for Fedora 13, we solved a packaging issue in the
main python package that allowed us to remove a split in our python-setuptools
package. Instead of needing a separate python-setuptools-devel subpackage for
easy_install the python-setuptools package could now contain all of the
functionality of python-setuptools. To ease with package migration we added an
Obsoletes and Provides tag to the python-setuptools package at that time so
that packages, kickstarts, etc which required python-setuptools-devel would
not break.

Fast forward to the present day:

It's December of 2013. Rawhide is Fedora 21. I'd like to drop the backwards
compatibility Provides (and Obsoletes) from the python-setuptools package.
However, there are currently 151 packages BuildRequire'ing
python-setuptools-devel. This Change exists to make people aware that they need
to update their packages.

== Scope ==
* Proposal owners: Remove the Provides: and Obsoletes: python-setuptools-devel
in the python-setuptools package and rebuild. This will take approximately 30
minutes.

* Other developers: Owners of packages that BuildRequire:
python-setuptools-devel need to change to BuildRequire: python-setuptools and
rebuild. Individually, this takes approximately 30 minutes per package (but
largely waiting on builds to finish successfully). There are approximately 151
packages in the

* Release engineering: No action needed by rel-eng. Until other developers
update their BuildRequires, their packages would fail to rebuild in a mass
rebuild.

* Policies and guidelines: No action needed. The packaging guidelines have
already been changed to use BuildRequires: python-setuptools rather than
python-setuptools-devel.

PRDs/Tech Specs to formal Change Proposals and Change submission deadline

Hi,
at yesterday's FESCo meeting it was agreed to set deadlines
for Change submission for Fedora 21 [1] and to process PRDs into
Change proposals.

"AGREED: Fedora Changes Process submission deadline for system-wide
changes is April 7th. Deadline for true standalone changes will be
sometime later than that. Changes to how fedora is produced for
fedora.next are still due on March 3rd. (+7,0,0) (nirik, 18:29:42)"

Current deadlines:
* March 3rd: Technical Specifications for products and changes needed
for products and deliverables --- very soon!
* April 7th: System Wide Changes submission deadline

Working Groups teams, please try to "transform" required changes for
your products from PRDs/Technical Specifications into standalone
Change proposals (between March 3rd and April 7th). It will help
us to scope the release. Also, all changes would be trackable the
standard way we do it, and it's going to help transparency (as
Change announcements are going to be part of the process).

Self Contained Changes submission deadline will be set later,
after the System Wide deadline. If you expect your proposed Self
Contained Change will be on the edge and could be escalated to the
System Wide, please try to submit it as early as possible too.

As some Fedora.next details will be clarified later in the process,
System Wide Changes submitted after the deadline will be approved
case by case, even after the submission deadline.

For the details about the Change process, see my previous email
to the devel announce list [2].

Thank you for your help with Change process and let me know in
case of any questions.

Jaroslav

[1] https://fedorahosted.org/fesco/ticket/1178
[2] https://lists.fedoraproject.org/pipermail/devel-announce/2014-February/001304.html

Wednesday, February 26, 2014

[FreeBSD-Announce] EuroBSDCon 2014 - Call for Papers

EuroBSDcon 2014: September 25-28 in Sofia, Bulgaria

EuroBSDcon is the European technical conference for users and
developers of BSD-based systems. The conference will take place
September 25 to 28 at InterExpo Congress Center in Sofia (see
http://iec.bg/en/). Tutorials will be held on Thursday and Friday,
while the shorter talks and papers program is on Saturday and Sunday.


Call for Talk and Presentation Proposals (CFP)

The EuroBSDcon program committee is inviting BSD developers and users
to submit innovative and original talk proposals not previously
presented at other European conferences. Topics of interest to the
conference include, but are not limited to, applications, architecture,
implementation, performance and security of BSD-based operating
systems, as well as topics concerning the economic or organizational
aspects of BSD use. Presentations are expected to be 45 minutes and
are to be delivered in English.


Call for Tutorial Proposals

The EuroBSDcon program committee is also inviting qualified
practitioners in their field to submit proposals for half or full day
tutorials on topics relevant to development, implementation and use of
BSD-based systems.

Half-day tutorials are expected to be 2.5 to 3 hours and full-day
tutorials 5 to 6 hours. Tutorials are to be held in English.

Submissions

Proposals should be sent by email to submission at eurobsdcon.org.

They should contain a short and concise text description in about 100
words. The submission should also include a short CV of the speaker
and an estimate of the expected travel expenses. Please submit each
proposal as a separate email.

Important dates

The EuroBSDcon program committee is accepting talk and tutorial
proposals until May 19th, 2014. Speakers will be informed of
acceptance status by June 10th, 2014. Other important dates will be
announced soon at the conference website http://2014.EuroBSDcon.org/ .

Program Committee

This year's program committee is

Peter Hansteen (Chair, representing OpenBSD, peter at bsdly dot net)
Janne Johansson (representing OpenBSD, jj at OpenBSD dot org)
Vasil Dimov (representing FreeBSD, vd at FreeBSD dot org)
Ollivier Robert (representing FreeBSD, roberto at FreeBSD dot net)
Martin Husemann (representing NetBSD, martin at NetBSD dot org)
Marc Balmer (representing NetBSD, mbalmer at NetBSD dot org)
Shteryana Shopova (OC liaison, syrinx at FreeBSD dot org)

I am looking forward to your submissions and hope to see you in Sofia,
Shteryana Shopova
On behalf of the EuroBSDcon 2014 Program Committee
_______________________________________________
freebsd-announce@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-announce
To unsubscribe, send any mail to "freebsd-announce-unsubscribe@freebsd.org"

[USN-2123-1] file vulnerabilities

==========================================================================
Ubuntu Security Notice USN-2123-1
February 26, 2014

file vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 13.10
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS

Summary:

File could be made to crash if it processed a specially crafted file.

Software Description:
- file: Tool to determine file types

Details:

It was discovered that file incorrectly handled Composite Document files.
An attacker could use this issue to cause file to crash, resulting in a
denial of service. This issue only affected Ubuntu 10.04 LTS and Ubuntu
12.04 LTS. (CVE-2012-1571)

Bernd Melchers discovered that file incorrectly handled indirect offset
values. An attacker could use this issue to cause file to consume resources
or crash, resulting in a denial of service. (CVE-2014-1943)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 13.10:
file 5.11-2ubuntu4.1
libmagic1 5.11-2ubuntu4.1

Ubuntu 12.10:
file 5.11-2ubuntu0.1
libmagic1 5.11-2ubuntu0.1

Ubuntu 12.04 LTS:
file 5.09-2ubuntu0.2
libmagic1 5.09-2ubuntu0.2

Ubuntu 10.04 LTS:
file 5.03-5ubuntu1.1
libmagic1 5.03-5ubuntu1.1

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2123-1
CVE-2012-1571, CVE-2014-1943

Package Information:
https://launchpad.net/ubuntu/+source/file/5.11-2ubuntu4.1
https://launchpad.net/ubuntu/+source/file/5.11-2ubuntu0.1
https://launchpad.net/ubuntu/+source/file/5.09-2ubuntu0.2
https://launchpad.net/ubuntu/+source/file/5.03-5ubuntu1.1

[CentOS-announce] CESA-2014:0189 Moderate mariadb55-mariadb SCL Security Update

CentOS Errata and Security Advisory 2014:0189 (CentOS Software Collections)

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

-----------------------------
X86_64
-----------------------------

1b5db1c117589d18c186235cd8427d3d5af2ef1064aa6ecacdb18df54b3529fc mariadb55-mariadb-5.5.35-1.1.el6.centos.alt.x86_64.rpm
2f71a6abda960faefe43708ea16f27d5b7fa8d2f58b5c3e20950ae93d4274eff mariadb55-mariadb-bench-5.5.35-1.1.el6.centos.alt.x86_64.rpm
86703029bb44a1c1babd633693f3a390bc7d184052c5917bb5263e54581e9ec4 mariadb55-mariadb-devel-5.5.35-1.1.el6.centos.alt.x86_64.rpm
556fd4db54595a3309eebfca88ae90d5b6ec5fe8a975243948c04289a6955458 mariadb55-mariadb-libs-5.5.35-1.1.el6.centos.alt.x86_64.rpm
de209217e2f57f99dd650d9b26385234a8784a74bdb8b8ed05ee9127ca70c455 mariadb55-mariadb-server-5.5.35-1.1.el6.centos.alt.x86_64.rpm
3f2801d08c6bd41cd254c10d4d4d17fc7ae16f2796a914dacbc92cd2d62f58af mariadb55-mariadb-test-5.5.35-1.1.el6.centos.alt.x86_64.rpm


-----------------------------
Source:
-----------------------------

53579641f00337845f184b5a1148006f31e2b031ac3b967087396236fe94393b mariadb55-mariadb-5.5.35-1.1.el6.centos.alt.src.rpm

=====================================================

The following upstream security issues are addressed in this update:

https://rhn.redhat.com/errata/RHSA-2014-0189.html

--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos at irc.freenode.net


[USN-2122-1] FreeRADIUS vulnerabilities

==========================================================================
Ubuntu Security Notice USN-2122-1
February 26, 2014

freeradius vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 13.10
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS

Summary:

Several security issues were fixed in FreeRADIUS.

Software Description:
- freeradius: high-performance and highly configurable RADIUS server

Details:

It was discovered that FreeRADIUS incorrectly handled unix authentication.
A remote user could successfully authenticate with an expired password.
(CVE-2011-4966)

Pierre Carrier discovered that FreeRADIUS incorrectly handled rlm_pap
hash processing. An authenticated user could use this issue to cause
FreeRADIUS to crash, resulting in a denial of service, or possibly execute
arbitrary code. The default compiler options for affected releases should
reduce the vulnerability to a denial of service. (CVE-2014-2015)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 13.10:
freeradius 2.1.12+dfsg-1.2ubuntu5.1

Ubuntu 12.10:
freeradius 2.1.12+dfsg-1.1ubuntu0.1

Ubuntu 12.04 LTS:
freeradius 2.1.10+dfsg-3ubuntu0.12.04.2

Ubuntu 10.04 LTS:
freeradius 2.1.8+dfsg-1ubuntu1.1

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2122-1
CVE-2011-4966, CVE-2014-2015

Package Information:
https://launchpad.net/ubuntu/+source/freeradius/2.1.12+dfsg-1.2ubuntu5.1
https://launchpad.net/ubuntu/+source/freeradius/2.1.12+dfsg-1.1ubuntu0.1
https://launchpad.net/ubuntu/+source/freeradius/2.1.10+dfsg-3ubuntu0.12.04.2
https://launchpad.net/ubuntu/+source/freeradius/2.1.8+dfsg-1ubuntu1.1

Tuesday, February 25, 2014

[CentOS-announce] CESA-2014:0211 Important CentOS 6 postgresql Update

CentOS Errata and Security Advisory 2014:0211 Important

Upstream details at : https://rhn.redhat.com/errata/RHSA-2014-0211.html

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net

_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
http://lists.centos.org/mailman/listinfo/centos-announce

[CentOS-announce] CESA-2014:0211 Important CentOS 5 postgresql84 Update

CentOS Errata and Security Advisory 2014:0211 Important

Upstream details at : https://rhn.redhat.com/errata/RHSA-2014-0211.html

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net


[USN-2121-1] GnuTLS vulnerability

==========================================================================
Ubuntu Security Notice USN-2121-1
February 25, 2014

gnutls26 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 13.10
- Ubuntu 12.10
- Ubuntu 12.04 LTS

Summary:

GnuTLS incorrectly validated certain intermediate certificates.

Software Description:
- gnutls26: GNU TLS library

Details:

Suman Jana discovered that GnuTLS incorrectly handled version 1
intermediate certificates. This resulted in them being considered to be a
valid CA certificate by default, which was contrary to documented
behaviour.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 13.10:
libgnutls26 2.12.23-1ubuntu4.1

Ubuntu 12.10:
libgnutls26 2.12.14-5ubuntu4.5

Ubuntu 12.04 LTS:
libgnutls26 2.12.14-5ubuntu3.6

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2121-1
CVE-2014-1959

Package Information:
https://launchpad.net/ubuntu/+source/gnutls26/2.12.23-1ubuntu4.1
https://launchpad.net/ubuntu/+source/gnutls26/2.12.14-5ubuntu4.5
https://launchpad.net/ubuntu/+source/gnutls26/2.12.14-5ubuntu3.6

[CentOS-announce] CESA-2014:X007 Moderate Xen4CentOS xen Security Update

CentOS Errata and Security Advisory 2014:X007 (Xen4CentOS)

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

=====================================================

xen Changelog info from the SPEC file:

* Sun Feb 23 2014 Johnny Hughes <johnny@centos.org> - 4.2.4-29.el6.centos
- cleaned up older patches, removed qemu-xen upstream git (Source 100)
tarball as it is part of the xen-4.2.4.tar.gz tarball now

* Sat Feb 22 2014 Johnny Hughes <johnny@centos.org> - 4.2.4-28.el6.centos
- upgrade to upstream version 4.2.4

=====================================================

The following Release info is available from the Xen site regarding Xen-4.2.4:

http://blog.xen.org/index.php/2014/02/18/announcing-xen-4-3-2-and-4-2-4-releases/

--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos at irc.freenode.net

[CentOS-announce] CEBA-2014:X006 Xen4CentOS kernel bugfix Update

CentOS Errata and Bugfix Advisory 2014:X006 (Xen4CentOS)

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

=====================================================

Kernel Changelog info from the SPEC file:
* Sun Feb 23 2014 Johnny Hughes <johnny@centos.org> - 3.10.32-11
- upgrade to upstream 3.10.32


e1000e Changelog info from the SPEC file:
* Sun Feb 23 2014 Johnny Hughes <johnny@centos.org> - 2.5.4-3.10.32.2.el6.centos.alt
- build against version 3.10.32 kernel

=====================================================

The following kernel changelogs are available from kernel.org since the previous kernel:

https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.32
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.31
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.30

=====================================================

The following security issues are addressed in this update:

NONE (bugfix release only)

=====================================================

NOTE: You must run /usr/bin/grub-bootxen.sh to update the file
/boot/grub/grub.conf (or update that file manually) to boot the new
kernel on a Xen dom0 machine. For details, see:
http://wiki.centos.org/HowTos/Xen/Xen4QuickStart

--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos at irc.freenode.net

Fedora 21 Change Planning Process

Hi!
As FESCo agreed at its last meeting to continue with the current Change
process as is for Fedora 21 [1], and work on the "final" schedule is ongoing
(see Stephen Gallagher's mail earlier), please participate and
submit your Change proposals as soon as possible.

With Fedora.next in mind, I'd like to ask even non-development teams
to participate in the process, so that progress can be tracked; we also
need better transparency and coordination. Initially, the submission
deadline has not yet been set, as we can expect many interdependencies
between Changes, and many Changes could be proposed once we have
more answers from Working Groups and other teams.

An empty template with comments on how to fill it in properly is available at
https://fedoraproject.org/wiki/Changes/EmptyTemplate
and the process itself is described at
https://fedoraproject.org/wiki/Changes/Policy

I'm going to restart processing Fedora 21 Change proposals asap,
expect pings from me to clarify bits, adjust proposals etc. ;-).

Approved Change Proposals will be available on the Change Set
Page: https://fedoraproject.org/wiki/Releases/21/ChangeSet

Don't hesitate to ask any question, I'll be more than happy to
answer it and help you!

Your Change Wrangler,
Jaroslav

[1] https://fedorahosted.org/fesco/ticket/1236

_______________________________________________
devel-announce mailing list
devel-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel-announce

Monday, February 24, 2014

[CentOS-announce] CESA-2014:0206 Moderate CentOS 5 openldap Update

CentOS Errata and Security Advisory 2014:0206 Moderate

Upstream details at : https://rhn.redhat.com/errata/RHSA-2014-0206.html

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net

[CentOS-announce] CEBA-2014:0201 CentOS 6 qt Update

CentOS Errata and Bugfix Advisory 2014:0201

Upstream details at : https://rhn.redhat.com/errata/RHBA-2014-0201.html

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net

Help Wanted: Fedora.next schedule estimation

tl;dr: FESCo needs to know what is going to need extra time to deliver
Fedora.next in the Fedora 21 cycle.


Now that the Fedora.next product PRDs have been approved, the next
phase is to plan our execution. First of all, this will mean planning
out how to deliver Fedora 21.

In order to accurately scope the Fedora 21 effort, FESCo needs input
from the working groups and the community at large to identify the
major efforts that we will need to account for during this cycle. We
would like to operate under the expectation that we can deliver at
least a first pass at all three of these Products in the Fedora 21
timeframe.

In the previous round of discussion, we agreed that we would have a
F21 release no sooner than August, to guarantee at least that amount
of time for QA and Rel Eng projects. Now it's time to fill in the
details and make the timeline specific.

The goal here is for us to prepare a list of significant material
changes to existing Fedora Project processes in order to deliver this
first pass of Fedora.next products. (If you shouted "Bingo!" while
reading that sentence, I don't blame you). To define this more
clearly, we need to identify what portions of the Fedora community
will need more time than usual to build out tooling or simply execute
more manual steps in order to deliver on three products as opposed to
our more traditional methods. We're not just looking for "we will need
moar testing time!" here. We want specific information and ideally
novel ways to minimize such additional efforts.

For example, if someone told us that QA would have to spend three
times as much effort to validate three Products, we would also want to
hear statements about how much of that work is duplicated and
theoretically automatable. Then we would also want to know how much
additional time would be needed to do that automation in this cycle
(thereby saving much more time in future cycles). FESCo is amenable to
extending the Fedora 21 schedule (within reason) to simplify life in
the future.

As a non-exhaustive list of example things we expect will need
attention and would like input (particularly time-estimates) on:

* Quality Assurance: Coverage increases and automation such as
Task-o-Tron[1]
* Release Engineering: Re-tooling and automation.
* Documentation Team: Impact on creating documentation for three
products.
* Ambassadors: How do we market these new products and do we need to
account for time to deliver marketing materials?
* Websites Team: What sort of redesign work will we need to go through?
* Working Groups: How long to deliver new technologies?
* Marketing: What to distribute to folks at conferences, how to convey
fedora.next to our users.
* Translators: Need to be kept in the loop on any new stuff added that
requires translations.
* Infrastructure: application changes to meet fedora.next needs, or new
application development to help do so (bodhi changes, etc.)
* Design: consider logos and other needs of products and what it might
take to make them happen.


These are just a few examples. We expect there to be plenty of other
cases that need to be addressed, which is why we would like to hear
them as soon as possible. FESCo will be attempting to determine a
Fedora 21 schedule in the near future and would prefer not to make
this decision in ignorance.

We do not have a formal process in place for organizing such planning
efforts, but as a provisional one, we'd like to take the following steps:

1. Product working groups report on changes they want
2. Other groups also note similar changes they want to see
3. Discussion about what can realistically be done this time around
with various stakeholders (including the list above)
4. Negotiation of how that will affect the product release plans for
f21
5. FESCo will create and publish the schedule

PRDs, Discussion Lists and Freenode IRC Channels:

Fedora Cloud:
https://fedoraproject.org/wiki/Cloud_PRD
cloud@lists.fedoraproject.org
https://lists.fedoraproject.org/mailman/listinfo/cloud
#fedora-cloud

Fedora Server:
https://fedoraproject.org/wiki/Server/Product_Requirements_Document
server@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/server
#fedora-server

Fedora Workstation:
https://fedoraproject.org/wiki/Workstation/Workstation_PRD
desktop@lists.fedoraproject.org
https://lists.fedoraproject.org/mailman/listinfo/desktop
#fedora-workstation

[1] https://fedoraproject.org/wiki/User:Tflink/taskotron_development_plan

[USN-2120-1] PostgreSQL vulnerabilities

==========================================================================
Ubuntu Security Notice USN-2120-1
February 24, 2014

postgresql-8.4, postgresql-9.1 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 13.10
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS

Summary:

Several security issues were fixed in PostgreSQL.

Software Description:
- postgresql-9.1: Object-relational SQL database
- postgresql-8.4: Object-relational SQL database

Details:

Noah Misch and Jonas Sundman discovered that PostgreSQL did not correctly
enforce ADMIN OPTION restrictions. An authenticated attacker could use this
issue to possibly revoke access from others, contrary to expected
permissions. (CVE-2014-0060)

Andres Freund discovered that PostgreSQL incorrectly handled validator
functions. An authenticated attacker could possibly use this issue to
escalate their privileges. (CVE-2014-0061)

Andres Freund discovered that PostgreSQL incorrectly handled concurrent
CREATE INDEX statements. An authenticated attacker could possibly use this
issue to obtain access to restricted data, bypassing intended privileges.
(CVE-2014-0062)

Daniel Schüssler discovered that PostgreSQL incorrectly handled datetime
input. An authenticated attacker could possibly use this issue to cause
PostgreSQL to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2014-0063)

It was discovered that PostgreSQL incorrectly handled certain size
calculations. An authenticated attacker could possibly use this issue to
cause PostgreSQL to crash, resulting in a denial of service, or possibly
execute arbitrary code. (CVE-2014-0064)

Peter Eisentraut and Jozef Mlich discovered that PostgreSQL incorrectly
handled certain buffer sizes. An authenticated attacker could possibly use
this issue to cause PostgreSQL to crash, resulting in a denial of service,
or possibly execute arbitrary code. (CVE-2014-0065)

Honza Horak discovered that PostgreSQL incorrectly used the crypt() library
function. This issue could possibly cause PostgreSQL to crash, resulting in
a denial of service. (CVE-2014-0066)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 13.10:
postgresql-9.1 9.1.12-0ubuntu0.13.10

Ubuntu 12.10:
postgresql-9.1 9.1.12-0ubuntu0.12.10

Ubuntu 12.04 LTS:
postgresql-9.1 9.1.12-0ubuntu0.12.04

Ubuntu 10.04 LTS:
postgresql-8.4 8.4.20-0ubuntu010.04

This update uses a new upstream release, which includes additional bug
fixes. In general, a standard system update will make all the necessary
changes.

References:
http://www.ubuntu.com/usn/usn-2120-1
CVE-2014-0060, CVE-2014-0061, CVE-2014-0062, CVE-2014-0063,
CVE-2014-0064, CVE-2014-0065, CVE-2014-0066

Package Information:
https://launchpad.net/ubuntu/+source/postgresql-9.1/9.1.12-0ubuntu0.13.10
https://launchpad.net/ubuntu/+source/postgresql-9.1/9.1.12-0ubuntu0.12.10
https://launchpad.net/ubuntu/+source/postgresql-9.1/9.1.12-0ubuntu0.12.04
https://launchpad.net/ubuntu/+source/postgresql-8.4/8.4.20-0ubuntu010.04

[CentOS-announce] CEBA-2014:0203 CentOS 6 upstart Update

CentOS Errata and Bugfix Advisory 2014:0203

Upstream details at : https://rhn.redhat.com/errata/RHBA-2014-0203.html

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

i386:
7106e07c74ae089bc82d0db6281d611767c1dee8174d8a501b0b23f715bb1760 upstart-0.6.5-13.el6_5.2.i686.rpm

x86_64:
d72256cdea3ac828edd342b768d1776147bb3a1b874cb0d72181b6244b54eb3a upstart-0.6.5-13.el6_5.2.x86_64.rpm

Source:
d3f220ea9b89d990704504a841c70f70ae57b46692876a628cc3881f612e1e99 upstart-0.6.5-13.el6_5.2.src.rpm



--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net

[CentOS-announce] CEBA-2014:0199 CentOS 6 psmisc Update

CentOS Errata and Bugfix Advisory 2014:0199

Upstream details at : https://rhn.redhat.com/errata/RHBA-2014-0199.html

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

i386:
1170157e8007a92b41414570564f664cd41e537ab066873ac013b5c8ae0cf223 psmisc-22.6-19.el6_5.i686.rpm

x86_64:
4e9e713ea928bd50fa12eb6ad830dde2df2052eca085336f81ce512a8748edd6 psmisc-22.6-19.el6_5.x86_64.rpm

Source:
9d372e6de68a5d29a0c00b4e0e665b772da0625273f4e377783b69f53437b508 psmisc-22.6-19.el6_5.src.rpm



--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net

[CentOS-announce] CEBA-2014:0198 CentOS 5 am-utils Update

CentOS Errata and Bugfix Advisory 2014:0198

Upstream details at : https://rhn.redhat.com/errata/RHBA-2014-0198.html

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

i386:
fa262a7f55c06f92f03b7bca9dc49d48763243b25b0a7c22899f29ee48077f83 am-utils-6.1.5-9.el5_10.i386.rpm

x86_64:
60833fa25ebea8ac74a6f6903dd067f05e53ee0e9c5cc46b63d3a7a1fd914a73 am-utils-6.1.5-9.el5_10.x86_64.rpm

Source:
044f7106e95f814cdd9b0b1d82946d539ef57de1aa02916981d18080ae21fe42 am-utils-6.1.5-9.el5_10.src.rpm

Saturday, February 22, 2014

[FreeBSD-Announce] BSDCan 2014 schedule released

Hello,

The schedule for BSDCan 2014 has been released. You can view the details here:

http://www.bsdcan.org/2014/schedule/events.en.html

For more information about the conference, see http://www.bsdcan.org/2014/


Our keynote this year will be by Karl Lehenbauer, CTO of FlightAware.


With thanks to our sponsors

EMC - http://www.emc.com/

Follow us:

Google+: https://plus.google.com/u/0/b/101572035005283336149/
Facebook: http://www.facebook.com/group.php?gid=272755641371
Twitter: http://www.twitter.com/bsdcan

--
Dan Langille - http://langille.org

Fedora.next update + panel discussion video from DevConf

Video from my presentation about Fedora.next (where it comes from, what it
means to address, why it's important, what we're doing, what you can do,
etc.) and the follow-up panel discussion moderated by Stephen Gallagher and
featuring FESCo WG liaisons (Stephen, Josh Boyer, Marcela Mašláňov, Phil
Knirsch, me):

<http://www.youtube.com/playlist?list=PLzd8cXxlZ8KOcJrNpkZx3trBjaStGIB0s>

I'm working on an article-style summary of this for Fedora Magazine, which
I'll also post to Fedora mailing lists for easier inline discussion, not to
mention faster skimming. But here's the video for now.

There are also a number of other incredibly-relevant and interesting
recordings from the conference at
<http://www.youtube.com/user/RedHatCzech/videos>, many about Fedora
directly, and others about interesting related open source software.


--
Matthew Miller -- Fedora Project -- <mattdm@fedoraproject.org>
_______________________________________________
devel-announce mailing list
devel-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel-announce

Friday, February 21, 2014

[arch-announce] Linux 3.13 WARNING: PS/2 keyboard support is now modular

Thomas Bächler wrote:

It has been requested that we make support for the i8042 keyboard and mouse
controller modular. Some people get weird error messages because they don't have
one and the manual probing slows down their boot. Tom took care of this on the
kernel side (thank you) and the result finally landed in 3.13.

In order to get keyboard input during early init, if you don't have it already,
add the `keyboard` hook to the `HOOKS=` line in `/etc/mkinitcpio.conf` and run
`mkinitcpio -P`. It has been in the default configuration for some time.

**WARNING**: There's a downside to all this: On some motherboards (mostly
ancient ones, but also a few new ones), the i8042 controller cannot be
automatically detected. It's rare, but some people will surely be without
keyboard. You can detect this situation in advance:


$ dmesg -t | grep '^i8042'

i8042: PNP: No PS/2 controller found. Probing ports directly.


If you have a PS/2 port and get this message, add `atkbd` to the `MODULES=` line
in `mkinitcpio.conf` and run `mkinitcpio -P`. If you just noticed that you are
without keyboard after rebooting, fear not! Simply add


earlymodules=atkbd modules-load=atkbd


to your kernel command line in your bootloader.

I will move Linux 3.13 to [core] a few hours from now, to give everyone a chance
to read this before upgrading. I apologize for any inconvenience this transition
may cause.

URL: https://www.archlinux.org/news/linux-313-warning-ps2-keyboard-support-is-now-modular/
_______________________________________________
arch-announce mailing list
arch-announce@archlinux.org
https://mailman.archlinux.org/mailman/listinfo/arch-announce
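As an added example (not from the Arch announcement or from the Arch project): a POSIX sh pre-upgrade check that applies the `dmesg` test above and verifies that an mkinitcpio.conf lists the `keyboard` hook and, where the i8042 controller was not PNP-detected, the `atkbd` module. The dmesg excerpt and the config fragments are constructed stand-ins for `dmesg -t` and `/etc/mkinitcpio.conf`; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the Arch announcement. The inputs below are
# constructed so the check runs offline; on a real host feed it the output of
# `dmesg -t` and the contents of /etc/mkinitcpio.conf instead.

# Constructed dmesg excerpt standing in for `dmesg -t | grep '^i8042'`.
SAMPLE_DMESG='i8042: PNP: No PS/2 controller found. Probing ports directly.
i8042: Warning: Keylock active'

# Constructed mkinitcpio.conf fragments: one already lists atkbd and the
# keyboard hook, the other lists neither.
CONF_OK='MODULES="atkbd"
HOOKS="base udev autodetect modconf block filesystems keyboard fsck"'
CONF_MISSING='MODULES=""
HOOKS="base udev autodetect modconf block filesystems fsck"'

# Succeeds (0) when the kernel reports that it could not find the PS/2
# controller through PNP, which is the case the announcement warns about.
i8042_not_detected() {  # $1 = dmesg text
    printf '%s\n' "$1" | grep -q '^i8042: PNP: No PS/2 controller found'
}

# Print the value of a KEY="..." or KEY=(...) line from a config string.
conf_value() {  # $1 = config text, $2 = key (MODULES or HOOKS)
    printf '%s\n' "$1" | sed -n "s/^$2=[\"(]\{0,1\}\([^\")]*\)[\")]\{0,1\}.*/\1/p"
}

# Succeeds (0) when word $3 appears in the space-separated list for key $2.
conf_has_word() {  # $1 = config text, $2 = key, $3 = word
    for w in $(conf_value "$1" "$2"); do
        [ "$w" = "$3" ] && return 0
    done
    return 1
}

# Prints the action required before rebooting into a kernel with modular
# i8042 support: "ok", "add-keyboard-hook" or "add-atkbd".
check_early_keyboard() {  # $1 = dmesg text, $2 = mkinitcpio.conf text
    # The keyboard hook is needed regardless of how the controller was found.
    if ! conf_has_word "$2" HOOKS keyboard; then
        echo add-keyboard-hook
        return 0
    fi
    # Only undetectable controllers additionally need atkbd forced in MODULES=.
    if i8042_not_detected "$1" && ! conf_has_word "$2" MODULES atkbd; then
        echo add-atkbd
        return 0
    fi
    echo ok
}

check_early_keyboard "$SAMPLE_DMESG" "$CONF_OK"
check_early_keyboard "$SAMPLE_DMESG" "$CONF_MISSING"
```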

Thursday, February 20, 2014

[CentOS-announce] CEBA-2014:0190 CentOS 6 initscripts Update

CentOS Errata and Bugfix Advisory 2014:0190

Upstream details at : https://rhn.redhat.com/errata/RHBA-2014-0190.html

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

i386:
aa360fd0c9db26e8f4e777a2702a9d6a5603520688826b6c4cea1417953fd83e debugmode-9.03.40-2.el6.centos.1.i686.rpm
9c34ed5a53acb2d02a209d85325d457ba391f23b3eeb4a94c1dc1e8f32675aa7 initscripts-9.03.40-2.el6.centos.1.i686.rpm

x86_64:
772f1e1cd0c956505b61e2a443618b6ddf8918a619333c9cd733f0284127eb91 debugmode-9.03.40-2.el6.centos.1.x86_64.rpm
88def6dc91e77a1dfd6dce9c67a1b27a60d919e1dfdce62ec65a60bd87a606d0 initscripts-9.03.40-2.el6.centos.1.x86_64.rpm

Source:
49558ba5efe723368db70a2d855f0485e7229eab69ed9e12290d30ecb6744ddc initscripts-9.03.40-2.el6.centos.1.src.rpm

[CentOS-announce] CEBA-2014:0193 CentOS 6 libvirt Update

CentOS Errata and Bugfix Advisory 2014:0193

Upstream details at : https://rhn.redhat.com/errata/RHBA-2014-0193.html

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )


[CentOS-announce] CEBA-2014:0191 CentOS 6 postfix Update

CentOS Errata and Bugfix Advisory 2014:0191

Upstream details at : https://rhn.redhat.com/errata/RHBA-2014-0191.html

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

i386:
dc6929fc12329033b74a336b1b4686ff3e0dd0dd9a7883000934aaabcae2ec0a postfix-2.6.6-6.el6_5.i686.rpm
30aff82e8b1f6fdc847568c842100b327218d8b0a1f86e61011d7e0658090a84 postfix-perl-scripts-2.6.6-6.el6_5.i686.rpm

x86_64:
47c5fa2ebd6e5d13a6f8b7ba192f58cea943383742f5d8825573bf415ca45262 postfix-2.6.6-6.el6_5.x86_64.rpm
fcd47553e9cbbdccec4e322d524d6b412b2df5e5d525fe6beeca2bccef24542b postfix-perl-scripts-2.6.6-6.el6_5.x86_64.rpm

Source:
9933dbca6400315694b5cf5c35cb447f20e973432e7d40f1fc0531a95f3c4d3a postfix-2.6.6-6.el6_5.src.rpm

Wednesday, February 19, 2014

[USN-2102-2] Firefox regression

==========================================================================
Ubuntu Security Notice USN-2102-2
February 19, 2014

firefox regression
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 13.10
- Ubuntu 12.10
- Ubuntu 12.04 LTS

Summary:

USN-2102-1 introduced a regression in Firefox.

Software Description:
- firefox: Mozilla Open Source web browser

Details:

USN-2102-1 fixed vulnerabilities in Firefox. The update introduced a
regression which could make Firefox crash under some circumstances. This
update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

Christian Holler, Terrence Cole, Jesse Ruderman, Gary Kwong, Eric
Rescorla, Jonathan Kew, Dan Gohman, Ryan VanderMeulen, Carsten Book,
Andrew Sutherland, Byron Campen, Nicholas Nethercote, Paul Adenot, David
Baron, Julian Seward and Sotaro Ikeda discovered multiple memory safety
issues in Firefox. If a user were tricked into opening a specially
crafted website, an attacker could potentially exploit these to cause a
denial of service via application crash, or execute arbitrary code with
the privileges of the user invoking Firefox. (CVE-2014-1477,
CVE-2014-1478)

Cody Crews discovered a method to bypass System Only Wrappers. An attacker
could potentially exploit this to steal confidential data or execute code
with the privileges of the user invoking Firefox. (CVE-2014-1479)

Jordi Chancel discovered that the downloads dialog did not implement a
security timeout before button presses are processed. An attacker could
potentially exploit this to conduct clickjacking attacks. (CVE-2014-1480)

Fredrik Lönnqvist discovered a use-after-free in Firefox. An attacker
could potentially exploit this to cause a denial of service via
application crash, or execute arbitrary code with the privileges of the
user invoking Firefox. (CVE-2014-1482)

Jordan Milne discovered a timing flaw when using document.elementFromPoint
and document.caretPositionFromPoint on cross-origin iframes. An attacker
could potentially exploit this to steal confidential information.
(CVE-2014-1483)

Frederik Braun discovered that the CSP implementation in Firefox did not
handle XSLT stylesheets in accordance with the specification, potentially
resulting in unexpected script execution in some circumstances.
(CVE-2014-1485)

Arthur Gerkis discovered a use-after-free in Firefox. An attacker could
potentially exploit this to cause a denial of service via application
crash, or execute arbitrary code with the privileges of the user invoking
Firefox. (CVE-2014-1486)

Masato Kinugawa discovered a cross-origin information leak in web worker
error messages. An attacker could potentially exploit this to steal
confidential information. (CVE-2014-1487)

Yazan Tommalieh discovered that web pages could activate buttons on the
default Firefox startpage (about:home) in some circumstances. An attacker
could potentially exploit this to cause data loss by triggering a session
restore. (CVE-2014-1489)

Soeren Balko discovered a crash in Firefox when terminating web workers
running asm.js code in some circumstances. An attacker could potentially
exploit this to execute arbitrary code with the privileges of the user
invoking Firefox. (CVE-2014-1488)

Several issues were discovered with ticket handling in NSS. An attacker
could potentially exploit these to cause a denial of service or bypass
cryptographic protection mechanisms. (CVE-2014-1490, CVE-2014-1491)

Boris Zbarsky discovered that security restrictions on window objects
could be bypassed under certain circumstances. (CVE-2014-1481)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 13.10:
firefox 27.0.1+build1-0ubuntu0.13.10.1

Ubuntu 12.10:
firefox 27.0.1+build1-0ubuntu0.12.10.1

Ubuntu 12.04 LTS:
firefox 27.0.1+build1-0ubuntu0.12.04.1

After a standard system update you need to restart Firefox to make
all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2102-2
http://www.ubuntu.com/usn/usn-2102-1
https://launchpad.net/bugs/1274468

Package Information:
https://launchpad.net/ubuntu/+source/firefox/27.0.1+build1-0ubuntu0.13.10.1
https://launchpad.net/ubuntu/+source/firefox/27.0.1+build1-0ubuntu0.12.10.1
https://launchpad.net/ubuntu/+source/firefox/27.0.1+build1-0ubuntu0.12.04.1

[CentOS-announce] Updates Included in CentOS Software Collections

The following updates are included in the initial release of CentOS
Software Collections:

https://rhn.redhat.com/errata/RHSA-2013-1842.html

https://rhn.redhat.com/errata/RHSA-2013-1815.html

https://rhn.redhat.com/errata/RHSA-2013-1794.html

https://rhn.redhat.com/errata/RHSA-2013-1763.html

https://rhn.redhat.com/errata/RHSA-2013-1427.html

https://rhn.redhat.com/errata/RHBA-2013-1239.html

The software collection Source RPMS are obtained from:

ftp://ftp.redhat.com/redhat/linux/enterprise/6Server/en/RHSCL/SRPMS/

[CentOS-announce] CESA-2014:0173 Moderate mysql55-mysql SCL Security Update

CentOS Errata and Security Advisory 2014:0173 (CentOS Software Collections)

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )


The following upstream security issues are addressed in this update:

https://rhn.redhat.com/errata/RHSA-2014-0173.html

[USN-2119-1] Thunderbird vulnerabilities

==========================================================================
Ubuntu Security Notice USN-2119-1
February 19, 2014

thunderbird vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 13.10
- Ubuntu 12.10
- Ubuntu 12.04 LTS

Summary:

Several security issues were fixed in Thunderbird.

Software Description:
- thunderbird: Mozilla Open Source mail and newsgroup client

Details:

Christian Holler, Terrence Cole, Jesse Ruderman, Gary Kwong, Eric
Rescorla, Jonathan Kew, Dan Gohman, Ryan VanderMeulen and Sotaro Ikeda
discovered multiple memory safety issues in Thunderbird. If a user were
tricked into opening a specially crafted message with scripting enabled,
an attacker could potentially exploit these to cause a denial of service
via application crash, or execute arbitrary code with the privileges of
the user invoking Thunderbird. (CVE-2014-1477)

Cody Crews discovered a method to bypass System Only Wrappers. If a user
had enabled scripting, an attacker could potentially exploit this to steal
confidential data or execute code with the privileges of the user invoking
Thunderbird. (CVE-2014-1479)

Fredrik Lönnqvist discovered a use-after-free in Thunderbird. If a user
had enabled scripting, an attacker could potentially exploit this to cause
a denial of service via application crash, or execute arbitrary code with
the privileges of the user invoking Thunderbird. (CVE-2014-1482)

Arthur Gerkis discovered a use-after-free in Thunderbird. If a user had
enabled scripting, an attacker could potentially exploit this to cause a
denial of service via application crash, or execute arbitrary code with
the privileges of the user invoking Thunderbird. (CVE-2014-1486)

Masato Kinugawa discovered a cross-origin information leak in web worker
error messages. If a user had enabled scripting, an attacker could
potentially exploit this to steal confidential information.
(CVE-2014-1487)

Several issues were discovered with ticket handling in NSS. An attacker
could potentially exploit these to cause a denial of service or bypass
cryptographic protection mechanisms. (CVE-2014-1490, CVE-2014-1491)

Boris Zbarsky discovered that security restrictions on window objects
could be bypassed under certain circumstances. (CVE-2014-1481)

Fabián Cuchietti and Ateeq ur Rehman Khan discovered that it was possible
to bypass Javascript execution restrictions when replying to or forwarding
mail messages in certain circumstances. An attacker could potentially
exploit this to steal confidential information or modify message content.
(CVE-2013-6674)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 13.10:
thunderbird 1:24.3.0+build2-0ubuntu0.13.10.1

Ubuntu 12.10:
thunderbird 1:24.3.0+build2-0ubuntu0.12.10.1

Ubuntu 12.04 LTS:
thunderbird 1:24.3.0+build2-0ubuntu0.12.04.1

After a standard system update you need to restart Thunderbird to make
all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2119-1
CVE-2013-6674, CVE-2014-1477, CVE-2014-1479, CVE-2014-1481,
CVE-2014-1482, CVE-2014-1486, CVE-2014-1487, CVE-2014-1490,
CVE-2014-1491, https://launchpad.net/bugs/1274894

Package Information:
https://launchpad.net/ubuntu/+source/thunderbird/1:24.3.0+build2-0ubuntu0.13.10.1
https://launchpad.net/ubuntu/+source/thunderbird/1:24.3.0+build2-0ubuntu0.12.10.1
https://launchpad.net/ubuntu/+source/thunderbird/1:24.3.0+build2-0ubuntu0.12.04.1