Wednesday, April 30, 2014

Ubuntu 12.10 (Quantal Quetzal) reaches End of Life on May 16 2014

Ubuntu announced its 12.10 (Quantal Quetzal) release more than 18 months
ago, on October 18, 2012. Since changes to the Ubuntu support cycle
mean that Ubuntu 13.04 has reached end of life before Ubuntu 12.10, the
support cycle for Ubuntu 12.10 has been extended slightly to overlap
with the release of Ubuntu 14.04 LTS. This will allow users to move
directly from Ubuntu 12.10 to Ubuntu 14.04 LTS (via Ubuntu 13.10).

This period of overlap is now coming to a close, and we will be retiring
Ubuntu 12.10 on Friday, May 16, 2014. At that time, Ubuntu Security
Notices will no longer include information or updated packages for
Ubuntu 12.10.

The supported upgrade path from Ubuntu 12.10 is via Ubuntu 13.10, though
we highly recommend that once you've upgraded to 13.10, you continue to
upgrade through to 14.04, as 13.10's support will end in July.

Instructions and caveats for the upgrade may be found at:

https://help.ubuntu.com/community/SaucyUpgrades
https://help.ubuntu.com/community/TrustyUpgrades

Ubuntu 13.10 and 14.04 continue to be actively supported with security
updates and select high-impact bug fixes. Announcements of security
updates for Ubuntu releases are sent to the ubuntu-security-announce
mailing list, information about which may be found at:

https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

Since its launch in October 2004 Ubuntu has become one of the most
highly regarded Linux distributions with millions of users in homes,
schools, businesses and governments around the world. Ubuntu is Open
Source software, costs nothing to download, and users are free to
customize or alter their software in order to meet their needs.

On behalf of the Ubuntu Release Team,

Adam Conrad


--
ubuntu-announce mailing list
ubuntu-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-announce

Ubuntu 12.10 (Quantal Quetzal) reaches End of Life on May 16 2014

Ubuntu announced its 12.10 (Quantal Quetzal) release more than 18 months
ago, on October 18, 2012. Since changes to the Ubuntu support cycle
mean that Ubuntu 13.04 has reached end of life before Ubuntu 12.10, the
support cycle for Ubuntu 12.10 has been extended slightly to overlap
with the release of Ubuntu 14.04 LTS. This will allow users to move
directly from Ubuntu 12.10 to Ubuntu 14.04 LTS (via Ubuntu 13.10).

This period of overlap is now coming to a close, and we will be retiring
Ubuntu 12.10 on Friday, May 16, 2014. At that time, Ubuntu Security
Notices will no longer include information or updated packages for
Ubuntu 12.10.

The supported upgrade path from Ubuntu 12.10 is via Ubuntu 13.10, though
we highly recommend that once you've upgraded to 13.10, you continue to
upgrade through to 14.04, as 13.10's support will end in July.

Instructions and caveats for the upgrade may be found at:

https://help.ubuntu.com/community/SaucyUpgrades
https://help.ubuntu.com/community/TrustyUpgrades

Ubuntu 13.10 and 14.04 continue to be actively supported with security
updates and select high-impact bug fixes. Announcements of security
updates for Ubuntu releases are sent to the ubuntu-security-announce
mailing list, information about which may be found at:

https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

Since its launch in October 2004 Ubuntu has become one of the most
highly regarded Linux distributions with millions of users in homes,
schools, businesses and governments around the world. Ubuntu is Open
Source software, costs nothing to download, and users are free to
customize or alter their software in order to meet their needs.

On behalf of the Ubuntu Release Team,

Adam Conrad


--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

[USN-2189-1] Thunderbird vulnerabilities

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJTYX+FAAoJEGEfvezVlG4PAC4IAJXUMZSTB5QCZNqOQtca8tJk
IIs9fgf/CjRQFc2zgoRJwJ7UGY5Mg7Pqno0ADYw65HyC1Qs6kC2tRRFhwNEbni/6
QGFsLNJhF1r+j+Xf/W4JqXdiLR7eyuShynMN9+tIpi4BZYhtzt9bD1KSYAomPujY
v4XjyY6cJF5p9h4ZdEX0QqCCN/mH4etO7KtZbiK7C4krsnh1ryZkTeKlwU2NldJ/
TShvNW1SqCCoH0f7OGBXCIJwvIYwLXx+y07ShCB9E3la7FEon6224KdCAH/jvi/v
6H3Z10+UIcjC8yDXD3ofYZhpqS3CFHIzi0tryP2O+3RaQR12G/FFyI1z8UkBUhM=
=X2uZ
-----END PGP SIGNATURE-----
==========================================================================
Ubuntu Security Notice USN-2189-1
April 30, 2014

thunderbird vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS
- Ubuntu 13.10
- Ubuntu 12.10
- Ubuntu 12.04 LTS

Summary:

Several security issues were fixed in Thunderbird.

Software Description:
- thunderbird: Mozilla Open Source mail and newsgroup client

Details:

Bobby Holley, Carsten Book, Christoph Diehl, Gary Kwong, Jan de Mooij,
Jesse Ruderman, Nathan Froyd and Christian Holler discovered multiple
memory safety issues in Thunderbird. If a user were tricked into opening
a specially crafted message with scripting enabled, an attacker could
potentially exploit these to cause a denial of service via application
crash, or execute arbitrary code with the privileges of the user invoking
Thunderbird. (CVE-2014-1518)

Abhishek Arya discovered an out-of-bounds read when decoding JPG images.
An attacker could potentially exploit this to cause a denial of service
via application crash. (CVE-2014-1523)

Abhishek Arya discovered a buffer overflow when a script uses a non-XBL
object as an XBL object. If a user had enabled scripting, an attacker
could potentially exploit this to execute arbitrary code with the
privileges of the user invoking Thunderbird. (CVE-2014-1524)

Mariusz Mlynski discovered that sites with notification permissions can
run script in a privileged context in some circumstances. If a user had
enabled scripting, an attacker could exploit this to execute arbitrary
code with the privileges of the user invoking Thunderbird. (CVE-2014-1529)

It was discovered that browser history navigations could be used to load
a site with the addressbar displaying the wrong address. If a user had
enabled scripting, an attacker could potentially exploit this to conduct
cross-site scripting or phishing attacks. (CVE-2014-1530)

A use-after-free was discovered when resizing images in some
circumstances. If a user had enabled scripting, an attacker could
potentially exploit this to cause a denial of service via application
crash or execute arbitrary code with the privileges of the user invoking
Thunderbird. (CVE-2014-1531)

Tyson Smith and Jesse Schwartzentruber discovered a use-after-free during
host resolution in some circumstances. An attacker could potentially
exploit this to cause a denial of service via application crash or execute
arbitrary code with the privileges of the user invoking Thunderbird.
(CVE-2014-1532)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS:
thunderbird 1:24.5.0+build1-0ubuntu0.14.04.1

Ubuntu 13.10:
thunderbird 1:24.5.0+build1-0ubuntu0.13.10.1

Ubuntu 12.10:
thunderbird 1:24.5.0+build1-0ubuntu0.12.10.1

Ubuntu 12.04 LTS:
thunderbird 1:24.5.0+build1-0ubuntu0.12.04.1

After a standard system update you need to restart Thunderbird to make
all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2189-1
CVE-2014-1518, CVE-2014-1523, CVE-2014-1524, CVE-2014-1529,
CVE-2014-1530, CVE-2014-1531, CVE-2014-1532, https://launchpad.net/bugs/1313886

Package Information:
https://launchpad.net/ubuntu/+source/thunderbird/1:24.5.0+build1-0ubuntu0.14.04.1
https://launchpad.net/ubuntu/+source/thunderbird/1:24.5.0+build1-0ubuntu0.13.10.1
https://launchpad.net/ubuntu/+source/thunderbird/1:24.5.0+build1-0ubuntu0.12.10.1
https://launchpad.net/ubuntu/+source/thunderbird/1:24.5.0+build1-0ubuntu0.12.04.1

[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-14:09.openssl [REVISED]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-14:09.openssl Security Advisory
The FreeBSD Project

Topic: OpenSSL use-after-free vulnerability

Category: contrib
Module: openssl
Announced: 2014-04-30
Affects: FreeBSD 10.x.
Corrected: 2014-04-30 04:03:05 UTC (stable/10, 10.0-STABLE)
2014-04-30 04:04:42 UTC (releng/10.0, 10.0-RELEASE-p2)
CVE Name: CVE-2010-5298

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

0. Revision History

v1.0 2014-04-30 Initial release.
v1.1 2014-04-30 Added patch applying step in Solutions section.

I. Background

FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.

An OpenSSL context can be set to a mode called SSL_MODE_RELEASE_BUFFERS, which
requests the library to release the memory it holds when a read or write buffer
is no longer needed for the context.

II. Problem Description

The buffer may be released before the library has finished using it. It is
possible that a different SSL connection in the same process would use the
released buffer and write data into it.

III. Impact

An attacker may be able to inject data to a different connection that they
should not be able to.

IV. Workaround

No workaround is available, but systems that do not use OpenSSL to implement
the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1)
protocols, or that do not both use SSL_MODE_RELEASE_BUFFERS and handle
multiple SSL connections in the same process, are not vulnerable.

The FreeBSD base system service daemons and utilities do not use the
SSL_MODE_RELEASE_BUFFERS mode. However, much third party software uses this
mode to reduce its memory footprint and may therefore be affected by this
issue.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-14:09/openssl.patch
# fetch http://security.FreeBSD.org/patches/SA-14:09/openssl.patch.asc
# gpg --verify openssl.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

Recompile the operating system using buildworld and installworld as
described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.

Restart all daemons using the library, or reboot the system.

3) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI. Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/10/                                                       r265122
releng/10.0/                                                     r265124
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

<URL:http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/004_openssl.patch.sig>

<URL:https://rt.openssl.org/Ticket/Display.html?id=2167&user=guest&pass=guest>

<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5298>

The latest revision of this advisory is available at
<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:09.openssl.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (FreeBSD)

iQIcBAEBCgAGBQJTYUi5AAoJEO1n7NZdz2rnk/8QAMUvAUQzbd0PE8QYH2ZlnHuO
fhY8xeIxXzK7/e4WOpXDmC68phxLcGQF4YRtX7Wu/yEchIk7cJPocx6kkht8CpCG
t7BpgQOyWY7QRHkIg+hzcooWJFK8nS9miXrwI0vOgWNIbI+iNaSZwNcBsrqF45hI
U1/Z6EWFqmEq+VJBtzpp6F7etYYn8OomBF0XFj13Dtr1UnuG+QqOF0c7FH4o0oiL
+LpTPlgpubOR1wIx/7nR4j5VeXUwHK3Lrv9X5395YmLVca6pHzeG3pFjGuJJMf8E
9t4Y13EfnetO1AEX7Up86i2h28P8nTqmse+m60LAAwMuHpTRvzruQNvzBguv5Nb7
kVoZKbHb8Ji2rrUEQ//tEYcp57iry0ukvP3uzyvA8q17FeGvx/aJl9Wcc6s+Untd
n2WbVvYLnGGNWWI35Yi5eo7TCKcj8z/s0Wgb0omWh7cz7YCjveoG/2x9BHwVGunf
VxEmhXPW8HKSEVf/w/yEIAJIechpRv3q9y+Yh5vgMzVqwoP3nXESuQxpzm6Bx/2P
0ZV+IQNAGRXIBQWqjDqC0yZJ/8QNkp+NDRE8ZZHjxnJeQZCayCaEBmjQZcU9qRHP
Y2eHu+AiDSi5j2hKyWwY59xlUJ+hBCejzSc0kGiuNq1GWIKltGZ48dnN+H4d4Z6C
ZYF6H9F0ykvTxWFfVlFx
=H1mN
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-announce@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-announce
To unsubscribe, send any mail to "freebsd-announce-unsubscribe@freebsd.org"

[USN-2184-2] Unity vulnerabilities

==========================================================================
Ubuntu Security Notice USN-2184-2
April 30, 2014

unity vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS

Summary:

The Unity lock screen could be bypassed.

Software Description:
- unity: Interface designed for efficiency of space and interaction.

Details:

USN-2184-1 fixed lock screen vulnerabilities in Unity. Further testing has
uncovered more issues which have been fixed in this update. This update
also fixes a regression with the shutdown dialogue.

We apologize for the inconvenience.

Original advisory details:

Frédéric Bardy discovered that Unity incorrectly filtered keyboard
shortcuts when the screen was locked. A local attacker could possibly use
this issue to run commands, and unlock the current session.
Giovanni Mellini discovered that Unity could display the Dash in certain
conditions when the screen was locked. A local attacker could possibly use
this issue to run commands, and unlock the current session.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS:
unity 7.2.0+14.04.20140423-0ubuntu1.2

After a standard system update you need to restart your session to make all
the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2184-2
http://www.ubuntu.com/usn/usn-2184-1
https://launchpad.net/bugs/1314247

Package Information:
https://launchpad.net/ubuntu/+source/unity/7.2.0+14.04.20140423-0ubuntu1.2

Re: Mass bug: packages should not auto-enable systemd units

Due to some confusion around how alternatives worked, I screwed up the
list of packages here. I've updated it below. I'll give it a few
more days before filing the actual bugs.

On Wed, Apr 23, 2014 at 4:59 PM, Andrew Lutomirski <luto@mit.edu> wrote:
> Hi everyone-
>
> This is a notice in accordance with the mass bug filing procedure.
>
> A number of packages install systemd units and enable them
> automatically. They should not. Please update these packages to use the
> macroized scriptlet
> (https://fedoraproject.org/wiki/Packaging:ScriptletSnippets#Systemd).
>
> If your package has an exception from FESCo permitting it to enable
> itself, please make sure that the service in question is listed in the
> appropriate preset file.
>
> There is a general exception described here:
>
> https://fedoraproject.org/wiki/Starting_services_by_default
>
> If your package falls under the general exception, then it is possible
> that no change is required. Nevertheless, if you are relying on the
> exception, please make sure that your rpm scripts are sensible. The
> exception is:
>
> In addition, any service which does not remain persistent on the
> system (aka, it "runs once then goes away"), does not listen to
> incoming connections during initialization, and does not require
> configuration to be functional may be enabled by default (but is not
> required to do so). An example of "runs once then goes away" service
> is iptables.
>
> Given that this issue can affect Fedora 20 users who install your
> package as a dependency, these bugs should be fixed in Fedora 20 and
> Rawhide.
>
> The tracker bug is here:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1090684
>
> I created it early because three of the bugs are pre-existing. Next
> week, I'll file bugs against the packages below. If you fix your
> package in the mean time, please let me know.
>
> After three weeks, provenpackagers may step in and fix these issues.
>

abrt
acpid
aeolus-audrey-agent
aeolus-configserver
audit
avahi
bluez
bootchart
cherokee
cloud-init
deltacloud-core
dmapd
dnssec-trigger
glusterfs
gnome-initial-setup
gpsd
ipmiutil
iptables
kexec-tools
libstoragemgmt
libvirt
lttng-tools
monit
NetworkManager
nfs-utils
nss-pam-ldapd
olpc-kbdshim
olpc-powerd
openct
pcsc-lite
qemu
qpid-cpp
rootfs-resize
rpcbind
sendmail
soundmodem
spacenavd
subscription-manager
supervisor
systemd
targetcli
util-linux
vdsm
xen

--Andy
_______________________________________________
devel-announce mailing list
devel-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel-announce

[USN-2188-1] elfutils vulnerability

==========================================================================
Ubuntu Security Notice USN-2188-1
April 30, 2014

elfutils vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS
- Ubuntu 13.10
- Ubuntu 12.10

Summary:

elfutils could be made to crash or run programs if it processed a specially
crafted file.

Software Description:
- elfutils: collection of utilities to handle ELF objects

Details:

Florian Weimer discovered that the elfutils libdw library incorrectly
handled malformed compressed debug sections in ELF files. If a user or
automated system were tricked into processing a specially crafted ELF file,
applications linked against libdw could be made to crash, or possibly
execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS:
libdw1 0.158-0ubuntu5.1

Ubuntu 13.10:
libdw1 0.157-1ubuntu1.1

Ubuntu 12.10:
libdw1 0.153-1ubuntu1.1

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2188-1
CVE-2014-0172

Package Information:
https://launchpad.net/ubuntu/+source/elfutils/0.158-0ubuntu5.1
https://launchpad.net/ubuntu/+source/elfutils/0.157-1ubuntu1.1
https://launchpad.net/ubuntu/+source/elfutils/0.153-1ubuntu1.1

[USN-2187-1] OpenJDK 7 vulnerabilities

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCgAGBQJTYQ6FAAoJEFHb3FjMVZVz4scP+wUEgOCI10S4SPArHVFaZwIF
FbOWSufPP3pr3Ybl9955YUMjDgRyG/ujIc8Fcsvv0auXpFNq1b3wupGnd+NjKQZ8
NVed3Q6/JANYwzwmCztev+pauRCKhyBJKwhdLCMnkuPxQmzJ+Ee+Y4JOjyxsSEv+
cb3sbWLxKn9hiBX627NBNTm8Zm7ppuXM8bwZhWLMI1eczUAccj7jqs1CewfT9H6R
sDiD469LmmqZkOR+VKZ0hf+7tKFtMKnWBrNIbF1kB7BSKE6n7jTekrLPRifd3Dvk
XSma7NS5qJIF50LjPod25cjIuub/R5fmlnjxWhlZpATK2cX0WPJC8ZnZCIMWkY/7
g2TG+bdBDHVGkYo9xcUUN69S30MVLpfJP4k2ZYHm0vqkgWeowYH7SxUPBxvu4qFQ
LJ+rANDIZPGKLuUWfeJe5SH1THbQnmp9ftJ1D2d1dt201anGr+lpwS0I4eY1tqkh
x7+WlbQCMogwyZ4mMS1yKU6M8VUa7gSAYXKPhz29pWNHuxkZm7meWT77kefeIIA/
JcUoOvdGvvNZEtUrMK7niZYF22txFgohE0W1/3cBHKjZCCkRJ30QIoNLqbcx5hTO
ON2mgGvYPNi2A1PrTRj4FJp20uNw6mfgQDp7DIpwH9205nbU/9g6CDqAOigo7g+l
xvr1xsItQTlhMrC+j+dw
=AxdG
-----END PGP SIGNATURE-----
==========================================================================
Ubuntu Security Notice USN-2187-1
April 30, 2014

openjdk-7 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS
- Ubuntu 13.10
- Ubuntu 12.10

Summary:

Several security issues were fixed in OpenJDK 7.

Software Description:
- openjdk-7: Open Source Java implementation

Details:

Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure, data integrity and availability. An attacker could
exploit these to cause a denial of service or expose sensitive data over
the network. (CVE-2014-0429, CVE-2014-0446, CVE-2014-0451, CVE-2014-0452,
CVE-2014-0454, CVE-2014-0455, CVE-2014-0456, CVE-2014-0457, CVE-2014-0458,
CVE-2014-0461, CVE-2014-2397, CVE-2014-2402, CVE-2014-2412, CVE-2014-2414,
CVE-2014-2421, CVE-2014-2423, CVE-2014-2427)

Two vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure and data integrity. An attacker could exploit these
to expose sensitive data over the network. (CVE-2014-0453, CVE-2014-0460)

A vulnerability was discovered in the OpenJDK JRE related to availability.
An attacker could exploit this to cause a denial of service.
(CVE-2014-0459)

Jakub Wilk discovered that the OpenJDK JRE incorrectly handled temporary
files. A local attacker could possibly use this issue to overwrite
arbitrary files. In the default installation of Ubuntu, this should be
prevented by the Yama link restrictions. (CVE-2014-1876)

Two vulnerabilities were discovered in the OpenJDK JRE related to data
integrity. (CVE-2014-2398, CVE-2014-2413)

A vulnerability was discovered in the OpenJDK JRE related to information
disclosure. An attacker could exploit this to expose sensitive data over
the network. (CVE-2014-2403)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS:
icedtea-7-jre-jamvm 7u55-2.4.7-1ubuntu1
openjdk-7-jre 7u55-2.4.7-1ubuntu1
openjdk-7-jre-headless 7u55-2.4.7-1ubuntu1
openjdk-7-jre-lib 7u55-2.4.7-1ubuntu1
openjdk-7-jre-zero 7u55-2.4.7-1ubuntu1

Ubuntu 13.10:
icedtea-7-jre-jamvm 7u55-2.4.7-1ubuntu1~0.13.10.1
openjdk-7-jre 7u55-2.4.7-1ubuntu1~0.13.10.1
openjdk-7-jre-headless 7u55-2.4.7-1ubuntu1~0.13.10.1
openjdk-7-jre-lib 7u55-2.4.7-1ubuntu1~0.13.10.1
openjdk-7-jre-zero 7u55-2.4.7-1ubuntu1~0.13.10.1

Ubuntu 12.10:
icedtea-7-jre-cacao 7u55-2.4.7-1ubuntu1~0.12.10.1
icedtea-7-jre-jamvm 7u55-2.4.7-1ubuntu1~0.12.10.1
openjdk-7-jre 7u55-2.4.7-1ubuntu1~0.12.10.1
openjdk-7-jre-headless 7u55-2.4.7-1ubuntu1~0.12.10.1
openjdk-7-jre-lib 7u55-2.4.7-1ubuntu1~0.12.10.1
openjdk-7-jre-zero 7u55-2.4.7-1ubuntu1~0.12.10.1

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any Java
applications or applets to make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2187-1
CVE-2014-0429, CVE-2014-0446, CVE-2014-0451, CVE-2014-0452,
CVE-2014-0453, CVE-2014-0454, CVE-2014-0455, CVE-2014-0456,
CVE-2014-0457, CVE-2014-0458, CVE-2014-0459, CVE-2014-0460,
CVE-2014-0461, CVE-2014-1876, CVE-2014-2397, CVE-2014-2398,
CVE-2014-2402, CVE-2014-2403, CVE-2014-2412, CVE-2014-2413,
CVE-2014-2414, CVE-2014-2421, CVE-2014-2423, CVE-2014-2427,
https://launchpad.net/bugs/1283828

Package Information:
https://launchpad.net/ubuntu/+source/openjdk-7/7u55-2.4.7-1ubuntu1
https://launchpad.net/ubuntu/+source/openjdk-7/7u55-2.4.7-1ubuntu1~0.13.10.1
https://launchpad.net/ubuntu/+source/openjdk-7/7u55-2.4.7-1ubuntu1~0.12.10.1

[CentOS-announce] CESA-2014:0449 Important CentOS 5 thunderbird Update

CentOS Errata and Security Advisory 2014:0449 Important

Upstream details at : https://rhn.redhat.com/errata/RHSA-2014-0449.html

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

i386:
a897dbd0573b3fa611805f8db40c9a90e53e2f3c8f283cd085b035e21c1269a5 thunderbird-24.5.0-1.el5.centos.i386.rpm

x86_64:
d22792c4ad7764d64bc3a19c9f22a4b1fb4a1c3984f6e0fe3f0cfdb20024d61f thunderbird-24.5.0-1.el5.centos.x86_64.rpm

Source:
b4a35c5371ee13496c6a51cdb04e2c819a53f948d59ba874f5c80be3b900a756 thunderbird-24.5.0-1.el5.centos.src.rpm



--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net

_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
http://lists.centos.org/mailman/listinfo/centos-announce

[CentOS-announce] CEBA-2014:0451 CentOS 6 rsync FASTTRACK Update

CentOS Errata and Bugfix Advisory 2014:0451

Upstream details at : https://rhn.redhat.com/errata/RHBA-2014-0451.html

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

i386:
49819eb910ffb469278c81b3680124915986217668b94d79e98a47ef8100b499 rsync-3.0.6-12.el6.i686.rpm

x86_64:
a6e054b254d1c3978c8f06bd96f23b5d7a130f7c922de550bc96d8cae49d35ac rsync-3.0.6-12.el6.x86_64.rpm

Source:
3b0f02cc7a51c63d5ab5c745c6119e0d44726f21d5bb20151418b51dd5893f67 rsync-3.0.6-12.el6.src.rpm



--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net

_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
http://lists.centos.org/mailman/listinfo/centos-announce

F21 Self Contained Change: MariaDB 10.0

= Proposed Self Contained Change: MariaDB 10.0 =
https://fedoraproject.org/wiki/Changes/MariaDB10

Change owner(s): Jakub Dorňák <jdornak@redhat.com>

Update MariaDB to version 10.0

== Detailed Description ==
MariaDB 10.0 is the current stable (GA) release of MariaDB. It is built on the
MariaDB 5.5 series with backported features from MySQL 5.6 and entirely new
features not found anywhere else.

The libraries provided by MariaDB 10.0 packages remain compatible. There is no
need to rebuild other packages.

== Scope ==
* Proposal owners: rebase MariaDB to version 10.0.10
* Other developers: N/A (not a System Wide Change)
* Release engineering: N/A (not a System Wide Change)
* Policies and guidelines: N/A (not a System Wide Change)

There is no need to rebuild other packages.

_______________________________________________
devel-announce mailing list
devel-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel-announce

F21 Self Contained Change: The Shogun Machine Learning Toolbox

= Proposed Self Contained Change: The Shogun Machine Learning Toolbox =
https://fedoraproject.org/wiki/Changes/shogun

Change owner(s): Björn Esser <besser82@fedoraproject.org>

SHOGUN is a large-scale machine learning toolbox implemented in C++ and
offering interfaces to C#, Java, Lua, Octave, Perl, Python, R and Ruby.

== Detailed Description ==
* Homepage: The SHOGUN Machine Learning Toolbox [1]
* SCM-repo: on GitHub [2]
* Documentation: is available here [3]
* Further information: on Wikipedia [4]

The machine learning toolbox's focus is on large scale kernel methods and
especially on Support Vector Machines (SVM). It provides a generic SVM object
interfacing to several different SVM implementations, among them the state of
the art LibSVM. Each of the SVMs can be combined with a variety of kernels.
The toolbox not only provides efficient implementations of the most common
kernels, like the Linear, Polynomial, Gaussian and Sigmoid Kernel but also
comes with a number of recent string kernels as e.g. the Locality Improved,
Fischer, TOP, Spectrum, Weighted Degree Kernel (with shifts). For the latter
the efficient LINADD optimizations are implemented. Also SHOGUN offers the
freedom of working with custom pre-computed kernels. One of its key features
is the "combined kernel" which can be constructed by a weighted linear
combination of a number of sub-kernels, each of which not necessarily working
on the same domain. An optimal sub-kernel weighting can be learned using
Multiple Kernel Learning. Currently SVM 2-class classification and regression
problems can be dealt with. However SHOGUN also implements a number of linear
methods like Linear Discriminant Analysis (LDA), Linear Programming Machine
(LPM), (Kernel) Perceptrons, and features algorithms to train hidden Markov
models. The input feature-objects can be dense, sparse or strings and of type
int/short/double/char and can be converted into different feature types.
Chains of "pre-processors" (e.g. subtracting the mean) can be attached to each
feature object allowing for on-the-fly pre-processing.

== Scope ==
* Proposal owners: Create the rpm-spec and file a review bug. Have the package
built once the review has been granted.
* Other developers: N/A (not a System Wide Change)
* Release engineering: N/A (not a System Wide Change)
* Policies and guidelines: N/A (not a System Wide Change)

[1] http://shogun-toolbox.org/
[2] https://github.com/shogun-toolbox/shogun
[3] http://shogun-toolbox.org/doc/en/current/
[4] http://en.wikipedia.org/wiki/Shogun_%28toolbox%29
_______________________________________________
devel-announce mailing list
devel-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel-announce

[USN-2186-1] Date and Time Indicator vulnerability

==========================================================================
Ubuntu Security Notice USN-2186-1
April 30, 2014

indicator-datetime vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 13.10

Summary:

The Date and Time Indicator would allow unintended access.

Software Description:
- indicator-datetime: Simple clock

Details:

It was discovered that the Date and Time Indicator incorrectly allowed
Evolution to be opened at the greeter screen. An attacker could use this
issue to possibly gain unexpected access to applications such as a web
browser with privileges of the greeter user.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 13.10:
indicator-datetime 13.10.0+13.10.20131023.2-0ubuntu1.1

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2186-1
CVE-2013-7374

Package Information:

https://launchpad.net/ubuntu/+source/indicator-datetime/13.10.0+13.10.20131023.2-0ubuntu1.1

[CentOS-announce] CESA-2014:0448 Critical CentOS 5 firefox Update

CentOS Errata and Security Advisory 2014:0448 Critical

Upstream details at : https://rhn.redhat.com/errata/RHSA-2014-0448.html

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

i386:
cd7fb2914457b55281d212820970dd3a24431f4771b4173bd12d2b08e2183cb2 firefox-24.5.0-1.el5.centos.i386.rpm

x86_64:
cd7fb2914457b55281d212820970dd3a24431f4771b4173bd12d2b08e2183cb2 firefox-24.5.0-1.el5.centos.i386.rpm
829e2cae410d131956145f034669010a2eeb9683ba89158ec3fb454179af9c72 firefox-24.5.0-1.el5.centos.x86_64.rpm

Source:
7291216fddb0f0a96008754dc73c239752752099954d506dcc4b5e4c0983e0fc firefox-24.5.0-1.el5.centos.src.rpm



--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net

_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
http://lists.centos.org/mailman/listinfo/centos-announce

[CentOS-announce] CESA-2014:0448 Critical CentOS 6 firefox Update

CentOS Errata and Security Advisory 2014:0448 Critical

Upstream details at : https://rhn.redhat.com/errata/RHSA-2014-0448.html

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

i386:
f604914eab407ecede9dc432862d683e447ead9d1ca6233bba6ccea1fae2fb8c firefox-24.5.0-1.el6.centos.i686.rpm

x86_64:
f604914eab407ecede9dc432862d683e447ead9d1ca6233bba6ccea1fae2fb8c firefox-24.5.0-1.el6.centos.i686.rpm
e052b9047b7b3d46ce5448fdf0f55f9b3a48313ada620b19f517f60ecebdbb02 firefox-24.5.0-1.el6.centos.x86_64.rpm

Source:
1dc3e4c8c8e693c639708f58c088a5dd63e8788ebbbfbc46a7e6da5a7a726036 firefox-24.5.0-1.el6.centos.src.rpm



--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net

_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
http://lists.centos.org/mailman/listinfo/centos-announce

[CentOS-announce] CESA-2014:0449 Important CentOS 6 thunderbird Update

CentOS Errata and Security Advisory 2014:0449 Important

Upstream details at : https://rhn.redhat.com/errata/RHSA-2014-0449.html

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

i386:
bfdd789dfb646ac2fd1a581c08df197893df8589b7e8a1558810538b012f7502 thunderbird-24.5.0-1.el6.centos.i686.rpm

x86_64:
6fb01246c4f72fce153c0ab9eb3e53c7b054fc477d16b9c5e203040ef22844ba thunderbird-24.5.0-1.el6.centos.x86_64.rpm

Source:
6068612b0fbb1e3f7e6e830b19c2480d6776e9876b4572d1814dc116d1c88b98 thunderbird-24.5.0-1.el6.centos.src.rpm



--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net

_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
http://lists.centos.org/mailman/listinfo/centos-announce

poppler soname bump in rawhide

Hi,

I plan to rebase poppler in rawhide to poppler-0.26.0 at 12th of May.
There are several API changes.

I've prepared a scratch build of poppler-0.26.0 against which you can
test your packages. You can find the build here:

http://koji.fedoraproject.org/koji/taskinfo?taskID=6798518

and here:

http://mkasik.fedorapeople.org/poppler/

Regards

Marek
_______________________________________________
devel-announce mailing list
devel-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel-announce

Tuesday, April 29, 2014

[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-14:09.openssl


=============================================================================
FreeBSD-SA-14:09.openssl Security Advisory
The FreeBSD Project

Topic: OpenSSL use-after-free vulnerability

Category: contrib
Module: openssl
Announced: 2014-04-30
Affects: FreeBSD 10.x.
Corrected: 2014-04-30 04:03:05 UTC (stable/10, 10.0-STABLE)
2014-04-30 04:04:42 UTC (releng/10.0, 10.0-RELEASE-p2)
CVE Name: CVE-2010-5298

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I. Background

FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.

An OpenSSL context can be set to a mode called SSL_MODE_RELEASE_BUFFERS, which
requests that the library release the memory it holds when a read or write
buffer is no longer needed for the context.

II. Problem Description

The buffer may be released before the library has finished using it. It is
possible that a different SSL connection in the same process would use the
released buffer and write data into it.
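A small C model of the buffer sharing described above, added here as an example (it is not OpenSSL's code): two connections in one process draw read buffers from a common freelist, and the release path runs while connection A is still processing a record. The pool, the `conn` structure and the two release variants are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define NBUF  2             /* constructed pool size */
#define BUFSZ 64

struct buf { char data[BUFSZ]; bool in_freelist; };
static struct buf pool[NBUF];     /* one pool shared by every connection in the process */

struct conn {
    struct buf *rbuf;   /* read buffer currently attached, NULL once released */
    int busy;           /* >0 while a record held in rbuf is still being processed */
};

static void pool_reset(void) {
    for (int i = 0; i < NBUF; i++) { memset(pool[i].data, 0, BUFSZ); pool[i].in_freelist = true; }
}

static struct buf *pool_get(void) {            /* first free buffer wins */
    for (int i = 0; i < NBUF; i++)
        if (pool[i].in_freelist) { pool[i].in_freelist = false; return &pool[i]; }
    return NULL;
}

/* Defective release: the buffer goes back to the freelist while the
 * connection still holds a pointer to it and has a record in flight. */
static void release_unsafe(struct conn *c) {
    if (c->rbuf) c->rbuf->in_freelist = true;
}

/* Hardened release: refuse while a record is being processed, and drop
 * the connection's pointer so nothing can touch the buffer afterwards. */
static bool release_safe(struct conn *c) {
    if (c->rbuf == NULL || c->busy > 0) return false;
    c->rbuf->in_freelist = true;
    c->rbuf = NULL;
    return true;
}

/* Two connections in one process. Returns 1 if connection A ends up reading
 * bytes written by connection B (data crossed connections), 0 if A's record
 * is intact. */
static int scenario(bool use_safe_release) {
    pool_reset();
    struct conn a = { pool_get(), 0 }, b = { NULL, 0 };
    strcpy(a.rbuf->data, "record for A");      /* constructed plaintext */
    a.busy = 1;                                 /* A begins processing the record */
    if (use_safe_release) release_safe(&a); else release_unsafe(&a);
    b.rbuf = pool_get();                        /* B needs a read buffer now */
    strcpy(b.rbuf->data, "record for B");
    int crossed = strcmp(a.rbuf->data, "record for A") != 0;  /* A resumes */
    a.busy = 0;
    if (use_safe_release) release_safe(&a);     /* legitimate release point */
    return crossed;
}

int main(void) {
    printf("release while busy: data crossed connections = %d\n", scenario(false));
    printf("release only when idle: data crossed connections = %d\n", scenario(true));
    return 0;
}
```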

III. Impact

An attacker may be able to inject data into a different connection that they
should not be able to.

IV. Workaround

No workaround is available, but systems that do not use OpenSSL to implement
the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1)
protocols, or that do not use SSL_MODE_RELEASE_BUFFERS while handling multiple
SSL connections in the same process, are not vulnerable.

The FreeBSD base system service daemons and utilities do not use the
SSL_MODE_RELEASE_BUFFERS mode. However, much third-party software uses this
mode to reduce its memory footprint and may therefore be affected by this
issue.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-14:09/openssl.patch
# fetch http://security.FreeBSD.org/patches/SA-14:09/openssl.patch.asc
# gpg --verify openssl.patch.asc

Restart all daemons using the library, or reboot the system.

3) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI. Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/10/                                                        r265122
releng/10.0/                                                      r265124
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

<URL:http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/004_openssl.patch.sig>

<URL:https://rt.openssl.org/Ticket/Display.html?id=2167&user=guest&pass=guest>

<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5298>

The latest revision of this advisory is available at
<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:09.openssl.asc>
_______________________________________________
freebsd-announce@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-announce
To unsubscribe, send any mail to "freebsd-announce-unsubscribe@freebsd.org"

[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-14:08.tcp


=============================================================================
FreeBSD-SA-14:08.tcp Security Advisory
The FreeBSD Project

Topic: TCP reassembly vulnerability

Category: core
Module: inet
Announced: 2014-04-30
Credits: Jonathan Looney
Affects: All supported versions of FreeBSD.
Corrected: 2014-04-30 04:04:20 UTC (stable/8, 8.4-STABLE)
2014-04-30 04:05:47 UTC (releng/8.4, 8.4-RELEASE-p9)
2014-04-30 04:05:47 UTC (releng/8.3, 8.3-RELEASE-p16)
2014-04-30 04:04:20 UTC (stable/9, 9.2-STABLE)
2014-04-30 04:05:47 UTC (releng/9.2, 9.2-RELEASE-p5)
2014-04-30 04:05:47 UTC (releng/9.1, 9.1-RELEASE-p12)
2014-04-30 04:03:05 UTC (stable/10, 10.0-STABLE)
2014-04-30 04:04:42 UTC (releng/10.0, 10.0-RELEASE-p2)
CVE Name: CVE-2014-3000

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I. Background

The Transmission Control Protocol (TCP) of the TCP/IP protocol suite
provides a connection-oriented, reliable, sequence-preserving data
stream service. When network packets making up a TCP stream (``TCP
segments'') are received out-of-sequence, they are maintained in a
reassembly queue by the destination system until they can be re-ordered
and re-assembled.

II. Problem Description

FreeBSD may add a reassembly queue entry located on the stack to the segment
list when the reassembly queue reaches its limit. The memory from the stack is
undefined after the function returns. Subsequent iterations of the
reassembly function will attempt to access this entry.
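A simplified C model of an out-of-order reassembly queue with an entry limit, added here as an example (it is not FreeBSD's tcp_reass() code); the structure names, the REASS_LIMIT of 4 and the constructed segment sequence are illustrative. It shows the defensive shape the problem description calls for: only heap-allocated entries are ever linked into the list, and a segment that arrives while the queue is full is handled without linking anything that would outlive the call.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <stdbool.h>

#define REASS_LIMIT 4       /* constructed limit on queued out-of-order entries */
#define SEG_MAX     16      /* constructed maximum payload per segment */
#define STREAM_MAX  256

struct tseg {               /* one queued out-of-order segment (always heap-allocated) */
    uint32_t seq, len;
    uint8_t  data[SEG_MAX];
    struct tseg *next;      /* singly linked, ascending seq */
};

struct reass_queue {
    uint32_t rcv_nxt;       /* next in-order sequence number expected */
    struct tseg *head;
    unsigned count;         /* queued entries; never exceeds REASS_LIMIT */
    uint8_t stream[STREAM_MAX];
    uint32_t delivered;     /* bytes handed to the application in order */
};

static void reass_init(struct reass_queue *q) { memset(q, 0, sizeof *q); }

static void reass_destroy(struct reass_queue *q) {
    while (q->head) { struct tseg *t = q->head; q->head = t->next; free(t); }
    q->count = 0;
}

/* Append in-order bytes, then drain queued entries that have become contiguous. */
static void deliver(struct reass_queue *q, const uint8_t *d, uint32_t len) {
    if (q->delivered + len > STREAM_MAX) return;
    memcpy(q->stream + q->delivered, d, len);
    q->delivered += len; q->rcv_nxt += len;
    while (q->head && q->head->seq == q->rcv_nxt) {
        struct tseg *t = q->head;
        q->head = t->next; q->count--;
        if (q->delivered + t->len <= STREAM_MAX) {
            memcpy(q->stream + q->delivered, t->data, t->len);
            q->delivered += t->len; q->rcv_nxt += t->len;
        }
        free(t);            /* unlinked heap entry: safe to free here */
    }
}

/* Returns true if the segment was delivered or queued, false if dropped. */
static bool reass_input(struct reass_queue *q, uint32_t seq, const uint8_t *d, uint32_t len) {
    if (len == 0 || len > SEG_MAX) return false;
    if (seq == q->rcv_nxt) { deliver(q, d, len); return true; }   /* in order: no queue entry needed */
    if (seq < q->rcv_nxt) return false;                          /* stale data (no overlap trimming in this model) */
    if (q->count >= REASS_LIMIT) {
        /* Queue full. The hazard in the advisory is linking a temporary entry
         * that lives in this stack frame into q->head; it would dangle as soon
         * as this function returns. Here nothing is linked: the segment is
         * dropped and the peer will retransmit it. */
        return false;
    }
    struct tseg *t = calloc(1, sizeof *t);
    if (t == NULL) return false;
    t->seq = seq; t->len = len; memcpy(t->data, d, len);
    struct tseg **pp = &q->head;                     /* keep ascending order */
    while (*pp && (*pp)->seq < seq) pp = &(*pp)->next;
    if (*pp && (*pp)->seq == seq) { free(t); return false; }   /* duplicate */
    t->next = *pp; *pp = t; q->count++;
    return true;
}

struct scenario_result { uint32_t delivered; unsigned peak; unsigned dropped; bool stream_ok; };

/* Constructed traffic: six 4-byte segments (seq 4..24) arrive before seq 0;
 * two exceed the limit and are dropped, then arrive again as retransmissions. */
static struct scenario_result run_scenario(void) {
    struct reass_queue q; struct scenario_result r = {0, 0, 0, false};
    uint8_t p[4];
    reass_init(&q);
    for (uint32_t seq = 4; seq <= 24; seq += 4) {
        memset(p, 'a' + seq / 4, 4);
        if (!reass_input(&q, seq, p, 4)) r.dropped++;
        if (q.count > r.peak) r.peak = q.count;
    }
    memset(p, 'a', 4);
    reass_input(&q, 0, p, 4);                        /* unblocks bytes 0..19 */
    for (uint32_t seq = 20; seq <= 24; seq += 4) {   /* retransmissions */
        memset(p, 'a' + seq / 4, 4);
        reass_input(&q, seq, p, 4);
    }
    r.delivered = q.delivered;
    r.stream_ok = memcmp(q.stream, "aaaabbbbccccddddeeeeffffgggg", 28) == 0;
    reass_destroy(&q);
    return r;
}

int main(void) {
    struct scenario_result r = run_scenario();
    printf("delivered=%u peak=%u dropped=%u stream_ok=%d\n",
           (unsigned)r.delivered, r.peak, r.dropped, (int)r.stream_ok);
    return 0;
}
```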

III. Impact

An attacker who can send a series of specifically crafted packets within a
connection could cause a denial of service by causing the kernel to crash.

Additionally, because the undefined on-stack memory may be overwritten by
other kernel threads, it may be possible, although extremely difficult, for
an attacker to construct a carefully crafted attack to obtain a portion of
kernel memory via a connected socket. This may result in the disclosure of
sensitive information such as login credentials before or even without
crashing the system.

IV. Workaround

It is possible to defend against these attacks by doing traffic normalization
using a firewall. This can be done by including the following /etc/pf.conf
configuration:

scrub in all

This requires pf(4) to be enabled and the configuration above to be loaded.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-14:08/tcp.patch
# fetch http://security.FreeBSD.org/patches/SA-14:08/tcp.patch.asc
# gpg --verify tcp.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

3) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI. Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/8/                                                         r265123
releng/8.3/                                                       r265125
releng/8.4/                                                       r265125
stable/9/                                                         r265123
releng/9.1/                                                       r265125
releng/9.2/                                                       r265125
stable/10/                                                        r265122
releng/10.0/                                                      r265124
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3000>

The latest revision of this advisory is available at
<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:08.tcp.asc>
_______________________________________________
freebsd-announce@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-announce
To unsubscribe, send any mail to "freebsd-announce-unsubscribe@freebsd.org"

[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-14:07.devfs


=============================================================================
FreeBSD-SA-14:07.devfs Security Advisory
The FreeBSD Project

Topic: devfs rules not applied by default for jails

Category: core
Module: etc_rc.d
Announced: 2014-04-30
Affects: FreeBSD 10.0
Corrected: 2014-04-30 04:03:05 UTC (stable/10, 10.0-STABLE)
2014-04-30 04:04:42 UTC (releng/10.0, 10.0-RELEASE-p2)
CVE Name: CVE-2014-3001

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I. Background

The device file system, or devfs(5), provides access to the kernel's device
namespace in the global file system namespace.

The devfs(5) rule subsystem provides a way for the administrator of a system
to control the attributes of DEVFS nodes. Each DEVFS mount-point has a
``ruleset'', or a list of rules, associated with it, allowing the
administrator to change the properties, including the visibility, of certain
nodes.

II. Problem Description

The default devfs rulesets are not loaded on boot, even when jails are used.
Device nodes will be created in the jail with their normal default access
permissions, while most of them should be hidden and inaccessible.

III. Impact

Jailed processes can get access to restricted resources on the host system.
For jailed processes running with superuser privileges this implies access
to all devices on the system. This level of access could lead to information
leakage and privilege escalation.

IV. Workaround

Systems that do not run jails are not affected.

The system administrator can do the following to load the default ruleset:

/etc/rc.d/devfs onestart

Then apply the default ruleset for jails on a devfs mount using:

devfs -m ${devfs_mountpoint} rule -s 4 applyset

Or, alternatively, the following command will apply the ruleset over all devfs
mountpoints except the host one:

mount -t devfs | grep -v '^devfs on /dev ' | awk '{print $3;}' | \
xargs -n 1 -J % devfs -m % rule -s 4 applyset

After this, the system administrator should add the following configuration
to /etc/rc.conf to make it permanent, so the above operations do not have
to be done each time the host system reboots.

devfs_load_rulesets="YES"

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-14:07/devfs.patch
# fetch http://security.FreeBSD.org/patches/SA-14:07/devfs.patch.asc
# gpg --verify devfs.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# install -o root -g wheel -m 444 etc/defaults/rc.conf /etc/defaults/

Follow the steps described in the "Workaround" section, or reboot the
system.

3) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI. Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/10/                                                        r265122
releng/10.0/                                                      r265124
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3001>

The latest revision of this advisory is available at
<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:07.devfs.asc>
_______________________________________________
freebsd-announce@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-announce
To unsubscribe, send any mail to "freebsd-announce-unsubscribe@freebsd.org"

[USN-2185-1] Firefox vulnerabilities

==========================================================================
Ubuntu Security Notice USN-2185-1
April 29, 2014

firefox vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS
- Ubuntu 13.10
- Ubuntu 12.10
- Ubuntu 12.04 LTS

Summary:

Firefox could be made to crash or run programs as your login if it
opened a malicious website.

Software Description:
- firefox: Mozilla Open Source web browser

Details:

Bobby Holley, Carsten Book, Christoph Diehl, Gary Kwong, Jan de Mooij,
Jesse Ruderman, Nathan Froyd, John Schoenick, Karl Tomlinson, Vladimir
Vukicevic and Christian Holler discovered multiple memory safety issues in
Firefox. If a user were tricked into opening a specially crafted website,
an attacker could potentially exploit these to cause a denial of service
via application crash, or execute arbitrary code with the privileges of
the user invoking Firefox. (CVE-2014-1518, CVE-2014-1519)

An out of bounds read was discovered in Web Audio. An attacker could
potentially exploit this to cause a denial of service via application crash
or execute arbitrary code with the privileges of the user invoking
Firefox. (CVE-2014-1522)

Abhishek Arya discovered an out of bounds read when decoding JPG images.
An attacker could potentially exploit this to cause a denial of service
via application crash. (CVE-2014-1523)

Abhishek Arya discovered a buffer overflow when a script uses a non-XBL
object as an XBL object. An attacker could potentially exploit this to
execute arbitrary code with the privileges of the user invoking Firefox.
(CVE-2014-1524)

Abhishek Arya discovered a use-after-free in the Text Track Manager when
processing HTML video. An attacker could potentially exploit this to cause
a denial of service via application crash or execute arbitrary code with
the privileges of the user invoking Firefox. (CVE-2014-1525)

Jukka Jylänki discovered an out-of-bounds write in Cairo when working
with canvas in some circumstances. An attacker could potentially exploit
this to cause a denial of service via application crash or execute
arbitrary code with the privileges of the user invoking Firefox.
(CVE-2014-1528)

Mariusz Mlynski discovered that sites with notification permissions can
run script in a privileged context in some circumstances. An attacker
could exploit this to execute arbitrary code with the privileges of the
user invoking Firefox. (CVE-2014-1529)

It was discovered that browser history navigations could be used to load
a site with the addressbar displaying the wrong address. An attacker could
potentially exploit this to conduct cross-site scripting or phishing
attacks. (CVE-2014-1530)

A use-after-free was discovered when resizing images in some
circumstances. An attacker could potentially exploit this to cause a
denial of service via application crash or execute arbitrary code with the
privileges of the user invoking Firefox. (CVE-2014-1531)

Christian Heimes discovered that NSS did not handle IDNA domain prefixes
correctly for wildcard certificates. An attacker could potentially exploit
this by using a specially crafted certificate to conduct a man-in-the-middle
attack. (CVE-2014-1492)

Tyson Smith and Jesse Schwartzentruber discovered a use-after-free during
host resolution in some circumstances. An attacker could potentially
exploit this to cause a denial of service via application crash or execute
arbitrary code with the privileges of the user invoking Firefox.
(CVE-2014-1532)

Boris Zbarsky discovered that the debugger bypassed XrayWrappers for some
objects. If a user were tricked into opening a specially crafted website
whilst using the debugger, an attacker could potentially exploit this to
execute arbitrary code with the privileges of the user invoking Firefox.
(CVE-2014-1526)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS:
firefox 29.0+build1-0ubuntu0.14.04.2

Ubuntu 13.10:
firefox 29.0+build1-0ubuntu0.13.10.3

Ubuntu 12.10:
firefox 29.0+build1-0ubuntu0.12.10.3

Ubuntu 12.04 LTS:
firefox 29.0+build1-0ubuntu0.12.04.2

After a standard system update you need to restart Firefox to make
all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2185-1
CVE-2014-1492, CVE-2014-1518, CVE-2014-1519, CVE-2014-1522,
CVE-2014-1523, CVE-2014-1524, CVE-2014-1525, CVE-2014-1526,
CVE-2014-1528, CVE-2014-1529, CVE-2014-1530, CVE-2014-1531,
CVE-2014-1532, https://launchpad.net/bugs/1313464

Package Information:
https://launchpad.net/ubuntu/+source/firefox/29.0+build1-0ubuntu0.14.04.2
https://launchpad.net/ubuntu/+source/firefox/29.0+build1-0ubuntu0.13.10.3
https://launchpad.net/ubuntu/+source/firefox/29.0+build1-0ubuntu0.12.10.3
https://launchpad.net/ubuntu/+source/firefox/29.0+build1-0ubuntu0.12.04.2

[arch-announce] screen-4.2.1 cannot reattach older instances either

Gaetan Bisson wrote:

Upstream improvements in screen-4.2.1 will make users unable to reattach
instances created with version 4.2.0 or older. Please upgrade to screen-4.2.1-2
only when they are unneeded. Apologies again for the inconvenience.

URL: https://www.archlinux.org/news/screen-421-cannot-reattach-older-instances-either/
_______________________________________________
arch-announce mailing list
arch-announce@archlinux.org
https://mailman.archlinux.org/mailman/listinfo/arch-announce

[CentOS-announce] CEBA-2014:0444 CentOS 5 openscap Update

CentOS Errata and Bugfix Advisory 2014:0444

Upstream details at : https://rhn.redhat.com/errata/RHBA-2014-0444.html

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )




--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net

_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
http://lists.centos.org/mailman/listinfo/centos-announce

F21 Self Contained Change: LVM Cache Logical Volumes

= Proposed Self Contained Change: LVM Cache Logical Volumes =
https://fedoraproject.org/wiki/Changes/Cache_Logical_Volumes

Change owner(s): Alasdair G. Kergon <agk@redhat.com>, David Cantrell
<dcantrel@redhat.com>, Dave Lehman <dlehman@fedoraproject.org>

LVM can now use fast block devices (e.g. SSDs and PCIe Flash) to improve the
performance of larger but slower block devices. These hierarchical or layered
logical volumes are called Cache Logical Volumes in LVM.

== Detailed Description ==
LVM is now capable of using fast block devices (e.g. SSDs) as write-back or
write-through caches for larger slower block devices. Users can create cache
logical volumes to improve the performance of their existing logical volumes
or create new cache logical volumes composed of a small and fast device
coupled with a large and slow device. These cache logical volumes can be used
with most LVM segment types, including RAID 1/4/5/6/10, linear, stripe and
thin pools.

== Scope ==
* Proposal owners:
The LVM team must deliver the lvm2 package implementing cache LV (already
included in release 2.02.106)

* Other developers: N/A (not a System Wide Change)
The Anaconda team must develop a UI for configuring cache LVs during
installation. If Anaconda support is not provided, users will have to
configure cache LVs after installation or by dropping into a command line.
Also, Anaconda could fail if installing a new OS onto an existing cache LV if
support is not provided.

Anaconda team signed as co-owners of this Change.

The dracut team must provide boot support. If dracut does not provide
support, cache LVs will not be usable as root devices.

* Release engineering: N/A (not a System Wide Change)
* Policies and guidelines: N/A (not a System Wide Change)
_______________________________________________
devel-announce mailing list
devel-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel-announce

F21 Self Contained Change: Docker Cloud Image

= Proposed Self Contained Change: Docker Cloud Image =
https://fedoraproject.org/wiki/Changes/Docker_Cloud_Image

Change owner(s): Cloud SIG / Sandro Mathys <red@fedoraproject.org>

New Fedora product: Fedora Docker Cloud Image - Docker host ready to go.

== Detailed Description ==
Fedora Cloud agreed to make a base image plus several tailored to specific
purposes. This is one of the tailored ones — Docker host ready to go. While
basically that simply means only just adding docker-io to the base image, this
is (also) intended to be our response to CoreOS. Therefore, depending on
further discussion and user input, we might also add etcd [1] and fleet [2] to
the mix.

Furthermore, the Cloud SIG considers this their most radical image, riding the
very front of the leading edge. (Yeehaw!) Several approaches (read: bonus
objectives) are under consideration but not crucial to the product itself:

* Fedora Atomic Initiative [3] (aka rpm-ostree) to allow for atomic updates.
We might further choose to remove yum/dnf from the image in favor of ostree.
* Replace cloud-init with min-metadata-service, CoreOS' cloud-init or other
alternatives. We'd like to find a leaner solution (read: less Requires) and
one that is better (or easier) tailored to Fedora.
* Remove Python from this image to reduce the footprint. Note, that this can
only be achieved if yum/dnf AND cloud-init are replaced by other solutions as
explained in the above points.

It should be noted that most of these tools are currently under heavy
construction but might be ready in time. If they are, it's still up to
discussion whether they will be included. If they aren't, we might punt them
to F22 or later. Either way, they won't impact the completion of this change's
main goals and are only listed for completeness' sake.

== Scope ==
* Proposal owners: Regarding the core objective, it's just about creating a
new kickstart file (probably even %include-ing the base one), adding some minor
stuff and making sure it gets built into a new image. Also, for added security,
we'd like to see Docker and SELinux integrate better. There's already work
going on about this.
** The bonus objectives (i.e. leading edge approaches) further require:
*** ostree to work with SELinux
*** Creating a filesystem tree for ostree that equals the filesystem of the
image as created by traditional means
*** min-metadata-service to gain the ability to execute scripts just like
cloud-init does
*** CoreOS' cloud-init or other alternatives to be packages (and possibly
tailored) for Fedora

* Other developers: N/A (not a System Wide Change)
* Release engineering: N/A (not a System Wide Change)
* Policies and guidelines: N/A (not a System Wide Change)

[1] https://github.com/coreos/etcd
[2] https://github.com/coreos/fleet
[3] http://rpm-ostree.cloud.fedoraproject.org/
_______________________________________________
devel-announce mailing list
devel-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel-announce

F21 System Wide Change: Default Local DNS Resolver

= Proposed System Wide Change: Default Local DNS Resolver =
https://fedoraproject.org/wiki/Changes/Default_Local_DNS_Resolver

Change owner(s): P J P <pjp@fedoraproject.org>, Pavel Šimerda
<pavlix@pavlix.net>, Tomas Hozza <thozza@redhat.com>

To install a local DNS resolver trusted for the DNSSEC validation running on
127.0.0.1:53. This must be the only name server entry in /etc/resolv.conf.

The automatic name server entries received via dhcp/vpn/wireless
configurations should be stored separately, as transitory name servers to be
used by the trusted local resolver. In all cases, DNSSEC validation will be
done locally.

This change was submitted after the Submission deadline.

== Detailed Description ==
There are growing instances of discussions and debates about the need for a
trusted DNSSEC validating local resolver running on 127.0.0.1:53. There are
multiple reasons for having such a resolver, importantly security & usability.
Security & protection of user's privacy becomes paramount with the backdrop of
the increasingly snooping governments and service providers world wide.

People use Fedora on portable/mobile devices which are connected to diverse
networks as and when required. The automatic DNS configurations provided by
these networks are never trustworthy for DNSSEC validation, as currently there
is no way to establish such trust.

Apart from trust, these name servers are often known to be flaky and
unreliable, which only adds to the overall bad and at times even frustrating
user experience. In such a situation, having a trusted local DNS resolver not
only makes sense but is in fact badly needed. It has become a need of the
hour. (See: [1], [2], [3])

Going forward, as DNSSEC and IPv6 networks become more and more ubiquitous,
having a trusted local DNS resolver will not only be imperative but be
unavoidable, because it will perform the most important operation of
establishing trust between two parties.

All DNS literature strongly recommends it. And amongst all discussions and
debates about issues involved in establishing such trust, it is unanimously
agreed upon and accepted that having a trusted local DNS resolver is the best
solution possible. It'll simplify and facilitate a lot of other design decisions
and application development in future. (See: [1], [2], [3])

People:
* Petr Spacek
* Paul Wouters
* Simo Sorce
* Dmitri Pal
* Carlos O'Donell

== Scope ==
* Proposal owners: Proposal owners shall have to
** define the syntax and semantics for new configuration parameters/files.
** persuade and coordinate with the other package owners to incorporate new
changes/workflow in their applications.

* Other developers: (especially NetworkManager and the likes)
** would have to implement the new features/workflow for their applications
adhering to the new configurations and assuming the availability of the
'''trusted''' local DNS resolver.
** NetworkManager already has features & capability to support local DNS
resolvers. Though a few details are still under development, they are expected
to be realized in the near future. Please see [4]

* Release engineering:
** would have to ensure that trusted local DNS resolver is available
throughout the installation stage and the same is installed on all
installations including LiveCDs etc.

* Policies and guidelines:
** the chosen trusted DNS resolver package (e.g. dnsmasq or dnssec-trigger)
would have to ensure that their DNS resolver starts at boot time and works out
of the box without any user intervention.
** NetworkManager and others would have to be told to not tamper with the
local nameserver entries in '/etc/resolv.conf' and save the dynamic nameserver
entries in a separate configuration file.

[1] https://www.ietf.org/mail-archive/web/dane/current/msg06469.html
[2] https://www.ietf.org/mail-archive/web/dane/current/msg06658.html
[3] https://lists.fedoraproject.org/pipermail/devel/2014-April/197755.html
[4] https://lists.fedoraproject.org/pipermail/devel/2014-April/197848.html

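The resolver layout the proposal asks for (only 127.0.0.1 in /etc/resolv.conf, the network's servers kept aside as forwarders, validation done locally) is easy to get subtly wrong on a roaming laptop, so here is a set of shell checks for it. This is an added example, not code from the Fedora change proposal, NetworkManager or dnssec-trigger. It assumes the transient servers are stored one per line in a separate file and that the local resolver is unbound (the forward-zone syntax is unbound's); the resolv.conf, server list and dig output at the bottom are constructed samples, not captures from a real host.

```shell
#!/bin/sh
# Added example (not part of the Fedora proposal). Checks for the
# "trusted local resolver on 127.0.0.1:53" layout:
#   - /etc/resolv.conf names only the local resolver,
#   - servers learned via DHCP/VPN live in a separate file and are used
#     only as forwarders,
#   - answers are validated locally (AD flag set by the resolver we trust).
# Assumptions (ours): one transient server per line in the separate file,
# and unbound as the local resolver. Sample inputs below are constructed.

# resolv_conf_ok: read a resolv.conf on stdin; succeed only if it has
# exactly one nameserver entry and that entry is 127.0.0.1. Any other
# entry lets applications bypass the validating resolver entirely.
resolv_conf_ok() {
    rc_conf=$(cat)
    rc_count=$(printf '%s\n' "$rc_conf" |
        grep -c '^[[:space:]]*nameserver[[:space:]]' || :)
    [ "${rc_count:-0}" -eq 1 ] || return 1
    printf '%s\n' "$rc_conf" |
        grep -q '^[[:space:]]*nameserver[[:space:]]\{1,\}127\.0\.0\.1[[:space:]]*$'
}

# forward_zone: read the transient server list on stdin (comments and blank
# lines ignored) and emit an unbound forward-zone stanza. The network's
# servers only relay queries; the DNSSEC trust anchor stays local.
forward_zone() {
    printf 'forward-zone:\n    name: "."\n'
    sed -e 's/#.*//' -e 's/[[:space:]]//g' |
        grep -E '^[0-9]+(\.[0-9]+){3}$|^[0-9A-Fa-f:]*:[0-9A-Fa-f:]*$' |
        while read -r ip; do
            printf '    forward-addr: %s\n' "$ip"
        done
}

# dnssec_validated: read dig output on stdin; succeed if the flags line
# carries "ad" (authenticated data), i.e. the resolver that answered did
# the validation itself. Live use, once resolv_conf_ok passes:
#   dig +dnssec fedoraproject.org @127.0.0.1 | dnssec_validated
dnssec_validated() {
    grep -qE '^;; flags:( [a-z]+)* ad[ ;]'
}

# --- constructed sample inputs -------------------------------------------
GOOD_RESOLV='# Generated by NetworkManager
nameserver 127.0.0.1'
BAD_RESOLV='nameserver 127.0.0.1
nameserver 10.0.0.1'
TRANSIENT='# servers learned from wlan0 via DHCP, kept out of resolv.conf
10.0.0.1
2001:db8::53'
DIG_VALIDATED=';; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
DIG_UNVALIDATED=';; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

if printf '%s\n' "$GOOD_RESOLV" | resolv_conf_ok; then
    echo "good resolv.conf: only the local resolver is listed"
fi
if ! printf '%s\n' "$BAD_RESOLV" | resolv_conf_ok; then
    echo "bad resolv.conf: an untrusted nameserver is present"
fi

echo "unbound stanza built from the transient server list:"
printf '%s\n' "$TRANSIENT" | forward_zone

if printf '%s\n' "$DIG_VALIDATED" | dnssec_validated; then
    echo "dig output 1: answer was DNSSEC-validated (AD set)"
fi
if ! printf '%s\n' "$DIG_UNVALIDATED" | dnssec_validated; then
    echo "dig output 2: no AD flag, answer not validated"
fi
```

The AD flag is only meaningful when the query really went to 127.0.0.1: a network resolver can set AD too, and nothing on the client verifies that claim. That is why the resolv.conf check comes first and rejects any second nameserver line rather than merely warning about it.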

[USN-2184-1] Unity vulnerabilities

==========================================================================
Ubuntu Security Notice USN-2184-1
April 29, 2014

unity vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS

Summary:

The Unity lock screen could be bypassed.

Software Description:
- unity: Interface designed for efficiency of space and interaction.

Details:

Frédéric Bardy discovered that Unity incorrectly filtered keyboard
shortcuts when the screen was locked. A local attacker could possibly use
this issue to run commands, and unlock the current session.

Giovanni Mellini discovered that Unity could display the Dash in certain
conditions when the screen was locked. A local attacker could possibly use
this issue to run commands, and unlock the current session.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS:
unity 7.2.0+14.04.20140423-0ubuntu1.1

After a standard system update you need to restart your session to make all
the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2184-1
https://launchpad.net/bugs/1308850, https://launchpad.net/bugs/1313885

Package Information:
https://launchpad.net/ubuntu/+source/unity/7.2.0+14.04.20140423-0ubuntu1.1

F21 System Wide Change: Wayland

= Proposed System Wide Change: Wayland =
https://fedoraproject.org/wiki/Changes/Wayland

Change owner(s): Matthias Clasen and the desktop team <mclasen@redhat.com,
desktop@lists.fedoraproject.org>

Port the GNOME desktop to Wayland.

== Detailed Description ==
GNOME is being ported to Wayland. In particular GNOME shell is changed to run
as a Wayland compositor instead of an X11 compositor. Other components of
GNOME that currently talk directly to the X server, such as gnome-settings-
daemon or gnome-control-center, will be ported to corresponding Wayland
interfaces. Many GTK+ applications will just work, using the existing Wayland
backend. Applications that make use of X-specific APIs will be supported with
the xwayland X server, which is started on demand. gdm will be changed to
support both Wayland-based sessions and X-based sessions.

This change is targeted at F21. For F20, we aim to have an experimental
GNOME shell Wayland compositor available, without necessarily having all the
surrounding desktop infrastructure ported. To avoid destabilizing the X
compositor, mutter will ship two separate libraries, and gnome-shell will ship
two binaries that will link against them. Concretely, we plan to have a
separate mutter-wayland package.

For more details, see this page [1].

== Scope ==
* Proposal owners:
** Port GNOME shell to be a Wayland compositor
** Implement Wayland equivalents for X11 APIs such as XRANDR, XI2 and
accessibility features
** Port gnome-settings-daemon, gnome-control-center, gnome-desktop from X11
APIs to Wayland equivalents
** Enable gdm to launch Wayland sessions
** Complete the GTK+ Wayland backend to be on par with the X11 backend
** Package mutter-wayland as a separate package review [2] (DONE)

* Other developers:
** The X team needs to improve xwayland to be good enough for all X11
applications - in practice this means we need X 1.16
** The X team needs to cooperate with us in reimplementing some X11 APIs
** The X team needs to package libevdev (DONE)
** The X team needs to package libinput (DONE)
** It is not necessary for all spins or all desktop environments in Fedora to
switch to Wayland at the same time (or ever)

* Release engineering:
** No tasks anticipated

* Policies and guidelines:
** Once we have a basic Wayland-based GNOME session, it would be good to
encourage testers and packagers to test their applications under Wayland
** For applications that are known not to work under Wayland, we will need
guidelines for how to ensure that they will transparently run under xwayland

[1] https://wiki.gnome.org/ThreePointNine/Features/WaylandSupport
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1007445

F21 System Wide Change: Application Installer Continued

= Proposed System Wide Change: Application Installer Continued =
https://fedoraproject.org/wiki/Changes/AppInstallerContinued

Change owner(s): Richard Hughes for the implementation, Ryan Lerch and Allan
Day for the design <rhughes@redhat.com>

Fully integrate the new application installer with Fedora, and complete its
feature set.

== Detailed Description ==
gnome-software will support installing system add-ons such as fonts and
codecs. It will show additional metadata for applications: screenshots,
ratings, other details. We will also work with the Fedora infrastructure team
to obtain the metadata online for all applications instead of shipping it
statically for a limited set.

The metadata for applications needs to be expanded and its quality monitored.
Screenshots need to be taken or updated.

The update monitoring and downloading functionality will be moved from the
gnome-settings-daemon updates plugin into gnome-software. To implement this,
gnome-software will be turned into a session service, and the updates plugin
will be removed from gnome-settings-daemon.

A gnome-shell search provider will offer installable applications as search
results.

gnome-software will allow customizing the app folders that are displayed in
the gnome-shell app picker.

We will switch to using the hawkey PackageKit backend.

We also want to try to integrate Fedora accounts for collecting ratings and
installed package lists, but this requires coordination with the Fedora
infrastructure team.

The priorities for gnome-software 3.12 are also tracked upstream [1].

== Scope ==
* Proposal owners:
** Add add-on support (DONE)
** Display additional metadata in details page (DONE)
** Implement a GNOME shell search provider (DONE)
** Turn gnome-software into a session service and take over updates plugin
functionality (DONE)
** Implement app folder configuration (DONE)
** Turn search into search-as-you-type
** Implement Fedora account integration
** Replace old gnome-packagekit package installation dialogs (DONE)
** Switch PackageKit to use the hawkey backend (DONE)

* Infrastructure:
** Extract metadata and icons when building packages in koji [2]
** Make metadata available for packaged applications in Fedora
** Make application icons available
** Make application screenshots available
** Make it possible to create Fedora accounts from the client-side
** Allow storing a small amount of per-user data for users with a Fedora account

* Application packagers
** Add application metadata to their packages, ideally sending it upstream

* Marketing, documentation
** Assist with review and quality control of application metadata
** Assist with selecting featured applications

* Policies and guidelines:
** We want to use the hawkey backend in PackageKit while the default
commandline utility is still yum; this kind of separation was rejected by
Fesco in the past for zif, will need to ask again (DONE, approved
conditionally)
** The packaging guidelines for applications should be updated to require
application metadata in addition to a desktop file
** The update experience will also benefit from proposed changes to batch
updates, but batched updates are not a strict requirement for the new app
installer

[1] https://wiki.gnome.org/Apps/Software#Priorities_.26_Plans
[2] https://fedorahosted.org/rel-eng/ticket/5721 rel-eng ticket