Friday, July 31, 2015
[FreeBSD-Announce] FreeBSD 8.4 and 8-STABLE end-of-life
Dear FreeBSD community,
FreeBSD 8.4 and 8-STABLE have reached their end-of-life and will no longer be
supported by the FreeBSD Security Team. Users of FreeBSD 8.x are strongly
encouraged to upgrade to a newer release as soon as possible.
The currently supported branches and releases and their expected
end-of-life dates are:
+-----------+------------+--------+------------------+-----------------------+
| Branch    | Release    | Type   | Release Date     | Estimated EoL         |
+-----------+------------+--------+------------------+-----------------------+
|stable/9   |n/a         |n/a     |n/a               |last release + 2 years |
+-----------+------------+--------+------------------+-----------------------+
|releng/9.3 |9.3-RELEASE |Extended|July 16, 2014     |December 31, 2016      |
+-----------+------------+--------+------------------+-----------------------+
|stable/10  |n/a         |n/a     |n/a               |last release + 2 years |
+-----------+------------+--------+------------------+-----------------------+
|releng/10.1|10.1-RELEASE|Extended|November 14, 2014 |December 31, 2016      |
+-----------+------------+--------+------------------+-----------------------+
Please refer to https://security.freebsd.org/ for an up-to-date list of
supported releases and the latest security advisories.
--
Xin Li
FreeBSD Security Officer
_______________________________________________
freebsd-announce@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-announce
To unsubscribe, send any mail to "freebsd-announce-unsubscribe@freebsd.org"
[FreeBSD-Announce] vBSDcon: September 11 - 13, 2015
vBSDcon is a technical conference for the various BSD communities that is hosted by Verisign for users and developers of BSD-based systems. vBSDcon 2015 is being held in Reston, VA from September 11 - 13, 2015 at the Sheraton Reston hotel. vBSDcon is an ideal event for systems and network administrators, developers, and engineers with a focus on BSD-based technologies. The early bird registration rate of $75.00 is available through August 13, 2015 at vBSDcon.com.
The vBSDcon program is a single-track conference with plenary talks and unconference activities such as Birds of a Feather sessions and Lightning Talks. As a bonus, we are hosting The FreeBSD Foundation to operate a one-day FreeBSD Developer's Summit on September 11, 2015. Speakers from across North America and Europe will cover the topics below during plenary sessions:
FreeBSD Virtualization Options by Michael Dexter
Made to Measure: Network Performance Analysis in FreeBSD by George Neville-Neil and Jim Thompson
What is EdgeBSD by Pierre Pronchery
Blacklist'd: A NetBSD project by Christos Zoulas
getdns, A New Stub Resolver by Willem Toorop
Interesting Things You Didn't Know You Could Do With ZFS by Allan Jude
HardenedBSD Internals by Shawn Webb
Improving MemGuard support for UMA on FreeBSD by Chang-Hsien Tsai
Devio.us, the Free OpenBSD Shell Provider and Online BSD User Group: Technical and Social Lessons Learned from Half a Decade of Service by Brian Callahan and Bryce Chidester
vBSDcon provides space for a hacker lounge and doc sprint open to all BSD communities, including, but not limited to, FreeBSD, OpenBSD and NetBSD. The space is unmoderated, so you can set up there after the daily conference activities conclude to work on your projects or documentation while away from the office.
We'd like to give a big shout out to all of our sponsors up to this point who have invested in you as a community...
Platinum Sponsor: XinuOS
Developer's Summit Sponsor: The FreeBSD Foundation
Gold Sponsor: Cisco Talos Security
Mid-Conference Social Sponsor: iXsystems, Inc
Tote Bag Sponsor: RootBSD
Silver Sponsor: Daemon Security
Sponsorship opportunities are still available. Organizations interested in supporting the event and community are encouraged to contact us at vBSDcon@verisign.com.
--
Vincent (Rick) Miller
Systems Engineer
vmiller@verisign.com
t: 703-948-4395 m: 703-581-3068
12061 Bluemont Way, Reston, VA 20190
http://www.vbsdcon.com
http://www.verisigninc.com
Thursday, July 30, 2015
[USN-2701-1] Linux kernel (Trusty HWE) vulnerabilities
==========================================================================
Ubuntu Security Notice USN-2701-1
July 31, 2015
linux-lts-trusty vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
Summary:
Several security issues were fixed in the kernel.
Software Description:
- linux-lts-trusty: Linux hardware enablement kernel from Trusty
Details:
Andy Lutomirski discovered a flaw in the Linux kernel's handling of nested
NMIs (non-maskable interrupts). An unprivileged local user could exploit
this flaw to cause a denial of service (system crash) or potentially
escalate their privileges. (CVE-2015-3290)
Andy Lutomirski discovered a flaw that allows a user to cause the Linux
kernel to ignore some NMIs (non-maskable interrupts). A local unprivileged
user could exploit this flaw to potentially cause the system to miss
important NMIs resulting in unspecified effects. (CVE-2015-3291)
Andy Lutomirski and Petr Matousek discovered that an NMI (non-maskable
interrupt) that interrupts userspace and encounters an IRET fault is
incorrectly handled by the Linux kernel. An unprivileged local user could
exploit this flaw to cause a denial of service (kernel OOPs), corruption,
or potentially escalate privileges on the system. (CVE-2015-5157)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
linux-image-3.13.0-61-generic 3.13.0-61.100~precise1
linux-image-3.13.0-61-generic-lpae 3.13.0-61.100~precise1
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.
References:
http://www.ubuntu.com/usn/usn-2701-1
CVE-2015-3290, CVE-2015-3291, CVE-2015-5157
Package Information:
https://launchpad.net/ubuntu/+source/linux-lts-trusty/3.13.0-61.100~precise1
[USN-2700-1] Linux kernel vulnerabilities
==========================================================================
Ubuntu Security Notice USN-2700-1
July 31, 2015
linux vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in the kernel.
Software Description:
- linux: Linux kernel
Details:
Andy Lutomirski discovered a flaw in the Linux kernel's handling of nested
NMIs (non-maskable interrupts). An unprivileged local user could exploit
this flaw to cause a denial of service (system crash) or potentially
escalate their privileges. (CVE-2015-3290)
Andy Lutomirski discovered a flaw that allows a user to cause the Linux
kernel to ignore some NMIs (non-maskable interrupts). A local unprivileged
user could exploit this flaw to potentially cause the system to miss
important NMIs resulting in unspecified effects. (CVE-2015-3291)
Andy Lutomirski and Petr Matousek discovered that an NMI (non-maskable
interrupt) that interrupts userspace and encounters an IRET fault is
incorrectly handled by the Linux kernel. An unprivileged local user could
exploit this flaw to cause a denial of service (kernel OOPs), corruption,
or potentially escalate privileges on the system. (CVE-2015-5157)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS:
linux-image-3.13.0-61-generic 3.13.0-61.100
linux-image-3.13.0-61-generic-lpae 3.13.0-61.100
linux-image-3.13.0-61-lowlatency 3.13.0-61.100
linux-image-3.13.0-61-powerpc-e500 3.13.0-61.100
linux-image-3.13.0-61-powerpc-e500mc 3.13.0-61.100
linux-image-3.13.0-61-powerpc-smp 3.13.0-61.100
linux-image-3.13.0-61-powerpc64-emb 3.13.0-61.100
linux-image-3.13.0-61-powerpc64-smp 3.13.0-61.100
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.
References:
http://www.ubuntu.com/usn/usn-2700-1
CVE-2015-3290, CVE-2015-3291, CVE-2015-5157
Package Information:
https://launchpad.net/ubuntu/+source/linux/3.13.0-61.100
[CentOS-announce] CEBA-2015:1521 CentOS 7 less FASTTRACK BugFix Update
Upstream details at : https://rhn.redhat.com/errata/RHBA-2015-1521.html
The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )
x86_64:
94999b90a6ce0c291b86d07ffbd4400409c783b846b65d5c874667dc8938c492 less-458-9.el7.x86_64.rpm
Source:
cedc1c32bdf9f66401ceba704a168d2bdeae6d6671b1627bd51e1e1696a1c949 less-458-9.el7.src.rpm
--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
http://lists.centos.org/mailman/listinfo/centos-announce
[CentOS-announce] CESA-2015:1526 Important CentOS 5 java-1.6.0-openjdk Security Update
Upstream details at : https://rhn.redhat.com/errata/RHSA-2015-1526.html
The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )
i386:
11a2635ffab652c45c63ac6aa128866507d5aa53d04ad7030b839f31c6a5f4df java-1.6.0-openjdk-1.6.0.36-1.13.8.1.el5_11.i386.rpm
7597882cfdaf40f21aca2a6af73aedd1ac1bce73e18a316d6db23d56a40f44c6 java-1.6.0-openjdk-demo-1.6.0.36-1.13.8.1.el5_11.i386.rpm
a6ceae2f7957675fb06d209fe703019069257c1c31a48a7abf09b8933858077a java-1.6.0-openjdk-devel-1.6.0.36-1.13.8.1.el5_11.i386.rpm
94ec650562cec44847914ce52fb88a83937a8646ac58093aacbb89cc44200580 java-1.6.0-openjdk-javadoc-1.6.0.36-1.13.8.1.el5_11.i386.rpm
b44c48cbff3a0eb0fc713ff4bd5624cce7aa5abafa54bdd2994026f57c3542d4 java-1.6.0-openjdk-src-1.6.0.36-1.13.8.1.el5_11.i386.rpm
x86_64:
9d896fe3912a3feef0f0806d8ba0231beec02ecaaff0dd3062228c694a94acab java-1.6.0-openjdk-1.6.0.36-1.13.8.1.el5_11.x86_64.rpm
e5e5f98447cde6cf42dec41b2012ce03a2c4da60d149b2172f7bc594d3aeeb28 java-1.6.0-openjdk-demo-1.6.0.36-1.13.8.1.el5_11.x86_64.rpm
91996692b0932c47d3d3f37707bfd3d5e119d9bf091940d810b650cbb0984ce3 java-1.6.0-openjdk-devel-1.6.0.36-1.13.8.1.el5_11.x86_64.rpm
1f4028f6cf0ea019a8d032e1860060e71939facfce1497574b2b4420829377ee java-1.6.0-openjdk-javadoc-1.6.0.36-1.13.8.1.el5_11.x86_64.rpm
105b064767a936c604222364891240945104958b0af6fdc013dbc474aa489b66 java-1.6.0-openjdk-src-1.6.0.36-1.13.8.1.el5_11.x86_64.rpm
Source:
a1823e46d30a1db8e7631e2a912f863f3bad7442db82f9d323dca26dc7cfa9d0 java-1.6.0-openjdk-1.6.0.36-1.13.8.1.el5_11.src.rpm
--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
[CentOS-announce] CESA-2015:1526 Important CentOS 7 java-1.6.0-openjdk Security Update
Upstream details at : https://rhn.redhat.com/errata/RHSA-2015-1526.html
The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )
x86_64:
5e91f94700cc94a8422277dcca5146e2f54a33547397d0b467e52e916ded811a java-1.6.0-openjdk-1.6.0.36-1.13.8.1.el7_1.x86_64.rpm
3e22027833fc703705aa7bbc9cb395733f2098320dc6538cd59bba7015d94745 java-1.6.0-openjdk-demo-1.6.0.36-1.13.8.1.el7_1.x86_64.rpm
7a3a1b5b8bcaf615fa3797b9c76660a11e6ecd8b43670a4da00d610fe7c32b1d java-1.6.0-openjdk-devel-1.6.0.36-1.13.8.1.el7_1.x86_64.rpm
a2753379c1c1e628a155cd2af93a1c44ef7a44d164ce39fdddef0c51dbb53ad6 java-1.6.0-openjdk-javadoc-1.6.0.36-1.13.8.1.el7_1.x86_64.rpm
a263d9da3f58f534699e226540180c7874fa38e7a60782a161902c1091e41eb8 java-1.6.0-openjdk-src-1.6.0.36-1.13.8.1.el7_1.x86_64.rpm
Source:
41b960e8e0cd7a4acd59a1750fcd2129c95a69a68e92d898ee613e1ae000fef8 java-1.6.0-openjdk-1.6.0.36-1.13.8.1.el7_1.src.rpm
--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
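The three CentOS notices above publish one SHA-256 digest per file and leave the check to the reader. The following Python, added here as an editorial example and not part of the CentOS announcements, parses such a "( sha256sum Filename )" listing, hashes downloaded files in chunks and reports OK, FAILED or MISSING for every listed file, so a file that never arrived cannot be silently skipped. The two digests are the "less" lines from the CentOS 7 notice; the package bytes and the "sample-constructed.rpm" entry are constructed, since the real RPMs are not available offline, so the "less" entries fail and only the constructed file passes.

```python
import hashlib
import hmac
from typing import Dict, Iterable

# Two lines copied from the CentOS 7 'less' announcement above, plus one
# constructed entry whose content we control so the OK path can be exercised.
CONSTRUCTED_CONTENT = b"constructed sample payload, not a real RPM\n"
ANNOUNCEMENT = f"""
The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )
x86_64:
94999b90a6ce0c291b86d07ffbd4400409c783b846b65d5c874667dc8938c492 less-458-9.el7.x86_64.rpm
Source:
cedc1c32bdf9f66401ceba704a168d2bdeae6d6671b1627bd51e1e1696a1c949 less-458-9.el7.src.rpm
{hashlib.sha256(CONSTRUCTED_CONTENT).hexdigest()} sample-constructed.rpm
"""


def parse_manifest(text: str) -> Dict[str, str]:
    """Pull '<64 hex digits> <filename>' pairs out of announcement text,
    ignoring prose and section headers such as 'x86_64:' or 'Source:'."""
    manifest: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if (len(parts) == 2 and len(parts[0]) == 64
                and all(c in "0123456789abcdef" for c in parts[0].lower())):
            manifest[parts[1]] = parts[0].lower()
    return manifest


def sha256_of(chunks: Iterable[bytes]) -> str:
    """Hash a file streamed in chunks, so large RPMs need not be held in memory."""
    h = hashlib.sha256()
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def verify_downloads(manifest: Dict[str, str], downloads: Dict[str, bytes]) -> Dict[str, str]:
    """Return a filename -> 'OK' | 'FAILED' | 'MISSING' map. Every file the
    announcement lists is accounted for; an absent file is reported, not skipped."""
    results: Dict[str, str] = {}
    for name, expected in manifest.items():
        data = downloads.get(name)
        if data is None:
            results[name] = "MISSING"
            continue
        actual = sha256_of(data[i:i + 65536] for i in range(0, len(data), 65536))
        results[name] = "OK" if hmac.compare_digest(actual, expected) else "FAILED"
    return results


def to_sha256sum_format(manifest: Dict[str, str]) -> str:
    """Render the manifest as 'sha256sum -c' input: digest, two spaces, filename."""
    return "".join(f"{digest}  {name}\n" for name, digest in manifest.items())


# Constructed downloads: the real RPM bytes are not available offline, so the
# 'less' binary entry fails, its source entry is missing, and the constructed one passes.
DOWNLOADS = {
    "less-458-9.el7.x86_64.rpm": b"not the real package",
    "sample-constructed.rpm": CONSTRUCTED_CONTENT,
}

if __name__ == "__main__":
    m = parse_manifest(ANNOUNCEMENT)
    for name, status in verify_downloads(m, DOWNLOADS).items():
        print(f"{status:8} {name}")
    print(to_sha256sum_format(m), end="")
```

The manifest renderer exists because the announcement's single-space format is not what `sha256sum -c` expects; feeding it the two-space form lets the stock tool do the same check on real mirrored files.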
[USN-2698-1] SQLite vulnerabilities
==========================================================================
Ubuntu Security Notice USN-2698-1
July 30, 2015
sqlite3 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 15.04
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary:
SQLite could be made to crash or run programs if it processed specially
crafted queries.
Software Description:
- sqlite3: C library that implements an SQL database engine
Details:
It was discovered that SQLite incorrectly handled skip-scan optimization.
An attacker could use this issue to cause applications using SQLite to
crash, resulting in a denial of service, or possibly execute arbitrary
code. This issue only affected Ubuntu 14.04 LTS. (CVE-2013-7443)
Michal Zalewski discovered that SQLite incorrectly handled dequoting of
collation-sequence names. An attacker could use this issue to cause
applications using SQLite to crash, resulting in a denial of service, or
possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS
and Ubuntu 15.04. (CVE-2015-3414)
Michal Zalewski discovered that SQLite incorrectly implemented comparison
operators. An attacker could use this issue to cause applications using
SQLite to crash, resulting in a denial of service, or possibly execute
arbitrary code. This issue only affected Ubuntu 15.04. (CVE-2015-3415)
Michal Zalewski discovered that SQLite incorrectly handled printf precision
and width values during floating-point conversions. An attacker could use
this issue to cause applications using SQLite to crash, resulting in a
denial of service, or possibly execute arbitrary code. (CVE-2015-3416)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 15.04:
libsqlite3-0 3.8.7.4-1ubuntu0.1
Ubuntu 14.04 LTS:
libsqlite3-0 3.8.2-1ubuntu2.1
Ubuntu 12.04 LTS:
libsqlite3-0 3.7.9-2ubuntu1.2
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-2698-1
CVE-2013-7443, CVE-2015-3414, CVE-2015-3415, CVE-2015-3416
Package Information:
https://launchpad.net/ubuntu/+source/sqlite3/3.8.7.4-1ubuntu0.1
https://launchpad.net/ubuntu/+source/sqlite3/3.8.2-1ubuntu2.1
https://launchpad.net/ubuntu/+source/sqlite3/3.7.9-2ubuntu1.2
[USN-2699-1] HPLIP vulnerability
==========================================================================
Ubuntu Security Notice USN-2699-1
July 30, 2015
hplip vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 15.04
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary:
HPLIP could be tricked into downloading a different GPG key when
performing printer plugin installations.
Software Description:
- hplip: HP Linux Printing and Imaging System (HPLIP)
Details:
Enrico Zini discovered that HPLIP used a short GPG key ID when downloading
keys from the keyserver. An attacker could possibly use this to return a
different key with a duplicate short key id and perform a man-in-the-middle
attack on printer plugin installations.
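Why a short key ID is not an identity: the following Python, an added example rather than HPLIP or Ubuntu code, builds a version-4 RSA public-key packet, derives its RFC 4880 fingerprint and shows that the short key ID is merely the last 32 bits of that 160-bit value. `keyserver_lookup` models a keyserver that returns every key whose fingerprint ends with the query, which is why a short-ID search can hand back more than one key, and `select_pinned_key` shows the fix: match the full pinned fingerprint before trusting anything. The RSA moduli are constructed integers, not real keys.

```python
import hashlib
import hmac
import struct
from typing import List, Optional


def _mpi(value: int) -> bytes:
    """OpenPGP multiprecision integer: 2-octet bit length, then big-endian bytes."""
    bitlen = value.bit_length()
    return struct.pack(">H", bitlen) + value.to_bytes((bitlen + 7) // 8, "big")


def v4_rsa_public_key_body(n: int, e: int, created: int) -> bytes:
    """Body of a version-4 RSA public-key packet (RFC 4880, 5.5.2):
    version 4, 4-octet creation time, algorithm 1 (RSA), MPI n, MPI e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + _mpi(n) + _mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880, 12.2: the v4 fingerprint is SHA-1 over 0x99, the two-octet
    packet length and the public-key packet body: 160 bits, 40 hex digits."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def long_key_id(fingerprint: str) -> str:
    """The 64-bit key ID is the low 8 octets of the fingerprint."""
    return fingerprint[-16:]


def short_key_id(fingerprint: str) -> str:
    """The 32-bit 'short' key ID is the low 4 octets: only 2^32 possibilities,
    so a second key with the same short ID is within brute-force reach."""
    return fingerprint[-8:]


def keyserver_lookup(keyring: List[bytes], query: str) -> List[bytes]:
    """Model of a keyserver answer: every key whose fingerprint ENDS with the
    query (short ID, long ID or full fingerprint) is returned, so a short-ID
    query may legitimately return several keys."""
    q = query.upper().replace(" ", "")
    return [body for body in keyring if v4_fingerprint(body).endswith(q)]


def select_pinned_key(candidates: List[bytes], pinned_fingerprint: str) -> Optional[bytes]:
    """Pick the candidate whose full fingerprint matches the pinned one; an
    installer should refuse to proceed when this returns None."""
    pinned = pinned_fingerprint.upper().replace(" ", "")
    for body in candidates:
        if hmac.compare_digest(v4_fingerprint(body), pinned):
            return body
    return None


# Constructed keys: the moduli are arbitrary 2048-bit odd integers, not real RSA
# keys, which is enough to exercise packet encoding and fingerprinting.
GENUINE_KEY = v4_rsa_public_key_body(n=(1 << 2047) | 0x1235, e=65537, created=1438300800)
IMPOSTOR_KEY = v4_rsa_public_key_body(n=(1 << 2047) | 0x1237, e=65537, created=1438300800)
PINNED_FINGERPRINT = v4_fingerprint(GENUINE_KEY)

if __name__ == "__main__":
    fp = PINNED_FINGERPRINT
    print("fingerprint :", fp)
    print("long key ID :", long_key_id(fp))
    print("short key ID:", short_key_id(fp), "(32 bits: the value a short-ID lookup keys on)")
    found = keyserver_lookup([GENUINE_KEY, IMPOSTOR_KEY], short_key_id(fp))
    print("keys returned for the short ID:", len(found))
    print("pinned fingerprint matched:", select_pinned_key(found, fp) is GENUINE_KEY)
```

The practical rule this encodes: pin and compare the whole 40-digit fingerprint, and treat a lookup that returns a key whose fingerprint differs from the pinned one as a failure, not as a key to import.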
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 15.04:
hplip-data 3.15.2-0ubuntu4.2
Ubuntu 14.04 LTS:
hplip-data 3.14.3-0ubuntu3.4
Ubuntu 12.04 LTS:
hplip-data 3.12.2-1ubuntu3.5
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-2699-1
CVE-2015-0839
Package Information:
https://launchpad.net/ubuntu/+source/hplip/3.15.2-0ubuntu4.2
https://launchpad.net/ubuntu/+source/hplip/3.14.3-0ubuntu3.4
https://launchpad.net/ubuntu/+source/hplip/3.12.2-1ubuntu3.5
[USN-2697-1] Ghostscript vulnerability
==========================================================================
Ubuntu Security Notice USN-2697-1
July 30, 2015
ghostscript vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 15.04
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary:
Ghostscript could be made to crash or run programs if it processed a
specially crafted file.
Software Description:
- ghostscript: PostScript and PDF interpreter
Details:
William Robinet and Stefan Cornelius discovered that Ghostscript did not
correctly handle certain Postscript files. If a user or automated system
were tricked into opening a specially crafted file, an attacker could cause
a denial of service or possibly execute arbitrary code.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 15.04:
libgs9 9.15+dfsg-0ubuntu2.1
Ubuntu 14.04 LTS:
libgs9 9.10~dfsg-0ubuntu10.4
Ubuntu 12.04 LTS:
libgs9 9.05~dfsg-0ubuntu4.3
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-2697-1
CVE-2015-3228
Package Information:
https://launchpad.net/ubuntu/+source/ghostscript/9.15+dfsg-0ubuntu2.1
https://launchpad.net/ubuntu/+source/ghostscript/9.10~dfsg-0ubuntu10.4
https://launchpad.net/ubuntu/+source/ghostscript/9.05~dfsg-0ubuntu4.3
[USN-2696-1] OpenJDK 7 vulnerabilities
==========================================================================
Ubuntu Security Notice USN-2696-1
July 30, 2015
openjdk-7 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 15.04
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in OpenJDK 7.
Software Description:
- openjdk-7: Open Source Java implementation
Details:
Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure, data integrity, and availability. An attacker
could exploit these to cause a denial of service or expose sensitive
data over the network. (CVE-2015-2590, CVE-2015-2628, CVE-2015-4731,
CVE-2015-4732, CVE-2015-4733, CVE-2015-4760, CVE-2015-4748)
Several vulnerabilities were discovered in the cryptographic components
of the OpenJDK JRE. An attacker could exploit these to expose sensitive
data over the network. (CVE-2015-2601, CVE-2015-2808, CVE-2015-4000,
CVE-2015-2625, CVE-2015-2613)
As a security improvement, this update modifies OpenJDK behavior to
disable RC4 TLS/SSL cipher suites by default.
As a security improvement, this update modifies OpenJDK behavior to
reject DH key sizes below 768 bits by default, preventing a possible
downgrade attack.
Several vulnerabilities were discovered in the OpenJDK JRE related
to information disclosure. An attacker could exploit these to expose
sensitive data over the network. (CVE-2015-2621, CVE-2015-2632)
A vulnerability was discovered with how the JNDI component of the
OpenJDK JRE handles DNS resolutions. A remote attacker could exploit
this to cause a denial of service. (CVE-2015-4749)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 15.04:
icedtea-7-jre-jamvm 7u79-2.5.6-0ubuntu1.15.04.1
openjdk-7-jdk 7u79-2.5.6-0ubuntu1.15.04.1
openjdk-7-jre 7u79-2.5.6-0ubuntu1.15.04.1
openjdk-7-jre-headless 7u79-2.5.6-0ubuntu1.15.04.1
openjdk-7-jre-lib 7u79-2.5.6-0ubuntu1.15.04.1
openjdk-7-jre-zero 7u79-2.5.6-0ubuntu1.15.04.1
Ubuntu 14.04 LTS:
icedtea-7-jre-jamvm 7u79-2.5.6-0ubuntu1.14.04.1
openjdk-7-jdk 7u79-2.5.6-0ubuntu1.14.04.1
openjdk-7-jre 7u79-2.5.6-0ubuntu1.14.04.1
openjdk-7-jre-headless 7u79-2.5.6-0ubuntu1.14.04.1
openjdk-7-jre-lib 7u79-2.5.6-0ubuntu1.14.04.1
openjdk-7-jre-zero 7u79-2.5.6-0ubuntu1.14.04.1
This update uses a new upstream release, which includes additional
bug fixes. After a standard system update you need to restart any
Java applications or applets to make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-2696-1
CVE-2015-2590, CVE-2015-2601, CVE-2015-2613, CVE-2015-2621,
CVE-2015-2625, CVE-2015-2628, CVE-2015-2632, CVE-2015-2808,
CVE-2015-4000, CVE-2015-4731, CVE-2015-4732,
CVE-2015-4733, CVE-2015-4748, CVE-2015-4749, CVE-2015-4760,
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/LogJam
Package Information:
https://launchpad.net/ubuntu/+source/openjdk-7/7u79-2.5.6-0ubuntu1.15.04.1
https://launchpad.net/ubuntu/+source/openjdk-7/7u79-2.5.6-0ubuntu1.14.04.1
[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-15:16.openssh [REVISED]
=============================================================================
FreeBSD-SA-15:16.openssh Security Advisory
The FreeBSD Project
Topic: OpenSSH multiple vulnerabilities
Category: contrib
Module: openssh
Announced: 2015-07-28, revised on 2015-07-30
Affects: All supported versions of FreeBSD.
Corrected: 2015-07-28 19:58:44 UTC (stable/10, 10.2-PRERELEASE)
2015-07-28 19:58:44 UTC (stable/10, 10.2-BETA2-p2)
2015-07-28 19:59:04 UTC (releng/10.2, 10.2-RC1-p1)
2015-07-28 19:59:11 UTC (releng/10.1, 10.1-RELEASE-p16)
2015-07-28 19:58:54 UTC (stable/9, 9.3-STABLE)
2015-07-28 19:59:22 UTC (releng/9.3, 9.3-RELEASE-p21)
2015-07-30 10:09:07 UTC (stable/8, 8.4-STABLE)
2015-07-30 10:09:31 UTC (releng/8.4, 8.4-RELEASE-p36)
CVE Name: CVE-2014-2653, CVE-2015-5600
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
0. Revision history
v1.0 2015-02-25 Initial release.
v1.1 2015-07-30 Revised patch for FreeBSD 8.x to address regression when
keyboard interactive authentication is used.
I. Background
OpenSSH is an implementation of the SSH protocol suite, providing an
encrypted and authenticated transport for a variety of services,
including remote shell access.
The security of the SSH connection relies on the server authenticating
itself to the client as well as the user authenticating itself to the
server. SSH servers use host keys to verify their identity.
RFC 4255 has defined a method of verifying SSH host keys using Domain
Name System Security (DNSSEC), by publishing the key fingerprint using
DNS with "SSHFP" resource record. RFC 6187 has defined methods to use
a signature by a trusted certification authority to bind a given public
key to a given digital identity with X.509v3 certificates.
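As an added example (not code from OpenSSH or the FreeBSD Project), the Python below builds the SSHFP record data that RFC 4255 describes for a host key and checks a presented key against a list of records; it is the same digest-over-the-key-blob construction that `ssh-keygen -r` publishes. The Ed25519 host keys are constructed from counting bytes and are not real keys; the algorithm and fingerprint-type numbers follow RFC 4255, RFC 6594 and RFC 7479. The record list stands in for answers a resolver has already validated with DNSSEC, which is the precondition for trusting them at all.

```python
import base64
import hashlib
import hmac
import struct
from typing import Iterable

# SSHFP algorithm numbers: 1 RSA, 2 DSA (RFC 4255), 3 ECDSA (RFC 6594),
# 4 Ed25519 (RFC 7479). Fingerprint types: 1 SHA-1, 2 SHA-256.
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
FPTYPE_SHA1 = 1
FPTYPE_SHA256 = 2
_DIGESTS = {FPTYPE_SHA1: hashlib.sha1, FPTYPE_SHA256: hashlib.sha256}


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string': uint32 big-endian length + payload."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_host_key(raw_public: bytes) -> str:
    """Build a host key line ('ssh-ed25519 <base64 blob>') from a 32-byte public
    value. Used here only to construct sample keys; a real one comes from
    /etc/ssh/ssh_host_ed25519_key.pub."""
    if len(raw_public) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw_public)
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii")


def _key_blob(host_key_line: str):
    keytype, b64 = host_key_line.split()[:2]
    return keytype, base64.b64decode(b64)


def sshfp_record(host_key_line: str, fptype: int = FPTYPE_SHA256) -> str:
    """Return the SSHFP RDATA ('<alg> <fptype> <hex digest>') for a host key line.
    The digest is taken over the decoded public key blob, as ssh-keygen -r does."""
    keytype, blob = _key_blob(host_key_line)
    digest = _DIGESTS[fptype](blob).hexdigest()
    return f"{SSHFP_ALGORITHMS[keytype]} {fptype} {digest}"


def host_key_matches_sshfp(host_key_line: str, records: Iterable[str]) -> bool:
    """Accept the presented host key only if a DNSSEC-validated SSHFP record of
    the same algorithm and a supported fingerprint type matches its digest.
    The client must run this on the bare host key even when the server also
    presents a certificate; skipping it in that case is the flaw described above."""
    keytype, blob = _key_blob(host_key_line)
    algo = SSHFP_ALGORITHMS.get(keytype)
    for rec in records:
        parts = rec.split()
        if len(parts) != 3 or not parts[0].isdigit() or not parts[1].isdigit():
            continue  # malformed record: ignore, never treat as a match
        r_algo, r_fptype, r_hex = int(parts[0]), int(parts[1]), parts[2].lower()
        if r_algo != algo or r_fptype not in _DIGESTS:
            continue
        if hmac.compare_digest(_DIGESTS[r_fptype](blob).hexdigest(), r_hex):
            return True
    return False


# Constructed sample keys (not real host keys): the 32-byte values are just
# counting bytes, enough to exercise the encoding and the check.
SAMPLE_HOST_KEY = make_ed25519_host_key(bytes(range(32)))
OTHER_HOST_KEY = make_ed25519_host_key(bytes(range(1, 33)))

if __name__ == "__main__":
    rec = sshfp_record(SAMPLE_HOST_KEY)
    print("publish in DNS:  host.example. IN SSHFP", rec)
    print("genuine key accepted:", host_key_matches_sshfp(SAMPLE_HOST_KEY, [rec]))
    print("other key accepted:  ", host_key_matches_sshfp(OTHER_HOST_KEY, [rec]))
```

A record whose algorithm number does not match the presented key type is skipped rather than compared, so an RSA record can never vouch for an Ed25519 key, and malformed records are ignored rather than treated as a match.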
The PAM (Pluggable Authentication Modules) library provides a flexible
framework for user authentication and session setup / teardown.
OpenSSH uses PAM for password authentication by default.
II. Problem Description
OpenSSH clients do not correctly verify DNS SSHFP records when a server
offers a certificate. [CVE-2014-2653]
OpenSSH servers which are configured to allow password authentication
using PAM (default) would allow many password attempts.
III. Impact
A malicious server may be able to force a connecting client to skip the DNS
SSHFP record check and require the user to perform manual verification of
the host key fingerprint. This could allow a man-in-the-middle attack if
the user does not carefully check the fingerprint. [CVE-2014-2653]
A remote attacker may effectively bypass MaxAuthTries settings, which would
enable them to brute force passwords. [CVE-2015-5600]
IV. Workaround
Systems that do not use OpenSSH are not affected.
There is no workaround for CVE-2014-2653, but the problem only affects
networks where DNSSEC and SSHFP are properly configured. Users who use
SSH should always check server host key fingerprints carefully when
prompted.
System administrators can set:
UsePAM no
in their /etc/ssh/sshd_config and restart the sshd service to work around
the problem described as CVE-2015-5600, at the expense of losing the
features provided by the PAM framework.
We recommend that system administrators disable password-based
authentication completely and use key-based authentication exclusively in
their SSH server configuration when possible. This eliminates any exposure
to password brute-force attacks.
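To check that a server actually has the workaround and the recommended key-only configuration in place, the following Python, added here and not part of the advisory, parses an sshd_config with sshd's own rules (keywords are case-insensitive, the first value for a keyword wins, everything after a Match line is conditional) and reports the settings that keep password guessing possible. Both configuration files are constructed; the defaults assumed for absent keywords are listed in ASSUMED_DEFAULTS and follow the sshd_config(5) of the period plus FreeBSD's shipped UsePAM yes, so adjust them if your build differs.

```python
import re
from typing import Dict, List

# Defaults assumed by this audit when a keyword is absent. They follow the
# sshd_config(5) of the period and FreeBSD's shipped 'UsePAM yes' (the
# advisory's "(default)"); adjust if your build differs.
ASSUMED_DEFAULTS = {
    "usepam": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
    "maxauthtries": "6",
}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective global settings of an sshd_config.

    sshd(8) rules honoured here: keywords are case-insensitive, '#' starts a
    comment, 'Keyword value' and 'Keyword=value' are both accepted, the FIRST
    value given for a keyword wins, and everything after the first 'Match'
    line is conditional, so the global view stops there.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)  # first occurrence wins, as in sshd
    return settings


def audit_sshd_config(text: str) -> List[str]:
    """Flag settings that leave the server open to password guessing."""
    cfg = parse_sshd_config(text)

    def value(key: str) -> str:
        return cfg.get(key, ASSUMED_DEFAULTS[key]).lower()

    findings: List[str] = []
    pam = value("usepam") == "yes"
    if pam and value("passwordauthentication") == "yes":
        findings.append("UsePAM yes with PasswordAuthentication yes: an unpatched sshd "
                        "can be driven past MaxAuthTries (CVE-2015-5600)")
    if pam and value("challengeresponseauthentication") == "yes":
        findings.append("ChallengeResponseAuthentication yes: PAM keyboard-interactive "
                        "prompts are enabled")
    if value("passwordauthentication") == "yes":
        findings.append("PasswordAuthentication yes: prefer key-based authentication only")
    if value("pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication disabled: no key-based alternative")
    try:
        if int(value("maxauthtries")) > 6:
            findings.append("MaxAuthTries above the default of 6")
    except ValueError:
        findings.append("MaxAuthTries is not a number")
    return findings


# Constructed configs (not from any real host). The later
# 'PasswordAuthentication no' in the weak file has no effect: first value wins.
WEAK_CONFIG = """
Port 22
UsePAM yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
MaxAuthTries 10
PasswordAuthentication no   # ignored by sshd: an earlier line already set it
"""

HARDENED_CONFIG = """
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no                    # the advisory's workaround for CVE-2015-5600
MaxAuthTries 3
Match Address 10.0.0.0/8     # conditional section; outside the global audit
    MaxAuthTries 6
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name + ":", audit_sshd_config(text) or ["no findings"])
```

The first-value-wins rule is the edge case worth remembering: an administrator who appends `PasswordAuthentication no` to the end of a file that already says `yes` has changed nothing, and the audit reports the file as still weak.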
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
SSH service has to be restarted after the update. A reboot is recommended
but not required.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
SSH service has to be restarted after the update. A reboot is recommended
but not required.
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 9.3, 10.1, 10.2]
# fetch https://security.FreeBSD.org/patches/SA-15:16/openssh.patch
# fetch https://security.FreeBSD.org/patches/SA-15:16/openssh.patch.asc
# gpg --verify openssh.patch.asc
[FreeBSD 8.4]
# fetch https://security.FreeBSD.org/patches/SA-15:16/openssh-8.patch
# fetch https://security.FreeBSD.org/patches/SA-15:16/openssh-8.patch.asc
# gpg --verify openssh-8.patch.asc
# fetch https://security.FreeBSD.org/patches/SA-15:16/openssh-8-errata.patc
# fetch https://security.FreeBSD.org/patches/SA-15:16/openssh-8-errata.patch.asc
# gpg --verify openssh-8-errata.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart the SSH service, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
-------------------------------------------------------------------------
stable/8/ r286067
releng/8.4/ r286068
stable/9/ r285977
releng/9.3/ r285980
stable/10/ r285976
releng/10.1/ r285979
releng/10.2/ r285978
-------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2653>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5600>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:16.openssh.asc>
Wednesday, July 29, 2015
F23 System Wide Change: DNF System Upgrades
https://fedoraproject.org/wiki/Changes/DNF_System_Upgrades
Change owner(s):
* Will Woods (fedup author)
* Zbigniew Jędrzejewski-Szmek (systemd developer)
* Radek Holy (DNF developer)
== Detailed Description ==
While fedup worked well in many circumstances, there were a lot of
problems resulting from using upgrade.img. This has caused nasty,
hard-to-debug blocker bugs for every release since it was introduced.
It turns out that upgrade.img was relying on some undocumented,
unsupported systemd behavior. After F22 this was discussed on the
systemd-devel mailing list, and the conclusion was that fedup's boot
behavior is broken by design, and systemd can't (and won't) continue to
support it.
systemd already supports a simpler, more reliable method for performing
Offline System Updates; the systemd team suggests using that to perform
system upgrades.
Most of the remaining problems with fedup were caused by the fact that
it was separate from the system packaging tools, and therefore had
slight (and confusing) differences from the normal package update
mechanisms.
Therefore, we propose that system upgrades should be handled by the
system packaging tools, using systemd's Offline System Updates facility.
dnf-plugin-fedup is a proof-of-concept implementation; we propose to
integrate support for this into DNF itself.
== Scope ==
Proposal owners:
Make DNF able to send progress output to Plymouth (basically done; see
dnf #281 and #313)
Modify Offline System Updates spec as needed to support major system
upgrades (in progress, see this systemd-devel thread)
Support Offline System Updates in DNF (dnf-plugin-fedup does this, but
it could be integrated into DNF itself)
Add plugin to dnf-plugins-core or dnf
Write man pages and other documentation
Obsolete and retire fedup
Other developers:
Fix any conflicts with packagekit-offline-update.service
In the unlikely event that some kind of offline system migration is
necessary (like UsrMove), it should be handled the same way as UsrMove
- i.e. by a dracut script that runs the first time the new system boots after the upgrade.
Release engineering:
Drop upgrade.img from image builds
Policies and guidelines:
FedUp, Upgrading, and other documentation will need changes
[USN-2695-1] HTML Tidy vulnerabilities
==========================================================================
Ubuntu Security Notice USN-2695-1
July 29, 2015
tidy vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 15.04
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary:
HTML Tidy could be made to crash or run programs if it processed specially
crafted data.
Software Description:
- tidy: HTML syntax checker and reformatter
Details:
Fernando Muñoz discovered that HTML Tidy incorrectly handled memory. If a
user or automated system were tricked into processing specially crafted
data, applications linked against HTML Tidy could be made to crash, leading
to a denial of service, or possibly execute arbitrary code.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 15.04:
libtidy-0.99-0 20091223cvs-1.4ubuntu0.1
Ubuntu 14.04 LTS:
libtidy-0.99-0 20091223cvs-1.2ubuntu1.1
Ubuntu 12.04 LTS:
libtidy-0.99-0 20091223cvs-1ubuntu2.1
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-2695-1
CVE-2015-5522, CVE-2015-5523
Package Information:
https://launchpad.net/ubuntu/+source/tidy/20091223cvs-1.4ubuntu0.1
https://launchpad.net/ubuntu/+source/tidy/20091223cvs-1.2ubuntu1.1
https://launchpad.net/ubuntu/+source/tidy/20091223cvs-1ubuntu2.1
[USN-2694-1] PCRE vulnerabilities
==========================================================================
Ubuntu Security Notice USN-2694-1
July 29, 2015
pcre3 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 15.04
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary:
PCRE could be made to crash or run programs if it processed a
specially-crafted regular expression.
Software Description:
- pcre3: Perl 5 Compatible Regular Expression Library
Details:
Michele Spagnuolo discovered that PCRE incorrectly handled certain regular
expressions. A remote attacker could use this issue to cause applications
using PCRE to crash, resulting in a denial of service, or possibly execute
arbitrary code. This issue only affected Ubuntu 14.04 LTS. (CVE-2014-8964)
Kai Lu discovered that PCRE incorrectly handled certain regular
expressions. A remote attacker could use this issue to cause applications
using PCRE to crash, resulting in a denial of service, or possibly execute
arbitrary code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 15.04.
(CVE-2015-2325, CVE-2015-2326)
Wen Guanxing discovered that PCRE incorrectly handled certain regular
expressions. A remote attacker could use this issue to cause applications
using PCRE to crash, resulting in a denial of service, or possibly execute
arbitrary code. This issue only affected Ubuntu 15.04. (CVE-2015-3210)
It was discovered that PCRE incorrectly handled certain regular
expressions. A remote attacker could use this issue to cause applications
using PCRE to crash, resulting in a denial of service, or possibly execute
arbitrary code. This issue only affected Ubuntu 12.04 LTS and 14.04 LTS.
(CVE-2015-5073)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 15.04:
libpcre3 2:8.35-3.3ubuntu1.1
Ubuntu 14.04 LTS:
libpcre3 1:8.31-2ubuntu2.1
Ubuntu 12.04 LTS:
libpcre3 8.12-4ubuntu0.1
After a standard system update you need to restart applications using PCRE,
such as the Apache HTTP server and Nginx, to make all the necessary
changes.
References:
http://www.ubuntu.com/usn/usn-2694-1
CVE-2014-8964, CVE-2015-2325, CVE-2015-2326, CVE-2015-3210,
CVE-2015-5073
Package Information:
https://launchpad.net/ubuntu/+source/pcre3/2:8.35-3.3ubuntu1.1
https://launchpad.net/ubuntu/+source/pcre3/1:8.31-2ubuntu2.1
https://launchpad.net/ubuntu/+source/pcre3/8.12-4ubuntu0.1
Fedora 23 Alpha Freeze
Today's an important day on the Fedora 23 schedule[1], with several
significant cut-offs. First of all today is the Bodhi activation point
[2]. That means that from now all Fedora 23 packages must be submitted
to updates-testing and pass the relevant requirements[3] before they
will be marked as 'stable' and moved to the fedora repository.
Today is also the Alpha freeze[4]. This means that only packages which
fix accepted blocker or freeze exception bugs[5][6] will be marked as
'stable' and included in the Alpha composes. Other builds will remain
in updates-testing until the Alpha release is approved, at which point
the Alpha freeze is lifted and packages can move to 'stable' as usual
until the Beta freeze.
Today is also the Software String freeze[7], which means that strings
marked for translation in Fedora-translated projects should not now
be changed for Fedora 23.
Finally, today is the 'completion deadline' Change Checkpoint[8],
meaning that Fedora 23 Changes must now be 'feature complete or close
enough to completion that a majority of its functionality can be
tested'.
Regards
Dennis
[1] https://fedoraproject.org/wiki/Releases/23/Schedule
[2] https://fedoraproject.org/wiki/Updates_Policy#Bodhi_enabling
[3] https://fedoraproject.org/wiki/Updates_Policy#Branched_release
[4] https://fedoraproject.org/wiki/Milestone_freezes
[5] https://fedoraproject.org/wiki/QA:SOP_blocker_bug_process
[6] https://fedoraproject.org/wiki/QA:SOP_freeze_exception_bug_process
[7] https://fedoraproject.org/wiki/ReleaseEngineering/StringFreezePolicy
[8] https://fedoraproject.org/wiki/Changes/Policy
Tuesday, July 28, 2015
[CentOS-announce] CESA-2015:1514 Important CentOS 5 bind Security Update
Upstream details at : https://rhn.redhat.com/errata/RHSA-2015-1514.html
The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )
--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
http://lists.centos.org/mailman/listinfo/centos-announce
[CentOS-announce] CESA-2015:1515 Important CentOS 5 bind97 Security Update
Upstream details at : https://rhn.redhat.com/errata/RHSA-2015-1515.html
The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )
--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
[CentOS-announce] CESA-2015:1513 Important CentOS 7 bind Security Update
Upstream details at : https://rhn.redhat.com/errata/RHSA-2015-1513.html
The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )
--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-15:17.bind
=============================================================================
FreeBSD-SA-15:17.bind Security Advisory
The FreeBSD Project
Topic: BIND remote denial of service vulnerability
Category: contrib
Module: bind
Announced: 2015-07-28
Credits: ISC
Affects: FreeBSD 8.x and FreeBSD 9.x.
Corrected: 2015-07-28 19:58:54 UTC (stable/9, 9.3-STABLE)
2015-07-28 19:59:22 UTC (releng/9.3, 9.3-RELEASE-p21)
2015-07-28 19:58:54 UTC (stable/8, 8.4-STABLE)
2015-07-28 19:59:22 UTC (releng/8.4, 8.4-RELEASE-p35)
CVE Name: CVE-2015-5477
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.
II. Problem Description
An error in the handling of TKEY queries can be exploited by an attacker
for use as a denial-of-service vector, as a constructed packet can use
the defect to trigger a REQUIRE assertion failure, causing BIND to exit.
III. Impact
A remote attacker can trigger a crash of a name server. Both recursive and
authoritative servers are affected, and the exposure cannot be mitigated by
ACLs or by configuration options that limit or deny service, because the
exploitable code runs early in packet handling, before the checks that
enforce those boundaries.
IV. Workaround
No workaround is available, but systems that are not running BIND are not
vulnerable.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
The named service has to be restarted after the update. A reboot is
recommended but not required.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
The named service has to be restarted after the update. A reboot is
recommended but not required.
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-15:17/bind.patch
# fetch https://security.FreeBSD.org/patches/SA-15:17/bind.patch.asc
# gpg --verify bind.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart the applicable daemons, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
-------------------------------------------------------------------------
stable/8/ r285977
releng/8.4/ r285980
stable/9/ r285977
releng/9.3/ r285980
-------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://kb.isc.org/article/AA-01272>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5477>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:17.bind.asc>
[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-15:15.tcp
=============================================================================
FreeBSD-SA-15:15.tcp Security Advisory
The FreeBSD Project
Topic: Resource exhaustion in TCP reassembly
Category: core
Module: inet
Announced: 2015-07-28
Credits: Patrick Kelsey (Norse Corporation)
Affects: All supported versions of FreeBSD.
Corrected: 2015-07-28 19:58:44 UTC (stable/10, 10.2-PRERELEASE)
2015-07-28 19:58:44 UTC (stable/10, 10.2-BETA2-p2)
2015-07-28 19:59:04 UTC (releng/10.2, 10.2-RC1-p1)
2015-07-28 19:59:11 UTC (releng/10.1, 10.1-RELEASE-p16)
2015-07-28 19:58:54 UTC (stable/9, 9.3-STABLE)
2015-07-28 19:59:22 UTC (releng/9.3, 9.3-RELEASE-p21)
2015-07-28 19:58:54 UTC (stable/8, 8.4-STABLE)
2015-07-28 19:59:22 UTC (releng/8.4, 8.4-RELEASE-p35)
CVE Name: CVE-2015-1417
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
The Transmission Control Protocol (TCP) of the TCP/IP protocol suite
provides a connection-oriented, reliable, sequence-preserving data
stream service.
The underlying IP datagram protocol is simple and potentially unreliable
and may deliver segments out of order, so the TCP receiver must reassemble
the segments into their original sequence to provide a reliable octet
stream. Because reassembly requires additional resources to hold the
queued segments, resource exhaustion in the TCP reassembly path has
historically been prevented by limiting the total number of segments that
can belong to reassembly queues to a small fraction (1/16) of the total
number of mbuf clusters in the system.
VNET is a technique to virtualize the network stack, first introduced in
FreeBSD 8.0. It changes global resources in the network stack into per
network stack resources, so that a virtual network stack can be attached
to a jailed prison and the prison can have unrestricted access to the
virtual network stack. VNET is not enabled by default and has to be
enabled by recompiling the kernel.
II. Problem Description
The introduction of VNET mistakenly converted the global limit on the
number of segments that can belong to reassembly queues into a per-VNET
limit. Because mbufs are allocated from a global pool, given a sufficient
number of VNETs the total number of mbufs attached to reassembly queues
can grow to the total number of mbufs in the system, at which point all
network traffic would cease.
III. Impact
An attacker who can establish concurrent TCP connections across a
sufficient number of VNETs and manipulate the inbound packet streams
such that the maximum number of mbufs are enqueued on each reassembly
queue can cause mbuf cluster exhaustion on the target system, resulting
in a Denial of Service condition.
As the default per-VNET limit on the number of segments that can
belong to reassembly queues is 1/16 of the total number of mbuf
clusters in the system, only systems that have 16 or more VNET
instances are vulnerable.
IV. Workaround
FreeBSD 8.x, 9.x and 10.x systems that do not make use of VNETs
(option VIMAGE) are not affected. The support has to be specifically
compiled into a custom kernel, so its use is not common.
For affected systems, the system administrators may consider reducing
the net.inet.tcp.reass.maxsegments tunable to the value of
kern.ipc.nmbclusters divided by one greater than the total number of
VNETs that are going to be used in the system in order to prevent a
Denial of Service via this vulnerability. For example, if there are
16 VNETs in the system, the net.inet.tcp.reass.maxsegments tunable
should be set to kern.ipc.nmbclusters / 17.
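The workaround arithmetic above, as an added shell example that is not part of the advisory: for a given mbuf cluster pool and VNET count it shows the worst case under the default 1/16 per-VNET limit, the net.inet.tcp.reass.maxsegments value the advisory recommends, and the headroom that value leaves. The 65536-cluster pool is a constructed value, and placing the tunable in /boot/loader.conf is standard FreeBSD practice for a loader tunable rather than something the advisory states.

```shell
#!/bin/sh
# Added example, not part of the FreeBSD advisory: the arithmetic behind the
# SA-15:15 workaround for hosts that run VNET jails. Inputs are the value of
# kern.ipc.nmbclusters and the number of VNET instances; the default 1/16
# per-VNET limit and the "divide by VNETs + 1" rule are the ones the advisory
# states. The 65536-cluster pool used in the demo is a constructed value.

# Default per-VNET cap on segments queued for reassembly: 1/16 of the pool.
reass_default_limit() {                  # $1 = kern.ipc.nmbclusters
    echo $(( $1 / 16 ))
}

# Clusters that reassembly queues can pin in total when every VNET's queue
# is filled up to a per-VNET limit.
reass_pinned() {                         # $1 = VNETs, $2 = per-VNET limit
    echo $(( $1 * $2 ))
}

# Exit 0 when the worst case under the default limit reaches the whole pool,
# i.e. when the host is exposed to the mbuf exhaustion described in section III.
reass_exhaustible() {                    # $1 = nmbclusters, $2 = VNETs
    [ "$(reass_pinned "$2" "$(reass_default_limit "$1")")" -ge "$1" ]
}

# Interim per-VNET limit from section IV: nmbclusters / (VNETs + 1).
reass_workaround_limit() {               # $1 = nmbclusters, $2 = VNETs
    echo $(( $1 / ($2 + 1) ))
}

# Clusters that stay available for other traffic when every VNET sits at the
# workaround limit; always positive, which is the point of the "+ 1".
reass_headroom() {                       # $1 = nmbclusters, $2 = VNETs
    echo $(( $1 - $2 * $(reass_workaround_limit "$1" "$2") ))
}

# loader.conf(5) line for the tunable (assumed placement; it is read at boot,
# so the new limit applies after a reboot).
reass_loader_line() {                    # $1 = nmbclusters, $2 = VNETs
    echo "net.inet.tcp.reass.maxsegments=\"$(reass_workaround_limit "$1" "$2")\""
}

# Demo: on a live FreeBSD host use "sysctl -n kern.ipc.nmbclusters" in place
# of the constructed 65536.
for vnets in 8 15 16 32; do
    if reass_exhaustible 65536 "$vnets"; then
        printf '%2d VNETs: exhaustible; %s leaves %d clusters of headroom\n' \
            "$vnets" "$(reass_loader_line 65536 "$vnets")" \
            "$(reass_headroom 65536 "$vnets")"
    else
        printf '%2d VNETs: worst case %d of 65536 clusters, not exhaustible\n' \
            "$vnets" "$(reass_pinned "$vnets" "$(reass_default_limit 65536)")"
    fi
done
```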
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot the system.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
And reboot the system.
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 10.2]
# fetch https://security.FreeBSD.org/patches/SA-15:15/tcp.patch
# fetch https://security.FreeBSD.org/patches/SA-15:15/tcp.patch.asc
# gpg --verify tcp.patch.asc
[FreeBSD 9.3 and 10.1]
# fetch https://security.FreeBSD.org/patches/SA-15:15/tcp-9.3-10.1.patch
# fetch https://security.FreeBSD.org/patches/SA-15:15/tcp-9.3-10.1.patch.asc
# gpg --verify tcp-9.3-10.1.patch.asc
[FreeBSD 8.4]
# fetch https://security.FreeBSD.org/patches/SA-15:15/tcp-8.patch
# fetch https://security.FreeBSD.org/patches/SA-15:15/tcp-8.patch.asc
# gpg --verify tcp-8.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
-------------------------------------------------------------------------
stable/8/ r285977
releng/8.4/ r285980
stable/9/ r285977
releng/9.3/ r285980
stable/10/ r285976
releng/10.1/ r285979
releng/10.2/ r285978
-------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1417>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:15.tcp.asc>
[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-15:16.openssh
=============================================================================
FreeBSD-SA-15:16.openssh Security Advisory
The FreeBSD Project
Topic: OpenSSH multiple vulnerabilities
Category: contrib
Module: openssh
Announced: 2015-07-28
Affects: All supported versions of FreeBSD.
Corrected: 2015-07-28 19:58:44 UTC (stable/10, 10.2-PRERELEASE)
2015-07-28 19:58:44 UTC (stable/10, 10.2-BETA2-p2)
2015-07-28 19:59:04 UTC (releng/10.2, 10.2-RC1-p1)
2015-07-28 19:59:11 UTC (releng/10.1, 10.1-RELEASE-p16)
2015-07-28 19:58:54 UTC (stable/9, 9.3-STABLE)
2015-07-28 19:59:22 UTC (releng/9.3, 9.3-RELEASE-p21)
2015-07-28 19:58:54 UTC (stable/8, 8.4-STABLE)
2015-07-28 19:59:22 UTC (releng/8.4, 8.4-RELEASE-p35)
CVE Name: CVE-2014-2653, CVE-2015-5600
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
OpenSSH is an implementation of the SSH protocol suite, providing an
encrypted and authenticated transport for a variety of services,
including remote shell access.
The security of the SSH connection relies on the server authenticating
itself to the client as well as the user authenticating itself to the
server. SSH servers use host keys to verify their identity.
RFC 4255 defines a method of verifying SSH host keys using DNS Security
(DNSSEC), by publishing the key fingerprint in an "SSHFP" DNS resource
record. RFC 6187 defines methods that use a signature by a trusted
certification authority to bind a given public key to a given digital
identity with X.509v3 certificates.
The PAM (Pluggable Authentication Modules) library provides a flexible
framework for user authentication and session setup / teardown.
OpenSSH uses PAM for password authentication by default.
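The SSHFP check that RFC 4255 describes, as an added example (not OpenSSH's own code and not part of the advisory): the client hashes the host public key blob the server presented, formats it as an SSHFP record ("algorithm fingerprint-type hex-digest") and compares it with the records returned by DNS. The host key used here is constructed (its 32 key bytes are simply 0x00..0x1f), the algorithm and fingerprint-type numbers come from RFCs 4255, 6594 and 7479, and the example covers Ed25519, ECDSA and SHA-256 records even though the advisory only names RFC 4255.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255: RSA=1, DSS=2; RFC 6594: ECDSA=3;
# RFC 7479: Ed25519=4) and fingerprint types (RFC 4255: SHA-1=1;
# RFC 6594: SHA-256=2).
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_FPTYPE = {"sha1": 1, "sha256": 2}


def ssh_string(b: bytes) -> bytes:
    """Encode an SSH wire-format string: uint32 big-endian length + bytes."""
    return struct.pack(">I", len(b)) + b


def constructed_ed25519_host_key() -> str:
    """A CONSTRUCTED host key line in ssh_host_ed25519_key.pub format.
    It is not any real server's key: the 32 key bytes are 0x00..0x1f."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


def sshfp_rdata(host_key_line: str, fptype: str = "sha256") -> str:
    """Return the SSHFP presentation-format RDATA for a host public key line,
    e.g. '4 2 <64 hex chars>'. The fingerprint is the digest of the decoded
    key blob (the base64 field), which is what gets published in DNS."""
    keytype, b64 = host_key_line.split()[:2]
    blob = base64.b64decode(b64)
    digest = hashlib.new(fptype, blob).hexdigest()
    return f"{SSHFP_ALGORITHM[keytype]} {SSHFP_FPTYPE[fptype]} {digest}"


def sshfp_matches(host_key_line: str, records: list) -> bool:
    """Client-side comparison: does any SSHFP record match the key the server
    presented? `records` are the SSHFP RDATA strings returned by DNS; the
    comparison is whitespace- and case-insensitive on the hex digest. The
    result is only trustworthy if the resolver validated the answer with
    DNSSEC, which is the whole premise of RFC 4255."""
    candidates = {sshfp_rdata(host_key_line, t).lower() for t in SSHFP_FPTYPE}
    return any(" ".join(r.split()).lower() in candidates for r in records)


if __name__ == "__main__":
    key = constructed_ed25519_host_key()
    published = sshfp_rdata(key)          # what the zone owner would publish
    print("SSHFP", published)
    print("match:", sshfp_matches(key, [published]))
    print("tampered:", sshfp_matches(key, ["4 2 " + "0" * 64]))
```

In OpenSSH the client side of this comparison is enabled with the ssh_config option VerifyHostKeyDNS; when the DNS answer is not DNSSEC-validated the client still prompts the user, which is why the advisory's impact section falls back to manual fingerprint checking.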
II. Problem Description
OpenSSH clients do not correctly verify DNS SSHFP records when a server
offers a certificate. [CVE-2014-2653]
OpenSSH servers which are configured to allow password authentication
using PAM (the default) would allow many password attempts. [CVE-2015-5600]
III. Impact
A malicious server may be able to force a connecting client to skip the
DNS SSHFP record check and fall back to manual verification of the host
key fingerprint by the user. This could allow a man-in-the-middle attack
if the user does not check the fingerprint carefully. [CVE-2014-2653]
A remote attacker may effectively bypass the MaxAuthTries setting, which
would enable them to brute-force passwords. [CVE-2015-5600]
IV. Workaround
Systems that do not use OpenSSH are not affected.
There is no workaround for CVE-2014-2653, but the problem only affects
networks where DNSSEC and SSHFP are properly configured. Users of SSH
should always check server host key fingerprints carefully when
prompted.
System administrators can set:
UsePAM no
in /etc/ssh/sshd_config and restart the sshd service to work around the
problem described as CVE-2015-5600, at the expense of losing the features
provided by the PAM framework.
We recommend that system administrators disable password-based
authentication completely and use key-based authentication exclusively in
their SSH server configuration, when possible. This eliminates any
exposure to password brute-force attacks.
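An audit of the settings the workaround section talks about, as an added example (not FreeBSD's or OpenSSH's own tooling): it parses the global section of an sshd_config with sshd(8)'s semantics (case-insensitive keywords, first occurrence wins, settings inside Match blocks are conditional and therefore skipped) and reports whether PAM-backed password authentication is still reachable, whether any password or keyboard-interactive prompt is possible at all, and whether MaxAuthTries was raised above OpenSSH's default of 6. The three sample configurations are constructed; the assumed default of "UsePAM yes" follows the advisory's statement that PAM password authentication is the default on FreeBSD, the other defaults are OpenSSH's compiled-in ones, and the finding names are this example's own.

```python
import re

# Effective values when a keyword is absent. UsePAM "yes" is assumed to be
# the FreeBSD default, as the advisory states; the rest are OpenSSH defaults.
DEFAULTS = {
    "usepam": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",   # keyboard-interactive prompts
    "pubkeyauthentication": "yes",
    "maxauthtries": "6",
}

# CONSTRUCTED sample configurations, not taken from any real host.
DEFAULT_LIKE = """
# PAM handles password authentication, as shipped
UsePAM yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
"""
WORKAROUND = """
# the advisory's workaround: PAM off, passwords still accepted
UsePAM no
PasswordAuthentication yes
"""
HARDENED = """
# the advisory's recommendation: key-based authentication only
UsePAM yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
Match User backup
    PasswordAuthentication yes
"""


def parse_sshd_config(text: str) -> dict:
    """Parse the global section of an sshd_config into {keyword: value}.
    Keywords are lower-cased, '#' comments dropped, 'Key value' and
    'Key=value' both accepted, the FIRST occurrence of a keyword wins, and
    parsing stops at the first Match block (its settings are conditional)."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2 and key not in cfg:
            cfg[key] = parts[1].strip()
    return cfg


def setting(cfg: dict, key: str) -> str:
    """Effective (lower-cased) value of a keyword, falling back to DEFAULTS."""
    return cfg.get(key, DEFAULTS[key]).lower()


def assess(text: str) -> list:
    """Return finding codes for an sshd_config, in a fixed order."""
    cfg = parse_sshd_config(text)
    findings = []
    pam = setting(cfg, "usepam") == "yes"
    pw = setting(cfg, "passwordauthentication") == "yes"
    kbd = setting(cfg, "challengeresponseauthentication") == "yes"
    # PAM still reachable through a password or keyboard-interactive prompt:
    # the configuration the advisory's CVE-2015-5600 description applies to.
    if pam and (pw or kbd):
        findings.append("PAM_PASSWORD_AUTH_ENABLED")
    # Any interactive credential prompt at all, i.e. not key-only as recommended.
    if pw or kbd:
        findings.append("INTERACTIVE_AUTH_ENABLED")
    if setting(cfg, "pubkeyauthentication") != "yes":
        findings.append("PUBKEY_AUTH_DISABLED")
    if int(setting(cfg, "maxauthtries")) > 6:
        findings.append("MAXAUTHTRIES_ABOVE_DEFAULT")
    return findings


if __name__ == "__main__":
    for name, text in (("default-like", DEFAULT_LIKE),
                       ("workaround", WORKAROUND),
                       ("hardened", HARDENED)):
        print(f"{name:13s} {assess(text) or 'no findings'}")
```

Note the difference between the second and third results: "UsePAM no" removes the PAM path but leaves password guessing possible, which is exactly the trade-off the advisory describes; only the key-only configuration produces no findings. To run it against a live host, read /etc/ssh/sshd_config and pass its contents to assess().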
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
The SSH service has to be restarted after the update. A reboot is
recommended but not required.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
The SSH service has to be restarted after the update. A reboot is
recommended but not required.
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 9.3, 10.1, 10.2]
# fetch https://security.FreeBSD.org/patches/SA-15:16/openssh.patch
# fetch https://security.FreeBSD.org/patches/SA-15:16/openssh.patch.asc
# gpg --verify openssh.patch.asc
[FreeBSD 8.4]
# fetch https://security.FreeBSD.org/patches/SA-15:16/openssh-8.patch
# fetch https://security.FreeBSD.org/patches/SA-15:16/openssh-8.patch.asc
# gpg --verify openssh-8.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart the SSH service, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/8/ r285977
releng/8.4/ r285980
stable/9/ r285977
releng/9.3/ r285980
stable/10/ r285976
releng/10.1/ r285979
releng/10.2/ r285978
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2653>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5600>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:16.openssh.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.6 (FreeBSD)
iQIcBAEBCgAGBQJVt+FdAAoJEO1n7NZdz2rnPxEQAIFMhBzUuAEEeG3GoO6o6DQn
7ZVPdd+EdijDk0VAZbaa3NyeVGTNSEQhjpL/lSkIQUQT+yEAUUsUCVWu0T8OpCN0
UT6JlYhV+AwQVyWujlTjspQ3Ba3Kn3o76MCzvdIQWPTzD1yCZqRmpZ1eSjonmySZ
ts+kVDCV2ZJyWACOdG2GXHSmTraIErn0J1YaLg++c8nHUvb+TNo2/8viBGJINhdP
bvA6fzYPpAzgaq5EEKevySLUnUfUE2Nx5LGD2CUx/hMu7K8y2h4SR2fKmpyBauNS
4VHSssX6KjxZCYctCEsUgCokWYzt9fepyBsCiS9Vx4mTwat8Vuiz2zB1lCOwM97v
iDbkcmR/ixElrXSBb5+wrhOpBLnYtHFTNPx8dRz39wdb1MxJQqyOOb8KtDSlFMmQ
l5Lk1vTEcZQjWvmCV9XjVlPqcHnX4wNnV+IgUnQTnhQlbe0YgszdLAi5XZDGBmtA
DHuLfBy1091KYBoP641GRuldsq6/r6DUzyZuQJ+p30BDUEfkUAptIEnQWA2l3Y8W
/10eels29WJhV9N7WWo4pbADA54+DLvi0T/46R9WRbM9bA/dsqK9G5wmREaKCqmX
ccQUFrruxJTn7TV4QbN69ABEkOFCyQjqecP2GqA2N/5AAUsV47WC/VtKgOPp4FZ6
E0SkAoNzIighyNk54U9p
=6PBw
-----END PGP SIGNATURE-----