Wednesday, September 30, 2015
[USN-2758-1] PHP vulnerabilities
==========================================================================
Ubuntu Security Notice USN-2758-1
September 30, 2015
php5 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 15.04
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary:
Several security issues were fixed in PHP.
Software Description:
- php5: HTML-embedded scripting language interpreter
Details:
It was discovered that the PHP phar extension incorrectly handled certain
files. A remote attacker could use this issue to cause PHP to crash,
resulting in a denial of service. (CVE-2015-5589)
It was discovered that the PHP phar extension incorrectly handled certain
filepaths. A remote attacker could use this issue to cause PHP to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2015-5590)
Taoguang Chen discovered that PHP incorrectly handled unserializing
objects. A remote attacker could use this issue to cause PHP to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2015-6831, CVE-2015-6834, CVE-2015-6835)
Sean Heelan discovered that PHP incorrectly handled unserializing
objects. A remote attacker could use this issue to cause PHP to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2015-6832)
It was discovered that the PHP phar extension incorrectly handled certain
archives. A remote attacker could use this issue to cause files to be
placed outside of the destination directory. (CVE-2015-6833)
Andrea Palazzo discovered that the PHP Soap client incorrectly validated
data types. A remote attacker could use this issue to cause PHP to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2015-6836)
It was discovered that the PHP XSLTProcessor class incorrectly handled
certain data. A remote attacker could use this issue to cause PHP to crash,
resulting in a denial of service. (CVE-2015-6837)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 15.04:
libapache2-mod-php5 5.6.4+dfsg-4ubuntu6.3
php5-cgi 5.6.4+dfsg-4ubuntu6.3
php5-cli 5.6.4+dfsg-4ubuntu6.3
php5-fpm 5.6.4+dfsg-4ubuntu6.3
Ubuntu 14.04 LTS:
libapache2-mod-php5 5.5.9+dfsg-1ubuntu4.13
php5-cgi 5.5.9+dfsg-1ubuntu4.13
php5-cli 5.5.9+dfsg-1ubuntu4.13
php5-fpm 5.5.9+dfsg-1ubuntu4.13
Ubuntu 12.04 LTS:
libapache2-mod-php5 5.3.10-1ubuntu3.20
php5-cgi 5.3.10-1ubuntu3.20
php5-cli 5.3.10-1ubuntu3.20
php5-fpm 5.3.10-1ubuntu3.20
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-2758-1
CVE-2015-5589, CVE-2015-5590, CVE-2015-6831, CVE-2015-6832,
CVE-2015-6833, CVE-2015-6834, CVE-2015-6835, CVE-2015-6836,
CVE-2015-6837, CVE-2015-6838
Package Information:
https://launchpad.net/ubuntu/+source/php5/5.6.4+dfsg-4ubuntu6.3
https://launchpad.net/ubuntu/+source/php5/5.5.9+dfsg-1ubuntu4.13
https://launchpad.net/ubuntu/+source/php5/5.3.10-1ubuntu3.20
[USN-2753-2] LXC regression
Ubuntu Security Notice USN-2753-2
September 30, 2015
lxc regression
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
Summary:
USN-2753-1 introduced a regression in LXC.
Software Description:
- lxc: Linux Containers userspace tools
Details:
USN-2753-1 fixed a vulnerability in LXC. The update caused a regression that
prevented some containers from starting. This regression only affected
containers that had an absolute path specified as a bind mount target in their
configuration file. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
Roman Fiedler discovered a directory traversal flaw in lxc-start. A local
attacker with access to an LXC container could exploit this flaw to run
programs inside the container that are not confined by AppArmor or expose
unintended files in the host to the container.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS:
lxc 1.0.7-0ubuntu0.6
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-2753-2
http://www.ubuntu.com/usn/usn-2753-1
https://launchpad.net/bugs/1501310
Package Information:
https://launchpad.net/ubuntu/+source/lxc/1.0.7-0ubuntu0.6
[USN-2755-1] Cyrus SASL vulnerability
==========================================================================
Ubuntu Security Notice USN-2755-1
September 30, 2015
cyrus-sasl2 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 15.04
Summary:
Cyrus SASL could be made to crash if it processed specially crafted input.
Software Description:
- cyrus-sasl2: Cyrus Simple Authentication and Security Layer
Details:
It was discovered that Cyrus SASL incorrectly handled certain invalid
password salts. An attacker could use this issue to cause Cyrus SASL to
crash, resulting in a denial of service.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 15.04:
libsasl2-2 2.1.26.dfsg1-13ubuntu0.1
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-2755-1
CVE-2013-4122
Package Information:
https://launchpad.net/ubuntu/+source/cyrus-sasl2/2.1.26.dfsg1-13ubuntu0.1
[USN-2756-1] rpcbind vulnerability
==========================================================================
Ubuntu Security Notice USN-2756-1
September 30, 2015
rpcbind vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 15.04
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary:
rpcbind could be made to crash or run programs if it received specially
crafted network traffic.
Software Description:
- rpcbind: converts RPC program numbers into universal addresses
Details:
It was discovered that rpcbind incorrectly handled certain memory
structures. A remote attacker could use this issue to cause rpcbind to
crash, resulting in a denial of service, or possibly execute arbitrary
code.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 15.04:
rpcbind 0.2.1-6ubuntu3.1
Ubuntu 14.04 LTS:
rpcbind 0.2.1-2ubuntu2.2
Ubuntu 12.04 LTS:
rpcbind 0.2.0-7ubuntu1.3
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-2756-1
CVE-2015-7236
Package Information:
https://launchpad.net/ubuntu/+source/rpcbind/0.2.1-6ubuntu3.1
https://launchpad.net/ubuntu/+source/rpcbind/0.2.1-2ubuntu2.2
https://launchpad.net/ubuntu/+source/rpcbind/0.2.0-7ubuntu1.3
[CentOS-announce] [Infra] dev.centos.org redirection
The CentOS Infra team would like you to know that the old node hosting
the dev.centos.org vhost has been replaced.
As all actual testing artifacts (RPM packages, iso images, cloud
images, arm images, etc) are now pushed to buildlogs.centos.org, we've
decided to just redirect dev.centos.org to buildlogs nodes.
Should you encounter an issue, feel free to either report it on
https://bugs.centos.org, or in #centos-devel on irc.freenode.net.
on behalf of the Infra team,
--
Fabian Arrotin
The CentOS Project | http://www.centos.org
gpg key: 56BEC54E | twitter: @arrfab
_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
https://lists.centos.org/mailman/listinfo/centos-announce
Tuesday, September 29, 2015
[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-15:24.rpcbind
=============================================================================
FreeBSD-SA-15:24.rpcbind Security Advisory
The FreeBSD Project
Topic: rpcbind(8) remote denial of service
Category: core
Module: rpcbind
Announced: 2015-09-29
Affects: All supported versions of FreeBSD.
Corrected: 2015-09-29 18:06:27 UTC (stable/10, 10.2-STABLE)
2015-09-29 18:07:18 UTC (releng/10.2, 10.2-RELEASE-p4)
2015-09-29 18:07:18 UTC (releng/10.1, 10.1-RELEASE-p21)
2015-09-29 18:06:27 UTC (stable/9, 9.3-STABLE)
2015-09-29 18:07:18 UTC (releng/9.3, 9.3-RELEASE-p27)
CVE Name: CVE-2015-7236
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
Sun RPC is a remote procedure call framework which allows clients to invoke
procedures in a server process over a network transparently.
The rpcbind(8) utility is a server that converts RPC program numbers into
universal addresses. It must be running on the host to be able to make RPC
calls on a server on that machine.
The Sun RPC framework uses a netbuf structure to represent the transport
specific form of a universal transport address. The structure is expected
to be opaque to consumers. In the current implementation, the structure
contains a pointer to a buffer that holds the actual address.
II. Problem Description
In rpcbind(8), netbuf structures are copied directly, which leaves two netbuf
structures referencing one shared address buffer. When one of the two netbuf
structures is freed, any access through the other is undefined behaviour and
may crash the rpcbind(8) daemon.
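The defect described above is a shallow copy of a struct that owns a heap pointer. The following C program is an added illustration written for this page, not rpcbind's or FreeBSD's code: it declares a netbuf with the same three fields as the Sun RPC definition (maxlen, len, buf), shows the struct-assignment copy that aliases the buffer next to a deep copy that gives the second netbuf its own allocation, and adds an aliasing check a reviewer could apply before any free. The function names and the sample address bytes are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same fields as the Sun RPC netbuf in <rpc/types.h>: the address itself lives
 * in a separately allocated buffer that the struct merely points to. */
struct netbuf {
    unsigned int maxlen;  /* capacity of buf */
    unsigned int len;     /* bytes of address data in use */
    void *buf;            /* heap buffer holding the address */
};

/* Allocate a netbuf holding a copy of 'addr'. Returns -1 on allocation failure. */
int netbuf_init(struct netbuf *nb, const void *addr, unsigned int len) {
    nb->buf = malloc(len);
    if (nb->buf == NULL) return -1;
    memcpy(nb->buf, addr, len);
    nb->len = nb->maxlen = len;
    return 0;
}

/* Release a netbuf's buffer and clear the struct so reuse is detectable. */
void netbuf_free(struct netbuf *nb) {
    free(nb->buf);
    nb->buf = NULL;
    nb->len = nb->maxlen = 0;
}

/* The bug pattern: a struct assignment duplicates the pointer, not the data,
 * so both netbufs alias the same heap buffer. Freeing either leaves the
 * other dangling. */
void netbuf_shallow_copy(struct netbuf *dst, const struct netbuf *src) {
    *dst = *src;
}

/* The hardened form: give the copy its own buffer. Returns -1 on allocation failure. */
int netbuf_deep_copy(struct netbuf *dst, const struct netbuf *src) {
    dst->buf = malloc(src->maxlen);
    if (dst->buf == NULL) return -1;
    memcpy(dst->buf, src->buf, src->len);
    dst->len = src->len;
    dst->maxlen = src->maxlen;
    return 0;
}

/* Defensive check: 1 if two netbufs share one buffer, 0 otherwise. */
int netbuf_shares_buffer(const struct netbuf *a, const struct netbuf *b) {
    return a->buf != NULL && a->buf == b->buf;
}

/* Walk through both copy strategies. Returns 1 when the shallow copy is
 * detected as aliased, the deep copy is independent, and the deep copy still
 * holds the original bytes after the source has been freed; 0 otherwise. */
int demo_copy_semantics(void) {
    /* Constructed sample: six bytes standing in for a universal address. */
    const unsigned char sample[] = { 0x7f, 0x00, 0x00, 0x01, 0x00, 0x6f };
    struct netbuf original, shallow, deep;
    if (netbuf_init(&original, sample, sizeof sample) != 0) return 0;

    netbuf_shallow_copy(&shallow, &original);
    int aliased = netbuf_shares_buffer(&original, &shallow);    /* 1: the bug */

    if (netbuf_deep_copy(&deep, &original) != 0) { netbuf_free(&original); return 0; }
    int independent = !netbuf_shares_buffer(&original, &deep);  /* 1: the fix */

    netbuf_free(&original);  /* 'shallow' now dangles; 'deep' is unaffected */
    int intact = deep.len == sizeof sample &&
                 memcmp(deep.buf, sample, sizeof sample) == 0;
    netbuf_free(&deep);
    /* 'shallow' is deliberately never freed or read: its buffer is already gone. */
    return aliased && independent && intact;
}

int main(void) {
    printf("deep copy survives freeing its source: %s\n",
           demo_copy_semantics() ? "yes" : "no");
    return 0;
}
```

The check in netbuf_shares_buffer is the kind of assertion worth placing before every free of an owned pointer in code that passes such structs by value; the shallow copy is never dereferenced here because doing so after the free is exactly the undefined behaviour the advisory describes.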
III. Impact
A remote attacker who can send specifically crafted packets to the rpcbind(8)
daemon can cause it to crash, resulting in a denial of service condition.
IV. Workaround
No workaround is available, but systems that do not provide the rpcbind(8)
service to untrusted systems, or do not provide any RPC services, are not
vulnerable. On FreeBSD, typical RPC based services include NIS and NFS.
Alternatively, rpcbind(8) can be configured to bind to specific IP
address(es) using the '-h' option. This reduces the exposure of the service
when the system has multiple network interfaces and some of them face an
untrusted network.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Restart the applicable daemons, or reboot the system. Because rpcbind(8)
is an essential service to all RPC service daemons, these daemons may also
need to be restarted.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
Restart the applicable daemons, or reboot the system. Because rpcbind(8)
is an essential service to all RPC service daemons, these daemons may also
need to be restarted.
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-15:24/rpcbind.patch
# fetch https://security.FreeBSD.org/patches/SA-15:24/rpcbind.patch.asc
# gpg --verify rpcbind.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart the applicable daemons, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
-------------------------------------------------------------------------
stable/9/ r288384
releng/9.3/ r288385
stable/10/ r288384
releng/10.1/ r288385
releng/10.2/ r288385
-------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7236>
<URL:https://bugzilla.suse.com/show_bug.cgi?id=946204>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:24.rpcbind.asc>
-----BEGIN PGP SIGNATURE-----
_______________________________________________
freebsd-announce@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-announce
To unsubscribe, send any mail to "freebsd-announce-unsubscribe@freebsd.org"
[USN-2753-1] LXC vulnerability
Ubuntu Security Notice USN-2753-1
September 29, 2015
lxc vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 15.04
- Ubuntu 14.04 LTS
Summary:
LXC could be made to start containers without AppArmor confinement or access
the host filesystem.
Software Description:
- lxc: Linux Containers userspace tools
Details:
Roman Fiedler discovered a directory traversal flaw in lxc-start. A local
attacker with access to an LXC container could exploit this flaw to run
programs inside the container that are not confined by AppArmor or expose
unintended files in the host to the container.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 15.04:
lxc 1.1.2-0ubuntu3.2
Ubuntu 14.04 LTS:
lxc 1.0.7-0ubuntu0.5
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-2753-1
CVE-2015-1335
Package Information:
https://launchpad.net/ubuntu/+source/lxc/1.1.2-0ubuntu3.2
https://launchpad.net/ubuntu/+source/lxc/1.0.7-0ubuntu0.5
[CentOS-announce] CESA-2015:1840 Important CentOS 7 openldap Security Update
Upstream details at : https://rhn.redhat.com/errata/RHSA-2015-1840.html
The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )
x86_64:
c0fbed4f2b242cde4830df33b394a226e705eae993e17e38f90e663f511fe6fd openldap-2.4.39-7.el7.centos.i686.rpm
960f62ded3dfa6c3f92f3e466ebc07c0b4f30465c3fefd4ea302128152c936e0 openldap-2.4.39-7.el7.centos.x86_64.rpm
1c1853339b71aa16592859b80f670a450a0b45cc713ccca4c3d770a76ee096a8 openldap-clients-2.4.39-7.el7.centos.x86_64.rpm
51dc10dfcfc9ba0ff965256477d789b692f942772c54845edbc8fc5f8f1e5450 openldap-devel-2.4.39-7.el7.centos.i686.rpm
d906620f31cdd8a5866dfac65bcfc42fc0fec7a7b826922da0afd29d2c8dfd2b openldap-devel-2.4.39-7.el7.centos.x86_64.rpm
49d45cc17bd198d65ba8fea53944e4f8e8525ec61eaf91b9f03da839acf530c4 openldap-servers-2.4.39-7.el7.centos.x86_64.rpm
99d31fc1f35404da6a32b2ca4239a124966d3f51388c35fafa06dcf0018bd864 openldap-servers-sql-2.4.39-7.el7.centos.x86_64.rpm
Source:
5ff494cb8637ecc22d9a5299d51bbd6a1dd646f75a4cd97315c9f303259f0438 openldap-2.4.39-7.el7.centos.src.rpm
--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
[CentOS-announce] CESA-2015:1840 Important CentOS 6 openldap Security Update
Upstream details at : https://rhn.redhat.com/errata/RHSA-2015-1840.html
The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )
i386:
ce59a16e8d9f797feff522711be61aa9bd976ddcd0e629c260a9e1120b1abda4 openldap-2.4.40-6.el6_7.i686.rpm
90cfd98aa85f7e6b816f3b9472a8bbd26979a1224fce84390d784da68f582d20 openldap-clients-2.4.40-6.el6_7.i686.rpm
afa5499f0434b52f57fe96d70489d195e73f9ef59ca22f6a4b12c304ebb43635 openldap-devel-2.4.40-6.el6_7.i686.rpm
80b87de3386d0b711597554cce65d8b4e4cdea909425675562ccef2d28402453 openldap-servers-2.4.40-6.el6_7.i686.rpm
be985035faf4b5b8dbee232a00eb9631659a99106d14b2044f82d8ccec34dd8a openldap-servers-sql-2.4.40-6.el6_7.i686.rpm
x86_64:
ce59a16e8d9f797feff522711be61aa9bd976ddcd0e629c260a9e1120b1abda4 openldap-2.4.40-6.el6_7.i686.rpm
b8658e6e57809577463a9f168656d9ccbb1f2d9e5d480d77ace7eac594789350 openldap-2.4.40-6.el6_7.x86_64.rpm
516d525207917340a6fc22b4cc3d1fd6d9398a0ce79ef746579155d95aac9325 openldap-clients-2.4.40-6.el6_7.x86_64.rpm
afa5499f0434b52f57fe96d70489d195e73f9ef59ca22f6a4b12c304ebb43635 openldap-devel-2.4.40-6.el6_7.i686.rpm
655274004efc40a05c9947af3cb1ff654b8038cbd083fc44e25190a18f2c776d openldap-devel-2.4.40-6.el6_7.x86_64.rpm
678906aa40444064d8188d74ca33591dcc34da97723f3aff762524798b28500c openldap-servers-2.4.40-6.el6_7.x86_64.rpm
d8fcc13e67551c0893f0826e1f986930094dc5efffd9cce2af0577612281d597 openldap-servers-sql-2.4.40-6.el6_7.x86_64.rpm
Source:
63c1dcfee015ccec322361e78080c686e7f14a51b7cf331726b3017c1c760a67 openldap-2.4.40-6.el6_7.src.rpm
--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
[CentOS-announce] CESA-2015:1840 Important CentOS 5 openldap Security Update
Upstream details at : https://rhn.redhat.com/errata/RHSA-2015-1840.html
The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )
i386:
cc181bbfac7f8256afb84c7345aeeabe02967ce32d0b19980e3d10ab7eff941d compat-openldap-2.3.43_2.2.29-29.el5_11.i386.rpm
b22b59b70a24b9d81e3636dd64c13bcb31837d0fc585e8d40d3c42b09addc982 openldap-2.3.43-29.el5_11.i386.rpm
3071dbeb025e46da4b8ebb3cf697871525e0ff3f319c062f989d6538b4b6a3d3 openldap-clients-2.3.43-29.el5_11.i386.rpm
f42c1033d9c8749d85358d8ed2636c5f43a06bc15561dca4d00adc69483044bf openldap-devel-2.3.43-29.el5_11.i386.rpm
7dee4dd6721f9222268e9c11d96db5d0624ec0067d7924b0eeebf78791cad6ee openldap-servers-2.3.43-29.el5_11.i386.rpm
a738a621d1fff4855f994c2eb316dd277cda9f20c74c3437c7718f21ddad7901 openldap-servers-overlays-2.3.43-29.el5_11.i386.rpm
f902ae9ff4405241871cbe51bdf94064a4b1759d7fbce279df5d8be04d26d074 openldap-servers-sql-2.3.43-29.el5_11.i386.rpm
x86_64:
cc181bbfac7f8256afb84c7345aeeabe02967ce32d0b19980e3d10ab7eff941d compat-openldap-2.3.43_2.2.29-29.el5_11.i386.rpm
5757fda05767444bb1642a8191c3b6f2d76745ba30132ea9d3fd766379f99e2b compat-openldap-2.3.43_2.2.29-29.el5_11.x86_64.rpm
b22b59b70a24b9d81e3636dd64c13bcb31837d0fc585e8d40d3c42b09addc982 openldap-2.3.43-29.el5_11.i386.rpm
e6dd51c4f2f4a23fec2be3f298b76abc87b3930e2fa0f3c0ad440f5ef70da35e openldap-2.3.43-29.el5_11.x86_64.rpm
a7bdd364235403770fac7632b572323bda2565b3c9f23d371768ab859dfc5137 openldap-clients-2.3.43-29.el5_11.x86_64.rpm
f42c1033d9c8749d85358d8ed2636c5f43a06bc15561dca4d00adc69483044bf openldap-devel-2.3.43-29.el5_11.i386.rpm
32164d50ac497028e5c24f8bb1535c37abdf78cd230922cc63bb0c8ac7cf65af openldap-devel-2.3.43-29.el5_11.x86_64.rpm
818492aef0cad81ecc9ea66f4eeff8a4a44a23ed223927d601e4b555d3499e51 openldap-servers-2.3.43-29.el5_11.x86_64.rpm
d21a9d33c3559b97ee2a295c04ce723b4eae3ed46846baafe760e0cd495f5945 openldap-servers-overlays-2.3.43-29.el5_11.x86_64.rpm
13db919bbc3c414f54fb656b7e127f8cfb8700830ef261bd16b4d65e162c9f52 openldap-servers-sql-2.3.43-29.el5_11.x86_64.rpm
Source:
7092b7f27ed18b2fc5496587940b14f1d223762cf8182f282a65db3c4296bc13 openldap-2.3.43-29.el5_11.src.rpm
--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
F24 System Wide Change: Python 3.5
https://fedoraproject.org/wiki/Changes/python3.5
Change owner(s):
* Robert Kuska <rkuska at redhat dot com>
* Matej Stuchlik <mstuchli at redhat dot com>
Update the Python 3 stack in Fedora from Python 3.4 to Python 3.5.
== Detailed Description ==
Python 3.5 adds numerous features and optimizations. See the upstream
notes at What's new in 3.5.
== Scope ==
As Python 3.5 has already been published as a final release and Debian has
already updated its Python to 3.5, we can expect all the core (most used)
Python modules to be Python 3.5 compatible already.
There are 973 packages that (Build)Require python3 in F24. It is also
important to note that Python 3 is now the default interpreter for Fedora
and therefore a crucial part of the distribution (anaconda and dnf run on
Python).
* Proposal owners:
** Make a request to create a f24-python3 side-tag for Python3.5 rebuild.
** Rebuild gdb without python3 support to have minimal buildroot
python3 free as we can't have (currently) simultaneously installed
both Python3.4 and Python3.5 versions within the buildroot.
** Build Python3.5.
** Rebuild gdb and all the packages marked as core within this tag. We
consider all packages shipped by default on the Fedora DVD (and their
dependencies) to be core packages.
** Rebuild the rest of the packages in the mass rebuild.
* Other developers:
Owners of packages that fail to rebuild will be asked using bugzilla
to fix or remove their packages from the distribution. They can
rebuild their packages themselves if interested using fedpkg build
--target f24-python3. We will keep the list of rebuilt
packages/packages in queue publicly accessible.
* Release engineering:
Mass rebuild the rest of the packages.
* Policies and guidelines:
None
--
Jan Kuřík
Platform & Fedora Program Manager
Red Hat Czech s.r.o., Purkynova 99/71, 612 45 Brno, Czech Republic
_______________________________________________
devel-announce mailing list
devel-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel-announce
[USN-2752-1] Linux kernel vulnerabilities
Ubuntu Security Notice USN-2752-1
September 29, 2015
linux vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 15.04
Summary:
Several security issues were fixed in the kernel.
Software Description:
- linux: Linux kernel
Details:
Benjamin Randazzo discovered an information leak in the md (multiple
device) driver when the bitmap_info.file is disabled. A local privileged
attacker could use this to obtain sensitive information from the kernel.
(CVE-2015-5697)
Marc-André Lureau discovered that the vhost driver did not properly
release the userspace provided log file descriptor. A privileged attacker
could use this to cause a denial of service (resource exhaustion).
(CVE-2015-6252)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 15.04:
linux-image-3.19.0-30-generic 3.19.0-30.33
linux-image-3.19.0-30-generic-lpae 3.19.0-30.33
linux-image-3.19.0-30-lowlatency 3.19.0-30.33
linux-image-3.19.0-30-powerpc-e500mc 3.19.0-30.33
linux-image-3.19.0-30-powerpc-smp 3.19.0-30.33
linux-image-3.19.0-30-powerpc64-emb 3.19.0-30.33
linux-image-3.19.0-30-powerpc64-smp 3.19.0-30.33
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.
References:
http://www.ubuntu.com/usn/usn-2752-1
CVE-2015-5697, CVE-2015-6252
Package Information:
https://launchpad.net/ubuntu/+source/linux/3.19.0-30.33
[USN-2751-1] Linux kernel (Vivid HWE) vulnerabilities
Ubuntu Security Notice USN-2751-1
September 29, 2015
linux-lts-vivid vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in the kernel.
Software Description:
- linux-lts-vivid: Linux hardware enablement kernel from Vivid
Details:
Benjamin Randazzo discovered an information leak in the md (multiple
device) driver when the bitmap_info.file is disabled. A local privileged
attacker could use this to obtain sensitive information from the kernel.
(CVE-2015-5697)
Marc-André Lureau discovered that the vhost driver did not properly
release the userspace provided log file descriptor. A privileged attacker
could use this to cause a denial of service (resource exhaustion).
(CVE-2015-6252)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS:
linux-image-3.19.0-30-generic 3.19.0-30.33~14.04.1
linux-image-3.19.0-30-generic-lpae 3.19.0-30.33~14.04.1
linux-image-3.19.0-30-lowlatency 3.19.0-30.33~14.04.1
linux-image-3.19.0-30-powerpc-e500mc 3.19.0-30.33~14.04.1
linux-image-3.19.0-30-powerpc-smp 3.19.0-30.33~14.04.1
linux-image-3.19.0-30-powerpc64-emb 3.19.0-30.33~14.04.1
linux-image-3.19.0-30-powerpc64-smp 3.19.0-30.33~14.04.1
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.
References:
http://www.ubuntu.com/usn/usn-2751-1
CVE-2015-5697, CVE-2015-6252
Package Information:
https://launchpad.net/ubuntu/+source/linux-lts-vivid/3.19.0-30.33~14.04.1
[USN-2750-1] Linux kernel (Utopic HWE) vulnerability
Ubuntu Security Notice USN-2750-1
September 29, 2015
linux-lts-utopic vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
Summary:
The system could be made to crash or run programs as an administrator.
Software Description:
- linux-lts-utopic: Linux hardware enablement kernel from Utopic
Details:
It was discovered that an integer overflow error existed in the SCSI
generic (sg) driver in the Linux kernel. A local attacker with write
permission to a SCSI generic device could use this to cause a denial of
service (system crash) or potentially escalate their privileges.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS:
linux-image-3.16.0-50-generic 3.16.0-50.66~14.04.1
linux-image-3.16.0-50-generic-lpae 3.16.0-50.66~14.04.1
linux-image-3.16.0-50-lowlatency 3.16.0-50.66~14.04.1
linux-image-3.16.0-50-powerpc-e500mc 3.16.0-50.66~14.04.1
linux-image-3.16.0-50-powerpc-smp 3.16.0-50.66~14.04.1
linux-image-3.16.0-50-powerpc64-emb 3.16.0-50.66~14.04.1
linux-image-3.16.0-50-powerpc64-smp 3.16.0-50.66~14.04.1
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.
References:
http://www.ubuntu.com/usn/usn-2750-1
CVE-2015-5707
Package Information:
https://launchpad.net/ubuntu/+source/linux-lts-utopic/3.16.0-50.66~14.04.1
[USN-2749-1] Linux kernel (Trusty HWE) vulnerabilities
Ubuntu Security Notice USN-2749-1
September 29, 2015
linux-lts-trusty vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
Summary:
Several security issues were fixed in the kernel.
Software Description:
- linux-lts-trusty: Linux hardware enablement kernel from Trusty
Details:
Benjamin Randazzo discovered an information leak in the md (multiple
device) driver when the bitmap_info.file is disabled. A local privileged
attacker could use this to obtain sensitive information from the kernel.
(CVE-2015-5697)
Marc-André Lureau discovered that the vhost driver did not properly
release the userspace provided log file descriptor. A privileged attacker
could use this to cause a denial of service (resource exhaustion).
(CVE-2015-6252)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
linux-image-3.13.0-65-generic 3.13.0-65.105~precise1
linux-image-3.13.0-65-generic-lpae 3.13.0-65.105~precise1
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.
References:
http://www.ubuntu.com/usn/usn-2749-1
CVE-2015-5697, CVE-2015-6252
Package Information:
https://launchpad.net/ubuntu/+source/linux-lts-trusty/3.13.0-65.105~precise1
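Every "Update instructions" section on this page names a fixed package version, and whether an installed package is patched depends on Debian/Ubuntu version ordering: an epoch before ':' takes precedence, the revision after the last '-' is compared separately from the upstream part, and '~' sorts before everything, including the end of the string. The following C program is an added example written for this page, not Ubuntu's or dpkg's own code, although it follows the comparison algorithm documented for dpkg; deb_version_cmp and is_patched are names chosen here. It also shows the caveat the HWE notices above imply: the Vivid HWE fix 3.19.0-30.33~14.04.1 (USN-2751-1) sorts below the Vivid fix 3.19.0-30.33 (USN-2752-1), so a check must compare against the fixed version for the release that is actually installed.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sort key for one non-digit character, after dpkg's rules: '~' sorts before
 * everything (even end of string), letters sort in ASCII order, and other
 * punctuation sorts after letters. */
static int order(int c) {
    if (isdigit(c)) return 0;
    if (isalpha(c)) return c;
    if (c == '~') return -1;
    if (c) return c + 256;
    return 0;
}

/* Compare two upstream-version or revision strings by alternating between
 * non-digit runs (ordered by order()) and numeric runs (ordered by value). */
static int verrevcmp(const char *a, const char *b) {
    while (*a || *b) {
        int first_diff = 0;
        while ((*a && !isdigit((unsigned char)*a)) || (*b && !isdigit((unsigned char)*b))) {
            int ac = order((unsigned char)*a), bc = order((unsigned char)*b);
            if (ac != bc) return ac - bc;
            a++; b++;
        }
        while (*a == '0') a++;   /* leading zeros do not count */
        while (*b == '0') b++;
        while (isdigit((unsigned char)*a) && isdigit((unsigned char)*b)) {
            if (!first_diff) first_diff = *a - *b;
            a++; b++;
        }
        if (isdigit((unsigned char)*a)) return 1;   /* longer number wins */
        if (isdigit((unsigned char)*b)) return -1;
        if (first_diff) return first_diff;
    }
    return 0;
}

/* Split "epoch:upstream-revision" into its parts. The epoch defaults to 0 and
 * the revision (after the last '-') to the empty string. */
static void split_version(const char *v, long *epoch,
                          char *up, size_t uplen, char *rev, size_t revlen) {
    const char *colon = strchr(v, ':');
    *epoch = 0;
    if (colon) { *epoch = strtol(v, NULL, 10); v = colon + 1; }
    const char *dash = strrchr(v, '-');
    size_t n = dash ? (size_t)(dash - v) : strlen(v);
    if (n >= uplen) n = uplen - 1;
    memcpy(up, v, n);
    up[n] = '\0';
    snprintf(rev, revlen, "%s", dash ? dash + 1 : "");
}

/* Returns <0, 0 or >0 like strcmp, following Debian/Ubuntu version ordering. */
int deb_version_cmp(const char *a, const char *b) {
    long ea, eb;
    char ua[128], ub[128], ra[128], rb[128];
    split_version(a, &ea, ua, sizeof ua, ra, sizeof ra);
    split_version(b, &eb, ub, sizeof ub, rb, sizeof rb);
    if (ea != eb) return ea < eb ? -1 : 1;
    int r = verrevcmp(ua, ub);
    if (r) return r;
    return verrevcmp(ra, rb);
}

/* 1 if the installed version is at or above the advisory's fixed version. */
int is_patched(const char *installed, const char *fixed) {
    return deb_version_cmp(installed, fixed) >= 0;
}

int main(void) {
    /* Constructed installed versions checked against fixed versions from this page. */
    printf("php5-cli 5.5.9+dfsg-1ubuntu4.12 vs USN-2758-1: %s\n",
           is_patched("5.5.9+dfsg-1ubuntu4.12", "5.5.9+dfsg-1ubuntu4.13") ? "patched" : "vulnerable");
    printf("lxc 1.0.7-0ubuntu0.6 vs USN-2753-1: %s\n",
           is_patched("1.0.7-0ubuntu0.6", "1.0.7-0ubuntu0.5") ? "patched" : "vulnerable");
    printf("HWE kernel 3.19.0-30.33~14.04.1 vs the Vivid fix 3.19.0-30.33: %s\n",
           is_patched("3.19.0-30.33~14.04.1", "3.19.0-30.33") ? "patched" : "below");
    return 0;
}
```

On a live system the installed value comes from dpkg-query -W -f='${Version}' followed by the package name; the last line printed by main is the trap to avoid: that HWE kernel is fully patched per USN-2751-1, but compared against USN-2752-1's version it looks outdated.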
relayd maintenance diff for OpenBSD 5.7
http://www.openbsd.org/errata57.html#015_relayd
015: RELIABILITY FIX: September 28, 2015 All architectures
Various problems were identified in relayd and merged back from -current to
5.7 in this maintenance update.
This patch is for 5.7 only; it fixes reliability problems that were
identified during the OpenBSD 5.8 release cycle.
reallost1.fbsd2233449 Hello, please forward the work file to the person in charge of your company's training department
Dear reallost1.fbsd2233449, hello
Please forward the attachment to the relevant person in charge at your company, thank you!
Autumn is approaching; while working and travelling, don't forget to look after your health!
敖夜萱
Respectfully
Monday, September 28, 2015
uvm errata for 5.7 and 5.8
reverted change. Clearing the wrong bit on a page would sometimes result in
the page queues being corrupted, and then eventually the system would crash or
panic.
This issue affects 5.7 and the forthcoming 5.8 release.
Patches are available. Apply the patch, rebuild the kernel, and reboot.
5.7:
http://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/016_uvm.patch.sig
5.8:
http://ftp.openbsd.org/pub/OpenBSD/patches/5.8/common/003_uvm.patch.sig
[USN-2748-1] Linux kernel vulnerabilities
==========================================================================
Ubuntu Security Notice USN-2748-1
September 28, 2015
linux vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in the kernel.
Software Description:
- linux: Linux kernel
Details:
Benjamin Randazzo discovered an information leak in the md (multiple
device) driver when the bitmap_info.file is disabled. A local privileged
attacker could use this to obtain sensitive information from the kernel.
(CVE-2015-5697)
Marc-André Lureau discovered that the vhost driver did not properly
release the userspace provided log file descriptor. A privileged attacker
could use this to cause a denial of service (resource exhaustion).
(CVE-2015-6252)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS:
linux-image-3.13.0-65-generic 3.13.0-65.105
linux-image-3.13.0-65-generic-lpae 3.13.0-65.105
linux-image-3.13.0-65-lowlatency 3.13.0-65.105
linux-image-3.13.0-65-powerpc-e500 3.13.0-65.105
linux-image-3.13.0-65-powerpc-e500mc 3.13.0-65.105
linux-image-3.13.0-65-powerpc-smp 3.13.0-65.105
linux-image-3.13.0-65-powerpc64-emb 3.13.0-65.105
linux-image-3.13.0-65-powerpc64-smp 3.13.0-65.105
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.
References:
http://www.ubuntu.com/usn/usn-2748-1
CVE-2015-5697, CVE-2015-6252
Package Information:
https://launchpad.net/ubuntu/+source/linux/3.13.0-65.105
[USN-2747-1] NVIDIA graphics drivers vulnerability
==========================================================================
Ubuntu Security Notice USN-2747-1
September 28, 2015
nvidia-graphics-drivers-304, nvidia-graphics-drivers-304-updates,
nvidia-graphics-drivers-340, nvidia-graphics-drivers-340-updates,
nvidia-graphics-drivers-346, nvidia-graphics-drivers-346-updates, jockey
vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 15.04
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary:
NVIDIA graphics drivers could be made to run programs as an administrator.
Software Description:
- nvidia-graphics-drivers-304: NVIDIA binary X.Org driver
- nvidia-graphics-drivers-304-updates: NVIDIA binary X.Org driver
- nvidia-graphics-drivers-340: NVIDIA binary X.Org driver
- nvidia-graphics-drivers-340-updates: NVIDIA binary X.Org driver
- nvidia-graphics-drivers-346: NVIDIA binary X.Org driver
- nvidia-graphics-drivers-346-updates: NVIDIA binary X.Org driver
- jockey: user interface and desktop integration for driver management
Details:
Dario Weisser discovered that the NVIDIA graphics drivers incorrectly
handled certain IOCTL writes. A local attacker could use this issue to
possibly gain root privileges.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 15.04:
nvidia-304 304.128-0ubuntu0.1
nvidia-304-updates 304.128-0ubuntu0.1
nvidia-340 340.93-0ubuntu0.1
nvidia-340-updates 340.93-0ubuntu0.1
nvidia-346 346.96-0ubuntu0.1
nvidia-346-updates 346.96-0ubuntu0.1
Ubuntu 14.04 LTS:
nvidia-304 304.128-0ubuntu0.0.1
nvidia-304-updates 304.128-0ubuntu0.0.1
nvidia-340 340.93-0ubuntu0.0.1
nvidia-340-updates 340.93-0ubuntu0.0.1
nvidia-346 346.96-0ubuntu0.0.1
nvidia-346-updates 346.96-0ubuntu0.0.1
Ubuntu 12.04 LTS:
jockey-common 0.9.7-0ubuntu7.16
nvidia-304 304.128-0ubuntu0.0.0.1
nvidia-304-updates 304.128-0ubuntu0.0.0.1
nvidia-340 340.93-0ubuntu0.0.0.1
nvidia-340-updates 340.93-0ubuntu0.0.0.1
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-2747-1
CVE-2015-5950
Package Information:
https://launchpad.net/ubuntu/+source/nvidia-graphics-drivers-304/304.128-0ubuntu0.1
https://launchpad.net/ubuntu/+source/nvidia-graphics-drivers-304-updates/304.128-0ubuntu0.1
https://launchpad.net/ubuntu/+source/nvidia-graphics-drivers-340/340.93-0ubuntu0.1
https://launchpad.net/ubuntu/+source/nvidia-graphics-drivers-340-updates/340.93-0ubuntu0.1
https://launchpad.net/ubuntu/+source/nvidia-graphics-drivers-346/346.96-0ubuntu0.1
https://launchpad.net/ubuntu/+source/nvidia-graphics-drivers-346-updates/346.96-0ubuntu0.1
https://launchpad.net/ubuntu/+source/nvidia-graphics-drivers-304/304.128-0ubuntu0.0.1
https://launchpad.net/ubuntu/+source/nvidia-graphics-drivers-304-updates/304.128-0ubuntu0.0.1
https://launchpad.net/ubuntu/+source/nvidia-graphics-drivers-340/340.93-0ubuntu0.0.1
https://launchpad.net/ubuntu/+source/nvidia-graphics-drivers-340-updates/340.93-0ubuntu0.0.1
https://launchpad.net/ubuntu/+source/nvidia-graphics-drivers-346/346.96-0ubuntu0.0.1
https://launchpad.net/ubuntu/+source/nvidia-graphics-drivers-346-updates/346.96-0ubuntu0.0.1
https://launchpad.net/ubuntu/+source/jockey/0.9.7-0ubuntu7.16
https://launchpad.net/ubuntu/+source/nvidia-graphics-drivers-304/304.128-0ubuntu0.0.0.1
https://launchpad.net/ubuntu/+source/nvidia-graphics-drivers-304-updates/304.128-0ubuntu0.0.0.1
https://launchpad.net/ubuntu/+source/nvidia-graphics-drivers-340/340.93-0ubuntu0.0.0.1
https://launchpad.net/ubuntu/+source/nvidia-graphics-drivers-340-updates/340.93-0ubuntu0.0.0.1
Friday, September 25, 2015
[USN-2746-2] Simple Streams regression
==========================================================================
Ubuntu Security Notice USN-2746-2
September 25, 2015
simplestreams regression
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 15.04
- Ubuntu 14.04 LTS
Summary:
USN-2746-1 introduced a regression in Simple Streams.
Software Description:
- simplestreams: Library and tools for using Simple Streams data
Details:
USN-2746-1 fixed a vulnerability in Simple Streams. The update caused a
regression preventing MAAS from downloading PXE images. This update fixes
the problem.
We apologize for the inconvenience.
Original advisory details:
It was discovered that Simple Streams did not properly perform gpg
verification in some situations. A remote attacker could use this to
perform a man-in-the-middle attack and inject malicious content into
the stream.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 15.04:
python-simplestreams 0.1.0~bzr354-0ubuntu1.15.04.2
python-simplestreams-openstack 0.1.0~bzr354-0ubuntu1.15.04.2
python3-simplestreams 0.1.0~bzr354-0ubuntu1.15.04.2
simplestreams 0.1.0~bzr354-0ubuntu1.15.04.2
Ubuntu 14.04 LTS:
python-simplestreams 0.1.0~bzr341-0ubuntu2.3
python-simplestreams-openstack 0.1.0~bzr341-0ubuntu2.3
python3-simplestreams 0.1.0~bzr341-0ubuntu2.3
simplestreams 0.1.0~bzr341-0ubuntu2.3
After a standard system update you need to restart any services that
make use of python-simplestreams or python3-simplestreams to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-2746-2
http://www.ubuntu.com/usn/usn-2746-1
https://launchpad.net/bugs/1499749
Package Information:
https://launchpad.net/ubuntu/+source/simplestreams/0.1.0~bzr354-0ubuntu1.15.04.2
https://launchpad.net/ubuntu/+source/simplestreams/0.1.0~bzr341-0ubuntu2.3
Thursday, September 24, 2015
[USN-2746-1] Simple Streams vulnerability
==========================================================================
Ubuntu Security Notice USN-2746-1
September 24, 2015
simplestreams vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 15.04
- Ubuntu 14.04 LTS
Summary:
Applications using Simple Streams could be made to crash or run
programs if they received specially crafted network traffic.
Software Description:
- simplestreams: Library and tools for using Simple Streams data
Details:
It was discovered that Simple Streams did not properly perform gpg
verification in some situations. A remote attacker could use this to
perform a man-in-the-middle attack and inject malicious content into
the stream.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 15.04:
python-simplestreams 0.1.0~bzr354-0ubuntu1.15.04.1
python-simplestreams-openstack 0.1.0~bzr354-0ubuntu1.15.04.1
python3-simplestreams 0.1.0~bzr354-0ubuntu1.15.04.1
simplestreams 0.1.0~bzr354-0ubuntu1.15.04.1
Ubuntu 14.04 LTS:
python-simplestreams 0.1.0~bzr341-0ubuntu2.2
python-simplestreams-openstack 0.1.0~bzr341-0ubuntu2.2
python3-simplestreams 0.1.0~bzr341-0ubuntu2.2
simplestreams 0.1.0~bzr341-0ubuntu2.2
After a standard system update you need to restart any services that
make use of python-simplestreams or python3-simplestreams to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-2746-1
CVE-2015-1337
Package Information:
https://launchpad.net/ubuntu/+source/simplestreams/0.1.0~bzr354-0ubuntu1.15.04.1
https://launchpad.net/ubuntu/+source/simplestreams/0.1.0~bzr341-0ubuntu2.2
Ubuntu 15.10 (Wily Werewolf) Final Beta released
15.10 Desktop, Server, Cloud, and Core products.
Codenamed "Wily Werewolf", 15.10 continues Ubuntu's proud tradition
of integrating the latest and greatest open source technologies into a
high-quality, easy-to-use Linux distribution. The team has been hard at
work through this cycle, introducing new features and fixing bugs.
This beta release includes images from not only the Ubuntu Desktop,
Server, Cloud, and Core products, but also the Kubuntu, Lubuntu,
Ubuntu GNOME, Ubuntu MATE, Ubuntu Kylin, Ubuntu Studio, and Xubuntu
flavours.
The beta images are known to be reasonably free of showstopper CD build
or installer bugs, while representing a very recent snapshot of 15.10
that should be representative of the features intended to ship with the
final release expected on October 22nd, 2015.
There is, however, one bug in this beta serious enough that it's worth
calling it out in the release announcement. This bug affects all
flavours, and will be fixed before release:
1) Depending on your location, Ubiquity may trigger a ubi-timezone
error during install. If you encounter this, the recommended
work-around is to install without an active network connection.
Ubuntu, Ubuntu Server, Ubuntu Core, Cloud Images:
Utopic Final Beta includes updated versions of most of our core set of
packages, including a current 4.2.1 kernel, and much more.
To upgrade to Ubuntu 15.10 Final Beta from Ubuntu 15.04, follow these
instructions:
https://help.ubuntu.com/community/WilyUpgrades
The Ubuntu 15.10 Final Beta images can be downloaded at:
http://releases.ubuntu.com/15.10/ (Ubuntu and Ubuntu Server)
Additional images can be found at the following links:
http://cloud-images.ubuntu.com/releases/15.10/beta-2/ (Cloud Images)
http://cdimage.ubuntu.com/releases/15.10/beta-2/ (Community Supported)
http://cdimage.ubuntu.com/ubuntu-core/releases/15.10/beta-2/ (Core)
http://cdimage.ubuntu.com/netboot/15.10/ (Netboot)
The full release notes for Ubuntu 15.10 Final Beta can be found at:
https://wiki.ubuntu.com/WilyWerewolf/ReleaseNotes
Kubuntu:
Kubuntu is the KDE based flavour of Ubuntu. It uses the Plasma desktop
and includes a wide selection of tools from the KDE project.
The Final Beta images can be downloaded at:
http://cdimage.ubuntu.com/kubuntu/releases/15.10/beta-2/
More information on Kubuntu Final Beta can be found here:
https://wiki.ubuntu.com/WilyWerewolf/Beta2/Kubuntu
Lubuntu:
Lubuntu is a flavor of Ubuntu that aims to be lighter, less
resource-hungry and more energy-efficient by using lightweight
applications and LXDE, the Lightweight X11 Desktop Environment,
as its default GUI.
The Final Beta images can be downloaded at:
http://cdimage.ubuntu.com/lubuntu/releases/15.10/beta-2/
More information on Lubuntu Final Beta can be found here:
https://wiki.ubuntu.com/WilyWerewolf/Beta2/Lubuntu
Ubuntu GNOME:
Ubuntu GNOME is a flavor of Ubuntu featuring the GNOME desktop
environment.
The Final Beta images can be downloaded at:
http://cdimage.ubuntu.com/ubuntu-gnome/releases/15.10/beta-2/
More information on Ubuntu GNOME Final Beta can be found here:
https://wiki.ubuntu.com/WilyWerewolf/Beta2/UbuntuGNOME
UbuntuKylin:
UbuntuKylin is a flavor of Ubuntu that is more suitable for Chinese
users.
The Final Beta images can be downloaded at:
http://cdimage.ubuntu.com/ubuntukylin/releases/15.10/beta-2/
More information on UbuntuKylin Final Beta can be found here:
https://wiki.ubuntu.com/WilyWerewolf/Beta2/UbuntuKylin
Ubuntu MATE:
Ubuntu MATE is a flavor of Ubuntu featuring the MATE desktop
environment.
The Final Beta images can be downloaded at:
http://cdimage.ubuntu.com/ubuntu-mate/releases/15.10/beta-2/
More information on UbuntuMATE Final Beta can be found here:
https://wiki.ubuntu.com/WilyWerewolf/Beta2/UbuntuMATE
Ubuntu Studio:
Ubuntu Studio is a flavor of Ubuntu that provides a full range of
multimedia content creation applications for each key workflow:
audio, graphics, video, photography and publishing.
The Final Beta images can be downloaded at:
http://cdimage.ubuntu.com/ubuntustudio/releases/15.10/beta-2/
Xubuntu:
Xubuntu is a flavor of Ubuntu that comes with Xfce, which is a stable,
light and configurable desktop environment.
The Final Beta images can be downloaded at:
http://cdimage.ubuntu.com/xubuntu/releases/15.10/beta-2/
Regular daily images for Ubuntu, and all flavours, can be found at:
http://cdimage.ubuntu.com
Ubuntu is a full-featured Linux distribution for clients, servers and
clouds, with a fast and easy installation and regular releases. A
tightly-integrated selection of excellent applications is included, and
an incredible variety of add-on software is just a few clicks away.
Professional technical support is available from Canonical Limited and
hundreds of other companies around the world. For more information
about support, visit http://www.ubuntu.com/support
If you would like to help shape Ubuntu, take a look at the list of ways
you can participate at: http://www.ubuntu.com/community/participate
Your comments, bug reports, patches and suggestions really help us to
improve this and future releases of Ubuntu. Instructions can be
found at: https://help.ubuntu.com/community/ReportingBugs
You can find out more about Ubuntu and about this beta release on our
website, IRC channel and wiki.
To sign up for future Ubuntu announcements, please subscribe to Ubuntu's
very low volume announcement list at:
http://lists.ubuntu.com/mailman/listinfo/ubuntu-announce
On behalf of the Ubuntu Release Team,
Adam Conrad
[USN-2745-1] QEMU vulnerabilities
==========================================================================
Ubuntu Security Notice USN-2745-1
September 24, 2015
qemu, qemu-kvm vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 15.04
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary:
Several security issues were fixed in QEMU.
Software Description:
- qemu: Machine emulator and virtualizer
- qemu-kvm: Machine emulator and virtualizer
Details:
Lian Yihan discovered that QEMU incorrectly handled certain payload
messages in the VNC display driver. A malicious guest could use this issue
to cause the QEMU process to hang, resulting in a denial of service. This
issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2015-5239)
Qinghao Tang discovered that QEMU incorrectly handled receiving certain
packets in the NE2000 network driver. A malicious guest could use this
issue to cause the QEMU process to hang, resulting in a denial of service.
(CVE-2015-5278)
Qinghao Tang discovered that QEMU incorrectly handled receiving certain
packets in the NE2000 network driver. A malicious guest could use this
issue to cause a denial of service, or possibly execute arbitrary code on
the host as the user running the QEMU process. In the default installation,
when QEMU is used with libvirt, attackers would be isolated by the libvirt
AppArmor profile. (CVE-2015-5279)
Qinghao Tang discovered that QEMU incorrectly handled transmit descriptor
data when sending network packets. A malicious guest could use this issue
to cause the QEMU process to hang, resulting in a denial of service.
(CVE-2015-6815)
Qinghao Tang discovered that QEMU incorrectly handled ATAPI command
permissions. A malicious guest could use this issue to cause the QEMU
process to crash, resulting in a denial of service. (CVE-2015-6855)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 15.04:
qemu-system 1:2.2+dfsg-5expubuntu9.5
qemu-system-aarch64 1:2.2+dfsg-5expubuntu9.5
qemu-system-arm 1:2.2+dfsg-5expubuntu9.5
qemu-system-mips 1:2.2+dfsg-5expubuntu9.5
qemu-system-misc 1:2.2+dfsg-5expubuntu9.5
qemu-system-ppc 1:2.2+dfsg-5expubuntu9.5
qemu-system-sparc 1:2.2+dfsg-5expubuntu9.5
qemu-system-x86 1:2.2+dfsg-5expubuntu9.5
Ubuntu 14.04 LTS:
qemu-system 2.0.0+dfsg-2ubuntu1.19
qemu-system-aarch64 2.0.0+dfsg-2ubuntu1.19
qemu-system-arm 2.0.0+dfsg-2ubuntu1.19
qemu-system-mips 2.0.0+dfsg-2ubuntu1.19
qemu-system-misc 2.0.0+dfsg-2ubuntu1.19
qemu-system-ppc 2.0.0+dfsg-2ubuntu1.19
qemu-system-sparc 2.0.0+dfsg-2ubuntu1.19
qemu-system-x86 2.0.0+dfsg-2ubuntu1.19
Ubuntu 12.04 LTS:
qemu-kvm 1.0+noroms-0ubuntu14.25
After a standard system update you need to restart all QEMU virtual
machines to make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-2745-1
CVE-2015-5239, CVE-2015-5278, CVE-2015-5279, CVE-2015-6815,
CVE-2015-6855
Package Information:
https://launchpad.net/ubuntu/+source/qemu/1:2.2+dfsg-5expubuntu9.5
https://launchpad.net/ubuntu/+source/qemu/2.0.0+dfsg-2ubuntu1.19
https://launchpad.net/ubuntu/+source/qemu-kvm/1.0+noroms-0ubuntu14.25
[USN-2743-3] Unity Integration for Firefox, Unity Websites Integration and Ubuntu Online Accounts extension update
==========================================================================
Ubuntu Security Notice USN-2743-3
September 24, 2015
unity-firefox-extension, webapps-greasemonkey, webaccounts-browser-extension update
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 15.04
- Ubuntu 14.04 LTS
Summary:
This update provides compatible packages for Firefox 41
Software Description:
- unity-firefox-extension: Unity Integration for Firefox
- webaccounts-browser-extension: Ubuntu Online Accounts extension for chromium
- webapps-greasemonkey: Firefox extension: Website Integration
Details:
USN-2743-1 fixed vulnerabilities in Firefox. Future Firefox updates will
require that all addons be signed, and unity-firefox-extension, webapps-greasemonkey
and webaccounts-browser-extension will not go through the signing process.
Because these addons currently break search engine installations (LP:
#1069793), this update permanently disables the addons by removing them from
the system.
We apologize for any inconvenience.
Original advisory details:
Andrew Osmond, Olli Pettay, Andrew Sutherland, Christian Holler, David
Major, Andrew McCreight, Cameron McCormack, Bob Clary and Randell Jesup
discovered multiple memory safety issues in Firefox. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service via application
crash, or execute arbitrary code with the privileges of the user invoking
Firefox. (CVE-2015-4500, CVE-2015-4501)
André Bargull discovered that when a web page creates a scripted proxy
for the window with a handler defined a certain way, a reference to the
inner window will be passed, rather than that of the outer window.
(CVE-2015-4502)
Felix Gröbert discovered an out-of-bounds read in the QCMS color
management library in some circumstances. If a user were tricked in to
opening a specially crafted website, an attacker could potentially exploit
this to cause a denial of service via application crash, or obtain
sensitive information. (CVE-2015-4504)
Khalil Zhani discovered a buffer overflow when parsing VP9 content in some
circumstances. If a user were tricked in to opening a specially crafted
website, an attacker could potentially exploit this to cause a denial of
service via application crash, or execute arbitrary code with the
privileges of the user invoking Firefox. (CVE-2015-4506)
Spandan Veggalam discovered a crash while using the debugger API in some
circumstances. If a user were tricked in to opening a specially crafted
website whilst using the debugger, an attacker could potentially exploit
this to execute arbitrary code with the privileges of the user invoking
Firefox. (CVE-2015-4507)
Juho Nurminen discovered that the URL bar could display the wrong URL in
reader mode in some circumstances. If a user were tricked in to opening a
specially crafted website, an attacker could potentially exploit this to
conduct URL spoofing attacks. (CVE-2015-4508)
A use-after-free was discovered when manipulating HTML media content in
some circumstances. If a user were tricked in to opening a specially
crafted website, an attacker could potentially exploit this to cause a
denial of service via application crash, or execute arbitrary code with
the privileges of the user invoking Firefox. (CVE-2015-4509)
Looben Yang discovered a use-after-free when using a shared worker with
IndexedDB in some circumstances. If a user were tricked in to opening a
specially crafted website, an attacker could potentially exploit this to
cause a denial of service via application crash, or execute arbitrary code
with the privileges of the user invoking Firefox. (CVE-2015-4510)
Francisco Alonso discovered an out-of-bounds read during 2D canvas
rendering in some circumstances. If a user were tricked in to opening a
specially crafted website, an attacker could potentially exploit this to
obtain sensitive information. (CVE-2015-4512)
Jeff Walden discovered that changes could be made to immutable properties
in some circumstances. If a user were tricked in to opening a specially
crafted website, an attacker could potentially exploit this to execute
arbitrary script in a privileged scope. (CVE-2015-4516)
Ronald Crane reported multiple vulnerabilities. If a user were tricked in
to opening a specially crafted website, an attacker could potentially
exploit these to cause a denial of service via application crash, or
execute arbitrary code with the privileges of the user invoking Firefox.
(CVE-2015-4517, CVE-2015-4521, CVE-2015-4522, CVE-2015-7174,
CVE-2015-7175, CVE-2015-7176, CVE-2015-7177, CVE-2015-7180)
Mario Gomes discovered that dragging and dropping an image after a
redirect exposes the redirected URL to scripts. An attacker could
potentially exploit this to obtain sensitive information. (CVE-2015-4519)
Ehsan Akhgari discovered 2 issues with CORS preflight requests. An
attacker could potentially exploit these to bypass CORS restrictions.
(CVE-2015-4520)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 15.04:
xul-ext-unity 3.0.0+14.04.20140416-0ubuntu1.15.04.1
xul-ext-webaccounts 0.5-0ubuntu4.15.04.1
xul-ext-websites-integration 2.3.6+14.10.20140701-0ubuntu1.15.04.1
Ubuntu 14.04 LTS:
xul-ext-unity 3.0.0+14.04.20140416-0ubuntu1.14.04.1
xul-ext-webaccounts 0.5-0ubuntu2.14.04.1
xul-ext-websites-integration 2.3.6+13.10.20130920.1-0ubuntu1.2
After a standard system update you need to restart Firefox to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-2743-3
http://www.ubuntu.com/usn/usn-2743-1
https://launchpad.net/bugs/1069793, https://launchpad.net/bugs/1498681
Package Information:
https://launchpad.net/ubuntu/+source/unity-firefox-extension/3.0.0+14.04.20140416-0ubuntu1.15.04.1
https://launchpad.net/ubuntu/+source/webaccounts-browser-extension/0.5-0ubuntu4.15.04.1
https://launchpad.net/ubuntu/+source/webapps-greasemonkey/2.3.6+14.10.20140701-0ubuntu1.15.04.1
https://launchpad.net/ubuntu/+source/unity-firefox-extension/3.0.0+14.04.20140416-0ubuntu1.14.04.1
https://launchpad.net/ubuntu/+source/webaccounts-browser-extension/0.5-0ubuntu2.14.04.1
https://launchpad.net/ubuntu/+source/webapps-greasemonkey/2.3.6+13.10.20130920.1-0ubuntu1.2
[USN-2744-1] Apport vulnerability
==========================================================================
Ubuntu Security Notice USN-2744-1
September 24, 2015
apport vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 15.04
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary:
Apport could be made to crash or overwrite files as an administrator.
Software Description:
- apport: automatically generate crash reports for debugging
Details:
Halfdog discovered that Apport incorrectly handled kernel crash dump files.
A local attacker could use this issue to cause a denial of service, or
possibly elevate privileges. The default symlink protections for affected
releases should reduce the vulnerability to a denial of service.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 15.04:
apport 2.17.2-0ubuntu1.5
Ubuntu 14.04 LTS:
apport 2.14.1-0ubuntu3.15
Ubuntu 12.04 LTS:
apport 2.0.1-0ubuntu17.10
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-2744-1
CVE-2015-1338
Package Information:
https://launchpad.net/ubuntu/+source/apport/2.17.2-0ubuntu1.5
https://launchpad.net/ubuntu/+source/apport/2.14.1-0ubuntu3.15
https://launchpad.net/ubuntu/+source/apport/2.0.1-0ubuntu17.10
Wednesday, September 23, 2015
LibreSSL 2.3.0 Released
LibreSSL directory of your local OpenBSD mirror soon.
This release is the first snapshot based on the development OpenBSD 5.9
branch. As such, it is likely to change more compared to the stable
2.2.x and 2.1.x branches. The ABI/API for the LibreSSL 2.3.x series
will be declared stable around March 2016.
See http://www.libressl.org/releases.html for more details.
As in previous releases, LibreSSL 2.3.0 removes more unsafe or
obsolete algorithms and protocols. To help in the transition, we have
begun tracking some of the more common software that needs patches or
new releases in order to build properly without these removed features.
See http://www.libressl.org/patches.html for information.
Notable features in this release:
* SSLv3 is now permanently removed from the tree.
* The libtls API is changed from the 2.2.x series:
The tls_read/write functions now work better with external event
libraries. See the tls_init man page for examples of using libtls
correctly in asynchronous mode.
Client-side verification is now supported, with the client supplying
the certificate to the server.
Also, when using tls_connect_fds, tls_connect_socket or
tls_accept_fds, libtls no longer implicitly closes the passed in
sockets. The caller is responsible for closing them in this case.
* When loading a DSA key from a raw (without DH parameters) ASN.1
serialization, perform some consistency checks on its `p' and `q'
values, and return an error if the checks fail.
Thanks to Georgi Guninski (guninski at guninski dot com) for
mentioning the possibility of a weak (non-prime) q value and
providing a test case.
See
https://cpunks.org/pipermail/cypherpunks/2015-September/009007.html
for a longer discussion.
* Fixed a bug in ECDH_compute_key that can lead to silent truncation
of the result key without error. A coding error could cause software
to use much shorter keys than intended.
* Removed support for DTLS_BAD_VER. Pre-DTLSv1 implementations are no
longer supported.
* The engine command and parameters are removed from openssl(1).
Previous releases already removed dynamic and builtin engine support.
* SHA-0, which was withdrawn shortly after publication 20 years ago,
is removed.
* Added Certplus CA root certificate to the default cert.pem file.
* New interface OPENSSL_cpu_caps is provided that does not allow
software to inadvertently modify cpu capability flags.
OPENSSL_ia32cap and OPENSSL_ia32cap_loc are removed.
* The out_len argument of AEAD changed from ssize_t to size_t.
* Deduplicated DTLS code, sharing bugfixes and improvements with
TLS.
* Converted 'nc' to use libtls for client and server operations; it is
included in the libressl-portable distribution as an example of how
to use the libtls library. This is intended to be a simpler and more
robust replacement for 'openssl s_client' and 'openssl s_server' for
day-to-day operations.
The LibreSSL project continues improvement of the codebase to reflect
modern, safe programming practices. We welcome feedback and improvements
from the broader community. Thanks to all of the contributors who helped
make this release possible. Special thanks to FreeBSD's Bernard Spil and
the OpenBSD Ports team, who have been instrumental through the SSLv3
transition.
Tuesday, September 22, 2015
[CentOS-announce] CEBA-2015:1827 CentOS 6 kernel BugFix Update
Upstream details at : https://rhn.redhat.com/errata/RHBA-2015-1827.html
The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )
--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
https://lists.centos.org/mailman/listinfo/centos-announce
[CentOS-announce] CESA-2015:1834 Critical CentOS 5 firefox Security Update
Upstream details at: https://rhn.redhat.com/errata/RHSA-2015-1834.html
The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )
[CentOS-announce] CESA-2015:1834 Critical CentOS 6 firefox Security Update
Upstream details at: https://rhn.redhat.com/errata/RHSA-2015-1834.html
The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )
[USN-2743-2] Ubufox update
==========================================================================
Ubuntu Security Notice USN-2743-2
September 22, 2015
ubufox update
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 15.04
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary:
This update provides compatible packages for Firefox 41.
Software Description:
- ubufox: Ubuntu Firefox specific configuration defaults and apt support
Details:
USN-2743-1 fixed vulnerabilities in Firefox. This update provides the
corresponding update for Ubufox.
Original advisory details:
Andrew Osmond, Olli Pettay, Andrew Sutherland, Christian Holler, David
Major, Andrew McCreight, Cameron McCormack, Bob Clary and Randell Jesup
discovered multiple memory safety issues in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service via application
crash, or execute arbitrary code with the privileges of the user invoking
Firefox. (CVE-2015-4500, CVE-2015-4501)
André Bargull discovered that when a web page creates a scripted proxy
for the window with a handler defined a certain way, a reference to the
inner window will be passed, rather than that of the outer window.
(CVE-2015-4502)
Felix Gröbert discovered an out-of-bounds read in the QCMS color
management library in some circumstances. If a user were tricked into
opening a specially crafted website, an attacker could potentially exploit
this to cause a denial of service via application crash, or obtain
sensitive information. (CVE-2015-4504)
Khalil Zhani discovered a buffer overflow when parsing VP9 content in some
circumstances. If a user were tricked into opening a specially crafted
website, an attacker could potentially exploit this to cause a denial of
service via application crash, or execute arbitrary code with the
privileges of the user invoking Firefox. (CVE-2015-4506)
Spandan Veggalam discovered a crash while using the debugger API in some
circumstances. If a user were tricked into opening a specially crafted
website whilst using the debugger, an attacker could potentially exploit
this to execute arbitrary code with the privileges of the user invoking
Firefox. (CVE-2015-4507)
Juho Nurminen discovered that the URL bar could display the wrong URL in
reader mode in some circumstances. If a user were tricked into opening a
specially crafted website, an attacker could potentially exploit this to
conduct URL spoofing attacks. (CVE-2015-4508)
A use-after-free was discovered when manipulating HTML media content in
some circumstances. If a user were tricked into opening a specially
crafted website, an attacker could potentially exploit this to cause a
denial of service via application crash, or execute arbitrary code with
the privileges of the user invoking Firefox. (CVE-2015-4509)
Looben Yang discovered a use-after-free when using a shared worker with
IndexedDB in some circumstances. If a user were tricked into opening a
specially crafted website, an attacker could potentially exploit this to
cause a denial of service via application crash, or execute arbitrary code
with the privileges of the user invoking Firefox. (CVE-2015-4510)
Francisco Alonso discovered an out-of-bounds read during 2D canvas
rendering in some circumstances. If a user were tricked into opening a
specially crafted website, an attacker could potentially exploit this to
obtain sensitive information. (CVE-2015-4512)
Jeff Walden discovered that changes could be made to immutable properties
in some circumstances. If a user were tricked into opening a specially
crafted website, an attacker could potentially exploit this to execute
arbitrary script in a privileged scope. (CVE-2015-4516)
Ronald Crane reported multiple vulnerabilities. If a user were tricked
into opening a specially crafted website, an attacker could potentially
exploit these to cause a denial of service via application crash, or
execute arbitrary code with the privileges of the user invoking Firefox.
(CVE-2015-4517, CVE-2015-4521, CVE-2015-4522, CVE-2015-7174,
CVE-2015-7175, CVE-2015-7176, CVE-2015-7177, CVE-2015-7180)
Mario Gomes discovered that dragging and dropping an image after a
redirect exposes the redirected URL to scripts. An attacker could
potentially exploit this to obtain sensitive information. (CVE-2015-4519)
Ehsan Akhgari discovered 2 issues with CORS preflight requests. An
attacker could potentially exploit these to bypass CORS restrictions.
(CVE-2015-4520)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 15.04:
xul-ext-ubufox 3.2-0ubuntu0.15.04.1
Ubuntu 14.04 LTS:
xul-ext-ubufox 3.2-0ubuntu0.14.04.1
Ubuntu 12.04 LTS:
xul-ext-ubufox 3.2-0ubuntu0.12.04.1
After a standard system update you need to restart Firefox to make
all the necessary changes.
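As an added example (not Ubuntu's own tooling), the script below reproduces dpkg's version ordering so that an inventory of installed xul-ext-ubufox versions can be checked against the fixed versions listed in the update instructions; the release-to-version table comes from the advisory, and the function names and the comparison code are assumptions of this example.

```python
"""Added example: decide whether an installed xul-ext-ubufox version meets
the fixed version USN-2743-2 lists, using dpkg's version ordering."""
import re
from itertools import zip_longest

# Fixed versions as listed in the advisory's "Update instructions".
FIXED_UBUFOX = {
    "15.04": "3.2-0ubuntu0.15.04.1",
    "14.04": "3.2-0ubuntu0.14.04.1",
    "12.04": "3.2-0ubuntu0.12.04.1",
}

def _order(c):
    """dpkg weight of a non-digit char: '~' < end of string < letters < rest."""
    if c == "":
        return 0
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    """Compare alternating non-digit and digit runs of two fragments."""
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        for ca, cb in zip_longest(na, nb, fillvalue=""):
            if _order(ca) != _order(cb):
                return -1 if _order(ca) < _order(cb) else 1
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
        a, b = a[len(da):], b[len(db):]
    return 0

def _split(version):
    """Split '[epoch:]upstream[-revision]'; a missing epoch/revision is 0."""
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "0")
    return int(epoch), upstream, revision

def dpkg_compare(v1, v2):
    """Return -1, 0 or 1, following the ordering of dpkg --compare-versions."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def is_patched(installed, release):
    return dpkg_compare(installed, FIXED_UBUFOX[release]) >= 0
```

Feed it the output of `dpkg-query -W -f '${Version}' xul-ext-ubufox` from each host to flag machines still below the advisory's version.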
References:
http://www.ubuntu.com/usn/usn-2743-2
http://www.ubuntu.com/usn/usn-2743-1
https://launchpad.net/bugs/1498681
Package Information:
https://launchpad.net/ubuntu/+source/ubufox/3.2-0ubuntu0.15.04.1
https://launchpad.net/ubuntu/+source/ubufox/3.2-0ubuntu0.14.04.1
https://launchpad.net/ubuntu/+source/ubufox/3.2-0ubuntu0.12.04.1