Saturday, December 31, 2016
[FreeBSD-Announce] FreeBSD 9.3, 10.1 and 10.2 EoL
Dear FreeBSD community,
As of January 1, 2017, FreeBSD 9.3, 10.1 and 10.2 have reached end-of-life
and will no longer be supported by the FreeBSD Security Officers Team.
Users of FreeBSD 9.3, 10.1 and 10.2 are strongly encouraged to upgrade to
a newer release as soon as possible.
The currently supported branches and releases and their expected
end-of-life dates are:
+--------------------------------------------------------------------------+
| Branch    | Release    | Type   | Release Date   | Estimated EoL         |
+-----------+------------+--------+----------------+-----------------------+
|stable/10  |n/a         |n/a     |n/a             |last release + 2 years |
+-----------+------------+--------+----------------+-----------------------+
|releng/10.3|10.3-RELEASE|Extended|April 4, 2016   |April 30, 2018         |
+-----------+------------+--------+----------------+-----------------------+
|stable/11  |n/a         |n/a     |n/a             |last release + 2 years |
+-----------+------------+--------+----------------+-----------------------+
|releng/11.0|11.0-RELEASE|Standard|October 10, 2016|11.1-RELEASE + 3 months|
+-----------+------------+--------+----------------+-----------------------+
Please refer to https://security.freebsd.org/ for an up-to-date list of
supported releases and the latest security advisories.
_______________________________________________
freebsd-announce@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-announce
To unsubscribe, send any mail to "freebsd-announce-unsubscribe@freebsd.org"
Friday, December 30, 2016
[arch-announce] OpenVPN 2.4.0 update requires administrative interaction
configurations. Take **special care** if you depend on VPN connectivity for
**remote access**! Administrative interaction is required:
* Configuration is expected in sub directories now. Move your files from
`/etc/openvpn/` to `/etc/openvpn/server/` or `/etc/openvpn/client/`.
* The plugin lookup path changed, remove extra `plugins/` from relative paths.
* The systemd unit `openvpn@.service` was replaced with `openvpn-
client@.service` and `openvpn-server@.service`. Restart and reenable
accordingly.
This does not affect the functionality of `networkmanager`, `connman` or
`qopenvpn`.
URL: https://www.archlinux.org/news/openvpn-240-update-requires-administrative-interaction/
_______________________________________________
arch-announce mailing list
arch-announce@archlinux.org
https://lists.archlinux.org/listinfo/arch-announce
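The three steps above are easy to get half right on a box you only reach through the VPN. As an added example (not part of the Arch news item or of OpenVPN), the POSIX shell script below turns them into a plan you can read before running it: it classifies each `*.conf` under a directory as a client or server profile and prints the corresponding `mv` and `systemctl` commands. The classification heuristic and the function names are this example's own, the three profiles it runs on are constructed in a scratch directory standing in for `/etc/openvpn`, and the plugin-path change from the second step is not covered.

```shell
#!/bin/sh
# Added example, not part of the Arch announcement: turn the manual OpenVPN
# 2.3 -> 2.4 steps into a reviewable plan. Each DIR/*.conf is classified as a
# client or server profile and the mv/systemctl commands are printed, not run.
# The directory is a parameter; the profiles below are constructed.

# openvpn_role FILE -> prints server, client or unknown
# Heuristic (this example's own, not OpenVPN's): a profile with a "server",
# "server-bridge" or "mode server" directive is a server; otherwise one with a
# "client" or "remote" directive is a client. '#' and ';' comments are ignored.
openvpn_role() {
    body=$(sed 's/[#;].*//' "$1")
    if printf '%s\n' "$body" | grep -Eq '^[[:space:]]*(server|server-bridge|mode[[:space:]]+server)([[:space:]]|$)'; then
        echo server
    elif printf '%s\n' "$body" | grep -Eq '^[[:space:]]*(client|remote)([[:space:]]|$)'; then
        echo client
    else
        echo unknown
    fi
}

# plan_openvpn_migration DIR
# Prints, for every DIR/*.conf, the commands an administrator would run to
# move it into DIR/client or DIR/server and to swap the systemd instance from
# openvpn@NAME to openvpn-client@NAME or openvpn-server@NAME.
plan_openvpn_migration() {
    dir=$1
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue            # the glob matched nothing
        name=$(basename "$conf" .conf)
        role=$(openvpn_role "$conf")
        if [ "$role" = unknown ]; then
            echo "# $conf: neither client nor server directive found; move it by hand"
            continue
        fi
        echo "mv '$conf' '$dir/$role/$name.conf'"
        echo "systemctl disable --now 'openvpn@$name.service'"
        echo "systemctl enable --now 'openvpn-$role@$name.service'"
    done
}

# --- constructed profiles in a scratch directory standing in for /etc/openvpn ---
OVPN_DEMO=$(mktemp -d)
trap 'rm -rf "$OVPN_DEMO"' EXIT
mkdir -p "$OVPN_DEMO/client" "$OVPN_DEMO/server"
cat >"$OVPN_DEMO/laptop.conf" <<'EOF'
client
dev tun
proto udp
remote vpn.example.org 1194   # hostname is an assumption
remote-cert-tls server
EOF
cat >"$OVPN_DEMO/office.conf" <<'EOF'
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
client-to-client
EOF
cat >"$OVPN_DEMO/p2p.conf" <<'EOF'
# static-key point-to-point tunnel: no client or server directive either way
dev tun
ifconfig 10.9.0.1 10.9.0.2
secret static.key
EOF

# Print the plan for the scratch directory; on a real host pass /etc/openvpn.
plan_openvpn_migration "$OVPN_DEMO"
```

Read the plan, then run it over an out-of-band console rather than over the tunnel it is about to restart. The point-to-point profile shows why the script only prints: a static-key configuration has no `client` or `server` directive, so it is flagged for a human decision instead of being guessed at.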
Thursday, December 22, 2016
[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-16:39.ntp
=============================================================================
FreeBSD-SA-16:39.ntp Security Advisory
The FreeBSD Project
Topic: Multiple vulnerabilities in ntp
Category: contrib
Module: ntp
Announced: XXXX-XX-XX
Credits: Network Time Foundation
Affects: All supported versions of FreeBSD.
Corrected: 2016-11-22 16:22:51 UTC (stable/11, 11.0-STABLE)
2016-12-22 16:19:05 UTC (releng/11.0, 11.0-RELEASE-p6)
2016-11-22 16:23:20 UTC (stable/10, 10.3-STABLE)
2016-12-22 16:19:05 UTC (releng/10.3, 10.3-RELEASE-p15)
2016-12-22 16:19:05 UTC (releng/10.2, 10.2-RELEASE-p28)
2016-12-22 16:19:05 UTC (releng/10.1, 10.1-RELEASE-p45)
2016-11-22 16:23:46 UTC (stable/9, 9.3-STABLE)
2016-12-22 16:19:05 UTC (releng/9.3, 9.3-RELEASE-p53)
CVE Name: CVE-2016-7426, CVE-2016-7427, CVE-2016-7428, CVE-2016-7431,
CVE-2016-7433, CVE-2016-7434, CVE-2016-9310, CVE-2016-9311
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP)
used to synchronize the time of a computer system to a reference time
source.
The trap facility is a mechanism for collecting NTP daemon information remotely.
II. Problem Description
Multiple vulnerabilities have been discovered in the NTP suite:
CVE-2016-9311: Trap crash, Reported by Matthew Van Gundy of Cisco ASIG.
CVE-2016-9310: Mode 6 unauthenticated trap information disclosure and DDoS
vector. Reported by Matthew Van Gundy of Cisco ASIG.
CVE-2016-7427: Broadcast Mode Replay Prevention DoS. Reported by
Matthew Van Gundy of Cisco ASIG.
CVE-2016-7428: Broadcast Mode Poll Interval Enforcement DoS. Reported by
Matthew Van Gundy of Cisco ASIG.
CVE-2016-7431: Regression: 010-origin: Zero Origin Timestamp Bypass.
Reported by Sharon Goldberg and Aanchal Malhotra of Boston University.
CVE-2016-7434: Null pointer dereference in _IO_str_init_static_internal().
Reported by Magnus Stubman.
CVE-2016-7426: Client rate limiting and server responses. Reported by
Miroslav Lichvar of Red Hat.
CVE-2016-7433: Reboot sync calculation problem. Reported independently
by Brian Utterback of Oracle, and by Sharon Goldberg and Aanchal Malhotra
of Boston University.
III. Impact
A remote attacker can send a specially crafted packet that causes a NULL
pointer dereference and crashes ntpd, resulting in a Denial of Service.
[CVE-2016-9311]
An exploitable configuration modification vulnerability exists in the
control mode (mode 6) functionality of ntpd. If, against long-standing
BCP recommendations, "restrict default noquery ..." is not specified,
a remote attacker can use a specially crafted control mode packet to set
ntpd traps, providing information disclosure and a DDoS amplification
vector, and to unset ntpd traps, disabling legitimate monitoring.
[CVE-2016-9310]
An attacker with access to the NTP broadcast domain can periodically
inject specially crafted broadcast mode NTP packets into the broadcast
domain which, while being logged by ntpd, can cause ntpd to reject
broadcast mode packets from legitimate NTP broadcast servers.
[CVE-2016-7427]
An attacker with access to the NTP broadcast domain can send specially
crafted broadcast mode NTP packets to the broadcast domain which, while
being logged by ntpd, will cause ntpd to reject broadcast mode packets
from legitimate NTP broadcast servers. [CVE-2016-7428]
Origin timestamp problems were fixed in ntp 4.2.8p6. However, subsequent
timestamp validation checks introduced a regression in the handling of
some Zero origin timestamp checks. [CVE-2016-7431]
If ntpd is configured to allow mrulist queries from a host, a crafted
mrulist query packet from that host will crash ntpd on receipt.
[CVE-2016-7434]
If ntpd is configured to rate-limit all associations (for example a
"restrict default limited" entry with no exemption for its own time
sources), the limit also applies to responses from those sources. An
attacker who knows the sources (e.g., from an IPv4 refid in a server
response) can periodically send packets with a spoofed source address to
keep the rate limiting activated and prevent ntpd from accepting valid
responses from its sources. [CVE-2016-7426]
Ntp Bug 2085 described a condition where the root delay was included
twice, causing the jitter value to be higher than expected. Due to
a misinterpretation of a small-print variable in The Book, the fix
for this problem was incorrect, resulting in a root distance that did
not include the peer dispersion. The calculations and formulas have
been reviewed and reconciled, and the code has been updated accordingly.
[CVE-2016-7433]
IV. Workaround
No workaround is available, but systems not running ntpd(8) are not
affected. Network administrators are advised to implement BCP-38,
which helps to reduce the risk associated with these attacks.
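The mode 6 vector behind CVE-2016-9310 is only reachable where the default restriction class still answers control queries, and that is a configuration matter you can audit before the patch lands. As an added example (not part of the FreeBSD advisory), the POSIX shell script below inspects an ntp.conf for that condition. The sample configurations, temporary file names and function names are this example's own. The audit deliberately demands an explicit `restrict -6 default` line for IPv6 rather than assuming a bare `restrict default` covers both families, and passing it only closes the trap vector from the default class: the other CVEs in this advisory still need the updated ntpd.

```shell
#!/bin/sh
# Added example, not part of the FreeBSD advisory: audit an ntp.conf for the
# condition behind the CVE-2016-9310 trap vector, a default restriction class
# that still answers mode 6 queries. Sample configs and names are constructed.

# ntp_restrict_flags FILE FAMILY
# Prints the flags on the default restriction for FAMILY (ipv4: "restrict
# default" or "restrict -4 default"; ipv6: "restrict -6 default"), with
# comments stripped. Prints nothing if the file has no such line.
ntp_restrict_flags() {
    file=$1; family=$2
    case $family in
        ipv4) pat='^[[:space:]]*restrict[[:space:]]+(-4[[:space:]]+)?default([[:space:]]|$)' ;;
        ipv6) pat='^[[:space:]]*restrict[[:space:]]+-6[[:space:]]+default([[:space:]]|$)' ;;
        *)    return 2 ;;
    esac
    sed 's/#.*//' "$file" \
      | grep -E "$pat" \
      | sed -E 's/^[[:space:]]*restrict[[:space:]]+(-[46][[:space:]]+)?default//' \
      | tr -s '[:space:]' ' '
}

# ntp_mode6_exposed FILE
# Returns 0 (exposed) if, on either address family, the default class lacks
# both "noquery" and "ignore"; that includes having no default restriction at
# all, in which case ntpd answers everyone. Returns 1 if both families refuse.
ntp_mode6_exposed() {
    file=$1
    for fam in ipv4 ipv6; do
        flags=$(ntp_restrict_flags "$file" "$fam")
        case " $flags " in
            *" noquery "*|*" ignore "*) ;;   # mode 6 queries refused for this family
            *) return 0 ;;                   # open, or no default line for this family
        esac
    done
    return 1
}

# --- constructed sample configurations (assumed, not taken from any host) ---
NTP_WEAK=$(mktemp); NTP_V4ONLY=$(mktemp); NTP_HARDENED=$(mktemp)
trap 'rm -f "$NTP_WEAK" "$NTP_V4ONLY" "$NTP_HARDENED"' EXIT
cat >"$NTP_WEAK" <<'EOF'
server 0.freebsd.pool.ntp.org iburst
# nomodify stops configuration changes, but mode 6 queries are still answered
restrict default kod nomodify nopeer
restrict 127.0.0.1
EOF
cat >"$NTP_V4ONLY" <<'EOF'
server 0.freebsd.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer noquery   # no restrict -6 default line
restrict 127.0.0.1
EOF
cat >"$NTP_HARDENED" <<'EOF'
server 0.freebsd.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
EOF

for f in "$NTP_WEAK" "$NTP_V4ONLY" "$NTP_HARDENED"; do
    if ntp_mode6_exposed "$f"; then
        echo "$f: mode 6 queries reachable from the default class (trap vector open)"
    else
        echo "$f: mode 6 queries refused on both address families"
    fi
done
```

On a host, run `ntp_mode6_exposed /etc/ntp.conf`. `noquery` (or the blunter `ignore`) on the default class is what refuses unauthenticated mode 6 traffic; `notrap` on its own only declines the trap service and leaves the rest of mode 6 answering, which is why the audit keys on `noquery`.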
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
The ntpd service has to be restarted after the update. A reboot is
recommended but not required.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
The ntpd service has to be restarted after the update. A reboot is
recommended but not required.
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 11.0]
# fetch https://security.FreeBSD.org/patches/SA-16:39/ntp-11.0.patch
# fetch https://security.FreeBSD.org/patches/SA-16:39/ntp-11.0.patch.asc
# gpg --verify ntp-11.0.patch.asc
[FreeBSD 10.x]
# fetch https://security.FreeBSD.org/patches/SA-16:39/ntp-10.x.patch
# fetch https://security.FreeBSD.org/patches/SA-16:39/ntp-10.x.patch.asc
# gpg --verify ntp-10.x.patch.asc
[FreeBSD 9.3]
# fetch https://security.FreeBSD.org/patches/SA-16:39/ntp-9.3.patch
# fetch https://security.FreeBSD.org/patches/SA-16:39/ntp-9.3.patch.asc
# gpg --verify ntp-9.3.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart the applicable daemons, or reboot the system.
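Solution step 1 refers to builds dated after the correction date; for the release branches the "Corrected:" field states the same thing as a patch level. The check below is an added example, not part of the advisory or of FreeBSD: it compares the string `freebsd-version -u` reports against that list. The `-u` matters because ntpd is userland: a binary update to it raises the userland patch level, while `uname -r` tracks the kernel, which a userland-only fix such as this one does not touch. The fixed-version list is copied from the advisory; the function names and the sample version strings are this example's own.

```shell
#!/bin/sh
# Added example (not from the FreeBSD advisory): decide whether an installed
# FreeBSD patch level is at or past the level SA-16:39 lists as corrected.
# Usage on a host:  sa_16_39_status "$(freebsd-version -u)"
# SA_16_39_FIXED is copied from the advisory's "Corrected:" field.

SA_16_39_FIXED="11.0-RELEASE-p6 10.3-RELEASE-p15 10.2-RELEASE-p28 10.1-RELEASE-p45 9.3-RELEASE-p53"

# freebsd_release_base "10.3-RELEASE-p14" -> "10.3"
freebsd_release_base() { echo "${1%%-*}"; }

# freebsd_patch_level "10.3-RELEASE-p14" -> 14; "10.3-RELEASE" -> 0
# Returns 1 for -STABLE/-CURRENT builds, which carry no patch level: for those
# the advisory's svn revision or the build date has to be compared instead.
freebsd_patch_level() {
    case $1 in
        *-RELEASE-p*) echo "${1##*-RELEASE-p}" ;;
        *-RELEASE)    echo 0 ;;
        *)            return 1 ;;
    esac
}

# freebsd_fixed_for INSTALLED FIXED
# 0: INSTALLED is FIXED or later on the same release line
# 1: same release line but an older patch level (vulnerable)
# 2: not comparable (different release line, or no patch level to compare)
freebsd_fixed_for() {
    inst=$1; fixed=$2
    [ "$(freebsd_release_base "$inst")" = "$(freebsd_release_base "$fixed")" ] || return 2
    ip=$(freebsd_patch_level "$inst") || return 2
    fp=$(freebsd_patch_level "$fixed") || return 2
    [ "$ip" -ge "$fp" ]
}

# sa_16_39_status INSTALLED -> prints patched | vulnerable | unknown
# "unknown" covers stable/current builds and release lines the advisory does
# not list, for example a release that has already reached end-of-life.
sa_16_39_status() {
    inst=$1
    for fixed in $SA_16_39_FIXED; do
        [ "$(freebsd_release_base "$fixed")" = "$(freebsd_release_base "$inst")" ] || continue
        freebsd_fixed_for "$inst" "$fixed" && rc=0 || rc=$?
        case $rc in
            0) echo patched ;;
            1) echo vulnerable ;;
            *) echo unknown ;;
        esac
        return 0
    done
    echo unknown
}

# Demonstration on constructed version strings (replace with freebsd-version -u)
for v in 10.3-RELEASE-p14 10.3-RELEASE-p15 11.0-RELEASE-p7 10.3-STABLE 12.0-CURRENT; do
    echo "$v: $(sa_16_39_status "$v")"
done
```

"patched" means the userland carrying the fix is installed; it does not mean the running ntpd is the fixed binary, which is why the Solution section asks for a restart of ntpd (or a reboot) after the update. Hosts reporting "unknown" on a -STABLE build have to be checked against the revision numbers in section VI instead.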
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/9/ r309009
releng/9.3/ r310419
stable/10/ r309008
releng/10.1/ r310419
releng/10.2/ r310419
releng/10.3/ r310419
stable/11/ r309007
releng/11.0/ r310419
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:http://support.ntp.org/bin/view/Main/SecurityNotice#November_2016_ntp_4_2_8p9_NTP_Se>
<URL:https://www.kb.cert.org/vuls/id/633847>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7426>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7427>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7428>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7431>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7433>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7434>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9310>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9311>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:39.ntp.asc>
Wednesday, December 21, 2016
[CentOS-announce] CESA-2016:2974 Important CentOS 6 gstreamer-plugins-bad-free Security Update
Upstream details at : https://rhn.redhat.com/errata/RHSA-2016-2974.html
The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )
i386:
134c13f30ed4597dd42f5e5b917dfd365d7c8b43c7b1afa956c5e421506ac53a gstreamer-plugins-bad-free-0.10.19-5.el6_8.i686.rpm
768a9b4e37d55a1a9c0d0369b14158a6cd0da550419af5598604f029e1825b8d gstreamer-plugins-bad-free-devel-0.10.19-5.el6_8.i686.rpm
db17e69599d5286b5d95a6051602e85f304eeba90d8392bd1c57abfac5698cac gstreamer-plugins-bad-free-devel-docs-0.10.19-5.el6_8.i686.rpm
49436aa5b15d337eedff3c6d53b1a64d6581fd9b5c025315311f5ec22730176d gstreamer-plugins-bad-free-extras-0.10.19-5.el6_8.i686.rpm
x86_64:
134c13f30ed4597dd42f5e5b917dfd365d7c8b43c7b1afa956c5e421506ac53a gstreamer-plugins-bad-free-0.10.19-5.el6_8.i686.rpm
773d8ca3084576493db216eecf93e7fb612ed66c8b0a5e31016ba376423c1582 gstreamer-plugins-bad-free-0.10.19-5.el6_8.x86_64.rpm
768a9b4e37d55a1a9c0d0369b14158a6cd0da550419af5598604f029e1825b8d gstreamer-plugins-bad-free-devel-0.10.19-5.el6_8.i686.rpm
0c484310f2d12f27e78adba4970d403d8773e78c92667f2a1698d5e9b3d6eccd gstreamer-plugins-bad-free-devel-0.10.19-5.el6_8.x86_64.rpm
b17cc0700bda8b607a87612f3d30ca971e6f0a3d16976bac0cc3de0a410719aa gstreamer-plugins-bad-free-devel-docs-0.10.19-5.el6_8.x86_64.rpm
49436aa5b15d337eedff3c6d53b1a64d6581fd9b5c025315311f5ec22730176d gstreamer-plugins-bad-free-extras-0.10.19-5.el6_8.i686.rpm
85f29473f691ccea8bdf506fefbe57dae053013de0f2459915bf6e199935790c gstreamer-plugins-bad-free-extras-0.10.19-5.el6_8.x86_64.rpm
Source:
b6f8449eb86454b85bd84c2ff7bdcd651e7765b754e36609b5e1eb98ca738190 gstreamer-plugins-bad-free-0.10.19-5.el6_8.src.rpm
--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS
_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
https://lists.centos.org/mailman/listinfo/centos-announce
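The digests above let you confirm that what a mirror handed you is what the project uploaded. The script below is an added example, not part of the CentOS announcement: it takes lines in the announcement's `sha256sum Filename` layout on stdin and checks each file in a download directory, distinguishing a digest mismatch from a file you simply have not fetched. The package files, their contents and the expected list are constructed for the demonstration; the filenames only imitate the real ones.

```shell
#!/bin/sh
# Added example, not part of the CentOS announcement: check downloaded RPMs
# against the "( sha256sum Filename )" list an announcement publishes.
# The package files and the "announced" list below are constructed for the
# demonstration; the filenames only mimic the real ones.

# sha256_of FILE -> hex digest (GNU coreutils sha256sum, or BSD shasum)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_announced DIR < LIST
# LIST holds "<hex digest> <filename>" lines as pasted from the announcement;
# blank lines and lines starting with # are skipped. Each file is looked up
# under DIR and reported as OK, FAILED (digest differs) or MISSING (not
# downloaded). Returns 1 if any file FAILED, otherwise 0; a MISSING file is
# reported but does not change the status.
verify_announced() {
    dir=$1; bad=0
    while read -r expect name; do
        [ -n "$expect" ] || continue
        case $expect in \#*) continue ;; esac
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING $name"
        elif [ "$(sha256_of "$dir/$name")" = "$expect" ]; then
            echo "OK $name"
        else
            echo "FAILED $name"; bad=1
        fi
    done
    return $bad
}

# --- constructed demonstration data ---
RPM_DEMO=$(mktemp -d)
trap 'rm -rf "$RPM_DEMO"' EXIT
printf 'intact package body\n'   >"$RPM_DEMO/good-1.0-1.el6.x86_64.rpm"
printf 'tampered package body\n' >"$RPM_DEMO/bad-1.0-1.el6.x86_64.rpm"
GOOD_SUM=$(sha256_of "$RPM_DEMO/good-1.0-1.el6.x86_64.rpm")
# The "announced" list: the bad file is listed with the good file's digest, so
# it must fail; the third entry was never downloaded.
RPM_ANNOUNCED="$GOOD_SUM good-1.0-1.el6.x86_64.rpm
$GOOD_SUM bad-1.0-1.el6.x86_64.rpm
$GOOD_SUM absent-1.0-1.el6.x86_64.rpm"

# run_rpm_demo -> the report on stdout; exit status 1 because one digest differs
run_rpm_demo() {
    printf '%s\n' "$RPM_ANNOUNCED" | verify_announced "$RPM_DEMO"
}

if run_rpm_demo; then
    echo "all announced digests matched"
else
    echo "at least one digest did not match: do not install that package"
fi
```

Paste the i386 or x86_64 block from the announcement into a file and run `verify_announced /path/to/downloads < list`. Treat FAILED as a reason not to install, not as a reason to retry from the same mirror. The digest list guards the download path; the package's own GPG signature (`rpm -K file.rpm`) is the check that binds it to the CentOS signing key, and `yum` performs that signature check by default when it installs from the configured repositories.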
[CentOS-announce] CESA-2016:2975 Important CentOS 6 gstreamer-plugins-good Security Update
Upstream details at : https://rhn.redhat.com/errata/RHSA-2016-2975.html
The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )
i386:
7fbce3b08f6717fcae7fd0342ef9cb606a6b27e91f443b9bf1496fe7a191501a gstreamer-plugins-good-0.10.23-4.el6_8.i686.rpm
13f7099fe8d5f24a30cf93fecd70679c00ac4e49da5bcd89e235d3e4b90b56a5 gstreamer-plugins-good-devel-0.10.23-4.el6_8.i686.rpm
x86_64:
7fbce3b08f6717fcae7fd0342ef9cb606a6b27e91f443b9bf1496fe7a191501a gstreamer-plugins-good-0.10.23-4.el6_8.i686.rpm
bfaef702f494f3c22b26553d8a57ca7a639c371907c16436437406339471804c gstreamer-plugins-good-0.10.23-4.el6_8.x86_64.rpm
13f7099fe8d5f24a30cf93fecd70679c00ac4e49da5bcd89e235d3e4b90b56a5 gstreamer-plugins-good-devel-0.10.23-4.el6_8.i686.rpm
9a05f8ac86fe1d1be78d644e88027d02ea0698a11e6a723c4a9c8e1dcb3d65f9 gstreamer-plugins-good-devel-0.10.23-4.el6_8.x86_64.rpm
Source:
1f3ad049215f2991999d07b4c5cee20bdbf59d12747e4bc81af22db132fde091 gstreamer-plugins-good-0.10.23-4.el6_8.src.rpm
[CentOS-announce] CESA-2016:2972 Moderate CentOS 6 vim Security Update
Upstream details at : https://rhn.redhat.com/errata/RHSA-2016-2972.html
The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )
i386:
b01b15ec916cbb7acfb4dae1d00536e3bd5454399fbc09882fb44c34ca59b6d8 vim-common-7.4.629-5.el6_8.1.i686.rpm
3a060bda378da2b2af4b315930c8ce0213e87ec029a30073925ede9cc971c1e6 vim-enhanced-7.4.629-5.el6_8.1.i686.rpm
595d628db770c874ea7619800c19d30932ff65ab01297acd7545318ccb9ba4b5 vim-filesystem-7.4.629-5.el6_8.1.i686.rpm
87ce30cd3daf01ec59d7045806fa2922e1ef7aed3930053194bbdc113cc5cb36 vim-minimal-7.4.629-5.el6_8.1.i686.rpm
e8611c3461d8123d85487f7df569781a4653d361fb885d7a47763cce16613f82 vim-X11-7.4.629-5.el6_8.1.i686.rpm
x86_64:
cd20302f10166fda6893127fe11a31dfa90bee983d301e4a34a2b294d5d26b20 vim-common-7.4.629-5.el6_8.1.x86_64.rpm
4afc6bd8769e45f9ac7fb28a3fd8e8b00f957cb3b447786ff7fd996fe78dafa9 vim-enhanced-7.4.629-5.el6_8.1.x86_64.rpm
75cde310d030f1f537c54dcfa09511659f16c7ae2410aa3afe71bca800efc57d vim-filesystem-7.4.629-5.el6_8.1.x86_64.rpm
f54c01ffaef043bcd108dd4bed4ba2dab7f36310d89ea8de3b200bd67b3a5826 vim-minimal-7.4.629-5.el6_8.1.x86_64.rpm
4704bc2cd890e12b96b6cea6f67994e494245eb83ec8632961a46da52ef0228d vim-X11-7.4.629-5.el6_8.1.x86_64.rpm
Source:
af0c0e885b4818927369afb5a33b62c8131b792733c39d5679aca4a625ca44ca vim-7.4.629-5.el6_8.1.src.rpm
[CentOS-announce] CESA-2016:2973 Important CentOS 7 thunderbird Security Update
Upstream details at : https://rhn.redhat.com/errata/RHSA-2016-2973.html
The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )
x86_64:
ed7cb4c72670f67eb12f9e904a9529a8053a53cc5551f75719484923c71417a6 thunderbird-45.6.0-1.el7.centos.x86_64.rpm
Source:
4e4035a33ea7dd337908115764760a5c35247118a769a29e1c24837070c4dd30 thunderbird-45.6.0-1.el7.centos.src.rpm
[CentOS-announce] CESA-2016:2972 Moderate CentOS 7 vim Security Update
Upstream details at : https://rhn.redhat.com/errata/RHSA-2016-2972.html
The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )
x86_64:
2f77332d8481b97bf7298c41c47113da8e1bc5d4f2169034459d4718c126d4c9 vim-common-7.4.160-1.el7_3.1.x86_64.rpm
68305225f41d8ba62f6c4125b1b587b8680e6383c15fa6a6594ccc1f8552ca08 vim-enhanced-7.4.160-1.el7_3.1.x86_64.rpm
a442ab1cc41d3f35478e9c08328a8cd3e6caa27675282072d75b75e5dd6544c2 vim-filesystem-7.4.160-1.el7_3.1.x86_64.rpm
754c509c530ab13ce697da88badd3deeab2eafa76415759c25571f697c93ba7d vim-minimal-7.4.160-1.el7_3.1.x86_64.rpm
0044b3d80f8f81b4c5106b8539c94c5a21e648fad5b204ddced6ef0263fa6007 vim-X11-7.4.160-1.el7_3.1.x86_64.rpm
Source:
e1c0a71068f49a77a492f257e189a39371dfa56571ac6c44b9d4abbffd917565 vim-7.4.160-1.el7_3.1.src.rpm
[CentOS-announce] CESA-2016:2973 Important CentOS 6 thunderbird Security Update
Upstream details at : https://rhn.redhat.com/errata/RHSA-2016-2973.html
The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )
i386:
8c91c61dd852242bfbb5978e0a408507ec0350ba6c9bc8e4087f156ba1126497 thunderbird-45.6.0-1.el6.centos.i686.rpm
x86_64:
1f871b22036c3d197a97d0ce3dfbacd0ffdd52098ecf1f4f1c1f836f5289263e thunderbird-45.6.0-1.el6.centos.x86_64.rpm
Source:
9b4f296a73d6974bdbfd9491f16905bf3d6d34346ac3d3b4cec9d8121fde1833 thunderbird-45.6.0-1.el6.centos.src.rpm
[CentOS-announce] CESA-2016:2973 Important CentOS 5 thunderbird Security Update
Upstream details at : https://rhn.redhat.com/errata/RHSA-2016-2973.html
The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )
i386:
68500438708f0e33a442e99c81208b99bd052055f291aaea4f696bdf271a79b8 thunderbird-45.6.0-1.el5.centos.i386.rpm
x86_64:
0a95da3511990f72243293d5a4b3d3757234a8e6cf606af1dacae5a4237b212f thunderbird-45.6.0-1.el5.centos.x86_64.rpm
Source:
c10d0d72fce28dcde43d2c25e4b10965b4240bbf9700a8cf2dc77a2faa3f6ecf thunderbird-45.6.0-1.el5.centos.src.rpm
F26 Self Contained Change: Fontconfig cache directory change
https://fedoraproject.org/wiki/Changes/FontconfigCacheDirChange
Change owner(s):
* Akira TAGOH <tagoh AT redhat DOT com>
The fontconfig cache files are currently placed in /var/cache/fontconfig.
This seems incompatible with the ostree model, so this is a proposal
to move them to /usr/lib/fontconfig/cache.
== Detailed Description ==
The fontconfig cache files are currently placed in /var/cache/fontconfig.
This seems incompatible with the ostree model, so this is a proposal
to move them to /usr/lib/fontconfig/cache, as proposed in bug #1377367 [
https://bugzilla.redhat.com/show_bug.cgi?id=1377367 ].
== Scope ==
* Proposal owners: Rebuild the fontconfig package with the changes of
the proposed cache directory.
* Other developers: N/A (not a System Wide Change)
* Release engineering: N/A (not a System Wide Change)
* List of deliverables: N/A (not a System Wide Change)
* Policies and guidelines: N/A (not a System Wide Change)
* Trademark approval: N/A (not needed for this Change)
--
Jan Kuřík
Platform & Fedora Program Manager
Red Hat Czech s.r.o., Purkynova 99/71, 612 45 Brno, Czech Republic
_______________________________________________
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org
Tuesday, December 20, 2016
[USN-3162-2] Linux kernel (Raspberry Pi 2) vulnerabilities
Ubuntu Security Notice USN-3162-2
December 20, 2016
linux-raspi2 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.10
Summary:
Several security issues were fixed in the kernel.
Software Description:
- linux-raspi2: Linux kernel for Raspberry Pi 2
Details:
CAI Qian discovered that shared bind mounts in a mount namespace
exponentially added entries without restriction to the Linux kernel's mount
table. A local attacker could use this to cause a denial of service (system
crash). (CVE-2016-6213)
Andreas Gruenbacher and Jan Kara discovered that the filesystem
implementation in the Linux kernel did not clear the setgid bit during a
setxattr call. A local attacker could use this to possibly elevate group
privileges. (CVE-2016-7097)
Marco Grassi discovered that the driver for Areca RAID Controllers in the
Linux kernel did not properly validate control messages. A local attacker
could use this to cause a denial of service (system crash) or possibly gain
privileges. (CVE-2016-7425)
It was discovered that the KVM implementation for x86/x86_64 in the Linux
kernel could dereference a null pointer. An attacker in a guest virtual
machine could use this to cause a denial of service (system crash) in the
KVM host. (CVE-2016-8630)
Eyal Itkin discovered that the IP over IEEE 1394 (FireWire) implementation
in the Linux kernel contained a buffer overflow when handling fragmented
packets. A remote attacker could use this to possibly execute arbitrary
code with administrative privileges. (CVE-2016-8633)
Marco Grassi discovered that the TCP implementation in the Linux kernel
mishandles socket buffer (skb) truncation. A local attacker could use this
to cause a denial of service (system crash). (CVE-2016-8645)
It was discovered that the keyring implementation in the Linux kernel
improperly handled crypto registration in conjunction with successful key-
type registration. A local attacker could use this to cause a denial of
service (system crash). (CVE-2016-9313)
Andrey Konovalov discovered that the SCTP implementation in the Linux
kernel improperly handled validation of incoming data. A remote attacker
could use this to cause a denial of service (system crash). (CVE-2016-9555)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.10:
linux-image-4.8.0-1021-raspi2 4.8.0-1021.24
linux-image-raspi2 4.8.0.1021.24
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
http://www.ubuntu.com/usn/usn-3162-2
http://www.ubuntu.com/usn/usn-3162-1
CVE-2016-6213, CVE-2016-7097, CVE-2016-7425, CVE-2016-8630,
CVE-2016-8633, CVE-2016-8645, CVE-2016-9313, CVE-2016-9555
Package Information:
https://launchpad.net/ubuntu/+source/linux-raspi2/4.8.0-1021.24
[USN-3161-4] Linux kernel (Qualcomm Snapdragon) vulnerabilities
Ubuntu Security Notice USN-3161-4
December 20, 2016
linux-snapdragon vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in the kernel.
Software Description:
- linux-snapdragon: Linux kernel for Snapdragon Processors
Details:
Tilman Schmidt and Sasha Levin discovered a use-after-free condition in the
TTY implementation in the Linux kernel. A local attacker could use this to
expose sensitive information (kernel memory). (CVE-2015-8964)
It was discovered that the Video For Linux Two (v4l2) implementation in the
Linux kernel did not properly handle multiple planes when processing a
VIDIOC_DQBUF ioctl(). A local attacker could use this to cause a denial of
service (system crash) or possibly execute arbitrary code. (CVE-2016-4568)
CAI Qian discovered that shared bind mounts in a mount namespace
exponentially added entries without restriction to the Linux kernel's mount
table. A local attacker could use this to cause a denial of service (system
crash). (CVE-2016-6213)
Andreas Gruenbacher and Jan Kara discovered that the filesystem
implementation in the Linux kernel did not clear the setgid bit during a
setxattr call. A local attacker could use this to possibly elevate group
privileges. (CVE-2016-7097)
Marco Grassi discovered that the driver for Areca RAID Controllers in the
Linux kernel did not properly validate control messages. A local attacker
could use this to cause a denial of service (system crash) or possibly gain
privileges. (CVE-2016-7425)
It was discovered that the KVM implementation for x86/x86_64 in the Linux
kernel could dereference a null pointer. An attacker in a guest virtual
machine could use this to cause a denial of service (system crash) in the
KVM host. (CVE-2016-8630)
Eyal Itkin discovered that the IP over IEEE 1394 (FireWire) implementation
in the Linux kernel contained a buffer overflow when handling fragmented
packets. A remote attacker could use this to possibly execute arbitrary
code with administrative privileges. (CVE-2016-8633)
Marco Grassi discovered that the TCP implementation in the Linux kernel
mishandles socket buffer (skb) truncation. A local attacker could use this
to cause a denial of service (system crash). (CVE-2016-8645)
Daxing Guo discovered a stack-based buffer overflow in the Broadcom
IEEE802.11n FullMAC driver in the Linux kernel. A local attacker could use
this to cause a denial of service (system crash) or possibly gain
privileges. (CVE-2016-8658)
Andrey Konovalov discovered that the SCTP implementation in the Linux
kernel improperly handled validation of incoming data. A remote attacker
could use this to cause a denial of service (system crash). (CVE-2016-9555)
It was discovered that the __get_user_asm_ex implementation in the Linux
kernel for x86/x86_64 contained extended asm statements that were
incompatible with the exception table. A local attacker could use this to
gain administrative privileges. (CVE-2016-9644)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 LTS:
linux-image-4.4.0-1042-snapdragon 4.4.0-1042.46
linux-image-snapdragon 4.4.0.1042.34
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
http://www.ubuntu.com/usn/usn-3161-4
http://www.ubuntu.com/usn/usn-3161-1
CVE-2015-8964, CVE-2016-4568, CVE-2016-6213, CVE-2016-7097,
CVE-2016-7425, CVE-2016-8630, CVE-2016-8633, CVE-2016-8645,
CVE-2016-8658, CVE-2016-9555, CVE-2016-9644
Package Information:
https://launchpad.net/ubuntu/+source/linux-snapdragon/4.4.0-1042.46
[USN-3162-1] Linux kernel vulnerabilities
Ubuntu Security Notice USN-3162-1
December 20, 2016
linux vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.10
Summary:
Several security issues were fixed in the kernel.
Software Description:
- linux: Linux kernel
Details:
CAI Qian discovered that shared bind mounts in a mount namespace
exponentially added entries without restriction to the Linux kernel's mount
table. A local attacker could use this to cause a denial of service (system
crash). (CVE-2016-6213)
It was discovered that the KVM implementation for x86/x86_64 in the Linux
kernel could dereference a null pointer. An attacker in a guest virtual
machine could use this to cause a denial of service (system crash) in the
KVM host. (CVE-2016-8630)
Eyal Itkin discovered that the IP over IEEE 1394 (FireWire) implementation
in the Linux kernel contained a buffer overflow when handling fragmented
packets. A remote attacker could use this to possibly execute arbitrary
code with administrative privileges. (CVE-2016-8633)
Marco Grassi discovered that the TCP implementation in the Linux kernel
mishandles socket buffer (skb) truncation. A local attacker could use this
to cause a denial of service (system crash). (CVE-2016-8645)
It was discovered that the keyring implementation in the Linux kernel
improperly handled crypto registration in conjunction with successful key-
type registration. A local attacker could use this to cause a denial of
service (system crash). (CVE-2016-9313)
Andrey Konovalov discovered that the SCTP implementation in the Linux
kernel improperly handled validation of incoming data. A remote attacker
could use this to cause a denial of service (system crash). (CVE-2016-9555)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.10:
linux-image-4.8.0-32-generic 4.8.0-32.34
linux-image-4.8.0-32-generic-lpae 4.8.0-32.34
linux-image-4.8.0-32-lowlatency 4.8.0-32.34
linux-image-4.8.0-32-powerpc-e500mc 4.8.0-32.34
linux-image-4.8.0-32-powerpc-smp 4.8.0-32.34
linux-image-4.8.0-32-powerpc64-emb 4.8.0-32.34
linux-image-generic 4.8.0.32.41
linux-image-generic-lpae 4.8.0.32.41
linux-image-lowlatency 4.8.0.32.41
linux-image-powerpc-e500mc 4.8.0.32.41
linux-image-powerpc-smp 4.8.0.32.41
linux-image-powerpc64-emb 4.8.0.32.41
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
http://www.ubuntu.com/usn/usn-3162-1
CVE-2016-6213, CVE-2016-8630, CVE-2016-8633, CVE-2016-8645,
CVE-2016-9313, CVE-2016-9555
Package Information:
https://launchpad.net/ubuntu/+source/linux/4.8.0-32.34
[USN-3161-2] Linux kernel (Xenial HWE) vulnerabilities
Ubuntu Security Notice USN-3161-2
December 20, 2016
linux-lts-xenial vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in the kernel.
Software Description:
- linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty
Details:
USN-3161-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu
14.04 LTS.
Tilman Schmidt and Sasha Levin discovered a use-after-free condition in the
TTY implementation in the Linux kernel. A local attacker could use this to
expose sensitive information (kernel memory). (CVE-2015-8964)
It was discovered that the Video For Linux Two (v4l2) implementation in the
Linux kernel did not properly handle multiple planes when processing a
VIDIOC_DQBUF ioctl(). A local attacker could use this to cause a denial of
service (system crash) or possibly execute arbitrary code. (CVE-2016-4568)
CAI Qian discovered that shared bind mounts in a mount namespace
exponentially added entries without restriction to the Linux kernel's mount
table. A local attacker could use this to cause a denial of service (system
crash). (CVE-2016-6213)
It was discovered that the KVM implementation for x86/x86_64 in the Linux
kernel could dereference a null pointer. An attacker in a guest virtual
machine could use this to cause a denial of service (system crash) in the
KVM host. (CVE-2016-8630)
Eyal Itkin discovered that the IP over IEEE 1394 (FireWire) implementation
in the Linux kernel contained a buffer overflow when handling fragmented
packets. A remote attacker could use this to possibly execute arbitrary
code with administrative privileges. (CVE-2016-8633)
Marco Grassi discovered that the TCP implementation in the Linux kernel
mishandles socket buffer (skb) truncation. A local attacker could use this
to cause a denial of service (system crash). (CVE-2016-8645)
Andrey Konovalov discovered that the SCTP implementation in the Linux
kernel improperly handled validation of incoming data. A remote attacker
could use this to cause a denial of service (system crash). (CVE-2016-9555)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS:
linux-image-4.4.0-57-generic 4.4.0-57.78~14.04.1
linux-image-4.4.0-57-generic-lpae 4.4.0-57.78~14.04.1
linux-image-4.4.0-57-lowlatency 4.4.0-57.78~14.04.1
linux-image-4.4.0-57-powerpc-e500mc 4.4.0-57.78~14.04.1
linux-image-4.4.0-57-powerpc-smp 4.4.0-57.78~14.04.1
linux-image-4.4.0-57-powerpc64-emb 4.4.0-57.78~14.04.1
linux-image-4.4.0-57-powerpc64-smp 4.4.0-57.78~14.04.1
linux-image-generic-lpae-lts-xenial 4.4.0.57.44
linux-image-generic-lts-xenial 4.4.0.57.44
linux-image-lowlatency-lts-xenial 4.4.0.57.44
linux-image-powerpc-e500mc-lts-xenial 4.4.0.57.44
linux-image-powerpc-smp-lts-xenial 4.4.0.57.44
linux-image-powerpc64-emb-lts-xenial 4.4.0.57.44
linux-image-powerpc64-smp-lts-xenial 4.4.0.57.44
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
http://www.ubuntu.com/usn/usn-3161-2
http://www.ubuntu.com/usn/usn-3161-1
CVE-2015-8964, CVE-2016-4568, CVE-2016-6213, CVE-2016-8630,
CVE-2016-8633, CVE-2016-8645, CVE-2016-9555
Package Information:
https://launchpad.net/ubuntu/+source/linux-lts-xenial/4.4.0-57.78~14.04.1
[USN-3161-3] Linux kernel (Raspberry Pi 2) vulnerabilities
Ubuntu Security Notice USN-3161-3
December 20, 2016
linux-raspi2 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in the kernel.
Software Description:
- linux-raspi2: Linux kernel for Raspberry Pi 2
Details:
Tilman Schmidt and Sasha Levin discovered a use-after-free condition in the
TTY implementation in the Linux kernel. A local attacker could use this to
expose sensitive information (kernel memory). (CVE-2015-8964)
It was discovered that the Video For Linux Two (v4l2) implementation in the
Linux kernel did not properly handle multiple planes when processing a
VIDIOC_DQBUF ioctl(). A local attacker could use this to cause a denial of
service (system crash) or possibly execute arbitrary code. (CVE-2016-4568)
CAI Qian discovered that shared bind mounts in a mount namespace
exponentially added entries without restriction to the Linux kernel's mount
table. A local attacker could use this to cause a denial of service (system
crash). (CVE-2016-6213)
Ondrej Kozina discovered that the keyring interface in the Linux kernel
contained a buffer overflow when displaying timeout events via the
/proc/keys interface. A local attacker could use this to cause a denial of
service (system crash). (CVE-2016-7042)
Andreas Gruenbacher and Jan Kara discovered that the filesystem
implementation in the Linux kernel did not clear the setgid bit during a
setxattr call. A local attacker could use this to possibly elevate group
privileges. (CVE-2016-7097)
Marco Grassi discovered that the driver for Areca RAID Controllers in the
Linux kernel did not properly validate control messages. A local attacker
could use this to cause a denial of service (system crash) or possibly gain
privileges. (CVE-2016-7425)
It was discovered that the KVM implementation for x86/x86_64 in the Linux
kernel could dereference a null pointer. An attacker in a guest virtual
machine could use this to cause a denial of service (system crash) in the
KVM host. (CVE-2016-8630)
Eyal Itkin discovered that the IP over IEEE 1394 (FireWire) implementation
in the Linux kernel contained a buffer overflow when handling fragmented
packets. A remote attacker could use this to possibly execute arbitrary
code with administrative privileges. (CVE-2016-8633)
Marco Grassi discovered that the TCP implementation in the Linux kernel
mishandles socket buffer (skb) truncation. A local attacker could use this
to cause a denial of service (system crash). (CVE-2016-8645)
Daxing Guo discovered a stack-based buffer overflow in the Broadcom
IEEE802.11n FullMAC driver in the Linux kernel. A local attacker could use
this to cause a denial of service (system crash) or possibly gain
privileges. (CVE-2016-8658)
It was discovered that an information leak existed in __get_user_asm_ex()
in the Linux kernel. A local attacker could use this to expose sensitive
information. (CVE-2016-9178)
Andrey Konovalov discovered that the SCTP implementation in the Linux
kernel improperly handled validation of incoming data. A remote attacker
could use this to cause a denial of service (system crash). (CVE-2016-9555)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 LTS:
linux-image-4.4.0-1038-raspi2 4.4.0-1038.45
linux-image-raspi2 4.4.0.1038.37
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
http://www.ubuntu.com/usn/usn-3161-3
http://www.ubuntu.com/usn/usn-3161-1
CVE-2015-8964, CVE-2016-4568, CVE-2016-6213, CVE-2016-7042,
CVE-2016-7097, CVE-2016-7425, CVE-2016-8630, CVE-2016-8633,
CVE-2016-8645, CVE-2016-8658, CVE-2016-9178, CVE-2016-9555
Package Information:
https://launchpad.net/ubuntu/+source/linux-raspi2/4.4.0-1038.45
[USN-3161-1] Linux kernel vulnerabilities
Ubuntu Security Notice USN-3161-1
December 20, 2016
linux vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in the kernel.
Software Description:
- linux: Linux kernel
Details:
Tilman Schmidt and Sasha Levin discovered a use-after-free condition in the
TTY implementation in the Linux kernel. A local attacker could use this to
expose sensitive information (kernel memory). (CVE-2015-8964)
It was discovered that the Video For Linux Two (v4l2) implementation in the
Linux kernel did not properly handle multiple planes when processing a
VIDIOC_DQBUF ioctl(). A local attacker could use this to cause a denial of
service (system crash) or possibly execute arbitrary code. (CVE-2016-4568)
CAI Qian discovered that shared bind mounts in a mount namespace
exponentially added entries without restriction to the Linux kernel's mount
table. A local attacker could use this to cause a denial of service (system
crash). (CVE-2016-6213)
It was discovered that the KVM implementation for x86/x86_64 in the Linux
kernel could dereference a null pointer. An attacker in a guest virtual
machine could use this to cause a denial of service (system crash) in the
KVM host. (CVE-2016-8630)
Eyal Itkin discovered that the IP over IEEE 1394 (FireWire) implementation
in the Linux kernel contained a buffer overflow when handling fragmented
packets. A remote attacker could use this to possibly execute arbitrary
code with administrative privileges. (CVE-2016-8633)
Marco Grassi discovered that the TCP implementation in the Linux kernel
mishandles socket buffer (skb) truncation. A local attacker could use this
to cause a denial of service (system crash). (CVE-2016-8645)
Andrey Konovalov discovered that the SCTP implementation in the Linux
kernel improperly handled validation of incoming data. A remote attacker
could use this to cause a denial of service (system crash). (CVE-2016-9555)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 LTS:
linux-image-4.4.0-57-generic 4.4.0-57.78
linux-image-4.4.0-57-generic-lpae 4.4.0-57.78
linux-image-4.4.0-57-lowlatency 4.4.0-57.78
linux-image-4.4.0-57-powerpc-e500mc 4.4.0-57.78
linux-image-4.4.0-57-powerpc-smp 4.4.0-57.78
linux-image-4.4.0-57-powerpc64-emb 4.4.0-57.78
linux-image-4.4.0-57-powerpc64-smp 4.4.0-57.78
linux-image-generic 4.4.0.57.60
linux-image-generic-lpae 4.4.0.57.60
linux-image-lowlatency 4.4.0.57.60
linux-image-powerpc-e500mc 4.4.0.57.60
linux-image-powerpc-smp 4.4.0.57.60
linux-image-powerpc64-emb 4.4.0.57.60
linux-image-powerpc64-smp 4.4.0.57.60
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
http://www.ubuntu.com/usn/usn-3161-1
CVE-2015-8964, CVE-2016-4568, CVE-2016-6213, CVE-2016-8630,
CVE-2016-8633, CVE-2016-8645, CVE-2016-9555
Package Information:
https://launchpad.net/ubuntu/+source/linux/4.4.0-57.78
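The kernel advisories above all close with the same two-step procedure: install the listed package versions, then reboot so the new ABI is what is actually running (and rebuild any third-party modules for it). The Python script below is an added example, not Ubuntu's own tooling, that checks both steps for one host against USN-3161-1: it compares installed versions with the advisory's list using Debian version ordering (epoch, then upstream, then revision, with `~` sorting before anything including the end of the string), and compares the running kernel with the ABI embedded in the fixed `linux-image-<abi>` package names. The installed-package sample and the running-kernel string are constructed; on a real host they would come from `dpkg-query -W -f '${Package} ${Version}\n'` and `uname -r`.

```python
"""Check one Ubuntu host against the fixed versions listed in a USN.

Added example, not Ubuntu's own tooling. It answers the two questions the
advisory's update instructions raise: is the fixed package version installed,
and is the fixed kernel ABI the one currently running (if not, reboot).
"""
import re

# Fixed versions for Ubuntu 16.04 LTS, copied from USN-3161-1 (two flavours
# are enough to show the check; the header line is kept to show it is skipped).
USN_3161_1_FIXED = """\
Ubuntu 16.04 LTS:
linux-image-4.4.0-57-generic 4.4.0-57.78
linux-image-4.4.0-57-lowlatency 4.4.0-57.78
linux-image-generic 4.4.0.57.60
linux-image-lowlatency 4.4.0.57.60
"""

# Constructed sample of `dpkg-query -W -f '${Package} ${Version}\n'` on a
# host that installed the update but has not rebooted yet.
SAMPLE_INSTALLED = """\
linux-image-4.4.0-53-generic 4.4.0-53.74
linux-image-4.4.0-57-generic 4.4.0-57.78
linux-image-generic 4.4.0.57.60
"""
SAMPLE_UNAME_R = "4.4.0-53-generic"  # constructed: the old ABI is still running

PKG_LINE = re.compile(r"^([a-z0-9][a-z0-9.+-]*)\s+(\S+)\s*$")


def _order(c):
    """Character weight as in dpkg: '~' before everything (even end of string,
    weight 0), digits 0, letters by code point, other punctuation after letters."""
    if c is None:
        return 0
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrev_cmp(a, b):
    """Compare two version fragments the way dpkg's verrevcmp() does: alternate
    non-digit runs (by _order) with digit runs (numerically, leading zeros dropped)."""
    while a or b:
        first_diff = 0
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac = _order(a[0] if a else None)
            bc = _order(b[0] if b else None)
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")
        while a and a[0].isdigit() and b and b[0].isdigit():
            if not first_diff:
                first_diff = ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():
            return 1          # a has more digits: it is the larger number
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def compare_versions(v1, v2):
    """<0, 0 or >0 as v1 is older than, equal to or newer than v2
    under Debian version ordering: [epoch:]upstream[-revision]."""
    def split(v):
        epoch = 0
        if ":" in v:
            e, v = v.split(":", 1)
            epoch = int(e)
        upstream, _, revision = v.rpartition("-")
        if not upstream:      # no hyphen: the whole string is the upstream part
            upstream, revision = revision, ""
        return epoch, upstream, revision

    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return e1 - e2
    return _verrev_cmp(u1, u2) or _verrev_cmp(r1, r2)


def parse_pkg_versions(text):
    """Map package -> version from 'pkg version' lines; release headers such as
    'Ubuntu 16.04 LTS:' do not match the lowercase package-name pattern."""
    out = {}
    for line in text.splitlines():
        m = PKG_LINE.match(line.strip())
        if m:
            out[m.group(1)] = m.group(2)
    return out


def check_host(fixed_text, installed_text, uname_r):
    """Compare a host with the advisory. Flavours the host does not have are
    skipped; a fixed per-ABI image is named linux-image-<uname -r>, which is
    how the 'reboot needed' condition is detected."""
    fixed = parse_pkg_versions(fixed_text)
    installed = parse_pkg_versions(installed_text)
    outdated, current = {}, []
    for pkg, want in fixed.items():
        have = installed.get(pkg)
        if have is None:
            continue
        if compare_versions(have, want) < 0:
            outdated[pkg] = (have, want)
        else:
            current.append(pkg)
    fixed_abis = [p[len("linux-image-"):] for p in current
                  if re.match(r"linux-image-\d", p)]
    running_fixed = uname_r in fixed_abis
    return {
        "outdated": outdated,
        "fixed_image_installed": bool(fixed_abis),
        "running_fixed_kernel": running_fixed,
        "reboot_required": bool(fixed_abis) and not running_fixed,
    }


if __name__ == "__main__":
    print(check_host(USN_3161_1_FIXED, SAMPLE_INSTALLED, SAMPLE_UNAME_R))
```

For the constructed sample the report shows nothing outdated, the fixed image installed, and `reboot_required` true, which is exactly the state the advisory's reboot sentence is about. On a real host `dpkg --compare-versions` gives the same ordering as `compare_versions`; the script does not cover the third-party module rebuild the ABI note also asks for.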
Fedora 23 End Of Life
for updates and support. No further updates, including security
updates, will be available for Fedora 23. A previous reminder was sent
on 28th of November 2016 [0]. Fedora 24 will continue to receive
updates until approximately one month after the release of Fedora 26.
The maintenance schedule of Fedora releases is documented on the
Fedora Project wiki [1]. The Fedora Project wiki also contains
instructions [2] on how to upgrade from a previous release of Fedora
to a version receiving updates.
Mohan Boddu.
[0]https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/HLHKRTIB33EDZXP624GHF2OZLHWAGKSJ/#Q5O44X4BEBOYEKAEVLSXVI44DSNVHBYG
[1]https://fedoraproject.org/wiki/Fedora_Release_Life_Cycle#Maintenance_Schedule
[2]https://fedoraproject.org/wiki/Upgrading?rd=DistributionUpgrades
_______________________________________________
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org
[USN-3159-1] Linux kernel vulnerability
Ubuntu Security Notice USN-3159-1
December 20, 2016
linux vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
Summary:
The system could be made to expose sensitive information.
Software Description:
- linux: Linux kernel
Details:
It was discovered that a race condition existed in the procfs
environ_read function in the Linux kernel, leading to an integer
underflow. A local attacker could use this to expose sensitive
information (kernel memory).
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
linux-image-3.2.0-119-generic 3.2.0-119.162
linux-image-3.2.0-119-generic-pae 3.2.0-119.162
linux-image-3.2.0-119-highbank 3.2.0-119.162
linux-image-3.2.0-119-omap 3.2.0-119.162
linux-image-3.2.0-119-powerpc-smp 3.2.0-119.162
linux-image-3.2.0-119-powerpc64-smp 3.2.0-119.162
linux-image-3.2.0-119-virtual 3.2.0-119.162
linux-image-generic 3.2.0.119.134
linux-image-generic-pae 3.2.0.119.134
linux-image-highbank 3.2.0.119.134
linux-image-omap 3.2.0.119.134
linux-image-powerpc-smp 3.2.0.119.134
linux-image-powerpc64-smp 3.2.0.119.134
linux-image-virtual 3.2.0.119.134
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
http://www.ubuntu.com/usn/usn-3159-1
CVE-2016-7916
Package Information:
https://launchpad.net/ubuntu/+source/linux/3.2.0-119.162
[USN-3159-2] Linux kernel (OMAP4) vulnerability
Ubuntu Security Notice USN-3159-2
December 20, 2016
linux-ti-omap4 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
Summary:
The system could be made to expose sensitive information.
Software Description:
- linux-ti-omap4: Linux kernel for OMAP4
Details:
It was discovered that a race condition existed in the procfs
environ_read function in the Linux kernel, leading to an integer
underflow. A local attacker could use this to expose sensitive
information (kernel memory).
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
linux-image-3.2.0-1497-omap4 3.2.0-1497.124
linux-image-omap4 3.2.0.1497.92
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
http://www.ubuntu.com/usn/usn-3159-2
http://www.ubuntu.com/usn/usn-3159-1
CVE-2016-7916
Package Information:
https://launchpad.net/ubuntu/+source/linux-ti-omap4/3.2.0-1497.124
[USN-3160-2] Linux kernel (Trusty HWE) vulnerabilities
Ubuntu Security Notice USN-3160-2
December 20, 2016
linux-lts-trusty vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
Summary:
Several security issues were fixed in the kernel.
Software Description:
- linux-lts-trusty: Linux hardware enablement kernel from Trusty for Precise
Details:
USN-3160-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu
12.04 LTS.
CAI Qian discovered that shared bind mounts in a mount namespace
exponentially added entries without restriction to the Linux kernel's mount
table. A local attacker could use this to cause a denial of service (system
crash). (CVE-2016-6213)
It was discovered that a race condition existed in the procfs
environ_read function in the Linux kernel, leading to an integer
underflow. A local attacker could use this to expose sensitive
information (kernel memory). (CVE-2016-7916)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
linux-image-3.13.0-106-generic 3.13.0-106.153~precise1
linux-image-3.13.0-106-generic-lpae 3.13.0-106.153~precise1
linux-image-generic-lpae-lts-trusty 3.13.0.106.97
linux-image-generic-lts-trusty 3.13.0.106.97
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
http://www.ubuntu.com/usn/usn-3160-2
http://www.ubuntu.com/usn/usn-3160-1
CVE-2016-6213, CVE-2016-7916
Package Information:
https://launchpad.net/ubuntu/+source/linux-lts-trusty/3.13.0-106.153~precise1
[USN-3160-1] Linux kernel vulnerabilities
Ubuntu Security Notice USN-3160-1
December 20, 2016
linux vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in the kernel.
Software Description:
- linux: Linux kernel
Details:
CAI Qian discovered that shared bind mounts in a mount namespace
exponentially added entries without restriction to the Linux kernel's mount
table. A local attacker could use this to cause a denial of service (system
crash). (CVE-2016-6213)
It was discovered that a race condition existed in the procfs
environ_read function in the Linux kernel, leading to an integer
underflow. A local attacker could use this to expose sensitive
information (kernel memory). (CVE-2016-7916)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS:
linux-image-3.13.0-106-generic 3.13.0-106.153
linux-image-3.13.0-106-generic-lpae 3.13.0-106.153
linux-image-3.13.0-106-lowlatency 3.13.0-106.153
linux-image-3.13.0-106-powerpc-e500 3.13.0-106.153
linux-image-3.13.0-106-powerpc-e500mc 3.13.0-106.153
linux-image-3.13.0-106-powerpc-smp 3.13.0-106.153
linux-image-3.13.0-106-powerpc64-emb 3.13.0-106.153
linux-image-3.13.0-106-powerpc64-smp 3.13.0-106.153
linux-image-generic 3.13.0.106.114
linux-image-generic-lpae 3.13.0.106.114
linux-image-lowlatency 3.13.0.106.114
linux-image-powerpc-e500 3.13.0.106.114
linux-image-powerpc-e500mc 3.13.0.106.114
linux-image-powerpc-smp 3.13.0.106.114
linux-image-powerpc64-emb 3.13.0.106.114
linux-image-powerpc64-smp 3.13.0.106.114
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
http://www.ubuntu.com/usn/usn-3160-1
CVE-2016-6213, CVE-2016-7916
Package Information:
https://launchpad.net/ubuntu/+source/linux/3.13.0-106.153
[CentOS-announce] CESA-2016:2962 Important CentOS 5 kernel Security Update
Upstream details at : https://rhn.redhat.com/errata/RHSA-2016-2962.html
The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )
i386:
5d69404633f8d2f60fc0e7d1a40ced26d37aa6c866da3ef1751ef82e389f7559 kernel-2.6.18-417.el5.i686.rpm
1d6969390c8c5db3f957d8960f5f4cd6877c0972121876837d0a2e3a04c8d6c9 kernel-debug-2.6.18-417.el5.i686.rpm
ef7d5666bcfd989c9a6dd89da70bf8559596d9623e192acce921f0588b30a15d kernel-debug-devel-2.6.18-417.el5.i686.rpm
b90d63c5ec0525016b0de727badee246b4eb3f58fb65d7789f722eab46c12d4d kernel-devel-2.6.18-417.el5.i686.rpm
c3121e0532cb3333c202c7c904089a431e4cc5d40212ea3c98ec1d53f66e38c3 kernel-doc-2.6.18-417.el5.noarch.rpm
a398a0c9b51012edbbb81ed99fad1240cf894fcb15e9b94dc4a0f6720fbb837c kernel-headers-2.6.18-417.el5.i386.rpm
fe825154419eeea085da0bfbbd088fca9422a32ba5cdafb5b53a723dc2d2804d kernel-PAE-2.6.18-417.el5.i686.rpm
8f3f08be4c169e44c76a8307d21b52bd75b0f40fd5e4e35dc22a9547fc370250 kernel-PAE-devel-2.6.18-417.el5.i686.rpm
acfe2b503ffcf5fb99b25f38ece409b7b855de03bae5213e6ed303c977f66c67 kernel-xen-2.6.18-417.el5.i686.rpm
5ca41d3cfa9d440176099dcbf7e71671e38905bad6294d08b145327bfea98a0a kernel-xen-devel-2.6.18-417.el5.i686.rpm
x86_64:
0b49bdc656d4fa588bffb2a08db1f957218404a60330612637d977447fba543b kernel-2.6.18-417.el5.x86_64.rpm
5c8630c73e0184d846cc1351acd49243c4fc705b6fb469e4c378db4a5ddf217c kernel-debug-2.6.18-417.el5.x86_64.rpm
b11bad75570b914c42e5b975b6305c8d2b7c433e3ed88e5008c54993541f0539 kernel-debug-devel-2.6.18-417.el5.x86_64.rpm
5a7631636c1117d114706d767c7fbef1f4254716df96455cc16570212d8a5f0d kernel-devel-2.6.18-417.el5.x86_64.rpm
c3121e0532cb3333c202c7c904089a431e4cc5d40212ea3c98ec1d53f66e38c3 kernel-doc-2.6.18-417.el5.noarch.rpm
4a97652b4e507aa3b06a742b88a10f0de6aae540a33ba7f1ca3adfce40a3978c kernel-headers-2.6.18-417.el5.x86_64.rpm
02df536f2152ce88bd30a43ebe2abd6111461d6120803670a188cd8b6522dfd5 kernel-xen-2.6.18-417.el5.x86_64.rpm
5998dfa81bc41200a4562c587f7b21b7a7f2ea421c928b9629ce32891ea79c72 kernel-xen-devel-2.6.18-417.el5.x86_64.rpm
Source:
7c1e80ff58a493f262c48dc80ba53d3276064ab22b5a9eb4e02713a3107d25c0 kernel-2.6.18-417.el5.src.rpm
--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: JohnnyCentOS
_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
https://lists.centos.org/mailman/listinfo/centos-announce
[CentOS-announce] CESA-2016:2963 Important CentOS 5 xen Security Update
Upstream details at : https://rhn.redhat.com/errata/RHSA-2016-2963.html
The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )
i386:
2f13f1c8b55429e9ed1e4652cbcdf32f10b611fe329e7d5e8722bf4183cc6e55 xen-3.0.3-148.el5_11.i386.rpm
b4628bbdf7ce77a94d18412ba19e40da9b52a8ccd7358242f613cb125e4d5dde xen-devel-3.0.3-148.el5_11.i386.rpm
6676dc198f1e20aaf3022ba7febc18e618538b7d61f1d7554e5154741ab8e86e xen-libs-3.0.3-148.el5_11.i386.rpm
x86_64:
7aebf9aa212e6289f89e28d9575a1ec83b319206d0ddda050f721fe19f1c0c04 xen-3.0.3-148.el5_11.x86_64.rpm
b4628bbdf7ce77a94d18412ba19e40da9b52a8ccd7358242f613cb125e4d5dde xen-devel-3.0.3-148.el5_11.i386.rpm
10e915469aeaa3b177e939522cfe6c7ad8e4a3a90e2d2403b958f55798269a06 xen-devel-3.0.3-148.el5_11.x86_64.rpm
6676dc198f1e20aaf3022ba7febc18e618538b7d61f1d7554e5154741ab8e86e xen-libs-3.0.3-148.el5_11.i386.rpm
10711bb93f87c94e0933c5ad0f468f162471d4104b499bffe1313bb344ecdbb7 xen-libs-3.0.3-148.el5_11.x86_64.rpm
Source:
e09c3f66be0c6abb4935124d828bc50b256215451fcb3d9f673d790f298f2701 xen-3.0.3-148.el5_11.src.rpm
--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: JohnnyCentOS
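The CentOS announcements above publish a sha256 for every RPM so that a file fetched from a mirror can be checked before it is installed. Two details of the format matter to a parser: the list is broken up by section headers (i386:, x86_64:, Source:), and the x86_64 section repeats the i386 -devel and -libs packages for multilib, so one filename can legitimately appear twice with the same digest, while the same name with two different digests should be refused. The Python script below is an added example, not CentOS project tooling: it parses the CESA-2016:2963 list quoted from above, then hashes a directory of downloads and reports each listed file as ok, MISMATCH or missing. The files it checks are constructed in a temporary directory so it runs offline.

```python
"""Verify downloaded RPMs against a CentOS-announce "( sha256sum Filename )" list.

Added example, not CentOS project tooling.
"""
import hashlib
import os
import re
import tempfile

# Copied from the CESA-2016:2963 announcement above (xen, CentOS 5).
CESA_2016_2963 = """\
i386:
2f13f1c8b55429e9ed1e4652cbcdf32f10b611fe329e7d5e8722bf4183cc6e55 xen-3.0.3-148.el5_11.i386.rpm
b4628bbdf7ce77a94d18412ba19e40da9b52a8ccd7358242f613cb125e4d5dde xen-devel-3.0.3-148.el5_11.i386.rpm
6676dc198f1e20aaf3022ba7febc18e618538b7d61f1d7554e5154741ab8e86e xen-libs-3.0.3-148.el5_11.i386.rpm
x86_64:
7aebf9aa212e6289f89e28d9575a1ec83b319206d0ddda050f721fe19f1c0c04 xen-3.0.3-148.el5_11.x86_64.rpm
b4628bbdf7ce77a94d18412ba19e40da9b52a8ccd7358242f613cb125e4d5dde xen-devel-3.0.3-148.el5_11.i386.rpm
10e915469aeaa3b177e939522cfe6c7ad8e4a3a90e2d2403b958f55798269a06 xen-devel-3.0.3-148.el5_11.x86_64.rpm
6676dc198f1e20aaf3022ba7febc18e618538b7d61f1d7554e5154741ab8e86e xen-libs-3.0.3-148.el5_11.i386.rpm
10711bb93f87c94e0933c5ad0f468f162471d4104b499bffe1313bb344ecdbb7 xen-libs-3.0.3-148.el5_11.x86_64.rpm
Source:
e09c3f66be0c6abb4935124d828bc50b256215451fcb3d9f673d790f298f2701 xen-3.0.3-148.el5_11.src.rpm
"""

CHECKSUM_LINE = re.compile(r"^([0-9a-f]{64})\s+(\S+)$")


def parse_checksums(text):
    """Map filename -> sha256 hex digest. Section headers are skipped; a file
    listed twice with the same digest (multilib) is fine, with different
    digests it is an error rather than a silent overwrite."""
    expected = {}
    for line in text.splitlines():
        m = CHECKSUM_LINE.match(line.strip())
        if not m:
            continue
        digest, name = m.group(1), m.group(2).strip()
        if expected.get(name, digest) != digest:
            raise ValueError(f"conflicting digests listed for {name}")
        expected[name] = digest
    return expected


def sha256_file(path, chunk=1 << 20):
    """Stream the file through sha256 so large RPMs are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_directory(expected, directory):
    """Return filename -> 'ok' | 'MISMATCH' | 'missing' for every listed file."""
    result = {}
    for name, digest in expected.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            result[name] = "missing"
        elif sha256_file(path) == digest:
            result[name] = "ok"
        else:
            result[name] = "MISMATCH"
    return result


def demo():
    """Run the check on constructed files: one intact, one altered, one absent.
    The expected digests are computed here from the constructed content; a real
    run would take them from parse_checksums() on the announcement."""
    intact = b"constructed rpm payload"
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "intact.rpm"), "wb") as f:
            f.write(intact)
        with open(os.path.join(d, "altered.rpm"), "wb") as f:
            f.write(intact + b", modified in transit")
        expected = {
            "intact.rpm": hashlib.sha256(intact).hexdigest(),
            "altered.rpm": hashlib.sha256(intact).hexdigest(),
            "absent.rpm": "0" * 64,  # placeholder digest; never downloaded
        }
        return verify_directory(expected, d)


if __name__ == "__main__":
    print(len(parse_checksums(CESA_2016_2963)), "files listed in CESA-2016:2963")
    print(demo())
```

Usage on a real download directory is `verify_directory(parse_checksums(open("announcement.txt").read()), "downloads/")`; anything reported as MISMATCH should not be installed, and a "missing" entry for an architecture you do not use is expected.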
Monday, December 19, 2016
Re: FAmSCo elections - December 2016/January 2017
Campaign period. For the 7 seats we have the following 13 candidates:
* Giannis Konstantinidis (giannisk)
* Itamar Reis Peixoto (itamarjp)
* Frederico Lima (fredlima)
* Daniel Lara (danniel)
* Marcel Ribeiro Dantas (mribeirodantas)
* Tulio Macedo (_Teseu_ / teseu)
* Lucas Landim (landim)
* Jona Azizaj (jonatoni)
* Sirko Kemter (gnokii)
* Sylvia Sanchez (Kohane / lailah)
* Zacharias Mitzelos (mitzie)
* Robert Mayr (robyduck)
* Gabriele Trombini (mailga)
Let me wish all the candidates who nominated for FAmSCo a lot of
success. Their campaign will end on January 9th, 2017 at 23:59 UTC.
Regards,
Jan
On Tue, Dec 13, 2016 at 1:02 AM, Jan Kurik <jkurik@redhat.com> wrote:
> Greetings,
>
> FAmSCo elections are now open and we're looking for new candidates:
> https://fedoraproject.org/wiki/Elections
>
> For FAmSCo we have opened seven seats:
> https://fedoraproject.org/wiki/FAmSCo_nominations
>
> The Elections schedule is as follows:
> * December 13 - December 19: Nomination period open (closes promptly at
> 23:59 UTC on December 19th)
> * December 20 - January 09: Campaign period. Individual blog posts, etc.
> encouraged. We will also have an interview with answers published on the
> Fedora Community Blog.
> * January 10 - January 16: Voting open (closes promptly at 23:59 UTC on
> January 16th)
> * January 17: Results announcement
>
> Elections Questionnaire needs more questions for email/Community blog
> interviews! If you have anything you would like to ask candidates to FAmSCo,
> please add it to the wiki.
> https://fedoraproject.org/wiki/Elections/Questionnaire#FAmSCo
>
> Read more about the FAmSCo at:
> https://fedoraproject.org/wiki/Fedora_Ambassadors_Steering_Committee
>
> Thanks for your support,
> Jan
> --
> Jan Kuřík
> Platform & Fedora Program Manager
> Red Hat Czech s.r.o., Purkynova 99/71, 612 45 Brno, Czech Republic
--
Jan Kuřík
Platform & Fedora Program Manager
Red Hat Czech s.r.o., Purkynova 99/71, 612 45 Brno, Czech Republic
[USN-3158-1] Samba vulnerabilities
Ubuntu Security Notice USN-3158-1
December 19, 2016
samba vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary:
Several security issues were fixed in Samba.
Software Description:
- samba: SMB/CIFS file, print, and login server for Unix
Details:
Frederic Besler and others discovered that the ndr_pull_dnsp_nam
function in Samba contained an integer overflow. An authenticated
attacker could use this to gain administrative privileges. This issue
only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 16.10.
(CVE-2016-2123)
Simo Sorce discovered that Samba clients always requested
a forwardable ticket when using Kerberos authentication. An
attacker could use this to impersonate an authenticated user or
service. (CVE-2016-2125)
Volker Lendecke discovered that Kerberos PAC validation implementation
in Samba contained multiple vulnerabilities. An authenticated attacker
could use this to cause a denial of service or gain administrative
privileges. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04
LTS, and Ubuntu 16.10. (CVE-2016-2126)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.10:
libsmbclient 2:4.4.5+dfsg-2ubuntu5.2
samba 2:4.4.5+dfsg-2ubuntu5.2
winbind 2:4.4.5+dfsg-2ubuntu5.2
Ubuntu 16.04 LTS:
libsmbclient 2:4.3.11+dfsg-0ubuntu0.16.04.3
samba 2:4.3.11+dfsg-0ubuntu0.16.04.3
winbind 2:4.3.11+dfsg-0ubuntu0.16.04.3
Ubuntu 14.04 LTS:
libsmbclient 2:4.3.11+dfsg-0ubuntu0.14.04.4
samba 2:4.3.11+dfsg-0ubuntu0.14.04.4
winbind 2:4.3.11+dfsg-0ubuntu0.14.04.4
Ubuntu 12.04 LTS:
libsmbclient 2:3.6.25-0ubuntu0.12.04.5
samba 2:3.6.25-0ubuntu0.12.04.5
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-3158-1
CVE-2016-2123, CVE-2016-2125, CVE-2016-2126
Package Information:
https://launchpad.net/ubuntu/+source/samba/2:4.4.5+dfsg-2ubuntu5.2
https://launchpad.net/ubuntu/+source/samba/2:4.3.11+dfsg-0ubuntu0.16.04.3
https://launchpad.net/ubuntu/+source/samba/2:4.3.11+dfsg-0ubuntu0.14.04.4
https://launchpad.net/ubuntu/+source/samba/2:3.6.25-0ubuntu0.12.04.5
i686 migrated to Alternative Architecture status
migrated to alternative architecture status. This completes a
transition that began with Fedora 24 where i686 was not being
prioritized at a kernel or Edition image level, and that continued
into Fedora 25 where i686 media was no longer blocking or created in
several Editions.
Specifically, i686 will continue to be built in koji as all
architectures are today under the new definitions of Alternative
Architectures [1], and will also still be present in x86_64 media and
repositories for multilib where applicable. The i686-only repositories
have been migrated off of the primary mirror location and will be
served from the alternative mirror location [2].
Community members that wish to continue development of i686 are
encouraged to form a SIG and collaborate to keep packages building and
well tested on such hardware.
--FESCo
[1] https://fedoraproject.org/wiki/Architectures/RedefiningSecondaryArchitectures
[2] http://dl.fedoraproject.org/pub/fedora-secondary/development/rawhide/
Friday, December 16, 2016
[USN-3156-2] APT regression
Ubuntu Security Notice USN-3156-2
December 17, 2016
apt regression
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.10
Summary:
USN-3156-1 introduced a regression in unattended-upgrades that may require
manual intervention to repair.
Software Description:
- apt: Advanced front-end for dpkg
Details:
USN-3156-1 fixed vulnerabilities in APT. It also caused a bug in
unattended-upgrades that may require manual intervention to repair.
Users on Ubuntu 16.10 should run the following commands at a
terminal:
sudo dpkg --configure --pending
sudo apt-get -f install
This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
Jann Horn discovered that APT incorrectly handled InRelease files.
If a remote attacker were able to perform a man-in-the-middle attack,
this flaw could potentially be used to install altered packages.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.10:
apt 1.3.3
After a standard system update you should run the following commands
to make all the necessary changes:
sudo dpkg --configure --pending
sudo apt-get -f install
References:
http://www.ubuntu.com/usn/usn-3156-2
http://www.ubuntu.com/usn/usn-3156-1
https://launchpad.net/bugs/1649959
Package Information:
https://launchpad.net/ubuntu/+source/apt/1.3.3
[CentOS-announce] CESA-2016:2946 Critical CentOS 5 firefox Security Update
Upstream details at : https://rhn.redhat.com/errata/RHSA-2016-2946.html
The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )
i386:
05841bbe8a0c53eaca90941728d7d0c4065acbb635c0c3d7704a4a098aea4cef firefox-45.6.0-1.el5.centos.i386.rpm
x86_64:
05841bbe8a0c53eaca90941728d7d0c4065acbb635c0c3d7704a4a098aea4cef firefox-45.6.0-1.el5.centos.i386.rpm
520c15f59fbe25a57eea76d2f71aceeb070a4ed96cad57fa9b1cd3dc7cb00d5b firefox-45.6.0-1.el5.centos.x86_64.rpm
Source:
7cbb37ecab2cb61dc8c6bc21b2a0b69c74d6a3f4f4ef63e8d3d042112348ee5f firefox-45.6.0-1.el5.centos.src.rpm
--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: JohnnyCentOS
_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
https://lists.centos.org/mailman/listinfo/centos-announce
[CentOS-announce] CESA-2016:2946 Critical CentOS 7 firefox Security Update
Upstream details at : https://rhn.redhat.com/errata/RHSA-2016-2946.html
The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )
x86_64:
5afee9ca4f6e98a7119b4357f86ae73095ba96d73abe765a71ad54c003f5d73d firefox-45.6.0-1.el7.centos.i686.rpm
915f7b6a4b40f998d6036b9b919cc572ba81c5b9beff841ff308d5aa96f1e268 firefox-45.6.0-1.el7.centos.x86_64.rpm
Source:
c2fc8a1f20d3efdc9c438e624ecd0200e1c027a2bcdab2bf1d23a184b5e6e863 firefox-45.6.0-1.el7.centos.src.rpm
--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS
[CentOS-announce] CESA-2016:2946 Critical CentOS 6 firefox Security Update
Upstream details at : https://rhn.redhat.com/errata/RHSA-2016-2946.html
The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )
i386:
dba846c43628caac19968046676e2bf70699f0d4746f6fd2757455f8595d1ac5 firefox-45.6.0-1.el6.centos.i686.rpm
x86_64:
dba846c43628caac19968046676e2bf70699f0d4746f6fd2757455f8595d1ac5 firefox-45.6.0-1.el6.centos.i686.rpm
196c0f5af66c2808b1bbb9b5462dc3fe57e46e12be5008278f1cebd827063d23 firefox-45.6.0-1.el6.centos.x86_64.rpm
Source:
a6234d1b91129e1decc78b16d74c3b1066d33b5caafd1e8d155f339531b57747 firefox-45.6.0-1.el6.centos.src.rpm
--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS
Thursday, December 15, 2016
Planned outage: pagure.io - 2016-12-16 16:00 UTC
last approximately 4 hours.
To convert UTC to your local time, take a look at
https://fedoraproject.org/wiki/UTCHowto
or run:
date -d '2016-12-16 16:00 UTC'
Reason for outage:
We will be moving backend storage for pagure.org to a larger volume and
increasing its size to handle further growth in the coming year.
Affected Services:
All services on .pagure.org / .pagure.io
Contact Information: infrastructure@lists.fedoraproject.org
Please join #fedora-admin in irc.freenode.net or add comments to the
ticket for this outage above.
Wednesday, December 14, 2016
[USN-3157-1] Apport vulnerabilities
Ubuntu Security Notice USN-3157-1
December 14, 2016
apport vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary:
Apport could be made to run programs as your login if it opened a
specially crafted file.
Software Description:
- apport: automatically generate crash reports for debugging
Details:
Donncha O Cearbhaill discovered that the crash file parser in Apport
improperly treated the CrashDB field as python code. An attacker could
use this to convince a user to open a maliciously crafted crash file
and execute arbitrary code with the privileges of that user. This issue
only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-9949)
Donncha O Cearbhaill discovered that Apport did not properly sanitize the
Package and SourcePackage fields in crash files before processing package
specific hooks. An attacker could use this to convince a user to open a
maliciously crafted crash file and execute arbitrary code with the
privileges of that user. (CVE-2016-9950)
Donncha O Cearbhaill discovered that Apport would offer to restart an
application based on the contents of the RespawnCommand or ProcCmdline
fields in a crash file. An attacker could use this to convince a user to
open a maliciously crafted crash file and execute arbitrary code with the
privileges of that user. (CVE-2016-9951)
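The three issues above share one root cause: fields read from an untrusted crash file were treated as code or used, unvalidated, to build a filesystem path. The following is an added example, not Apport's own code, showing the defensive pattern a report parser should apply: interpret CrashDB strictly as data (a configured database name or a literal dict via ast.literal_eval, which refuses anything that would have to be executed) and accept a Package or SourcePackage name only if it matches the package-name grammar before it becomes part of a hook path. The hook directory, the character allow-lists and the two sample reports are assumptions constructed for this demonstration.

```python
"""Hardened handling of the Apport report fields named in USN-3157-1.

Added example, not Apport's own code. Apport reports are "Key: value" text;
the functions below parse the CrashDB, Package and SourcePackage fields as
data only and reject values that fail validation instead of executing or
using them. Paths, regexes and sample reports are constructed assumptions.
"""
import ast
import re
from pathlib import PurePosixPath

# Assumed hook directory (Apport's default location for package hooks).
HOOKS_DIR = PurePosixPath("/usr/share/apport/package-hooks")

# Debian package-name grammar: first char alphanumeric, then lowercase
# alphanumerics, '+', '-' or '.'; at least two characters in total.
PACKAGE_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9+.-]+$")
# Constructed allow-list for the name of a configured crash database.
CRASHDB_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")


def parse_report(text):
    """Split an Apport-style 'Key: value' report into a dict.

    Continuation lines (starting with whitespace) belong to multi-line values
    and are skipped; the fields checked here are always single-line.
    """
    fields = {}
    for line in text.splitlines():
        if not line.strip() or line[0].isspace():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed report line: {line!r}")
        fields[key.strip()] = value.strip()
    return fields


def parse_crashdb(value):
    """Interpret CrashDB as data: a database name or a literal dict.

    ast.literal_eval accepts only Python literals (strings, numbers, dicts,
    lists, ...) and raises on calls, names or attribute access, so a value
    that is really code is rejected rather than run.
    """
    if value.startswith("{"):
        try:
            spec = ast.literal_eval(value)
        except (ValueError, SyntaxError) as exc:
            raise ValueError("CrashDB is not a literal dict") from exc
        if not isinstance(spec, dict) or not all(isinstance(k, str) for k in spec):
            raise ValueError("CrashDB dict must have string keys")
        return spec
    if not CRASHDB_NAME_RE.match(value):
        raise ValueError(f"CrashDB name contains unexpected characters: {value!r}")
    return value


def package_hook_path(package_field, source=False):
    """Derive the hook file for a Package/SourcePackage field ('<name> <version>').

    Only a name that matches the package grammar may become part of a path;
    the parent check is defence in depth against ever leaving HOOKS_DIR.
    """
    parts = package_field.split()
    name = parts[0] if parts else ""
    if not PACKAGE_NAME_RE.match(name):
        raise ValueError(f"package name fails validation: {name!r}")
    path = HOOKS_DIR / (f"source_{name}.py" if source else f"{name}.py")
    if path.parent != HOOKS_DIR:
        raise ValueError("hook path escapes the hooks directory")
    return path


def audit_report(text):
    """Return the list of validation failures for a report; empty means clean."""
    fields = parse_report(text)
    problems = []
    if "CrashDB" in fields:
        try:
            parse_crashdb(fields["CrashDB"])
        except ValueError as exc:
            problems.append(f"CrashDB: {exc}")
    for key, is_source in (("Package", False), ("SourcePackage", True)):
        if key in fields:
            try:
                package_hook_path(fields[key], source=is_source)
            except ValueError as exc:
                problems.append(f"{key}: {exc}")
    return problems


# Constructed sample reports, not real crash files.
CLEAN_REPORT = """\
ProblemType: Crash
CrashDB: {'impl': 'launchpad', 'project': 'apport'}
Package: apport 2.20.3-0ubuntu8
SourcePackage: apport
"""

BAD_REPORT = """\
ProblemType: Crash
CrashDB: {'impl': 'launchpad', 'project': str(42)}
Package: ../evil 1.0
SourcePackage: apport
"""

if __name__ == "__main__":
    for label, report in (("clean", CLEAN_REPORT), ("bad", BAD_REPORT)):
        print(label, audit_report(report) or "ok")
```

Running the block reports the clean sample as ok and lists two failures for the bad one: a CrashDB value that contains a call rather than a literal, and a Package name that would have left the hook directory. The point of the design is that validation happens before any field is used, so a rejected report never reaches hook loading or database code.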
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.10:
apport 2.20.3-0ubuntu8.2
apport-gtk 2.20.3-0ubuntu8.2
apport-kde 2.20.3-0ubuntu8.2
python-apport 2.20.3-0ubuntu8.2
python3-apport 2.20.3-0ubuntu8.2
Ubuntu 16.04 LTS:
apport 2.20.1-0ubuntu2.4
apport-gtk 2.20.1-0ubuntu2.4
apport-kde 2.20.1-0ubuntu2.4
python-apport 2.20.1-0ubuntu2.4
python3-apport 2.20.1-0ubuntu2.4
Ubuntu 14.04 LTS:
apport 2.14.1-0ubuntu3.23
apport-gtk 2.14.1-0ubuntu3.23
apport-kde 2.14.1-0ubuntu3.23
python-apport 2.14.1-0ubuntu3.23
python3-apport 2.14.1-0ubuntu3.23
Ubuntu 12.04 LTS:
apport 2.0.1-0ubuntu17.15
apport-gtk 2.0.1-0ubuntu17.15
apport-kde 2.0.1-0ubuntu17.15
python-apport 2.0.1-0ubuntu17.15
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-3157-1
CVE-2016-9949, CVE-2016-9950, CVE-2016-9951
Package Information:
https://launchpad.net/ubuntu/+source/apport/2.20.3-0ubuntu8.2
https://launchpad.net/ubuntu/+source/apport/2.20.1-0ubuntu2.4
https://launchpad.net/ubuntu/+source/apport/2.14.1-0ubuntu3.23
https://launchpad.net/ubuntu/+source/apport/2.0.1-0ubuntu17.15
[CentOS-announce] Release for CentOS userland 7(1611) on armhfp
I am pleased to announce the general availability of CentOS Linux 7
(1611) for armhfp compatible machines.
This is the current release for CentOS Linux
7 and is tagged as 1611, derived from Red Hat Enterprise Linux 7.3
== Download
You can download new images for armhfp boards on
http://mirror.centos.org/altarch/7/isos/armhfp/
Images and sha256sums :
067b147ebdbaf7df04e8338e51de72dea87343992f1c29a03950ecf65a598869
CentOS-Userland-7-armv7hl-Minimal-1611-BananaPi.img.xz
81472c2b8497081b18d53a5cc07815df015eb9efd4303c228713c7b497ed637b
CentOS-Userland-7-armv7hl-Minimal-1611-Cubieboard.img.xz
2ff7fad419a629f96fd9400e0cbaf96632d981de8e7d6f29b4b48999d0c7cfe4
CentOS-Userland-7-armv7hl-Minimal-1611-CubieTruck.img.xz
2237b41107707428c442e40fcea1ee594ab534644df3760d491fdbbfa7535603
CentOS-Userland-7-armv7hl-Minimal-1611-RaspberryPi2.img.xz
deb8ec2e74d4cd084a566434652a95bf33c8e4edcb5d4a1e04435a0b6fce9dfb
CentOS-Userland-7-armv7hl-Minimal-1611-RaspberryPi3.img.xz
== What's new (specific to armhfp)
As before, CentOS 7 userland for armhfp is still built from the CentOS 7
distribution, with some modified, added (or removed) packages.
Here are some highlights for the 7.3.1611 release :
- Kernel (for both rpi2/2 and generic boards) was bumped to 4.4.x (LTS
version) to also follow the i386 AltArch kernel.
- uboot images were updated to version 2016.09
- rootfs-resize (unmaintained) had issues when resizing FS bigger than
32Gb, and has been replaced by cloud-utils-growpart
- default image[s] for rpi2/rpi3 now also support selinux directly
More information/details on the dedicated wiki page :
https://wiki.centos.org/SpecialInterestGroup/AltArch/Arm32
== Getting help
If you are searching for help, or would like to help the CentOS
altarch/armhfp ecosystem, feel free to subscribe to the CentOS arm-dev
list (https://lists.centos.org/mailman/listinfo/arm-dev) or chat with us
in #centos-arm on irc.freenode.net
--
Fabian Arrotin
The CentOS Project | http://www.centos.org
gpg key: 56BEC54E | twitter: @arrfab
Tuesday, December 13, 2016
[USN-3155-1] Firefox vulnerabilities
==========================================================================
Ubuntu Security Notice USN-3155-1
December 13, 2016
firefox vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary:
Firefox could be made to crash or run programs as your login if it
opened a malicious website.
Software Description:
- firefox: Mozilla Open Source web browser
Details:
Multiple security vulnerabilities were discovered in Firefox. If a user
were tricked in to opening a specially crafted website, an attacker could
potentially exploit these to conduct cross-site scripting (XSS) attacks,
obtain sensitive information, cause a denial of service via application
crash, or execute arbitrary code. (CVE-2016-9080, CVE-2016-9893,
CVE-2016-9894, CVE-2016-9895, CVE-2016-9896, CVE-2016-9897, CVE-2016-9898,
CVE-2016-9899, CVE-2016-9900, CVE-2016-9901, CVE-2016-9902, CVE-2016-9903,
CVE-2016-9904)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.10:
firefox 50.1.0+build2-0ubuntu0.16.10.1
Ubuntu 16.04 LTS:
firefox 50.1.0+build2-0ubuntu0.16.04.1
Ubuntu 14.04 LTS:
firefox 50.1.0+build2-0ubuntu0.14.04.1
Ubuntu 12.04 LTS:
firefox 50.1.0+build2-0ubuntu0.12.04.1
After a standard system update you need to restart Firefox to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-3155-1
CVE-2016-9080, CVE-2016-9893, CVE-2016-9894, CVE-2016-9895,
CVE-2016-9896, CVE-2016-9897, CVE-2016-9898, CVE-2016-9899,
CVE-2016-9900, CVE-2016-9901, CVE-2016-9902, CVE-2016-9903,
CVE-2016-9904
Package Information:
https://launchpad.net/ubuntu/+source/firefox/50.1.0+build2-0ubuntu0.16.10.1
https://launchpad.net/ubuntu/+source/firefox/50.1.0+build2-0ubuntu0.16.04.1
https://launchpad.net/ubuntu/+source/firefox/50.1.0+build2-0ubuntu0.14.04.1
https://launchpad.net/ubuntu/+source/firefox/50.1.0+build2-0ubuntu0.12.04.1
Announcement: Fedora Docker Layered Image Build Service is GO!
of the Fedora Docker Layered Image Build Service[0] to the Fedora Contributor
Community!
With this announcement we are opening availability of the Docker Layered
Image Build Service for the Docker Layered Images[1] that the Fedora Cloud
SIG[2] has been the primary maintainers[3] of on GitHub into DistGit as
official components of Fedora. From there we will be extending an invitation
to all Fedora Contributors to maintain Docker Layered Image Containers for
official release by the Fedora Project. Currently this effort is to enable
the Fedora Cloud/Atomic WG[2] goals which target Fedora Atomic Host[4] as a
primary deliverable to power the future of Cloud. This is also to enable the
Fedora Modularity[5] work to be delivered as Containers in the future as Fedora
becomes fundamentally more modular in nature.
How do I get started?
Contributors will go through a similar process as what they currently do
with RPM Review Requests. There will be Container Reviews as well as
Container Guidelines:
https://fedoraproject.org/wiki/Container:Review_Process
https://fedoraproject.org/wiki/Container:Guidelines
At this time the Cloud/Atomic WG[2] will maintain the Guidelines as well as
the Review Process along with input from all Fedora Contributors. This may
change later with the formation of a Fedora Container Committee (similar to
the Fedora Packaging Committee[6]).
Please note that both the Guidelines and the Review Process are likely to
evolve along with the Container technologies as we move into the future so
we encourage community members to check the documentation for updates.
For more information, please see the following Fedora Community Blog:
https://communityblog.fedoraproject.org/fedora-docker-layered-image-build-service-now-available/
[0] - https://fedoraproject.org/wiki/Changes/Layered_Docker_Image_Build_Service
[1] - https://fedoraproject.org/wiki/Cloud
[2] - https://docs.docker.com/engine/userguide/storagedriver/imagesandcontainers/
[3] - https://github.com/fedora-cloud/Fedora-Dockerfiles
[4] - https://getfedora.org/en/atomic/download/
[5] - https://fedoraproject.org/wiki/Modularity
[6] - https://fedoraproject.org/wiki/Packaging_Committee