Monday, October 31, 2016

Re: [announce] [talk] NYC*BUG Nov 2: Ike on Infrastructure in a Post-Cloud Era

Hey All,

One more little bit for Wed. meeting:

ARIN 38!
If nobody objects, I'd like to give a brief report from ARIN proceedings, and a quick report on Internet- and Numbers-related issues the BSD community can strategically make a great impact with (and how to help and engage!)

Unless there are any objections, I'll just plan to spend 5 (10) minutes on it!

Best,
.ike

> On Oct 27, 2016, at 3:00 PM, George Rosamond <george@ceetonetechnology.com> wrote:
>
> We are working on some upcoming meeting topics. Feel free to ping admin@
> if you have a potential meeting idea.
>
> Wednesday, November 2
> Infrastructure in a Post-Cloud Era, Isaac (.ike) Levy
> 18:45, Woolworth Building: 233 Broadway, 21st Floor
> Notice: Location Change
>
> Abstract
>
> With a *BSD-minded perspective, we'll walk through the money and
> administrative ends of deploying cloud infrastructure, and compare it to
> experiences in colocation.
>
> Building modern internet applications is challenging; so why are so many
> technology companies relinquishing control over their technology? The
> public clouds, after all, are just computers owned by somebody else.
>
> This presentation contains real data crunched by data scientists, to
> help cut through marketing hype. Also covered, strategies and approaches
> to help you keep your stack "infrastructure agnostic", as well as
> strategies to make cloud metered costs less opaque.
>
> Note: This material was previously presented at LHMK, April 2016 - and
> will be presented assuming a technical audience.
>
> Speaker Bio
>
> Standing on the shoulders of giants, ike's background includes
> partnering to run a Virtual Server ISP before anyone called it a cloud,
> as well as having a long history building internet-facing infrastructure
> with UNIX systems.
>
> NYC startup veteran, and a long-time community contributor to the *BSD
> UNIX family, ike has grown computing infrastructure from a handful of
> virtual servers, to full datacenter-scale internet-facing infrastructure
> for a number of growth stage startups.
>
> .ike has been a part of NYC*BUG since it was first launched in January
> 2004, and was a long-time member of the Lower East Side Mac Unix User Group.
> He has spoken frequently on a number of UNIX and internet security
> topics at various venues, particularly on the topic of FreeBSD's
> jail(8), and his involvement in the OPNsense router firewall project.
>
> _______________________________________________
> talk mailing list
> talk@lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/talk

_______________________________________________
announce mailing list
announce@lists.nycbug.org
http://lists.nycbug.org/mailman/listinfo/announce

Readying the Fedora Join channels to receive newcomers

Hello everyone,


Like any FOSS community project, Fedora relies heavily on volunteers.
It is, therefore, no surprise that we're always looking to increase our
contributor base. There is always so much to be done. Of course, many
teams work in harmony to keep Fedora ticking. Each team tends to have
its own "on-boarding process" for newcomers, which, if you've been
around recently, you'll have noticed CommOps[0] has been working on
improving one by one.

Where do we point newcomers now?
--------------------------------

We already have some tools that help people find the right team and
task to get started with. whatcanidoforfedora.org[1], for example, does
an excellent job of matching people to the right team based on
their skills and interests. Another great place to quickly find
something easy to work on is our easy fix ticket list[2]. Last, but not
least, the new Fedora Hubs project[3], which is still a work in
progress, is going to make it even easier to see what's going on in the
community and where one can pitch in.

Talking to a human
------------------

In spite of all the tooling, newcomers seem to respond better to human
interaction. Integration is much easier when you have people to speak
to or query. Even while they're still picking up on the tools and
processes of various teams, they already feel part of the community. It
gives them that bit of confidence needed to actively take part in
discussions or volunteer to take up tasks.

With this in mind, some of us came together to set up the Fedora Join
SIG[4]. Our goal? Simply to set up certain channels where newcomers and
contributors can mix. We've started small with the usual IRC and
mailing list. 

- #fedora-join on Freenode[5]
- fedora-join AT lists.fedoraproject.org[6]

We need your help too!
----------------------

Before we begin tweaking our public-facing resources to funnel
newcomers into these channels, we want to make sure that we have enough
contributors available here to receive queries. The purpose of this
e-mail is to ask you to please add these channels to the list that you
already monitor. The more contributors from different parts of the
project we have in the channel, the higher the chances are of newcomers
finding interesting people to work with, interesting things to work on,
all while making friends who mostly outlast the Fedora release.

So, please do hang out in our IRC channel and mailing list to help
newcomers when you can.

Tip: Most IRC clients let you monitor a channel for keywords. For
example, in irssi[7], the following command would monitor the channel
for the word "design":

/hilight -channels #fedora-join design


[0] https://fedoraproject.org/wiki/CommOps
[1] http://whatcanidoforfedora.org/
[2] https://fedoraproject.org/easyfix
[3] https://pagure.io/fedora-hubs
[4] https://fedoraproject.org/wiki/Fedora_Join_SIG
[5] https://webchat.freenode.net/?channels=#fedora-join
[6] https://lists.fedoraproject.org/admin/lists/fedora-join@lists.fedoraproject.org/
[7] https://irssi.org/

--
Thanks,
Regards,
Ankur Sinha "FranciscoD"

http://fedoraproject.org/wiki/User:Ankursinha

[arch-announce] ttf-dejavu 2.37 will require forced upgrade

ttf-dejavu 2.37 will change the way the fontconfig configuration is installed. In
previous versions the configuration was symlinked from
post_install/post_upgrade; the new version places the files inside the
package, as fontconfig itself now does.

For more information about this change: https://bugs.archlinux.org/task/32312

To upgrade to ttf-dejavu 2.37, it is recommended to upgrade the package on its
own: pacman -S --force ttf-dejavu

URL: https://www.archlinux.org/news/ttf-dejavu-237-will-require-forced-upgrade/
_______________________________________________
arch-announce mailing list
arch-announce@archlinux.org
https://lists.archlinux.org/listinfo/arch-announce

Saturday, October 29, 2016

Re: ppc64 and ppc64le builds coming to rawhide

On Friday, October 28, 2016 2:54:19 PM CDT Dennis Gilmore wrote:
> Hi all,
>
> over the weekend we will be importing and enabling ppc64 and ppc64le builds
> in koji.fedoraproject.org as part of
> https://fedoraproject.org/wiki/Architectures/RedefiningSecondaryArchitectures
> The import and enablement of ppc64 and ppc64le is for rawhide only; we expect
> to add s390x sometime after f26 has branched.
>
> We will be making changes to the compose process early next week to enable
> ppc64 and ppc64le in the rawhide compose, a reminder that i386 has been
> moved from /pub/fedora/ to /pub/fedora-secondary/
>
> A further announcement will come when building of ppc64 and ppc64le is
> enabled
>
>
> Thanks
>
> Dennis

The arches are imported and builds have been enabled. If you experience any
issues or have questions, please ask releng or the power team in
#fedora-releng and #fedora-ppc on freenode, or by filing an issue in pagure or
sending an email to the respective lists.

Thanks

Dennis

Friday, October 28, 2016

ppc64 and ppc64le builds coming to rawhide

Hi all,

over the weekend we will be importing and enabling ppc64 and ppc64le builds in
koji.fedoraproject.org as part of
https://fedoraproject.org/wiki/Architectures/RedefiningSecondaryArchitectures
The import and enablement of ppc64 and ppc64le is for rawhide only; we expect
to add s390x sometime after f26 has branched.

We will be making changes to the compose process early next week to enable
ppc64 and ppc64le in the rawhide compose, a reminder that i386 has been moved
from /pub/fedora/ to /pub/fedora-secondary/

A further announcement will come when building of ppc64 and ppc64le is enabled


Thanks

Dennis

[CentOS-announce] CESA-2016:2124 Important CentOS 5 kernel Security Update

CentOS Errata and Security Advisory 2016:2124 Important

Upstream details at : https://rhn.redhat.com/errata/RHSA-2016-2124.html

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

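As an added example (not part of the CentOS announcement), a small Python checker that parses the "( sha256sum Filename )" list format used above and compares it with RPMs already fetched from a mirror; the advisory text and files built in demo() are constructed, no real packages are involved.

```python
"""Check RPMs fetched from a mirror against the '( sha256sum Filename )' list of a CESA."""
import hashlib
import re
import tempfile
from pathlib import Path

HEADER_RE = re.compile(r"^(\S+):$")                         # section lines: "i386:", "x86_64:", "Source:"
ENTRY_RE = re.compile(r"^([0-9a-fA-F]{64})\s+(\S+\.rpm)$")  # "<sha256>  <filename>"


def parse_advisory(text):
    """Return {section: [(sha256_hex, filename), ...]} from the advisory's file list."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER_RE.match(line):
            current = m.group(1)
            sections.setdefault(current, [])
        elif (m := ENTRY_RE.match(line)) and current is not None:
            sections[current].append((m.group(1).lower(), m.group(2)))
    return sections


def sha256_file(path, chunk=1 << 20):
    """Stream the file so large kernel packages do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while block := f.read(chunk):
            h.update(block)
    return h.hexdigest()


def verify_downloads(sections, directory):
    """Map each advertised filename to 'ok', 'mismatch' (digest differs) or 'missing'."""
    results = {}
    for entries in sections.values():
        for expected, name in entries:
            path = Path(directory) / name
            if not path.is_file():
                results[name] = "missing"
            else:
                results[name] = "ok" if sha256_file(path) == expected else "mismatch"
    return results


def demo():
    """Constructed scenario: an intact download, a file altered after the list was
    published, and a package that was never fetched. No real RPMs are involved."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "kernel-2.6.18-416.el5.x86_64.rpm"
        good.write_bytes(b"constructed payload standing in for an RPM\n")
        bad = Path(tmp) / "kernel-devel-2.6.18-416.el5.x86_64.rpm"
        bad.write_bytes(b"constructed payload that gets altered below\n")
        advisory = (
            "The following updated files have been uploaded and are currently\n"
            "syncing to the mirrors: ( sha256sum Filename )\n\n"
            "x86_64:\n"
            f"{sha256_file(good)} {good.name}\n"
            f"{sha256_file(bad)} {bad.name}\n\n"
            "Source:\n"
            f"{'0' * 64} kernel-2.6.18-416.el5.src.rpm\n"
        )
        bad.write_bytes(b"tampered or truncated download\n")  # digest no longer matches
        return verify_downloads(parse_advisory(advisory), tmp)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:8s} {name}")
```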



--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: JohnnyCentOS

_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
https://lists.centos.org/mailman/listinfo/centos-announce

Thursday, October 27, 2016

[USN-3112-1] Thunderbird vulnerabilities

==========================================================================
Ubuntu Security Notice USN-3112-1
October 27, 2016

thunderbird vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS

Summary:

Several security issues were fixed in Thunderbird.

Software Description:
- thunderbird: Mozilla Open Source mail and newsgroup client

Details:

Catalin Dumitru discovered that URLs of resources loaded after a
navigation start could be leaked to the following page via the Resource
Timing API. If a user were tricked into opening a specially crafted
website in a browsing context, an attacker could potentially exploit this
to obtain sensitive information. (CVE-2016-5250)

Christoph Diehl, Andrew McCreight, Dan Minor, Byron Campen, Jon Coppeard,
Steve Fink, Tyson Smith, and Carsten Book discovered multiple memory
safety issues in Thunderbird. If a user were tricked into opening a
specially crafted message, an attacker could potentially exploit these to
cause a denial of service via application crash, or execute arbitrary
code. (CVE-2016-5257)

Atte Kettunen discovered a heap buffer overflow during text conversion
with some Unicode characters. If a user were tricked into opening a
specially crafted message, an attacker could potentially exploit this to
cause a denial of service via application crash, or execute arbitrary
code. (CVE-2016-5270)

Abhishek Arya discovered a bad cast when processing layout with input
elements in some circumstances. If a user were tricked into opening a
specially crafted website in a browsing context, an attacker could
potentially exploit this to cause a denial of service via application
crash, or execute arbitrary code. (CVE-2016-5272)

A use-after-free was discovered in web animations during restyling. If a
user were tricked into opening a specially crafted website in a browsing
context, an attacker could potentially exploit this to cause a denial of
service via application crash, or execute arbitrary code. (CVE-2016-5274)

A use-after-free was discovered in accessibility. If a user were tricked
into opening a specially crafted website in a browsing context, an
attacker could potentially exploit this to cause a denial of service via
application crash, or execute arbitrary code. (CVE-2016-5276)

A use-after-free was discovered in web animations when destroying a
timeline. If a user were tricked into opening a specially crafted
website in a browsing context, an attacker could potentially exploit this
to cause a denial of service via application crash, or execute arbitrary
code. (CVE-2016-5277)

A buffer overflow was discovered when encoding image frames to images in
some circumstances. If a user were tricked into opening a specially
crafted message, an attacker could potentially exploit this to cause a
denial of service via application crash, or execute arbitrary code.
(CVE-2016-5278)

Mei Wang discovered a use-after-free when changing text direction. If a
user were tricked into opening a specially crafted website in a browsing
context, an attacker could potentially exploit this to cause a denial of
service via application crash, or execute arbitrary code. (CVE-2016-5280)

Brian Carpenter discovered a use-after-free when manipulating SVG content
in some circumstances. If a user were tricked into opening a specially
crafted website in a browsing context, an attacker could potentially
exploit this to cause a denial of service via application crash, or
execute arbitrary code. (CVE-2016-5281)

An issue was discovered with the preloaded Public Key Pinning (HPKP). If
a man-in-the-middle (MITM) attacker were able to obtain a fraudulent
certificate for a Mozilla site, they could exploit this by providing
malicious addon updates. (CVE-2016-5284)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.10:
thunderbird 1:45.4.0+build1-0ubuntu0.16.10.1

Ubuntu 16.04 LTS:
thunderbird 1:45.4.0+build1-0ubuntu0.16.04.1

Ubuntu 14.04 LTS:
thunderbird 1:45.4.0+build1-0ubuntu0.14.04.1

Ubuntu 12.04 LTS:
thunderbird 1:45.4.0+build1-0ubuntu0.12.04.1

After a standard system update you need to restart Thunderbird to make
all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-3112-1
CVE-2016-5250, CVE-2016-5257, CVE-2016-5270, CVE-2016-5272,
CVE-2016-5274, CVE-2016-5276, CVE-2016-5277, CVE-2016-5278,
CVE-2016-5280, CVE-2016-5281, CVE-2016-5284

Package Information:
https://launchpad.net/ubuntu/+source/thunderbird/1:45.4.0+build1-0ubuntu0.16.10.1
https://launchpad.net/ubuntu/+source/thunderbird/1:45.4.0+build1-0ubuntu0.16.04.1
https://launchpad.net/ubuntu/+source/thunderbird/1:45.4.0+build1-0ubuntu0.14.04.1
https://launchpad.net/ubuntu/+source/thunderbird/1:45.4.0+build1-0ubuntu0.12.04.1

[USN-3111-1] Firefox vulnerabilities

==========================================================================
Ubuntu Security Notice USN-3111-1
October 27, 2016

firefox vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS

Summary:

Several security issues were fixed in Firefox.

Software Description:
- firefox: Mozilla Open Source web browser

Details:

A use-after-free was discovered in service workers. If a user were tricked
into opening a specially crafted website, an attacker could potentially
exploit this to cause a denial of service via program crash, or execute
arbitrary code. (CVE-2016-5287)

It was discovered that web content could access information in the HTTP
cache in some circumstances. An attacker could potentially exploit this
to obtain sensitive information. (CVE-2016-5288)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.10:
firefox 49.0.2+build2-0ubuntu0.16.10.2

Ubuntu 16.04 LTS:
firefox 49.0.2+build2-0ubuntu0.16.04.2

Ubuntu 14.04 LTS:
firefox 49.0.2+build2-0ubuntu0.14.04.1

Ubuntu 12.04 LTS:
firefox 49.0.2+build2-0ubuntu0.12.04.1

After a standard system update you need to restart Firefox to make
all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-3111-1
CVE-2016-5287, CVE-2016-5288

Package Information:
https://launchpad.net/ubuntu/+source/firefox/49.0.2+build2-0ubuntu0.16.10.2
https://launchpad.net/ubuntu/+source/firefox/49.0.2+build2-0ubuntu0.16.04.2
https://launchpad.net/ubuntu/+source/firefox/49.0.2+build2-0ubuntu0.14.04.1
https://launchpad.net/ubuntu/+source/firefox/49.0.2+build2-0ubuntu0.12.04.1

[announce] NYC*BUG Nov 2: Ike on Infrastructure in a Post-Cloud Era

We are working on some upcoming meeting topics. Feel free to ping admin@
if you have a potential meeting idea.

Wednesday, November 2
Infrastructure in a Post-Cloud Era, Isaac (.ike) Levy
18:45, Woolworth Building: 233 Broadway, 21st Floor
Notice: Location Change

Abstract

With a *BSD-minded perspective, we'll walk through the money and
administrative ends of deploying cloud infrastructure, and compare it to
experiences in colocation.

Building modern internet applications is challenging; so why are so many
technology companies relinquishing control over their technology? The
public clouds, after all, are just computers owned by somebody else.

This presentation contains real data crunched by data scientists, to
help cut through marketing hype. Also covered, strategies and approaches
to help you keep your stack "infrastructure agnostic", as well as
strategies to make cloud metered costs less opaque.

Note: This material was previously presented at LHMK, April 2016 - and
will be presented assuming a technical audience.

Speaker Bio

Standing on the shoulders of giants, ike's background includes
partnering to run a Virtual Server ISP before anyone called it a cloud,
as well as having a long history building internet-facing infrastructure
with UNIX systems.

NYC startup veteran, and a long-time community contributor to the *BSD
UNIX family, ike has grown computing infrastructure from a handful of
virtual servers, to full datacenter-scale internet-facing infrastructure
for a number of growth stage startups.

.ike has been a part of NYC*BUG since it was first launched in January
2004, and was a long-time member of the Lower East Side Mac Unix User Group.
He has spoken frequently on a number of UNIX and internet security
topics at various venues, particularly on the topic of FreeBSD's
jail(8), and his involvement in the OPNsense router firewall project.


[USN-3114-2] nginx regression

==========================================================================
Ubuntu Security Notice USN-3114-2
October 27, 2016

nginx regression
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

USN-3114-1 introduced a regression in nginx packaging.

Software Description:
- nginx: small, powerful, scalable web/proxy server

Details:

USN-3114-1 fixed a vulnerability in nginx. A packaging issue prevented
nginx from being reinstalled or upgraded to a subsequent release. This
update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

Dawid Golunski discovered that the nginx package incorrectly handled log
file permissions. A remote attacker could possibly use this issue to obtain
root privileges.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.10:
nginx-common 1.10.1-0ubuntu1.2
nginx-core 1.10.1-0ubuntu1.2
nginx-extras 1.10.1-0ubuntu1.2
nginx-full 1.10.1-0ubuntu1.2
nginx-light 1.10.1-0ubuntu1.2

Ubuntu 16.04 LTS:
nginx-common 1.10.0-0ubuntu0.16.04.4
nginx-core 1.10.0-0ubuntu0.16.04.4
nginx-extras 1.10.0-0ubuntu0.16.04.4
nginx-full 1.10.0-0ubuntu0.16.04.4
nginx-light 1.10.0-0ubuntu0.16.04.4

Ubuntu 14.04 LTS:
nginx-common 1.4.6-1ubuntu3.7
nginx-core 1.4.6-1ubuntu3.7
nginx-extras 1.4.6-1ubuntu3.7
nginx-full 1.4.6-1ubuntu3.7
nginx-light 1.4.6-1ubuntu3.7

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-3114-2
http://www.ubuntu.com/usn/usn-3114-1
https://launchpad.net/bugs/1637058

Package Information:
https://launchpad.net/ubuntu/+source/nginx/1.10.1-0ubuntu1.2
https://launchpad.net/ubuntu/+source/nginx/1.10.0-0ubuntu0.16.04.4
https://launchpad.net/ubuntu/+source/nginx/1.4.6-1ubuntu3.7

Wednesday, October 26, 2016

[CentOS-announce] CESA-2016:2105 Important CentOS 6 kernel Security Update

CentOS Errata and Security Advisory 2016:2105 Important

Upstream details at : https://rhn.redhat.com/errata/RHSA-2016-2105.html

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )




--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS


Tuesday, October 25, 2016

[USN-3114-1] nginx vulnerability

==========================================================================
Ubuntu Security Notice USN-3114-1
October 25, 2016

nginx vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

The system could be made to run programs as an administrator.

Software Description:
- nginx: small, powerful, scalable web/proxy server

Details:

Dawid Golunski discovered that the nginx package incorrectly handled log
file permissions. A remote attacker could possibly use this issue to obtain
root privileges.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.10:
nginx-common 1.10.1-0ubuntu1.1
nginx-core 1.10.1-0ubuntu1.1
nginx-extras 1.10.1-0ubuntu1.1
nginx-full 1.10.1-0ubuntu1.1
nginx-light 1.10.1-0ubuntu1.1

Ubuntu 16.04 LTS:
nginx-common 1.10.0-0ubuntu0.16.04.3
nginx-core 1.10.0-0ubuntu0.16.04.3
nginx-extras 1.10.0-0ubuntu0.16.04.3
nginx-full 1.10.0-0ubuntu0.16.04.3
nginx-light 1.10.0-0ubuntu0.16.04.3

Ubuntu 14.04 LTS:
nginx-common 1.4.6-1ubuntu3.6
nginx-core 1.4.6-1ubuntu3.6
nginx-extras 1.4.6-1ubuntu3.6
nginx-full 1.4.6-1ubuntu3.6
nginx-light 1.4.6-1ubuntu3.6

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-3114-1
CVE-2016-1247

Package Information:
https://launchpad.net/ubuntu/+source/nginx/1.10.1-0ubuntu1.1
https://launchpad.net/ubuntu/+source/nginx/1.10.0-0ubuntu0.16.04.3
https://launchpad.net/ubuntu/+source/nginx/1.4.6-1ubuntu3.6

[FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-16:17.vm


=============================================================================
FreeBSD-EN-16:17.vm Errata Notice
The FreeBSD Project

Topic: Virtual Memory issues

Category: core
Module: Virtual Memory subsystem
Announced: 2016-10-25
Credits:
Affects: FreeBSD 10.3
Corrected: 2016-07-25 13:31:18 UTC (stable/10, 10.3-STABLE)
           2016-10-25 16:45:55 UTC (releng/10.3, 10.3-RELEASE-p11)

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security branches,
and the following sections, please visit
<URL:https://security.freebsd.org/>.

I. Background

The virtual memory subsystem manages address spaces of the processes, and
tightly cooperates with the file systems and process management to provide
the execution environment for the applications.

II. Problem Description

Due to increased parallelism and optimizations in several parts of the
system, the previously latent bugs in VM become much easier to trigger,
affecting a significant number of the FreeBSD users. The exact technical
details of the issues are provided in the commit messages of the merged
revisions, which are listed below with short summaries.

r301184 prevent parallel object collapses, fixes object lifecycle
r301436 do not leak the vm object lock, fixes overcommit disable
r302243 avoid the active object marking for vm.vmtotal sysctl, fixes "vodead" hangs
r302513 vm_fault() race with the vm_object_collapse(), fixes spurious SIGSEGV
r303291 postpone BO_DEAD, fixes panic on fast vnode reclaim

III. Impact

Due to these bugs, a spurious SIGSEGV might be delivered to processes, hangs
in the "vodead" state might be observed during filesystem operations, and the
system might hang or panic during rapid UFS vnode reclamation.

IV. Workaround

No workaround is available.

V. Solution

Perform one of the following:

1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.

2) To update your present system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your present system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 10.3]
# fetch https://security.FreeBSD.org/patches/EN-16:17/vm.patch
# fetch https://security.FreeBSD.org/patches/EN-16:17/vm.patch.asc
# gpg --verify vm.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI. Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/10/                                                        r303291
releng/10.3/                                                      r307929
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=204764>

<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=204426>

The latest revision of this Errata Notice is available at
https://security.FreeBSD.org/advisories/FreeBSD-EN-16:17.vm.asc
_______________________________________________
freebsd-announce@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-announce
To unsubscribe, send any mail to "freebsd-announce-unsubscribe@freebsd.org"

[FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-16:18.loader


=============================================================================
FreeBSD-EN-16:18 Errata Notice
The FreeBSD Project

Topic: Loader may hang during boot

Category: core
Module: loader
Announced: 2016-10-25
Affects: FreeBSD 11.0
Corrected: 2016-10-08 00:01:07 UTC (stable/11, 11.0-STABLE)
2016-10-25 16:50:10 UTC (releng/11.0, 11.0-RELEASE-p2)

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.

I. Background

The loader is the final stage (boot3) of the boot process and is responsible
for loading the kernel and starting the operating system. GELIBoot is a
feature present in the loader that allows it to boot the system from
encrypted disks.

II. Problem Description

A programming error in GELIBoot causes the loader to attempt to read past
the end of the disk if the size of the final partition is not a multiple of
4 kB.

III. Impact

On most systems, reading past the end of the disk will result in the read
failing, and the boot process will continue normally. On some systems, the
read past the end of the disk will be retried a number of times and will
result in the boot process being slower than usual. On Amazon EC2 instances,
and possibly other virtualization platforms, this issue causes the boot
process to hang and never complete.

IV. Workaround

No workaround is available, but systems with 4 kB aligned partitions will
not attempt to read past the end of the disk.

V. Solution

Perform one of the following:

1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.

2) To update your system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 11.0]
# fetch https://security.FreeBSD.org/patches/EN-16:18/loader.patch
# fetch https://security.FreeBSD.org/patches/EN-16:18/loader.patch.asc
# gpg --verify loader.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

VI. Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path Revision
- -------------------------------------------------------------------------
stable/11/ r306834
releng/11.0/ r307930
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=213196>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-16:18.loader.asc>

[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-16:32.bhyve

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-16:32.bhyve Security Advisory
The FreeBSD Project

Topic: bhyve - privilege escalation vulnerability

Category: core
Module: bhyve
Announced: 2016-10-25
Credits: Ilja van Sprundel, IOActive
Affects: FreeBSD 11.0 amd64
Corrected: 2016-10-25 17:15:32 UTC (stable/11, 11.0-STABLE)
2016-10-25 17:11:20 UTC (releng/11.0, 11.0-RELEASE-p2)

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I. Background

bhyve is a BSD licensed hypervisor that supports running a variety of
virtual machines (guests).

II. Problem Description

An unchecked array reference in the VGA device emulation code could
potentially allow guests access to the heap of the bhyve process.
Since the bhyve process is running as root, this may allow guests to
obtain full control of the hosts they are running on.

III. Impact

For bhyve virtual machines with the "fbuf" framebuffer device
configured, if exploited, a malicious guest could obtain full access
to not just the host system, but to other virtual machines running on
the system.

IV. Workaround

No workaround is available, however systems not using bhyve for
virtualization are not vulnerable. Additionally systems using bhyve
but without the "fbuf" framebuffer device configured are not
vulnerable.

V. Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

No reboot is needed. Rather, the bhyve process for vulnerable virtual
machines should be restarted.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 platform
can be updated via the freebsd-update(8) utility.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-16:32/bhyve.patch
# fetch https://security.FreeBSD.org/patches/SA-16:32/bhyve.patch.asc
# gpg --verify bhyve.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart the bhyve process(es).

VI. Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path Revision
- -------------------------------------------------------------------------
stable/11/ r307939
releng/11.0/ r307935
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:32.bhyve.asc>
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJYD5UbAAoJEO1n7NZdz2rnOAcP/03LJPbzVE05gIkN+j8z4jz5
Q/EX+zGgid5omIqslsiM6obDNupnH3HYE7Suv5sCJky9pyX8mv1g3jTkxXzm+32k
9rCcBtGdIviKKG8GNuMa56ZU5EvgUkwndn4qTi7KmZ/+1l8UGRCAsU04L6qQHwb2
Si7WcgZLse+epkYAgzyje+YFR/Ib2xc3vdXXpj+uxlQWs6U3RZ95v+6M5ARhBHes
YJ34QKphy/PaT02hI9AvLU6aB4hkN5XVE2uHgpciNRLp0DF3XwqHRYbDx2bACifS
ge7hbpsSCZuOayYWdtw8gcbzJXxX1fMv1q9ntj5XLh/a4av7coHWYPHDYmIC7Inb
RNAhynR8W9SWFZ1EqUEWhKeWPwpKgiy1e4+CpDm5wbnj+CzJLc08tMU77jIUV6In
ilJkZ04sv25mjOdnjSkjt6PnXmT1n+UrWdKjOYsAkaWiHpAUzGT2dSgRfn8zh5wv
hc1368Z2v2v43HJ+Y4x0M0VVuuEydEHB+sWBhn8evxlQ6KIAC2sdi7juP4TLAgkj
A1kA3Oob4+pGlxzTGgHDE+/HzHnGEfmoWHS/u0dmDiUuTlQDKQCdCEUnjfRdJYuc
3fbigdY70d2wx6igs4VZszSQLu4c4ranewy3ORS1OghpOjnvO7mvJVUbseusLaNC
fYkumZ2XfUaJuya63z7z
=gyCa
-----END PGP SIGNATURE-----

[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-16:15.sysarch [REVISED]


=============================================================================
FreeBSD-SA-16:15.sysarch [REVISED] Security Advisory
The FreeBSD Project

Topic: Incorrect argument validation in sysarch(2)

Category: core
Module: kernel
Announced: 2016-10-25
Credits: Core Security, ahaha from Chaitin Tech
Affects: All supported versions of FreeBSD.
Corrected: 2016-10-25 17:14:50 UTC (stable/11, 11.0-STABLE)
2016-10-25 17:11:20 UTC (releng/11.0, 11.0-RELEASE-p2)
2016-10-25 17:16:08 UTC (stable/10, 10.3-STABLE)
2016-10-25 17:11:15 UTC (releng/10.3, 10.3-RELEASE-p11)
2016-10-25 17:11:11 UTC (releng/10.2, 10.2-RELEASE-p24)
2016-10-25 17:11:07 UTC (releng/10.1, 10.1-RELEASE-p41)
2016-10-25 17:16:58 UTC (stable/9, 9.3-STABLE)
2016-10-25 17:11:02 UTC (releng/9.3, 9.3-RELEASE-p49)
CVE Name: CVE-2016-1885

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

0. Revision history

v1.0 2016-03-16 Initial release.
v1.1 2016-10-25 Revised patch to address a problem pointed out by
ahaha from Chaitin Tech.

I. Background

The IA-32 architecture allows programs to define segments, which provide a
based and size-limited view into the program address space. The
memory-resident processor structure, called the Local Descriptor Table,
usually abbreviated LDT, contains the definitions of the segments. Since
incorrect or malicious segments would breach system integrity, operating
systems do not give processes direct access to the LDT; instead they
provide system calls which allow controlled installation and removal
of segments.

II. Problem Description

A special combination of sysarch(2) arguments specifies a request to
uninstall a set of descriptors from the LDT. The start descriptor
is given and the number of descriptors is provided. Due to a lack
of sufficient bounds checking during argument validity verification,
unbounded zeroing of the process LDT and adjacent memory can be initiated
from usermode.

III. Impact

This vulnerability could cause the kernel to panic. In addition it is
possible to perform a local Denial of Service against the system by
unprivileged processes.

IV. Workaround

No workaround is available, but only the amd64 architecture is affected.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Reboot is required.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Reboot is required.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

[*** v1.1 NOTE ***] If your sources are not yet patched using the initially
published advisory patches, then you need to apply both sysarch.patch and
sysarch-01.patch. If your sources are already updated, or patched with
patches from the initial advisory, then you need to apply sysarch-01.patch
only.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD system not patched with original SA-16:15 patch]
# fetch https://security.FreeBSD.org/patches/SA-16:15/sysarch.patch
# fetch https://security.FreeBSD.org/patches/SA-16:15/sysarch.patch.asc
# gpg --verify sysarch.patch.asc

[FreeBSD system that has been patched with original SA-16:15 patch]
# fetch https://security.FreeBSD.org/patches/SA-16:15/sysarch-01.patch
# fetch https://security.FreeBSD.org/patches/SA-16:15/sysarch-01.patch.asc
# gpg --verify sysarch-01.patch.asc

b) Apply the patch(es). Execute the following commands as root for
every patch file downloaded:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI. Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path Revision
- -------------------------------------------------------------------------
stable/9/ r307941
releng/9.3/ r307931
stable/10/ r307940
releng/10.1/ r307932
releng/10.2/ r307933
releng/10.3/ r307934
stable/11/ r307938
releng/11.0/ r307935
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1885>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-16:15.sysarch.asc>
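
The four FreeBSD notices above (EN-16:17, EN-16:18, SA-16:32 and SA-16:15) all give the same source-patch procedure: fetch the patch and its detached signature, run `gpg --verify`, then `patch` inside /usr/src. The script below is an added example, not code from the FreeBSD Project or from any of the advisories. It wraps that procedure but only applies the patch when gpg's machine-readable status output reports a VALIDSIG from one expected key fingerprint. EXPECTED_FPR is a placeholder: put the FreeBSD Security Officer fingerprint you have checked out of band into it. The fetch(1) and patch(1) calls assume a FreeBSD host, and the gpg status lines used by the self-check are constructed, not captured from a real verification.

```shell
#!/bin/sh
# Added example; not taken from the FreeBSD advisories above.
# "gpg --verify" exits 0 for a good signature from *any* key in the
# keyring, trusted or not. This wrapper parses gpg's status output and
# applies the patch only when VALIDSIG names the fingerprint we expect.
#
# Assumptions (placeholders, not from the page):
#   EXPECTED_FPR  - 40-hex-digit fingerprint of the FreeBSD Security
#                   Officer key, checked out of band, exported by the caller.
#   fetch(1) and patch(1) are the FreeBSD base-system tools.

EXPECTED_FPR="${EXPECTED_FPR:-REPLACE_WITH_VERIFIED_FINGERPRINT}"

# gpg_status_ok STATUS_TEXT FINGERPRINT
# STATUS_TEXT is the output of "gpg --status-fd 1 --verify SIG DATA".
# Succeeds only if a VALIDSIG line carries FINGERPRINT and no
# BADSIG/ERRSIG/EXPKEYSIG/REVKEYSIG line was emitted.
gpg_status_ok() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" && $3 == want { ok = 1 }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        END { exit (ok && !bad) ? 0 : 1 }'
}

# fetch_verify_apply ADVISORY PATCHFILE   e.g. fetch_verify_apply SA-16:32 bhyve.patch
# Mirrors steps 3a/3b of the advisories with the stricter check above.
# Run it from a scratch directory; the rebuild step is still yours to do.
fetch_verify_apply() {
    adv="$1"; pf="$2"
    base="https://security.FreeBSD.org/patches/${adv}"
    fetch "${base}/${pf}" "${base}/${pf}.asc" || return 1
    status=$(gpg --status-fd 1 --verify "${pf}.asc" "${pf}" 2>/dev/null)
    if ! gpg_status_ok "$status" "$EXPECTED_FPR"; then
        echo "refusing to apply ${pf}: no valid signature from ${EXPECTED_FPR}" >&2
        return 1
    fi
    pfabs="$(pwd)/${pf}"
    # FreeBSD patch(1) -C only checks; do that first so a patch that does
    # not apply cleanly never leaves /usr/src half-modified.
    (cd /usr/src && patch -C < "$pfabs" && patch < "$pfabs")
}

# Offline self-check on constructed gpg status lines (no network, no keys).
selfcheck() {
    fpr="0123456789ABCDEF0123456789ABCDEF01234567"        # constructed
    other="FEDCBA9876543210FEDCBA9876543210FEDCBA98"      # constructed
    good="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Security Officer <so@example.org>
[GNUPG:] VALIDSIG ${fpr} 2016-10-25 1477415000 0 4 0 1 10 00 ${fpr}"
    bad="[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Example Security Officer <so@example.org>"
    gpg_status_ok "$good" "$fpr" || return 1               # expected key: accept
    if gpg_status_ok "$good" "$other"; then return 1; fi   # other key: reject
    if gpg_status_ok "$bad" "$fpr"; then return 1; fi      # bad signature: reject
    return 0
}

selfcheck && echo "selfcheck passed"
```

The exit status of `gpg --verify` only says that the file matches some key in your keyring, which may be one pulled from a keyserver and never checked. The VALIDSIG status line carries the full fingerprint of the signing key, and that is the value to compare against the fingerprint published for the FreeBSD Security Officer. With EXPECTED_FPR left at its placeholder the wrapper rejects every patch, which is the safe default.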

[USN-3109-1] MySQL vulnerabilities

==========================================================================
Ubuntu Security Notice USN-3109-1
October 25, 2016

mysql-5.5, mysql-5.7 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS

Summary:

Several security issues were fixed in MySQL.

Software Description:
- mysql-5.7: MySQL database
- mysql-5.5: MySQL database

Details:

Multiple security issues were discovered in MySQL and this update includes
new upstream MySQL versions to fix these issues.

MySQL has been updated to 5.5.53 in Ubuntu 12.04 LTS and Ubuntu 14.04 LTS.
Ubuntu 16.04 LTS and Ubuntu 16.10 have been updated to MySQL 5.7.16.

In addition to security fixes, the updated packages contain bug fixes,
new features, and possibly incompatible changes.

Please see the following for more information:
http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-53.html
http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-16.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.10:
mysql-server-5.7 5.7.16-0ubuntu0.16.10.1

Ubuntu 16.04 LTS:
mysql-server-5.7 5.7.16-0ubuntu0.16.04.1

Ubuntu 14.04 LTS:
mysql-server-5.5 5.5.53-0ubuntu0.14.04.1

Ubuntu 12.04 LTS:
mysql-server-5.5 5.5.53-0ubuntu0.12.04.1

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-3109-1
CVE-2016-5584, CVE-2016-7440

Package Information:
https://launchpad.net/ubuntu/+source/mysql-5.7/5.7.16-0ubuntu0.16.10.1
https://launchpad.net/ubuntu/+source/mysql-5.7/5.7.16-0ubuntu0.16.04.1
https://launchpad.net/ubuntu/+source/mysql-5.5/5.5.53-0ubuntu0.14.04.1
https://launchpad.net/ubuntu/+source/mysql-5.5/5.5.53-0ubuntu0.12.04.1

[USN-3110-1] Quagga vulnerability

==========================================================================
Ubuntu Security Notice USN-3110-1
October 25, 2016

quagga vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS

Summary:

Quagga could be made to crash if it received specially crafted network
traffic.

Software Description:
- quagga: BGP/OSPF/RIP routing daemon

Details:

David Lamparter discovered that Quagga incorrectly handled certain IPv6
router advertisements. A remote attacker could possibly use this issue to
cause Quagga to crash, resulting in a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.10:
quagga 1.0.20160315-2ubuntu0.1

Ubuntu 16.04 LTS:
quagga 0.99.24.1-2ubuntu1.2

Ubuntu 14.04 LTS:
quagga 0.99.22.4-3ubuntu1.3

Ubuntu 12.04 LTS:
quagga 0.99.20.1-0ubuntu0.12.04.6

After a standard system update you need to restart Quagga to make all the
necessary changes.

References:
http://www.ubuntu.com/usn/usn-3110-1
CVE-2016-1245

Package Information:
https://launchpad.net/ubuntu/+source/quagga/1.0.20160315-2ubuntu0.1
https://launchpad.net/ubuntu/+source/quagga/0.99.24.1-2ubuntu1.2
https://launchpad.net/ubuntu/+source/quagga/0.99.22.4-3ubuntu1.3
https://launchpad.net/ubuntu/+source/quagga/0.99.20.1-0ubuntu0.12.04.6

[CentOS-announce] CESA-2016:2098 Important CentOS 7 kernel Security Update

CentOS Errata and Security Advisory 2016:2098 Important

Upstream details at : https://rhn.redhat.com/errata/RHSA-2016-2098.html

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

x86_64:
afb7e2a7c3a38185b99f092b70ec274888a5beb136a7e5077559cbd29b3f55d7 kernel-3.10.0-327.36.3.el7.x86_64.rpm
1b33324ee4de14c03dde2eefb91bdee83082dd4ced6c0b94f5ab3253690bce38 kernel-abi-whitelists-3.10.0-327.36.3.el7.noarch.rpm
000ccd89b45a28645202add878b5e37d9a482df68fd5cf12914611098724eea7 kernel-debug-3.10.0-327.36.3.el7.x86_64.rpm
430e59db8a03d01f25ff602e766b96b06157fb881db68ca0cb81f229ec2609d6 kernel-debug-devel-3.10.0-327.36.3.el7.x86_64.rpm
5522697d3b016509dd3744e714d61e5d177921d2a045588730c1cd41713ba2c1 kernel-devel-3.10.0-327.36.3.el7.x86_64.rpm
b3fb9f23b5a2427d90e286350b1e7ded8ce6c3c2c5f7e191ee15bb8a70c981aa kernel-doc-3.10.0-327.36.3.el7.noarch.rpm
ad0006f10828ff8890c5599982c57a5ed75a9fdc9aab90e0c8cba6422eb766ea kernel-headers-3.10.0-327.36.3.el7.x86_64.rpm
3639553b0daacf8b577a5576d732eadae1aeef30cf61ca15dd755e439b5a8578 kernel-tools-3.10.0-327.36.3.el7.x86_64.rpm
b66a1c39f21081605dc3f19afc73236b5cb23a1de8d1bd1b14718165663de7ac kernel-tools-libs-3.10.0-327.36.3.el7.x86_64.rpm
97f1708f020dc0c19c9abead5cabdf813aa56ffdf6f8956811669019d74980d8 kernel-tools-libs-devel-3.10.0-327.36.3.el7.x86_64.rpm
6101abe377f9c3f96f9a0b32840ccde2d60835af96ffbb1c787841e0a98bb755 perf-3.10.0-327.36.3.el7.x86_64.rpm
cd55f641ed83faeb33d35a7915c78f85f58a237612ffebdfd5f41e652472ce7b python-perf-3.10.0-327.36.3.el7.x86_64.rpm

Source:
fc7d9058db4d12308f80993c446175e0fd45e413ffafa7b9b2b0c38a432a4a3c kernel-3.10.0-327.36.3.el7.src.rpm



--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS

_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
https://lists.centos.org/mailman/listinfo/centos-announce

Monday, October 24, 2016

[USN-3107-2] Linux kernel (Raspberry Pi 2) vulnerability

==========================================================================
Ubuntu Security Notice USN-3107-2
October 24, 2016

linux-raspi2 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.10

Summary:

The system could be made to run programs as an administrator.

Software Description:
- linux-raspi2: Linux kernel for Raspberry Pi 2

Details:

It was discovered that a race condition existed in the memory manager of
the Linux kernel when handling copy-on-write breakage of private read-only
memory mappings. A local attacker could use this to gain administrative
privileges.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.10:
linux-image-4.8.0-1017-raspi2 4.8.0-1017.20

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
http://www.ubuntu.com/usn/usn-3107-2
http://www.ubuntu.com/usn/usn-3107-1
CVE-2016-5195

Package Information:
https://launchpad.net/ubuntu/+source/linux-raspi2/4.8.0-1017.20

Friday, October 21, 2016

[CentOS-announce] CEBA-2016:2096 CentOS 5 tzdata BugFix Update

CentOS Errata and Bugfix Advisory 2016:2096

Upstream details at : https://rhn.redhat.com/errata/RHBA-2016-2096.html

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

i386:
5f017688459d59931f6c59681406b5a2b064a12fa713668a487f62e039b32d3e tzdata-2016h-1.el5.i386.rpm
5dfb4fb30451fe97d0b897615d3cafd3d6e0893dd8d5ec88bcd6253778b9d90f tzdata-java-2016h-1.el5.i386.rpm

x86_64:
3d8b6021853f1f6b10da37209f7a27405118bd479aeb6e1f6a2f5b73da023dcf tzdata-2016h-1.el5.x86_64.rpm
94f250609aa3c4ef1a0f24e4dba952bb116664392878e9f9833ae2a0880de426 tzdata-java-2016h-1.el5.x86_64.rpm

Source:
5a7f8a9b948ad2fba327aebeec1bb4e6d894c104f83ae540e4f1a65802fcce30 tzdata-2016h-1.el5.src.rpm




[CentOS-announce] CESA-2016:2094 Important CentOS 5 bind97 Security Update

CentOS Errata and Security Advisory 2016:2094 Important

Upstream details at : https://rhn.redhat.com/errata/RHSA-2016-2094.html

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

i386:
bbb7a04f44606083f62ae69cea90bb29360a7e75716b3cc05f681d34b8e907a7 bind97-9.7.0-21.P2.el5_11.8.i386.rpm
01a297bc02856208edd495ef3eb03a754b8d63a4944547150a75a3293ec2cdb7 bind97-chroot-9.7.0-21.P2.el5_11.8.i386.rpm
339429fe3711f3a9f3f8cb00b5486286fc76c519eae1fa8c8f1bf52b62591aba bind97-devel-9.7.0-21.P2.el5_11.8.i386.rpm
908f02de2180a6c483046992fafd710f7361c3785d3606a479ba74e4b27f1ee8 bind97-libs-9.7.0-21.P2.el5_11.8.i386.rpm
9787163334d94a88b3cea8f1fb434ea0395787edb61307510a1aa0d249bcdb45 bind97-utils-9.7.0-21.P2.el5_11.8.i386.rpm

x86_64:
1b2296acb71cb6ee456daeb7a957aaa9bc3c573ba7151778f8132b466c80752e bind97-9.7.0-21.P2.el5_11.8.x86_64.rpm
aa9f002b79ce397438391b00c945cca4124bb70f034fd774572d771f14ee182f bind97-chroot-9.7.0-21.P2.el5_11.8.x86_64.rpm
339429fe3711f3a9f3f8cb00b5486286fc76c519eae1fa8c8f1bf52b62591aba bind97-devel-9.7.0-21.P2.el5_11.8.i386.rpm
61ce23c7b9f3765239a389a1543c3f85ac862084325e6f6c10297de933294630 bind97-devel-9.7.0-21.P2.el5_11.8.x86_64.rpm
908f02de2180a6c483046992fafd710f7361c3785d3606a479ba74e4b27f1ee8 bind97-libs-9.7.0-21.P2.el5_11.8.i386.rpm
18771645ae922c3bebe44aaf1e9376105509432713eaa37d6fcc07fd87dbeb1a bind97-libs-9.7.0-21.P2.el5_11.8.x86_64.rpm
f9526dbaa32e4d74e071d72255363b4fa53a92fabd5d8af00765c5f435fae840 bind97-utils-9.7.0-21.P2.el5_11.8.x86_64.rpm

Source:
4ddc9ccf10398546bfd8ed635e531368e4d02030de807b355f0b53f28bff1784 bind97-9.7.0-21.P2.el5_11.8.src.rpm




[CentOS-announce] CESA-2016:2093 Important CentOS 5 bind Security Update

CentOS Errata and Security Advisory 2016:2093 Important

Upstream details at : https://rhn.redhat.com/errata/RHSA-2016-2093.html

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

i386:
1c7927fec6b2966dd9e0b8c9c28bc8e384638db4dabea4f216f5fe649b65424e bind-9.3.6-25.P1.el5_11.10.i386.rpm
f05787e1d6d3824b875923a91f9b71c73342190fcacdf34ed7e426f88eda16d1 bind-chroot-9.3.6-25.P1.el5_11.10.i386.rpm
8328c709e2ac7203f2a33f5bc591262900fa4c3a4715f5224ed3fbe1848bc2d3 bind-devel-9.3.6-25.P1.el5_11.10.i386.rpm
ac09b6c1a8368ed464a8bae61f4a2025b2e617c8f77bdd90b14ce5a3cd5010c3 bind-libbind-devel-9.3.6-25.P1.el5_11.10.i386.rpm
73318c5eb63ea15dc6e31cf23fbb23e0012d860e9e3726c18a9bbec99df7a485 bind-libs-9.3.6-25.P1.el5_11.10.i386.rpm
1b06ccd1b79c863c7459cb4cfa1a6d5cf18b06b20d141dbceac8be23275c3606 bind-sdb-9.3.6-25.P1.el5_11.10.i386.rpm
e5f0a486cb2b6808f3f1d5b81f42ebab2927d5e2d12abcf21a22d44106cac52e bind-utils-9.3.6-25.P1.el5_11.10.i386.rpm
592201761602a121208cefad75f7d955df9a89d58be06c0b9db978322f47fb94 caching-nameserver-9.3.6-25.P1.el5_11.10.i386.rpm

x86_64:
3cff5f207d927f99e5d342397badeb1513485699ae0aefda9a5562f99a51f560 bind-9.3.6-25.P1.el5_11.10.x86_64.rpm
5d41ef95a0fc3a3635421def7792c4971aef60fa968e31f050805998bdf530f6 bind-chroot-9.3.6-25.P1.el5_11.10.x86_64.rpm
8328c709e2ac7203f2a33f5bc591262900fa4c3a4715f5224ed3fbe1848bc2d3 bind-devel-9.3.6-25.P1.el5_11.10.i386.rpm
73ea232936f464e5eb90aff556e7b72d5fc43809596b7ba3edf006fa0c8ffd37 bind-devel-9.3.6-25.P1.el5_11.10.x86_64.rpm
ac09b6c1a8368ed464a8bae61f4a2025b2e617c8f77bdd90b14ce5a3cd5010c3 bind-libbind-devel-9.3.6-25.P1.el5_11.10.i386.rpm
6f7dfba454de9f05434380cfc30dc19558d7b5ea1b2e68688cd642140858b793 bind-libbind-devel-9.3.6-25.P1.el5_11.10.x86_64.rpm
73318c5eb63ea15dc6e31cf23fbb23e0012d860e9e3726c18a9bbec99df7a485 bind-libs-9.3.6-25.P1.el5_11.10.i386.rpm
a8233281551c9185260b88df6c0b5c0279986edfbf68042b46d2e023595f41ed bind-libs-9.3.6-25.P1.el5_11.10.x86_64.rpm
c503f14920c2853330733ab283c2e9099fc77a0815f6264f554fb61f77825f90 bind-sdb-9.3.6-25.P1.el5_11.10.x86_64.rpm
a4e2bc74b6044ce313b9897c2d9f2fbd1ebe372426e54db186125ac08669d2ef bind-utils-9.3.6-25.P1.el5_11.10.x86_64.rpm
47ca6185600538c59be505ecdbf0dd837344ca19ff68bef651a988b20f71cde4 caching-nameserver-9.3.6-25.P1.el5_11.10.x86_64.rpm

Source:
a87cf41ad9e8b99cd2f3fa1641d82d570b4b9ff81a35ca92c64549a08b7ef16a bind-9.3.6-25.P1.el5_11.10.src.rpm




[CentOS-announce] CEBA-2016:2096 CentOS 7 tzdata BugFix Update

CentOS Errata and Bugfix Advisory 2016:2096

Upstream details at : https://rhn.redhat.com/errata/RHBA-2016-2096.html

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

x86_64:
81adad4d2e47225ac0063c0cb9cd0466fc625cb76098c9427ade10b6ad2b4ada tzdata-2016h-1.el7.noarch.rpm
6502b4d41d55440d0f706c6bb31b56e2bf480cfc9a0a207c190d7f1b22c5771c tzdata-java-2016h-1.el7.noarch.rpm

Source:
9dc0352fae7e07c4c56cc878ee3abef747ec79f67c837089ea6dfba607dbca9d tzdata-2016h-1.el7.src.rpm




[CentOS-announce] CEBA-2016:2096 CentOS 6 tzdata BugFix Update

CentOS Errata and Bugfix Advisory 2016:2096

Upstream details at : https://rhn.redhat.com/errata/RHBA-2016-2096.html

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

i386:
0052e3c0edefe1f8915fc34e779b24606c127af41012674831c14f87d51f7e16 tzdata-2016h-1.el6.noarch.rpm
ddbc1f33f59568dd99138f53deb8eb029383ec68d015461eeb63903afd05267e tzdata-java-2016h-1.el6.noarch.rpm

x86_64:
0052e3c0edefe1f8915fc34e779b24606c127af41012674831c14f87d51f7e16 tzdata-2016h-1.el6.noarch.rpm
ddbc1f33f59568dd99138f53deb8eb029383ec68d015461eeb63903afd05267e tzdata-java-2016h-1.el6.noarch.rpm

Source:
b0fb605d1e065f012f89b608e61a6ef121c5a73552f6dbce2be2c448b3370944 tzdata-2016h-1.el6.src.rpm




[CentOS-announce] CESA-2016:2093 Important CentOS 6 bind Security Update

CentOS Errata and Security Advisory 2016:2093 Important

Upstream details at : https://rhn.redhat.com/errata/RHSA-2016-2093.html

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

i386:
26593a0bc69f60721bfbe602702fed0b1b6a9052689c8a38c205d7990bcef96f bind-9.8.2-0.47.rc1.el6_8.2.i686.rpm
9fdf51a04607a7ae65ee4c1c6fd66baa8731dd46568cac59142dd058a2de36c3 bind-chroot-9.8.2-0.47.rc1.el6_8.2.i686.rpm
06815b94fb05c3aba8a7b46ceaf5d90cd9d7f218069e0692e657616976bf34e0 bind-devel-9.8.2-0.47.rc1.el6_8.2.i686.rpm
ffd6cac5b2e46c019c85a7d542d0697bf1f879fb98220fccb63df83a287bee18 bind-libs-9.8.2-0.47.rc1.el6_8.2.i686.rpm
12ee83e91fc71dd47fee86b28919b3be06cbdd0c9b788aafd1616d4d64e60653 bind-sdb-9.8.2-0.47.rc1.el6_8.2.i686.rpm
32208e49b5afc026bb1c370aee1f19c76be6290b54ddfa530d9d1619f64b12d8 bind-utils-9.8.2-0.47.rc1.el6_8.2.i686.rpm

x86_64:
80e27194242661a3531d16838ff345e8614418ead4367d74e8386f0a47eec445 bind-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm
415c2f5ca5d5699973739f86bd7fc06dc3c05631c75fd3890acba9f3c48b7132 bind-chroot-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm
06815b94fb05c3aba8a7b46ceaf5d90cd9d7f218069e0692e657616976bf34e0 bind-devel-9.8.2-0.47.rc1.el6_8.2.i686.rpm
647c07e08b0d72a9e272dbb2193c47e9f2a0402b9b4191bbeeef4b196f744919 bind-devel-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm
ffd6cac5b2e46c019c85a7d542d0697bf1f879fb98220fccb63df83a287bee18 bind-libs-9.8.2-0.47.rc1.el6_8.2.i686.rpm
9253860386f45cdb54a64f06b8622a0773923732993ccc0a75d23e1eb48d30e0 bind-libs-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm
2d7c635a0b0d89d7802d6658397513fc949a739713be929ed8e7110869ddacb0 bind-sdb-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm
312bbcea824c1bfe24d85dc0ba93cab754e516c726844a6fecbc83b44cff54e6 bind-utils-9.8.2-0.47.rc1.el6_8.2.x86_64.rpm

Source:
2b06618b10b7afb41bd17f9c270f45254cfe447ba815187915caed02dc07399c bind-9.8.2-0.47.rc1.el6_8.2.src.rpm




[USN-3108-1] Bind vulnerability

==========================================================================
Ubuntu Security Notice USN-3108-1
October 21, 2016

bind9 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS

Summary:

Bind could be made to crash if it received specially crafted network
traffic.

Software Description:
- bind9: Internet Domain Name Server

Details:

Toshifumi Sakaguchi discovered that Bind incorrectly handled certain
packets with malformed options. A remote attacker could possibly use this
issue to cause Bind to crash, resulting in a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
bind9 1:9.8.1.dfsg.P1-4ubuntu0.18

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-3108-1
CVE-2016-2848

Package Information:
https://launchpad.net/ubuntu/+source/bind9/1:9.8.1.dfsg.P1-4ubuntu0.18

Thursday, October 20, 2016

[LSN-0012-1] Linux kernel vulnerability

==========================================================================
Kernel Live Patch Security Notice LSN-0012-1
October 20, 2016

linux vulnerability
==========================================================================

A security issue affects these releases of Ubuntu:

| Series | Base kernel | Arch | flavors |
|------------------+--------------+----------+------------------|
| Ubuntu 16.04 LTS | 4.4.0 | amd64 | generic |
| Ubuntu 16.04 LTS | 4.4.0 | amd64 | lowlatency |

Summary:

Several security issues were fixed in the kernel.

Software Description:
- linux: Linux kernel

Details:

Vladimír Beneš discovered an unbounded recursion in the VLAN and TEB
Generic Receive Offload (GRO) processing implementations in the Linux
kernel. A remote attacker could use this to cause stack corruption,
leading to a denial of service (system crash). (CVE-2016-7039, CVE-2016-8666)

It was discovered that a race condition existed in the memory manager of
the Linux kernel when handling copy-on-write breakage of private read-only
memory mappings. A local attacker could use this to gain administrative
privileges. (CVE-2016-5195)

Update instructions:

The problem can be corrected by updating your livepatches to the following
versions:

| Kernel | Version | flavors |
|-----------------+----------+--------------------------|
| 4.4.0-21.37 | 13.3 | generic, lowlatency |
| 4.4.0-22.39 | 13.3 | generic, lowlatency |
| 4.4.0-22.40 | 13.3 | generic, lowlatency |
| 4.4.0-24.43 | 13.3 | generic, lowlatency |
| 4.4.0-28.47 | 13.3 | generic, lowlatency |
| 4.4.0-31.50 | 13.3 | generic, lowlatency |
| 4.4.0-34.53 | 13.3 | generic, lowlatency |
| 4.4.0-36.55 | 13.3 | generic, lowlatency |
| 4.4.0-38.57 | 13.3 | generic, lowlatency |
| 4.4.0-42.62 | 13.3 | generic, lowlatency |
| 4.4.0-43.63 | 13.3 | generic, lowlatency |

Additionally, you should install an updated kernel with these fixes and
reboot at your convenience.

References:
CVE-2016-7039, CVE-2016-8666, CVE-2016-5195

F26 System Wide Change: Retire Synaptics Driver

= Proposed System Wide Change: Retire Synaptics Driver =
https://fedoraproject.org/wiki/Changes/RetireSynapticsDriver

Change owner(s):
* Peter Hutterer <peter DOT hutterer AT who-t DOT net>


Retire the xorg-x11-drv-synaptics driver and remove it from users' installs.


== Detailed Description ==
xorg-x11-drv-synaptics has been the main X.Org touchpad driver for
over a decade. Since Fedora 22, it has been superseded by
xorg-x11-drv-libinput which aims to provide a better touchpad
experience.

The only way to assign X.Org drivers is via the xorg.conf.d
configuration system, which is based on config file sort order: e.g.
evdev sorts as 10-evdev.conf, synaptics as 70-synaptics.conf, etc.
Whichever sorts last is assigned as the driver for a device. Fedora 22 and
later shipped with libinput's config file sorting higher than all
other drivers, so that it overrides any previous matches.

Some users prefer the synaptics driver over libinput. This requires
the users to install the driver and then place a custom config snippet
or, more commonly, symlink to the synaptics config snippets with a
name that has a higher sort order than xorg-x11-drv-libinput.

The aim of this change is to ensure that the synaptics driver can
simply be installed when required without any further user
configuration. When installed, it should be assigned as the preferred
driver over xorg-x11-drv-libinput.

For historical reasons, a vast majority of users have the synaptics
driver installed, especially those updating from older releases.

We want to a) remove the xorg-x11-drv-synaptics driver from a user's
machine but b) make it possible to install where required.


== Scope ==
* Proposal owners:
- xorg-x11-drv-synaptics must be removed from comps (complete as of F25)
- xorg-x11-drivers must not include xorg-x11-drv-synaptics (complete as of F25)
- the X server needs to support a fallback input driver. This ensures
that when an xorg.conf snippet assigns the synaptics driver but that
driver is missing, the user still has a working touchpad. Complete as
of xorg-x11-server-1.18.4-5
- xorg-x11-drv-synaptics will get a subpackage
xorg-x11-drv-synaptics-legacy containing the actual driver
- xorg-x11-drv-libinput will obsolete/provide the current
xorg-x11-drv-synaptics version

* Other developers:
- packages that currently require xorg-x11-drv-synaptics need to
revisit and either require the new subpackage or drop the requirement
- Affected packages: mate-desktop, cinnamon-desktop

* Release engineering: Nothing required, the RE changes are complete as of F25

* Policies and guidelines: No update needed

* Trademark approval: N/A (not needed for this Change)
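
To make the sort-order rule and the fallback concrete, here is an added shell emulation (not part of the Fedora proposal or of the X server's own code) of how xorg.conf.d snippets are resolved. It builds a constructed snippet directory using the file names given above (10-evdev.conf, 70-synaptics.conf) plus an assumed 90-libinput.conf for libinput, reports which Driver wins, applies the symlink workaround described above, and models the fallback-driver behaviour from the Scope section with libinput assumed as the fallback; the parser is deliberately simplified and only recognises snippets containing MatchIsTouchpad "on".

```shell
# Added example: simplified emulation of the xorg.conf.d rule described in
# the text (the touchpad snippet that sorts last names the driver). This is
# not the X server's parser; matching is reduced to 'MatchIsTouchpad "on"'.

# Print the Driver named by the touchpad-matching snippet that sorts last.
winning_driver() {                      # $1 = directory of .conf snippets
    winner=""
    for f in $(cd "$1" && LC_ALL=C ls *.conf); do
        if grep -q 'MatchIsTouchpad "on"' "$1/$f"; then
            d=$(sed -n 's/^[[:space:]]*Driver[[:space:]]*"\([^"]*\)".*/\1/p' "$1/$f" | tail -n 1)
            [ -n "$d" ] && winner=$d
        fi
    done
    printf '%s\n' "$winner"
}

# Model the fallback from the Scope section: if the winning driver is not
# installed, fall back to an assumed default (libinput).
effective_driver() {                    # $1 = directory, $2 = "drv1 drv2 ..."
    w=$(winning_driver "$1")
    case " $2 " in
        *" $w "*) printf '%s\n' "$w" ;;
        *)        printf 'libinput\n' ;;
    esac
}

# Build a constructed snippet tree: the file names the text gives for evdev
# and synaptics, plus an assumed name for libinput that sorts after both.
make_confd() {                          # $1 = target directory
    mkdir -p "$1"
    for pair in 10-evdev:evdev 70-synaptics:synaptics 90-libinput:libinput; do
        name=${pair%%:*}; drv=${pair##*:}
        printf 'Section "InputClass"\n    Identifier "%s touchpad"\n    MatchIsTouchpad "on"\n    Driver "%s"\nEndSection\n' \
            "$drv" "$drv" > "$1/$name.conf"
    done
}

# The workaround the text describes: symlink the synaptics snippet under a
# name that sorts after the libinput one, so synaptics wins again.
prefer_synaptics() {                    # $1 = directory
    ln -sf 70-synaptics.conf "$1/99-synaptics.conf"
}
```

With the fallback, the symlink trick only changes the outcome when the synaptics driver is actually installed, which is the behaviour the change aims for.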
--
Jan Kuřík
Platform & Fedora Program Manager
Red Hat Czech s.r.o., Purkynova 99/71, 612 45 Brno, Czech Republic
_______________________________________________
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org

Wednesday, October 19, 2016

[USN-3106-4] Linux kernel (Qualcomm Snapdragon) vulnerability

==========================================================================
Ubuntu Security Notice USN-3106-4
October 20, 2016

linux-snapdragon vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS

Summary:

The system could be made to run programs as an administrator.

Software Description:
- linux-snapdragon: Linux kernel for Snapdragon Processors

Details:

It was discovered that a race condition existed in the memory manager of
the Linux kernel when handling copy-on-write breakage of private read-only
memory mappings. A local attacker could use this to gain administrative
privileges.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS:
linux-image-4.4.0-1032-snapdragon 4.4.0-1032.36

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
http://www.ubuntu.com/usn/usn-3106-4
http://www.ubuntu.com/usn/usn-3106-1
CVE-2016-5195

Package Information:
https://launchpad.net/ubuntu/+source/linux-snapdragon/4.4.0-1032.36

[USN-3106-3] Linux kernel (Raspberry Pi 2) vulnerability

==========================================================================
Ubuntu Security Notice USN-3106-3
October 20, 2016

linux-raspi2 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS

Summary:

The system could be made to run programs as an administrator.

Software Description:
- linux-raspi2: Linux kernel for Raspberry Pi 2

Details:

It was discovered that a race condition existed in the memory manager of
the Linux kernel when handling copy-on-write breakage of private read-only
memory mappings. A local attacker could use this to gain administrative
privileges.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS:
linux-image-4.4.0-1029-raspi2 4.4.0-1029.36

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
http://www.ubuntu.com/usn/usn-3106-3
http://www.ubuntu.com/usn/usn-3106-1
CVE-2016-5195

Package Information:
https://launchpad.net/ubuntu/+source/linux-raspi2/4.4.0-1029.36

[USN-3104-2] Linux kernel (OMAP4) vulnerability

==========================================================================
Ubuntu Security Notice USN-3104-2
October 20, 2016

linux-ti-omap4 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS

Summary:

The system could be made to run programs as an administrator.

Software Description:
- linux-ti-omap4: Linux kernel for OMAP4

Details:

It was discovered that a race condition existed in the memory manager of
the Linux kernel when handling copy-on-write breakage of private read-only
memory mappings. A local attacker could use this to gain administrative
privileges.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
linux-image-3.2.0-1491-omap4 3.2.0-1491.118

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
http://www.ubuntu.com/usn/usn-3104-2
http://www.ubuntu.com/usn/usn-3104-1
CVE-2016-5195

Package Information:
https://launchpad.net/ubuntu/+source/linux-ti-omap4/3.2.0-1491.118