Wednesday, November 30, 2016
[USN-3141-1] Thunderbird vulnerabilities
==========================================================================
Ubuntu Security Notice USN-3141-1
December 01, 2016
thunderbird vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary:
Several security issues were fixed in Thunderbird.
Software Description:
- thunderbird: Mozilla Open Source mail and newsgroup client
Details:
Christian Holler, Jon Coppeard, Olli Pettay, Ehsan Akhgari, Gary Kwong,
Tooru Fujisawa, and Randell Jesup discovered multiple memory safety issues
in Thunderbird. If a user were tricked into opening a specially crafted
message, an attacker could potentially exploit these to cause a denial of
service via application crash, or execute arbitrary code. (CVE-2016-5290)
A same-origin policy bypass was discovered with local HTML files in some
circumstances. An attacker could potentially exploit this to obtain
sensitive information. (CVE-2016-5291)
A heap buffer overflow was discovered in Cairo when processing SVG
content. If a user were tricked into opening a specially crafted message,
an attacker could potentially exploit this to cause a denial of service
via application crash, or execute arbitrary code. (CVE-2016-5296)
An error was discovered in argument length checking in JavaScript. If a
user were tricked into opening a specially crafted website in a browsing
context, an attacker could potentially exploit this to cause a denial of
service via application crash, or execute arbitrary code. (CVE-2016-5297)
A buffer overflow was discovered in nsScriptLoadHandler. If a user were
tricked into opening a specially crafted website in a browsing context,
an attacker could potentially exploit this to cause a denial of service
via application crash, or execute arbitrary code. (CVE-2016-9066)
A use-after-free was discovered in SVG animations. If a user were tricked
into opening a specially crafted website in a browsing context, an
attacker could exploit this to cause a denial of service via application
crash, or execute arbitrary code. (CVE-2016-9079)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.10:
thunderbird 1:45.5.1+build1-0ubuntu0.16.10.1
Ubuntu 16.04 LTS:
thunderbird 1:45.5.1+build1-0ubuntu0.16.04.1
Ubuntu 14.04 LTS:
thunderbird 1:45.5.1+build1-0ubuntu0.14.04.1
Ubuntu 12.04 LTS:
thunderbird 1:45.5.1+build1-0ubuntu0.12.04.1
After a standard system update you need to restart Thunderbird to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-3141-1
CVE-2016-5290, CVE-2016-5291, CVE-2016-5296, CVE-2016-5297,
CVE-2016-9066, CVE-2016-9079
Package Information:
https://launchpad.net/ubuntu/+source/thunderbird/1:45.5.1+build1-0ubuntu0.16.10.1
https://launchpad.net/ubuntu/+source/thunderbird/1:45.5.1+build1-0ubuntu0.16.04.1
https://launchpad.net/ubuntu/+source/thunderbird/1:45.5.1+build1-0ubuntu0.14.04.1
https://launchpad.net/ubuntu/+source/thunderbird/1:45.5.1+build1-0ubuntu0.12.04.1
[USN-3140-1] Firefox vulnerabilities
==========================================================================
Ubuntu Security Notice USN-3140-1
November 30, 2016
firefox vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary:
Firefox could be made to crash or run programs as your login if it
opened a malicious website.
Software Description:
- firefox: Mozilla Open Source web browser
Details:
It was discovered that data: URLs can inherit the wrong origin after an
HTTP redirect in some circumstances. An attacker could potentially
exploit this to bypass same-origin restrictions. (CVE-2016-9078)
A use-after-free was discovered in SVG animations. If a user were tricked
into opening a specially crafted website, an attacker could exploit this
to cause a denial of service via application crash, or execute arbitrary
code. (CVE-2016-9079)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.10:
firefox 50.0.2+build1-0ubuntu0.16.10.1
Ubuntu 16.04 LTS:
firefox 50.0.2+build1-0ubuntu0.16.04.1
Ubuntu 14.04 LTS:
firefox 50.0.2+build1-0ubuntu0.14.04.1
Ubuntu 12.04 LTS:
firefox 50.0.2+build1-0ubuntu0.12.04.1
After a standard system update you need to restart Firefox to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-3140-1
CVE-2016-9078, CVE-2016-9079
Package Information:
https://launchpad.net/ubuntu/+source/firefox/50.0.2+build1-0ubuntu0.16.10.1
https://launchpad.net/ubuntu/+source/firefox/50.0.2+build1-0ubuntu0.16.04.1
https://launchpad.net/ubuntu/+source/firefox/50.0.2+build1-0ubuntu0.14.04.1
https://launchpad.net/ubuntu/+source/firefox/50.0.2+build1-0ubuntu0.12.04.1
[USN-3147-1] Linux kernel vulnerabilities
Ubuntu Security Notice USN-3147-1
November 30, 2016
linux vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.10
Summary:
Several security issues were fixed in the kernel.
Software Description:
- linux: Linux kernel
Details:
Andreas Gruenbacher and Jan Kara discovered that the filesystem
implementation in the Linux kernel did not clear the setgid bit during a
setxattr call. A local attacker could use this to possibly elevate group
privileges. (CVE-2016-7097)
Marco Grassi discovered that the driver for Areca RAID Controllers in the
Linux kernel did not properly validate control messages. A local attacker
could use this to cause a denial of service (system crash) or possibly gain
privileges. (CVE-2016-7425)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.10:
linux-image-4.8.0-28-generic 4.8.0-28.30
linux-image-4.8.0-28-generic-lpae 4.8.0-28.30
linux-image-4.8.0-28-lowlatency 4.8.0-28.30
linux-image-4.8.0-28-powerpc-e500mc 4.8.0-28.30
linux-image-4.8.0-28-powerpc-smp 4.8.0-28.30
linux-image-4.8.0-28-powerpc64-emb 4.8.0-28.30
linux-image-generic 4.8.0.28.37
linux-image-generic-lpae 4.8.0.28.37
linux-image-lowlatency 4.8.0.28.37
linux-image-powerpc-e500mc 4.8.0.28.37
linux-image-powerpc-smp 4.8.0.28.37
linux-image-powerpc64-emb 4.8.0.28.37
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
http://www.ubuntu.com/usn/usn-3147-1
CVE-2016-7097, CVE-2016-7425
Package Information:
https://launchpad.net/ubuntu/+source/linux/4.8.0-28.30
[USN-3146-2] Linux kernel (Xenial HWE) vulnerabilities
Ubuntu Security Notice USN-3146-2
November 30, 2016
linux-lts-xenial vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in the kernel.
Software Description:
- linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty
Details:
USN-3146-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu
14.04 LTS.
It was discovered that the __get_user_asm_ex implementation in the Linux
kernel for x86/x86_64 contained extended asm statements that were
incompatible with the exception table. A local attacker could use this to
gain administrative privileges. (CVE-2016-9644)
Andreas Gruenbacher and Jan Kara discovered that the filesystem
implementation in the Linux kernel did not clear the setgid bit during a
setxattr call. A local attacker could use this to possibly elevate group
privileges. (CVE-2016-7097)
Marco Grassi discovered that the driver for Areca RAID Controllers in the
Linux kernel did not properly validate control messages. A local attacker
could use this to cause a denial of service (system crash) or possibly gain
privileges. (CVE-2016-7425)
Daxing Guo discovered a stack-based buffer overflow in the Broadcom
IEEE802.11n FullMAC driver in the Linux kernel. A local attacker could use
this to cause a denial of service (system crash) or possibly gain
privileges. (CVE-2016-8658)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS:
linux-image-4.4.0-51-generic 4.4.0-51.72~14.04.1
linux-image-4.4.0-51-generic-lpae 4.4.0-51.72~14.04.1
linux-image-4.4.0-51-lowlatency 4.4.0-51.72~14.04.1
linux-image-4.4.0-51-powerpc-e500mc 4.4.0-51.72~14.04.1
linux-image-4.4.0-51-powerpc-smp 4.4.0-51.72~14.04.1
linux-image-4.4.0-51-powerpc64-emb 4.4.0-51.72~14.04.1
linux-image-4.4.0-51-powerpc64-smp 4.4.0-51.72~14.04.1
linux-image-generic-lpae-lts-xenial 4.4.0.51.38
linux-image-generic-lts-xenial 4.4.0.51.38
linux-image-lowlatency-lts-xenial 4.4.0.51.38
linux-image-powerpc-e500mc-lts-xenial 4.4.0.51.38
linux-image-powerpc-smp-lts-xenial 4.4.0.51.38
linux-image-powerpc64-emb-lts-xenial 4.4.0.51.38
linux-image-powerpc64-smp-lts-xenial 4.4.0.51.38
linux-image-virtual-lts-xenial 4.4.0.51.38
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
http://www.ubuntu.com/usn/usn-3146-2
http://www.ubuntu.com/usn/usn-3146-1
CVE-2016-7097, CVE-2016-7425, CVE-2016-8658, CVE-2016-9644
Package Information:
https://launchpad.net/ubuntu/+source/linux-lts-xenial/4.4.0-51.72~14.04.1
[USN-3146-1] Linux kernel vulnerabilities
Ubuntu Security Notice USN-3146-1
November 30, 2016
linux vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in the kernel.
Software Description:
- linux: Linux kernel
Details:
It was discovered that the __get_user_asm_ex implementation in the Linux
kernel for x86/x86_64 contained extended asm statements that were
incompatible with the exception table. A local attacker could use this to
gain administrative privileges. (CVE-2016-9644)
Andreas Gruenbacher and Jan Kara discovered that the filesystem
implementation in the Linux kernel did not clear the setgid bit during a
setxattr call. A local attacker could use this to possibly elevate group
privileges. (CVE-2016-7097)
Marco Grassi discovered that the driver for Areca RAID Controllers in the
Linux kernel did not properly validate control messages. A local attacker
could use this to cause a denial of service (system crash) or possibly gain
privileges. (CVE-2016-7425)
Daxing Guo discovered a stack-based buffer overflow in the Broadcom
IEEE802.11n FullMAC driver in the Linux kernel. A local attacker could use
this to cause a denial of service (system crash) or possibly gain
privileges. (CVE-2016-8658)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 LTS:
linux-image-4.4.0-51-generic 4.4.0-51.72
linux-image-4.4.0-51-generic-lpae 4.4.0-51.72
linux-image-4.4.0-51-lowlatency 4.4.0-51.72
linux-image-4.4.0-51-powerpc-e500mc 4.4.0-51.72
linux-image-4.4.0-51-powerpc-smp 4.4.0-51.72
linux-image-4.4.0-51-powerpc64-emb 4.4.0-51.72
linux-image-4.4.0-51-powerpc64-smp 4.4.0-51.72
linux-image-generic 4.4.0.51.54
linux-image-generic-lpae 4.4.0.51.54
linux-image-lowlatency 4.4.0.51.54
linux-image-powerpc-e500mc 4.4.0.51.54
linux-image-powerpc-smp 4.4.0.51.54
linux-image-powerpc64-emb 4.4.0.51.54
linux-image-powerpc64-smp 4.4.0.51.54
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
http://www.ubuntu.com/usn/usn-3146-1
CVE-2016-7097, CVE-2016-7425, CVE-2016-8658, CVE-2016-9644
Package Information:
https://launchpad.net/ubuntu/+source/linux/4.4.0-51.72
[USN-3145-2] Linux kernel (Trusty HWE) vulnerabilities
Ubuntu Security Notice USN-3145-2
November 30, 2016
linux-lts-trusty vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
Summary:
Several security issues were fixed in the kernel.
Software Description:
- linux-lts-trusty: Linux hardware enablement kernel from Trusty for Precise
Details:
USN-3145-1 fixed vulnerabilities in the Linux kernel for Ubuntu
14.04 LTS. This update provides the corresponding updates for the
Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for
Ubuntu 12.04 LTS.
Marco Grassi discovered that the driver for Areca RAID Controllers in the
Linux kernel did not properly validate control messages. A local attacker
could use this to cause a denial of service (system crash) or possibly gain
privileges. (CVE-2016-7425)
Daxing Guo discovered a stack-based buffer overflow in the Broadcom
IEEE802.11n FullMAC driver in the Linux kernel. A local attacker could use
this to cause a denial of service (system crash) or possibly gain
privileges. (CVE-2016-8658)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
linux-image-3.13.0-103-generic 3.13.0-103.150~precise1
linux-image-3.13.0-103-generic-lpae 3.13.0-103.150~precise1
linux-image-generic-lpae-lts-trusty 3.13.0.103.94
linux-image-generic-lts-trusty 3.13.0.103.94
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
http://www.ubuntu.com/usn/usn-3145-2
http://www.ubuntu.com/usn/usn-3145-1
CVE-2016-7425, CVE-2016-8658
Package Information:
https://launchpad.net/ubuntu/+source/linux-lts-trusty/3.13.0-103.150~precise1
[USN-3145-1] Linux kernel vulnerabilities
Ubuntu Security Notice USN-3145-1
November 30, 2016
linux vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in the kernel.
Software Description:
- linux: Linux kernel
Details:
Marco Grassi discovered that the driver for Areca RAID Controllers in the
Linux kernel did not properly validate control messages. A local attacker
could use this to cause a denial of service (system crash) or possibly gain
privileges. (CVE-2016-7425)
Daxing Guo discovered a stack-based buffer overflow in the Broadcom
IEEE802.11n FullMAC driver in the Linux kernel. A local attacker could use
this to cause a denial of service (system crash) or possibly gain
privileges. (CVE-2016-8658)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS:
linux-image-3.13.0-103-generic 3.13.0-103.150
linux-image-3.13.0-103-generic-lpae 3.13.0-103.150
linux-image-3.13.0-103-lowlatency 3.13.0-103.150
linux-image-3.13.0-103-powerpc-e500 3.13.0-103.150
linux-image-3.13.0-103-powerpc-e500mc 3.13.0-103.150
linux-image-3.13.0-103-powerpc-smp 3.13.0-103.150
linux-image-3.13.0-103-powerpc64-emb 3.13.0-103.150
linux-image-3.13.0-103-powerpc64-smp 3.13.0-103.150
linux-image-generic 3.13.0.103.111
linux-image-generic-lpae 3.13.0.103.111
linux-image-lowlatency 3.13.0.103.111
linux-image-omap 3.13.0.103.111
linux-image-powerpc-e500mc 3.13.0.103.111
linux-image-powerpc-smp 3.13.0.103.111
linux-image-powerpc64-emb 3.13.0.103.111
linux-image-powerpc64-smp 3.13.0.103.111
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
http://www.ubuntu.com/usn/usn-3145-1
CVE-2016-7425, CVE-2016-8658
Package Information:
https://launchpad.net/ubuntu/+source/linux/3.13.0-103.150
[USN-3144-2] Linux kernel (OMAP4) vulnerability
Ubuntu Security Notice USN-3144-2
November 30, 2016
linux-ti-omap4 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
Summary:
The system could be made to crash under certain conditions.
Software Description:
- linux-ti-omap4: Linux kernel for OMAP4
Details:
Marco Grassi discovered that the driver for Areca RAID Controllers in the
Linux kernel did not properly validate control messages. A local attacker
could use this to cause a denial of service (system crash) or possibly gain
privileges.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
linux-image-3.2.0-1494-omap4 3.2.0-1494.121
linux-image-omap4 3.2.0.1494.89
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
http://www.ubuntu.com/usn/usn-3144-2
http://www.ubuntu.com/usn/usn-3144-1
CVE-2016-7425
Package Information:
https://launchpad.net/ubuntu/+source/linux-ti-omap4/3.2.0-1494.121
[USN-3144-1] Linux kernel vulnerability
Ubuntu Security Notice USN-3144-1
November 30, 2016
linux vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
Summary:
The system could be made to crash under certain conditions.
Software Description:
- linux: Linux kernel
Details:
Marco Grassi discovered that the driver for Areca RAID Controllers in the
Linux kernel did not properly validate control messages. A local attacker
could use this to cause a denial of service (system crash) or possibly gain
privileges.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
linux-image-3.2.0-116-generic 3.2.0-116.158
linux-image-3.2.0-116-generic-pae 3.2.0-116.158
linux-image-3.2.0-116-highbank 3.2.0-116.158
linux-image-3.2.0-116-omap 3.2.0-116.158
linux-image-3.2.0-116-powerpc-smp 3.2.0-116.158
linux-image-3.2.0-116-powerpc64-smp 3.2.0-116.158
linux-image-3.2.0-116-virtual 3.2.0-116.158
linux-image-generic 3.2.0.116.132
linux-image-generic-pae 3.2.0.116.132
linux-image-highbank 3.2.0.116.132
linux-image-omap 3.2.0.116.132
linux-image-powerpc-smp 3.2.0.116.132
linux-image-powerpc64-smp 3.2.0.116.132
linux-image-virtual 3.2.0.116.132
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
http://www.ubuntu.com/usn/usn-3144-1
CVE-2016-7425
Package Information:
https://launchpad.net/ubuntu/+source/linux/3.2.0-116.158
[USN-3143-1] c-ares vulnerability
==========================================================================
Ubuntu Security Notice USN-3143-1
November 30, 2016
c-ares vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary:
c-ares could be made to crash or run programs if it processed a specially
crafted hostname.
Software Description:
- c-ares: library for asynchronous name resolves
Details:
Gzob Qq discovered that c-ares incorrectly handled certain hostnames. A
remote attacker could use this issue to cause applications using c-ares to
crash, resulting in a denial of service, or possibly execute arbitrary
code.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.10:
libc-ares2 1.11.0-1ubuntu0.1
Ubuntu 16.04 LTS:
libc-ares2 1.10.0-3ubuntu0.1
Ubuntu 14.04 LTS:
libc-ares2 1.10.0-2ubuntu0.1
Ubuntu 12.04 LTS:
libc-ares2 1.7.5-1ubuntu0.1
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-3143-1
CVE-2016-5180
Package Information:
https://launchpad.net/ubuntu/+source/c-ares/1.11.0-1ubuntu0.1
https://launchpad.net/ubuntu/+source/c-ares/1.10.0-3ubuntu0.1
https://launchpad.net/ubuntu/+source/c-ares/1.10.0-2ubuntu0.1
https://launchpad.net/ubuntu/+source/c-ares/1.7.5-1ubuntu0.1
[USN-3142-1] ImageMagick vulnerabilities
==========================================================================
Ubuntu Security Notice USN-3142-1
November 30, 2016
imagemagick vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary:
Several security issues were fixed in ImageMagick.
Software Description:
- imagemagick: Image manipulation programs and library
Details:
It was discovered that ImageMagick incorrectly handled certain malformed
image files. If a user or automated system using ImageMagick were tricked
into opening a specially crafted image, an attacker could exploit this to
cause a denial of service or possibly execute code with the privileges of
the user invoking the program.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.10:
imagemagick 8:6.8.9.9-7ubuntu8.2
imagemagick-6.q16 8:6.8.9.9-7ubuntu8.2
libmagick++-6.q16-5v5 8:6.8.9.9-7ubuntu8.2
libmagickcore-6.q16-2 8:6.8.9.9-7ubuntu8.2
libmagickcore-6.q16-2-extra 8:6.8.9.9-7ubuntu8.2
Ubuntu 16.04 LTS:
imagemagick 8:6.8.9.9-7ubuntu5.3
imagemagick-6.q16 8:6.8.9.9-7ubuntu5.3
libmagick++-6.q16-5v5 8:6.8.9.9-7ubuntu5.3
libmagickcore-6.q16-2 8:6.8.9.9-7ubuntu5.3
libmagickcore-6.q16-2-extra 8:6.8.9.9-7ubuntu5.3
Ubuntu 14.04 LTS:
imagemagick 8:6.7.7.10-6ubuntu3.3
libmagick++5 8:6.7.7.10-6ubuntu3.3
libmagickcore5 8:6.7.7.10-6ubuntu3.3
libmagickcore5-extra 8:6.7.7.10-6ubuntu3.3
Ubuntu 12.04 LTS:
imagemagick 8:6.6.9.7-5ubuntu3.6
libmagick++4 8:6.6.9.7-5ubuntu3.6
libmagickcore4 8:6.6.9.7-5ubuntu3.6
libmagickcore4-extra 8:6.6.9.7-5ubuntu3.6
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-3142-1
CVE-2016-7799, CVE-2016-7906, CVE-2016-8677, CVE-2016-8862,
CVE-2016-9556
Package Information:
https://launchpad.net/ubuntu/+source/imagemagick/8:6.8.9.9-7ubuntu8.2
https://launchpad.net/ubuntu/+source/imagemagick/8:6.8.9.9-7ubuntu5.3
https://launchpad.net/ubuntu/+source/imagemagick/8:6.7.7.10-6ubuntu3.3
https://launchpad.net/ubuntu/+source/imagemagick/8:6.6.9.7-5ubuntu3.6
[LSN-0013-1] Linux kernel vulnerability
Kernel Live Patch Security Notice LSN-0013-1
November 30, 2016
linux vulnerability
==========================================================================
A security issue affects these releases of Ubuntu:
| Series | Base kernel | Arch | flavors |
|------------------+--------------+----------+------------------|
| Ubuntu 16.04 LTS | 4.4.0 | amd64 | generic |
| Ubuntu 16.04 LTS | 4.4.0 | amd64 | lowlatency |
Summary:
Several security issues were fixed in the kernel.
Software Description:
- linux: Linux kernel
Details:
Ondrej Kozina discovered that the keyring interface in the Linux kernel
contained a buffer overflow when displaying timeout events via the
/proc/keys interface. A local attacker could use this to cause a denial of
service (system crash). (CVE-2016-7042)
Dmitry Vyukov discovered a use-after-free vulnerability during error
processing in the recvmmsg(2) implementation in the Linux kernel. A remote
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2016-7117)
Marco Grassi discovered that the driver for Areca RAID Controllers in the
Linux kernel did not properly validate control messages. A local attacker
could use this to cause a denial of service (system crash) or possibly gain
privileges. (CVE-2016-7425)
Daxing Guo discovered a stack-based buffer overflow in the Broadcom
IEEE802.11n FullMAC driver in the Linux kernel. A local attacker could use
this to cause a denial of service (system crash) or possibly gain
privileges. (CVE-2016-8658)
Update instructions:
The problem can be corrected by updating your livepatches to the following
versions:
| Kernel | Version | flavors |
|-----------------+----------+--------------------------|
| 4.4.0-21.37 | 14.1 | generic, lowlatency |
| 4.4.0-22.39 | 14.1 | generic, lowlatency |
| 4.4.0-22.40 | 14.1 | generic, lowlatency |
| 4.4.0-24.43 | 14.1 | generic, lowlatency |
| 4.4.0-28.47 | 14.1 | generic, lowlatency |
| 4.4.0-31.50 | 14.1 | generic, lowlatency |
| 4.4.0-34.53 | 14.1 | generic, lowlatency |
| 4.4.0-36.55 | 14.1 | generic, lowlatency |
| 4.4.0-38.57 | 14.1 | generic, lowlatency |
| 4.4.0-42.62 | 14.1 | generic, lowlatency |
| 4.4.0-43.63 | 14.1 | generic, lowlatency |
| 4.4.0-45.66 | 14.1 | generic, lowlatency |
| 4.4.0-47.68 | 14.1 | generic, lowlatency |
Additionally, you should install an updated kernel with these fixes and
reboot at your convenience.
References:
CVE-2016-7042, CVE-2016-7117, CVE-2016-7425, CVE-2016-8658
F26 Self Contained Change: Zend Framework 3
https://fedoraproject.org/wiki/Changes/ZF3
Change owner(s):
* Remi Collet <remi at fedoraproject dot org>
Update Zend Framework to latest version 3.
Fedora 24 provides Zend Framework 2.5 (Fedora 25 provides ZF 2.5.3),
which is a transition version.
== Detailed Description ==
See upstream announcement: Zend Framework 3 Released!
[https://framework.zend.com/blog/2016-06-28-zend-framework-3.html]
The Zend Framework is a huge set of ~60 components. The framework
version defines a minimal set of components, and their minimal
version. Version 3 is recommended for PHP 7.0, which is also part of
Fedora 25.
== Scope ==
* Proposal owners:
Update existing packages and create new packages for additional components
* Other developers:
Test their applications
* Release engineering: N/A (not a System Wide Change)
* List of deliverables: N/A (not a System Wide Change)
* Policies and guidelines: N/A (not a System Wide Change)
* Trademark approval: N/A (not needed for this Change)
--
Jan Kuřík
Platform & Fedora Program Manager
Red Hat Czech s.r.o., Purkynova 99/71, 612 45 Brno, Czech Republic
_______________________________________________
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org
Monday, November 28, 2016
[USN-3139-1] Vim vulnerability
Ubuntu Security Notice USN-3139-1
November 29, 2016
vim vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary:
Vim could be made to run programs as your login if it opened a specially
crafted file.
Software Description:
- vim: Vi IMproved - enhanced vi editor
Details:
Florian Larysch discovered that the Vim text editor did not properly
validate values for the 'filetype', 'syntax', and 'keymap' options. An
attacker could trick a user into opening a file with specially crafted
modelines and possibly execute arbitrary code with the user's privileges.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.10:
vim 2:7.4.1829-1ubuntu2.1
vim-common 2:7.4.1829-1ubuntu2.1
vim-gui-common 2:7.4.1829-1ubuntu2.1
vim-runtime 2:7.4.1829-1ubuntu2.1
Ubuntu 16.04 LTS:
vim 2:7.4.1689-3ubuntu1.2
vim-common 2:7.4.1689-3ubuntu1.2
vim-gui-common 2:7.4.1689-3ubuntu1.2
vim-runtime 2:7.4.1689-3ubuntu1.2
Ubuntu 14.04 LTS:
vim 2:7.4.052-1ubuntu3.1
vim-common 2:7.4.052-1ubuntu3.1
vim-gui-common 2:7.4.052-1ubuntu3.1
vim-runtime 2:7.4.052-1ubuntu3.1
Ubuntu 12.04 LTS:
vim 2:7.3.429-2ubuntu2.2
vim-common 2:7.3.429-2ubuntu2.2
vim-gui-common 2:7.3.429-2ubuntu2.2
vim-runtime 2:7.3.429-2ubuntu2.2
After a standard system update you need to restart Vim to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-3139-1
CVE-2016-1248
Package Information:
https://launchpad.net/ubuntu/+source/vim/2:7.4.1829-1ubuntu2.1
https://launchpad.net/ubuntu/+source/vim/2:7.4.1689-3ubuntu1.2
https://launchpad.net/ubuntu/+source/vim/2:7.4.052-1ubuntu3.1
https://launchpad.net/ubuntu/+source/vim/2:7.3.429-2ubuntu2.2
[CentOS-announce] CESA-2016:2824 Moderate CentOS 6 expat Security Update
Upstream details at : https://rhn.redhat.com/errata/RHSA-2016-2824.html
The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )
i386:
d8059e72fad589ffb0f0cdac95587126c947c071188cfeb5c2b8e6fd989d7742 expat-2.0.1-13.el6_8.i686.rpm
0134a37522bc833ca427003ae54bd250ff2cdc017e2e8e5e5e263943b27ede53 expat-devel-2.0.1-13.el6_8.i686.rpm
x86_64:
d8059e72fad589ffb0f0cdac95587126c947c071188cfeb5c2b8e6fd989d7742 expat-2.0.1-13.el6_8.i686.rpm
668543cbe7d320c097b893acdf692a38745096590b58615eb67ea940374a2125 expat-2.0.1-13.el6_8.x86_64.rpm
0134a37522bc833ca427003ae54bd250ff2cdc017e2e8e5e5e263943b27ede53 expat-devel-2.0.1-13.el6_8.i686.rpm
64684a601f126ca5e307fa152b56af0bb7cd31cb231a6d9560573d50bbe94326 expat-devel-2.0.1-13.el6_8.x86_64.rpm
Source:
1c09bb9d3eb76d17de44a027bb97381053fb94000567865ecc4569429afb4c57 expat-2.0.1-13.el6_8.src.rpm
--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS
_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
https://lists.centos.org/mailman/listinfo/centos-announce
[CentOS-announce] CESA-2016:2820 Important CentOS 6 memcached Security Update
Upstream details at : https://rhn.redhat.com/errata/RHSA-2016-2820.html
The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )
i386:
35812c96c050584a93071cfa04f37afef8d1885a580855d3356db301f6cd87e4 memcached-1.4.4-3.el6_8.1.i686.rpm
f6018b34b33f8e11d871213e9488133b673156c7fe9581e2de975127270ad609 memcached-devel-1.4.4-3.el6_8.1.i686.rpm
x86_64:
785fe53f1e886e6ea9ca66094f5e68a0f5c9e44f4f9785ad1801d8b935db3eca memcached-1.4.4-3.el6_8.1.x86_64.rpm
f6018b34b33f8e11d871213e9488133b673156c7fe9581e2de975127270ad609 memcached-devel-1.4.4-3.el6_8.1.i686.rpm
00a734f56b2dd232bed5f01b1cef425f7d815fc55328561022d0a9e2d345cef5 memcached-devel-1.4.4-3.el6_8.1.x86_64.rpm
Source:
970cd80a470d9205181a553e800ef6a82e1b71346fa51e4fa5ff63bfcb15bec1 memcached-1.4.4-3.el6_8.1.src.rpm
--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS
16.04.2 - Rolling HWE Kernel
sudo apt-get install linux-generic-hwe-16.04-edge
Thanks,
[USN-3138-1] python-cryptography vulnerability
==========================================================================
Ubuntu Security Notice USN-3138-1
November 28, 2016
python-cryptography vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.10
- Ubuntu 16.04 LTS
Summary:
python-cryptography could generate incorrect keys.
Software Description:
- python-cryptography: Cryptography Python library
Details:
Markus Döring discovered that python-cryptography incorrectly handled
certain HKDF lengths. This could result in python-cryptography returning an
empty string instead of the expected derived key.
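The symptom described above (a derived key that comes back empty) is one a caller can check for before the bytes are ever used as a key. The block below is an added example, not code from the advisory or from the python-cryptography project: a reference HKDF written against RFC 5869 with only the standard library, verified against RFC 5869 test case 1, plus a fail-closed wrapper that rejects any derivation whose length does not match the request. The advisory does not say which lengths were affected, so the wrapper checks every call; the 16-byte derivation is a constructed input chosen because it is shorter than one SHA-256 output.

```python
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """HKDF-Extract (RFC 5869, section 2.2): PRK = HMAC-Hash(salt, IKM)."""
    digest_size = hashlib.new(hash_name).digest_size
    if not salt:
        salt = b"\x00" * digest_size  # RFC 5869: absent salt means HashLen zero bytes
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """HKDF-Expand (RFC 5869, section 2.3): OKM = first `length` bytes of T(1) || T(2) || ..."""
    digest_size = hashlib.new(hash_name).digest_size
    if length <= 0 or length > 255 * digest_size:
        raise ValueError("requested HKDF length out of range")
    okm = b""
    block = b""  # T(0) is the empty string
    counter = 1
    while len(okm) < length:
        # T(n) = HMAC-Hash(PRK, T(n-1) || info || n)
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm, hash_name), info, length, hash_name)


def derive_checked(salt: bytes, ikm: bytes, info: bytes, length: int, derive=hkdf) -> bytes:
    """Fail closed: a KDF that hands back fewer bytes than requested (the empty
    string in the advisory being the extreme case) must never be used as a key.
    `derive` is any callable with the hkdf() signature, so a library's own HKDF
    can be wrapped the same way (assumed interface, not python-cryptography's API)."""
    key = derive(salt, ikm, info, length)
    if len(key) != length:
        raise RuntimeError(f"KDF returned {len(key)} bytes, expected {length}")
    return key


# RFC 5869 Appendix A, test case 1 (SHA-256).
TC1_IKM = b"\x0b" * 22
TC1_SALT = bytes(range(0x0d))
TC1_INFO = bytes(range(0xf0, 0xfa))
TC1_PRK = bytes.fromhex("077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5")
TC1_OKM = bytes.fromhex(
    "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
    "34007208d5b887185865"
)


def self_test() -> bool:
    """True when the reference implementation reproduces the RFC vector and a
    short request (constructed: 16 bytes, less than one SHA-256 output) comes
    back with the requested length rather than empty."""
    if hkdf_extract(TC1_SALT, TC1_IKM) != TC1_PRK:
        return False
    if hkdf(TC1_SALT, TC1_IKM, TC1_INFO, 42) != TC1_OKM:
        return False
    short = derive_checked(TC1_SALT, TC1_IKM, TC1_INFO, 16)
    # HKDF output is prefix-consistent: a shorter request is a prefix of a longer one.
    return len(short) == 16 and short == TC1_OKM[:16]


if __name__ == "__main__":
    print("ok" if self_test() else "FAIL")
```

The wrapper is the practical takeaway: whichever library does the derivation, compare the returned length with the requested one and abort on mismatch, since a short or empty key silently weakens everything derived from it.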
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.10:
python-cryptography 1.5-2ubuntu0.1
python3-cryptography 1.5-2ubuntu0.1
Ubuntu 16.04 LTS:
python-cryptography 1.2.3-1ubuntu0.1
python3-cryptography 1.2.3-1ubuntu0.1
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-3138-1
CVE-2016-9243
Package Information:
https://launchpad.net/ubuntu/+source/python-cryptography/1.5-2ubuntu0.1
https://launchpad.net/ubuntu/+source/python-cryptography/1.2.3-1ubuntu0.1
Planned Outage: Cloud Environment - 2016-12-01 21:00 UTC
approximately 4 hours.
To convert UTC to your local time, take a look at
https://fedoraproject.org/wiki/UTCHowto
or run:
date -d '2016-12-01 21:00 UTC'
Reason for outage:
We have been in a freeze for the release of Fedora 25 and have
multiple updates across the systems needed to occur. Part of these are
to bring RHEL-7 systems to 7.3 and others are to bring some systems to
Fedora 25.
Affected Services:
Cloud Environment - *.fedorainfracloud.org
Unaffected Services:
Bodhi - https://admin.fedoraproject.org/updates/
Buildsystem - http://koji.fedoraproject.org/
Package Database - https://admin.fedoraproject.org/pkgdb/
BFO - https://boot.fedoraproject.org/
GIT / Source Control
DNS - ns1.fedoraproject.org, ns2.fedoraproject.org
Docs - https://docs.fedoraproject.org/
Email system
Fedora Account System - https://admin.fedoraproject.org/accounts/
Fedora Community - https://admin.fedoraproject.org/community/
Fedora Hosted - https://fedorahosted.org/
Fedora Insight - https://insight.fedoraproject.org/
Fedora People - https://fedorapeople.org/
Main Website - https://fedoraproject.org/
Mirror List - https://mirrors.fedoraproject.org/
Mirror Manager - https://admin.fedoraproject.org/mirrormanager/
QA Services
Secondary Architectures
Spins - https://spins.fedoraproject.org/
Start - https://start.fedoraproject.org/
Torrent - https://torrent.fedoraproject.org/
Translation Services - https://translate.fedoraproject.org/
Wiki - https://fedoraproject.org/wiki/
Staging - .stg.fedoraproject.org, .stg.phx2.fedoraproject.org
Ticket Link: https://pagure.io/fedora-infrastructure/issue/5581
Contact Information: infrastructure @lists.fedoraproject.org
Please join #fedora-admin in irc.freenode.net or add comments to the
ticket for this outage above.
--
Stephen J Smoogen.
Planned Outage: General Services Environment - 2016-11-30 21:00 UTC
approximately 4 hours.
To convert UTC to your local time, take a look at
https://fedoraproject.org/wiki/UTCHowto
or run:
date -d '2016-11-30 21:00 UTC'
Reason for outage:
We have been in a freeze for the release of Fedora 25 and have
multiple updates across the systems needed to occur. Part of these are
to bring RHEL-7 systems to 7.3 and others are to bring some systems to
Fedora 25.
Affected Services:
Bodhi - https://admin.fedoraproject.org/updates/
Buildsystem - http://koji.fedoraproject.org/
Package Database - https://admin.fedoraproject.org/pkgdb/
BFO - https://boot.fedoraproject.org/
GIT / Source Control
DNS - ns1.fedoraproject.org, ns2.fedoraproject.org
Docs - https://docs.fedoraproject.org/
Email system
Fedora Account System - https://admin.fedoraproject.org/accounts/
Fedora Community - https://admin.fedoraproject.org/community/
Fedora Hosted - https://fedorahosted.org/
Fedora Insight - https://insight.fedoraproject.org/
Fedora People - https://fedorapeople.org/
Main Website - https://fedoraproject.org/
Mirror List - https://mirrors.fedoraproject.org/
Mirror Manager - https://admin.fedoraproject.org/mirrormanager/
QA Services
Secondary Architectures
Spins - https://spins.fedoraproject.org/
Start - https://start.fedoraproject.org/
Torrent - https://torrent.fedoraproject.org/
Translation Services - https://translate.fedoraproject.org/
Wiki - https://fedoraproject.org/wiki/
Unaffected Services:
Staging - .stg.fedoraproject.org, .stg.phx2.fedoraproject.org
Ticket Link: TBA
Contact Information: infrastructure @lists.fedoraproject.org
Please join #fedora-admin in irc.freenode.net or add comments to the
ticket for this outage above.
--
Stephen J Smoogen.
Planned Outage: 2016-11-29 21:00 UTC Build Environment
approximately 4 hours.
To convert UTC to your local time, take a look at
https://fedoraproject.org/wiki/UTCHowto
or run:
date -d '2016-11-29 21:00 UTC'
Reason for outage:
We have been in a freeze for the release of Fedora 25 and have
multiple updates across the systems needed to occur. Part of these are
to bring RHEL-7 systems to 7.3 and others are to bring some systems to
Fedora 25.
Affected Services:
Bodhi - https://admin.fedoraproject.org/updates/
Buildsystem - http://koji.fedoraproject.org/
Package Database - https://admin.fedoraproject.org/pkgdb/
Unaffected Services:
BFO - https://boot.fedoraproject.org/
GIT / Source Control
DNS - ns1.fedoraproject.org, ns2.fedoraproject.org
Docs - https://docs.fedoraproject.org/
Email system
Fedora Account System - https://admin.fedoraproject.org/accounts/
Fedora Community - https://admin.fedoraproject.org/community/
Fedora Hosted - https://fedorahosted.org/
Fedora Insight - https://insight.fedoraproject.org/
Fedora People - https://fedorapeople.org/
Main Website - https://fedoraproject.org/
Mirror List - https://mirrors.fedoraproject.org/
Mirror Manager - https://admin.fedoraproject.org/mirrormanager/
QA Services
Secondary Architectures
Spins - https://spins.fedoraproject.org/
Start - https://start.fedoraproject.org/
Torrent - https://torrent.fedoraproject.org/
Translation Services - https://translate.fedoraproject.org/
Wiki - https://fedoraproject.org/wiki/
Staging - .stg.fedoraproject.org, .stg.phx2.fedoraproject.org
Ticket Link: https://pagure.io/fedora-infrastructure/issue/5579
Contact Information: infrastructure @lists.fedoraproject.org
Please join #fedora-admin in irc.freenode.net or add comments to the
ticket for this outage above.
--
Stephen J Smoogen.
Planned Outage: Staging Environment - 2016-11-28 21:00 UTC
approximately 4 hours.
To convert UTC to your local time, take a look at
https://fedoraproject.org/wiki/UTCHowto
or run:
date -d '2016-11-28 21:00 UTC'
Reason for outage:
We have been in a freeze for the release of Fedora 25 and have
multiple updates across the systems needed to occur. Part of these are
to bring RHEL-7 systems to 7.3 and others are to bring some systems to
Fedora 25.
Affected Services:
Staging - .stg.fedoraproject.org, .stg.phx2.fedoraproject.org
Unaffected Services:
BFO - https://boot.fedoraproject.org/
Bodhi - https://admin.fedoraproject.org/updates/
Buildsystem - http://koji.fedoraproject.org/
GIT / Source Control
DNS - ns1.fedoraproject.org, ns2.fedoraproject.org
Docs - https://docs.fedoraproject.org/
Email system
Fedora Account System - https://admin.fedoraproject.org/accounts/
Fedora Community - https://admin.fedoraproject.org/community/
Fedora Hosted - https://fedorahosted.org/
Fedora Insight - https://insight.fedoraproject.org/
Fedora People - https://fedorapeople.org/
Main Website - https://fedoraproject.org/
Mirror List - https://mirrors.fedoraproject.org/
Mirror Manager - https://admin.fedoraproject.org/mirrormanager/
Package Database - https://admin.fedoraproject.org/pkgdb/
QA Services
Secondary Architectures
Spins - https://spins.fedoraproject.org/
Start - https://start.fedoraproject.org/
Torrent - https://torrent.fedoraproject.org/
Translation Services - https://translate.fedoraproject.org/
Wiki - https://fedoraproject.org/wiki/
Ticket Link: TBA
Contact Information: infrastructure @lists.fedoraproject.org
Please join #fedora-admin in irc.freenode.net or add comments to the
ticket for this outage above.
--
Stephen J Smoogen.
[USN-3135-2] GStreamer Good Plugins vulnerability
==========================================================================
Ubuntu Security Notice USN-3135-2
November 28, 2016
gst-plugins-good0.10, gst-plugins-good1.0 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary:
GStreamer could be made to crash or run programs as your login if it opened
a specially crafted file.
Software Description:
- gst-plugins-good1.0: GStreamer plugins
- gst-plugins-good0.10: GStreamer plugins
Details:
USN-3135-1 fixed a vulnerability in GStreamer Good Plugins. The original
security fix was incomplete. This update fixes the problem.
Original advisory details:
Chris Evans discovered that GStreamer Good Plugins did not correctly handle
malformed FLC movie files. If a user were tricked into opening a crafted
FLC movie file with a GStreamer application, an attacker could cause a
denial of service via application crash, or execute arbitrary code with the
privileges of the user invoking the program.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.10:
gstreamer1.0-plugins-good 1.8.3-1ubuntu1.2
Ubuntu 16.04 LTS:
gstreamer1.0-plugins-good 1.8.2-1ubuntu0.3
Ubuntu 14.04 LTS:
gstreamer0.10-plugins-good 0.10.31-3+nmu1ubuntu5.2
gstreamer1.0-plugins-good 1.2.4-1~ubuntu1.3
Ubuntu 12.04 LTS:
gstreamer0.10-plugins-good 0.10.31-1ubuntu1.4
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-3135-2
http://www.ubuntu.com/usn/usn-3135-1
https://launchpad.net/bugs/1643901
Package Information:
https://launchpad.net/ubuntu/+source/gst-plugins-good1.0/1.8.3-1ubuntu1.2
https://launchpad.net/ubuntu/+source/gst-plugins-good1.0/1.8.2-1ubuntu0.3
https://launchpad.net/ubuntu/+source/gst-plugins-good0.10/0.10.31-3+nmu1ubuntu5.2
https://launchpad.net/ubuntu/+source/gst-plugins-good1.0/1.2.4-1~ubuntu1.3
https://launchpad.net/ubuntu/+source/gst-plugins-good0.10/0.10.31-1ubuntu1.4
Reminder: Fedora 23 End Of Life on 2016-Dec-20
On that day we are going to close all the Fedora 23 bugs which remain
open [1].
You have the last few weeks to submit your updates to Fedora 23, if
you have any, before the Fedora 23 release becomes unsupported.
[1] https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora25#Fedora_23_EOL_Closure
Regards,
Jan
--
Jan Kuřík
Platform & Fedora Program Manager
Red Hat Czech s.r.o., Purkynova 99/71, 612 45 Brno, Czech Republic
Wednesday, November 23, 2016
[USN-3137-1] MoinMoin vulnerabilities
==========================================================================
Ubuntu Security Notice USN-3137-1
November 23, 2016
moin vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary:
Several security issues were fixed in MoinMoin.
Software Description:
- moin: Collaborative hypertext environment
Details:
It was discovered that MoinMoin did not properly sanitize certain inputs,
resulting in cross-site scripting (XSS) vulnerabilities. With cross-site
scripting vulnerabilities, if a user were tricked into viewing server
output during a crafted server request, a remote attacker could exploit
this to modify the contents, or steal confidential data, within the same
domain.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.10:
python-moinmoin 1.9.8-1ubuntu1.16.10.1
Ubuntu 16.04 LTS:
python-moinmoin 1.9.8-1ubuntu1.16.04.1
Ubuntu 14.04 LTS:
python-moinmoin 1.9.7-1ubuntu2.1
Ubuntu 12.04 LTS:
python-moinmoin 1.9.3-1ubuntu2.3
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-3137-1
CVE-2016-7146, CVE-2016-7148, CVE-2016-9119
Package Information:
https://launchpad.net/ubuntu/+source/moin/1.9.8-1ubuntu1.16.10.1
https://launchpad.net/ubuntu/+source/moin/1.9.8-1ubuntu1.16.04.1
https://launchpad.net/ubuntu/+source/moin/1.9.7-1ubuntu2.1
https://launchpad.net/ubuntu/+source/moin/1.9.3-1ubuntu2.3
[USN-3136-1] LXC vulnerability
Ubuntu Security Notice USN-3136-1
November 23, 2016
lxc vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
LXC could be made to allow containers to access the host filesystem.
Software Description:
- lxc: Linux Containers userspace tools
Details:
Roman Fiedler discovered a directory traversal flaw in lxc-attach. An
attacker with access to an LXC container could exploit this flaw to access
files outside of the container.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.10:
liblxc1 2.0.5-0ubuntu1.2
lxc1 2.0.5-0ubuntu1.2
Ubuntu 16.04 LTS:
liblxc1 2.0.5-0ubuntu1~ubuntu16.04.3
lxc1 2.0.5-0ubuntu1~ubuntu16.04.3
Ubuntu 14.04 LTS:
liblxc1 1.0.8-0ubuntu0.4
lxc 1.0.8-0ubuntu0.4
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-3136-1
CVE-2016-8649
Package Information:
https://launchpad.net/ubuntu/+source/lxc/2.0.5-0ubuntu1.2
https://launchpad.net/ubuntu/+source/lxc/2.0.5-0ubuntu1~ubuntu16.04.3
https://launchpad.net/ubuntu/+source/lxc/1.0.8-0ubuntu0.4
Tuesday, November 22, 2016
[USN-3135-1] GStreamer Good Plugins vulnerability
==========================================================================
Ubuntu Security Notice USN-3135-1
November 22, 2016
gst-plugins-good0.10, gst-plugins-good1.0 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary:
GStreamer could be made to crash or run programs as your login if it
opened a specially crafted file.
Software Description:
- gst-plugins-good1.0: GStreamer plugins
- gst-plugins-good0.10: GStreamer plugins
Details:
Chris Evans discovered that GStreamer Good Plugins did not correctly handle
malformed FLC movie files. If a user were tricked into opening a crafted
FLC movie file with a GStreamer application, an attacker could cause a
denial of service via application crash, or execute arbitrary code with the
privileges of the user invoking the program.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.10:
gstreamer1.0-plugins-good 1.8.3-1ubuntu1.1
Ubuntu 16.04 LTS:
gstreamer1.0-plugins-good 1.8.2-1ubuntu0.2
Ubuntu 14.04 LTS:
gstreamer0.10-plugins-good 0.10.31-3+nmu1ubuntu5.1
gstreamer1.0-plugins-good 1.2.4-1~ubuntu1.1
Ubuntu 12.04 LTS:
gstreamer0.10-plugins-good 0.10.31-1ubuntu1.3
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-3135-1
https://launchpad.net/bugs/1643901
Package Information:
https://launchpad.net/ubuntu/+source/gst-plugins-good1.0/1.8.3-1ubuntu1.1
https://launchpad.net/ubuntu/+source/gst-plugins-good1.0/1.8.2-1ubuntu0.2
https://launchpad.net/ubuntu/+source/gst-plugins-good0.10/0.10.31-3+nmu1ubuntu5.1
https://launchpad.net/ubuntu/+source/gst-plugins-good1.0/1.2.4-1~ubuntu1.1
https://launchpad.net/ubuntu/+source/gst-plugins-good0.10/0.10.31-1ubuntu1.3
[USN-3134-1] Python vulnerabilities
Ubuntu Security Notice USN-3134-1
November 22, 2016
python2.7, python3.2, python3.4, python3.5 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary:
Several security issues were fixed in Python.
Software Description:
- python2.7: An interactive high-level object-oriented language
- python3.5: An interactive high-level object-oriented language
- python3.4: An interactive high-level object-oriented language
- python3.2: An interactive high-level object-oriented language
Details:
It was discovered that the smtplib library in Python did not return an
error when StartTLS fails. A remote attacker could possibly use this to
expose sensitive information. (CVE-2016-0772)
Rémi Rampin discovered that Python did not protect CGI applications
from the contents of the HTTP_PROXY environment variable when that
variable was set from the Proxy header of an HTTP request. A remote
attacker could possibly use this to cause a CGI application to redirect
its outgoing HTTP requests. (CVE-2016-1000110)
Insu Yun discovered an integer overflow in the zipimporter module in
Python that could lead to a heap-based overflow. An attacker could
use this to craft a special zip file that when read by Python could
possibly execute arbitrary code. (CVE-2016-5636)
Guido Vranken discovered that the urllib modules in Python did
not properly handle carriage return line feed (CRLF) in headers. A
remote attacker could use this to craft URLs that inject arbitrary
HTTP headers. This issue only affected Ubuntu 12.04 LTS and Ubuntu
14.04 LTS. (CVE-2016-5699)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 LTS:
libpython2.7 2.7.12-1ubuntu0~16.04.1
libpython2.7-minimal 2.7.12-1ubuntu0~16.04.1
libpython2.7-stdlib 2.7.12-1ubuntu0~16.04.1
libpython3.5 3.5.2-2ubuntu0~16.04.1
libpython3.5-minimal 3.5.2-2ubuntu0~16.04.1
libpython3.5-stdlib 3.5.2-2ubuntu0~16.04.1
python2.7 2.7.12-1ubuntu0~16.04.1
python2.7-minimal 2.7.12-1ubuntu0~16.04.1
python3.5 3.5.2-2ubuntu0~16.04.1
python3.5-minimal 3.5.2-2ubuntu0~16.04.1
Ubuntu 14.04 LTS:
libpython2.7 2.7.6-8ubuntu0.3
libpython2.7-minimal 2.7.6-8ubuntu0.3
libpython2.7-stdlib 2.7.6-8ubuntu0.3
libpython3.4 3.4.3-1ubuntu1~14.04.5
libpython3.4-minimal 3.4.3-1ubuntu1~14.04.5
libpython3.4-stdlib 3.4.3-1ubuntu1~14.04.5
python2.7 2.7.6-8ubuntu0.3
python2.7-minimal 2.7.6-8ubuntu0.3
python3.4 3.4.3-1ubuntu1~14.04.5
python3.4-minimal 3.4.3-1ubuntu1~14.04.5
Ubuntu 12.04 LTS:
libpython2.7 2.7.3-0ubuntu3.9
libpython3.2 3.2.3-0ubuntu3.8
python2.7 2.7.3-0ubuntu3.9
python2.7-minimal 2.7.3-0ubuntu3.9
python3.2 3.2.3-0ubuntu3.8
python3.2-minimal 3.2.3-0ubuntu3.8
After a standard system update you need to restart any Python
applications to make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-3134-1
CVE-2016-0772, CVE-2016-1000110, CVE-2016-5636, CVE-2016-5699
Package Information:
https://launchpad.net/ubuntu/+source/python2.7/2.7.12-1ubuntu0~16.04.1
https://launchpad.net/ubuntu/+source/python3.5/3.5.2-2ubuntu0~16.04.1
https://launchpad.net/ubuntu/+source/python2.7/2.7.6-8ubuntu0.3
https://launchpad.net/ubuntu/+source/python3.4/3.4.3-1ubuntu1~14.04.5
https://launchpad.net/ubuntu/+source/python2.7/2.7.3-0ubuntu3.9
https://launchpad.net/ubuntu/+source/python3.2/3.2.3-0ubuntu3.8
Yu Shiwei cordially invites you to study
The company's rapid growth and the pace at which its people's overall abilities improve are out of step!
The talent the company relies on cannot produce results, disappointing the company again and again!
The company's HR lacks the skills to identify talent, and lacks a systematic way to replicate and pass on talent!
Talent developed in-house is highly loyal and fits the corporate culture, but in-house development is slow and takes a long time.
Talent painstakingly poached from elsewhere is highly mobile, changes jobs often, clashes with the corporate culture, and cannot be put to the company's use!
……
Fedora 25 released!
===================
The Fedora Project is pleased to announce the immediate availability of
Fedora 25, the next big step in our journey into the containerized,
modular future!
Fedora is a global community that works together to lead the advancement
of free and open source software. As part of the community's mission the
project delivers three editions, each one a free, Linux-based operating
system tailored to meet specific use cases: Fedora 25 Atomic Host,
Fedora 25 Server, and Fedora 25 Workstation.
Each edition is built from a common set of base packages, which form the
foundation of the Fedora operating system. As with all new versions of
Fedora, Fedora 25 provides many bug fixes and tweaks to these underlying
components, as well as new and enhanced packages, including:
* Docker 1.12 for building and running containerized applications
* Node.js 6.5, the latest version of the popular server-side JavaScript
engine
* Support for Rust, a faster and more stable system programming language
* Multiple Python versions — 2.6, 2.7, 3.3, 3.4 and 3.5 — to help run
test suites across several Python configurations, as well as PyPy,
PyPy3, and Jython
Fedora Workstation
------------------
Providing many of the latest open source developer and desktop tools,
Fedora 25 Workstation delivers a host of new features, including the
long-awaited official debut of the Wayland display server. Replacing the
legacy X11 system, Wayland has been under development for several years
and seeks to provide a smoother, richer experience for graphical
environments and better capabilities for modern graphics hardware. To
further enhance ease-of-use, Fedora 25 Workstation also features GNOME
3.22, which offers multiple file renaming, a redesigned keyboard
settings tool and additional user interface improvements. Workstation
users will also be pleased with the inclusion of decoding support for
the MP3 media format.
Fedora 25 Workstation now makes it easier for Windows and OS X users
to get started, with Fedora Media Writer serving as the default download
for those operating systems. This tool helps users find and download the
current Fedora release and write it to removable media, like a USB
stick, allowing potential Fedora users to "test drive" the operating
system from that media environment. Fedora can then be installed to
their systems with the same process.
For current Fedora users, the upgrade path from Fedora 24 to Fedora 25
has been simplified and streamlined, with typical upgrades taking less
than 30 minutes, depending on system configuration and network speed.
Upgrades can be started from the command line or from the GNOME Software
tool, just like regular security and bugfix updates.
For developers, beyond the new docker engine and language support
included in the base Fedora 25 packages, Fedora 25 Workstation
introduces improved Flatpak support. This tweak makes it easier to
install, update and remove Flatpak software and enables this application
packaging standard to be more user friendly at the workstation level.
GNOME Shell extensions are also no longer checked for compatibility with
the current version of the Shell. This was originally required because
the GNOME interfaces were changing rapidly during the early days of
GNOME 3. Now these interfaces have stabilized, and extensions can
generally be expected to work with new releases.
Fedora Server
-------------
In addition to the flexible multi-role functionality provided by
rolekit, Fedora 25 Server now delivers a new SELinux Troubleshooter
module for Cockpit. Similar to what is available on Fedora Workstation,
the module helps provide suggestions for a user when an SELinux denial
is encountered, which otherwise requires log checking and manual
workarounds.
Fedora 25 Server also will now display SSH keys in the Cockpit system
dashboard to make it easier for administrators to see what keys are
connecting to a given machine. Additionally, support is now included for
multi-step (including two-factor) authentication services.
The FreeIPA identity management system has also been upgraded to the 4.4
series, which offers a set of new features for servers deployed in an
identity management role. Some of these enhancements include:
* Topology management: the FreeIPA web UI can now be used to visually
manage the topology graph for large deployments.
* DNS sites: DNS management in FreeIPA now supports location-specific
placement of services.
* Subordinate Certificate Authorities: FreeIPA Certificate Authority
now is able to create subordinate CAs to issue certificates with a
specific scope.
* Kerberos Authentication Indicators: Kerberos KDC now takes
Authentication Indicators into account when issuing service tickets.
For example, two-factor authenticated Kerberos credentials can now be
required prior to obtaining tickets to a VPN service (supported by
OpenConnect Server).
Fedora Atomic
-------------
New in Fedora 25 is the addition of Fedora 25 Atomic Host as one of
Fedora's three editions, replacing Fedora Cloud. While a Fedora Cloud
Base image will continue to be available for users seeking to run
workloads on a general purpose host, Fedora Atomic Host provides an
optimized host designed to create and deploy container-based workloads.
Fedora 25 Atomic Host is shipped in several formats, to allow users to
spin up virtual machines or install Atomic Host on bare metal. To keep
pace with innovations in the world of Linux containers, Fedora Atomic
Host is expected to be refreshed on a two-week release cycle (with major
releases coinciding with new Fedora versions) and provides an easy
upgrade path to accommodate rapid application development.
Fedora will also offer a docker-formatted base image, to be updated
monthly along with critical security updates, for use in building Linux
containers.
Spins and More
--------------
These are not the only parts of Fedora that are seeing changes in the
release today. Our KDE spin features new and improved packages for
music, video, and personal information management. Xfce includes
improvements to the terminal, notifications, and power management.
Mate-Compiz features an update to Mate 1.16 and a complete switch to
the GTK+3 toolkit.
Downloads
---------
You can download the new Fedora 25 starting today! Download Fedora 25
from our Get Fedora site:
* Workstation: https://getfedora.org/workstation/
* Server: https://getfedora.org/server/
* Atomic: https://getfedora.org/atomic/
Or, check out one of our popular variants:
* Spins: https://spins.fedoraproject.org/
* Labs: https://labs.fedoraproject.org/
Architectures
-------------
As always, Fedora is available for 32-bit ARM and 64-bit Intel
architecture systems, and select Spins are also available for 32-bit
x86. We're also simultaneously releasing for 64-bit ARM, Power
(including a little endian variant), and s390x. For these, see:
* https://alt.fedoraproject.org/alt/
Of particular note to many enthusiasts, this is the first release where
we officially run on the Raspberry Pi (versions 2 and 3). More details
are available in this Fedora Magazine Article:
* https://fedoramagazine.org/raspberry-pi-support-fedora-25-beta/
Upgrades
--------
If you're already running Fedora, you don't need to download or create a
boot image. Instead, start the upgrade process from GNOME Software or
using DNF System Upgrade at the command line. For instructions, refer to:
* Upgrades: http://fedoraproject.org/wiki/Upgrading
Documentation and Common Bugs
-----------------------------
Read the full release notes for Fedora 25:
* https://docs.fedoraproject.org/en-US/Fedora/25/html/Release_Notes/
Fedora 25 common bugs are documented at:
* http://fedoraproject.org/wiki/Common_F25_bugs
Thank You!
----------
Fedora would not be possible without the hard work of the very dedicated
contributor community. Thanks to the thousands of Fedora contributors
and millions of upstream developers who made this release!
-- Matthew Miller, Fedora Project Leader
--
Matthew Miller
<mattdm@fedoraproject.org>
Fedora Project Leader
_______________________________________________
announce mailing list -- announce@lists.fedoraproject.org
To unsubscribe send an email to announce-leave@lists.fedoraproject.org
Monday, November 21, 2016
[USN-3132-1] tar vulnerability
==========================================================================
Ubuntu Security Notice USN-3132-1
November 21, 2016
tar vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary:
tar could be made to overwrite files.
Software Description:
- tar: GNU version of the tar archiving utility
Details:
Harry Sintonen discovered that tar incorrectly handled extracting files
when path names are specified on the command line. If a user or automated
system were tricked into processing a specially crafted archive, an
attacker could possibly overwrite arbitrary files.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.10:
tar 1.29b-1ubuntu0.1
Ubuntu 16.04 LTS:
tar 1.28-2.1ubuntu0.1
Ubuntu 14.04 LTS:
tar 1.27.1-1ubuntu0.1
Ubuntu 12.04 LTS:
tar 1.26-4ubuntu1.1
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-3132-1
CVE-2016-6321
Package Information:
https://launchpad.net/ubuntu/+source/tar/1.29b-1ubuntu0.1
https://launchpad.net/ubuntu/+source/tar/1.28-2.1ubuntu0.1
https://launchpad.net/ubuntu/+source/tar/1.27.1-1ubuntu0.1
https://launchpad.net/ubuntu/+source/tar/1.26-4ubuntu1.1
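A defensive pre-extraction check for the broader class of problem this notice describes (archive entries that end up writing outside the directory the user meant to extract into), added here as an example; it is not code from the USN or from GNU tar. It inspects member names, symlink targets and hard link targets before anything is written and reports those that would resolve outside the destination. The sample archive is constructed inline, and the destination path /srv/extract and the function names are this example's own assumptions.

```python
import io
import posixpath
import tarfile


def resolves_inside(dest, path):
    """True if joining `path` onto `dest` and normalising '..' segments
    still lands at or below `dest`. An absolute `path` replaces `dest`
    entirely under posixpath.join, so it fails this check."""
    dest = posixpath.normpath(dest)
    target = posixpath.normpath(posixpath.join(dest, path))
    return target == dest or target.startswith(dest + "/")


def unsafe_members(archive_bytes, dest="/srv/extract"):
    """Return [(member_name, reason)] for archive entries that would end up
    outside `dest`: traversal or absolute names, link targets that point
    outside, or paths that descend through a symlink created earlier."""
    findings = []
    symlinks = set()
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tf:
        for m in tf.getmembers():
            name = m.name
            # 1. The member name itself escapes (e.g. "../../x" or "/etc/x").
            if not resolves_inside(dest, name):
                findings.append((name, "name escapes destination"))
                continue
            # 2. A parent component was written earlier as a symlink, so the
            #    real write location is wherever that link points.
            parts = name.split("/")
            if any("/".join(parts[:i]) in symlinks for i in range(1, len(parts))):
                findings.append((name, "path passes through a symlink"))
                continue
            # 3. Symlink targets are relative to the member's own directory.
            if m.issym():
                symlinks.add(name)
                base = posixpath.dirname(name)
                if not resolves_inside(dest, posixpath.join(base, m.linkname)):
                    findings.append((name, "symlink target escapes destination"))
            # 4. Hard link targets are relative to the archive root.
            elif m.islnk() and not resolves_inside(dest, m.linkname):
                findings.append((name, "hard link target escapes destination"))
    return findings


def _add_file(tf, name, data):
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tf.addfile(info, io.BytesIO(data))


def build_sample_archive():
    """Constructed sample archive (not from the advisory): benign entries
    next to the kinds of names an unsafe extraction would act on."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        _add_file(tf, "good/readme.txt", b"hello\n")
        alias = tarfile.TarInfo("good/alias")      # symlink staying inside
        alias.type = tarfile.SYMTYPE
        alias.linkname = "readme.txt"
        tf.addfile(alias)
        _add_file(tf, "../../outside.txt", b"escaped\n")
        link = tarfile.TarInfo("link")             # symlink pointing outside
        link.type = tarfile.SYMTYPE
        link.linkname = "/tmp/elsewhere"
        tf.addfile(link)
        _add_file(tf, "link/file.txt", b"written through the symlink\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in unsafe_members(build_sample_archive()):
        print(f"UNSAFE {member}: {reason}")
```

Running the checker over the constructed archive flags three of the five entries; the benign file and the symlink that stays inside the destination pass. The order matters: a symlink is recorded when it is seen, so later entries that descend through it are flagged regardless of where the link points, which is how extraction-time link-following is usually abused.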
F26 Self Contained Change: Java/OpenJDK enforces the system-wide crypto policy
= Java/OpenJDK enforces the system-wide crypto policy =
https://fedoraproject.org/wiki/Changes/JavaCryptoPolicies
Change owner(s):
* Nikos Mavrogiannopoulos <nmav AT redhat DOT com>
As it is now, the System-wide crypto policy in F25 is enforced by the
OpenSSL, GnuTLS and NSS TLS libraries. To harmonize crypto across all
applications in Fedora, including the Java ones, OpenJDK is enhanced
to respect the settings of the system-wide crypto policy as well.
== Detailed Description ==
As it is now, the System-wide crypto policy in F25 is enforced by the
OpenSSL, GnuTLS and NSS TLS libraries. To harmonize crypto across all
applications in Fedora, including the Java ones, OpenJDK is enhanced
to respect the settings of the system-wide crypto policy as well.
After that change the administrator should be assured that any Java
application will follow a policy that adheres to the configured
profile.
== Scope ==
* Proposal owners:
The change requires modifying OpenJDK to read additional security
properties from the file generated by crypto-policies
(/etc/crypto-policies/back-ends/java.config).
* Other developers:
There are no required actions by other developers. The change requires
only targeted changes to openjdk and crypto-policies.
* Release engineering:
No actions required.
* Policies and guidelines:
The packaging guidelines for crypto policies need to be modified to
include OpenJDK/java in the list of libraries supporting the policies.
* Trademark approval:
N/A (not needed for this Change)
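An added example of the kind of check an administrator might run once OpenJDK honours the generated file (this is not code from the Change, from OpenJDK or from crypto-policies). It assumes /etc/crypto-policies/back-ends/java.config uses the java.security properties syntax ('#' comments, key=value, backslash line continuations) and parses it, then compares the disabledAlgorithms entries against a baseline of legacy items an administrator expects a policy profile to disable. The sample file text and the baseline are constructed here; the real generated file will differ.

```python
import re


def parse_java_security_properties(text):
    """Parse java.security-style properties: '#'/'!' comments, key=value,
    and a trailing backslash continuing the value on the next line."""
    merged, pending = [], ""
    for raw in text.splitlines():
        # Continuation lines have their leading whitespace dropped.
        line = (pending + raw.strip()) if pending else raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        merged.append(line)
    props = {}
    for line in merged:
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def disabled_algorithms(props, key):
    """Split a comma-separated *.disabledAlgorithms value into constraints,
    e.g. 'RSA keySize < 2048' or 'TLSv1.1'."""
    return [c.strip() for c in props.get(key, "").split(",") if c.strip()]


def policy_gaps(props, required):
    """Return {property: [constraints from `required` that are missing]}.
    An empty dict means every expected constraint is present."""
    gaps = {}
    for key, wanted in required.items():
        present = set(disabled_algorithms(props, key))
        missing = [w for w in wanted if w not in present]
        if missing:
            gaps[key] = missing
    return gaps


def load_system_policy(path="/etc/crypto-policies/back-ends/java.config"):
    """Read the file the Change says OpenJDK will consult (path from the
    Change text; assumed to be plain properties syntax)."""
    with open(path, encoding="utf-8") as fh:
        return parse_java_security_properties(fh.read())


# Constructed sample in the style of a crypto-policies Java back end.
# Not the file Fedora generates; the values are illustrative only.
SAMPLE_JAVA_CONFIG = """\
# constructed sample, not generated by crypto-policies
jdk.tls.ephemeralDHKeySize=2048
jdk.certpath.disabledAlgorithms=MD2, MD5, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=DH keySize < 2048, SSLv2Hello, SSLv3, \\
    TLSv1, TLSv1.1, RC4, MD5withRSA
jdk.tls.legacyAlgorithms=
"""

# Constructed baseline: items this example treats as must-be-disabled.
BASELINE = {
    "jdk.tls.disabledAlgorithms": ["SSLv3", "TLSv1", "TLSv1.1", "RC4"],
    "jdk.certpath.disabledAlgorithms": ["MD2", "MD5"],
}


if __name__ == "__main__":
    gaps = policy_gaps(parse_java_security_properties(SAMPLE_JAVA_CONFIG), BASELINE)
    print("policy meets baseline" if not gaps else f"missing constraints: {gaps}")
```

The comparison is by exact constraint string, which is what a baseline diff needs; it does not attempt to evaluate keySize expressions. To check a live system, call load_system_policy() in place of the constructed sample.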
--
Jan Kuřík
Platform & Fedora Program Manager
Red Hat Czech s.r.o., Purkynova 99/71, 612 45 Brno, Czech Republic
_______________________________________________
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org