Tuesday, January 31, 2017

Re: F26 Self Contained Change: Anaconda LVM RAID

I would like the "User Experience" section to be fleshed-out a bit
more. Currently it says "There should be no visible change for
non-expert users. Expert users could make use of the new LVM RAID's
features."

I think, though, there's plenty of middle ground here: users who are
not experts in LVM RAID yet would like to have data redundancy and need
to manage that.

The Documentation section mentions the installation guide, which is
great, but what about documentation for replacing disks or adding to
the set?

--
Matthew Miller
<mattdm@fedoraproject.org>
Fedora Project Leader
_______________________________________________
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org

[USN-3181-1] OpenSSL vulnerabilities

==========================================================================
Ubuntu Security Notice USN-3181-1
January 31, 2017

openssl vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS

Summary:

Several security issues were fixed in OpenSSL.

Software Description:
- openssl: Secure Socket Layer (SSL) cryptographic library and tools

Details:

Guido Vranken discovered that OpenSSL used undefined behaviour when
performing pointer arithmetic. A remote attacker could possibly use this
issue to cause OpenSSL to crash, resulting in a denial of service. This
issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS as other
releases were fixed in a previous security update. (CVE-2016-2177)

It was discovered that OpenSSL did not properly handle Montgomery
multiplication, resulting in incorrect results leading to transient
failures. This issue only applied to Ubuntu 16.04 LTS, and Ubuntu 16.10.
(CVE-2016-7055)

It was discovered that OpenSSL did not properly use constant-time
operations when performing ECDSA P-256 signing. A remote attacker could
possibly use this issue to perform a timing attack and recover private
ECDSA keys. This issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04
LTS. (CVE-2016-7056)

Shi Lei discovered that OpenSSL incorrectly handled certain warning alerts.
A remote attacker could possibly use this issue to cause OpenSSL to stop
responding, resulting in a denial of service. (CVE-2016-8610)

Robert Święcki discovered that OpenSSL incorrectly handled certain
truncated packets. A remote attacker could possibly use this issue to cause
OpenSSL to crash, resulting in a denial of service. (CVE-2017-3731)

It was discovered that OpenSSL incorrectly performed the x86_64 Montgomery
squaring procedure. While unlikely, a remote attacker could possibly use
this issue to recover private keys. This issue only applied to Ubuntu 16.04
LTS, and Ubuntu 16.10. (CVE-2017-3732)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.10:
libssl1.0.0 1.0.2g-1ubuntu9.1

Ubuntu 16.04 LTS:
libssl1.0.0 1.0.2g-1ubuntu4.6

Ubuntu 14.04 LTS:
libssl1.0.0 1.0.1f-1ubuntu2.22

Ubuntu 12.04 LTS:
libssl1.0.0 1.0.1-4ubuntu5.39

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-3181-1
CVE-2016-2177, CVE-2016-7055, CVE-2016-7056, CVE-2016-8610,
CVE-2017-3731, CVE-2017-3732

Package Information:
https://launchpad.net/ubuntu/+source/openssl/1.0.2g-1ubuntu9.1
https://launchpad.net/ubuntu/+source/openssl/1.0.2g-1ubuntu4.6
https://launchpad.net/ubuntu/+source/openssl/1.0.1f-1ubuntu2.22
https://launchpad.net/ubuntu/+source/openssl/1.0.1-4ubuntu5.39

F26 System Wide Change: GNOME 3.24

= System Wide Change: GNOME 3.24 =
https://fedoraproject.org/wiki/Changes/GNOME3.24

Change owner(s):
* Kalev Lember <klember AT redhat DOT com>

Update GNOME to the latest upstream release, 3.24


== Detailed Description ==
Tentative new features for 3.24 include:

* Updated System Settings panels: User Accounts, Printer, Online Accounts
* Tag Editing in GNOME Music
* ownCloud integration in GNOME Music
* Sharing Framework
* Photo Import
* Passwords and Keys Application
* Revamped Header Bar and Bookmarks in Web
* Browse as root in Files

More details are available in
https://wiki.gnome.org/ReleasePlanning/FeaturePlans


== Scope ==
Proposal owners:
* Keep existing GNOME packages updated
* Follow upstream module changes
* Package new applications and new dependencies of existing GNOME
packages for GNOME 3.24

Other developers: N/A

Release engineering: N/A

List of deliverables: N/A

Policies and guidelines: N/A

Trademark approval: N/A (not needed for this Change)
--
Jan Kuřík
Platform & Fedora Program Manager
Red Hat Czech s.r.o., Purkynova 99/71, 612 45 Brno, Czech Republic

REMINDER: Fedora 26 Bugzilla Rawhide rebase in three weeks

Greetings,

This e-mail is intended to inform you about the upcoming Bugzilla changes
happening on 2017-02-21 (Rawhide bug rebase) and what you need to do,
if anything.

We will be automatically changing the version for most rawhide bugs to
Fedora 26.
This will result in regular bugs reported against rawhide during the Fedora 26
development cycle being changed to version '26' instead of their current
assignment, 'rawhide'. This is to align with the branching of Fedora 26 from
rawhide and to more accurately tell where in the lineage of releases the bug was
last reported.

Note that this procedure does not apply to bugs that are open for the 'Package
Review' or 'kernel' components or bugs that have the ''FutureFeature''
or ''Tracking'' keywords
set. These will stay open as rawhide bugs indefinitely.

If you do not want your bugs changed to version '26', add the ''FutureFeature''
keyword. If you need help changing a large amount of bugs manually, we'd be glad
to help.

The process was re-approved by FESCo https://pagure.io/fesco/issue/1096 .

Jan
--
Jan Kuřík
Platform & Fedora Program Manager
Red Hat Czech s.r.o., Purkynova 99/71, 612 45 Brno, Czech Republic

F26 Self Contained Change: SSSD fast cache for local users

= Proposed Self Contained Change: SSSD fast cache for local users =
https://fedoraproject.org/wiki/Changes/SSSDCacheForLocalUsers

Change owner(s):
* Stephen Gallagher <sgallagh AT redhat DOT com>
* Jakub Hrozek <jhrozek AT redhat DOT com>

Enable resolving all users through the sss NSS modules for better performance.


== Detailed Description ==
SSSD has shipped with a very fast memory cache for a couple of releases now.
However, using this cache conflicts with nscd's caching, and nscd has
been disabled by default. That degrades performance, because every
user or group lookup must open the local files.

This change proposes leveraging a new "files" provider SSSD will ship
in the next version in order to resolve also users from the local
files. That way, the "sss" NSS module can be configured before the
files module in nsswitch.conf and the system could leverage sss_nss
caching for both local and remote users.

The upstream design of the files provider can be found at:
https://fedorahosted.org/sssd/wiki/DesignDocs/FilesProvider

Below is a mini-FAQ that lists the most common questions we've received so far:

Q: Does SSSD take over /etc/passwd and /etc/files?
A: No. SSSD just monitors them with inotify and copies the records
into its cache.

Q: Does SSSD need to be running all the time now? What if it crashes?
A: SSSD needs to be running in order to benefit from this
functionality. However, the nss_sss module is built in such a way that
even if sssd is not running, nss_sss should fail over to nss_files
pretty quickly (we'll quantify "pretty quickly" in a more scientific
fashion soon).

Q: Do I need to configure SSSD now?
A: No, we'll ship a default configuration.


== Scope ==
* Proposal owners:
Jakub Hrozek and Stephen Gallagher work on the design and coding

* Other developers:
The SSSD upstream will participate in code review of the change

* Release engineering:
None required

* Policies and guidelines:
None needed

* Trademark approval:
None needed
--
Jan Kuřík
Platform & Fedora Program Manager
Red Hat Czech s.r.o., Purkynova 99/71, 612 45 Brno, Czech Republic

F26 Self Contained Change: Anaconda LVM RAID

= Proposed Self Contained Change: Anaconda LVM RAID =
https://fedoraproject.org/wiki/Changes/AnacondaLVMRAID

Change owner(s):
* Vratislav Podzimek (Anaconda/Blivet) <vpodzime AT redhat DOT com>
* Heinz Mauelshagen (LVM) <heinzm AT redhat DOT com>

Use LVM RAID instead of LVM on top of MD RAID in the Anaconda installer.


== Detailed Description ==
Currently, when a user chooses LVM (or Thin LVM) partitioning in the
Custom Spoke and then sets a RAID level for the VG, Anaconda (and
Blivet) create an MD RAID device which is used as a PV for the VG.
With this change we are going to use LVM RAID directly instead. That
means that all the LVs in that VG will be RAID LVs with the specified
RAID level. LVM RAID provides the same functionality as MD RAID (it
shares the same kernel code) with better flexibility and additional
features expected in future.

== Scope ==
* Proposal owners:
-- Blivet developers: Support creation of LVM RAID in a similar way as
LVM on top of MD RAID. (Creation of RAID LVs is already supported.)
-- Anaconda developers: Use the new way to create LVM RAID instead of
creating LVM on top of MD RAID.
-- LVM developers: LVM RAID already has all features required by this change.

* Other developers:
N/A (not a System Wide Change)

* Release engineering:

* List of deliverables:
N/A (not a System Wide Change)

* Policies and guidelines:

* Trademark approval:
--
Jan Kuřík
Platform & Fedora Program Manager
Red Hat Czech s.r.o., Purkynova 99/71, 612 45 Brno, Czech Republic

REMINDER: Submission deadline for System Wide Changes of Fedora 26 is today

Hi everyone!

The submission deadline for System Wide Changes of Fedora 26 [1] is
today (January 31st). The Alpha release of Fedora 26 is then planned
for March 14th.

As the deadline applies to System Wide Changes, it is always good to
have most of the Self Contained Changes proposed as well. In case you
need any help with your Change proposals, feel free to contact me.

[1] https://fedoraproject.org/wiki/Releases/26/Schedule

Best Regards,
Jan
--
Jan Kuřík
Platform & Fedora Program Manager
Red Hat Czech s.r.o., Purkynova 99/71, 612 45 Brno, Czech Republic

F26 System Wide Change: Kerberos KCM credential cache by default

= System Wide Change: Kerberos KCM credential cache by default =
https://fedoraproject.org/wiki/Changes/KerberosKCMCache

Change owner(s):
* Jakub Hrozek <jhrozek AT redhat DOT com>


Default to a new Kerberos credential cache type called KCM which is
better suited for containerized environments and provides a better
user experience in the general case as well.


== Detailed Description ==
Over time, Fedora used different credential cache types to store
Kerberos credentials - going from a simple file-based storage (FILE:)
to a directory (DIR:) and most recently a kernel-keyring based cache
(KEYRING:).

Each of these caches has its own set of advantages and disadvantages.
The FILE ccache is very widely supported, but does not allow multiple
primary caches in a collection. The DIR cache does, but creating and
managing the directories, including proper access control, can be
tricky. The KEYRING cache is not well suited for cases where multiple
semi-isolated environments might share the same kernel. Managing the
life cycle of credential caches is not solved automatically in any of
these cache types, only with the help of a daemon like SSSD.

The scope of this change is to introduce a new Kerberos credential
cache type called KCM and switch to using it by default.

With KCM, the Kerberos caches are not stored in a "passive" store, but
managed by a daemon. In this setup, the Kerberos library (typically
used through an application, like for example, kinit) is a "KCM
client" and the daemon is being referred to as a "KCM server". The KCM
server will be provided as a socket-activated service of the SSSD
daemon.

== Scope ==
* Proposal owners:
SSSD developers will implement a KCM server. The krb5-libs package
will then switch its default from KEYRING to KCM. The libkrb5 package
will require the sssd-kcm subpackage and enable its socket so that the
KCM server is socket activated when needed. Please note that the KCM
server only listens on a local UNIX socket, not over the network.

* Other developers: None required

* Release engineering: None required

* List of deliverables: None affected

* Policies and guidelines: None required

* Trademark approval: N/A (not needed for this Change)
--
Jan Kuřík
Platform & Fedora Program Manager
Red Hat Czech s.r.o., Purkynova 99/71, 612 45 Brno, Czech Republic

F26 Self Contained Change: Container Minimal Image

= Proposed Self Contained Change: Container Minimal Image =
https://fedoraproject.org/wiki/Changes/ContainerMinimalImage

Change owner(s):
* Dusty Mabe <dusty AT dustymabe DOT com>


Produce a new container image that contains as little as possible, but
also still provides the ability to install packages from dnf
repositories.


== Detailed Description ==
As a user of Fedora I'd like to build containers based on an image
that is a little more lightweight than the current base container
image that is produced in Fedora. We have a proof of concept kickstart
[1] that will create such an image. It is a work in progress.

[1] https://pagure.io/fedora-kickstarts/pull-request/120


== Scope ==
* Proposal owners:
Implementation of this Change

* Other developers:
N/A (not a System Wide Change)

* Release engineering:
N/A (not a System Wide Change)

* List of deliverables:
N/A (not a System Wide Change)

* Policies and guidelines:
N/A (not a System Wide Change)

* Trademark approval:
N/A (not needed for this Change)
--
Jan Kuřík
Platform & Fedora Program Manager
Red Hat Czech s.r.o., Purkynova 99/71, 612 45 Brno, Czech Republic

F26 System Wide Change: Python Classroom Lab

= System Wide Change: Python Classroom Lab =
https://fedoraproject.org/wiki/Changes/PythonClassroomLab

Change owner(s):
* Miro Hrončok <mhroncok AT redhat DOT com>
* SIGs/Python <python-devel@lists.fedoraproject.org>


A new Python Classroom Lab will be created in 3 variants: Workstation
based, Docker based and Vagrant based. It's an important step for our
Fedora Loves Python initiative. The main audience are Python teachers
and workshop instructors.


== Detailed Description ==
A new comps packages group with Python development tools will be
created and a new Lab (or Spin) for teaching Python or Python related
topics will be available from labs.fedoraproject.org as well as from
the Docker Hub and Vagrant Atlas.

A work in progress for the lab is available on GitHub.

The Lab will contain:
* Python 3.6 including the python3-devel package
* Python 2.7 including the python2-devel package
* PyPy 3
* tox
* virtualenv
* IPython console for both Python 2 and 3
* Jupyter Notebook with Python 2 and 3 kernels (if this gets into
Fedora in time)
* offline documentation for Python 2 and 3
* basic toolchain for building C and C++ extensions and valgrind
* git
* nano, vim, ssh client, curl, wget
* devel packages for commonly used dependencies of packages on the
Python Package Index
  * libxml2-devel
  * libyaml-devel
  * ...

The Workstation based lab will also contain:
* Basic GNOME
* Terminal emulator
* Text editor
* PDF reader
* Web browser
* Image viewer
* ...and possibly other utilities

It will not include multimedia or virtualization support, an office
suite, or an e-mail client.


== Scope ==
Proposal owners:
* create the comps group
* create kickstarts for live and vagrant variants
* create a layer for docker

Other developers:
* Design team: Create an image for labs.fedoraproject.org
* Websites team: Add the new Lab to labs.fedoraproject.org

Release engineering:
List of deliverables:
* Labs/i386/iso/Fedora-Python-Classroom-Live-i386-_RELEASE_MILESTONE_.iso
* Labs/x86_64/iso/Fedora-Python-Classroom-Live-x86_64-_RELEASE_MILESTONE_.iso
* Labs/armhfp/images/Fedora-Python-Classroom-armhfp-_RELEASE_MILESTONE_-sda.raw.xz
* Labs/i386/images/Fedora-Python-Classroom-Vagrant-_RELEASE_MILESTONE_.i386.vagrant-libvirt.box
* Labs/i386/images/Fedora-Python-Classroom-Vagrant-_RELEASE_MILESTONE_.i386.vagrant-virtualbox.box
* Labs/x86_64/images/Fedora-Python-Classroom-Vagrant-_RELEASE_MILESTONE_.x86_64.vagrant-libvirt.box
* Labs/x86_64/images/Fedora-Python-Classroom-Vagrant-_RELEASE_MILESTONE_.x86_64.vagrant-virtualbox.box
* docker images via Fedora Docker Layered image build service

Policies and guidelines: nothing

Trademark approval: waiting
--
Jan Kuřík
Platform & Fedora Program Manager
Red Hat Czech s.r.o., Purkynova 99/71, 612 45 Brno, Czech Republic

Monday, January 30, 2017

[announce] NYC*BUG Wednesday: OS the underlying overhead of computation

Other upcoming:

AsiaBSDCon (.org) March 9-12, Tokyo, Japan
BSDCan (.org) Jun 9-10, Ottawa, Canada
EuroBSDCon (.org) September 21-24, Paris, France

****

February 1, Wednesday
OS : The underlying overhead of computation
Antti Kantee
18:45, Suspenders, 103 Greenwich Street, 2nd Floor, Manhattan
Notice: Location Change

Abstract

An operating system is a piece of code intended to help computer
operators load punch cards -- hence "operating". The timesharing system
was created to allow interactive shared access to the handful of
computers which existed at the time. We will examine what is in the
interactive punch card loader in 2017, what actually belongs in there,
and why things are the way they are. Like science, the talk is highly
religious. Unlike computer science, the talk is grounded in reality.
Discussions, heretical opinions, and questions are encouraged.

Speaker Bio

Antti Kantee has been a NetBSD committer since the 1900's and has
managed to do many sorts of damage. He is probably best (or worst,
depending on who you ask) known for his decade-long workhaul on rump
kernels. Antti very recently moved to the Princeton area, so in case he
appears particularly absent during his talk, he got lost on the way to
the venue.

_______________________________________________
announce mailing list
announce@lists.nycbug.org
http://lists.nycbug.org/mailman/listinfo/announce

[CentOS-announce] Release for CentOS AltArch 7 (1611) on i386 Architecture

The CentOS AltArch SIG is a group of people working to build alternative
architecture support derived from CentOS Linux's sources. You can find
more details about the AltArch group at:

https://wiki.centos.org/SpecialInterestGroup/AltArch

Including details on how to get involved and ways to get help for
architecture specific issues.

This is the release announcement for the i386 (Intel 32-bit)
Architecture based on the source code released for CentOS-7 (1611). It
includes all packages that build on x86 32-bit processors.

The release notes for the normal CentOS-7 apply:

https://wiki.centos.org/Manuals/ReleaseNotes/CentOS7

with the following notes that are specific to i386:

https://wiki.centos.org/SpecialInterestGroup/AltArch/i386

If you already have a previous version of CentOS-7 i386 installed, just
running 'yum update' will get you the latest packages installed.

ISOs can be downloaded from:

http://mirror.centos.org/altarch/7/isos/i386/

Here are the SHA256SUMS for the ISOs:

CentOS-7-i386-DVD-1611.iso:
25eff443460d53155cb837983c947fb3d74f4c0a3077dc699c7d50e9fdb4c0f3

CentOS-7-i386-Everything-1611.iso:
578a475248ecef427269357b7ff22b973a007f534988f39f365b8dded43fad72

CentOS-7-i386-LiveGNOME-1611.iso:
16a75041a77e4d98922d2f68c54abef35f50a1e8aa863f182ab84b443cb0fcd1

CentOS-7-i386-LiveKDE-1611.iso:
f9651851adee59d646b509757186f038f2b453d285d92dce5b7b91c396d20d1a

CentOS-7-i386-Minimal-1611.iso:
bf0e17041aad294fbb3fa5c6fb100258ace4f62b94d5bf3356b40f9807a88805

CentOS-7-i386-NetInstall-1611.iso:
249c344d3e82f49be3195e06741276f409815b1d4785f1439fc47c342eb6dd7c

===========================

The CentOS team will have a Dojo in Brussels, Belgium on Friday 3rd
February 2017:

https://wiki.centos.org/Events/Dojo/Brussels2017

I will be at the Dojo to discuss the i386 distribution with those who
are interested. I will also be at the CentOS Booth at FOSDEM 2017 (
https://fosdem.org/2017/ ) in Brussels, Belgium on February 4th and 5th,
2017. I will also attend the Config Management Camp EU (
http://cfgmgmtcamp.eu/ ) in Ghent, Belgium on the 6th of February,
2017. If you have any questions and will be at any of those locations,
please look me up.

Bug reports and feedback about specific packages should be filed at
https://bugs.centos.org/ against the relevant package name, for project
CentOS Linux 7, in the same manner as you would for x86_64. However, do
mention the architecture as applicable.

===========================

Johnny Hughes
CentOS-7 i386 AltArch Maintainer
Twitter: @JohnnyCentOS
Freenode IRC: hughesjr

Friday, January 27, 2017

[announce] mirrors.nycbug.org update

All
I recently swapped Apache out as our web server in favor of thttpd. Please let me know if you have any issues with the new setup.


---
Mark Saad | nonesuch@longcount.org

[USN-3165-1] Thunderbird vulnerabilities

==========================================================================
Ubuntu Security Notice USN-3165-1
January 28, 2017

thunderbird vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS

Summary:

Several security issues were fixed in Thunderbird.

Software Description:
- thunderbird: Mozilla Open Source mail and newsgroup client

Details:

Multiple memory safety issues were discovered in Thunderbird. If a user were
tricked into opening a specially crafted message, an attacker could
potentially exploit these to cause a denial of service via application
crash, or execute arbitrary code. (CVE-2016-9893, CVE-2017-5373)

Andrew Krasichkov discovered that event handlers on <marquee> elements
were executed despite a Content Security Policy (CSP) that disallowed
inline JavaScript. If a user were tricked into opening a specially
crafted website in a browsing context, an attacker could potentially
exploit this to conduct cross-site scripting (XSS) attacks.
(CVE-2016-9895)

A memory corruption issue was discovered in WebGL in some circumstances.
If a user were tricked into opening a specially crafted website in a
browsing context, an attacker could potentially exploit this to cause a
denial of service via application crash, or execute arbitrary code.
(CVE-2016-9897)

A use-after-free was discovered when manipulating DOM subtrees in the
Editor. If a user were tricked into opening a specially crafted website
in a browsing context, an attacker could potentially exploit this to
cause a denial of service via application crash, or execute arbitrary
code. (CVE-2016-9898)

A use-after-free was discovered when manipulating DOM events and audio
elements. If a user were tricked into opening a specially crafted website
in a browsing context, an attacker could potentially exploit this to
cause a denial of service via application crash, or execute arbitrary
code. (CVE-2016-9899)

It was discovered that external resources that should be blocked when
loading SVG images can bypass security restrictions using data: URLs. An
attacker could potentially exploit this to obtain sensitive information.
(CVE-2016-9900)

Jann Horn discovered that JavaScript Map/Set were vulnerable to timing
attacks. If a user were tricked into opening a specially crafted website
in a browsing context, an attacker could potentially exploit this to
obtain sensitive information across domains. (CVE-2016-9904)

A crash was discovered in EnumerateSubDocuments while adding or removing
sub-documents. If a user were tricked into opening a specially crafted
website in a browsing context, an attacker could potentially exploit this
to execute arbitrary code. (CVE-2016-9905)

JIT code allocation can allow a bypass of ASLR protections in some
circumstances. If a user were tricked into opening a specially crafted
website in a browsing context, an attacker could potentially exploit this
to cause a denial of service via application crash, or execute arbitrary
code. (CVE-2017-5375)

Nicolas Grégoire discovered a use-after-free when manipulating XSL in
XSLT documents in some circumstances. If a user were tricked into opening
a specially crafted website in a browsing context, an attacker could
potentially exploit this to cause a denial of service via application
crash, or execute arbitrary code. (CVE-2017-5376)

Jann Horn discovered that an object's address could be discovered through
hashed codes of JavaScript objects shared between pages. If a user were
tricked into opening a specially crafted website in a browsing context,
an attacker could potentially exploit this to obtain sensitive
information. (CVE-2017-5378)

A use-after-free was discovered during DOM manipulation of SVG content in
some circumstances. If a user were tricked into opening a specially
crafted website in a browsing context, an attacker could potentially
exploit this to cause a denial of service via application crash, or
execute arbitrary code. (CVE-2017-5380)

Armin Razmjou discovered that certain unicode glyphs do not trigger
punycode display. If a user were tricked into opening a specially crafted
website in a browsing context, an attacker could potentially exploit this
to spoof the URL bar contents. (CVE-2017-5383)

Jerri Rice discovered insecure communication methods in the Dev Tools JSON
Viewer. An attacker could potentially exploit this to gain additional
privileges. (CVE-2017-5390)

Filipe Gomes discovered a use-after-free in the media decoder in some
circumstances. If a user were tricked into opening a specially crafted
website in a browsing context, an attacker could potentially exploit this
to cause a denial of service via application crash, or execute arbitrary
code. (CVE-2017-5396)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.10:
thunderbird 1:45.7.0+build1-0ubuntu0.16.10.1

Ubuntu 16.04 LTS:
thunderbird 1:45.7.0+build1-0ubuntu0.16.04.1

Ubuntu 14.04 LTS:
thunderbird 1:45.7.0+build1-0ubuntu0.14.04.1

Ubuntu 12.04 LTS:
thunderbird 1:45.7.0+build1-0ubuntu0.12.04.1

After a standard system update you need to restart Thunderbird to make
all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-3165-1
CVE-2016-9893, CVE-2016-9895, CVE-2016-9897, CVE-2016-9898,
CVE-2016-9899, CVE-2016-9900, CVE-2016-9904, CVE-2016-9905,
CVE-2017-5373, CVE-2017-5375, CVE-2017-5376, CVE-2017-5378,
CVE-2017-5380, CVE-2017-5383, CVE-2017-5390, CVE-2017-5396

Package Information:
https://launchpad.net/ubuntu/+source/thunderbird/1:45.7.0+build1-0ubuntu0.16.10.1
https://launchpad.net/ubuntu/+source/thunderbird/1:45.7.0+build1-0ubuntu0.16.04.1
https://launchpad.net/ubuntu/+source/thunderbird/1:45.7.0+build1-0ubuntu0.14.04.1
https://launchpad.net/ubuntu/+source/thunderbird/1:45.7.0+build1-0ubuntu0.12.04.1

[USN-3175-1] Firefox vulnerabilities

==========================================================================
Ubuntu Security Notice USN-3175-1
January 27, 2017

firefox vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS

Summary:

Firefox could be made to crash or run programs as your login if it
opened a malicious website.

Software Description:
- firefox: Mozilla Open Source web browser

Details:

Multiple memory safety issues were discovered in Firefox. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service via application
crash, or execute arbitrary code. (CVE-2017-5373, CVE-2017-5374)

JIT code allocation can allow a bypass of ASLR protections in some
circumstances. If a user were tricked in to opening a specially crafted
website, an attacker could potentially exploit this to cause a denial of
service via application crash, or execute arbitrary code. (CVE-2017-5375)

Nicolas Grégoire discovered a use-after-free when manipulating XSL in
XSLT documents in some circumstances. If a user were tricked in to opening
a specially crafted website, an attacker could potentially exploit this to
cause a denial of service via application crash, or execute arbitrary
code. (CVE-2017-5376)

Atte Kettunen discovered a memory corruption issue in Skia in some
circumstances. If a user were tricked in to opening a specially crafted
website, an attacker could potentially exploit this to cause a denial of
service via application crash, or execute arbitrary code. (CVE-2017-5377)

Jann Horn discovered that an object's address could be discovered through
hashed codes of JavaScript objects shared between pages. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit this to obtain sensitive information. (CVE-2017-5378)

A use-after-free was discovered in Web Animations in some circumstances.
If a user were tricked into opening a specially crafted website, an
attacker could potentially exploit this to cause a denial of service via
application crash, or execute arbitrary code. (CVE-2017-5379)

A use-after-free was discovered during DOM manipulation of SVG content in
some circumstances. If a user were tricked into opening a specially
crafted website, an attacker could potentially exploit this to cause a
denial of service via application crash, or execute arbitrary code.
(CVE-2017-5380)

Jann Horn discovered that the "export" function in the Certificate Viewer
can force local filesystem navigation when the Common Name contains
slashes. If a user were tricked into exporting a specially crafted
certificate, an attacker could potentially exploit this to save content
with arbitrary filenames in unsafe locations. (CVE-2017-5381)

Jerri Rice discovered that the Feed preview for RSS feeds can be used to
capture errors and exceptions generated by privileged content. An attacker
could potentially exploit this to obtain sensitive information.
(CVE-2017-5382)

Armin Razmjou discovered that certain unicode glyphs do not trigger
punycode display. An attacker could potentially exploit this to spoof the
URL bar contents. (CVE-2017-5383)

Paul Stone and Alex Chapman discovered that the full URL path is exposed
to JavaScript functions specified by Proxy Auto-Config (PAC) files. If a
user has enabled Web Proxy Auto Detect (WPAD), an attacker could
potentially exploit this to obtain sensitive information. (CVE-2017-5384)

Muneaki Nishimura discovered that data sent in multipart channels will
ignore the Referrer-Policy response headers. An attacker could potentially
exploit this to obtain sensitive information. (CVE-2017-5385)

Muneaki Nishimura discovered that WebExtensions can affect other
extensions using the data: protocol. If a user were tricked into
installing a specially crafted addon, an attacker could potentially
exploit this to obtain sensitive information or gain additional
privileges. (CVE-2017-5386)

Mustafa Hasan discovered that the existence of local files can be
determined using the <track> element. An attacker could potentially
exploit this to obtain sensitive information. (CVE-2017-5387)

Cullen Jennings discovered that WebRTC can be used to generate large
amounts of UDP traffic. An attacker could potentially exploit this to
conduct Distributed Denial-of-Service (DDoS) attacks. (CVE-2017-5388)

Kris Maglione discovered that WebExtensions can use the mozAddonManager
API by modifying the CSP headers on sites with the appropriate permissions
and then using host requests to redirect script loads to a malicious site.
If a user were tricked into installing a specially crafted addon, an
attacker could potentially exploit this to install additional addons
without user permission. (CVE-2017-5389)

Jerri Rice discovered insecure communication methods in the Dev Tools JSON
Viewer. An attacker could potentially exploit this to gain additional
privileges. (CVE-2017-5390)

Jerri Rice discovered that about: pages used by content can load
privileged about: pages in iframes. An attacker could potentially exploit
this to gain additional privileges, in combination with a
content-injection bug in one of those about: pages. (CVE-2017-5391)

Stuart Colville discovered that mozAddonManager allows for the
installation of extensions from the CDN for addons.mozilla.org, a publicly
accessible site. If a user were tricked into installing a specially
crafted addon, an attacker could potentially exploit this, in combination
with a cross-site scripting (XSS) attack on Mozilla's AMO sites, to
install additional addons. (CVE-2017-5393)

Filipe Gomes discovered a use-after-free in the media decoder in some
circumstances. If a user were tricked into opening a specially crafted
website, an attacker could potentially exploit this to cause a denial of
service via application crash, or execute arbitrary code. (CVE-2017-5396)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.10:
firefox 51.0.1+build2-0ubuntu0.16.10.1

Ubuntu 16.04 LTS:
firefox 51.0.1+build2-0ubuntu0.16.04.1

Ubuntu 14.04 LTS:
firefox 51.0.1+build2-0ubuntu0.14.04.1

Ubuntu 12.04 LTS:
firefox 51.0.1+build2-0ubuntu0.12.04.1

After a standard system update you need to restart Firefox to make
all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-3175-1
CVE-2017-5373, CVE-2017-5374, CVE-2017-5375, CVE-2017-5376,
CVE-2017-5377, CVE-2017-5378, CVE-2017-5379, CVE-2017-5380,
CVE-2017-5381, CVE-2017-5382, CVE-2017-5383, CVE-2017-5384,
CVE-2017-5385, CVE-2017-5386, CVE-2017-5387, CVE-2017-5388,
CVE-2017-5389, CVE-2017-5390, CVE-2017-5391, CVE-2017-5393,
CVE-2017-5396

Package Information:
https://launchpad.net/ubuntu/+source/firefox/51.0.1+build2-0ubuntu0.16.10.1
https://launchpad.net/ubuntu/+source/firefox/51.0.1+build2-0ubuntu0.16.04.1
https://launchpad.net/ubuntu/+source/firefox/51.0.1+build2-0ubuntu0.14.04.1
https://launchpad.net/ubuntu/+source/firefox/51.0.1+build2-0ubuntu0.12.04.1

Thursday, January 26, 2017

[CentOS-announce] CESA-2017:0184 Important CentOS 6 mysql Security Update

CentOS Errata and Security Advisory 2017:0184 Important

Upstream details at : https://rhn.redhat.com/errata/RHSA-2017-0184.html

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

i386:
90a5007752cc5dc69559fbac5117708c4aacd4ee45dc09ea79d4b86e739f6196 mysql-5.1.73-8.el6_8.i686.rpm
d9fa54a3d70a5d9e5732d22cf2eac1f01b3e78df12cfd2f803488323736081c1 mysql-bench-5.1.73-8.el6_8.i686.rpm
faac0fa3bfcba71701f3c85f1ab96cc0fb2ed27130f2cda55082d459dd960bde mysql-devel-5.1.73-8.el6_8.i686.rpm
e8d0100a1dfe23387f41101b8cd6e458ea0b479e1262f4c06205a4cb25449c7e mysql-embedded-5.1.73-8.el6_8.i686.rpm
cdce7ce86780ddec72435dbf96a336dc2c48166feff6c5bccea2873d58962658 mysql-embedded-devel-5.1.73-8.el6_8.i686.rpm
afa9536c07ca2540d89e33b74299856708c1080de4453ef50ec5654b1d1ae092 mysql-libs-5.1.73-8.el6_8.i686.rpm
bed77f90cc7dab7121d50e594becd0e583182d31df09422545d690f5b7c43629 mysql-server-5.1.73-8.el6_8.i686.rpm
c2dcb64a748bc7fdbc77cb9fbfec0fe99b309d1c3af0fbe87dc25b82a5e74825 mysql-test-5.1.73-8.el6_8.i686.rpm

x86_64:
3086e370dee78dcf420a882c33707369cedc0c16fff25020ef38ddc8dd10a1c2 mysql-5.1.73-8.el6_8.x86_64.rpm
1ec8a72b49e3942de13fa941555970ea979066fda8b30fab7744fa2235f31b33 mysql-bench-5.1.73-8.el6_8.x86_64.rpm
faac0fa3bfcba71701f3c85f1ab96cc0fb2ed27130f2cda55082d459dd960bde mysql-devel-5.1.73-8.el6_8.i686.rpm
ee4cafcc7ad0859a45ff54ca17997a903279732a96d45b0bdad99576f8596f8e mysql-devel-5.1.73-8.el6_8.x86_64.rpm
e8d0100a1dfe23387f41101b8cd6e458ea0b479e1262f4c06205a4cb25449c7e mysql-embedded-5.1.73-8.el6_8.i686.rpm
5dbc5d8e5809e2901d5e8e8b1418750002b83e3406e03ae8d71cfb94127eb243 mysql-embedded-5.1.73-8.el6_8.x86_64.rpm
cdce7ce86780ddec72435dbf96a336dc2c48166feff6c5bccea2873d58962658 mysql-embedded-devel-5.1.73-8.el6_8.i686.rpm
112a82ba493db96e355d00b6f1982e3b1edf91a43049eedc88e616e697c51f0f mysql-embedded-devel-5.1.73-8.el6_8.x86_64.rpm
afa9536c07ca2540d89e33b74299856708c1080de4453ef50ec5654b1d1ae092 mysql-libs-5.1.73-8.el6_8.i686.rpm
eb618e3896815be9548104036c272b9f17f54b8706b52451bcb8e6ddc0a2ed7b mysql-libs-5.1.73-8.el6_8.x86_64.rpm
e903e2e57ff025de587503648680701f99c2162d852c04b6e3660b30087637ed mysql-server-5.1.73-8.el6_8.x86_64.rpm
847d84415d57eb33f505408b9676d59949b8b3d46002ae37dc028d0cc6977945 mysql-test-5.1.73-8.el6_8.x86_64.rpm

Source:
c328e9e7e4d58ccd09d5c40830f71215249a868c2eb80762e993d5d9eb7ee96d mysql-5.1.73-8.el6_8.src.rpm



--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS

_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
https://lists.centos.org/mailman/listinfo/centos-announce
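The CentOS announcements above publish each package as a "( sha256sum Filename )" pair so that a mirror download can be checked before it is installed. The Python below is an added example, not part of the announcement and not the CentOS project's own tooling: it parses a manifest in that layout, streams each downloaded file through SHA-256 and reports it as ok, mismatch or missing. The files and manifest it runs against are constructed in a temporary directory, so the digests it prints are not the real package checksums listed above, and the filename check that rejects path components is this example's own hardening.

```python
import hashlib
import os
import tempfile

# Constructed sample files standing in for downloaded RPMs. Their digests are
# computed below from these bytes; they are not the checksums from the advisory.
SAMPLE_FILES = {
    "mysql-libs-example.rpm": b"constructed rpm payload A",
    "mysql-server-example.rpm": b"constructed rpm payload B",
}

HEX_DIGITS = set("0123456789abcdef")


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large RPMs are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_manifest(text):
    """Parse '<sha256hex> <filename>' lines into {filename: digest}.

    Section headers such as 'x86_64:' and blank lines are skipped. Anything else
    that is not a 64-hex-digit digest followed by a bare filename raises, so a
    truncated or mangled manifest is not silently accepted as empty."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.endswith(":"):
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError("malformed manifest line: %r" % raw)
        digest, name = parts[0].lower(), parts[1]
        if len(digest) != 64 or not set(digest) <= HEX_DIGITS:
            raise ValueError("bad sha256 digest on line: %r" % raw)
        if os.path.basename(name) != name:
            # A manifest must never steer the verifier outside the download directory.
            raise ValueError("refusing filename with path components: %r" % name)
        entries[name] = digest
    return entries


def verify_directory(manifest_text, directory):
    """Return {filename: 'ok' | 'mismatch' | 'missing'} for every manifest entry."""
    results = {}
    for name, expected in parse_manifest(manifest_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif sha256_file(path) == expected:
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


def build_demo(directory):
    """Write the constructed files plus a manifest in the advisory's layout, then
    corrupt one file and list one that was never downloaded."""
    lines = ["x86_64:"]
    for name, data in SAMPLE_FILES.items():
        with open(os.path.join(directory, name), "wb") as handle:
            handle.write(data)
        lines.append("%s %s" % (hashlib.sha256(data).hexdigest(), name))
    lines.append("%s mysql-test-example.rpm" % ("0" * 64))  # listed, never downloaded
    with open(os.path.join(directory, "mysql-server-example.rpm"), "ab") as handle:
        handle.write(b"!")  # simulate a corrupted or tampered download
    return "\n".join(lines) + "\n"


def run_demo():
    """Build the constructed download directory and verify it."""
    with tempfile.TemporaryDirectory() as directory:
        return verify_directory(build_demo(directory), directory)


if __name__ == "__main__":
    for name, status in sorted(run_demo().items()):
        print(status.upper().ljust(8), name)
```

Against a real mirror download, save the advisory's hash lines to a file and call verify_directory(open(path).read(), download_dir); a "mismatch" means the file should be discarded and fetched again rather than installed, and a "missing" entry shows that a listed package has not arrived yet.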

[CentOS-announce] CESA-2017:0190 Critical CentOS 7 firefox Security Update

CentOS Errata and Security Advisory 2017:0190 Critical

Upstream details at : https://rhn.redhat.com/errata/RHSA-2017-0190.html

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

x86_64:
34c0472b0952187186f440bfc92ba8623f074def7f9d3167adc812197c615428 firefox-45.7.0-1.el7.centos.i686.rpm
bebce01ac11511a2e55ef51c4f63671ed5bbb1016d159ccbcfd8f21b0ad84fce firefox-45.7.0-1.el7.centos.x86_64.rpm

Source:
92ff3bdf3c2f19b580e13dbe68b9b21d479351e5c4f0c0695d1cfc01c9ccc42f firefox-45.7.0-1.el7.centos.src.rpm



--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS

_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
https://lists.centos.org/mailman/listinfo/centos-announce

[CentOS-announce] CESA-2017:0182 Moderate CentOS 7 squid Security Update

CentOS Errata and Security Advisory 2017:0182 Moderate

Upstream details at : https://rhn.redhat.com/errata/RHSA-2017-0182.html

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

x86_64:
275a75c85ff8c059d37c719dc5095b13f475d3713a3b464e4e45f4138ff78ddb squid-3.5.20-2.el7_3.2.x86_64.rpm
d92cb53e1cd1ca105c79f40e434a04fd67635671255e5ca5f8655ffe877ca124 squid-migration-script-3.5.20-2.el7_3.2.x86_64.rpm
5e1c34b8905de8a5f82c9f35543671aa80facc44e21341e284042f0e2f5e7d1f squid-sysvinit-3.5.20-2.el7_3.2.x86_64.rpm

Source:
8c17b5ff7d793529ed91f0ec5b772104019357863706e9636a2246c67d522bad squid-3.5.20-2.el7_3.2.src.rpm



--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS

_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
https://lists.centos.org/mailman/listinfo/centos-announce

[CentOS-announce] CESA-2017:0190 Critical CentOS 5 firefox Security Update

CentOS Errata and Security Advisory 2017:0190 Critical

Upstream details at : https://rhn.redhat.com/errata/RHSA-2017-0190.html

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

i386:
bb7c734cceac8492f93bc3623d8b95a3c1f5b765af9286c1ed7c4b8528535ebd firefox-45.7.0-1.el5.centos.i386.rpm

x86_64:
bb7c734cceac8492f93bc3623d8b95a3c1f5b765af9286c1ed7c4b8528535ebd firefox-45.7.0-1.el5.centos.i386.rpm
202bb19502b662d84846286383e106f4018e3699db8c0588e3eeffead8cac8a8 firefox-45.7.0-1.el5.centos.x86_64.rpm

Source:
dcfedc05611839011adf391231df0213575d9be03345ca660f7b45223c75b5d2 firefox-45.7.0-1.el5.centos.src.rpm



--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS

_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
https://lists.centos.org/mailman/listinfo/centos-announce

[CentOS-announce] CESA-2017:0190 Critical CentOS 6 firefox Security Update

CentOS Errata and Security Advisory 2017:0190 Critical

Upstream details at : https://rhn.redhat.com/errata/RHSA-2017-0190.html

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

i386:
d029cd11706e8ccf1a68d2dbafaeb483d74db49c698dd7061bd9e2e51d576657 firefox-45.7.0-1.el6.centos.i686.rpm

x86_64:
d029cd11706e8ccf1a68d2dbafaeb483d74db49c698dd7061bd9e2e51d576657 firefox-45.7.0-1.el6.centos.i686.rpm
652667b06a4596e42b0ad12a5f88e49ad9ee68276e2c2002cadf19f597e58386 firefox-45.7.0-1.el6.centos.x86_64.rpm

Source:
8e61cfbbfbd1dfc9daa8ba468c350ec9cd694aaffb3a98e42a42f790fc816f39 firefox-45.7.0-1.el6.centos.src.rpm



--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS

_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
https://lists.centos.org/mailman/listinfo/centos-announce

[CentOS-announce] CESA-2017:0183 Moderate CentOS 6 squid34 Security Update

CentOS Errata and Security Advisory 2017:0183 Moderate

Upstream details at : https://rhn.redhat.com/errata/RHSA-2017-0183.html

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

i386:
ca6821bc977e58ddefd9bccf91dc98ee75d90aaf433f6a462d18786a23481d24 squid34-3.4.14-9.el6_8.4.i686.rpm

x86_64:
05af47a8209fb31705b6e7916ff30c0ce1b89005f24fc427e88ba257348c2857 squid34-3.4.14-9.el6_8.4.x86_64.rpm

Source:
59a82b8676b28b88dfdab8fc952dd5423414306e48cbdecc593b6760bd1a5add squid34-3.4.14-9.el6_8.4.src.rpm



--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS

_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
https://lists.centos.org/mailman/listinfo/centos-announce

[CentOS-announce] CEEA-2017:0188 CentOS 6 rtsx_pci Enhancement Update

CentOS Errata and Enhancement Advisory 2017:0188

Upstream details at : https://rhn.redhat.com/errata/RHEA-2017-0188.html

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

i386:
c2b35efce655a383ad0e9f18128bcb85fe3660b0ec6134ff4d09a57bf9e12170 kmod-rtsx_pci-642-1.el6_8.i686.rpm

x86_64:
15aed624799009c5ce5de9989b6d34b0f6b3b4ae64b42b459fecf83d82be524d kmod-rtsx_pci-642-1.el6_8.x86_64.rpm

Source:
49aeb3e303a4b561acdc901382022f3eb9d8e9c13c552148b2ef7f45583f5778 rtsx_pci-642-1.el6_8.src.rpm



--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS

_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
https://lists.centos.org/mailman/listinfo/centos-announce

F26 Self Contained Change: NetworkManager 1.8

= Proposed Self Contained Change: NetworkManager 1.8 =
https://fedoraproject.org/wiki/Changes/NetworkManager18


Change owner(s):
* Lubomir Rintel <lkundrak AT v3 DOT sk>


Update to NetworkManager to version 1.8.


== Detailed Description ==
NetworkManager 1.8 will include significant changes and improvements:
* MACsec support
* Proxy support including autoconfiguration
* Integration with systemd-resolved
* IPv6 connection sharing (prefix delegation to hotspots)
* Dropped hard dependency on dhclient, ppp
* VPN plugins no longer depend on GUI

== Scope ==
* Proposal owners:
Update NetworkManager, connection editor and VPN plugin packages.

* Other developers:
N/A (not needed for this Change)

* Release engineering:
N/A (not needed for this Change)

* Policies and guidelines:
N/A (not needed for this Change)

* Trademark approval:
N/A (not needed for this Change)
--
Jan Kuřík
Platform & Fedora Program Manager
Red Hat Czech s.r.o., Purkynova 99/71, 612 45 Brno, Czech Republic
_______________________________________________
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org

Wednesday, January 25, 2017

[USN-3179-1] OpenJDK 8 vulnerabilities

==========================================================================
Ubuntu Security Notice USN-3179-1
January 25, 2017

openjdk-8 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.10
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in OpenJDK 8.

Software Description:
- openjdk-8: Open Source Java implementation

Details:

Karthik Bhargavan and Gaetan Leurent discovered that the DES and
Triple DES ciphers were vulnerable to birthday attacks. A remote
attacker could possibly use this flaw to obtain clear text data from
long encrypted sessions. This update moves those algorithms to the
legacy algorithm set and causes them to be used only if no non-legacy
algorithms can be negotiated. (CVE-2016-2183)

It was discovered that OpenJDK accepted ECDSA signatures using
non-canonical DER encoding. An attacker could use this to modify or
expose sensitive data. (CVE-2016-5546)

It was discovered that OpenJDK did not properly verify object
identifier (OID) length when reading Distinguished Encoding Rules
(DER) records, as used in X.509 certificates and elsewhere. An
attacker could use this to cause a denial of service (memory
consumption). (CVE-2016-5547)

It was discovered that covert timing channel vulnerabilities existed
in the DSA and ECDSA implementations in OpenJDK. A remote attacker
could use this to expose sensitive information. (CVE-2016-5548,
CVE-2016-5549)

It was discovered that the URLStreamHandler class in OpenJDK did not
properly parse user information from a URL. A remote attacker could
use this to expose sensitive information. (CVE-2016-5552)

It was discovered that the URLClassLoader class in OpenJDK did not
properly check access control context when downloading class files. A
remote attacker could use this to expose sensitive information.
(CVE-2017-3231)

It was discovered that the Remote Method Invocation (RMI)
implementation in OpenJDK performed deserialization of untrusted
inputs. A remote attacker could use this to execute arbitrary
code. (CVE-2017-3241)

It was discovered that the Java Authentication and Authorization
Service (JAAS) component of OpenJDK did not properly perform user
search LDAP queries. An attacker could use a specially constructed
LDAP entry to expose or modify sensitive information. (CVE-2017-3252)

It was discovered that the PNGImageReader class in OpenJDK did not
properly handle iTXt and zTXt chunks. An attacker could use this to
cause a denial of service (memory consumption). (CVE-2017-3253)

It was discovered that integer overflows existed in the
SocketInputStream and SocketOutputStream classes of OpenJDK. An
attacker could use this to expose sensitive information.
(CVE-2017-3261)

It was discovered that the atomic field updaters in the
java.util.concurrent.atomic package in OpenJDK did not properly
restrict access to protected field members. An attacker could use
this to specially craft a Java application or applet that could bypass
Java sandbox restrictions. (CVE-2017-3272)

It was discovered that a vulnerability existed in the class
construction implementation in OpenJDK. An attacker could use this
to specially craft a Java application or applet that could bypass
Java sandbox restrictions. (CVE-2017-3289)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.10:
openjdk-8-jdk 8u121-b13-0ubuntu1.16.10.2
openjdk-8-jdk-headless 8u121-b13-0ubuntu1.16.10.2
openjdk-8-jre 8u121-b13-0ubuntu1.16.10.2
openjdk-8-jre-headless 8u121-b13-0ubuntu1.16.10.2
openjdk-8-jre-jamvm 8u121-b13-0ubuntu1.16.10.2
openjdk-8-jre-zero 8u121-b13-0ubuntu1.16.10.2

Ubuntu 16.04 LTS:
openjdk-8-jdk 8u121-b13-0ubuntu1.16.04.2
openjdk-8-jdk-headless 8u121-b13-0ubuntu1.16.04.2
openjdk-8-jre 8u121-b13-0ubuntu1.16.04.2
openjdk-8-jre-headless 8u121-b13-0ubuntu1.16.04.2
openjdk-8-jre-jamvm 8u121-b13-0ubuntu1.16.04.2
openjdk-8-jre-zero 8u121-b13-0ubuntu1.16.04.2

This update uses a new upstream release, which includes additional
bug fixes. After a standard system update you need to restart any
Java applications or applets to make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-3179-1
CVE-2016-2183, CVE-2016-5546, CVE-2016-5547, CVE-2016-5548,
CVE-2016-5549, CVE-2016-5552, CVE-2017-3231, CVE-2017-3241,
CVE-2017-3252, CVE-2017-3253, CVE-2017-3261, CVE-2017-3272,
CVE-2017-3289

Package Information:
https://launchpad.net/ubuntu/+source/openjdk-8/8u121-b13-0ubuntu1.16.10.2
https://launchpad.net/ubuntu/+source/openjdk-8/8u121-b13-0ubuntu1.16.04.2
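CVE-2016-5546 and CVE-2016-5547 above both come down to accepting DER that is not strictly encoded: an ECDSA signature whose INTEGERs carry padding bytes the encoding rules forbid, and an OID whose declared length is trusted before it is compared with the bytes actually present. The Python below is an added example, not OpenJDK's code or its fix: a strict DER reader that rejects non-minimal lengths and integers, checks every declared length against the remaining buffer (and, for OIDs, against a cap) before using it, and decodes the OID arcs. MAX_OID_CONTENT is a value assumed for this example, and the sample byte strings are constructed.

```python
MAX_OID_CONTENT = 64  # Assumed cap for this example, not a value taken from OpenJDK.


def _read_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it).

    DER requires the shortest form: lengths below 0x80 use one byte, longer ones
    use the long form with no leading zero byte, and 0x80 (indefinite) is not
    DER at all. The result is checked against the bytes that remain, so a huge
    declared length can never drive an allocation or a read past the buffer."""
    if pos >= len(buf):
        raise ValueError("truncated length")
    first = buf[pos]
    pos += 1
    if first < 0x80:
        length = first
    else:
        count = first & 0x7F
        if count == 0 or count > 4:
            raise ValueError("indefinite or oversized length")
        if pos + count > len(buf):
            raise ValueError("truncated length bytes")
        if buf[pos] == 0:
            raise ValueError("non-minimal length encoding (leading zero)")
        length = int.from_bytes(buf[pos:pos + count], "big")
        if length < 0x80:
            raise ValueError("non-minimal length encoding (long form for short length)")
        pos += count
    if pos + length > len(buf):
        raise ValueError("declared length %d exceeds %d available bytes" % (length, len(buf) - pos))
    return length, pos


def _read_tlv(buf, pos, expected_tag):
    """Read one tag-length-value element; return (content bytes, position after it)."""
    if pos >= len(buf):
        raise ValueError("truncated tag")
    if buf[pos] != expected_tag:
        raise ValueError("unexpected tag 0x%02x, wanted 0x%02x" % (buf[pos], expected_tag))
    length, pos = _read_length(buf, pos + 1)
    return buf[pos:pos + length], pos + length


def decode_der_integer(content):
    """Decode INTEGER content, rejecting the padding bytes DER forbids."""
    if not content:
        raise ValueError("empty INTEGER")
    if len(content) > 1:
        if content[0] == 0x00 and content[1] < 0x80:
            raise ValueError("non-minimal INTEGER: redundant leading 0x00")
        if content[0] == 0xFF and content[1] >= 0x80:
            raise ValueError("non-minimal INTEGER: redundant leading 0xFF")
    return int.from_bytes(content, "big", signed=True)


def parse_ecdsa_signature(sig):
    """Strictly parse SEQUENCE { r INTEGER, s INTEGER } and return (r, s)."""
    seq, end = _read_tlv(sig, 0, 0x30)
    if end != len(sig):
        raise ValueError("trailing bytes after signature SEQUENCE")
    r_bytes, pos = _read_tlv(seq, 0, 0x02)
    s_bytes, pos = _read_tlv(seq, pos, 0x02)
    if pos != len(seq):
        raise ValueError("trailing bytes inside signature SEQUENCE")
    r, s = decode_der_integer(r_bytes), decode_der_integer(s_bytes)
    if r <= 0 or s <= 0:
        raise ValueError("r and s must be positive")
    return r, s


def is_canonical_ecdsa_signature(sig):
    """True only if sig is a strictly DER-encoded ECDSA signature."""
    try:
        parse_ecdsa_signature(sig)
    except ValueError:
        return False
    return True


def parse_oid(buf, pos=0, max_content=MAX_OID_CONTENT):
    """Decode an OBJECT IDENTIFIER to dotted form; return (text, position after it).

    The content length is bounded before any work is done on it, and each
    base-128 sub-identifier must be complete and minimally encoded."""
    content, end = _read_tlv(buf, pos, 0x06)
    if not content:
        raise ValueError("empty OID")
    if len(content) > max_content:
        raise ValueError("OID content length %d exceeds cap %d" % (len(content), max_content))
    if content[-1] & 0x80:
        raise ValueError("truncated OID sub-identifier")
    arcs, value = [], 0
    for byte in content:
        if value == 0 and byte == 0x80:
            raise ValueError("non-minimal OID sub-identifier")
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    # The first two arcs share one sub-identifier: 40*X + Y, with X in 0..2.
    first = arcs[0]
    x, y = (2, first - 80) if first >= 80 else divmod(first, 40)
    return ".".join(str(a) for a in [x, y] + arcs[1:]), end


if __name__ == "__main__":
    # Constructed samples: a canonical signature, one with a padded r, and the
    # ecdsa-with-SHA256 OID (1.2.840.10045.4.3.2).
    print(parse_ecdsa_signature(bytes.fromhex("300802020081020200ff")))
    print(is_canonical_ecdsa_signature(bytes.fromhex("30090203000081020200ff")))
    print(parse_oid(bytes.fromhex("06082a8648ce3d040302"))[0])
```

The reason strictness matters for signatures is that every accepted encoding of the same (r, s) is a distinct byte string that verifies, so a lax parser lets a third party mint alternative signatures over data it never signed; for OIDs, the reason is the DoS described in the advisory, which the length-versus-remaining-bytes check and the cap both close.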

Scientific Linux 7.3 x86_64 is officially released

Scientific Linux 7.3 x86_64 - Jan 25 2017

== Information ==

NOTE: Please review the SL Release Notes along with
the upstream vendor's release notes:

http://ftp.scientificlinux.org/linux/scientific/7.3/x86_64/release-notes/

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/index.html

There is a great deal of information within those documents not listed here.

Please run: yum clean expire-cache

== Media ==
You can find the release media at:
http://ftp.scientificlinux.org/linux/scientific/7.3/x86_64/iso/

Due to the size of the release, the 4.7 GB Install media is discontinued.
We have retained the Dual Layer Install media.

Alternatively, the livecd-iso-to-disk utility is able to convert
this to USB successfully. A USB device of sufficient size is
required.

Alternatively, you can use the dd command to write the
raw image to a USB device.

http://ftp.scientificlinux.org/linux/scientific/7/x86_64/release-notes/#_how_to_make_a_bootable_usb_installer

== SL Specific Updates ==

.Scientific Linux Contexts
SL 7.3 includes updated support for Scientific Linux Contexts, which
should make it easier to create local customizations for specific
computing needs. Anaconda integration should be less intrusive
for non-context users.
For more information on Scientific Linux Contexts:
http://ftp.scientificlinux.org/linux/scientific/7/contexts/README.html

.OpenAFS
With SL 7.2, OpenAFS has been updated to version 1.6.20, the latest
upstream stable release.

.sl-release
There is a new Scientific Linux End User License Agreement (EULA).
The EULA now contains information about the U.S. Government contract
under which Fermilab produces Scientific Linux.


== UEFI Secure Boot ==
The status of UEFI Secure Boot for Scientific Linux is noted in detail at:

http://ftp.scientificlinux.org/linux/scientific/7/x86_64/release-notes/#_about_uefi_secure_boot

Booting SL7 with Secure Boot enabled works but requires a manual step.
This is because the "shim" has not been signed by the UEFI CA.
Instructions are included within the SL7 Release Notes.

[arch-announce] Phasing out i686 support

Due to the decreasing popularity of i686 among the developers and the community,
we have decided to phase out the support of this architecture.

The decision means that the February ISO will be the last that allows installing 32-bit
Arch Linux. The next 9 months are a deprecation period, during which i686 will
still receive upgraded packages. Starting from November 2017, packaging and
repository tools will no longer require that from maintainers, effectively
making i686 unsupported.

However, as there is still some interest in keeping i686 alive, we would like to
encourage the community to make it happen with our guidance. The [arch-ports][1]
mailing list and #archlinux-ports IRC channel on Freenode will be used for
further coordination.

The [multilib] repository will not be affected by this change.

[1]: https://lists.archlinux.org/listinfo/arch-ports

URL: https://www.archlinux.org/news/phasing-out-i686-support/
_______________________________________________
arch-announce mailing list
arch-announce@archlinux.org
https://lists.archlinux.org/listinfo/arch-announce

[announce] NYC*BUG Upcoming: OS: the underlying overhead of computation

March 1, 6:45 PM
Suspenders Restaurant
2nd Floor
108 Greenwich Street by Rector Street
Manhattan

OS : The underlying overhead of computation

An operating system is a piece of code intended to help computer
operators load punch cards -- hence "operating". The timesharing system
was created to allow interactive shared access to the handful of
computers which existed at the time. We will examine what is in the
interactive punch card loader in 2017, what actually belongs in there,
and why things are the way they are. Like science, the talk is highly
religious. Unlike computer science, the talk is grounded in reality.
Discussions, heretical opinions, and questions are encouraged.

Bio

Antti Kantee has been a NetBSD committer since the 1900's and has
managed to do many sorts of damage. He is probably best (or worst,
depending on who you ask) known for his decade-long workhaul on rump
kernels. Antti very recently moved to the Princeton area, so in case he
appears particularly absent during his talk, he got lost on the way to
the venue.

_______________________________________________
announce mailing list
announce@lists.nycbug.org
http://lists.nycbug.org/mailman/listinfo/announce

[opensuse-announce] Re: Elections on hold

Hello Martin,

On 25 January 2017 at 13:09, Martin Pluskal <martin@pluskal.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Hello
>
> I have to regretfully inform you that, due to technical difficulties in
> our tool connect.opensuse.org, we have to put the current elections on hold.
> I deeply apologize for any inconvenience this might have caused you.
>
> The technical problems that many of you noticed on the mailing list have proven
> to have more than visual consequences, and our administrators are now
> looking into the issue, trying to figure out how to solve the underlying
> problem.
>
> The election team will update the election schedule and inform you about the next
> steps as soon as possible (whether we can continue/recover the current poll
> or whether we will need to start from scratch).
>
>
> Kind regards from the election team
>
> Martin Pluskal

Thank you for the announcement and all the work you & the team have
and will do to resolve this situation.

Due to the exceptional circumstances, the openSUSE Board will continue
operating with its currently elected members.

In the unlikely event of any major Board decisions being required
during this exceptional extension of the current Board, we will
consider options such as delaying the decision until the new board
members are chosen, or possibly including all of the candidates in the
decision making process.

Our priority is ensuring continuity while these technical issues get
fixed and will do our best to balance the needs for timely decisions
with the expectation that we should have been transitioning to a new
elected Board chosen by the community.

Once we get back on track, with elections that effectively fill the
two positions to be vacated by Kostas and Michal, the 2-year
term length of those new board members will start from the date of
their election. In other words, once we're able to fix these
technical issues, the community's chosen board members will still
serve a full 2-year term from that date, so the candidates will not be
disadvantaged by this delay.

Kind regards,

Richard Brown
On behalf of the openSUSE Board
--
To unsubscribe, e-mail: opensuse-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-announce+help@opensuse.org

[opensuse-announce] Elections on hold

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello

I have to regretfully inform you that, due to technical difficulties in
our tool connect.opensuse.org, we have to put the current elections on hold.
I deeply apologize for any inconvenience this might have caused you.

The technical problems that many of you noticed on the mailing list have proven
to have more than visual consequences, and our administrators are now
looking into the issue, trying to figure out how to solve the underlying
problem.

The election team will update the election schedule and inform you about the next
steps as soon as possible (whether we can continue/recover the current poll
or whether we will need to start from scratch).


Kind regards from the election team

Martin Pluskal

--
To unsubscribe, e-mail: opensuse-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-announce+help@opensuse.org

Tuesday, January 24, 2017

[USN-3178-1] icoutils vulnerabilities

==========================================================================
Ubuntu Security Notice USN-3178-1
January 24, 2017

icoutils vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS

Summary:

icoutils could be made to crash or run programs as your login if it opened
a specially crafted file.

Software Description:
- icoutils: Create and extract MS Windows icons and cursors

Details:

It was discovered that icoutils incorrectly handled memory when processing
certain files. If a user or automated system were tricked into opening a
specially crafted file, an attacker could cause icoutils to crash,
resulting in a denial of service, or possibly execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
icoutils 0.29.1-2ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-3178-1
CVE-2017-5208, CVE-2017-5331, CVE-2017-5332, CVE-2017-5333

Package Information:
https://launchpad.net/ubuntu/+source/icoutils/0.29.1-2ubuntu0.1

Monday, January 23, 2017

Planned outage: Server Reboots / Firmware updates - 2017-01-25 21:00 UTC

Planned Outage: Server reboots / Firmware updates - 2017-01-25 21:00 UTC

There will be an outage starting at 2017-01-25 21:00 UTC, which will
last approximately 4 hours.

To convert UTC to your local time, take a look at
http://fedoraproject.org/wiki/Infrastructure/UTCHowto or run:

date -d '2017-01-25 21:00 UTC'

Reason for outage:

We will be rebooting servers into the latest kernel and updated package
sets, as well as performing some firmware updates on selected servers.
No one service should be down very long, but all services may go up and
down in the outage window as various servers are rebooted.

Affected Services:

All services may be up or down during the outage window, with the
exception of cloud services (anything with .cloud.fedoraproject.org or
fedorainfracloud.org in the name).

Contact Information:

Ticket Link:

https://pagure.io/fedora-infrastructure/issue/5715

Please join #fedora-admin or #fedora-noc on irc.freenode.net or add
comments to the ticket for this outage above.

[USN-3177-1] Tomcat vulnerabilities

==========================================================================
Ubuntu Security Notice USN-3177-1
January 23, 2017

tomcat6, tomcat7, tomcat8 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS

Summary:

Several security issues were fixed in Tomcat.

Software Description:
- tomcat8: Servlet and JSP engine
- tomcat7: Servlet and JSP engine
- tomcat6: Servlet and JSP engine

Details:

It was discovered that the Tomcat realm implementations incorrectly handled
passwords when a username didn't exist. A remote attacker could possibly
use this issue to enumerate usernames. This issue only applied to Ubuntu
12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-0762)

Alvaro Munoz and Alexander Mirosh discovered that Tomcat incorrectly
limited use of a certain utility method. A malicious application could
possibly use this to bypass Security Manager restrictions. This issue only
applied to Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 16.04 LTS.
(CVE-2016-5018)

It was discovered that Tomcat did not protect applications from untrusted
data in the HTTP_PROXY environment variable. A remote attacker could
possibly use this issue to redirect outbound traffic to an arbitrary proxy
server. This issue only applied to Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and
Ubuntu 16.04 LTS. (CVE-2016-5388)

It was discovered that Tomcat incorrectly controlled reading system
properties. A malicious application could possibly use this to bypass
Security Manager restrictions. This issue only applied to Ubuntu 12.04 LTS,
Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-6794)

It was discovered that Tomcat incorrectly controlled certain configuration
parameters. A malicious application could possibly use this to bypass
Security Manager restrictions. This issue only applied to Ubuntu 12.04 LTS,
Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-6796)

It was discovered that Tomcat incorrectly limited access to global JNDI
resources. A malicious application could use this to access any global JNDI
resource without an explicit ResourceLink. This issue only applied to
Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-6797)

Regis Leroy discovered that Tomcat incorrectly filtered certain invalid
characters from the HTTP request line. A remote attacker could possibly
use this issue to inject data into HTTP responses. (CVE-2016-6816)

Pierre Ernst discovered that the Tomcat JmxRemoteLifecycleListener did not
implement a recommended fix. A remote attacker could possibly use this
issue to execute arbitrary code. (CVE-2016-8735)

It was discovered that Tomcat did not correctly handle errors in the send
file code. A remote attacker could possibly use this issue to access
information from other requests. (CVE-2016-8745)

Paul Szabo discovered that the Tomcat package incorrectly handled upgrades
and removals. A local attacker could possibly use this issue to obtain
root privileges. (CVE-2016-9774, CVE-2016-9775)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.10:
libtomcat8-java 8.0.37-1ubuntu0.1
tomcat8 8.0.37-1ubuntu0.1

Ubuntu 16.04 LTS:
libtomcat8-java 8.0.32-1ubuntu1.3
tomcat8 8.0.32-1ubuntu1.3

Ubuntu 14.04 LTS:
libtomcat7-java 7.0.52-1ubuntu0.8
tomcat7 7.0.52-1ubuntu0.8

Ubuntu 12.04 LTS:
libtomcat6-java 6.0.35-1ubuntu3.9
tomcat6 6.0.35-1ubuntu3.9

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-3177-1
CVE-2016-0762, CVE-2016-5018, CVE-2016-5388, CVE-2016-6794,
CVE-2016-6796, CVE-2016-6797, CVE-2016-6816, CVE-2016-8735,
CVE-2016-8745, CVE-2016-9774, CVE-2016-9775

Package Information:
https://launchpad.net/ubuntu/+source/tomcat8/8.0.37-1ubuntu0.1
https://launchpad.net/ubuntu/+source/tomcat8/8.0.32-1ubuntu1.3
https://launchpad.net/ubuntu/+source/tomcat7/7.0.52-1ubuntu0.8
https://launchpad.net/ubuntu/+source/tomcat6/6.0.35-1ubuntu3.9
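The CVE-2016-5388 entry above is the "httpoxy" issue class: a CGI-style gateway that follows the RFC 3875 convention of exporting every request header as an HTTP_<NAME> environment variable turns a client-supplied "Proxy" header into HTTP_PROXY, which many HTTP client libraries honour for outbound connections. The following is an added example written for this page, not Tomcat's CGI servlet or any Ubuntu code; the gateway functions, header set and hostnames are constructed to show the collision and one way to block it.

```python
"""
Added example (not Tomcat's code): a minimal CGI environment builder showing
why a request header named "Proxy" must not be exported as HTTP_PROXY, the
issue class behind CVE-2016-5388. All headers and hostnames are constructed.
"""

# Request headers that must never be exported: "Proxy" maps to HTTP_PROXY,
# the variable many HTTP client libraries read for outbound proxy settings.
BLOCKED_HEADERS = frozenset({"proxy"})


def header_to_env_name(name: str) -> str:
    """CGI (RFC 3875) convention: upper-case, '-' to '_', prefixed with HTTP_."""
    return "HTTP_" + name.upper().replace("-", "_")


def cgi_env_vulnerable(headers: dict) -> dict:
    """Naive gateway: every request header becomes an environment variable."""
    return {header_to_env_name(n): v for n, v in headers.items()}


def cgi_env_hardened(headers: dict) -> dict:
    """Same mapping, but headers that collide with well-known configuration
    variables are dropped before the child process environment is built."""
    return {
        header_to_env_name(n): v
        for n, v in headers.items()
        if n.lower() not in BLOCKED_HEADERS
    }


def outbound_proxy(env: dict):
    """What a typical HTTP client library does when the CGI script later makes
    an outbound request: honour HTTP_PROXY from its environment."""
    return env.get("HTTP_PROXY") or env.get("http_proxy")


# Constructed attacker request: an ordinary request plus a "Proxy" header.
ATTACKER_HEADERS = {
    "Host": "app.example",
    "User-Agent": "demo-client/1.0",
    "Proxy": "http://attacker.example:8080",
}


def demo():
    """Return (proxy seen behind a vulnerable gateway, proxy seen behind the
    hardened one) for the constructed attacker request."""
    return (
        outbound_proxy(cgi_env_vulnerable(ATTACKER_HEADERS)),
        outbound_proxy(cgi_env_hardened(ATTACKER_HEADERS)),
    )


if __name__ == "__main__":
    vulnerable, hardened = demo()
    print("vulnerable gateway: outbound traffic would go via", vulnerable)
    print("hardened gateway:   outbound traffic would go via", hardened)
```

The hardened builder drops the header rather than renaming it, because the script behind the gateway has no legitimate use for a client-chosen proxy; the same block list belongs in any reverse proxy or application server that builds a subprocess environment from request headers.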

[USN-3176-1] PCSC-Lite vulnerability

==========================================================================
Ubuntu Security Notice USN-3176-1
January 23, 2017

pcsc-lite vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS

Summary:

PCSC-Lite could be made to crash or run programs as an administrator
if it received specially crafted input.

Software Description:
- pcsc-lite: Middleware to access a smart card using PC/SC

Details:

Peter Wu discovered that the PC/SC service did not correctly handle certain
resources. A local attacker could use this issue to cause PC/SC to crash,
resulting in a denial of service, or possibly execute arbitrary code with
root privileges.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.10:
pcscd 1.8.14-1ubuntu1.16.10.1

Ubuntu 16.04 LTS:
pcscd 1.8.14-1ubuntu1.16.04.1

Ubuntu 14.04 LTS:
pcscd 1.8.10-1ubuntu1.1

Ubuntu 12.04 LTS:
pcscd 1.7.4-2ubuntu2.1

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-3176-1
CVE-2016-10109

Package Information:
https://launchpad.net/ubuntu/+source/pcsc-lite/1.8.14-1ubuntu1.16.10.1
https://launchpad.net/ubuntu/+source/pcsc-lite/1.8.14-1ubuntu1.16.04.1
https://launchpad.net/ubuntu/+source/pcsc-lite/1.8.10-1ubuntu1.1
https://launchpad.net/ubuntu/+source/pcsc-lite/1.7.4-2ubuntu2.1

[CentOS-announce] Announcing the release for Gluster 3.9 on CentOS Linux 6 x86_64

I am happy to announce the General Availability of Gluster 3.9 for
CentOS 6 on x86_64. These packages are following the upstream Gluster
Community releases, and will receive monthly bugfix updates.

Gluster 3.9 is a Short-Term-Maintenance release, and will only receive
updates until the next version (3.10) becomes available. The difference
between Long-Term-Maintenance and Short-Term-Maintenance releases is
explained on the Gluster release schedule page:
https://www.gluster.org/community/release-schedule/

Users of CentOS 6 can now simply install Gluster 3.9 with only these two
commands:

# yum install centos-release-gluster39
# yum install glusterfs-server

The centos-release-gluster39 package is delivered via the CentOS Extras
repos. This contains all the metadata and dependency information needed
to install Gluster 3.9.

Note that the standard centos-release-gluster (virtual) package is
still available and points to the 3.8 version. This is intentional
because 3.8 is a Long-Term-Maintenance version and does not require
users to update the major version every couple of months. Some
deployments may need to install the centos-release-gluster package as
well as centos-release-gluster39 to fulfill dependencies (most recent
versions of oVirt possibly).

We have a quickstart guide specifically built around the packages that
are available; it makes for a good introduction to Gluster and will help
get you started in just a few simple steps. This quick start is available at
https://wiki.centos.org/SpecialInterestGroup/Storage/gluster-Quickstart

More details about the packages that the Gluster project provides in the
Storage SIG are available in the documentation:
https://wiki.centos.org/SpecialInterestGroup/Storage/Gluster

The centos-release-gluster* repositories offer additional packages that
enhance the usability of Gluster itself. Utilities and tools that were
working with previous versions of Gluster are expected to stay working
fine. If there are any problems, or requests for additional tools and
applications to be provided, just send us an email with your
suggestions. The current list of packages that are (or are planned to
become) available can be found here:
https://wiki.centos.org/SpecialInterestGroup/Storage/Gluster/Ecosystem-pkgs

We welcome all feedback, comments and contributions. You can get in
touch with the CentOS Storage SIG on the centos-devel mailing list
( https://lists.centos.org ) and with the Gluster developer and user
communities at https://www.gluster.org/mailman/listinfo . We are also
available on IRC at #gluster on irc.freenode.net, and on Twitter at
@gluster .

Cheers,
Niels de Vos
Storage SIG member & Gluster maintainer

[CentOS-announce] Announcing the release for Gluster 3.9 on CentOS Linux 7 x86_64

I am happy to announce the General Availability of Gluster 3.9 for
CentOS 7 on x86_64. These packages are following the upstream Gluster
Community releases, and will receive monthly bugfix updates.

Gluster 3.9 is a Short-Term-Maintenance release, and will only receive
updates until the next version (3.10) becomes available. The difference
between Long-Term-Maintenance and Short-Term-Maintenance releases is
explained on the Gluster release schedule page:
https://www.gluster.org/community/release-schedule/

Users of CentOS 7 can now simply install Gluster 3.9 with only these two
commands:

# yum install centos-release-gluster39
# yum install glusterfs-server

The centos-release-gluster39 package is delivered via the CentOS Extras
repos. This contains all the metadata and dependency information needed
to install Gluster 3.9.

Note that the standard centos-release-gluster (virtual) package is
still available and points to the 3.8 version. This is intentional
because 3.8 is a Long-Term-Maintenance version and does not require
users to update the major version every couple of months. Some
deployments may need to install the centos-release-gluster package as
well as centos-release-gluster39 to fulfill dependencies (most recent
versions of oVirt possibly).

We have a quickstart guide specifically built around the packages that
are available; it makes for a good introduction to Gluster and will help
get you started in just a few simple steps. This quick start is available at
https://wiki.centos.org/SpecialInterestGroup/Storage/gluster-Quickstart

More details about the packages that the Gluster project provides in the
Storage SIG are available in the documentation:
https://wiki.centos.org/SpecialInterestGroup/Storage/Gluster

The centos-release-gluster* repositories offer additional packages that
enhance the usability of Gluster itself. Utilities and tools that were
working with previous versions of Gluster are expected to stay working
fine. If there are any problems, or requests for additional tools and
applications to be provided, just send us an email with your
suggestions. The current list of packages that are (or are planned to
become) available can be found here:
https://wiki.centos.org/SpecialInterestGroup/Storage/Gluster/Ecosystem-pkgs

We welcome all feedback, comments and contributions. You can get in
touch with the CentOS Storage SIG on the centos-devel mailing list
( https://lists.centos.org ) and with the Gluster developer and user
communities at https://www.gluster.org/mailman/listinfo . We are also
available on IRC at #gluster on irc.freenode.net, and on Twitter at
@gluster .

Cheers,
Niels de Vos
Storage SIG member & Gluster maintainer

Saturday, January 21, 2017

[CentOS-announce] CESA-2017:0180 Critical CentOS 7 java-1.8.0-openjdk Security Update

CentOS Errata and Security Advisory 2017:0180 Critical

Upstream details at : https://rhn.redhat.com/errata/RHSA-2017-0180.html

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

x86_64:
b002bc39803820082dabc431b991958f9397bc317248e981f77530cf8428c717 java-1.8.0-openjdk-1.8.0.121-0.b13.el7_3.i686.rpm
460180c36d7248c993ed1c7efd333fe7c9819dc9be1b12208ddd3071c140a55a java-1.8.0-openjdk-1.8.0.121-0.b13.el7_3.x86_64.rpm
e248153a1904ea792d4815c47960c5a73e59abc1c4cf5cec464bd453bc7762e6 java-1.8.0-openjdk-accessibility-1.8.0.121-0.b13.el7_3.x86_64.rpm
5d2c4f7cb529dcd1763a9ae648d447edbc5f07a01c54423a69cb0d140de0c6a6 java-1.8.0-openjdk-accessibility-debug-1.8.0.121-0.b13.el7_3.x86_64.rpm
ecba68f71f2cbcb197c41220b648694e847a0437d2b24499a65107dadcdb3510 java-1.8.0-openjdk-debug-1.8.0.121-0.b13.el7_3.i686.rpm
a87f43a746f505fc2827afa5ace424006850d07dc2647b79b534281898a5718f java-1.8.0-openjdk-debug-1.8.0.121-0.b13.el7_3.x86_64.rpm
39833c95afbc018e7a91c9a2476cb5055ca32fc2fcc6b60d79408e34b81f8ca1 java-1.8.0-openjdk-demo-1.8.0.121-0.b13.el7_3.x86_64.rpm
ca5a4add5dbd60bac513d89e7e915660d31d1b8c4ce7f273990a1f45f387a931 java-1.8.0-openjdk-demo-debug-1.8.0.121-0.b13.el7_3.x86_64.rpm
a0c638d96cbbcb3acea1b71f51adc571ff6a09c7c0c8d9cb519e654fce15cd07 java-1.8.0-openjdk-devel-1.8.0.121-0.b13.el7_3.i686.rpm
9e1bb8b701666ff38b321f8b7a152df363bf4f6ea0276f98bd540d151a901278 java-1.8.0-openjdk-devel-1.8.0.121-0.b13.el7_3.x86_64.rpm
b9122db5db773a07675bfd042aff7b248ec7f4cdc905b78ce43b2d8fde466b31 java-1.8.0-openjdk-devel-debug-1.8.0.121-0.b13.el7_3.i686.rpm
4acc1c716632d0dc135a0ca0ed2d8de29e5813d62c9ef579bd2783191f254850 java-1.8.0-openjdk-devel-debug-1.8.0.121-0.b13.el7_3.x86_64.rpm
8f92a775f9a1056256baf5b132cbf4a61d12e3db79ae4b33dd7c6da80cd0e82f java-1.8.0-openjdk-headless-1.8.0.121-0.b13.el7_3.i686.rpm
820b3b25e699f6dc0768fee7f8362ea5bf3770046dfdbdfc2d1e7bd6d56946f8 java-1.8.0-openjdk-headless-1.8.0.121-0.b13.el7_3.x86_64.rpm
e2e99c6977af60e940b6b6e74a35d744742a2a85cf9a2779c5f141375be2393d java-1.8.0-openjdk-headless-debug-1.8.0.121-0.b13.el7_3.i686.rpm
e47d2e31358e70ebc3b83f8f32b986df3c293b465ba46da4c91f05a7c1c8e8cf java-1.8.0-openjdk-headless-debug-1.8.0.121-0.b13.el7_3.x86_64.rpm
77c3b0a2194e7239009c8f68f136e7eeeb2ce4ed287a6d9c52ff01dfc3655718 java-1.8.0-openjdk-javadoc-1.8.0.121-0.b13.el7_3.noarch.rpm
f0b418e75b930fb391bbb05021d638e1569d83b85603c49267708adcef8777ed java-1.8.0-openjdk-javadoc-debug-1.8.0.121-0.b13.el7_3.noarch.rpm
d06e1bfe81fd73e1c143a5bc22d5ad881794acc186408ba142fefdc3128a151d java-1.8.0-openjdk-javadoc-zip-1.8.0.121-0.b13.el7_3.noarch.rpm
c68200d318c1b4c803e2b4822ba74963d955c737397e259f2c32c87127048b45 java-1.8.0-openjdk-javadoc-zip-debug-1.8.0.121-0.b13.el7_3.noarch.rpm
2d57cd90202ef0aa603585c9f5e2e9cba72e1c07aa324de697cc307dd4f17121 java-1.8.0-openjdk-src-1.8.0.121-0.b13.el7_3.x86_64.rpm
e99b31852e84ff9e81784d68a53204b4f6168f0fde26f209c0eb56c41755e6ae java-1.8.0-openjdk-src-debug-1.8.0.121-0.b13.el7_3.x86_64.rpm

Source:
6df0ee7bf1488263efafcc84765297e4b970ad8f1ca5291ae90f2d43536ec7f3 java-1.8.0-openjdk-1.8.0.121-0.b13.el7_3.src.rpm

--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS

_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
https://lists.centos.org/mailman/listinfo/centos-announce

[CentOS-announce] CESA-2017:0180 Critical CentOS 6 java-1.8.0-openjdk Security Update

CentOS Errata and Security Advisory 2017:0180 Critical

Upstream details at : https://rhn.redhat.com/errata/RHSA-2017-0180.html

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

i386:
e04f0af0db6bf5966115be1c780071d3c25c5bbb91b2293d561a6fa15d1631aa java-1.8.0-openjdk-1.8.0.121-0.b13.el6_8.i686.rpm
864d94e6e625bc5a1c1917d7daadb5cb18d23edbd83a959e81f3e933a96127cc java-1.8.0-openjdk-debug-1.8.0.121-0.b13.el6_8.i686.rpm
14a0f1360afffd36590ddafbc3c85c2070ab29441431a35f424d533d4689e42f java-1.8.0-openjdk-demo-1.8.0.121-0.b13.el6_8.i686.rpm
0b27c5e7c38290daf4b10a3afd8088c2b98d32018dafdbe11fb85cb401ac99a1 java-1.8.0-openjdk-demo-debug-1.8.0.121-0.b13.el6_8.i686.rpm
d7ec3be372b0b762035137aa79932ff4adba3113d15ddfc1728469c362d7bea6 java-1.8.0-openjdk-devel-1.8.0.121-0.b13.el6_8.i686.rpm
e93b86d265215f0f7eed95889f479881b26436934ea1dcf7bfbb896c37e1579c java-1.8.0-openjdk-devel-debug-1.8.0.121-0.b13.el6_8.i686.rpm
e7ec1b932abf317c54744e4053209ab525d129db5c4a55cf5aef2afaf894da3e java-1.8.0-openjdk-headless-1.8.0.121-0.b13.el6_8.i686.rpm
ac9e8aeec13ad539b2ce43dda728936102a6dcf3337ec002d5fec1b22cba32b8 java-1.8.0-openjdk-headless-debug-1.8.0.121-0.b13.el6_8.i686.rpm
ea03e4503f1d19fc9e07e4cf72abfe77cdca5a9fbf480f7361dbb474f750b724 java-1.8.0-openjdk-javadoc-1.8.0.121-0.b13.el6_8.noarch.rpm
d27d67a2828310000afcda45aece8be486a4d07a24917618e2bbb1fd383b31c2 java-1.8.0-openjdk-javadoc-debug-1.8.0.121-0.b13.el6_8.noarch.rpm
156ed32eaf641980040ea33925b5325d89c9eea3d67bfb27835d66aaae5d1c8a java-1.8.0-openjdk-src-1.8.0.121-0.b13.el6_8.i686.rpm
72056b3acfc35e1512d431d170bf0bfb3ec41e014d63a37d44a947a3dd566e63 java-1.8.0-openjdk-src-debug-1.8.0.121-0.b13.el6_8.i686.rpm

x86_64:
882720170cdd2b723de69104217ba3bfb6f9a88c1f42b4ab1f71d540974d7aca java-1.8.0-openjdk-1.8.0.121-0.b13.el6_8.x86_64.rpm
226b4196d0aeb6e69c68b79a25c761ff6a68002b8461d67eda8396c945fe7380 java-1.8.0-openjdk-debug-1.8.0.121-0.b13.el6_8.x86_64.rpm
25de4d1e1d3154aa6c96d23d2fe3e8c6b422ebd45e1d8d83f150f63b2b82bb2d java-1.8.0-openjdk-demo-1.8.0.121-0.b13.el6_8.x86_64.rpm
46839bfcaadc731258cf7f0434f0f9f4e3bc3ac869a60196b78f36dbfdd12602 java-1.8.0-openjdk-demo-debug-1.8.0.121-0.b13.el6_8.x86_64.rpm
d99419b905892f7a4682cb6727a41b9c4c4a033efa9e78216f6c134b6633ee3b java-1.8.0-openjdk-devel-1.8.0.121-0.b13.el6_8.x86_64.rpm
02f44a59db465a34b851188016ed34f4e7086b5626728e7b3937cb0ad802ba4f java-1.8.0-openjdk-devel-debug-1.8.0.121-0.b13.el6_8.x86_64.rpm
db7da24a1dd722fdcb576491fae25fe01c4ac85e19ffb039b0cd7aade82897de java-1.8.0-openjdk-headless-1.8.0.121-0.b13.el6_8.x86_64.rpm
4efccbc0830a05709ffa58a8d7124a52ef58e5c6ed57747fe5c63a0088ffdc4c java-1.8.0-openjdk-headless-debug-1.8.0.121-0.b13.el6_8.x86_64.rpm
ea03e4503f1d19fc9e07e4cf72abfe77cdca5a9fbf480f7361dbb474f750b724 java-1.8.0-openjdk-javadoc-1.8.0.121-0.b13.el6_8.noarch.rpm
d27d67a2828310000afcda45aece8be486a4d07a24917618e2bbb1fd383b31c2 java-1.8.0-openjdk-javadoc-debug-1.8.0.121-0.b13.el6_8.noarch.rpm
50f40ffa84e6f61c9e8de385618530246b14db4080b20efb43ae38aa3e52ac39 java-1.8.0-openjdk-src-1.8.0.121-0.b13.el6_8.x86_64.rpm
b20148d489829fd3236174b32d6057a1d6b3a77cfaccd261825c68ca1952e73e java-1.8.0-openjdk-src-debug-1.8.0.121-0.b13.el6_8.x86_64.rpm

Source:
893dd0e503edfbf2bbf0018a0c019bf55d9259a8aef8f3a768832870f7678673 java-1.8.0-openjdk-1.8.0.121-0.b13.el6_8.src.rpm

--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS
