Friday, April 28, 2017

Ubuntu 12.04 (Precise Pangolin) End of Life reached on April 28, 2017

This is a follow-up to the End of Life warning sent last month to
confirm that as of today (April 28, 2017), Ubuntu 12.04 is no longer
generally supported. No more package updates will be accepted to
the 12.04 primary archive, and it will be copied for archival to
old-releases.ubuntu.com in the coming weeks.

However, we will again remind you that for customers who can't upgrade
immediately, Canonical is offering Extended Security Support for Ubuntu
Advantage customers, more info about which can be found here:

* https://ubuntu.com/esm

The original End of Life warning follows, with upgrade instructions:

Ubuntu announced its 12.04 (Precise Pangolin) release almost 5 years ago,
on April 26, 2012. As with the earlier LTS releases, Ubuntu committed
to ongoing security and critical fixes for a period of 5 years. The
support period is now nearing its end and Ubuntu 12.04 will reach end
of life on Friday, April 28th. At that time, Ubuntu Security Notices
will no longer include information or updated packages for Ubuntu 12.04.

The supported upgrade path from Ubuntu 12.04 is via Ubuntu 14.04.
Users are encouraged to evaluate and upgrade to our latest 16.04 LTS
release via 14.04. Instructions and caveats for the upgrades may be
found at https://help.ubuntu.com/community/TrustyUpgrades and
https://help.ubuntu.com/community/XenialUpgrades. Ubuntu 14.04 and
16.04 continue to be actively supported with security updates and
select high-impact bug fixes. All announcements of official security
updates for Ubuntu releases are sent to the ubuntu-security-announce
mailing list, information about which may be found at:

https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

For users who can't upgrade immediately, Canonical has just announced
an extended support package for Ubuntu Advantage customers, which will
keep delivering security updates while you evaluate your upgrades to
newer releases. The announcement, with details about how and where to
purchase extended support, can be found at:

https://lists.ubuntu.com/archives/ubuntu-announce/2017-March/000217.html

Since its launch in October 2004 Ubuntu has become one of the most
highly regarded Linux distributions with millions of users in homes,
schools, businesses and governments around the world. Ubuntu is Open
Source software, costs nothing to download, and users are free to
customise or alter their software in order to meet their needs.

On behalf of the Ubuntu Release Team,

Adam Conrad


Alternative Arch update

Hi All,

Just letting you all know that as part of the redefinition of
Alternative Architectures[1] we have just enabled the building of s390x
in primary koji. This is the last new architecture we are planning to
enable at this point. s390x will be added to rawhide composes early
next week. If you have any questions or experience any issues and want
releng to provide assistance, please contact us by one of the
documented channels[2].

With the import being done now, it has been decided that s390x is too
late for Fedora 26; as such it will be built and shipped from
s390.koji.fedoraproject.org. In the Fedora 26 cycle we brought in
aarch64, ppc64 and ppc64le to primary koji. This means that the arm and
ppc koji's will be used for updates until Fedora 25 goes End of Life
and will be shut down at that point. The s390 koji will live on until
Fedora 26 goes EOL.

Regards

Dennis


[1] https://fedoraproject.org/wiki/Architectures/RedefiningSecondaryArchitectures
[2] https://docs.pagure.org/releng/

[USN-3272-1] Ghostscript vulnerabilities

==========================================================================
Ubuntu Security Notice USN-3272-1
April 28, 2017

ghostscript vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 17.04
- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS

Summary:

Several security issues were fixed in Ghostscript.

Software Description:
- ghostscript: PostScript and PDF interpreter

Details:

It was discovered that Ghostscript improperly handled parameters to
the rsdparams and eqproc commands. An attacker could use these to
craft a malicious document that could disable -dSAFER protections,
thereby allowing the execution of arbitrary code, or cause a denial
of service (application crash). (CVE-2017-8291)

Kamil Frankowicz discovered a use-after-free vulnerability in the
color management module of Ghostscript. An attacker could use this
to cause a denial of service (application crash). (CVE-2016-10217)

Kamil Frankowicz discovered a divide-by-zero error in the scan
conversion code in Ghostscript. An attacker could use this to cause
a denial of service (application crash). (CVE-2016-10219)

Kamil Frankowicz discovered multiple NULL pointer dereference errors in
Ghostscript. An attacker could use these to cause a denial of service
(application crash). (CVE-2016-10220, CVE-2017-5951, CVE-2017-7207)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 17.04:
ghostscript 9.19~dfsg+1-0ubuntu7.2
ghostscript-x 9.19~dfsg+1-0ubuntu7.2
libgs9 9.19~dfsg+1-0ubuntu7.2
libgs9-common 9.19~dfsg+1-0ubuntu7.2

Ubuntu 16.10:
ghostscript 9.19~dfsg+1-0ubuntu6.4
ghostscript-x 9.19~dfsg+1-0ubuntu6.4
libgs9 9.19~dfsg+1-0ubuntu6.4
libgs9-common 9.19~dfsg+1-0ubuntu6.4

Ubuntu 16.04 LTS:
ghostscript 9.18~dfsg~0-0ubuntu2.4
ghostscript-x 9.18~dfsg~0-0ubuntu2.4
libgs9 9.18~dfsg~0-0ubuntu2.4
libgs9-common 9.18~dfsg~0-0ubuntu2.4

Ubuntu 14.04 LTS:
ghostscript 9.10~dfsg-0ubuntu10.7
ghostscript-x 9.10~dfsg-0ubuntu10.7
libgs9 9.10~dfsg-0ubuntu10.7
libgs9-common 9.10~dfsg-0ubuntu10.7

Ubuntu 12.04 LTS:
ghostscript 9.05~dfsg-0ubuntu4.5
ghostscript-x 9.05~dfsg-0ubuntu4.5
libgs9 9.05~dfsg-0ubuntu4.5
libgs9-common 9.05~dfsg-0ubuntu4.5

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-3272-1
CVE-2016-10217, CVE-2016-10219, CVE-2016-10220, CVE-2017-5951,
CVE-2017-7207, CVE-2017-8291

Package Information:
https://launchpad.net/ubuntu/+source/ghostscript/9.19~dfsg+1-0ubuntu7.2
https://launchpad.net/ubuntu/+source/ghostscript/9.19~dfsg+1-0ubuntu6.4
https://launchpad.net/ubuntu/+source/ghostscript/9.18~dfsg~0-0ubuntu2.4
https://launchpad.net/ubuntu/+source/ghostscript/9.10~dfsg-0ubuntu10.7
https://launchpad.net/ubuntu/+source/ghostscript/9.05~dfsg-0ubuntu4.5

[USN-3271-1] Libxslt vulnerabilities

==========================================================================
Ubuntu Security Notice USN-3271-1
April 28, 2017

libxslt vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 17.04
- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS

Summary:

Several security issues were fixed in Libxslt.

Software Description:
- libxslt: XSLT processing library

Details:

Holger Fuhrmannek discovered an integer overflow in the
xsltAddTextString() function in Libxslt. An attacker could use
this to craft a malicious document that, when opened, could cause a
denial of service (application crash) or possibly execute arbitrary
code. (CVE-2017-5029)

Nicolas Gregoire discovered that Libxslt mishandled namespace
nodes. An attacker could use this to craft a malicious document that,
when opened, could cause a denial of service (application crash)
or possibly execute arbitrary code. This issue only affected Ubuntu
16.04 LTS, Ubuntu 14.04 LTS, and Ubuntu 12.04 LTS. (CVE-2016-1683)

Sebastian Apelt discovered that a use-after-error existed in the
xsltDocumentFunctionLoadDocument() function in Libxslt. An attacker
could use this to craft a malicious document that, when opened,
could cause a denial of service (application crash) or possibly
execute arbitrary code. This issue only affected Ubuntu 16.04 LTS,
Ubuntu 14.04 LTS, and Ubuntu 12.04 LTS. (CVE-2016-1841)

It was discovered that a type confusion error existed in the
xsltStylePreCompute() function in Libxslt. An attacker could use this
to craft a malicious XML file that, when opened, caused a denial of
service (application crash). This issue only affected Ubuntu 14.04
LTS and Ubuntu 12.04 LTS. (CVE-2015-7995)

Nicolas Gregoire discovered that Libxslt mishandled the 'i' and 'a'
format tokens for xsl:number data. An attacker could use this to
craft a malicious document that, when opened, could cause a denial of
service (application crash). This issue only affected Ubuntu 16.04 LTS,
Ubuntu 14.04 LTS, and Ubuntu 12.04 LTS. (CVE-2016-1684)

It was discovered that the xsltFormatNumberConversion() function
in Libxslt did not properly handle empty decimal separators. An
attacker could use this to craft a malicious document that, when
opened, could cause a denial of service (application crash). This
issue only affected Ubuntu 16.10, Ubuntu 16.04 LTS, Ubuntu 14.04 LTS,
and Ubuntu 12.04 LTS. (CVE-2016-4738)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 17.04:
libxslt1.1 1.1.29-2ubuntu0.1

Ubuntu 16.10:
libxslt1.1 1.1.29-1ubuntu0.1

Ubuntu 16.04 LTS:
libxslt1.1 1.1.28-2.1ubuntu0.1

Ubuntu 14.04 LTS:
libxslt1.1 1.1.28-2ubuntu0.1

Ubuntu 12.04 LTS:
libxslt1.1 1.1.26-8ubuntu1.4

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-3271-1
CVE-2015-7995, CVE-2016-1683, CVE-2016-1684, CVE-2016-1841,
CVE-2016-4738, CVE-2017-5029

Package Information:
https://launchpad.net/ubuntu/+source/libxslt/1.1.29-2ubuntu0.1
https://launchpad.net/ubuntu/+source/libxslt/1.1.29-1ubuntu0.1
https://launchpad.net/ubuntu/+source/libxslt/1.1.28-2.1ubuntu0.1
https://launchpad.net/ubuntu/+source/libxslt/1.1.28-2ubuntu0.1
https://launchpad.net/ubuntu/+source/libxslt/1.1.26-8ubuntu1.4

Thursday, April 27, 2017

[USN-3270-1] NSS vulnerabilities

==========================================================================
Ubuntu Security Notice USN-3270-1
April 27, 2017

nss vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 17.04
- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in NSS.

Software Description:
- nss: Network Security Service library

Details:

Karthik Bhargavan and Gaetan Leurent discovered that the DES and Triple DES
ciphers were vulnerable to birthday attacks. A remote attacker could
possibly use this flaw to obtain clear text data from long encrypted
sessions. This update causes NSS to limit use of the same symmetric key.
(CVE-2016-2183)

It was discovered that NSS incorrectly handled Base64 decoding. A remote
attacker could use this flaw to cause NSS to crash, resulting in a denial
of service, or possibly execute arbitrary code. (CVE-2017-5461)

This update refreshes the NSS package to version 3.28.4 which includes
the latest CA certificate bundle.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 17.04:
libnss3 2:3.28.4-0ubuntu0.17.04.1

Ubuntu 16.10:
libnss3 2:3.28.4-0ubuntu0.16.10.1

Ubuntu 16.04 LTS:
libnss3 2:3.28.4-0ubuntu0.16.04.1

Ubuntu 14.04 LTS:
libnss3 2:3.28.4-0ubuntu0.14.04.1

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any applications
that use NSS, such as Evolution and Chromium, to make all the necessary
changes.

References:
http://www.ubuntu.com/usn/usn-3270-1
CVE-2016-2183, CVE-2017-5461

Package Information:
https://launchpad.net/ubuntu/+source/nss/2:3.28.4-0ubuntu0.17.04.1
https://launchpad.net/ubuntu/+source/nss/2:3.28.4-0ubuntu0.16.10.1
https://launchpad.net/ubuntu/+source/nss/2:3.28.4-0ubuntu0.16.04.1
https://launchpad.net/ubuntu/+source/nss/2:3.28.4-0ubuntu0.14.04.1
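
Added example (not part of the Ubuntu notices above): a Python check of installed package versions against the fixed versions listed under "Update instructions" in the Ghostscript and NSS notices. It implements Debian version ordering so that the `~dfsg` suffix and the `2:` epoch compare correctly; the function names and the installed versions are constructed for illustration.

```python
import re

RELEASE_RE = re.compile(r"^Ubuntu (\d+\.\d+(?: LTS)?):$")
PACKAGE_RE = re.compile(r"^(\S+) (\S+)$")

# Excerpt of the "Update instructions" blocks of USN-3272-1 and USN-3270-1.
SAMPLE_NOTICES = """\
Update instructions:

Ubuntu 16.04 LTS:
ghostscript 9.18~dfsg~0-0ubuntu2.4
libgs9 9.18~dfsg~0-0ubuntu2.4

Ubuntu 14.04 LTS:
ghostscript 9.10~dfsg-0ubuntu10.7
libgs9 9.10~dfsg-0ubuntu10.7

In general, a standard system update will make all the necessary changes.

Ubuntu 16.04 LTS:
libnss3 2:3.28.4-0ubuntu0.16.04.1

Ubuntu 14.04 LTS:
libnss3 2:3.28.4-0ubuntu0.14.04.1
"""

# Constructed inventory of one 16.04 host; on a real system this could be
# collected with: dpkg-query -W -f='${Package} ${Version}\n'
SAMPLE_INSTALLED = {
    "ghostscript": "9.18~dfsg~0-0ubuntu2.3",   # constructed, one revision behind
    "libgs9": "9.18~dfsg~0-0ubuntu2.4",        # already at the fixed version
    "libnss3": "2:3.23-0ubuntu0.16.04.1",      # constructed older upstream
}

def _is_digit(ch):
    return "0" <= ch <= "9"

def _order(ch):
    """Sort weight of one character inside a non-digit run."""
    if _is_digit(ch):
        return 0
    if ch == "~":
        return -1              # '~' sorts before everything, even end of string
    if ch.isascii() and ch.isalpha():
        return ord(ch)         # letters sort before other symbols
    return ord(ch) + 256

def _cmp_fragment(a, b):
    """Compare two upstream or revision strings: alternate text and number runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not _is_digit(a[i])) or (j < len(b) and not _is_digit(b[j])):
            wa = _order(a[i]) if i < len(a) else 0
            wb = _order(b[j]) if j < len(b) else 0
            if wa != wb:
                return -1 if wa < wb else 1
            i += 1
            j += 1
        si, sj = i, j
        while i < len(a) and _is_digit(a[i]):
            i += 1
        while j < len(b) and _is_digit(b[j]):
            j += 1
        na, nb = int(a[si:i] or 0), int(b[sj:j] or 0)
        if na != nb:
            return -1 if na < nb else 1
    return 0

def split_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, colon, rest = version.partition(":")
    if not colon:
        epoch, rest = "0", version
    upstream, dash, revision = rest.rpartition("-")
    if not dash:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """Return -1, 0 or 1 as version a is older than, equal to or newer than b."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def parse_fixed_versions(notice):
    """Map release -> {package: fixed version} from 'Update instructions' text."""
    fixed, current = {}, None
    for raw in notice.splitlines():
        line = raw.strip()
        release = RELEASE_RE.match(line)
        package = PACKAGE_RE.match(line)
        if release:
            current = fixed.setdefault(release.group(1), {})
        elif not line:
            continue
        elif current is not None and package:
            current[package.group(1)] = package.group(2)
        else:
            current = None     # any other text ends the package list
    return fixed

def find_unpatched(notice, release, installed):
    """List (package, installed, fixed) for packages older than the fix."""
    findings = []
    for package, fixed in sorted(parse_fixed_versions(notice).get(release, {}).items()):
        have = installed.get(package)
        if have is not None and compare_versions(have, fixed) < 0:
            findings.append((package, have, fixed))
    return findings

if __name__ == "__main__":
    for package, have, fixed in find_unpatched(SAMPLE_NOTICES, "16.04 LTS", SAMPLE_INSTALLED):
        print(f"{package}: installed {have}, fixed in {fixed}")
```
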

Announcing Bugzilla 5 Public Beta!

Hello All,


We are pleased to announce Red Hat's Bugzilla 5 beta [1]! We're inviting all of you to participate.


We encourage you to test your current scripts against this new version and take part in the beta discussions on the Fedora development list [2]. Partners and customers may also use their existing communications channels to share feedback or questions. We ask that you provide feedback or questions by Wednesday, May 17th.


Here is a short list of some of the changes in Bugzilla 5:


  • Major improvements in the WebServices interface, including a new REST-like endpoint, allowing clients to access data using standard HTTP calls for easy development.

  • The UI has been significantly overhauled for a modern browsing experience.

  • Performance improvements, including caching improvements to allow faster access to certain types of data.

  • Red Hat Associates, Customers and Fedora Account System users can now log in using SAML.

  • The addition of some of the Bayoteers extensions allowing features such as inline editing of bugs in search results, team management and scrum tools, etc.

  • Ye Olde diff viewer has been replaced with the modern diff2html diff viewer

  • Improved, updated documentation including a rewrite using the reStructuredText format, which allows documentation to be more easily converted into different formats such as HTML and PDF, etc


The official release date for Bugzilla 5 will be determined based on the beta feedback. We will communicate to you as the beta progresses.


For more information refer to:


https://beta-bugzilla.redhat.com/page.cgi?id=whats-new.html

https://beta-bugzilla.redhat.com/page.cgi?id=release-notes.html

https://beta-bugzilla.redhat.com/page.cgi?id=faq.html

https://beta-bugzilla.redhat.com/docs/en/html/using/index.html

https://beta-bugzilla.redhat.com/docs/en/html/api/index.html


Cheers, the Red Hat Bugzilla team.


1: https://beta-bugzilla.redhat.com/

2: https://lists.fedoraproject.org/archives/list/devel%40lists.fedoraproject.org/

[USN-3269-1] MySQL vulnerabilities

==========================================================================
Ubuntu Security Notice USN-3269-1
April 27, 2017

mysql-5.5, mysql-5.7 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 17.04
- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in MySQL.

Software Description:
- mysql-5.7: MySQL database
- mysql-5.5: MySQL database

Details:

Multiple security issues were discovered in MySQL and this update includes
new upstream MySQL versions to fix these issues.

MySQL has been updated to 5.5.55 in Ubuntu 14.04 LTS. Ubuntu 16.04 LTS,
Ubuntu 16.10 and Ubuntu 17.04 have been updated to MySQL 5.7.18.

In addition to security fixes, the updated packages contain bug fixes,
new features, and possibly incompatible changes.

Please see the following for more information:
http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-55.html
http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-18.html
http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 17.04:
mysql-server-5.7 5.7.18-0ubuntu0.17.04.1

Ubuntu 16.10:
mysql-server-5.7 5.7.18-0ubuntu0.16.10.1

Ubuntu 16.04 LTS:
mysql-server-5.7 5.7.18-0ubuntu0.16.04.1

Ubuntu 14.04 LTS:
mysql-server-5.5 5.5.55-0ubuntu0.14.04.1

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-3269-1
CVE-2017-3302, CVE-2017-3305, CVE-2017-3308, CVE-2017-3309,
CVE-2017-3329, CVE-2017-3331, CVE-2017-3450, CVE-2017-3453,
CVE-2017-3454, CVE-2017-3455, CVE-2017-3456, CVE-2017-3457,
CVE-2017-3458, CVE-2017-3459, CVE-2017-3460, CVE-2017-3461,
CVE-2017-3462, CVE-2017-3463, CVE-2017-3464, CVE-2017-3465,
CVE-2017-3467, CVE-2017-3468, CVE-2017-3599, CVE-2017-3600

Package Information:
https://launchpad.net/ubuntu/+source/mysql-5.7/5.7.18-0ubuntu0.17.04.1
https://launchpad.net/ubuntu/+source/mysql-5.7/5.7.18-0ubuntu0.16.10.1
https://launchpad.net/ubuntu/+source/mysql-5.7/5.7.18-0ubuntu0.16.04.1
https://launchpad.net/ubuntu/+source/mysql-5.5/5.5.55-0ubuntu0.14.04.1

[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-17:04.ipfilter

=============================================================================
FreeBSD-SA-17:04.ipfilter Security Advisory
The FreeBSD Project

Topic: ipfilter(4) fragment handling panic

Category: contrib
Module: ipfilter
Announced: 2017-04-27
Credits: Cy Schubert
Affects: All supported versions of FreeBSD.
Corrected: 2017-04-21 01:51:49 UTC (stable/11, 11.0-STABLE)
           2017-04-27 06:52:30 UTC (releng/11.0, 11.0-RELEASE-p10)
           2017-04-21 01:51:49 UTC (stable/10, 10.3-STABLE)
           2017-04-27 06:52:30 UTC (releng/10.3, 10.3-RELEASE-p19)
CVE Name: CVE-2017-1081

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I. Background

IP Filter, also known as ipfilter(4), is a cross-platform, open source packet
filter (firewall) originally written for BSD operating systems, including
FreeBSD, NetBSD, and OpenBSD, and for Solaris. ipfilter(4) is one of three
firewalls included in FreeBSD (the others being ipfw(4) and pf(4)). It
performs firewall and NAT functions using the pfil(9) framework as do the
other firewalls in FreeBSD in the kernel.

II. Problem Description

ipfilter(4), capable of stateful packet inspection, using the "keep state"
or "keep frags" rule options, will not only maintain the state of
connections, such as TCP streams or UDP communication, it also maintains
the state of fragmented packets. When packet fragments are received they
are cached in a hash table (and linked list). When a fragment is received it
is compared with fragments already cached in the hash table for a match. If
it does not match the new entry is used to create a new entry in the hash
table. If on the other hand it does match, unfortunately the wrong entry is
freed, the entry in the hash table. This results in use after free panic
(and for a brief moment prior to the panic a memory leak due to the wrong
entry being freed).

III. Impact

Carefully feeding fragments that are allowed to pass by an ipfilter(4)
firewall can be used to cause a panic followed by reboot loop denial of
service attack.

IV. Workaround

No workaround is available, but systems not using ipfilter(4) are not
vulnerable. A default installation doesn't enable ipfilter(4).
ipfilter(4) configurations not using "keep state" or "keep frags" are not
vulnerable. Users may be able to temporarily replace stateful inspection
with stateless rules however this is not as secure as stateful inspection.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Reload the ipl.ko kernel module or reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Reload the ipl.ko kernel module or reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-17:04/ipfilter.patch
# fetch https://security.FreeBSD.org/patches/SA-17:04/ipfilter.patch.asc
# gpg --verify ipfilter.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system or reload the ipl.ko kernel module.

VI. Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/10/                                                        r317241
releng/10.3/                                                      r317487
stable/11/                                                        r317241
releng/11.0/                                                      r317487
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1081>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-17:04.ipfilter.asc>

Wednesday, April 26, 2017

Planned outage: koji database - 2017-04-27 00:00

We will be rebooting the koji database server in order to add more
virtual cpus to it.

This outage should be just a minute or two and should not hopefully
affect in progress builds.

Sorry for the short notice of this outage, but we wanted to improve koji
performance and this is an easy way to quickly do so.

See: https://pagure.io/fedora-infrastructure/issue/6015
or #fedora-admin on irc.freenode.net for any questions or comments.

kevin

Tuesday, April 25, 2017

OpenVPN, OpenSSL and Fedora 26+

Hi,

This is actually just a very late heads-up about challenges with OpenVPN
in Fedora 26.

Fedora is moving towards OpenSSL v1.1, which is in my opinion a sane and
good step forward. Unfortunately, that gives OpenVPN a real challenge.
The OpenSSL v1.1 support is not completed. Patches have been sent to
the upstream devel mailing list for review, but only half of them have
been processed and applied so far.

So, to be able to provide OpenVPN in Fedora 26 it was decided to switch
to mbed TLS instead of OpenSSL (which OpenVPN also supports). That has
revealed several issues:

- mbed TLS 2.3+ does by default not support certificate hashes
  "older" than SHA1. And RSA keys must be 2048 bits or more.
  This has been fixed by a couple of additional patches on top
  of the upstream OpenVPN code base. It supports now RSA keys
  of 1024 bits or more. In addition for OpenSSL support of the
  OPENSSL_ENABLE_MD5_VERIFY, a quirk has been added to also enable
  MD5 support if that environment variable has been set.

- mbed TLS build in Fedora lacked PKCS#11 support. This has
  been resolved. But there are concerns how well this plays along
  with another dependency OpenVPN has, pkcs11-helper. This is being
  investigated and tested. Feel free to help out on bz #1432152 if
  you depend on PKCS#11/Smart Card functionality. Your feedback is
  valuable!

- mbed TLS completely lacks support for PKCS#12 files.

Now, there is kind of an alternative by using compat-openssl-10. But
that does not play well with pkcs11-helper; which is compiled against
OpenSSL v1.1.

Currently the plan is to stay with mbed TLS support until PKCS#11
support is fully confirmed working or not working at all. If not
working, we can at least move to compat-openssl10 without PKCS#11
support, which enables PKCS#12 support again. If PKCS#11 support works
with mbed TLS, then we will stay on mbed TLS for now as I value that
support more important than PKCS#12.

Once OpenVPN has released a version with full OpenSSL v1.1 support (or
at least has all the needed patches reviewed and applied to their
upstream git repos), then I will switch back to the default openssl
package again.

This is far from ideal. But I do consider this the best compromise than
not having an OpenVPN package in Fedora 26 at all.

For those of you having PKCS#12 files, there is a kind of workaround
where you can split up that file into CA, Certificate and Private Key
PEM files - which OpenVPN can use directly.

$ openssl pkcs12 -nokeys -cacerts -in "$PKCS12FILE" > ca-cert.pem
$ openssl pkcs12 -nokeys -clcerts -in "$PKCS12FILE" > cert.pem
$ openssl pkcs12 -nocerts -nodes -in "$PKCS12FILE" > private-key.pem

If switching from '-nodes' with for example '-aes256' on the last line,
the private key will be encrypted and password protected; similar to
what your PKCS#12 files may already use today.


I am sorry for not having sent this heads-up earlier. I took over
package maintenance mid-March, and I've taken this package through a
very much needed overhaul to align the packaging with improvements in
the upstream packaging. The previous maintainers have done a good job
keeping this package alive, but the gap against upstream began to be a
bit too big. There are still a few things which need to be ironed out.
But once the mbed TLS/OpenSSL issue and a few other more minor issues
get resolved, I'd say we're pretty much in a reasonable shape.

If you have questions, issues or comments ... feel free to reach out!


--
kind regards,

David Sommerseth

Shutting down public FTP services

------------------------------------------------------------------------
The Debian Project https://www.debian.org/
Shutting down public FTP services press@debian.org
April 25th, 2017 https://www.debian.org/News/2017/20170425
------------------------------------------------------------------------


After many years of serving the needs of our users, and some more of
declining usage in favor of better options, all public-facing debian.org
FTP services will be shut down on November 1, 2017. These are:

* ftp://ftp.debian.org
* ftp://security.debian.org

This decision is driven by the following considerations:

* FTP servers have no support for caching or acceleration.
* Most software implementations have stagnated and are awkward to use
  and configure.
* Usage of the FTP servers is pretty low as our own installer has not
  offered FTP as a way to access mirrors for over ten years.
* The protocol is inefficient and requires adding awkward kludges to
  firewalls and load-balancing daemons.


Information for users
---------------------

The DNS names ftp.debian.org and ftp.<CC>.debian.org will remain the
same. The mirrors should just be accessed using HTTP instead:

* http://ftp.debian.org
* http://security.debian.org


Information for developers
--------------------------

Our developer services will not be affected. These are the upload queues
for both the main and the security archive:

* ftp://ftp.upload.debian.org
* ftp://security-master.debian.org


About Debian
------------

The Debian Project is an association of Free Software developers who
volunteer their time and effort in order to produce the completely free
operating system Debian.


Contact Information
-------------------

For further information, please visit the Debian web pages at
https://www.debian.org/, send mail to <press@debian.org>, or contact the
mirror team at their public mailing list
<debian-mirrors@lists.debian.org>.

[USN-3268-1] QEMU vulnerabilities

==========================================================================
Ubuntu Security Notice USN-3268-1
April 25, 2017

qemu vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 17.04

Summary:

Several security issues were fixed in QEMU.

Software Description:
- qemu: Machine emulator and virtualizer

Details:

Zhenhao Hong discovered that QEMU incorrectly handled the Virtio GPU
device. An attacker inside the guest could use this issue to cause QEMU to
crash, resulting in a denial of service. (CVE-2016-10028)

It was discovered that QEMU incorrectly handled the JAZZ RC4030 device. A
privileged attacker inside the guest could use this issue to cause QEMU to
crash, resulting in a denial of service. (CVE-2016-8667)

Jann Horn discovered that QEMU incorrectly handled VirtFS directory
sharing. A privileged attacker inside the guest could use this issue to
access files on the host file system outside of the shared directory and
possibly escalate their privileges. In the default installation, when QEMU
is used with libvirt, attackers would be isolated by the libvirt AppArmor
profile. (CVE-2016-9602)

Gerd Hoffmann discovered that QEMU incorrectly handled the Cirrus VGA
device when being used with a VNC connection. A privileged attacker inside
the guest could use this issue to cause QEMU to crash, resulting in a
denial of service, or possibly execute arbitrary code on the host. In the
default installation, when QEMU is used with libvirt, attackers would be
isolated by the libvirt AppArmor profile. (CVE-2016-9603)

Li Qiang discovered that QEMU incorrectly handled the Virtio GPU device. An
attacker inside the guest could use this issue to cause QEMU to leak
contents of host memory. (CVE-2016-9908)

Li Qiang discovered that QEMU incorrectly handled the Virtio GPU device. An
attacker inside the guest could use this issue to cause QEMU to crash,
resulting in a denial of service. (CVE-2016-9912, CVE-2017-5552,
CVE-2017-5578)

Li Qiang discovered that QEMU incorrectly handled VirtFS directory sharing.
A privileged attacker inside the guest could use this issue to cause QEMU
to crash, resulting in a denial of service. (CVE-2016-9914)

Jiang Xin and Wjjzhang discovered that QEMU incorrectly handled SDHCI
device emulation. A privileged attacker inside the guest could use this
issue to cause QEMU to crash, resulting in a denial of service.
(CVE-2017-5987)

Li Qiang discovered that QEMU incorrectly handled USB OHCI controller
emulation. A privileged attacker inside the guest could use this issue to
cause QEMU to hang, resulting in a denial of service. (CVE-2017-6505)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 17.04:
qemu-system 1:2.8+dfsg-3ubuntu2.1
qemu-system-aarch64 1:2.8+dfsg-3ubuntu2.1
qemu-system-arm 1:2.8+dfsg-3ubuntu2.1
qemu-system-mips 1:2.8+dfsg-3ubuntu2.1
qemu-system-misc 1:2.8+dfsg-3ubuntu2.1
qemu-system-ppc 1:2.8+dfsg-3ubuntu2.1
qemu-system-s390x 1:2.8+dfsg-3ubuntu2.1
qemu-system-sparc 1:2.8+dfsg-3ubuntu2.1
qemu-system-x86 1:2.8+dfsg-3ubuntu2.1

After a standard system update you need to restart all QEMU virtual
machines to make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-3268-1
CVE-2016-10028, CVE-2016-8667, CVE-2016-9602, CVE-2016-9603,
CVE-2016-9908, CVE-2016-9912, CVE-2016-9914, CVE-2017-5552,
CVE-2017-5578, CVE-2017-5987, CVE-2017-6505

Package Information:
https://launchpad.net/ubuntu/+source/qemu/1:2.8+dfsg-3ubuntu2.1

[USN-3267-1] Samba vulnerability

==========================================================================
Ubuntu Security Notice USN-3267-1
April 25, 2017

samba vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 17.04

Summary:

Samba could be made to expose sensitive information over the network.

Software Description:
- samba: SMB/CIFS file, print, and login server for Unix

Details:

Jann Horn discovered that Samba incorrectly handled symlinks. An
authenticated remote attacker could use this issue to access files on the
server outside of the exported directories.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 17.04:
samba 2:4.5.8+dfsg-0ubuntu0.17.04.1

This update uses a new upstream release, which includes additional bug
fixes. In general, a standard system update will make all the necessary
changes.

References:
http://www.ubuntu.com/usn/usn-3267-1
CVE-2017-2619

Package Information:
https://launchpad.net/ubuntu/+source/samba/2:4.5.8+dfsg-0ubuntu0.17.04.1

Monday, April 24, 2017

openQA test results for critpath updates now shown in Bodhi

Hi folks! I thought this was worth sending out an announcement about so
as many packagers and testers as possible are aware of it.

With the rollout of Bodhi 2.6.0 to production today, openQA test
results for critpath updates now appear in the Bodhi webUI! Click the
'Automated Tests' tab on any critical path update (from the last two
months or so) and you should see, as well as the 'dist.*' tests you're
probably familiar with that are run by Taskotron, results for several
'update.*' tests. These are the openQA test results.

Clicking any result will take you to the openQA webUI page for that
job. If you're investigating a failure, look for thumbnails with a
*red* border. Usually, the first one of these will be the attempted
image match or console command that did not give the expected result.

If you can't understand a failure, please do come ask on test@ or in
#fedora-qa. garretraziel (Jan Sedlak) and I should be able to
explain.

This isn't a perfect test system, yet; there have been and will
continue to be 'false' failures, where something goes wrong in the test
process itself or the test just hits some transient bug that isn't
actually caused by the update. Because of this, we wrote an openQA
plugin that automatically retries all failed update tests one time, but
sometimes we get unlucky and a false failure happens again on the
retry.

This is quite common for Fedora 26 updates; there seem to be several of
these transient bugs in F26 at present, meaning sometimes the test VM
just doesn't boot successfully, sometimes GNOME crashes, and so on. If
you see a 'red' screenshot which is just a partially-completed
bootsplash screen, or the GDM login screen, this may be what happened.

Notably, *any* failure before the _advisory_update step cannot possibly
be a bug in the update, as nothing from the update is actually
installed until near the end of that step.

It's not currently possible for anyone but openQA admins to re-run
individual tests. You can cause *all* the openQA tests for your update
to be re-run by editing the update in any way (*any* edit event
triggers a re-run of the tests, not just changes to the update's
package manifest), but please be a bit sparing with this, as openQA
doesn't have unlimited capacity. For now you can, again, ask Jan or me
to re-run a single test if you'd like this. We will endeavour to set up
some kind of re-run request system in future.

Just like the taskotron results, at present these results are entirely
advisory. They do not have any effect on whether or when you can push
your update stable. But we set up this system to help out packagers, so
I hope you'll find it useful to keep an eye on the results and take a
look at any failures to see if they may indicate a bug in the update.
Once again, please do ask for any help you need in interpreting or
understanding the results. And please do send any suggestions, comments
or complaints our way!

And just to be clear, these tests are currently run only on *critical
path* updates. If your update does not include a critical path package,
the tests will not be run. I'm thinking of implementing some sort of
'whitelist' system for listing or otherwise marking non-critpath
packages for which we want to run some or all of the tests; for
instance, it would make a lot of sense to run the FreeIPA tests for any
package in the FreeIPA stack. But that's not implemented yet. We don't
just run the tests on *all* updates because we simply don't have the
capacity to do so at present.

I have written a blog post about this, with some more information,
including a brief explanation of what the current set of update tests
covers, here:

https://www.happyassassin.net/2017/04/24/automated-critical-path-update-functional-testing-for-fedora/
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net
http://www.happyassassin.net

[USN-3266-1] Linux kernel vulnerability

==========================================================================
Ubuntu Security Notice USN-3266-1
April 25, 2017

linux, linux-raspi2 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.10

Summary:

The system could be made to crash under certain conditions.

Software Description:
- linux: Linux kernel
- linux-raspi2: Linux kernel for Raspberry Pi 2

Details:

Alexander Popov discovered that a race condition existed in the Stream
Control Transmission Protocol (SCTP) implementation in the Linux kernel. A
local attacker could use this to cause a denial of service (system crash).

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.10:
linux-image-4.8.0-1035-raspi2 4.8.0-1035.38
linux-image-4.8.0-49-generic 4.8.0-49.52
linux-image-4.8.0-49-generic-lpae 4.8.0-49.52
linux-image-4.8.0-49-lowlatency 4.8.0-49.52
linux-image-4.8.0-49-powerpc-e500mc 4.8.0-49.52
linux-image-4.8.0-49-powerpc-smp 4.8.0-49.52
linux-image-generic 4.8.0.49.61
linux-image-generic-lpae 4.8.0.49.61
linux-image-lowlatency 4.8.0.49.61
linux-image-powerpc-e500mc 4.8.0.49.61
linux-image-powerpc-smp 4.8.0.49.61
linux-image-raspi2 4.8.0.1035.39

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
http://www.ubuntu.com/usn/usn-3266-1
CVE-2017-5986

Package Information:
https://launchpad.net/ubuntu/+source/linux/4.8.0-49.52
https://launchpad.net/ubuntu/+source/linux-raspi2/4.8.0-1035.38

[USN-3266-2] Linux kernel (HWE) vulnerability

==========================================================================
Ubuntu Security Notice USN-3266-2
April 25, 2017

linux-hwe vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS

Summary:

The system could be made to crash under certain conditions.

Software Description:
- linux-hwe: Linux hardware enablement (HWE) kernel

Details:

USN-3266-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.10.
This update provides the corresponding updates for the Linux Hardware
Enablement (HWE) kernel from Ubuntu 16.10 for Ubuntu 16.04 LTS.

Alexander Popov discovered that a race condition existed in the Stream
Control Transmission Protocol (SCTP) implementation in the Linux kernel. A
local attacker could use this to cause a denial of service (system crash).

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS:
linux-image-4.8.0-49-generic 4.8.0-49.52~16.04.1
linux-image-4.8.0-49-generic-lpae 4.8.0-49.52~16.04.1
linux-image-4.8.0-49-lowlatency 4.8.0-49.52~16.04.1
linux-image-generic-hwe-16.04 4.8.0.49.21
linux-image-generic-lpae-hwe-16.04 4.8.0.49.21
linux-image-lowlatency-hwe-16.04 4.8.0.49.21

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
http://www.ubuntu.com/usn/usn-3266-2
http://www.ubuntu.com/usn/usn-3266-1
CVE-2017-5986

Package Information:
https://launchpad.net/ubuntu/+source/linux-hwe/4.8.0-49.52~16.04.1

[USN-3265-1] Linux kernel vulnerabilities

==========================================================================
Ubuntu Security Notice USN-3265-1
April 25, 2017

linux, linux-aws, linux-gke, linux-raspi2, linux-snapdragon vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in the kernel.

Software Description:
- linux: Linux kernel
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems
- linux-gke: Linux kernel for Google Container Engine (GKE) systems
- linux-raspi2: Linux kernel for Raspberry Pi 2
- linux-snapdragon: Linux kernel for Snapdragon Processors

Details:

It was discovered that a use-after-free flaw existed in the filesystem
encryption subsystem in the Linux kernel. A local attacker could use this
to cause a denial of service (system crash). (CVE-2017-7374)

Andrey Konovalov discovered an out-of-bounds access in the IPv6 Generic
Routing Encapsulation (GRE) tunneling implementation in the Linux kernel.
An attacker could use this to possibly expose sensitive information.
(CVE-2017-5897)

Andrey Konovalov discovered that the IPv4 implementation in the Linux
kernel did not properly handle invalid IP options in some situations. An
attacker could use this to cause a denial of service or possibly execute
arbitrary code. (CVE-2017-5970)

Gareth Evans discovered that the shm IPC subsystem in the Linux kernel did
not properly restrict mapping page zero. A local privileged attacker could
use this to execute arbitrary code. (CVE-2017-5669)

Alexander Popov discovered that a race condition existed in the Stream
Control Transmission Protocol (SCTP) implementation in the Linux kernel. A
local attacker could use this to cause a denial of service (system crash).
(CVE-2017-5986)

Dmitry Vyukov discovered that the Linux kernel did not properly handle TCP
packets with the URG flag. A remote attacker could use this to cause a
denial of service. (CVE-2017-6214)

Andrey Konovalov discovered that the LLC subsystem in the Linux kernel did
not properly set up a destructor in certain situations. A local attacker
could use this to cause a denial of service (system crash). (CVE-2017-6345)

It was discovered that a race condition existed in the AF_PACKET handling
code in the Linux kernel. A local attacker could use this to cause a denial
of service (system crash) or possibly execute arbitrary code.
(CVE-2017-6346)

Andrey Konovalov discovered that the IP layer in the Linux kernel made
improper assumptions about internal data layout when performing checksums.
A local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2017-6347)

Dmitry Vyukov discovered race conditions in the Infrared (IrDA) subsystem
in the Linux kernel. A local attacker could use this to cause a denial of
service (deadlock). (CVE-2017-6348)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS:
linux-image-4.4.0-1012-gke 4.4.0-1012.12
linux-image-4.4.0-1016-aws 4.4.0-1016.25
linux-image-4.4.0-1054-raspi2 4.4.0-1054.61
linux-image-4.4.0-1057-snapdragon 4.4.0-1057.61
linux-image-4.4.0-75-generic 4.4.0-75.96
linux-image-4.4.0-75-generic-lpae 4.4.0-75.96
linux-image-4.4.0-75-lowlatency 4.4.0-75.96
linux-image-4.4.0-75-powerpc-e500mc 4.4.0-75.96
linux-image-4.4.0-75-powerpc-smp 4.4.0-75.96
linux-image-4.4.0-75-powerpc64-smp 4.4.0-75.96
linux-image-aws 4.4.0.1016.19
linux-image-generic 4.4.0.75.81
linux-image-generic-lpae 4.4.0.75.81
linux-image-gke 4.4.0.1012.14
linux-image-lowlatency 4.4.0.75.81
linux-image-powerpc-e500mc 4.4.0.75.81
linux-image-powerpc-smp 4.4.0.75.81
linux-image-powerpc64-smp 4.4.0.75.81
linux-image-raspi2 4.4.0.1054.55
linux-image-snapdragon 4.4.0.1057.50

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
http://www.ubuntu.com/usn/usn-3265-1
CVE-2017-5669, CVE-2017-5897, CVE-2017-5970, CVE-2017-5986,
CVE-2017-6214, CVE-2017-6345, CVE-2017-6346, CVE-2017-6347,
CVE-2017-6348, CVE-2017-7374

Package Information:
https://launchpad.net/ubuntu/+source/linux/4.4.0-75.96
https://launchpad.net/ubuntu/+source/linux-aws/4.4.0-1016.25
https://launchpad.net/ubuntu/+source/linux-gke/4.4.0-1012.12
https://launchpad.net/ubuntu/+source/linux-raspi2/4.4.0-1054.61
https://launchpad.net/ubuntu/+source/linux-snapdragon/4.4.0-1057.61

[USN-3265-2] Linux kernel (Xenial HWE) vulnerabilities

==========================================================================
Ubuntu Security Notice USN-3265-2
April 25, 2017

linux-lts-xenial vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in the kernel.

Software Description:
- linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty

Details:

USN-3265-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu
14.04 LTS.

It was discovered that a use-after-free flaw existed in the filesystem
encryption subsystem in the Linux kernel. A local attacker could use this
to cause a denial of service (system crash). (CVE-2017-7374)

Andrey Konovalov discovered an out-of-bounds access in the IPv6 Generic
Routing Encapsulation (GRE) tunneling implementation in the Linux kernel.
An attacker could use this to possibly expose sensitive information.
(CVE-2017-5897)

Andrey Konovalov discovered that the IPv4 implementation in the Linux
kernel did not properly handle invalid IP options in some situations. An
attacker could use this to cause a denial of service or possibly execute
arbitrary code. (CVE-2017-5970)

Gareth Evans discovered that the shm IPC subsystem in the Linux kernel did
not properly restrict mapping page zero. A local privileged attacker could
use this to execute arbitrary code. (CVE-2017-5669)

Alexander Popov discovered that a race condition existed in the Stream
Control Transmission Protocol (SCTP) implementation in the Linux kernel. A
local attacker could use this to cause a denial of service (system crash).
(CVE-2017-5986)

Dmitry Vyukov discovered that the Linux kernel did not properly handle TCP
packets with the URG flag. A remote attacker could use this to cause a
denial of service. (CVE-2017-6214)

Andrey Konovalov discovered that the LLC subsystem in the Linux kernel did
not properly set up a destructor in certain situations. A local attacker
could use this to cause a denial of service (system crash). (CVE-2017-6345)

It was discovered that a race condition existed in the AF_PACKET handling
code in the Linux kernel. A local attacker could use this to cause a denial
of service (system crash) or possibly execute arbitrary code.
(CVE-2017-6346)

Andrey Konovalov discovered that the IP layer in the Linux kernel made
improper assumptions about internal data layout when performing checksums.
A local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2017-6347)

Dmitry Vyukov discovered race conditions in the Infrared (IrDA) subsystem
in the Linux kernel. A local attacker could use this to cause a denial of
service (deadlock). (CVE-2017-6348)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS:
linux-image-4.4.0-75-generic 4.4.0-75.96~14.04.1
linux-image-4.4.0-75-generic-lpae 4.4.0-75.96~14.04.1
linux-image-4.4.0-75-lowlatency 4.4.0-75.96~14.04.1
linux-image-4.4.0-75-powerpc-e500mc 4.4.0-75.96~14.04.1
linux-image-4.4.0-75-powerpc-smp 4.4.0-75.96~14.04.1
linux-image-4.4.0-75-powerpc64-smp 4.4.0-75.96~14.04.1
linux-image-generic-lpae-lts-xenial 4.4.0.75.62
linux-image-generic-lts-xenial 4.4.0.75.62
linux-image-lowlatency-lts-xenial 4.4.0.75.62
linux-image-powerpc-e500mc-lts-xenial 4.4.0.75.62
linux-image-powerpc-smp-lts-xenial 4.4.0.75.62
linux-image-powerpc64-smp-lts-xenial 4.4.0.75.62

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
http://www.ubuntu.com/usn/usn-3265-2
http://www.ubuntu.com/usn/usn-3265-1
CVE-2017-5669, CVE-2017-5897, CVE-2017-5970, CVE-2017-5986,
CVE-2017-6214, CVE-2017-6345, CVE-2017-6346, CVE-2017-6347,
CVE-2017-6348, CVE-2017-7374

Package Information:
https://launchpad.net/ubuntu/+source/linux-lts-xenial/4.4.0-75.96~14.04.1

[USN-3264-1] Linux kernel vulnerability

==========================================================================
Ubuntu Security Notice USN-3264-1
April 24, 2017

linux vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS

Summary:

The system could be made to crash under certain conditions.

Software Description:
- linux: Linux kernel

Details:

Alexander Popov discovered that a race condition existed in the Stream
Control Transmission Protocol (SCTP) implementation in the Linux kernel. A
local attacker could use this to cause a denial of service (system crash).

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS:
linux-image-3.13.0-117-generic 3.13.0-117.164
linux-image-3.13.0-117-generic-lpae 3.13.0-117.164
linux-image-3.13.0-117-lowlatency 3.13.0-117.164
linux-image-3.13.0-117-powerpc-e500 3.13.0-117.164
linux-image-3.13.0-117-powerpc-e500mc 3.13.0-117.164
linux-image-3.13.0-117-powerpc-smp 3.13.0-117.164
linux-image-3.13.0-117-powerpc64-smp 3.13.0-117.164
linux-image-generic 3.13.0.117.127
linux-image-generic-lpae 3.13.0.117.127
linux-image-lowlatency 3.13.0.117.127
linux-image-powerpc-e500 3.13.0.117.127
linux-image-powerpc-e500mc 3.13.0.117.127
linux-image-powerpc-smp 3.13.0.117.127
linux-image-powerpc64-smp 3.13.0.117.127

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
http://www.ubuntu.com/usn/usn-3264-1
CVE-2017-5986

Package Information:
https://launchpad.net/ubuntu/+source/linux/3.13.0-117.164

[USN-3264-2] Linux kernel (Trusty HWE) vulnerability

==========================================================================
Ubuntu Security Notice USN-3264-2
April 24, 2017

linux-lts-trusty vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS

Summary:

The system could be made to crash under certain conditions.

Software Description:
- linux-lts-trusty: Linux hardware enablement kernel from Trusty for Precise

Details:

USN-3264-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu
12.04 LTS.

Alexander Popov discovered that a race condition existed in the Stream
Control Transmission Protocol (SCTP) implementation in the Linux kernel. A
local attacker could use this to cause a denial of service (system crash).

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
linux-image-3.13.0-117-generic 3.13.0-117.164~precise1
linux-image-3.13.0-117-generic-lpae 3.13.0-117.164~precise1
linux-image-generic-lpae-lts-trusty 3.13.0.117.108
linux-image-generic-lts-trusty 3.13.0.117.108

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
http://www.ubuntu.com/usn/usn-3264-2
http://www.ubuntu.com/usn/usn-3264-1
CVE-2017-5986

Package Information:
https://launchpad.net/ubuntu/+source/linux-lts-trusty/3.13.0-117.164~precise1
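
An added example (not part of the notices or of Ubuntu's tooling): checking a package inventory against the "Update instructions" lists above, with a Python re-implementation of Debian version ordering so that epochs (`1:2.8+dfsg-...`) and `~` suffixes (`...~16.04.1`) compare correctly. The advisory excerpt is copied from USN-3268-1 and USN-3266-2; the installed versions and all function names are constructed for illustration.

```python
import re
import string

DIGITS = set(string.digits)
LETTERS = set(string.ascii_letters)


def _order(ch):
    """Sort weight of one non-digit character ('' means end of string)."""
    if ch == "" or ch in DIGITS:
        return 0
    if ch in LETTERS:
        return ord(ch)
    if ch == "~":
        return -1          # '~' sorts before everything, even end of string
    return ord(ch) + 256   # other punctuation sorts after letters


def _cmp_part(a, b):
    """Compare two upstream-version or revision strings: -1, 0 or 1."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character by character.
        while (i < len(a) and a[i] not in DIGITS) or \
              (j < len(b) and b[j] not in DIGITS):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return -1 if ac < bc else 1
            i += 1
            j += 1
        # Digit run: compare numerically (an empty run counts as 0).
        ia, jb = i, j
        while i < len(a) and a[i] in DIGITS:
            i += 1
        while j < len(b) and b[j] in DIGITS:
            j += 1
        na, nb = int(a[ia:i] or "0"), int(b[jb:j] or "0")
        if na != nb:
            return -1 if na < nb else 1
    return 0


def split_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as version a is older than, equal to or newer than b."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)


RELEASE_RE = re.compile(r"^Ubuntu \d+\.\d+(?: LTS)?:$")
PACKAGE_RE = re.compile(r"^(\S+)\s+(\S+)$")


def parse_fixed_versions(text):
    """Map release -> {package: fixed version} from 'Update instructions'."""
    fixed, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if RELEASE_RE.match(line):
            current = fixed.setdefault(line[:-1], {})
        elif current is not None:
            m = PACKAGE_RE.match(line)
            if m:
                current[m.group(1)] = m.group(2)
            else:
                current = None   # blank line or prose ends the package list
    return fixed


def outstanding(advisory_text, release, installed):
    """List (package, installed, fixed) for packages older than the fix."""
    fixed = parse_fixed_versions(advisory_text).get(release, {})
    return [(pkg, installed[pkg], ver) for pkg, ver in sorted(fixed.items())
            if pkg in installed and compare_versions(installed[pkg], ver) < 0]


# Excerpt of the package lists in USN-3268-1 and USN-3266-2 above.
ADVISORY_EXCERPT = """\
Update instructions:

Ubuntu 17.04:
qemu-system-x86 1:2.8+dfsg-3ubuntu2.1

Ubuntu 16.04 LTS:
linux-image-4.8.0-49-generic 4.8.0-49.52~16.04.1
linux-image-generic-hwe-16.04 4.8.0.49.21

After a standard system update you need to reboot your computer to make
all the necessary changes.
"""

# Constructed inventories (e.g. collected with dpkg-query on each host).
INSTALLED_XENIAL = {
    "linux-image-4.8.0-49-generic": "4.8.0-49.52~16.04.1",  # already fixed
    "linux-image-generic-hwe-16.04": "4.8.0.46.18",         # older metapackage
}
INSTALLED_ZESTY = {"qemu-system-x86": "1:2.8+dfsg-3ubuntu2"}

if __name__ == "__main__":
    for rel, inv in (("Ubuntu 16.04 LTS", INSTALLED_XENIAL),
                     ("Ubuntu 17.04", INSTALLED_ZESTY)):
        for pkg, have, want in outstanding(ADVISORY_EXCERPT, rel, inv):
            print(f"{rel}: {pkg} {have} -> needs {want}")
```

As the notices state, a kernel or QEMU package at the fixed version only takes effect after the reboot or VM restart, so this check confirms installation, not that the fix is running.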


Saturday, April 22, 2017

[opensuse-announce] openSUSE Leap's Next Major Version Number

Hi all,

On behalf of the openSUSE Board and Leap Release Management I am
pleased to announce the next version of openSUSE Leap after 42.3 will
be:

openSUSE Leap 15

As with Leap 42.x, minor releases are expected annually for at least 3
years, so you can expect a Leap 15.1 to follow, then 15.2 and onwards.

Obviously this is quite a dramatic change from the current version
number of 42.x, so I will explain what justifies this change in some
detail below.

First, some history. When we started openSUSE Leap, the version number
was an issue that needed addressing. openSUSE at that time was at
13.2, but SUSE Linux Enterprise (SLE) was at 12 and heading towards 12
SP1.

As the main unique selling point of Leap compared to every other
distribution is the fact it is based on SLE sources, we wanted to
reflect that in the version number.
This was particularly important when you consider that a major version
in SLE really means something ("major architectural changes from the
last version are introduced here") whereas minor versions/service
packs have a very different message ("easy to upgrade to, no major
workflow breaking changes"). Leap follows a similar philosophy, so we
wanted a versioning scheme to reflect SLE's.

But openSUSE had already had versions starting with 12, so we couldn't
sync up with SLE. This is where 42.x came from. It gave us the
opportunity to establish a relationship with SLE versions (SLE Version
+ 30 = Leap Version), reflect the major/minor nature of Leap releases,
and avoid clashes with version numbers we'd already used.
The choice of 42 doubled as a humorous nod to The Hitchhiker's Guide to
the Galaxy and the first version numbers of SuSE Linux and YaST (4.2 and
0.42 respectively).

The plan was therefore for the next version of Leap to be 43 with its
release aligned with SLE 13, followed by Leap 43.1 (with SLE 13 SP1),
Leap 43.2 (w. SP2), etc.

However, like all good plans, things change.

SUSE have decided that their next version of SLE will be 15, not 13.

Upon learning of SUSE's plans the Board and Leap release team have
been considering our options.
This included ignoring the changes to SLE and releasing Leap 43 as
planned, at the cost of the link between SLE versions and Leap
versions.
45 was also considered, as were some frankly hilarious ideas that made
me worry about my own sanity and that of my fellow contributors.

After considering the pros and cons of all the options however, the
decision has been that Leap 15 will be our next version.

SUSE's decision to skip SLE 13 and 14 gave us a perfect opportunity to
sync up with SLE versions like we always wanted to originally with
Leap. It's an opportunity we will not be able to take so easily a few
years from now if we continued with Leap's current versioning.

There are only a few packages in our distribution that reference the
42.x versioning, and they should be easily handled as part of a zypper
dup, so we are not concerned about this decision impacting users
upgrading.

We are aware that this decision could be a minor annoyance for users
of Leap with configuration management tools like saltstack and puppet,
but the long term opportunity to simplify such configuration (by being
able to treat SLE and Leap similarly) outweighed our desire to avoid a
'one-time' effort for people currently handling the overly complicated
situation caused by Leap being at 42.x and SLE being at 12 SPx.

Packagers should be able to look forward to an easier time of things
as a result of this change. We intend to deprecate the
0%{leap_version} macro and simplify the current complex nest of
suse_version and sle_versions that can make it very frustrating to
build packages appropriately for Tumbleweed, Leap and SLE.

0%{suse_version} should continue to be available as a simple indicator
of the major version of Leap & SLE for packagers (eg, 0%{suse_version}
== 1500 is the expected value for SLE 15 and Leap 15 and all of their
minor versions/service packs).

0%{sle_version} should remain as a more precise indicator when
packagers need to handle specific versions of Leap and SLE (eg.
0%{sle_version} == 150000 is the expected value for SLE 15 & Leap 15,
with 150100 being the expected value for SLE 15 SP1 & Leap 15.1)

0%{is_opensuse} will continue for those times when packagers need to
distinguish between Leap and SLE even though they will now more
closely share their versions.

The above examples and what the future suse_version number will be for
Tumbleweed is not yet final, so expect to see emails from ludwig in
opensuse-factory@opensuse.org when they are set.

Thanks to everyone involved in this so far, I'm looking forward to
seeing what we make out of Leap 15, and even though I cross-posted
this I would like to ask that any followup conversation is kept to the
opensuse-project@opensuse.org thread.

Regards,

Richard Brown
on behalf of the openSUSE Board

Friday, April 21, 2017

[USN-3260-1] Firefox vulnerabilities

==========================================================================
Ubuntu Security Notice USN-3260-1
April 21, 2017

firefox vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 17.04
- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Firefox could be made to crash or run programs as your login if it
opened a malicious website.

Software Description:
- firefox: Mozilla Open Source web browser

Details:

Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to read uninitialized memory, obtain sensitive
information, spoof the addressbar contents or other UI elements, escape
the sandbox to read local files, conduct cross-site scripting (XSS)
attacks, cause a denial of service via application crash, or execute
arbitrary code. (CVE-2017-5429, CVE-2017-5430, CVE-2017-5432,
CVE-2017-5433, CVE-2017-5434, CVE-2017-5435, CVE-2017-5436, CVE-2017-5437,
CVE-2017-5438, CVE-2017-5439, CVE-2017-5440, CVE-2017-5441, CVE-2017-5442,
CVE-2017-5443, CVE-2017-5444, CVE-2017-5445, CVE-2017-5446, CVE-2017-5447,
CVE-2017-5448, CVE-2017-5449, CVE-2017-5451, CVE-2017-5453, CVE-2017-5454,
CVE-2017-5455, CVE-2017-5456, CVE-2017-5458, CVE-2017-5459, CVE-2017-5460,
CVE-2017-5461, CVE-2017-5464, CVE-2017-5465, CVE-2017-5466, CVE-2017-5467,
CVE-2017-5468, CVE-2017-5469)

A flaw was discovered in the DRBG number generation in NSS. If an
attacker were able to perform a man-in-the-middle attack, this flaw
could potentially be exploited to view sensitive information.
(CVE-2017-5462)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 17.04:
firefox 53.0+build6-0ubuntu0.17.04.1

Ubuntu 16.10:
firefox 53.0+build6-0ubuntu0.16.10.1

Ubuntu 16.04 LTS:
firefox 53.0+build6-0ubuntu0.16.04.1

Ubuntu 14.04 LTS:
firefox 53.0+build6-0ubuntu0.14.04.1

After a standard system update you need to restart Firefox to make
all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-3260-1
CVE-2017-5429, CVE-2017-5430, CVE-2017-5432, CVE-2017-5433,
CVE-2017-5434, CVE-2017-5435, CVE-2017-5436, CVE-2017-5437,
CVE-2017-5438, CVE-2017-5439, CVE-2017-5440, CVE-2017-5441,
CVE-2017-5442, CVE-2017-5443, CVE-2017-5444, CVE-2017-5445,
CVE-2017-5446, CVE-2017-5447, CVE-2017-5448, CVE-2017-5449,
CVE-2017-5451, CVE-2017-5453, CVE-2017-5454, CVE-2017-5455,
CVE-2017-5456, CVE-2017-5458, CVE-2017-5459, CVE-2017-5460,
CVE-2017-5461, CVE-2017-5462, CVE-2017-5464, CVE-2017-5465,
CVE-2017-5466, CVE-2017-5467, CVE-2017-5468, CVE-2017-5469

Package Information:
https://launchpad.net/ubuntu/+source/firefox/53.0+build6-0ubuntu0.17.04.1
https://launchpad.net/ubuntu/+source/firefox/53.0+build6-0ubuntu0.16.10.1
https://launchpad.net/ubuntu/+source/firefox/53.0+build6-0ubuntu0.16.04.1
https://launchpad.net/ubuntu/+source/firefox/53.0+build6-0ubuntu0.14.04.1
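
A check for the update instructions above, as an added example that is not part of the Ubuntu notice: it audits a host inventory against the fixed firefox versions listed in USN-3260-1, using a pure-Python reimplementation of dpkg's version ordering. The host names and installed versions are constructed; on a real Ubuntu host, `dpkg --compare-versions` gives the authoritative comparison.

```python
import re

# Fixed firefox package versions per release, copied from USN-3260-1.
FIXED = {
    "17.04": "53.0+build6-0ubuntu0.17.04.1",
    "16.10": "53.0+build6-0ubuntu0.16.10.1",
    "16.04": "53.0+build6-0ubuntu0.16.04.1",
    "14.04": "53.0+build6-0ubuntu0.14.04.1",
}
_VER = re.compile(r"(?:([0-9]+):)?(.+?)(?:-([^-]*))?$")  # [epoch:]upstream[-revision]

def _sign(x, y):
    return (x > y) - (x < y)

def _weight(c):
    # dpkg order inside non-digit runs: '~' < end of run < letters < other characters
    return -1 if c == "~" else 0 if c == "" else ord(c) + (0 if c.isalpha() else 256)

def _cmp_part(a, b):
    # Alternate non-digit runs (compared by character weight) and digit runs (numeric).
    while a or b:
        na, nb = (re.match(r"[^0-9]*", s).group() for s in (a, b))
        a, b = a[len(na):], b[len(nb):]
        for k in range(max(len(na), len(nb))):
            if s := _sign(_weight(na[k:k + 1]), _weight(nb[k:k + 1])):
                return s
        da, db = (re.match(r"[0-9]*", s).group() for s in (a, b))
        a, b = a[len(da):], b[len(db):]
        if s := _sign(int(da or 0), int(db or 0)):
            return s
    return 0

def deb_compare(v1, v2):
    # Returns -1, 0 or 1: epoch numerically, then upstream, then revision.
    (e1, u1, r1), (e2, u2, r2) = (_VER.match(v).groups() for v in (v1, v2))
    return _sign(int(e1 or 0), int(e2 or 0)) or _cmp_part(u1, u2) or _cmp_part(r1 or "", r2 or "")

def audit(inventory):
    # Rows are (host, release, installed version); a release absent from the notice is not judged.
    return {host: "not-covered" if rel not in FIXED
            else "patched" if deb_compare(ver, FIXED[rel]) >= 0 else "vulnerable"
            for host, rel, ver in inventory}

# Constructed inventory: host names and installed versions are made up.
INVENTORY = [
    ("web-02", "16.04", "52.0.2+build1-0ubuntu0.16.04.1"),
    ("kiosk-03", "14.04", "53.0.2+build1-0ubuntu0.14.04.2"),
    ("legacy-04", "12.04", "52.0.2+build1-0ubuntu0.12.04.1"),
]
```

A host on a release the notice does not list is reported as `not-covered` rather than `patched`, because the notice gives no fixed version to compare against.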

Thursday, April 20, 2017

Announce: Fedora Layered Image Release

Hello all,
On behalf of the Fedora Atomic WG[0] and Fedora Release
Engineering[1], I am pleased to announce the latest Fedora Layered
Image Release. This follows the latest Atomic Host Release that came
out yesterday[2].

At this time the following Container Images are available in the
Fedora Registry.


Base Images:

(Note that the "latest" tag currently points to "25" and the "rawhide"
tag currently points to "27", if no tag is provided in your pull
command then it will always default to "latest")

registry.fedoraproject.org/fedora:latest
registry.fedoraproject.org/fedora:rawhide
registry.fedoraproject.org/fedora:27
registry.fedoraproject.org/fedora:26
registry.fedoraproject.org/fedora:25
registry.fedoraproject.org/fedora:24


Layered Images:

(Note: Layered Images are namespaced in the registry and at this time
we are only releasing for the f25 namespace.)

registry.fedoraproject.org/f25/cockpit:135-5.f25docker
registry.fedoraproject.org/f25/cockpit:135
registry.fedoraproject.org/f25/cockpit
registry.fedoraproject.org/f25/kubernetes-node:0.1-9.f25docker
registry.fedoraproject.org/f25/kubernetes-node:0.1
registry.fedoraproject.org/f25/kubernetes-node
registry.fedoraproject.org/f25/kubernetes-controller-manager:0.1-9.f25docker
registry.fedoraproject.org/f25/kubernetes-controller-manager:0.1
registry.fedoraproject.org/f25/kubernetes-controller-manager
registry.fedoraproject.org/f25/mariadb:10.1-8.f25docker
registry.fedoraproject.org/f25/mariadb:10.1
registry.fedoraproject.org/f25/mariadb
registry.fedoraproject.org/f25/kubernetes-apiserver:0.1-9.f25docker
registry.fedoraproject.org/f25/kubernetes-apiserver:0.1
registry.fedoraproject.org/f25/kubernetes-apiserver
registry.fedoraproject.org/f25/kubernetes-scheduler:0.1-9.f25docker
registry.fedoraproject.org/f25/kubernetes-scheduler:0.1
registry.fedoraproject.org/f25/kubernetes-scheduler
registry.fedoraproject.org/f25/kubernetes-master:0.1-10.f25docker
registry.fedoraproject.org/f25/kubernetes-master:0.1
registry.fedoraproject.org/f25/kubernetes-master
registry.fedoraproject.org/f25/s2i-base:1-8.f25docker
registry.fedoraproject.org/f25/s2i-base:1
registry.fedoraproject.org/f25/s2i-base
registry.fedoraproject.org/f25/kubernetes-kubelet:0-9.f25docker
registry.fedoraproject.org/f25/kubernetes-kubelet:0
registry.fedoraproject.org/f25/kubernetes-kubelet
registry.fedoraproject.org/f25/flannel:0.1-8.f25docker
registry.fedoraproject.org/f25/flannel:0.1
registry.fedoraproject.org/f25/flannel
registry.fedoraproject.org/f25/kubernetes-proxy:0-9.f25docker
registry.fedoraproject.org/f25/kubernetes-proxy:0
registry.fedoraproject.org/f25/kubernetes-proxy
registry.fedoraproject.org/f25/etcd:0.1-10.f25docker
registry.fedoraproject.org/f25/etcd:0.1
registry.fedoraproject.org/f25/etcd
registry.fedoraproject.org/f25/toolchain:1-7.f25docker
registry.fedoraproject.org/f25/toolchain:1
registry.fedoraproject.org/f25/toolchain

The source of this content is provided in DistGit which can easily be
searched via the container pkgdb namespace[3].

As always, we welcome feedback and would encourage anyone interested
to come join the Fedora Atomic WG[0] as we continue to iterate on
integrating the Project Atomic[4] family of technologies into Fedora.
Anyone interested in contributing Container Images, please feel free
to join in and submit one for Review[5][6].

Special side note with this release, all layered images have been
rebuilt to ensure the base image they rely upon includes the fix for
CVE-2017-5461[7][8].

Thank you,
-AdamM

[0] - https://pagure.io/atomic-wg
[1] - https://docs.pagure.org/releng/
[2] - https://lists.fedoraproject.org/archives/list/cloud@lists.fedoraproject.org/thread/B6CXLASBHNDM3KL6A5SXKSMNM3OCPNYX/
[3] - https://admin.fedoraproject.org/pkgdb/packages/container/%2A/
[4] - https://www.projectatomic.io/
[5] - https://fedoraproject.org/wiki/Container:Review_Process
[6] - https://fedoraproject.org/wiki/Container:Guidelines
[7] - https://bugzilla.redhat.com/show_bug.cgi?id=1440080
[8] - https://bodhi.fedoraproject.org/updates/FEDORA-2017-521b5e42a4