Saturday, March 31, 2018

[FreeBSD-Announce] FreeBSD 10.3 end-of-life

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Dear FreeBSD community,

As of April 30, 2018, FreeBSD 10.3 will reach end-of-life and will no
longer be supported by the FreeBSD Security Team. Users of FreeBSD 10.3
are strongly encouraged to upgrade to a newer release as soon as
possible.

The currently supported branches and releases and their expected
end-of-life dates are:

+-----------+------------+--------+----------------+-----------------------+
|  Branch   |  Release   |  Type  |  Release Date  |     Estimated EoL     |
+-----------+------------+--------+----------------+-----------------------+
|stable/10  |n/a         |n/a     |n/a             |October 31, 2018       |
+-----------+------------+--------+----------------+-----------------------+
|releng/10.3|10.3-RELEASE|Extended|April 4, 2016   |April 30, 2018         |
+-----------+------------+--------+----------------+-----------------------+
|releng/10.4|10.4-RELEASE|Normal  |October 3, 2017 |October 31, 2018       |
+-----------+------------+--------+----------------+-----------------------+
|stable/11  |n/a         |n/a     |n/a             |September 30, 2021     |
+-----------+------------+--------+----------------+-----------------------+
|releng/11.1|11.1-RELEASE|n/a     |July 26, 2017   |11.2-RELEASE + 3 months|
+-----------+------------+--------+----------------+-----------------------+

As a reminder, FreeBSD changed the support model as of 11.0-RELEASE.
For additional information, please see
https://lists.freebsd.org/pipermail/freebsd-announce/2015-February/001624.html

Please refer to https://security.freebsd.org/ for an up-to-date list of
supported releases and the latest security advisories.

--
The FreeBSD Security Team
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlq+1CNfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cJ6FRAAktNg88rhRcmdu4Zyq6n7lP/MYFspmrMrmz8ElSsAfAt9AR9BV28888/4
fHyQnZZ09mY5V+PuKQcOg5gQlngPFO4xFjGsKhwD1GEId1zEiiU7F0cQN35dA1Cd
B2T6eBRO+pJZ73U0Fdakj0qQNJ4wWYpVtDomQ6IruQy0dGb2t+0PF//VcDsDWTBR
iw8C1SmWVRyYyRyGFd0jeAhVXtCBVDCDh/Ul7Q2dq9nziEkFRFVhYWD0H4xlKysJ
FooVTdyxFFS+NI8cFIgdIBBYGjLidBr66XXV9nxheGvSAHDvF36Xdvyvgx7Z1+dz
dHuDfnjOkIY0CDTfTCeL+dOhqyPK4ypXetRei5VVdhMD6kWqlnK87DoVIAfqlaud
4bno48C1h2rdhrAKBUfHYVxrrjKR7h2EG068JUrqOPzhxPIPiZHplSzkBGeLvL/j
2MuSaAWK3d+xgmEPWLuAq0pxfuBkKzNgkBjfrpg4xO6vSkQa+e+XbipcuFsUfMAv
oxY+ZeGaKfJcWACqFnmolmf468/QDSpm4UAuNH8EcqVsKoCHQRl6BThfcpw4Uvkt
Fg/3D9wL0O/hZzOhOwxxspDNqtfXgsKSQZELfR/fGaBiw/GYV5xWcPROE1yxbRoO
4kcUONq2xvobJhwg2Ho9+hmQ9HElJsiJrhtjEgmKpp1CwAOi8Oo=
=hQXD
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-announce@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-announce
To unsubscribe, send any mail to "freebsd-announce-unsubscribe@freebsd.org"

Friday, March 30, 2018

[opensuse-announce] openSUSE Elections postponed until April 15th.

The elections for the openSUSE Board have been postponed until April
15 to give candidates extra time to campaign and engage with the
community. Interviews with the candidates will be posted on news.o.o.
and we are in the process of scheduling a Q&A session on IRC.

Chuck Payne


--
To unsubscribe, e-mail: opensuse-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-announce+help@opensuse.org

Thursday, March 29, 2018

Fedora 28 Beta status is GO, release on April 03, 2018

The Fedora 28 Beta RC3 compose [1] is considered GOLD and is going to be shipped live on Tuesday, April 3rd, 2018.

For more information please check the Go/No-Go meeting minutes [2] or logs [3].

I would like to thank all the people who were and are still working on this release.

[1] http://dl.fedoraproject.org/pub/alt/stage/28_Beta-1.3/
[2] https://meetbot.fedoraproject.org/fedora-meeting/2018-03-29/f28-beta-go-no-go-meeting.2018-03-29-16.04.html
[3] https://meetbot.fedoraproject.org/fedora-meeting/2018-03-29/f28-beta-go-no-go-meeting.2018-03-29-16.04.log.html

Regards,
Jan
--
Jan Kuřík
Platform & Fedora Program Manager
Red Hat Czech s.r.o., Purkynova 99/71, 612 45 Brno, Czech Republic

[USN-3531-3] intel-microcode update

==========================================================================
Ubuntu Security Notice USN-3531-3
March 29, 2018

intel-microcode update
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 17.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

The system could be made to expose sensitive information.

Software Description:
- intel-microcode: Processor microcode for Intel CPUs

Details:

Jann Horn discovered that microprocessors utilizing speculative execution
and branch prediction may allow unauthorized memory reads via side-channel
attacks. This flaw is known as Spectre. A local attacker could use this to
expose sensitive information, including kernel memory. (CVE-2017-5715)

This update provides the corrected microcode updates required for the
corresponding Linux kernel updates.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 17.10:
  intel-microcode                 3.20180312.0~ubuntu17.10.1

Ubuntu 16.04 LTS:
  intel-microcode                 3.20180312.0~ubuntu16.04.1

Ubuntu 14.04 LTS:
  intel-microcode                 3.20180312.0~ubuntu14.04.1

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
  https://usn.ubuntu.com/usn/usn-3531-3
  https://usn.ubuntu.com/usn/usn-3531-1
  CVE-2017-5715

Package Information:
  https://launchpad.net/ubuntu/+source/intel-microcode/3.20180312.0~ubuntu17.10.1
  https://launchpad.net/ubuntu/+source/intel-microcode/3.20180312.0~ubuntu16.04.1
  https://launchpad.net/ubuntu/+source/intel-microcode/3.20180312.0~ubuntu14.04.1

[USN-3545-1] Thunderbird vulnerabilities

-----BEGIN PGP SIGNATURE-----

iQEcBAEBCAAGBQJavOmzAAoJEGEfvezVlG4PGlUIAKZ252pnLNFFrk/zcq8+hEmm
t8nJ9tx9RuzTzurlcupRMIl5ms0TJP69GBL9/7HgYVNWdj2+GlRlNHtRcICmvpba
+0N0/QJ2mMQNkxFWs3KOYI7z0Kc3pthZw3EFWG6ofh1WE0ToxSNC+7eiF9xHNWwV
UTu8JNKKwWNeItY//z0HeXEQKXwsvbDFUIA4d72TGdT5cO+Qc3wwOdEfttyUInAK
x/CZvCaVL8oXqkZTdKP/cDtLKxYeKNjZX1USByqJ03lOFppRGXA6JAVRoaBhZzX4
rjNQjaZqvP+6sdk/7/YjTwJ69HUctNp+lnxWaPC0s7wVW0w0QunvtNgtaF9HXw4=
=kTYm
-----END PGP SIGNATURE-----
==========================================================================
Ubuntu Security Notice USN-3545-1
March 29, 2018

thunderbird vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 17.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in Thunderbird.

Software Description:
- thunderbird: Mozilla Open Source mail and newsgroup client

Details:

Multiple security issues were discovered in Thunderbird. If a user were
tricked into opening a specially crafted website in a browsing context,
an attacker could potentially exploit these to cause a denial of service,
or execute arbitrary code. (CVE-2018-5125, CVE-2018-5127, CVE-2018-5129,
CVE-2018-5144, CVE-2018-5145, CVE-2018-5146)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 17.10:
thunderbird 1:52.7.0+build1-0ubuntu0.17.10.1

Ubuntu 16.04 LTS:
thunderbird 1:52.7.0+build1-0ubuntu0.16.04.1

Ubuntu 14.04 LTS:
thunderbird 1:52.7.0+build1-0ubuntu0.14.04.1

After a standard system update you need to restart Thunderbird to make
all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3545-1
CVE-2018-5125, CVE-2018-5127, CVE-2018-5129, CVE-2018-5144,
CVE-2018-5145, CVE-2018-5146

Package Information:
https://launchpad.net/ubuntu/+source/thunderbird/1:52.7.0+build1-0ubuntu0.17.10.1
https://launchpad.net/ubuntu/+source/thunderbird/1:52.7.0+build1-0ubuntu0.16.04.1
https://launchpad.net/ubuntu/+source/thunderbird/1:52.7.0+build1-0ubuntu0.14.04.1

Wednesday, March 28, 2018

[USN-3612-1] librelp vulnerability

==========================================================================
Ubuntu Security Notice USN-3612-1
March 28, 2018

librelp vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS

Summary:

librelp could be made to crash or run programs if it received specially
crafted network traffic.

Software Description:
- librelp: Reliable Event Logging Protocol (RELP) library

Details:

Bas van Schaik and Kevin Backhouse discovered that librelp incorrectly
handled checking certain X.509 certificates. A remote attacker able to
connect to rsyslog could possibly use this issue to execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS:
librelp0 1.2.2-2ubuntu1.1

After a standard system update you need to restart rsyslog to make all the
necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3612-1
CVE-2018-1000140

Package Information:
https://launchpad.net/ubuntu/+source/librelp/1.2.2-2ubuntu1.1

[USN-3610-1] ICU vulnerability

==========================================================================
Ubuntu Security Notice USN-3610-1
March 28, 2018

icu vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 17.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

ICU could be made to crash if it received specially crafted input.

Software Description:
- icu: International Components for Unicode library

Details:

It was discovered that ICU incorrectly handled certain calendars. If an
application using ICU processed crafted data, a remote attacker could
possibly cause it to crash, leading to a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 17.10:
libicu57 57.1-6ubuntu0.3

Ubuntu 16.04 LTS:
libicu55 55.1-7ubuntu0.4

Ubuntu 14.04 LTS:
libicu52 52.1-3ubuntu0.8

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3610-1
CVE-2017-15422

Package Information:
https://launchpad.net/ubuntu/+source/icu/57.1-6ubuntu0.3
https://launchpad.net/ubuntu/+source/icu/55.1-7ubuntu0.4
https://launchpad.net/ubuntu/+source/icu/52.1-3ubuntu0.8

[USN-3611-1] OpenSSL vulnerability

==========================================================================
Ubuntu Security Notice USN-3611-1
March 28, 2018

openssl vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 17.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

OpenSSL could be made to crash if it received specially crafted network
traffic.

Software Description:
- openssl: Secure Socket Layer (SSL) cryptographic library and tools

Details:

It was discovered that OpenSSL incorrectly handled certain ASN.1 types. A
remote attacker could possibly use this issue to cause a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 17.10:
libssl1.0.0 1.0.2g-1ubuntu13.4

Ubuntu 16.04 LTS:
libssl1.0.0 1.0.2g-1ubuntu4.11

Ubuntu 14.04 LTS:
libssl1.0.0 1.0.1f-1ubuntu2.24

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3611-1
CVE-2018-0739

Package Information:
https://launchpad.net/ubuntu/+source/openssl/1.0.2g-1ubuntu13.4
https://launchpad.net/ubuntu/+source/openssl/1.0.2g-1ubuntu4.11
https://launchpad.net/ubuntu/+source/openssl/1.0.1f-1ubuntu2.24

[USN-3608-1] Zsh vulnerabilities

==========================================================================
Ubuntu Security Notice USN-3608-1
March 27, 2018

zsh vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 17.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in Zsh.

Software Description:
- zsh: shell with lots of features

Details:

Richard Maciel Costa discovered that Zsh incorrectly handled certain
inputs. An attacker could possibly use this to cause a denial of
service. (CVE-2018-1071)

It was discovered that Zsh incorrectly handled certain files. An
attacker could possibly use this to execute arbitrary code.
(CVE-2018-1083)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 17.10:
  zsh                             5.2-5ubuntu1.2

Ubuntu 16.04 LTS:
  zsh                             5.1.1-1ubuntu2.2

Ubuntu 14.04 LTS:
  zsh                             5.0.2-3ubuntu6.2

After a standard system update you need to restart Zsh to make
all the necessary changes.

References:
  https://usn.ubuntu.com/usn/usn-3608-1
  CVE-2018-1071, CVE-2018-1083

Package Information:
  https://launchpad.net/ubuntu/+source/zsh/5.2-5ubuntu1.2
  https://launchpad.net/ubuntu/+source/zsh/5.1.1-1ubuntu2.2
  https://launchpad.net/ubuntu/+source/zsh/5.0.2-3ubuntu6.2

[USN-3609-1] Firefox vulnerability

-----BEGIN PGP SIGNATURE-----

iQEcBAEBCAAGBQJau3+nAAoJEGEfvezVlG4PFCMH/3sR40UwwA4Q6DutadiK3wSf
L7CrUGtWSeWrQJXVWt8/H8QvtevX0JstpB04CUnLnQvO8TC/exUBw8xnQwPKIw46
f3OpEz+Qc/CiFOEFibhXzxn1MpfnRoXl4Vt+TyBcdgkRrGktESREfaPxzmXQky5H
MBVtrzVIL/hmGhC4a2AOz+wD3+G6vWNi1HZu3tfX2UPg07O7vlaVZ2EeWBMtDjn1
72INsW/UgXY75fqi1MZfttZtQnfHZ15uK4MOgYnTbm5MYVrji0kD6e3k2tIrCJuU
hTpy1lcRmNJm59og9r97Q4/jpGNFOyt/hzOwO3fTxLFN4BwObWLVQFwrBuA4zhw=
=Rolt
-----END PGP SIGNATURE-----
==========================================================================
Ubuntu Security Notice USN-3609-1
March 27, 2018

firefox vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 17.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Firefox could be made to crash or run programs as your login if it
opened a malicious website.

Software Description:
- firefox: Mozilla Open Source web browser

Details:

A use-after-free was discovered in Firefox. If a user were tricked into
opening a specially crafted website, an attacker could potentially exploit
this to cause a denial of service or execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 17.10:
firefox 59.0.2+build1-0ubuntu0.17.10.1

Ubuntu 16.04 LTS:
firefox 59.0.2+build1-0ubuntu0.16.04.1

Ubuntu 14.04 LTS:
firefox 59.0.2+build1-0ubuntu0.14.04.1

After a standard system update you need to restart Firefox to make
all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3609-1
CVE-2018-5148

Package Information:
https://launchpad.net/ubuntu/+source/firefox/59.0.2+build1-0ubuntu0.17.10.1
https://launchpad.net/ubuntu/+source/firefox/59.0.2+build1-0ubuntu0.16.04.1
https://launchpad.net/ubuntu/+source/firefox/59.0.2+build1-0ubuntu0.14.04.1

F29 Self Contained Change: Ansible python3 default

= Proposed Self Contained Change: Ansible python3 default =
https://fedoraproject.org/wiki/Changes/Ansible_python3_default


Owner(s):
* Kevin Fenzi <kevin at scrye dot com>


Ansible started out as a python2-only application, but in recent years
a large amount of work has gone into porting things to python3. Last
year, the Fedora ansible package started shipping an ansible-python3
package, allowing users to switch to python3 on the control host easily
if they wished, but left the default as python2. Now in Fedora 29, the
default will be switched and the python3 version will be the only
version shipped.



== Detailed description ==
The Fedora ansible package will be changed to default to python3 with
the 'ansible' package. Note that this change is on the control host;
you can control what python is used on target hosts via your
inventory. You may continue to use python2 there, or use python3 as
your target hosts require.


== Scope ==
* Proposal owners:
Modify ansible package (already done)

* Other developers:
N/A (not a System Wide Change)

* Release engineering:
#releng-7414 https://pagure.io/releng/7414

** List of deliverables:
N/A (not a System Wide Change)

* Policies and guidelines:
N/A (not a System Wide Change)

* Trademark approval:
N/A (not needed for this Change)
--
Jan Kuřík
Platform & Fedora Program Manager
Red Hat Czech s.r.o., Purkynova 99/71, 612 45 Brno, Czech Republic
_______________________________________________
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org

Tuesday, March 27, 2018

[CentOS-announce] CEBA-2018:0597 CentOS 7 tzdata BugFix Update

CentOS Errata and Bugfix Advisory 2018:0597

Upstream details at : https://access.redhat.com/errata/RHBA-2018:0597

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

x86_64:
ff9063828a3427711ac3054a7c887c06d716eb69a6717669834a4fe59b9be74f tzdata-2018d-1.el7.noarch.rpm
805ffa512bdc30131d519956773e3ad1bd5ab6b1ae94d29d3f12c67ad8b7bbed tzdata-java-2018d-1.el7.noarch.rpm

--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS

_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
https://lists.centos.org/mailman/listinfo/centos-announce

[CentOS-announce] CESA-2018:0592 Important CentOS 7 slf4j Security Update

CentOS Errata and Security Advisory 2018:0592 Important

Upstream details at : https://access.redhat.com/errata/RHSA-2018:0592

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

x86_64:
733630907981b82d45bd40cf4d3f113ff2193a4fdf1e293818669a707b739189 slf4j-1.7.4-4.el7_4.noarch.rpm
d145b3bc3337e418173681eade8a1666ad7624271a6e0b10cb41a39010c0fdef slf4j-javadoc-1.7.4-4.el7_4.noarch.rpm
58f4c9dd119e297fd38fcc638d1dc1d359fa281fb425d14eaaa6ec79f548c33f slf4j-manual-1.7.4-4.el7_4.noarch.rpm

--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS


[CentOS-announce] CEEA-2018:0579 CentOS 7 kmod-redhat-i40e Enhancement Update

CentOS Errata and Enhancement Advisory 2018:0579

Upstream details at : https://access.redhat.com/errata/RHEA-2018:0579

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

x86_64:
973726f539d915e4d6667bcd4a551f08403e56307c00ed85032ac916e5414982 kmod-redhat-i40e-2.1.14_k_dup7.4-2.1.el7_4.x86_64.rpm
c5deeb12aef29bff75a15fbf3af2d09acfd97841f64ef5a8596c4bbf09712052 kmod-redhat-i40evf-3.0.1_k_dup7.4-2.1.el7_4.x86_64.rpm

Source:
ef9a7cd89dea97c47b17796bb25546cb9cbc5dd11a28e74b70af8b3ec5f81a9e kmod-redhat-i40e-2.1.14_k_dup7.4-2.1.el7_4.src.rpm
9f5eb3e913cba0b1883d154f4af9b7f12936377e0977f8295b97273fab22376f kmod-redhat-i40evf-3.0.1_k_dup7.4-2.1.el7_4.src.rpm

--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS


[CentOS-announce] CEBA-2018:0597 CentOS 6 tzdata BugFix Update

CentOS Errata and Bugfix Advisory 2018:0597

Upstream details at : https://access.redhat.com/errata/RHBA-2018:0597

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

i386:
b07bee4e9445dc2e7f28d46222cf487164102f06256a6aefcd65d52c0f7896fc tzdata-2018d-1.el6.noarch.rpm
81c03c9e3f00b0806b40797a9aaf9c3a2b0d3b6f8acc2dae63b0c3eaf299dbcd tzdata-java-2018d-1.el6.noarch.rpm

x86_64:
b07bee4e9445dc2e7f28d46222cf487164102f06256a6aefcd65d52c0f7896fc tzdata-2018d-1.el6.noarch.rpm
81c03c9e3f00b0806b40797a9aaf9c3a2b0d3b6f8acc2dae63b0c3eaf299dbcd tzdata-java-2018d-1.el6.noarch.rpm

Source:
905226831ac71f99f6f75d3089d070aaa531628dc506eede51255003ba6ceedc tzdata-2018d-1.el6.src.rpm

--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS


F28 Self Contained Change: Stop building 389-ds-base on i686

= Proposed Self Contained Change: Stop building 389-ds-base on i686 =
https://fedoraproject.org/wiki/Changes/389-ds-base-remove-686


Owner(s):
* Mark Reynolds <mreynolds at redhat dot com>


389-ds-base does not work properly on i686 hardware with regard to atomic types.



== Detailed description ==
The 389-ds project has found an issue which causes system instability on
all 1.4.x versions of the server on the i686 platform. This is a
hardware limitation of the platform related to how we consume atomic
types. This may lead to thread unsafety and other issues.
- FreeIPA server will not be available on i686 due to this
- slapi-nis set of plugins will not be available on i686 due to this
- Upgrade of i686 instance of Fedora with FreeIPA server will not be
possible without fully uninstalling FreeIPA replica



== Scope ==
* Proposal owners:
This only requires a change to spec file to exclude i686

* Other developers:
N/A (not a System Wide Change)

* Release engineering:
#6894: https://pagure.io/releng/issues/6894

** List of deliverables:
N/A (not a System Wide Change)

* Policies and guidelines:
N/A (not a System Wide Change)

* Trademark approval:
N/A (not needed for this Change)
--
Jan Kuřík
Platform & Fedora Program Manager
Red Hat Czech s.r.o., Purkynova 99/71, 612 45 Brno, Czech Republic
_______________________________________________
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org

Monday, March 26, 2018

Re: [Help Needed] Fedora Server's Mission and Goals

I'm going to extend this by a week and cancel tomorrow's Server SIG meeting. People have been very distracted with dealing with Beta blockers and we've extended this request to a wider audience (it got picked up by certain news sources). Let's give it a little more time to percolate.

If you have thoughts, I'd really like to hear them.

On Mon, Mar 26, 2018 at 8:04 AM Stephen Gallagher <sgallagh@redhat.com> wrote:
Quick reminder to please send me your thoughts on this; I'll be collating them tonight and sending them out for us to discuss tomorrow.


On Tue, Mar 20, 2018 at 4:58 PM Stephen Gallagher <sgallagh@redhat.com> wrote:
During today's Server SIG IRC meeting[1], we discussed plans for Fedora 29 and onwards. In particular, we've decided that we're probably going to retire the concept of "server roles" from our overall goals. Adam Williamson -- representing Fedora QA -- raised the point that the related release criteria and test goals come directly from the Fedora Server Product Requirements Document (PRD) [2]. He correctly pointed out that we should start by revising the PRD and have that filter down ultimately into the release criteria.

Looking at the Fedora Wiki, the Fedora Server PRD is now over four years old and thus is ripe for an update. To that end, we're going to start with a brainstorming exercise to update our Mission Statement. The current statement reads:

Fedora Server is a common base platform with "featured server roles" built on top of it. We commit to produce, test, and distribute these server roles.

Clearly, this is no longer going to work for us, since we're planning to retire the server role concept. So what I'd like is this: If you are reading this, I'd like you to send me your view of what the purpose/goals/efforts of Fedora Server should be over the next 2-3 years (or even longer). I would ask that you send your thoughts directly to me, not as a reply on the list. This is so as not to influence anyone else's answers or to start a debate before the brainstorming is concluded. I will gather the responses and send them back out to the list as a complete set on Monday. The floodgates should then open to try to find the common elements and start turning them into an actionable strategy (the discussion will also continue at the Server SIG meeting on Tuesday).

Once that discussion settles down, I will take the major points we come to agreement on and start putting together a draft of a new Product Requirements Document. We can then discuss and tweak the PRD up to the Fedora 29 System-Wide Change Proposal deadline, at which point the Server SIG will submit its F29 Changes to FESCo.

Thank you all in advance for your help with this.

[USN-3607-1] Screen Resolution Extra vulnerability

-----BEGIN PGP SIGNATURE-----

iQEcBAEBCAAGBQJauWwNAAoJEGEfvezVlG4P2DAH/RR85kdJTbZTz4rqo5toAL+j
23tSWS7J+qGFkApEJNk7Ec8r5bGs9ioyjPf5V47RPDaATdmZa1auAyCDWM4Jg75H
WRDoKcPjSaaCodefihXVLtd4Y2I89YC94Z/HLbBsn19niSP6NmmWk7g2Te1jWk2P
0YDSxR+qMCigR86h1wcG7rP1T+pRHlYDKk/mJedIOZfp15nGpgzXvVNfMAdogI9U
70WWOqs9JbmkLg8YZriv4FqyxoJTaRsQd07tyH4h02+XWvMV50TcG526rp5IO9r2
RaUjuLfKRlyXjjmKAh2uf30oLE1zOwlcoZT+pYqzvaPdVjjuSMs6ZUSMrHdu5iw=
=tui1
-----END PGP SIGNATURE-----
==========================================================================
Ubuntu Security Notice USN-3607-1
March 26, 2018

screen-resolution-extra vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 17.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Screen Resolution Extra could be tricked into bypassing PolicyKit
authorizations.

Software Description:
- screen-resolution-extra: Extension for the GNOME screen resolution applet

Details:

It was discovered that Screen Resolution Extra was using PolicyKit in an
unsafe manner. A local attacker could potentially exploit this issue to
bypass intended PolicyKit authorizations.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 17.10:
screen-resolution-extra 0.17.1.1

Ubuntu 16.04 LTS:
screen-resolution-extra 0.17.1.1~16.04.1

Ubuntu 14.04 LTS:
screen-resolution-extra 0.17.1.1~14.04.1

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3607-1
CVE-2018-8885

Package Information:
https://launchpad.net/ubuntu/+source/screen-resolution-extra/0.17.1.1
https://launchpad.net/ubuntu/+source/screen-resolution-extra/0.17.1.1~16.04.1
https://launchpad.net/ubuntu/+source/screen-resolution-extra/0.17.1.1~14.04.1

[USN-3606-1] LibTIFF vulnerabilities

==========================================================================
Ubuntu Security Notice USN-3606-1
March 26, 2018

tiff vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 17.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

LibTIFF could be made to crash or run programs as your login if it opened a
specially crafted file.

Software Description:
- tiff: Tag Image File Format (TIFF) library

Details:

It was discovered that LibTIFF incorrectly handled certain malformed
images. If a user or automated system were tricked into opening a specially
crafted image, a remote attacker could crash the application, leading to a
denial of service, or possibly execute arbitrary code with user privileges.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 17.10:
libtiff-tools 4.0.8-5ubuntu0.1
libtiff5 4.0.8-5ubuntu0.1

Ubuntu 16.04 LTS:
libtiff-tools 4.0.6-1ubuntu0.4
libtiff5 4.0.6-1ubuntu0.4

Ubuntu 14.04 LTS:
libtiff-tools 4.0.3-7ubuntu0.9
libtiff5 4.0.3-7ubuntu0.9

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3606-1
CVE-2016-3186, CVE-2016-5102, CVE-2016-5318, CVE-2017-11613,
CVE-2017-12944, CVE-2017-17095, CVE-2017-18013, CVE-2017-5563,
CVE-2017-9117, CVE-2017-9147, CVE-2017-9935, CVE-2018-5784

Package Information:
https://launchpad.net/ubuntu/+source/tiff/4.0.8-5ubuntu0.1
https://launchpad.net/ubuntu/+source/tiff/4.0.6-1ubuntu0.4
https://launchpad.net/ubuntu/+source/tiff/4.0.3-7ubuntu0.9

F29 System Wide Change: Ruby on Rails 5.2

= Proposed System Wide Change: Ruby on Rails 5.2 =
https://fedoraproject.org/wiki/Changes/Ruby_on_Rails_5.2


Owner(s):
* Pavel Valena <pvalena at redhat dot com>
* Vít Ondruch <vondruch at redhat dot com>
* Jun Aruga <jaruga at redhat dot com>


Ruby on Rails 5.2 is the latest version of the well-known web framework
written in Ruby.



== Detailed description ==
The Ruby on Rails stack is evolving quickly and Fedora needs to keep
pace with it. Therefore the whole Ruby on Rails stack should be
updated from 5.1 in Fedora 28 to 5.2 (latest version) in Fedora 29.
This will ensure that all the Ruby developers using Fedora have the
latest and greatest RPM-packaged Ruby on Rails.


== Scope ==
* Proposal owners:
** The whole Rails stack has to be updated
** Some dependencies of the Rails stack will need update
=== Packages need to be created/updated ===
- rubygem-activestorage - Create package
- rubygem-actioncable - Update to 5.2.x
- rubygem-actionmailer - Update to 5.2.x
- rubygem-actionpack - Update to 5.2.x
- rubygem-actionview - Update to 5.2.x
- rubygem-activejob - Update to 5.2.x
- rubygem-activemodel - Update to 5.2.x
- rubygem-activerecord - Update to 5.2.x
- rubygem-activesupport - Update to 5.2.x
- rubygem-rails - Update to 5.2.x
- rubygem-railties - Update to 5.2.x
- rubygem-arel - Update to 9.0.x

* Other developers:
Update Rails dependent packages to be working with Ruby on Rails 5.2

* Release engineering:
#7410 https://pagure.io/releng/issue/7410

** List of deliverables:
None

* Policies and guidelines:
Not needed

* Trademark approval:
Not needed
--
Jan Kuřík
Platform & Fedora Program Manager
Red Hat Czech s.r.o., Purkynova 99/71, 612 45 Brno, Czech Republic

Friday, March 23, 2018

LibreSSL 2.7.1 Released

We have released LibreSSL 2.7.1, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon. This is the second
release from the 2.7 series, which will be part of OpenBSD 6.3.

It includes the following changes from 2.7.0

* Fixed a bug in int_x509_param_set_hosts: strlen() is now called if the
name length provided is 0, matching the OpenSSL behaviour. Issue noticed
by Christian Heimes <christian@python.org>

* Fixed builds on macOS 10.11 and older.

LibreSSL 2.7.1 also includes:

* Added support for many OpenSSL 1.0.2 and 1.1 APIs, based on
observations of real-world usage in applications. These are
implemented in parallel with existing OpenSSL 1.0.1 APIs - visibility
changes have not been made to existing structs, allowing code written
for older OpenSSL APIs to continue working.

* Extensive corrections, improvements, and additions to the
API documentation, including new public APIs from OpenSSL that had
no pre-existing documentation.

* Added support for automatic library initialization in libcrypto,
libssl, and libtls. Support for pthread_once or a compatible
equivalent is now required of the target operating system. As a
side-effect, minimum Windows support is Vista or higher.

* Converted more packet handling methods to CBB, which improves
resiliency when generating TLS messages.

* Completed TLS extension handling rewrite, improving consistency of
checks for malformed and duplicate extensions.

* Rewrote ASN1_TYPE_{get,set}_octetstring() using templated ASN.1.
This removes the last remaining use of the old M_ASN1_* macros
(asn1_mac.h) from API that needs to continue to exist.

* Added support for client-side session resumption in libtls.
A libtls client can specify a session file descriptor (a regular
file with appropriate ownership and permissions) and libtls will
manage reading and writing of session data across TLS handshakes.

* Improved support for strict alignment on ARMv7 architectures,
conditionally enabling assembly in those cases.

* Fixed a memory leak in libtls when reusing a tls_config.

* Merged more DTLS support into the regular TLS code path, removing
duplicated code.

* Many improvements to Windows Cmake-based builds and tests,
especially when targeting Visual Studio.

Thanks for all of the testing, suggestions, and updates from the porting
community. We look forward to releasing a final stable version in a few
weeks.

The LibreSSL project continues improvement of the codebase to reflect modern,
safe programming practices. We welcome feedback and improvements from the
broader community. Thanks to all of the contributors who helped make this
release possible.

[USN-3595-2] Samba vulnerability

==========================================================================
Ubuntu Security Notice USN-3595-2
March 23, 2018

samba vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 ESM

Summary:

Samba could be made to crash if it received specially crafted
input.

Software Description:
- samba: SMB/CIFS file, print, and login server for Unix

Details:

USN-3595-1 fixed a vulnerability in Samba. This update provides
the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

 It was discovered that Samba incorrectly validated inputs to the RPC
 spoolss service. An authenticated attacker could use this issue to
 cause the service to crash, resulting in a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 ESM:
  samba                           2:3.6.25-0ubuntu0.12.04.15

In general, a standard system update will make all the necessary
changes.

References:
  https://usn.ubuntu.com/usn/usn-3595-2
  https://usn.ubuntu.com/usn/usn-3595-1
  CVE-2018-1050

Thursday, March 22, 2018

Fedora 28 Beta status is NO-GO

Release status of the Fedora 28 Beta is NO-GO.

Due to the missing RC for the F28 Beta release and the presence of blocker
bugs, the decision is "No Go". The Beta release slips for one week to
the "Target #1" date (April 3rd). We are not going to slip the Final GA
yet.

For more information please check the minutes from the F28 Beta
Go/No-Go meeting [1][2].

[1] https://meetbot.fedoraproject.org/fedora-meeting-1/2018-03-22/f28-beta-go-no-go-meeting.2018-03-22-17.00.html
[2] https://meetbot.fedoraproject.org/fedora-meeting-1/2018-03-22/f28-beta-go-no-go-meeting.2018-03-22-17.00.log.html

Regards,
Jan
--
Jan Kuřík
Platform & Fedora Program Manager
Red Hat Czech s.r.o., Purkynova 99/71, 612 45 Brno, Czech Republic

[USN-3605-1] Sharutils vulnerability

==========================================================================
Ubuntu Security Notice USN-3605-1
March 22, 2018

sharutils vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 17.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Sharutils could be made to execute arbitrary code if it opened a
specially crafted file.

Software Description:
- sharutils: shar, unshar, uuencode, uudecode

Details:

It was discovered that Sharutils incorrectly handled certain files. An
attacker could possibly use this to execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 17.10:
  sharutils                       1:4.15.2-2ubuntu0.1

Ubuntu 16.04 LTS:
  sharutils                       1:4.15.2-1ubuntu0.1

Ubuntu 14.04 LTS:
  sharutils                       1:4.14-1ubuntu1.1

In general, a standard system update will make all the necessary
changes.

References:
  https://usn.ubuntu.com/usn/usn-3605-1
  CVE-2018-1000097

Package Information:
  https://launchpad.net/ubuntu/+source/sharutils/1:4.15.2-2ubuntu0.1
  https://launchpad.net/ubuntu/+source/sharutils/1:4.15.2-1ubuntu0.1
  https://launchpad.net/ubuntu/+source/sharutils/1:4.14-1ubuntu1.1

[USN-3604-1] libvorbis vulnerability

==========================================================================
Ubuntu Security Notice USN-3604-1
March 22, 2018

libvorbis vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 17.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

libvorbis could be made to crash or run programs as your login if it
opened a specially crafted file.

Software Description:
- libvorbis: The Vorbis General Audio Compression Codec

Details:

Richard Zhu discovered that libvorbis incorrectly handled certain sound
files. An attacker could use this to cause libvorbis to crash, resulting in
a denial of service, or possibly execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 17.10:
libvorbis0a 1.3.5-4ubuntu0.2

Ubuntu 16.04 LTS:
libvorbis0a 1.3.5-3ubuntu0.2

Ubuntu 14.04 LTS:
libvorbis0a 1.3.2-1.3ubuntu1.2

After a standard system upgrade you need to restart any applications that
use libvorbis, such as Totem and gtkpod, to effect the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3604-1
CVE-2018-5146

Package Information:
https://launchpad.net/ubuntu/+source/libvorbis/1.3.5-4ubuntu0.2
https://launchpad.net/ubuntu/+source/libvorbis/1.3.5-3ubuntu0.2
https://launchpad.net/ubuntu/+source/libvorbis/1.3.2-1.3ubuntu1.2

LibreSSL 2.7.0 Released

We have released LibreSSL 2.7.0, which you can now download from the
LibreSSL directory of your local OpenBSD mirror. This is the first
release from the 2.7 series, which will be part of OpenBSD 6.3.

It includes the following changes:

* Added support for many OpenSSL 1.0.2 and 1.1 APIs, based on
observations of real-world usage in applications. These are
implemented in parallel with existing OpenSSL 1.0.1 APIs - visibility
changes have not been made to existing structs, allowing code written
for older OpenSSL APIs to continue working.

* Extensive corrections, improvements, and additions to the
API documentation, including new public APIs from OpenSSL that had
no pre-existing documentation.

* Added support for automatic library initialization in libcrypto,
libssl, and libtls. Support for pthread_once or a compatible
equivalent is now required of the target operating system. As a
side-effect, minimum Windows support is Vista or higher.

* Converted more packet handling methods to CBB, which improves
resiliency when generating TLS messages.

* Completed TLS extension handling rewrite, improving consistency of
checks for malformed and duplicate extensions.

* Rewrote ASN1_TYPE_{get,set}_octetstring() using templated ASN.1.
This removes the last remaining use of the old M_ASN1_* macros
(asn1_mac.h) from API that needs to continue to exist.

* Added support for client-side session resumption in libtls.
A libtls client can specify a session file descriptor (a regular
file with appropriate ownership and permissions) and libtls will
manage reading and writing of session data across TLS handshakes.

* Improved support for strict alignment on ARMv7 architectures,
conditionally enabling assembly in those cases.

* Fixed a memory leak in libtls when reusing a tls_config.

* Merged more DTLS support into the regular TLS code path, removing
duplicated code.

* Many improvements to Windows Cmake-based builds and tests,
especially when targeting Visual Studio.

The LibreSSL project continues improvement of the codebase to reflect
modern, safe programming practices. We welcome feedback and improvements
from the broader community. Thanks to all of the contributors who helped
make this release possible.

Tuesday, March 20, 2018

[USN-3603-2] Paramiko vulnerability

==========================================================================
Ubuntu Security Notice USN-3603-2
March 20, 2018

paramiko vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 ESM

Summary:

Paramiko could be made to run programs if it received specially
crafted network traffic.

Software Description:
- paramiko: Make ssh v2 connections with Python

Details:

USN-3603-1 fixed a vulnerability in Paramiko. This update provides
the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

Matthijs Kooijman discovered that Paramiko's SSH server implementation
did not properly require authentication before processing requests. An
unauthenticated remote attacker could possibly use this to execute
arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 ESM:
python-paramiko 1.7.7.1-2ubuntu1.1

After a standard system update you need to restart any applications
using Paramiko's server implementation to make all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3603-2
https://usn.ubuntu.com/usn/usn-3603-1
CVE-2018-7750

[USN-3603-1] Paramiko vulnerability

==========================================================================
Ubuntu Security Notice USN-3603-1
March 20, 2018

paramiko vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 17.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Paramiko could be made to run programs if it received specially
crafted network traffic.

Software Description:
- paramiko: Python SSH2 library

Details:

Matthijs Kooijman discovered that Paramiko's SSH server implementation
did not properly require authentication before processing requests. An
unauthenticated remote attacker could possibly use this to execute
arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 17.10:
python-paramiko 2.0.0-1ubuntu0.1
python3-paramiko 2.0.0-1ubuntu0.1

Ubuntu 16.04 LTS:
python-paramiko 1.16.0-1ubuntu0.1
python3-paramiko 1.16.0-1ubuntu0.1

Ubuntu 14.04 LTS:
python-paramiko 1.10.1-1git1ubuntu0.1

After a standard system update you need to restart any applications
using Paramiko's server implementation to make all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3603-1
CVE-2018-7750

Package Information:
https://launchpad.net/ubuntu/+source/paramiko/2.0.0-1ubuntu0.1
https://launchpad.net/ubuntu/+source/paramiko/1.16.0-1ubuntu0.1
https://launchpad.net/ubuntu/+source/paramiko/1.10.1-1git1ubuntu0.1

[USN-3602-1] LibTIFF vulnerabilities

==========================================================================
Ubuntu Security Notice USN-3602-1
March 20, 2018

tiff vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

LibTIFF could be made to crash or run programs as your login if it opened a
specially crafted file.

Software Description:
- tiff: Tag Image File Format (TIFF) library

Details:

It was discovered that LibTIFF incorrectly handled certain malformed
images. If a user or automated system were tricked into opening a specially
crafted image, a remote attacker could crash the application, leading to a
denial of service, or possibly execute arbitrary code with user privileges.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS:
libtiff-tools 4.0.6-1ubuntu0.3
libtiff5 4.0.6-1ubuntu0.3

Ubuntu 14.04 LTS:
libtiff-tools 4.0.3-7ubuntu0.8
libtiff5 4.0.3-7ubuntu0.8

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3602-1
CVE-2016-10266, CVE-2016-10267, CVE-2016-10268, CVE-2016-10269,
CVE-2016-10371, CVE-2017-10688, CVE-2017-11335, CVE-2017-12944,
CVE-2017-13726, CVE-2017-13727, CVE-2017-18013, CVE-2017-7592,
CVE-2017-7593, CVE-2017-7594, CVE-2017-7595, CVE-2017-7596,
CVE-2017-7597, CVE-2017-7598, CVE-2017-7599, CVE-2017-7600,
CVE-2017-7601, CVE-2017-7602, CVE-2017-9403, CVE-2017-9404,
CVE-2017-9815, CVE-2017-9936, CVE-2018-5784

Package Information:
https://launchpad.net/ubuntu/+source/tiff/4.0.6-1ubuntu0.3
https://launchpad.net/ubuntu/+source/tiff/4.0.3-7ubuntu0.8

[CentOS-announce] CESA-2018:0549 Critical CentOS 7 firefox Security Update

CentOS Errata and Security Advisory 2018:0549 Critical

Upstream details at : https://access.redhat.com/errata/RHSA-2018:0549

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

x86_64:
90c6836eb7f11692f50299231d26262822f79d4da6e1e1cb36e6dcc68c1dd870 firefox-52.7.2-1.el7.centos.i686.rpm
5b8934a852316df6ce2fe5488c2a4ea8d78d1d2724a50be7f73f2874494918d2 firefox-52.7.2-1.el7.centos.x86_64.rpm

Source:
1a16107c6ed3d75c81ac01897c88f3c82a10faa894a74b3830ee5359ea7d86e5 firefox-52.7.2-1.el7.centos.src.rpm



--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS

_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
https://lists.centos.org/mailman/listinfo/centos-announce

[CentOS-announce] CESA-2018:0549 Critical CentOS 6 firefox Security Update

CentOS Errata and Security Advisory 2018:0549 Critical

Upstream details at : https://access.redhat.com/errata/RHSA-2018:0549

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

i386:
0c39e8f9ce8178d7884b572f6b09979193aa48b7911fb9761e436c3852de738c firefox-52.7.2-1.el6.centos.i686.rpm

x86_64:
0c39e8f9ce8178d7884b572f6b09979193aa48b7911fb9761e436c3852de738c firefox-52.7.2-1.el6.centos.i686.rpm
d08188d33bb737bf691617c9de7894b19e3550325c10aa4196710c1b32650711 firefox-52.7.2-1.el6.centos.x86_64.rpm

Source:
622a18de6cf2ea184ce40fa9505b3312bb407fa35ad329cf1fa3dae25c861156 firefox-52.7.2-1.el6.centos.src.rpm



--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS


F29 System Wide Change: Python 3.7

= Proposed System Wide Change: Python 3.7 =
https://fedoraproject.org/wiki/Changes/Python3.7


Owner(s):
* Charalampos Stratakis <cstratak at fedoraproject dot org>
* Miro Hrončok <churchyard at fedoraproject dot org>
* Tomáš Orsava <torsava at fedoraproject dot org>
* Petr Viktorin <pviktori at fedoraproject dot org>


Update the Python 3 stack in Fedora from Python 3.6 to Python 3.7.



== Detailed description ==
Python 3.7 adds numerous features and optimizations. See the upstream
notes at https://www.python.org/dev/peps/pep-0537/#features-for-3-7
and https://docs.python.org/3.7/whatsnew/3.7.html .

=== Important dates ===
* 2018-05-21 Python 3.7.0 candidate 1
* 2018-06-04 Python 3.7.0 candidate 2 (if necessary)
* 2018-06-15 Python 3.7.0 final
* 2018-07-11 Fedora 29 Mass Rebuild
* 2018-08-14 Fedora 29 Change Checkpoint: Completion deadline (testable)
(From https://www.python.org/dev/peps/pep-0537/#schedule and
https://fedoraproject.org/wiki/Releases/29/Schedule .)

=== PEP 552 – Deterministic pycs ===
One change is notable from the packaging viewpoint:
https://www.python.org/dev/peps/pep-0552/ – "Deterministic pycs". We
may decide to use the new UNCHECKED_HASH mode, which would mean that
bytecode cache is not validated on import, i.e. changing a
RPM-installed *.py file manually will have no effect (unless the
corresponding __pycache__/*.pyc is updated or removed).


== Scope ==
We will coordinate the work in a side tag and merge when ready.

* Proposal owners:
*# Retire python37 from F29+
*# Update python3 to what was in python37
*#* Mass rebuild all the packages that BR python3/python3-devel...
(~2300 listed in [http://fedora.portingdb.xyz/ Python 3 Porting
Database for Fedora])
*# Reintroduce python36 from Fedora 25. Update it to have all fixes
and enhancements from python3 in Fedora 28 (or 29 before this change)

* Other developers:
Maintainers of packages that fail to rebuild during the mass rebuild
will be asked, using bugzilla, to fix or remove their packages from
the distribution. If any issues appear, they should be solvable either
by communicating with upstreams first and/or applying downstream
patches. Also the package maintainers should have a look at:
https://docs.python.org/3.7/whatsnew/3.7.html#porting-to-python-3-7 .
And python-maint team will be available to help with fixing issues.

* Fedora QA:
Based on some troubles with the
https://fedoraproject.org/wiki/Changes/Python3.6 , we'd like to have
an ack from QA before we merge the side tag.

* Release engineering:
https://pagure.io/releng/issue/7390
A targeted rebuild for all python packages will be required, before
the mass rebuild.

** List of deliverables:
nope

* Policies and guidelines:
nope

* Trademark approval:
nope
--
Jan Kuřík
Platform & Fedora Program Manager
Red Hat Czech s.r.o., Purkynova 99/71, 612 45 Brno, Czech Republic
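The UNCHECKED_HASH behaviour described in the PEP 552 paragraph of the Python 3.7 change above, as an added example that is not part of the change proposal or of Fedora's packaging tooling: it compiles a constructed module (name pep552_demo, contents constructed) in each of the three pyc invalidation modes, edits the source afterwards, and reports which mode the import machinery catches and what the pyc header records.

```python
"""Added example (not part of the Fedora change proposal): how PEP 552's
three pyc invalidation modes react when a *.py file is edited after the
bytecode cache was written. Module name and contents are constructed."""
import importlib.util
import py_compile
import struct
import tempfile
from pathlib import Path

# Human-readable names for the py_compile enum introduced in Python 3.7.
MODES = {
    "timestamp": py_compile.PycInvalidationMode.TIMESTAMP,
    "checked-hash": py_compile.PycInvalidationMode.CHECKED_HASH,
    "unchecked-hash": py_compile.PycInvalidationMode.UNCHECKED_HASH,
}


def parse_pyc_header(pyc_path):
    """Decode the 16-byte PEP 552 header of a .pyc file.

    Layout: 4-byte magic, 4-byte little-endian flags word, then 8 bytes that
    are either (mtime, size) of the source for timestamp pycs or a SipHash of
    the source for hash-based pycs. Flag bit 0 = hash-based, bit 1 = check
    the source hash on import.
    """
    with open(pyc_path, "rb") as fh:
        header = fh.read(16)
    flags = struct.unpack("<I", header[4:8])[0]
    info = {"hash_based": bool(flags & 0b01), "check_source": bool(flags & 0b10)}
    if info["hash_based"]:
        info["source_hash"] = header[8:16].hex()
    else:
        info["mtime"], info["size"] = struct.unpack("<II", header[8:16])
    return info


def value_after_source_edit(mode_name):
    """Compile a module in the given mode, edit its source, import it.

    Returns (VALUE seen by the import, parsed pyc header). A stale cache that
    is still trusted yields 'original'; a cache that is invalidated and
    recompiled from source yields 'edited'.
    """
    mode = MODES[mode_name]
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "pep552_demo.py"  # constructed module
        src.write_text("VALUE = 'original'\n")
        pyc = importlib.util.cache_from_source(str(src))
        py_compile.compile(str(src), cfile=pyc, invalidation_mode=mode, doraise=True)
        header = parse_pyc_header(pyc)

        # Simulate "changing an RPM-installed *.py file manually" after the
        # package's __pycache__/*.pyc was written at build time.
        src.write_text("VALUE = 'edited'\n")

        # SourceFileLoader consults __pycache__ exactly as a normal import does.
        spec = importlib.util.spec_from_file_location("pep552_demo", str(src))
        module = importlib.util.module_from_spec(spec)
        spec.loader.exec_module(module)
        return module.VALUE, header


if __name__ == "__main__":
    for name in MODES:
        value, header = value_after_source_edit(name)
        print(f"{name:15s} import sees VALUE={value!r:11s} header={header}")
```

Under `python --check-hash-based-pycs always` the unchecked-hash case is validated too, which is the switch to use when checking that an installed tree's sources and bytecode still agree.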

Fedora 28 Beta Go/No-Go Meeting on Thursday, March 22 @ 17:00 UTC

Join us on irc.freenode.net in #fedora-meeting-1 for this important
meeting, wherein we shall determine the readiness of the Fedora 28
Beta.

The meeting is going to be held on Thursday, March 22, 2018 at 17:00
UTC. Please check the [1] link for your time zone.

Before each public release Development, QA and Release Engineering
meet to determine if the release criteria are met for a particular
release. This meeting is called the Go/No-Go Meeting. Verifying that
the Release criteria are met is the responsibility of the QA Team.

Release Candidate (RC) availability and good QA coverage are
prerequisites for the Go/No-Go meeting. If you have any bugs on the
list, please help us with the Beta release. If we are not ready by
Thursday, we will use this meeting to review blockers and decide what
to do.

In the meantime, please also keep an eye on the Fedora 28 Beta Blocker list [2].

For more details about this meeting please follow the [3] link.

[1] https://apps.fedoraproject.org/calendar/meeting/8824/
[2] http://qa.fedoraproject.org/blockerbugs/milestone/28/beta/buglist
[3] https://fedoraproject.org/wiki/Go_No_Go_Meeting

Thank you in advance for your support.
Regards, Jan
--
Jan Kuřík
Platform & Fedora Program Manager
Red Hat Czech s.r.o., Purkynova 99/71, 612 45 Brno, Czech Republic

Fedora 28 Beta Release Readiness Meeting on Thursday, March 22 @ 19:00 UTC

Join us on irc.freenode.net in #fedora-meeting-1 for the Fedora 28
Beta Release Readiness Meeting.

The meeting is going to be held on Thursday, March 22, 2017 at 19:00
UTC. Please check the [1] link for your time zone.

We will meet to make sure we are coordinated and ready for the Beta
release of Fedora 28. Please note that this meeting is going to be
held even if the release is delayed at the Go/No-Go meeting on the
same day two hours earlier.

You may have received this message several times, but that is on purpose, to
open this meeting to the teams and to raise awareness, so hopefully
more team representatives will come to this meeting. This meeting
works best when we have representatives from all of the teams.

For more information please check the [2] link.


[1] https://apps.fedoraproject.org/calendar/meeting/8823/
[2] https://fedoraproject.org/wiki/Release_Readiness_Meetings

Thank you for your support,
Regards, Jan
--
Jan Kuřík
Platform & Fedora Program Manager
Red Hat Czech s.r.o., Purkynova 99/71, 612 45 Brno, Czech Republic

Monday, March 19, 2018

[USN-3601-1] Memcached vulnerability

==========================================================================
Ubuntu Security Notice USN-3601-1
March 19, 2018

memcached vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 17.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Memcached could be made to crash if it received specially crafted network
traffic.

Software Description:
- memcached: high-performance memory object caching system

Details:

It was discovered that Memcached incorrectly handled reusing certain items.
A remote attacker could possibly use this issue to cause Memcached to
crash, resulting in a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 17.10:
memcached 1.4.33-1ubuntu3.3

Ubuntu 16.04 LTS:
memcached 1.4.25-2ubuntu1.4

Ubuntu 14.04 LTS:
memcached 1.4.14-0ubuntu9.3

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3601-1
CVE-2018-1000127

Package Information:
https://launchpad.net/ubuntu/+source/memcached/1.4.33-1ubuntu3.3
https://launchpad.net/ubuntu/+source/memcached/1.4.25-2ubuntu1.4
https://launchpad.net/ubuntu/+source/memcached/1.4.14-0ubuntu9.3

[CentOS-announce] Announcing the release for Gluster 4.0 on CentOS Linux 6 x86_64

I am happy to announce the General Availability of Gluster 4.0 for
CentOS 6 on x86_64. These packages are following the upstream Gluster
Community releases, and will receive monthly bugfix updates.

Gluster 4.0 is a Short-Term-Maintenance release, and will only receive
updates until the next version (4.1) becomes available. The difference
between Long-Term-Maintenance and Short-Term-Maintenance releases is
explained on the Gluster release schedule page:
https://www.gluster.org/community/release-schedule/

With this release, there is no glusterfs-server available for CentOS 6
anymore. The server component is now only available for CentOS 7. Users
with storage servers on CentOS 6 can stay on Gluster 3.12 for a while
longer, see the release schedule linked above for the date that Gluster
3.12 becomes End-Of-Life. It is recommended to plan an upgrade of the
storage servers to CentOS 7 and newer Gluster versions in the next few
months.

Users of CentOS 6 can now simply install Gluster 4.0 with only these two
commands:

# yum install centos-release-gluster40
# yum install glusterfs-client

The centos-release-gluster40 package is delivered via the CentOS Extras
repos. This contains all the metadata and dependency information needed
to install Gluster 4.0.

Note that the standard centos-release-gluster (virtual) package is
still available and points to the 3.12 version. This is intentional
because 3.12 is a Long-Term-Maintenance version and does not require
users to update the major version every couple of months. Some
deployments may need to install the centos-release-gluster package as
well as centos-release-gluster40 to fulfill dependencies for other
projects.

We have a quickstart guide built specifically around the packages that
are available; it makes for a good introduction to Gluster and will help
get you started in just a few simple steps. This quick start is available at
https://wiki.centos.org/SpecialInterestGroup/Storage/gluster-Quickstart

More details about the packages that the Gluster project provides in the
Storage SIG are available in the documentation:
https://wiki.centos.org/SpecialInterestGroup/Storage/Gluster

The centos-release-gluster* repositories offer additional packages that
enhance the usability of Gluster itself. Utilities and tools that were
working with previous versions of Gluster are expected to stay working
fine. If there are any problems, or requests for additional tools and
applications to be provided, just send us an email with your
suggestions. The current list of packages that is (planned to become)
available can be found here:
https://wiki.centos.org/SpecialInterestGroup/Storage/Gluster/Ecosystem-pkgs

We welcome all feedback, comments and contributions. You can get in
touch with the CentOS Storage SIG on the centos-devel mailing list
( https://lists.centos.org ) and with the Gluster developer and user
communities at https://www.gluster.org/mailman/listinfo , we are also
available on irc at #gluster on irc.freenode.net, and on twitter at
@gluster .

Cheers,
Niels de Vos
Storage SIG member & Gluster maintainer

[CentOS-announce] Announcing the release for Gluster 4.0 on CentOS Linux 7 x86_64

I am happy to announce the General Availability of Gluster 4.0 for
CentOS 7 on x86_64. These packages are following the upstream Gluster
Community releases, and will receive monthly bugfix updates.

Gluster 4.0 is a Short-Term-Maintenance release, and will only receive
updates until the next version (4.1) becomes available. The difference
between Long-Term-Maintenance and Short-Term-Maintenance releases is
explained on the Gluster release schedule page:
https://www.gluster.org/community/release-schedule/

Users of CentOS 7 can now simply install Gluster 4.0 with only these two
commands:

# yum install centos-release-gluster40
# yum install glusterfs-server

The centos-release-gluster40 package is delivered via the CentOS Extras
repos. This contains all the metadata and dependency information needed
to install Gluster 4.0.

Note that the standard centos-release-gluster (virtual) package is
still available and points to the 3.12 version. This is intentional
because 3.12 is a Long-Term-Maintenance version and does not require
users to update the major version every couple of months. Some
deployments may need to install the centos-release-gluster package as
well as centos-release-gluster40 to fulfill dependencies for other
projects (possibly for oVirt, there may be others).

We have a quickstart guide built specifically around the packages that
are available; it makes for a good introduction to Gluster and will help
get you started in just a few simple steps. This quick start is available at
https://wiki.centos.org/SpecialInterestGroup/Storage/gluster-Quickstart

More details about the packages that the Gluster project provides in the
Storage SIG are available in the documentation:
https://wiki.centos.org/SpecialInterestGroup/Storage/Gluster

The centos-release-gluster* repositories offer additional packages that
enhance the usability of Gluster itself. Utilities and tools that were
working with previous versions of Gluster are expected to stay working
fine. If there are any problems, or requests for additional tools and
applications to be provided, just send us an email with your
suggestions. The current list of packages that is (planned to become)
available can be found here:
https://wiki.centos.org/SpecialInterestGroup/Storage/Gluster/Ecosystem-pkgs

We welcome all feedback, comments and contributions. You can get in
touch with the CentOS Storage SIG on the centos-devel mailing list
( https://lists.centos.org ) and with the Gluster developer and user
communities at https://www.gluster.org/mailman/listinfo , we are also
available on irc at #gluster on irc.freenode.net, and on twitter at
@gluster .

Cheers,
Niels de Vos
Storage SIG member & Gluster maintainer

OpenBSD Errata: March 20th, 2018 (ipsec)

Errata patches for IPsec have been released for OpenBSD 6.2 and 6.1.

The IPsec AH header could be longer than the network packet, resulting in
a kernel crash.

Binary updates for the amd64, i386, and arm64 platforms are available via
the syspatch utility. Source code patches can be found on the respective
errata pages:

https://www.openbsd.org/errata61.html
https://www.openbsd.org/errata62.html

As these affect the kernel, a reboot will be needed after patching.

[USN-3600-1] PHP vulnerabilities

==========================================================================
Ubuntu Security Notice USN-3600-1
March 19, 2018

php5, php7.0, php7.1 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 17.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in PHP.

Software Description:
- php7.1: HTML-embedded scripting language interpreter
- php7.0: HTML-embedded scripting language interpreter
- php5: HTML-embedded scripting language interpreter

Details:

It was discovered that PHP incorrectly handled certain stream metadata. A
remote attacker could possibly use this issue to set arbitrary metadata.
This issue only affected Ubuntu 14.04 LTS. (CVE-2016-10712)

It was discovered that PHP incorrectly handled the PHAR 404 error page. A
remote attacker could possibly use this issue to conduct cross-site
scripting (XSS) attacks. This issue only affected Ubuntu 16.04 LTS and
Ubuntu 17.10. (CVE-2018-5712)

It was discovered that PHP incorrectly handled parsing certain HTTP
responses. A remote attacker could use this issue to cause PHP to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2018-7584)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 17.10:
libapache2-mod-php7.1 7.1.15-0ubuntu0.17.10.1
php7.1-cgi 7.1.15-0ubuntu0.17.10.1
php7.1-cli 7.1.15-0ubuntu0.17.10.1
php7.1-fpm 7.1.15-0ubuntu0.17.10.1

Ubuntu 16.04 LTS:
libapache2-mod-php7.0 7.0.28-0ubuntu0.16.04.1
php7.0-cgi 7.0.28-0ubuntu0.16.04.1
php7.0-cli 7.0.28-0ubuntu0.16.04.1
php7.0-fpm 7.0.28-0ubuntu0.16.04.1

Ubuntu 14.04 LTS:
libapache2-mod-php5 5.5.9+dfsg-1ubuntu4.24
php5-cgi 5.5.9+dfsg-1ubuntu4.24
php5-cli 5.5.9+dfsg-1ubuntu4.24
php5-fpm 5.5.9+dfsg-1ubuntu4.24

In Ubuntu 16.04 LTS and Ubuntu 17.10, this update uses a new upstream
release, which includes additional bug fixes.

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3600-1
CVE-2016-10712, CVE-2018-5712, CVE-2018-7584

Package Information:
https://launchpad.net/ubuntu/+source/php7.1/7.1.15-0ubuntu0.17.10.1
https://launchpad.net/ubuntu/+source/php7.0/7.0.28-0ubuntu0.16.04.1
https://launchpad.net/ubuntu/+source/php5/5.5.9+dfsg-1ubuntu4.24

Friday, March 16, 2018

[USN-3599-1] Firefox vulnerability

-----BEGIN PGP SIGNATURE-----

iQEcBAEBCAAGBQJarD5kAAoJEGEfvezVlG4P92EH/AuLF3U9Uxszi9Tg2UbRnrzW
GRUZmlbK95bSQG05xmki0ZaFb532+EbC+pEeJKhvuBS/DPfIpvKt9vJQ0UjDPxLh
epr9wOQmQsLBlFfIZhFlCz93FeVPLIVAfPxTKi+C8RQQrZttXzLg9eb8lES4LoH0
7RXUjZ0SrnodpbUlP4Hv/xvdFEOH2L6/YT5NiF1i0GkT1N0kXxqJ/siX/gbGXX99
o9Uj3JHJBfewTSZjSXJi8E2uLIXsvTLG6ETQ8Nzj+avNwDdM0gr+gQCbEbj6wLHu
zhdC8ZRkp1r/7wameBhOtC0Wu1vHn0thlqJMvgKdPRFCBy+gTR8VJmfX6lukXRI=
=DpfN
-----END PGP SIGNATURE-----
==========================================================================
Ubuntu Security Notice USN-3599-1
March 16, 2018

firefox vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 17.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Firefox could be made to crash or run programs as your login if it
opened a malicious website.

Software Description:
- firefox: Mozilla Open Source web browser

Details:

An out-of-bounds write was discovered when processing Vorbis audio data.
If a user were tricked into opening a specially crafted website, an
attacker could exploit this to cause a denial of service, or execute
arbitrary code. (CVE-2018-5146)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 17.10:
firefox 59.0.1+build1-0ubuntu0.17.10.1

Ubuntu 16.04 LTS:
firefox 59.0.1+build1-0ubuntu0.16.04.1

Ubuntu 14.04 LTS:
firefox 59.0.1+build1-0ubuntu0.14.04.1

After a standard system update you need to restart Firefox to make
all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3599-1
CVE-2018-5146

Package Information:
https://launchpad.net/ubuntu/+source/firefox/59.0.1+build1-0ubuntu0.17.10.1
https://launchpad.net/ubuntu/+source/firefox/59.0.1+build1-0ubuntu0.16.04.1
https://launchpad.net/ubuntu/+source/firefox/59.0.1+build1-0ubuntu0.14.04.1

Changes in Fedora Release Engineering

Hi all,

Today I am writing to announce some changes in Fedora Release
Engineering. Effective Friday the 23rd of March 2018 Mohan Boddu will
be taking over as the primary person responsible for Release
Engineering in Fedora. Mohan has effectively been the primary person
since Fedora 26 as he has been doing most of the work. I will be
taking on a new role within Red Hat, and will no longer be in the
internal Release Engineering team.

Going forward Mohan will be supported by Suzanne Yeghiayan as project
manager for release engineering. All requests for work should go through
pagure[1] or taiga[2] to be groomed, prioritised and scoped.


I have posted a blog post[3] with some of my thoughts in reflection
looking back at the last 8 or so years.

Thank you all for your support over the years and your continued support
of Mohan and the rest of the Release Engineers in Fedora.


Dennis

[1] https://pagure.io/releng
[2] https://taiga.fedorainfracloud.org/project/acarter-fedora-docker-atomic-tooling/

[3] https://ausil.us/wordpress/?p=143

Thursday, March 15, 2018

[CentOS-announce] CESA-2018:0527 Critical CentOS 7 firefox Security Update

CentOS Errata and Security Advisory 2018:0527 Critical

Upstream details at : https://access.redhat.com/errata/RHSA-2018:0527

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

x86_64:
3d4f163b3fe61aa41272b201f56732c9352c1e12d13e85dc15f466363d0ba59b firefox-52.7.0-1.el7.centos.i686.rpm
9546d6326537d96a09245d90386164fd8786578b2c5de142e3f877c532e85612 firefox-52.7.0-1.el7.centos.x86_64.rpm

Source:
0852393b938ea86a3af795b46909d5fc13cf9da3f9f9b6ff85c8b2c2ee2f3e17 firefox-52.7.0-1.el7.centos.src.rpm



--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS

_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
https://lists.centos.org/mailman/listinfo/centos-announce

[CentOS-announce] CESA-2018:0526 Critical CentOS 6 firefox Security Update

CentOS Errata and Security Advisory 2018:0526 Critical

Upstream details at : https://access.redhat.com/errata/RHSA-2018:0526

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

i386:
29059b6e8c894eef2944154ad9c3e5e98178bd2903a918ab1ab3b35098e1faf3 firefox-52.7.0-1.el6.centos.i686.rpm

x86_64:
29059b6e8c894eef2944154ad9c3e5e98178bd2903a918ab1ab3b35098e1faf3 firefox-52.7.0-1.el6.centos.i686.rpm
5ab36e9cf3534cc1af6c6ee3d6e302907235e8f8dd2b00f8003ea2e3ef98d272 firefox-52.7.0-1.el6.centos.x86_64.rpm

Source:
ae98346dd0287b8d7fe36edd4692a1980f4fcf1d53e7633307e33e67adfe9a71 firefox-52.7.0-1.el6.centos.src.rpm



--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS

_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
https://lists.centos.org/mailman/listinfo/centos-announce
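The two CentOS advisories above publish a sha256 for every RPM they push to the mirrors. The script below is an added example, not CentOS project code: parse_cesa_hashes() reads the "( sha256sum Filename )" lines of an advisory mail and verify_dir() hashes the downloaded files and classifies each as ok, mismatch or missing. demo() builds a constructed scenario so it runs offline: the i686 entry is a stand-in file whose hash is computed on the fly (it is listed twice, under i386 and x86_64, exactly as in CESA-2018:0526), the x86_64 entry carries the real hash from that advisory but a stub file, so it must mismatch, and the src.rpm is listed but never downloaded.

```python
"""Check RPMs fetched from a mirror against the sha256 list in a CESA mail.

Added example, not CentOS project code. The advisory text in demo() is
constructed in the format of the CentOS-announce mails; the two 64-hex
digests named REAL_* are copied from CESA-2018:0526, the file contents
are stand-ins, not real RPMs.
"""
import hashlib
import os
import re
import tempfile

HASH_LINE = re.compile(r"^([0-9a-f]{64})\s+(\S+\.rpm)$")


def parse_cesa_hashes(text):
    """Map filename -> expected sha256 from '( sha256sum Filename )' lines.

    The same i686 package is listed under both the i386 and x86_64
    headings; a repeat with the same digest is fine, a repeat with a
    different digest is an error rather than a silent overwrite."""
    expected = {}
    for line in text.splitlines():
        m = HASH_LINE.match(line.strip())
        if not m:
            continue
        digest, name = m.groups()
        if expected.get(name, digest) != digest:
            raise ValueError(f"conflicting hashes for {name}")
        expected[name] = digest
    return expected


def sha256_file(path):
    """Stream the file so a multi-hundred-MB RPM is not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_dir(expected, directory):
    """Return {filename: 'ok' | 'mismatch' | 'missing'} for every listed file."""
    results = {}
    for name, want in expected.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        else:
            results[name] = "ok" if sha256_file(path) == want else "mismatch"
    return results


# Digests as printed in CESA-2018:0526 above; the files written below are
# stand-ins, so the x86_64 entry cannot match and the src entry is absent.
REAL_X86_64 = "5ab36e9cf3534cc1af6c6ee3d6e302907235e8f8dd2b00f8003ea2e3ef98d272"
REAL_SRC = "ae98346dd0287b8d7fe36edd4692a1980f4fcf1d53e7633307e33e67adfe9a71"


def demo():
    """Constructed scenario; returns the verification map."""
    intact = b"stand-in bytes for the i686 package\n"  # not a real RPM
    advisory = f"""\
i386:
{hashlib.sha256(intact).hexdigest()} firefox-52.7.0-1.el6.centos.i686.rpm

x86_64:
{hashlib.sha256(intact).hexdigest()} firefox-52.7.0-1.el6.centos.i686.rpm
{REAL_X86_64} firefox-52.7.0-1.el6.centos.x86_64.rpm

Source:
{REAL_SRC} firefox-52.7.0-1.el6.centos.src.rpm
"""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "firefox-52.7.0-1.el6.centos.i686.rpm"), "wb") as f:
            f.write(intact)
        with open(os.path.join(d, "firefox-52.7.0-1.el6.centos.x86_64.rpm"), "wb") as f:
            f.write(b"truncated or tampered download\n")
        return verify_dir(parse_cesa_hashes(advisory), d)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:9} {name}")
```

A matching digest shows the file is the one the mail describes, nothing more: the mail is the trust anchor, and a mailing-list post can be spoofed. The authenticity check on an RPM is its package signature (`rpm -K file.rpm` against the imported CentOS signing key), which yum performs itself when gpgcheck is enabled; the sha256 list is useful for spotting a stale or truncated mirror copy before that step.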

[USN-3598-1] curl vulnerabilities

==========================================================================
Ubuntu Security Notice USN-3598-1
March 15, 2018

curl vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 17.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in curl.

Software Description:
- curl: HTTP, HTTPS, and FTP client and client libraries

Details:

Phan Thanh discovered that curl incorrectly handled certain FTP paths. An
attacker could use this to cause a denial of service or possibly execute
arbitrary code. (CVE-2018-1000120)

Dario Weisser discovered that curl incorrectly handled certain LDAP URLs.
An attacker could possibly use this issue to cause a denial of service.
(CVE-2018-1000121)

Max Dymond discovered that curl incorrectly handled certain RTSP data. An
attacker could possibly use this to cause a denial of service or even to
get access to sensitive data. (CVE-2018-1000122)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 17.10:
curl 7.55.1-1ubuntu2.4
libcurl3 7.55.1-1ubuntu2.4
libcurl3-gnutls 7.55.1-1ubuntu2.4
libcurl3-nss 7.55.1-1ubuntu2.4

Ubuntu 16.04 LTS:
curl 7.47.0-1ubuntu2.7
libcurl3 7.47.0-1ubuntu2.7
libcurl3-gnutls 7.47.0-1ubuntu2.7
libcurl3-nss 7.47.0-1ubuntu2.7

Ubuntu 14.04 LTS:
curl 7.35.0-1ubuntu2.15
libcurl3 7.35.0-1ubuntu2.15
libcurl3-gnutls 7.35.0-1ubuntu2.15
libcurl3-nss 7.35.0-1ubuntu2.15

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3598-1
CVE-2018-1000120, CVE-2018-1000121, CVE-2018-1000122

Package Information:
https://launchpad.net/ubuntu/+source/curl/7.55.1-1ubuntu2.4
https://launchpad.net/ubuntu/+source/curl/7.47.0-1ubuntu2.7
https://launchpad.net/ubuntu/+source/curl/7.35.0-1ubuntu2.15
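Each of the three Ubuntu notices above (USN-3600-1 for PHP, USN-3599-1 for Firefox, USN-3598-1 for curl) names the exact package version that carries the fix, and "is the host patched" comes down to comparing what dpkg has installed against that list. The script below is an added example, not Ubuntu's tooling. compare_versions() implements the Debian version ordering dpkg uses (epoch first, then upstream, then revision; "~" sorts before anything, digit runs compare numerically so 1ubuntu4.24 is newer than 1ubuntu4.9, which a plain string comparison gets wrong). USN_EXCERPT is a trimmed copy of the Update instructions block of USN-3598-1; INSTALLED is a constructed stand-in for the output of `dpkg-query -W -f='${binary:Package} ${Version}\n'`.

```python
"""Compare installed Ubuntu package versions with the fixed versions a USN lists.

Added example, not Ubuntu's tooling. compare_versions() follows the
ordering in dpkg's verrevcmp(); the USN text and the dpkg-query listing
below are embedded so the script runs offline.
"""
import re


def _weight(c):
    """dpkg's per-character weight inside a non-digit run:
    '~' < end-of-run (0) < letters < everything else."""
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256


def _cmp_fragment(a, b):
    """Order one upstream or revision string: alternate a weighted lexical
    compare of non-digit runs with a numeric compare of digit runs."""
    while a or b:
        na = re.match(r"[^0-9]*", a).group(0)
        nb = re.match(r"[^0-9]*", b).group(0)
        a, b = a[len(na):], b[len(nb):]
        for i in range(max(len(na), len(nb))):
            wa = _weight(na[i]) if i < len(na) else 0
            wb = _weight(nb[i]) if i < len(nb) else 0
            if wa != wb:
                return -1 if wa < wb else 1
        da = re.match(r"[0-9]*", a).group(0)
        db = re.match(r"[0-9]*", b).group(0)
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0


def _split(v):
    """'[epoch:]upstream[-revision]' -> (epoch, upstream, revision)."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, _, revision = v.rpartition("-") if "-" in v else (v, "", "")
    return epoch, upstream, revision


def compare_versions(a, b):
    """-1, 0 or 1 as version a is older than, equal to, or newer than b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def parse_usn_fixed_versions(text):
    """{'Ubuntu 16.04 LTS': {package: fixed version}, ...} from USN text."""
    fixed, release, active = {}, None, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Update instructions:"):
            active = True
            continue
        if not active:
            continue
        if line.startswith(("In general", "After a standard", "References:")):
            break
        head = re.fullmatch(r"(Ubuntu \d+\.\d+(?: LTS)?):", line)
        entry = re.fullmatch(r"(\S+) (\d\S*)", line)
        if head:
            release = head.group(1)
            fixed[release] = {}
        elif release and entry:
            fixed[release][entry.group(1)] = entry.group(2)
    return fixed


def parse_dpkg_query(output):
    """'name version' lines; the :arch suffix of multi-arch names is dropped."""
    installed = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 2:
            installed[parts[0].split(":")[0]] = parts[1]
    return installed


def find_unpatched(fixed_for_release, installed):
    """(package, installed, fixed) for installed packages older than the fix.
    Packages the USN lists but the host does not have are not reported."""
    return sorted(
        (pkg, installed[pkg], want)
        for pkg, want in fixed_for_release.items()
        if pkg in installed and compare_versions(installed[pkg], want) < 0
    )


USN_EXCERPT = """\
Update instructions:

Ubuntu 16.04 LTS:
curl 7.47.0-1ubuntu2.7
libcurl3 7.47.0-1ubuntu2.7
libcurl3-gnutls 7.47.0-1ubuntu2.7
libcurl3-nss 7.47.0-1ubuntu2.7

Ubuntu 14.04 LTS:
curl 7.35.0-1ubuntu2.15
libcurl3 7.35.0-1ubuntu2.15

In general, a standard system update will make all the necessary changes.
"""

# Constructed dpkg-query output: two stale packages, one current, and one
# local rebuild carrying an epoch. dpkg ranks any epoch above none, so the
# last one is not flagged although its upstream version is stale: audit
# such pins by hand.
INSTALLED = """\
curl 7.47.0-1ubuntu2.5
libcurl3:amd64 7.47.0-1ubuntu2.7
libcurl3-gnutls:amd64 7.47.0-1ubuntu2.5
libcurl3-nss:amd64 1:7.47.0-1ubuntu2.5
"""

if __name__ == "__main__":
    fixed = parse_usn_fixed_versions(USN_EXCERPT)
    for pkg, have, want in find_unpatched(fixed["Ubuntu 16.04 LTS"],
                                          parse_dpkg_query(INSTALLED)):
        print(f"{pkg}: installed {have}, fixed in {want}")
```

On a real host, feed parse_dpkg_query() the output of the dpkg-query command in the lead-in and parse_usn_fixed_versions() the notice text. A version that compares as fixed only says the files on disk are new; as the Firefox notice itself points out, a long-running process (php-fpm, Apache with mod_php, a browser) keeps the old code mapped until it is restarted, so a restart check belongs next to this one.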