Monday, April 30, 2018
[USN-3637-1] WavPack vulnerabilities
Ubuntu Security Notice USN-3637-1
April 30, 2018
wavpack vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.04 LTS
- Ubuntu 17.10
Summary:
Several security issues were fixed in WavPack.
Software Description:
- wavpack: audio codec (lossy and lossless) - encoder and decoder
Details:
Thuan Pham, Marcel Böhme, Andrew Santosa and Alexandru Razvan
Caciulescu discovered that WavPack incorrectly handled certain .wav
files. An attacker could possibly use this to execute arbitrary code or
cause a denial of service. (CVE-2018-10536, CVE-2018-10537)
Thuan Pham, Marcel Böhme, Andrew Santosa and Alexandru Razvan
Caciulescu discovered that WavPack incorrectly handled certain .wav
files. An attacker could possibly use this to cause a denial of
service. (CVE-2018-10538, CVE-2018-10539, CVE-2018-10540)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 18.04 LTS:
wavpack 5.1.0-2ubuntu1.1
Ubuntu 17.10:
wavpack 5.1.0-2ubuntu0.3
In general, a standard system update will make all the necessary
changes.
References:
https://usn.ubuntu.com/usn/usn-3637-1
CVE-2018-10536, CVE-2018-10537, CVE-2018-10538, CVE-2018-10539,
CVE-2018-10540
Package Information:
https://launchpad.net/ubuntu/+source/wavpack/5.1.0-2ubuntu1.1
https://launchpad.net/ubuntu/+source/wavpack/5.1.0-2ubuntu0.3
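Every notice on this page ends with the same "Update instructions" block: a release name followed by "package fixed-version" lines. The check a practitioner wants is whether the installed version is already at or above the fixed one, and that comparison has to follow dpkg's ordering rules (a "~" sorts before the empty string, so 9.22~dfsg+1 is older than 9.22; digit runs compare numerically, so 1.1 is newer than 1). The script below is an added example and is not part of USN-3637-1 or of Ubuntu's own tooling: it parses a USN update block, reimplements dpkg's version comparison, and reports listed packages that are installed but still older than the fixed version. The advisory excerpt is the WavPack block reproduced above; the installed-package listing is constructed for the example.

```python
"""Check the package versions an Ubuntu Security Notice lists as fixed against
what is installed, using dpkg's version-ordering rules.

Added example: not part of USN-3637-1 or of Ubuntu's own tooling. The advisory
excerpt is the "Update instructions" block of the notice; the installed-package
listing is constructed for the example.
"""
import re

# The "Update instructions" block of USN-3637-1, as printed in the advisory.
USN_3637_1 = """\
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 18.04 LTS:
wavpack 5.1.0-2ubuntu1.1
Ubuntu 17.10:
wavpack 5.1.0-2ubuntu0.3
In general, a standard system update will make all the necessary
changes.
"""

# Constructed sample of `dpkg-query -W -f '${Package} ${Version}\n'` on an
# 18.04 host that has not yet taken the update.
INSTALLED_BIONIC = {
    "wavpack": "5.1.0-2ubuntu1",
    "libwavpack1": "5.1.0-2ubuntu1",
}

RELEASE_LINE = re.compile(r"^(Ubuntu \d+\.\d+(?: LTS| ESM)?):$")
PACKAGE_LINE = re.compile(r"^(\S+) (\d\S*)$")   # "name version"; versions start with a digit

def parse_fixed_versions(advisory_text):
    """Return {release: {package: fixed_version}} from a USN update block."""
    fixed, release = {}, None
    for raw in advisory_text.splitlines():
        line = raw.strip()
        m = RELEASE_LINE.match(line)
        if m:
            release = m.group(1)
            fixed.setdefault(release, {})
            continue
        m = PACKAGE_LINE.match(line)
        if m and release:
            fixed[release][m.group(1)] = m.group(2)
    return fixed

def _order(c):
    """dpkg's ordering of one character inside a non-digit run: end-of-string
    and digits count as 0, '~' sorts before everything, letters before symbols."""
    if c is None or c.isdigit():
        return 0
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    """Compare an upstream_version or debian_revision the way dpkg does:
    alternate non-digit runs (character order above) and digit runs (numeric)."""
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        while (ia < len(a) and not a[ia].isdigit()) or (ib < len(b) and not b[ib].isdigit()):
            oa = _order(a[ia] if ia < len(a) else None)
            ob = _order(b[ib] if ib < len(b) else None)
            if oa != ob:
                return -1 if oa < ob else 1
            ia, ib = ia + 1, ib + 1          # only reached when both are equal non-digits
        na = nb = 0
        while ia < len(a) and a[ia].isdigit():
            na, ia = na * 10 + int(a[ia]), ia + 1
        while ib < len(b) and b[ib].isdigit():
            nb, ib = nb * 10 + int(b[ib]), ib + 1
        if na != nb:
            return -1 if na < nb else 1
    return 0

def _split(version):
    """'[epoch:]upstream[-revision]' -> (epoch, upstream, revision)."""
    epoch, rest = 0, version
    if ":" in rest:
        e, rest = rest.split(":", 1)
        epoch = int(e)
    if "-" in rest:
        upstream, revision = rest.rsplit("-", 1)
    else:
        upstream, revision = rest, ""
    return epoch, upstream, revision

def compare_versions(v1, v2):
    """-1, 0 or 1, matching `dpkg --compare-versions v1 lt|eq|gt v2`."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def vulnerable_packages(advisory_text, release, installed):
    """[(package, installed, fixed)] for names the USN prints that are installed
    but older than the fixed version. Binaries the notice does not name (here
    libwavpack1, built from the same source) need a separate source-version check."""
    fixed = parse_fixed_versions(advisory_text).get(release, {})
    return [(pkg, installed[pkg], ver) for pkg, ver in fixed.items()
            if pkg in installed and compare_versions(installed[pkg], ver) < 0]

if __name__ == "__main__":
    for pkg, have, need in vulnerable_packages(USN_3637_1, "Ubuntu 18.04 LTS", INSTALLED_BIONIC):
        print(f"{pkg}: installed {have}, fixed in {need}")
```

On a live host, feed `dpkg-query -W -f '${Package} ${Version}\n'` into the `installed` dictionary and paste the notice's update block in as `advisory_text`; the same parser handles the kernel notices further down the page, whose "linux-image-4.4.0-121-generic 4.4.0-121.145" lines fit the same shape.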
[USN-3636-1] Ghostscript vulnerabilities
Ubuntu Security Notice USN-3636-1
April 30, 2018
ghostscript vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.04 LTS
- Ubuntu 17.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in Ghostscript.
Software Description:
- ghostscript: PostScript and PDF interpreter
Details:
It was discovered that Ghostscript incorrectly handled certain
PostScript files. An attacker could possibly use this to cause a denial
of service. (CVE-2016-10317)
It was discovered that Ghostscript incorrectly handled certain PDF
files. An attacker could possibly use this to cause a denial of
service. (CVE-2018-10194)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 18.04 LTS:
ghostscript 9.22~dfsg+1-0ubuntu1.1
libgs9 9.22~dfsg+1-0ubuntu1.1
Ubuntu 17.10:
ghostscript 9.21~dfsg+1-0ubuntu3.1
libgs9 9.21~dfsg+1-0ubuntu3.1
Ubuntu 16.04 LTS:
ghostscript 9.18~dfsg~0-0ubuntu2.8
libgs9 9.18~dfsg~0-0ubuntu2.8
Ubuntu 14.04 LTS:
ghostscript 9.10~dfsg-0ubuntu10.12
libgs9 9.10~dfsg-0ubuntu10.12
In general, a standard system update will make all the necessary
changes.
References:
https://usn.ubuntu.com/usn/usn-3636-1
CVE-2016-10317, CVE-2018-10194
Package Information:
https://launchpad.net/ubuntu/+source/ghostscript/9.22~dfsg+1-0ubuntu1.1
https://launchpad.net/ubuntu/+source/ghostscript/9.21~dfsg+1-0ubuntu3.1
https://launchpad.net/ubuntu/+source/ghostscript/9.18~dfsg~0-0ubuntu2.8
https://launchpad.net/ubuntu/+source/ghostscript/9.10~dfsg-0ubuntu10.12
[USN-3627-2] Apache HTTP Server vulnerabilities
==========================================================================
Ubuntu Security Notice USN-3627-2
April 30, 2018
apache2 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.04 LTS
Summary:
Several security issues were fixed in the Apache HTTP Server.
Software Description:
- apache2: Apache HTTP server
Details:
USN-3627-1 fixed vulnerabilities in Apache HTTP Server. This update
provides the corresponding updates for Ubuntu 18.04 LTS.
Original advisory details:
Alex Nichols and Jakob Hirsch discovered that the Apache HTTP Server
mod_authnz_ldap module incorrectly handled missing charset encoding
headers. A remote attacker could possibly use this issue to cause the
server to crash, resulting in a denial of service. (CVE-2017-15710)
Elar Lang discovered that the Apache HTTP Server incorrectly handled
certain characters specified in <FilesMatch>. A remote attacker could
possibly use this issue to upload certain files, contrary to expectations.
(CVE-2017-15715)
It was discovered that the Apache HTTP Server mod_session module
incorrectly handled certain headers. A remote attacker could possibly use
this issue to influence session data. (CVE-2018-1283)
Robert Swiecki discovered that the Apache HTTP Server incorrectly handled
certain requests. A remote attacker could possibly use this issue to cause
the server to crash, leading to a denial of service. (CVE-2018-1301)
Robert Swiecki discovered that the Apache HTTP Server mod_cache_socache
module incorrectly handled certain headers. A remote attacker could
possibly use this issue to cause the server to crash, leading to a denial
of service. (CVE-2018-1303)
Nicolas Daniels discovered that the Apache HTTP Server incorrectly
generated the nonce when creating HTTP Digest authentication challenges.
A remote attacker could possibly use this issue to replay HTTP requests
across a cluster of servers. (CVE-2018-1312)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 18.04 LTS:
apache2-bin 2.4.29-1ubuntu4.1
In general, a standard system update will make all the necessary changes.
References:
https://usn.ubuntu.com/usn/usn-3627-2
https://usn.ubuntu.com/usn/usn-3627-1
CVE-2017-15710, CVE-2017-15715, CVE-2018-1283, CVE-2018-1301,
CVE-2018-1303, CVE-2018-1312
Package Information:
https://launchpad.net/ubuntu/+source/apache2/2.4.29-1ubuntu4.1
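The CVE-2017-15715 paragraph above says only that <FilesMatch> "incorrectly handled certain characters" and that uploads could slip through "contrary to expectations". The public CVE description is more specific: in httpd 2.4.0 through 2.4.29 the `$` in a <FilesMatch> expression could match before a newline at the end of a malicious filename rather than only at the true end, which matters where an upload filter blocks files by their trailing characters. Python's re module gives `$` the same meaning as PCRE's default, so the added example below reproduces the mismatch between such a suffix filter and a `$`-anchored handler rule, and shows an upload check that does not have the gap. This is example code, not from the advisory or the httpd project; the filenames and the extension allow-list are constructed.

```python
"""Trailing-newline filenames versus a `$`-anchored <FilesMatch> pattern.

Added example, not from USN-3627 or the httpd project. It reproduces, in
Python's re module (same `$` semantics as PCRE's default), the mismatch the
public CVE-2017-15715 description gives: `$` matching before a trailing "\n".
Filenames and the allow-list are constructed.
"""
import os
import re

# The handler rule an admin writes: <FilesMatch "\.php$"> SetHandler ... </FilesMatch>
HANDLER_RE_DOLLAR = re.compile(r"\.php$")   # `$` also matches just before a final "\n"
HANDLER_RE_END = re.compile(r"\.php\Z")     # `\Z` is the true end of the string only

def php_handler_applies(pattern, filename):
    """Would a server using `pattern` hand this filename to the PHP handler?"""
    return pattern.search(filename) is not None

def suffix_blocklist_allows(filename):
    """The kind of external upload filter the CVE text describes: it blocks
    only names whose literal trailing characters are '.php'."""
    return not filename.endswith(".php")

UPLOAD_ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif", ".pdf"}   # constructed allow-list

def hardened_upload_allows(filename):
    """Reject control characters (including "\n") and path separators first,
    then decide by an allow-list of extensions on the whole name rather than
    by a suffix blocklist."""
    if not filename or any(ord(c) < 0x20 or ord(c) == 0x7F for c in filename):
        return False
    if "/" in filename or "\\" in filename or filename in (".", ".."):
        return False
    stem, ext = os.path.splitext(filename)
    return bool(stem) and ext.lower() in UPLOAD_ALLOWED_EXT

def slips_through(filename):
    """True when the suffix blocklist admits the name but the `$`-anchored
    handler rule would still treat it as PHP: the gap the advisory describes."""
    return suffix_blocklist_allows(filename) and php_handler_applies(HANDLER_RE_DOLLAR, filename)

if __name__ == "__main__":
    for name in ("shell.php", "shell.php\n", "photo.png"):
        print(repr(name),
              "dollar:", php_handler_applies(HANDLER_RE_DOLLAR, name),
              "end:", php_handler_applies(HANDLER_RE_END, name),
              "slips through:", slips_through(name),
              "hardened allows:", hardened_upload_allows(name))
```

The point for anyone auditing an httpd configuration: a `$`-anchored pattern in <FilesMatch> or <LocationMatch> is only as strict as the regex engine makes it, so do not rely on it as the sole gate between an upload directory and a script handler; reject control characters in upload names and use an allow-list of extensions in the application as well.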
[USN-3629-3] MySQL vulnerabilities
==========================================================================
Ubuntu Security Notice USN-3629-3
April 30, 2018
mysql-5.7 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.04 LTS
Summary:
Several security issues were fixed in MySQL.
Software Description:
- mysql-5.7: MySQL database
Details:
USN-3629-1 fixed vulnerabilities in MySQL. This update provides the
corresponding updates for Ubuntu 18.04 LTS.
Original advisory details:
Multiple security issues were discovered in MySQL and this update includes
new upstream MySQL versions to fix these issues.
MySQL has been updated to 5.5.60 in Ubuntu 14.04 LTS. Ubuntu 16.04 LTS and
Ubuntu 17.10 have been updated to MySQL 5.7.22.
In addition to security fixes, the updated packages contain bug fixes, new
features, and possibly incompatible changes.
Please see the following for more information:
http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-60.html
http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-22.html
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 18.04 LTS:
mysql-server-5.7 5.7.22-0ubuntu18.04.1
In general, a standard system update will make all the necessary changes.
References:
https://usn.ubuntu.com/usn/usn-3629-3
https://usn.ubuntu.com/usn/usn-3629-1
CVE-2018-2755, CVE-2018-2758, CVE-2018-2759, CVE-2018-2761,
CVE-2018-2762, CVE-2018-2766, CVE-2018-2769, CVE-2018-2771,
CVE-2018-2773, CVE-2018-2775, CVE-2018-2776, CVE-2018-2777,
CVE-2018-2778, CVE-2018-2779, CVE-2018-2780, CVE-2018-2781,
CVE-2018-2782, CVE-2018-2784, CVE-2018-2786, CVE-2018-2787,
CVE-2018-2810, CVE-2018-2812, CVE-2018-2813, CVE-2018-2816,
CVE-2018-2817, CVE-2018-2818, CVE-2018-2819, CVE-2018-2839,
CVE-2018-2846
Package Information:
https://launchpad.net/ubuntu/+source/mysql-5.7/5.7.22-0ubuntu18.04.1
[USN-3635-1] WebKitGTK+ vulnerabilities
==========================================================================
Ubuntu Security Notice USN-3635-1
April 30, 2018
webkit2gtk vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 17.10
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in WebKitGTK+.
Software Description:
- webkit2gtk: Web content engine library for GTK+
Details:
A large number of security issues were discovered in the WebKitGTK+ Web and
JavaScript engines. If a user were tricked into viewing a malicious
website, a remote attacker could exploit a variety of issues related to web
browser security, including cross-site scripting attacks, denial of service
attacks, and arbitrary code execution.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 17.10:
libjavascriptcoregtk-4.0-18 2.20.1-0ubuntu0.17.10.1
libwebkit2gtk-4.0-37 2.20.1-0ubuntu0.17.10.1
Ubuntu 16.04 LTS:
libjavascriptcoregtk-4.0-18 2.20.1-0ubuntu0.16.04.1
libwebkit2gtk-4.0-37 2.20.1-0ubuntu0.16.04.1
This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any applications
that use WebKitGTK+, such as Epiphany, to make all the necessary changes.
References:
https://usn.ubuntu.com/usn/usn-3635-1
CVE-2018-4101, CVE-2018-4113, CVE-2018-4114, CVE-2018-4117,
CVE-2018-4118, CVE-2018-4119, CVE-2018-4120, CVE-2018-4122,
CVE-2018-4125, CVE-2018-4127, CVE-2018-4128, CVE-2018-4129,
CVE-2018-4133, CVE-2018-4146, CVE-2018-4161, CVE-2018-4162,
CVE-2018-4163, CVE-2018-4165
Package Information:
https://launchpad.net/ubuntu/+source/webkit2gtk/2.20.1-0ubuntu0.17.10.1
https://launchpad.net/ubuntu/+source/webkit2gtk/2.20.1-0ubuntu0.16.04.1
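The notice above is explicit that installing the new libwebkit2gtk and libjavascriptcoregtk packages is not enough: a browser or other GTK application started before the upgrade keeps the old, vulnerable library mapped until it is restarted. The kernel makes this visible: once dpkg has replaced the file, /proc/<pid>/maps still lists the old inode's path with a "(deleted)" suffix. The added example below, which is not part of the advisory or of Ubuntu's tooling, parses that format and reports processes still running the pre-update WebKitGTK+ libraries. The two maps excerpts are constructed; on a real host call scan_proc(), as root if you need to see other users' processes.

```python
"""Find running processes that still map an old, now-deleted copy of a shared
library after a package upgrade (here: WebKitGTK+ after USN-3635-1).

Added example, not part of the advisory or of Ubuntu's tooling. The maps
excerpts are constructed; on a live system call scan_proc().
"""
import os
import re

# Library sonames from the packages named in USN-3635-1. Other libraries can be
# checked the same way by passing a different tuple.
WEBKIT_LIBS = ("libwebkit2gtk-4.0.so", "libjavascriptcoregtk-4.0.so")

# Constructed /proc/<pid>/maps excerpt for a browser started before the upgrade.
# dpkg unlinks the old file and writes a new one, so the mapping that is still
# in use points at a path the kernel now reports as "(deleted)".
MAPS_EPIPHANY = """\
55d1c2a00000-55d1c2a10000 r--p 00000000 fd:01 1311 /usr/bin/epiphany
7f3a10000000-7f3a12b00000 r-xp 00000000 fd:01 9142 /usr/lib/x86_64-linux-gnu/libwebkit2gtk-4.0.so.37.28.7 (deleted)
7f3a13000000-7f3a13900000 r-xp 00000000 fd:01 9150 /usr/lib/x86_64-linux-gnu/libjavascriptcoregtk-4.0.so.18.10.7 (deleted)
7f3a14000000-7f3a141b0000 r-xp 00000000 fd:01 2201 /lib/x86_64-linux-gnu/libc-2.27.so
7f3a15000000-7f3a15021000 rw-p 00000000 00:00 0
7ffd1a000000-7ffd1a021000 rw-p 00000000 00:00 0 [stack]
"""

# Constructed excerpt for a process started after the upgrade: same library,
# new inode, no "(deleted)" marker.
MAPS_FRESH = """\
7f1b00000000-7f1b02b00000 r-xp 00000000 fd:01 9301 /usr/lib/x86_64-linux-gnu/libwebkit2gtk-4.0.so.37.29.0
7f1b03000000-7f1b031b0000 r-xp 00000000 fd:01 2201 /lib/x86_64-linux-gnu/libc-2.27.so
"""

# address perms offset dev inode pathname[ (deleted)]; anonymous mappings and
# pseudo-paths such as [stack] have no leading "/" and do not match.
MAPS_LINE = re.compile(r"^\S+ \S+ \S+ \S+ \d+\s+(?P<path>/\S.*?)(?P<deleted> \(deleted\))?$")

def stale_libraries(maps_text, names=WEBKIT_LIBS):
    """Sorted list of mapped-but-deleted file paths whose basename contains one
    of `names`, from the text of one /proc/<pid>/maps file."""
    found = set()
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m or not m.group("deleted"):
            continue
        if any(n in os.path.basename(m.group("path")) for n in names):
            found.add(m.group("path"))
    return sorted(found)

def scan_proc(proc_root="/proc", names=WEBKIT_LIBS):
    """{pid: [stale paths]} over every readable /proc/<pid>/maps. Processes that
    exit mid-scan or whose maps we may not read are skipped, not reported."""
    result = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps")) as fh:
                stale = stale_libraries(fh.read(), names)
        except OSError:
            continue
        if stale:
            result[int(entry)] = stale
    return result

if __name__ == "__main__":
    for pid, libs in sorted(scan_proc().items()):
        print(pid, *libs)
```

A process that shows up here has the old code in memory regardless of what `dpkg -l` says, so the fix is to restart it (or, for a display session, log out and back in). Running the scan without root only covers your own processes; system services running as other users need the same check from a root shell.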
[opensuse-announce] Re: [opensuse-project] Elections Results
>
> I'd like to congratulate Ana for joining the board.
Thanks! :) Although I think you are missing some congratulations, as I
am not the only one joining the board. ;)
> Although I'm not a voting member, as a long time user and supporter of (open)SuSE, and in the interests of diversity, could I ask for a breakdown of the voting membership and board by gender and racial origin. If the results are as I suspect, what are the board's plans for addressing this?
>
> And don't start with the nonsense about "unbiassed" and "meritocracy."
In openSUSE we welcome EVERYBODY independently of their gender and
racial origin. As some people have raised, there are no data on
voters, but even if there were, we are already encouraging everybody
who wants to join to do it and I hope we keep doing so.
I really hope that people voted for me because they share my ideas and
concept of what openSUSE is and the things that need to be improved,
and not because I am a woman. I think this is exactly what equality
means and one of the reasons that makes openSUSE so awesome. :)
Regards,
Ana
--
Ana María Martínez Gómez
http://anamaria.martinezgomez.name
--
To unsubscribe, e-mail: opensuse-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-announce+help@opensuse.org
Thursday, April 26, 2018
Ubuntu 18.04 LTS (Bionic Beaver) released
release, Ubuntu 18.04 LTS for Desktop, Server, Cloud, and Core.
Codenamed "Bionic Beaver", 18.04 LTS continues Ubuntu's proud tradition
of integrating the latest and greatest open source technologies into a
high-quality, easy-to-use Linux distribution. The team has been hard at
work through this cycle, introducing new features and fixing bugs.
The Ubuntu kernel has been updated to the 4.15 based Linux kernel,
with additional support for Linux security module stacking, signing
of POWER host and NV kernels, and improved support for IBM and Intel
hardware enablement from Linux 4.16.
Ubuntu Desktop 18.04 LTS brings a fresh look with the GNOME desktop
environment. GNOME Shell on Ubuntu is designed to be easy to use for
people upgrading from 16.04 LTS and presents a familiar user interface.
New features for users upgrading from 16.04 LTS include assistance with
logging in to public Wifi hotspots and the Night Light feature to
reduce eye strain in the evenings.
18.04 LTS also brings the new minimal installation option which provides
a full desktop with only the essential packages installed, and a tool to
easily enable Canonical LivePatch to apply critical kernel security fixes
without rebooting.
Ubuntu Server 18.04 LTS includes the Queens release of OpenStack
including the clustering enabled LXD 3.0, new network configuration via
netplan.io, and a next-generation fast server installer. Ubuntu Server
brings major updates to industry standard packages available on private
clouds, public clouds, containers or bare metal in your datacentre.
The newest Ubuntu Budgie, Kubuntu, Lubuntu, Ubuntu Kylin, Ubuntu MATE,
Ubuntu Studio, and Xubuntu are also being released today.
More details can be found for these at their individual release notes:
https://wiki.ubuntu.com/BionicBeaver/ReleaseNotes#Official_flavors
Maintenance updates will be provided for 5 years for Ubuntu Desktop,
Ubuntu Server, Ubuntu Cloud, and Ubuntu Core. Ubuntu Studio will be
supported for 9 months. All the remaining flavours will be supported
for 3 years.
To get Ubuntu 18.04 LTS
-----------------------
In order to download Ubuntu 18.04 LTS, visit:
http://www.ubuntu.com/download
Users of Ubuntu 17.10 will be offered an automatic upgrade to 18.04 LTS
via Update Manager shortly. Users of 16.04 LTS will be offered the
automatic upgrade when 18.04.1 LTS is released, which is scheduled for
July 26th. For further information about upgrading, see:
http://www.ubuntu.com/download/desktop/upgrade
As always, upgrades to the latest version of Ubuntu are entirely free
of charge.
We recommend that all users read the release notes, which document
caveats, workarounds for known issues, as well as more in-depth notes
on the release itself. They are available at:
http://wiki.ubuntu.com/BionicBeaver/ReleaseNotes
Find out what's new in this release with a graphical overview:
http://www.ubuntu.com/desktop
http://www.ubuntu.com/desktop/features
If you have a question, or if you think you may have found a bug
but aren't sure, you can try asking in any of the following places:
#ubuntu on irc.freenode.net
http://lists.ubuntu.com/mailman/listinfo/ubuntu-users
http://www.ubuntuforums.org
http://askubuntu.com
Help Shape Ubuntu
-----------------
If you would like to help shape Ubuntu, take a look at the list
of ways you can participate at:
http://community.ubuntu.com/contribute
About Ubuntu
------------
Ubuntu is a full-featured Linux distribution for desktops, laptops,
netbooks and servers, with a fast and easy installation and regular
releases. A tightly-integrated selection of excellent applications
is included, and an incredible variety of add-on software is just a
few clicks away.
Professional services including support are available from Canonical
and hundreds of other companies around the world. For more information
about support, visit:
More Information
----------------
You can learn more about Ubuntu and about this release on our
website listed below:
To sign up for future Ubuntu announcements, please subscribe to
Ubuntu's very low volume announcement list at:
http://lists.ubuntu.com/mailman/listinfo/ubuntu-announce
On behalf of the Ubuntu Release Team,
... Adam Conrad
--
ubuntu-announce mailing list
ubuntu-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-announce
Fedora 28 Final status is GO
to be shipped on 2018-May-01 as Fedora 28 Final release.
For more information please check the meeting minutes [2] from the
Go/No-Go meeting.
[1] http://dl.fedoraproject.org/pub/alt/stage/28_RC-1.1/
[2] https://meetbot.fedoraproject.org/fedora-meeting-1/2018-04-26/f28-final-go-no-go-meeting.2018-04-26-17.02.html
Regards,
Jan
--
Jan Kuřík
JBoss EAP Program Manager
Red Hat Czech s.r.o., Purkynova 99/71, 612 45 Brno, Czech Republic
_______________________________________________
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org
libicu upgrade to 61.1 with soname bump in rawhide/F29
I'm upgrading libicu to 61.1 for rawhide, which as usual comes with
a soname bump. I requested a side target f29-icu for the builds, I'll
ask Pete Walter (who already did it for 60.1) to help with rebuilding
the dependent packages, or another proven packager if he's not
available.
Eike
--
LibreOffice Calc developer. Number formatter stricken i18n transpositionizer.
GPG key 0x6A6CD5B765632D3A - 2265 D7F3 A7B0 95CC 3918 630B 6A6C D5B7 6563 2D3A
Care about Free Software, support the FSFE https://fsfe.org/support/?erack
Wednesday, April 25, 2018
[USN-3629-2] MySQL vulnerabilities
Ubuntu Security Notice USN-3629-2
April 25, 2018
mysql-5.5 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 ESM
Summary:
Several security issues were fixed in MySQL.
Software Description:
- mysql-5.5: MySQL database
Details:
USN-3629-1 fixed vulnerabilities in MySQL. This update provides
the corresponding updates for Ubuntu 12.04 ESM.
Original advisory details:
Multiple security issues were discovered in MySQL and this update
includes new upstream MySQL versions to fix these issues.
MySQL has been updated to 5.5.60 in Ubuntu 12.04 ESM.
In addition to security fixes, the updated packages contain bug fixes,
new features, and possibly incompatible changes.
Please see the following for more information:
http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-60.html
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 ESM:
mysql-server-5.5 5.5.60-0ubuntu0.12.04.1
In general, a standard system update will make all the necessary
changes.
References:
https://usn.ubuntu.com/usn/usn-3629-2
https://usn.ubuntu.com/usn/usn-3629-1
CVE-2018-2755, CVE-2018-2761, CVE-2018-2771, CVE-2018-2773,
CVE-2018-2781, CVE-2018-2813, CVE-2018-2817, CVE-2018-2818,
CVE-2018-2819
Tuesday, April 24, 2018
[USN-3634-1] PackageKit vulnerability
==========================================================================
Ubuntu Security Notice USN-3634-1
April 24, 2018
packagekit vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 17.10
Summary:
PackageKit could be made to install or run programs as an administrator.
Software Description:
- packagekit: Provides a package management service
Details:
Matthias Gerstner discovered that PackageKit incorrectly handled
authentication. A local attacker could possibly use this issue to install
arbitrary packages and escalate privileges.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 17.10:
packagekit 1.1.7-1ubuntu0.1
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
https://usn.ubuntu.com/usn/usn-3634-1
CVE-2018-1106
Package Information:
https://launchpad.net/ubuntu/+source/packagekit/1.1.7-1ubuntu0.1
[USN-3632-1] Linux kernel (Azure) vulnerabilities
Ubuntu Security Notice USN-3632-1
April 24, 2018
linux-azure vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux-azure: Linux kernel for Microsoft Azure Cloud systems
Details:
It was discovered that a race condition leading to a use-after-free
vulnerability existed in the ALSA PCM subsystem of the Linux kernel. A
local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2017-0861)
It was discovered that the KVM implementation in the Linux kernel allowed
passthrough of the diagnostic I/O port 0x80. An attacker in a guest VM
could use this to cause a denial of service (system crash) in the host OS.
(CVE-2017-1000407)
It was discovered that a use-after-free vulnerability existed in the
network namespaces implementation in the Linux kernel. A local attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2017-15129)
It was discovered that the HugeTLB component of the Linux kernel did not
properly handle holes in hugetlb ranges. A local attacker could use this to
expose sensitive information (kernel memory). (CVE-2017-16994)
It was discovered that the netfilter component of the Linux kernel did not
properly restrict access to the connection tracking helpers list. A local
attacker could use this to bypass intended access restrictions.
(CVE-2017-17448)
It was discovered that the netfilter passive OS fingerprinting (xt_osf)
module did not properly perform access control checks. A local attacker
could improperly modify the system-wide OS fingerprint list.
(CVE-2017-17450)
Dmitry Vyukov discovered that the KVM implementation in the Linux kernel
contained an out-of-bounds read when handling memory-mapped I/O. A local
attacker could use this to expose sensitive information. (CVE-2017-17741)
It was discovered that the Salsa20 encryption algorithm implementations in
the Linux kernel did not properly handle zero-length inputs. A local
attacker could use this to cause a denial of service (system crash).
(CVE-2017-17805)
It was discovered that the HMAC implementation did not validate the state
of the underlying cryptographic hash algorithm. A local attacker could use
this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2017-17806)
It was discovered that the keyring implementation in the Linux kernel did
not properly check permissions when a key request was performed on a task's
default keyring. A local attacker could use this to add keys to
unauthorized keyrings. (CVE-2017-17807)
It was discovered that the Broadcom NetXtremeII ethernet driver in the
Linux kernel did not properly validate Generic Segment Offload (GSO) packet
sizes. An attacker could use this to cause a denial of service (interface
unavailability). (CVE-2018-1000026)
It was discovered that the Reliable Datagram Socket (RDS) implementation in
the Linux kernel contained an out-of-bounds write during RDMA page
allocation. An attacker could use this to cause a denial of service (system
crash) or possibly execute arbitrary code. (CVE-2018-5332)
Mohamed Ghannam discovered a null pointer dereference in the RDS (Reliable
Datagram Sockets) protocol implementation of the Linux kernel. A local
attacker could use this to cause a denial of service (system crash).
(CVE-2018-5333)
范龙飞 discovered that a race condition existed in loop block device
implementation in the Linux kernel. A local attacker could use this to
cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2018-5344)
It was discovered that the Broadcom UniMAC MDIO bus controller driver in
the Linux kernel did not properly validate device resources. A local
attacker could use this to cause a denial of service (system crash).
(CVE-2018-8043)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 LTS:
linux-image-4.13.0-1014-azure 4.13.0-1014.17
linux-image-azure 4.13.0.1014.16
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://usn.ubuntu.com/usn/usn-3632-1
CVE-2017-0861, CVE-2017-1000407, CVE-2017-15129, CVE-2017-16994,
CVE-2017-17448, CVE-2017-17450, CVE-2017-17741, CVE-2017-17805,
CVE-2017-17806, CVE-2017-17807, CVE-2018-1000026, CVE-2018-5332,
CVE-2018-5333, CVE-2018-5344, CVE-2018-8043
Package Information:
https://launchpad.net/ubuntu/+source/linux-azure/4.13.0-1014.17
[USN-3633-1] Linux kernel (Intel Euclid) vulnerability
Ubuntu Security Notice USN-3633-1
April 24, 2018
linux-euclid vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 LTS
Summary:
The system could be made to crash or run programs as an administrator.
Software Description:
- linux-euclid: Linux kernel for Intel Euclid systems
Details:
Jann Horn discovered that the Berkeley Packet Filter (BPF) implementation
in the Linux kernel improperly performed sign extension in some situations.
A local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2017-16995)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 LTS:
linux-image-4.4.0-9026-euclid 4.4.0-9026.28
linux-image-euclid 4.4.0.9026.27
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://usn.ubuntu.com/usn/usn-3633-1
CVE-2017-16995
Package Information:
https://launchpad.net/ubuntu/+source/linux-euclid/4.4.0-9026.28
[USN-3631-1] Linux kernel vulnerabilities
Ubuntu Security Notice USN-3631-1
April 24, 2018
linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux: Linux kernel
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems
- linux-kvm: Linux kernel for cloud environments
- linux-raspi2: Linux kernel for Raspberry Pi 2
- linux-snapdragon: Linux kernel for Snapdragon processors
Details:
It was discovered that a buffer overread vulnerability existed in the
keyring subsystem of the Linux kernel. A local attacker could possibly use
this to expose sensitive information (kernel memory). (CVE-2017-13305)
It was discovered that the DM04/QQBOX USB driver in the Linux kernel did
not properly handle device attachment and warm-start. A physically
proximate attacker could use this to cause a denial of service (system
crash) or possibly execute arbitrary code. (CVE-2017-16538)
Luo Quan and Wei Yang discovered that a race condition existed in the
Advanced Linux Sound Architecture (ALSA) subsystem of the Linux kernel when
handling ioctl()s. A local attacker could use this to cause a denial of
service (system deadlock). (CVE-2018-1000004)
Wang Qize discovered that an information disclosure vulnerability existed
in the SMBus driver for ACPI Embedded Controllers in the Linux kernel. A
local attacker could use this to expose sensitive information (kernel
pointer addresses). (CVE-2018-5750)
范龙飞 discovered that a race condition existed in the Advanced Linux
Sound Architecture (ALSA) subsystem of the Linux kernel that could lead to
a use-after-free or an out-of-bounds buffer access. A local attacker with
access to /dev/snd/seq could use this to cause a denial of service (system
crash) or possibly execute arbitrary code. (CVE-2018-7566)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 LTS:
linux-image-4.4.0-1021-kvm 4.4.0-1021.26
linux-image-4.4.0-1055-aws 4.4.0-1055.64
linux-image-4.4.0-1087-raspi2 4.4.0-1087.95
linux-image-4.4.0-1090-snapdragon 4.4.0-1090.95
linux-image-4.4.0-121-generic 4.4.0-121.145
linux-image-4.4.0-121-generic-lpae 4.4.0-121.145
linux-image-4.4.0-121-lowlatency 4.4.0-121.145
linux-image-4.4.0-121-powerpc-e500mc 4.4.0-121.145
linux-image-4.4.0-121-powerpc-smp 4.4.0-121.145
linux-image-4.4.0-121-powerpc64-emb 4.4.0-121.145
linux-image-4.4.0-121-powerpc64-smp 4.4.0-121.145
linux-image-aws 4.4.0.1055.57
linux-image-generic 4.4.0.121.127
linux-image-generic-lpae 4.4.0.121.127
linux-image-kvm 4.4.0.1021.20
linux-image-lowlatency 4.4.0.121.127
linux-image-powerpc-e500mc 4.4.0.121.127
linux-image-powerpc-smp 4.4.0.121.127
linux-image-powerpc64-emb 4.4.0.121.127
linux-image-powerpc64-smp 4.4.0.121.127
linux-image-raspi2 4.4.0.1087.87
linux-image-snapdragon 4.4.0.1090.82
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://usn.ubuntu.com/usn/usn-3631-1
CVE-2017-13305, CVE-2017-16538, CVE-2018-1000004, CVE-2018-5750,
CVE-2018-7566
Package Information:
https://launchpad.net/ubuntu/+source/linux/4.4.0-121.145
https://launchpad.net/ubuntu/+source/linux-aws/4.4.0-1055.64
https://launchpad.net/ubuntu/+source/linux-kvm/4.4.0-1021.26
https://launchpad.net/ubuntu/+source/linux-raspi2/4.4.0-1087.95
https://launchpad.net/ubuntu/+source/linux-snapdragon/4.4.0-1090.95
[USN-3631-2] Linux kernel (Xenial HWE) vulnerabilities
Ubuntu Security Notice USN-3631-2
April 24, 2018
linux-lts-xenial, linux-aws vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems
- linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty
Details:
USN-3631-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu
14.04 LTS.
It was discovered that a buffer overread vulnerability existed in the
keyring subsystem of the Linux kernel. A local attacker could possibly use
this to expose sensitive information (kernel memory). (CVE-2017-13305)
It was discovered that the DM04/QQBOX USB driver in the Linux kernel did
not properly handle device attachment and warm-start. A physically
proximate attacker could use this to cause a denial of service (system
crash) or possibly execute arbitrary code. (CVE-2017-16538)
Luo Quan and Wei Yang discovered that a race condition existed in the
Advanced Linux Sound Architecture (ALSA) subsystem of the Linux kernel when
handling ioctl()s. A local attacker could use this to cause a denial of
service (system deadlock). (CVE-2018-1000004)
Wang Qize discovered that an information disclosure vulnerability existed
in the SMBus driver for ACPI Embedded Controllers in the Linux kernel. A
local attacker could use this to expose sensitive information (kernel
pointer addresses). (CVE-2018-5750)
范龙飞 discovered that a race condition existed in the Advanced Linux
Sound Architecture (ALSA) subsystem of the Linux kernel that could lead to
a use-after-free or an out-of-bounds buffer access. A local attacker with
access to /dev/snd/seq could use this to cause a denial of service (system
crash) or possibly execute arbitrary code. (CVE-2018-7566)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS:
linux-image-4.4.0-1017-aws 4.4.0-1017.17
linux-image-4.4.0-121-generic 4.4.0-121.145~14.04.1
linux-image-4.4.0-121-generic-lpae 4.4.0-121.145~14.04.1
linux-image-4.4.0-121-lowlatency 4.4.0-121.145~14.04.1
linux-image-4.4.0-121-powerpc-e500mc 4.4.0-121.145~14.04.1
linux-image-4.4.0-121-powerpc-smp 4.4.0-121.145~14.04.1
linux-image-4.4.0-121-powerpc64-emb 4.4.0-121.145~14.04.1
linux-image-4.4.0-121-powerpc64-smp 4.4.0-121.145~14.04.1
linux-image-aws 4.4.0.1017.17
linux-image-generic-lpae-lts-xenial 4.4.0.121.102
linux-image-generic-lts-xenial 4.4.0.121.102
linux-image-lowlatency-lts-xenial 4.4.0.121.102
linux-image-powerpc-e500mc-lts-xenial 4.4.0.121.102
linux-image-powerpc-smp-lts-xenial 4.4.0.121.102
linux-image-powerpc64-emb-lts-xenial 4.4.0.121.102
linux-image-powerpc64-smp-lts-xenial 4.4.0.121.102
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://usn.ubuntu.com/usn/usn-3631-2
https://usn.ubuntu.com/usn/usn-3631-1
CVE-2017-13305, CVE-2017-16538, CVE-2018-1000004, CVE-2018-5750,
CVE-2018-7566
Package Information:
https://launchpad.net/ubuntu/+source/linux-aws/4.4.0-1017.17
https://launchpad.net/ubuntu/+source/linux-lts-xenial/4.4.0-121.145~14.04.1
[USN-3630-1] Linux kernel vulnerability
Ubuntu Security Notice USN-3630-1
April 23, 2018
linux, linux-raspi2 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 17.10
Summary:
The system could be made to crash under certain conditions.
Software Description:
- linux: Linux kernel
- linux-raspi2: Linux kernel for Raspberry Pi 2
Details:
It was discovered that the Broadcom UniMAC MDIO bus controller driver in
the Linux kernel did not properly validate device resources. A local
attacker could use this to cause a denial of service (system crash).
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 17.10:
linux-image-4.13.0-1017-raspi2 4.13.0-1017.18
linux-image-4.13.0-39-generic 4.13.0-39.44
linux-image-4.13.0-39-generic-lpae 4.13.0-39.44
linux-image-4.13.0-39-lowlatency 4.13.0-39.44
linux-image-generic 4.13.0.39.42
linux-image-generic-lpae 4.13.0.39.42
linux-image-lowlatency 4.13.0.39.42
linux-image-raspi2 4.13.0.1017.15
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://usn.ubuntu.com/usn/usn-3630-1
CVE-2018-8043
Package Information:
https://launchpad.net/ubuntu/+source/linux/4.13.0-39.44
https://launchpad.net/ubuntu/+source/linux-raspi2/4.13.0-1017.18
[USN-3630-2] Linux kernel (HWE) vulnerability
Ubuntu Security Notice USN-3630-2
April 24, 2018
linux-hwe, linux-gcp, linux-oem vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 LTS
Summary:
The system could be made to crash under certain conditions.
Software Description:
- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems
- linux-hwe: Linux hardware enablement (HWE) kernel
- linux-oem: Linux kernel for OEM processors
Details:
USN-3630-1 fixed a vulnerability in the Linux kernel for Ubuntu 17.10.
This update provides the corresponding updates for the Linux Hardware
Enablement (HWE) kernel from Ubuntu 17.10 for Ubuntu 16.04 LTS.
It was discovered that the Broadcom UniMAC MDIO bus controller driver in
the Linux kernel did not properly validate device resources. A local
attacker could use this to cause a denial of service (system crash).
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 LTS:
linux-image-4.13.0-1013-gcp 4.13.0-1013.17
linux-image-4.13.0-1024-oem 4.13.0-1024.27
linux-image-4.13.0-39-generic 4.13.0-39.44~16.04.1
linux-image-4.13.0-39-generic-lpae 4.13.0-39.44~16.04.1
linux-image-4.13.0-39-lowlatency 4.13.0-39.44~16.04.1
linux-image-gcp 4.13.0.1013.15
linux-image-generic-hwe-16.04 4.13.0.39.58
linux-image-generic-lpae-hwe-16.04 4.13.0.39.58
linux-image-gke 4.13.0.1013.15
linux-image-lowlatency-hwe-16.04 4.13.0.39.58
linux-image-oem 4.13.0.1024.28
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://usn.ubuntu.com/usn/usn-3630-2
https://usn.ubuntu.com/usn/usn-3630-1
CVE-2018-8043
Package Information:
https://launchpad.net/ubuntu/+source/linux-gcp/4.13.0-1013.17
https://launchpad.net/ubuntu/+source/linux-hwe/4.13.0-39.44~16.04.1
https://launchpad.net/ubuntu/+source/linux-oem/4.13.0-1024.27
Monday, April 23, 2018
[USN-3629-1] MySQL vulnerabilities
==========================================================================
Ubuntu Security Notice USN-3629-1
April 23, 2018
mysql-5.5, mysql-5.7 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 17.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in MySQL.
Software Description:
- mysql-5.7: MySQL database
- mysql-5.5: MySQL database
Details:
Multiple security issues were discovered in MySQL and this update includes
new upstream MySQL versions to fix these issues.
MySQL has been updated to 5.5.60 in Ubuntu 14.04 LTS. Ubuntu 16.04 LTS and
Ubuntu 17.10 have been updated to MySQL 5.7.22.
In addition to security fixes, the updated packages contain bug fixes, new
features, and possibly incompatible changes.
Please see the following for more information:
http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-60.html
http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-22.html
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 17.10:
mysql-server-5.7 5.7.22-0ubuntu0.17.10.1
Ubuntu 16.04 LTS:
mysql-server-5.7 5.7.22-0ubuntu0.16.04.1
Ubuntu 14.04 LTS:
mysql-server-5.5 5.5.60-0ubuntu0.14.04.1
In general, a standard system update will make all the necessary changes.
References:
https://usn.ubuntu.com/usn/usn-3629-1
CVE-2018-2755, CVE-2018-2758, CVE-2018-2759, CVE-2018-2761,
CVE-2018-2762, CVE-2018-2766, CVE-2018-2769, CVE-2018-2771,
CVE-2018-2773, CVE-2018-2775, CVE-2018-2776, CVE-2018-2777,
CVE-2018-2778, CVE-2018-2779, CVE-2018-2780, CVE-2018-2781,
CVE-2018-2782, CVE-2018-2784, CVE-2018-2786, CVE-2018-2787,
CVE-2018-2810, CVE-2018-2812, CVE-2018-2813, CVE-2018-2816,
CVE-2018-2817, CVE-2018-2818, CVE-2018-2819, CVE-2018-2839,
CVE-2018-2846
Package Information:
https://launchpad.net/ubuntu/+source/mysql-5.7/5.7.22-0ubuntu0.17.10.1
https://launchpad.net/ubuntu/+source/mysql-5.7/5.7.22-0ubuntu0.16.04.1
https://launchpad.net/ubuntu/+source/mysql-5.5/5.5.60-0ubuntu0.14.04.1
[Guidelines change] Changes to the packaging guidelines
-----
A note was added to the Python guidelines indicating that the python2
stack may go away and that upstreams should be contacted about software
not yet ported to python3.
* https://fedoraproject.org/wiki/Packaging:Python#Python_Version_Support
* https://pagure.io/packaging-committee/issue/753
-----
The Python guidelines now more clearly indicate that use of %{__python},
%{python_sitelib} and %{python_sitearch} is forbidden.
* https://fedoraproject.org/wiki/Packaging:Python#Macros
* https://pagure.io/packaging-committee/issue/745
-----
Information about the automatic shebang line checking and modification
has been added to both the main guidelines and the Python guidelines.
* https://fedoraproject.org/wiki/Packaging:Guidelines#Shebang_lines
* https://fedoraproject.org/wiki/Packaging:Python#Multiple_Python_Runtimes
* https://pagure.io/packaging-committee/issue/738
-----
The guidelines section relating to architecture support has been updated
to reflect the current state of koji's support of
ExclusiveArch:/ExcludeArch: in noarch packages.
* https://fedoraproject.org/wiki/Packaging:Guidelines#Noarch_with_Unported_Dependencies
* https://pagure.io/packaging-committee/issue/751
-----
A guideline was added showing how to disable buildroot policy scripts
for your package, if necessary:
* https://fedoraproject.org/wiki/Packaging:Guidelines#BRP_.28BuildRoot_Policy.29_Scripts
* https://pagure.io/packaging-committee/issue/749
-----
The Documentation section of the main guidelines was expanded to include
information about reducing build dependencies by building documentation
in a separate source package.
* https://fedoraproject.org/wiki/Packaging:Guidelines#Documentation
* https://pagure.io/packaging-committee/issue/715
-----
The AppData guidelines were updated to mention the %_metainfodir macro,
which was added to cut down on the need for %if blocks in cross-distro
specfiles.
* https://fedoraproject.org/wiki/Packaging:AppData#app-data-validate_usage
* https://pagure.io/packaging-committee/issue/752
Note that redhat-rpm-config/epel-rpm-macros packages supporting this are
in updates-testing, but buildroot overrides are active so you can use
the macro in Koji builds now.
-----
The section on packaging additional RPM macros has been simplified significantly.
* https://fedoraproject.org/wiki/Packaging:Guidelines#Packaging_of_Additional_RPM_Macros
* https://pagure.io/packaging-committee/issue/601
Note that the epel-rpm-macros package supporting this in EPEL7 is in
updates-testing, but a buildroot override is active so you can use the
macro in Koji builds now.
_______________________________________________
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org
Saturday, April 21, 2018
OpenBSD Errata: April 21st, 2018 (httpd)
httpd can leak file descriptors when servicing range requests.
Binary updates for the amd64, i386, and arm64 platforms are available via
the syspatch utility. Source code patches can be found on the respective
errata pages:
https://www.openbsd.org/errata62.html
https://www.openbsd.org/errata63.html
OpenBSD Errata: April 21st, 2018 (gif)
for OpenBSD 6.3.
In the gif(4) interface, use the specified protocol for IPv6, plug an mbuf
leak, and avoid a use after free.
Binary updates for the amd64, i386, and arm64 platforms are available via
the syspatch utility. Source code patches can be found on the errata page:
https://www.openbsd.org/errata63.html
As this affects the kernel, a reboot will be needed after patching.
OpenBSD Errata: April 21st, 2018 (arp)
have been released for OpenBSD 6.3.
ARP replies could be sent on the wrong member of a bridge(4) interface.
Binary updates for the amd64, i386, and arm64 platforms are available via
the syspatch utility. Source code patches can be found on the errata page:
https://www.openbsd.org/errata63.html
As this affects the kernel, a reboot will be needed after patching.
OpenBSD Errata: April 21st, 2018 (libtls)
Additional data is inadvertently removed when private keys are cleared from
TLS configuration, which can prevent OCSP from functioning correctly.
Binary updates for the amd64, i386, and arm64 platforms are available via
the syspatch utility. Source code patches can be found on the errata page:
https://www.openbsd.org/errata63.html
Friday, April 20, 2018
[arch-announce] glibc 2.27-2 and pam 1.3.0-2 may require manual intervention
`/etc/nsswitch.conf` file provided by `filesystem` package already
reflects this change. Please make sure to merge pacnew file if it exists
prior to upgrade.
NIS functionality can still be enabled by installing `libnss_nis`
package. There is no replacement for NIS+ in the official repositories.
`pam 1.3.0-2` no longer ships the pam_unix2 module and the `pam_unix_*.so`
compatibility symlinks. Before upgrading, review the PAM configuration files
in the `/etc/pam.d` directory and replace removed modules with
`pam_unix.so`. Users of pam_unix2 should also reset their passwords
after such a change. Defaults provided by the `pambase` package do not need
any modifications.
URL: https://www.archlinux.org/news/glibc-227-2-and-pam-130-2-may-require-manual-intervention/
_______________________________________________
arch-announce mailing list
arch-announce@archlinux.org
https://lists.archlinux.org/listinfo/arch-announce
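The pam_unix2 migration described in the announcement above, as an added shell example (not part of the Arch announcement or of the pam package): it audits a pam.d-style directory for the removed module names and rewrites them to `pam_unix.so` on non-comment lines. The sample configuration files, the `make_sample_pamd` helper and the `PAM_AUDIT_DEMO` variable are constructed for the demo; point the two audit functions at `/etc/pam.d` to use them on a real system.

```shell
#!/bin/sh
# Added example, not part of the Arch announcement: audit a pam.d-style
# directory for modules that pam 1.3.0-2 removed (pam_unix2.so and the
# pam_unix_*.so compatibility symlinks) and rewrite them to pam_unix.so.
# The sample directory and its contents below are constructed for the demo.

# A removed module name on a non-comment line, preceded by the whitespace
# after the control field. Matches pam_unix2.so and pam_unix_auth.so,
# pam_unix_acct.so, pam_unix_passwd.so, pam_unix_session.so; not pam_unix.so.
REMOVED_RE='^[^#]*[[:space:]]pam_unix(2|_[a-z]+)\.so'

# Print "file:line:content" for every line still loading a removed module.
# Returns 1 if anything was found, 0 if the directory is clean.
find_removed_pam_modules() {
    dir="$1"
    found=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if grep -n -E "$REMOVED_RE" "$f" >/dev/null; then
            found=1
            grep -n -E "$REMOVED_RE" "$f" | sed "s|^|$f:|"
        fi
    done
    return $found
}

# Replace removed module names with pam_unix.so on non-comment lines only.
# Writes through a temp file so the same code works with GNU and BSD sed.
rewrite_removed_pam_modules() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        sed -E '/^[[:space:]]*#/!s/pam_unix(2|_[a-z]+)\.so/pam_unix.so/g' "$f" > "$f.tmp" \
            && mv "$f.tmp" "$f"
    done
}

# Constructed sample directory standing in for /etc/pam.d; prints its path.
make_sample_pamd() {
    dir=$(mktemp -d)
    printf '%s\n' \
        'auth     required pam_unix2.so nullok' \
        'account  required pam_unix_acct.so' \
        '# pam_unix2.so mentioned in a comment is left alone' \
        'session  required pam_unix.so' > "$dir/login"
    printf '%s\n' 'auth required pam_unix.so' > "$dir/sshd"
    echo "$dir"
}

# Demo run on the constructed directory: PAM_AUDIT_DEMO=1 sh pam_audit.sh
if [ "${PAM_AUDIT_DEMO:-0}" = 1 ]; then
    d=$(make_sample_pamd)
    echo "Before:"; find_removed_pam_modules "$d" || true
    rewrite_removed_pam_modules "$d"
    echo "After:"; find_removed_pam_modules "$d" && echo "clean"
    rm -rf "$d"
fi
```

Run the audit before the upgrade and again afterwards: a non-zero exit from `find_removed_pam_modules` means a service's stack still names a module that the new package no longer ships, which would leave that service unable to authenticate. The rewrite only touches module names, so any options on the line (for example `nullok`) are kept, and it does not change the fact that former pam_unix2 users still need to reset their passwords as the announcement says.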
Thursday, April 19, 2018
Estonia Open-EID available again
Hello, I am glad to announce that the Estonia Open-EID client software
stack[1], has been unretired and updated to the latest version.
To use it, simply install the open-eid package.
System reboot is recommended[2].
Best regards
[1]: https://github.com/open-eid/
[2]: https://bugzilla.redhat.com/show_bug.cgi?id=1545027
[USN-3628-2] OpenSSL vulnerability
Ubuntu Security Notice USN-3628-2
April 19, 2018
openssl vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 ESM
Summary:
OpenSSL could allow access to sensitive information.
Software Description:
- openssl: Secure Socket Layer (SSL) cryptographic library and tools
Details:
USN-3628-1 fixed a vulnerability in OpenSSL. This update provides
the corresponding update for Ubuntu 12.04 ESM.
Original advisory details:
Alejandro Cabrera Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis
Manuel Alvarez Tapia discovered that OpenSSL incorrectly handled RSA
key generation. An attacker could possibly use this issue to perform a
cache-timing attack and recover private RSA keys.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 ESM:
libssl1.0.0 1.0.1-4ubuntu5.41
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
https://usn.ubuntu.com/usn/usn-3628-2
https://usn.ubuntu.com/usn/usn-3628-1
CVE-2018-0737
[USN-3628-1] OpenSSL vulnerability
Ubuntu Security Notice USN-3628-1
April 19, 2018
openssl vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 17.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
OpenSSL could allow access to sensitive information.
Software Description:
- openssl: Secure Socket Layer (SSL) cryptographic library and tools
Details:
Alejandro Cabrera Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis
Manuel Alvarez Tapia discovered that OpenSSL incorrectly handled RSA
key generation. An attacker could possibly use this issue to perform a
cache-timing attack and recover private RSA keys.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 17.10:
libssl1.0.0 1.0.2g-1ubuntu13.5
Ubuntu 16.04 LTS:
libssl1.0.0 1.0.2g-1ubuntu4.12
Ubuntu 14.04 LTS:
libssl1.0.0 1.0.1f-1ubuntu2.25
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
https://usn.ubuntu.com/usn/usn-3628-1
CVE-2018-0737
Package Information:
https://launchpad.net/ubuntu/+source/openssl/1.0.2g-1ubuntu13.5
https://launchpad.net/ubuntu/+source/openssl/1.0.2g-1ubuntu4.12
https://launchpad.net/ubuntu/+source/openssl/1.0.1f-1ubuntu2.25
[USN-3627-1] Apache HTTP Server vulnerabilities
==========================================================================
Ubuntu Security Notice USN-3627-1
April 19, 2018
apache2 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 17.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in the Apache HTTP Server.
Software Description:
- apache2: Apache HTTP server
Details:
Alex Nichols and Jakob Hirsch discovered that the Apache HTTP Server
mod_authnz_ldap module incorrectly handled missing charset encoding
headers. A remote attacker could possibly use this issue to cause the
server to crash, resulting in a denial of service. (CVE-2017-15710)
Elar Lang discovered that the Apache HTTP Server incorrectly handled
certain characters specified in <FilesMatch>. A remote attacker could
possibly use this issue to upload certain files, contrary to expectations.
(CVE-2017-15715)
It was discovered that the Apache HTTP Server mod_session module
incorrectly handled certain headers. A remote attacker could possibly use
this issue to influence session data. (CVE-2018-1283)
Robert Swiecki discovered that the Apache HTTP Server incorrectly handled
certain requests. A remote attacker could possibly use this issue to cause
the server to crash, leading to a denial of service. (CVE-2018-1301)
Robert Swiecki discovered that the Apache HTTP Server mod_cache_socache
module incorrectly handled certain headers. A remote attacker could
possibly use this issue to cause the server to crash, leading to a denial
of service. (CVE-2018-1303)
Nicolas Daniels discovered that the Apache HTTP Server incorrectly
generated the nonce when creating HTTP Digest authentication challenges.
A remote attacker could possibly use this issue to replay HTTP requests
across a cluster of servers. (CVE-2018-1312)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 17.10:
apache2-bin 2.4.27-2ubuntu4.1
Ubuntu 16.04 LTS:
apache2-bin 2.4.18-2ubuntu3.8
Ubuntu 14.04 LTS:
apache2-bin 2.4.7-1ubuntu4.20
In general, a standard system update will make all the necessary changes.
References:
https://usn.ubuntu.com/usn/usn-3627-1
CVE-2017-15710, CVE-2017-15715, CVE-2018-1283, CVE-2018-1301,
CVE-2018-1303, CVE-2018-1312
Package Information:
https://launchpad.net/ubuntu/+source/apache2/2.4.27-2ubuntu4.1
https://launchpad.net/ubuntu/+source/apache2/2.4.18-2ubuntu3.8
https://launchpad.net/ubuntu/+source/apache2/2.4.7-1ubuntu4.20
Fedora 28 Final Release Readiness Meeting on Thursday, April 26 @ 19:00 UTC
Final Release Readiness Meeting meeting.
The meeting is going to be held on Thursday, April 26, 2018 at 19:00
UTC. Please check the [1] link for your time zone.
We will meet to make sure we are coordinated and ready for the Final
release of Fedora 28. Please note that this meeting is going to be
held even if the release is delayed at the Go/No-Go meeting on the
same day two hours earlier.
You may have received this message several times, but that is on purpose to
open this meeting to the teams and to raise awareness, so hopefully
more team representatives will come to this meeting. This meeting
works best when we have representatives from all of the teams.
For more information please check the [2] link.
[1] https://apps.fedoraproject.org/calendar/meeting/9024/
[2] https://fedoraproject.org/wiki/Release_Readiness_Meetings
Thank you for your support,
Regards, Jan
--
Jan Kuřík
JBoss EAP Program Manager
Red Hat Czech s.r.o., Purkynova 99/71, 612 45 Brno, Czech Republic
Fedora 28 Final release Go/No-Go Meeting on Thursday, April 26 @ 17:00 UTC
meeting, wherein we shall determine the readiness of the Fedora 28
Final.
The meeting is going to be held on Thursday, April 26, 2018 at 17:00
UTC. Please check the [1] link for your time zone.
Before each public release Development, QA and Release Engineering
meet to determine if the release criteria are met for a particular
release. This meeting is called the Go/No-Go Meeting. Verifying that
the Release criteria are met is the responsibility of the QA Team.
Release Candidate (RC) availability and good QA coverage are
prerequisites for the Go/No-Go meeting. If you have any bug on the
list, please help us with the Beta release. If we are not ready by
Thursday, we will use this meeting to review blockers and decide what
to do.
In the meantime, please keep also an eye on the Fedora 28 Final
Blocker list [2].
For more details about this meeting please follow the [3] link.
[1] https://apps.fedoraproject.org/calendar/meeting/9025/
[2] http://qa.fedoraproject.org/blockerbugs/milestone/28/final/buglist
[3] https://fedoraproject.org/wiki/Go_No_Go_Meeting
Thank you in advance for your support.
Regards, Jan
--
Jan Kuřík
JBoss EAP Program Manager
Red Hat Czech s.r.o., Purkynova 99/71, 612 45 Brno, Czech Republic
Tuesday, April 17, 2018
[USN-3625-2] Perl vulnerabilities
Ubuntu Security Notice USN-3625-2
April 17, 2018
perl vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 ESM
Summary:
Several security issues were fixed in Perl.
Software Description:
- perl: Practical Extraction and Report Language
Details:
USN-3625-1 fixed a vulnerability in Perl. This update provides
the corresponding update for Ubuntu 12.04 ESM.
Original advisory details:
It was discovered that Perl incorrectly handled certain regular
expressions. An attacker could possibly use this issue to cause Perl
to hang, resulting in a denial of service. (CVE-2015-8853)
It was discovered that Perl incorrectly loaded libraries from the
current working directory. A local attacker could possibly use this
issue to execute arbitrary code. (CVE-2016-6185)
It was discovered that Perl incorrectly handled the rmtree and
remove_tree functions. A local attacker could possibly use this issue
to set the mode on arbitrary files. (CVE-2017-6512)
GwanYeong Kim discovered that Perl incorrectly handled certain data
when using the pack function. An attacker could use this issue to
cause Perl to crash, resulting in a denial of service, or possibly
execute arbitrary code. (CVE-2018-6913)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 ESM:
perl 5.14.2-6ubuntu2.7
In general, a standard system update will make all the necessary
changes.
References:
https://usn.ubuntu.com/usn/usn-3625-2
https://usn.ubuntu.com/usn/usn-3625-1
CVE-2015-8853, CVE-2016-6185, CVE-2017-6512, CVE-2018-6913
[USN-3611-2] OpenSSL vulnerabilities
Ubuntu Security Notice USN-3611-2
April 17, 2018
openssl vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 ESM
Summary:
Several security issues were fixed in OpenSSL.
Software Description:
- openssl: Secure Socket Layer (SSL) cryptographic library and tools
Details:
USN-3611-1 fixed a vulnerability in OpenSSL. This update provides
the corresponding update for Ubuntu 12.04 ESM.
Original advisory details:
It was discovered that OpenSSL incorrectly parsed the IPAddressFamily
extension in X.509 certificates, resulting in an erroneous display of
the certificate in text format. (CVE-2017-3735)
It was discovered that OpenSSL incorrectly handled certain ASN.1
types. A remote attacker could possibly use this issue to cause a
denial of service. (CVE-2018-0739)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 ESM:
libssl1.0.0 1.0.1-4ubuntu5.40
openssl 1.0.1-4ubuntu5.40
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
https://usn.ubuntu.com/usn/usn-3611-2
https://usn.ubuntu.com/usn/usn-3611-1
CVE-2017-3735, CVE-2018-0739
Monday, April 16, 2018
Fedora 28 Final Freeze
[USN-3626-1] Ruby vulnerabilities
Ubuntu Security Notice USN-3626-1
April 16, 2018
ruby1.9.1, ruby2.0, ruby2.3 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 17.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in Ruby.
Software Description:
- ruby2.3: Object-oriented scripting language
- ruby1.9.1: Object-oriented scripting language
- ruby2.0: Object-oriented scripting language
Details:
It was discovered that Ruby incorrectly handled certain inputs. An
attacker could possibly use this to execute arbitrary code.
(CVE-2018-6914)
It was discovered that Ruby incorrectly handled certain inputs. An
attacker could possibly use this to access sensitive information.
(CVE-2018-8778, CVE-2018-8780)
It was discovered that Ruby incorrectly handled certain inputs. An
attacker could possibly use this to connect to an unintended socket.
(CVE-2018-8779)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 17.10:
libruby2.3 2.3.3-1ubuntu1.5
ruby2.3 2.3.3-1ubuntu1.5
Ubuntu 16.04 LTS:
libruby2.3 2.3.1-2~16.04.9
ruby2.3 2.3.1-2~16.04.9
Ubuntu 14.04 LTS:
libruby1.9.1 1.9.3.484-2ubuntu1.11
libruby2.0 2.0.0.484-1ubuntu2.9
ruby1.9.1 1.9.3.484-2ubuntu1.11
ruby1.9.3 1.9.3.484-2ubuntu1.11
ruby2.0 2.0.0.484-1ubuntu2.9
In general, a standard system update will make all the necessary
changes.
References:
https://usn.ubuntu.com/usn/usn-3626-1
CVE-2018-6914, CVE-2018-8778, CVE-2018-8779, CVE-2018-8780
Package Information:
https://launchpad.net/ubuntu/+source/ruby2.3/2.3.3-1ubuntu1.5
https://launchpad.net/ubuntu/+source/ruby2.3/2.3.1-2~16.04.9
https://launchpad.net/ubuntu/+source/ruby1.9.1/1.9.3.484-2ubuntu1.11
https://launchpad.net/ubuntu/+source/ruby2.0/2.0.0.484-1ubuntu2.9
[USN-3625-1] Perl vulnerabilities
==========================================================================
Ubuntu Security Notice USN-3625-1
April 16, 2018
perl vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 17.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in Perl.
Software Description:
- perl: Practical Extraction and Report Language
Details:
It was discovered that Perl incorrectly handled certain regular
expressions. An attacker could possibly use this issue to cause Perl to
hang, resulting in a denial of service. This issue only affected Ubuntu
14.04 LTS. (CVE-2015-8853)
It was discovered that Perl incorrectly loaded libraries from the current
working directory. A local attacker could possibly use this issue to
execute arbitrary code. This issue only affected Ubuntu 14.04 LTS and
Ubuntu 16.04 LTS. (CVE-2016-6185)
It was discovered that Perl incorrectly handled the rmtree and remove_tree
functions. A local attacker could possibly use this issue to set the mode
on arbitrary files. This issue only affected Ubuntu 14.04 LTS and Ubuntu
16.04 LTS. (CVE-2017-6512)
Brian Carpenter discovered that Perl incorrectly handled certain regular
expressions. An attacker could use this issue to cause Perl to crash,
resulting in a denial of service, or possibly execute arbitrary code. This
issue has only been addressed in Ubuntu 16.04 LTS and Ubuntu 17.10.
(CVE-2018-6797)
Nguyen Duc Manh discovered that Perl incorrectly handled certain regular
expressions. An attacker could use this issue to cause Perl to crash,
resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS
and Ubuntu 17.10. (CVE-2018-6798)
GwanYeong Kim discovered that Perl incorrectly handled certain data when
using the pack function. An attacker could use this issue to cause Perl to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2018-6913)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 17.10:
perl 5.26.0-8ubuntu1.1
Ubuntu 16.04 LTS:
perl 5.22.1-9ubuntu0.3
Ubuntu 14.04 LTS:
perl 5.18.2-2ubuntu1.4
In general, a standard system update will make all the necessary changes.
References:
https://usn.ubuntu.com/usn/usn-3625-1
CVE-2015-8853, CVE-2016-6185, CVE-2017-6512, CVE-2018-6797,
CVE-2018-6798, CVE-2018-6913
Package Information:
https://launchpad.net/ubuntu/+source/perl/5.26.0-8ubuntu1.1
https://launchpad.net/ubuntu/+source/perl/5.22.1-9ubuntu0.3
https://launchpad.net/ubuntu/+source/perl/5.18.2-2ubuntu1.4
[USN-3624-2] Patch vulnerabilities
Ubuntu Security Notice USN-3624-2
April 16, 2018
patch vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 ESM
Summary:
Several security issues were fixed in Patch.
Software Description:
- patch: Apply a diff file to an original
Details:
USN-3624-1 fixed a vulnerability in Patch. This update provides
the corresponding update for Ubuntu 12.04 ESM.
Original advisory details:
It was discovered that Patch incorrectly handled certain files. An
attacker could possibly use this to cause a denial of service.
(CVE-2016-10713)
It was discovered that Patch incorrectly handled certain input
validation. An attacker could possibly use this to execute arbitrary
code. (CVE-2018-1000156)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 ESM:
patch 2.6.1-3ubuntu0.2
In general, a standard system update will make all the necessary
changes.
References:
https://usn.ubuntu.com/usn/usn-3624-2
https://usn.ubuntu.com/usn/usn-3624-1
CVE-2016-10713, CVE-2018-1000156
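Both advisories above say only that updating to the listed package versions corrects the problem. The check a defender actually wants to run is "is the installed version at or past the fixed one?", and that comparison has to follow dpkg's ordering rules (numeric runs compared as numbers, `~` sorting before everything, epoch before anything else) rather than string comparison. The script below is an added example for this page, not code from Ubuntu or from either advisory; it copies the fixed versions from USN-3625-1 (perl) and USN-3624-2 (patch) as printed above, re-implements the dpkg version comparison so it runs offline, and feeds it a constructed sample of `dpkg-query -W -f='${Package} ${Version}\n'` output.

```python
"""Check installed Debian/Ubuntu package versions against the fixed
versions published in a USN, using dpkg's version-ordering rules.

Added example; not Ubuntu's code. Fixed versions are copied from
USN-3625-1 (perl) and USN-3624-2 (patch); the dpkg output is constructed.
"""

# Release -> package -> first fixed version, as listed in the advisories.
FIXED_VERSIONS = {
    "Ubuntu 17.10": {"perl": "5.26.0-8ubuntu1.1"},
    "Ubuntu 16.04 LTS": {"perl": "5.22.1-9ubuntu0.3"},
    "Ubuntu 14.04 LTS": {"perl": "5.18.2-2ubuntu1.4"},
    "Ubuntu 12.04 ESM": {"patch": "2.6.1-3ubuntu0.2"},
}

# Constructed sample of `dpkg-query -W -f='${Package} ${Version}\n' perl patch`
# from a 16.04 host that is one revision behind on perl.
SAMPLE_DPKG_OUTPUT = """\
perl 5.22.1-9ubuntu0.2
patch 2.7.5-1
"""


def _order(ch):
    """Weight of a non-digit character, as in dpkg's order(): '~' sorts
    before everything, even end of string (weight 0); letters sort by
    code point; other punctuation sorts after all letters."""
    if ch == "~":
        return -1
    if ch.isalpha():
        return ord(ch)
    return ord(ch) + 256


def _take(s, digits):
    """Split off the leading run of digits (digits=True) or non-digits."""
    i = 0
    while i < len(s) and s[i].isdigit() == digits:
        i += 1
    return s[:i], s[i:]


def _cmp_fragment(a, b):
    """Compare an upstream-version or revision fragment like dpkg's
    verrevcmp(): alternate non-digit runs (character weights, end of
    string = 0) and digit runs (compared numerically, so 1.10 > 1.9)."""
    while a or b:
        na, a = _take(a, False)
        nb, b = _take(b, False)
        for k in range(max(len(na), len(nb))):
            ca = _order(na[k]) if k < len(na) else 0
            cb = _order(nb[k]) if k < len(nb) else 0
            if ca != cb:
                return -1 if ca < cb else 1
        da, a = _take(a, True)
        db, b = _take(b, True)
        da, db = int(da or "0"), int(db or "0")
        if da != db:
            return -1 if da < db else 1
    return 0


def _split(version):
    """Split '[epoch:]upstream[-revision]'; only the last '-' starts the
    Debian revision, and a missing epoch counts as 0."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 with the same ordering as `dpkg --compare-versions`."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def is_fixed(installed, fixed):
    """True when the installed version is at or past the fixed version."""
    return compare_versions(installed, fixed) >= 0


def unpatched(dpkg_output, release):
    """Return (package, installed, fixed) for each listed package that the
    advisories cover on this release and that is still below the fix."""
    missing = []
    for line in dpkg_output.splitlines():
        if not line.strip():
            continue
        pkg, ver = line.split()[:2]
        fixed = FIXED_VERSIONS.get(release, {}).get(pkg)
        if fixed and not is_fixed(ver, fixed):
            missing.append((pkg, ver, fixed))
    return missing
```

On a real host the sample text would be replaced by the output of the `dpkg-query` command shown in the comment; the release string selects which advisory row applies, since the same package name carries different fixed versions on each release.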
Saturday, April 14, 2018
OpenBSD Errata: April 14th, 2018 (perl)
Heap overflows exist in perl which can lead to segmentation faults,
crashes, and reading memory past the buffer.
Binary updates for the amd64, i386, and arm64 platforms are available
via the syspatch utility. Source code patches can be found on the
respective errata pages:
https://www.openbsd.org/errata61.html
https://www.openbsd.org/errata62.html
https://www.openbsd.org/errata63.html
Friday, April 13, 2018
Mailing list server downtime this Saturday
maintenance Saturday April 14th. As a result, the list server will
be taken down at 6:00am MDT. It will be back up by 5pm MDT at the
latest.
This also affects ftp.usa.openbsd.org (aka anoncvs3.usa.openbsd.org)
which is located in the same machine room.
- todd
[USN-3621-2] Ruby regression
Ubuntu Security Notice USN-3621-2
April 13, 2018
ruby1.9.1, ruby2.0 regression
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
Summary:
USN-3621-1 caused a regression in Ruby.
Software Description:
- ruby1.9.1: Object-oriented scripting language
- ruby2.0: Object-oriented scripting language
Details:
USN-3621-1 fixed vulnerabilities in Ruby. The update caused an issue
due to an incomplete patch for CVE-2018-1000074. This update reverts
the problematic patch pending further investigation.
We apologize for the inconvenience.
Original advisory details:
It was discovered that Ruby incorrectly handled certain inputs. An
attacker could possibly use this to access sensitive information.
(CVE-2018-1000073)
It was discovered that Ruby incorrectly handled certain files. An
attacker could possibly use this to execute arbitrary code.
(CVE-2018-1000074)
It was discovered that Ruby incorrectly handled certain files. An
attacker could possibly use this to cause a denial of service.
(CVE-2018-1000075)
It was discovered that Ruby incorrectly handled certain crypto
signatures. An attacker could possibly use this to execute arbitrary
code. (CVE-2018-1000076)
It was discovered that Ruby incorrectly handled certain inputs. An
attacker could possibly use this to execute arbitrary code.
(CVE-2018-1000077, CVE-2018-1000078, CVE-2018-1000079)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS:
libruby1.9.1 1.9.3.484-2ubuntu1.10
libruby2.0 2.0.0.484-1ubuntu2.8
ruby1.9.1 1.9.3.484-2ubuntu1.10
ruby1.9.3 1.9.3.484-2ubuntu1.10
ruby2.0 2.0.0.484-1ubuntu2.8
In general, a standard system update will make all the necessary
changes.
References:
https://usn.ubuntu.com/usn/usn-3621-2
https://usn.ubuntu.com/usn/usn-3621-1
CVE-2018-1000074
Package Information:
https://launchpad.net/ubuntu/+source/ruby1.9.1/1.9.3.484-2ubuntu1.10
https://launchpad.net/ubuntu/+source/ruby2.0/2.0.0.484-1ubuntu2.8
Renaming "docker" references to generic ones like "container" or "OCI"
As the container landscape has changed over the last few years, Docker Inc. has changed what the term "docker" means. Along with changes in the container namespace with tools like buildah, cri-o, rkt and other ways to run containers, it makes sense to refer to containers in a more generic sense, using terms like "container" or "OCI (Open Container Initiative)" instead of "docker".
We have already renamed the Docker namespace to "containers" in dist-git. The Bugzilla project for containers is under container as well. Wherever possible to be consistent with using more generic terms, "docker" should be renamed to an appropriate generic term. This will allow us to more seamlessly adapt and change with the continuing evolution of the container based world. A side effect is that the changes will more closely align us with ongoing work within Red Hat.
There are several areas that can be evaluated for changes from "docker" to "container" (or OCI). These include:
- Changing a package description to be more generic
- Working with upstream to rename the project and bringing that back to Fedora
- Changing labels and descriptions used within Dockerfiles
* The below URLs will not show a package that is using "docker" only in the package description, which shows up in Bugzilla along with other locations
[1] https://src.fedoraproject.org/
[2] https://src.fedoraproject.org/
Sushma Shivakumar