Wednesday, October 31, 2018


[USN-3805-1] curl vulnerabilities

==========================================================================
Ubuntu Security Notice USN-3805-1
October 31, 2018

curl vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in curl.

Software Description:
- curl: HTTP, HTTPS, and FTP client and client libraries

Details:

Harry Sintonen discovered that curl incorrectly handled SASL
authentication. A remote attacker could use this issue to cause curl to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2018-16839)

Brian Carpenter discovered that curl incorrectly handled memory when
closing certain handles. A remote attacker could use this issue to cause
curl to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2018-16840)

Brian Carpenter discovered that the curl command-line tool incorrectly
handled error messages. A remote attacker could possibly use this issue to
obtain sensitive information. (CVE-2018-16842)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.10:
curl 7.61.0-1ubuntu2.2
libcurl3-gnutls 7.61.0-1ubuntu2.2
libcurl3-nss 7.61.0-1ubuntu2.2
libcurl4 7.61.0-1ubuntu2.2

Ubuntu 18.04 LTS:
curl 7.58.0-2ubuntu3.5
libcurl3-gnutls 7.58.0-2ubuntu3.5
libcurl3-nss 7.58.0-2ubuntu3.5
libcurl4 7.58.0-2ubuntu3.5

Ubuntu 16.04 LTS:
curl 7.47.0-1ubuntu2.11
libcurl3 7.47.0-1ubuntu2.11
libcurl3-gnutls 7.47.0-1ubuntu2.11
libcurl3-nss 7.47.0-1ubuntu2.11

Ubuntu 14.04 LTS:
curl 7.35.0-1ubuntu2.19
libcurl3 7.35.0-1ubuntu2.19
libcurl3-gnutls 7.35.0-1ubuntu2.19
libcurl3-nss 7.35.0-1ubuntu2.19

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3805-1
CVE-2018-16839, CVE-2018-16840, CVE-2018-16842

Package Information:
https://launchpad.net/ubuntu/+source/curl/7.61.0-1ubuntu2.2
https://launchpad.net/ubuntu/+source/curl/7.58.0-2ubuntu3.5
https://launchpad.net/ubuntu/+source/curl/7.47.0-1ubuntu2.11
https://launchpad.net/ubuntu/+source/curl/7.35.0-1ubuntu2.19

Tuesday, October 30, 2018

[USN-3804-1] OpenJDK vulnerabilities

==========================================================================
Ubuntu Security Notice USN-3804-1
October 30, 2018

openjdk-8, openjdk-lts vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in OpenJDK.

Software Description:
- openjdk-lts: Open Source Java implementation
- openjdk-8: Open Source Java implementation

Details:

It was discovered that the Security component of OpenJDK did not properly
ensure that manifest elements were signed before use. An attacker could
possibly use this to specially construct an untrusted Java application or
applet that could escape sandbox restrictions. (CVE-2018-3136)

Artem Smotrakov discovered that the HTTP client redirection handler
implementation in OpenJDK did not clear potentially sensitive information
in HTTP headers when following redirections to different hosts. An attacker
could use this to expose sensitive information. (CVE-2018-3139)

It was discovered that the Java Naming and Directory Interface (JNDI)
implementation in OpenJDK did not properly enforce restrictions specified
by system properties in some situations. An attacker could potentially use
this to execute arbitrary code. (CVE-2018-3149)

It was discovered that the Utility component of OpenJDK did not properly
ensure all attributes in a JAR were signed before use. An attacker could
use this to specially construct an untrusted Java application or applet
that could escape sandbox restrictions. This issue only affected Ubuntu
18.04 LTS and Ubuntu 18.10. (CVE-2018-3150)

It was discovered that the Hotspot component of OpenJDK did not properly
perform access checks in certain cases when performing field link
resolution. An attacker could use this to specially construct an untrusted
Java application or applet that could escape sandbox restrictions.
(CVE-2018-3169)

Felix Dörre discovered that the Java Secure Socket Extension (JSSE)
implementation in OpenJDK did not ensure that the same endpoint
identification algorithm was used during TLS session resumption as during
initial session setup. An attacker could use this to expose sensitive
information. (CVE-2018-3180)

Krzysztof Szafrański discovered that the Scripting component did not
properly restrict access to the scripting engine in some situations. An
attacker could use this to specially construct an untrusted Java
application or applet that could escape sandbox restrictions.
(CVE-2018-3183)

Tobias Ospelt discovered that the Resource Interchange File Format (RIFF)
reader implementation in OpenJDK contained an infinite loop. An attacker
could use this to cause a denial of service. This issue only affected
Ubuntu 16.04 LTS. (CVE-2018-3214)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.10:
openjdk-11-jdk 11.0.1+13-2ubuntu1
openjdk-11-jre 11.0.1+13-2ubuntu1
openjdk-11-jre-headless 11.0.1+13-2ubuntu1

Ubuntu 18.04 LTS:
openjdk-11-jdk 10.0.2+13-1ubuntu0.18.04.3
openjdk-11-jre 10.0.2+13-1ubuntu0.18.04.3
openjdk-11-jre-headless 10.0.2+13-1ubuntu0.18.04.3

Ubuntu 16.04 LTS:
openjdk-8-jdk 8u181-b13-1ubuntu0.16.04.1
openjdk-8-jre 8u181-b13-1ubuntu0.16.04.1
openjdk-8-jre-headless 8u181-b13-1ubuntu0.16.04.1
openjdk-8-jre-jamvm 8u181-b13-1ubuntu0.16.04.1

This update uses a new upstream release, which includes additional
bug fixes. After a standard system update you need to restart any
Java applications or applets to make all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3804-1
CVE-2018-3136, CVE-2018-3139, CVE-2018-3149, CVE-2018-3150,
CVE-2018-3169, CVE-2018-3180, CVE-2018-3183, CVE-2018-3214

Package Information:
https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.1+13-2ubuntu1
https://launchpad.net/ubuntu/+source/openjdk-lts/10.0.2+13-1ubuntu0.18.04.3
https://launchpad.net/ubuntu/+source/openjdk-8/8u181-b13-1ubuntu0.16.04.1

[USN-3803-1] Ghostscript vulnerabilities

==========================================================================
Ubuntu Security Notice USN-3803-1
October 30, 2018

ghostscript vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in Ghostscript.

Software Description:
- ghostscript: PostScript and PDF interpreter

Details:

Tavis Ormandy discovered multiple security issues in Ghostscript. If a user
or automated system were tricked into processing a specially crafted file,
a remote attacker could possibly use these issues to access arbitrary
files, execute arbitrary code, or cause a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.10:
ghostscript 9.25~dfsg+1-0ubuntu1.1
libgs9 9.25~dfsg+1-0ubuntu1.1

Ubuntu 18.04 LTS:
ghostscript 9.25~dfsg+1-0ubuntu0.18.04.2
libgs9 9.25~dfsg+1-0ubuntu0.18.04.2

Ubuntu 16.04 LTS:
ghostscript 9.25~dfsg+1-0ubuntu0.16.04.2
libgs9 9.25~dfsg+1-0ubuntu0.16.04.2

Ubuntu 14.04 LTS:
ghostscript 9.25~dfsg+1-0ubuntu0.14.04.2
libgs9 9.25~dfsg+1-0ubuntu0.14.04.2

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3803-1
CVE-2018-17961, CVE-2018-18073, CVE-2018-18284

Package Information:
https://launchpad.net/ubuntu/+source/ghostscript/9.25~dfsg+1-0ubuntu1.1
https://launchpad.net/ubuntu/+source/ghostscript/9.25~dfsg+1-0ubuntu0.18.04.2
https://launchpad.net/ubuntu/+source/ghostscript/9.25~dfsg+1-0ubuntu0.16.04.2
https://launchpad.net/ubuntu/+source/ghostscript/9.25~dfsg+1-0ubuntu0.14.04.2

Fedora 29 is available now!

Tomorrow is Halloween, but this week at the Fedora Project, we're
not scared of anything. Today, we officially release Fedora 29!

As always, this release is the result of the hard work of thousands
of people working in Fedora, and many times more working in all of
the upstream projects. Thank you and congratulations to everyone!

Read the official announcement at:

* https://fedoramagazine.org/announcing-fedora-29/

or just go ahead and grab it from:

* https://getfedora.org/



--
Matthew Miller mattdm@mattdm.org <http://mattdm.org/>
Fedora Project Leader mattdm@fedoraproject.org <http://fedoraproject.org/>
_______________________________________________
announce mailing list -- announce@lists.fedoraproject.org
To unsubscribe send an email to announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/announce@lists.fedoraproject.org

Monday, October 29, 2018

F30 Self-Contained Change proposal: Pantheon Desktop

https://fedoraproject.org/wiki/Changes/PantheonDesktop

= Pantheon Desktop =

== Summary ==

The Pantheon desktop environment is the DE that powers elementaryOS. It builds
on GNOME technologies, but uses components that were written from scratch
in Vala, using the GTK+3 toolkit.

== Owner ==

* Name: [[User:Decathorpe | Fabio Valentini ]]
* Email: decathorpe AT fedoraproject DOT org
* Release notes owner:

== Current status ==

* Targeted release: [[Releases/30 | Fedora 30 ]]
* Last updated: {{REVISIONYEAR}}-{{REVISIONMONTH}}-{{REVISIONDAY2}}
* Tracker bug:

== Detailed Description ==

The Pantheon desktop will be another viable choice for users of Fedora. In
particular, this is also interesting for users who like the Pantheon desktop,
but would prefer to use Fedora instead of an Ubuntu-based distribution.

Most of the components of the Pantheon desktop shell and the applications
developed by elementary have already been packaged for Fedora.

== Benefit to Fedora ==

This change will make Fedora the first Linux distribution other than
elementaryOS to support the Pantheon Desktop environment and elementary
applications.

It gives users of Fedora another choice for their desktop environment, and it
gives users of Pantheon and elementary applications the ability to choose a
different Linux distribution for the first time.

== Scope ==

=== Proposal owners ===

* investigate and improve the switchboard plugs that lack Fedora support,
and package them:
** Date and Time plug: behavioral differences between Fedora / Ubuntu
** Locale plug: implement dnf / PackageKit backend for langpack installation
** Power plug: remove dependency on Ubuntu-specific patches to
gnome-settings-daemon
** Security and Privacy plug: implement FirewallD backend to replace ufw

* do testing for components not yet in official Fedora repositories,
and package them:
** Parental Controls plug: does this actually work on Fedora?
** Sharing plug: does this actually work on Fedora?
** User Accounts plug: investigate behavioral differences between
Fedora / Ubuntu

* improve screensaver / lock screen support
** possibly patch Pantheon session components to use standard interfaces
** consider implementing shim for GDM / gnome-screensaver and LightDM
/ light-locker compatibility, or
** consider implementing adapter for translating different DBus calls for this

* create metapackages or comps groups:
** Pantheon Session (Desktop Environment without apps)
** Pantheon Desktop (Desktop Environment with apps)

=== Other developers ===

This is not a system-wide change - however, some components require the latest
releases from the accounts-SSO / signon stack.

In particular, {{package|signon-glib}} needs an update to version 2.0 to allow
packaging the Online Accounts support for switchboard and some elementary
applications.

=== Release engineering ===

No impact

=== Trademark approval ===

N/A - not needed for this Change

This Change is simply about adding a Desktop Environment to Fedora.
If we decide to make this a spin in the future, that will be a separate Change.


== Upgrade/compatibility impact ==

Packages for the Pantheon DE and elementary applications have been available
since Fedora 25 in some cases, and most components have been available since
Fedora 27. Upgrading to the latest Fedora release brings users the latest
versions of these packages.

However, due to upstream changes, some desktop applications might lose user
settings when upgrading from Fedora 28 to 29, because upstream changed their
GSettings path between releases. For that reason, the updates containing these
breaking changes were not pushed to stable releases < 29.

== How To Test ==

* install the Pantheon Desktop Environment:
{{package|pantheon-session-settings}} (metapackages / comps groups not
yet available)
* choose Pantheon session at login
* use the system as usual
* try out elementary applications
* check if screensaver kicks in (possibly doesn't work yet)

== User Experience ==

* no impact for users who don't already have the Pantheon session or
elementary applications installed
* usability and stability improvements for users who already use it

== Dependencies ==

N/A

== Contingency Plan ==

* Contingency mechanism: N/A (not a System Wide Change)
* Contingency deadline: N/A (not a System Wide Change)
* Blocks release? N/A (not a System Wide Change) - No
* Blocks product? N/A

== Documentation ==

The current status of the project and detailed instructions on how to install
the Pantheon session on Fedora are available at
https://decathorpe.com/fedora-elementary-stable-status.html .

== Release Notes ==

The improved Pantheon Desktop Environment and elementary applications found in
the latest release of
[https://medium.com/elementaryos/elementary-os-5-juno-is-here-471dfdedc7b3
elementaryOS 5.0 "Juno"]
will officially be available on Fedora 30 as well.


--
Ben Cotton
Fedora Program Manager
TZ=America/Indiana/Indianapolis
_______________________________________________
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org

[CentOS-announce] CESA-2018:C001 CentOS 7 xorg-x11-server Security Update

CentOS Errata and Security Advisory 2018:C001 Important

NOTE: This update is in response to CVE-2018-14665 (https://www.securepatterns.com/2018/10/cve-2018-14665-xorg-x-server.html); there is currently no corresponding update for RHEL 7.5.

Thanks to Pablo Garcia for suggesting and testing this update in the CentOS-QA IRC Channel.



--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS

[CentOS-announce] CEBA-2018:3013 CentOS 7 tzdata BugFix Update

CentOS Errata and Bugfix Advisory 2018:3013

Upstream details at : https://access.redhat.com/errata/RHBA-2018:3013

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

x86_64:
59e12ef8382b5e1e893053e6b6b8ae9408df040bfe114a5a01e83dbfd53f6287 tzdata-2018f-2.el7.noarch.rpm
789b5f573116c54397536cc178fb76eec58bc6b06cc811c0c3372f0505bfd251 tzdata-java-2018f-2.el7.noarch.rpm

Source:
4c179f9fa6c98c75a94ab9f4fec7435abab6fa6484494f25059412a71669ccea tzdata-2018f-2.el7.src.rpm



--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS

_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
https://lists.centos.org/mailman/listinfo/centos-announce
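The "( sha256sum Filename )" lines in these announcements are there to be checked before the downloaded packages are installed. The shell function below is an added example, not part of the CentOS post: it feeds the announcement listing to sha256sum -c for whichever of the listed files were actually downloaded. The function name is this example's own, and the demo data is constructed (only the tzdata-java digest is copied from the CEBA-2018:3013 listing above).

```shell
#!/bin/sh
# verify_advisory_sums LISTING DIR
#   LISTING : text saved from a CESA/CEBA announcement; only lines of the
#             form "<64 hex chars> <filename>" are used, headers such as
#             "x86_64:" or "Source:" are ignored
#   DIR     : directory holding the downloaded .rpm files
# Exit status: 0 all present files match, 1 a digest mismatch was found,
#              2 nothing could be checked (no listed file is in DIR).
# Name and structure are this example's own, not from the announcement.
verify_advisory_sums() {
    listing="$1"
    dir="$2"
    check=$(mktemp) || return 2

    # Build a sha256sum -c input ("<sum>  <path>") for the files that were
    # actually downloaded; packages for other arches (or the .src.rpm) are
    # usually not fetched, so they are reported and skipped rather than
    # counted as failures.
    grep -E '^[0-9a-f]{64}[[:space:]]+[^[:space:]]+' "$listing" |
    while read -r sum name _; do
        if [ -f "$dir/$name" ]; then
            printf '%s  %s\n' "$sum" "$dir/$name"
        else
            echo "SKIP (not downloaded): $name" >&2
        fi
    done > "$check"

    if [ ! -s "$check" ]; then
        echo "nothing to verify: none of the listed files are in $dir" >&2
        rm -f "$check"
        return 2
    fi

    # sha256sum -c prints "<path>: OK" or "<path>: FAILED" per file and
    # exits non-zero if any digest differs.
    if sha256sum -c "$check"; then
        rc=0
    else
        rc=1
    fi
    rm -f "$check"
    return $rc
}

# Demo on constructed data: a stand-in file whose digest is computed here,
# plus one listed package that was never downloaded (its digest is the
# tzdata-java line from CEBA-2018:3013 above).
demo_dir=$(mktemp -d)
printf 'constructed stand-in for an rpm payload\n' > "$demo_dir/tzdata-2018f-2.el7.noarch.rpm"
{
    echo "x86_64:"
    printf '%s tzdata-2018f-2.el7.noarch.rpm\n' \
        "$(sha256sum "$demo_dir/tzdata-2018f-2.el7.noarch.rpm" | cut -d' ' -f1)"
    echo "789b5f573116c54397536cc178fb76eec58bc6b06cc811c0c3372f0505bfd251 tzdata-java-2018f-2.el7.noarch.rpm"
} > "$demo_dir/listing.txt"
verify_advisory_sums "$demo_dir/listing.txt" "$demo_dir"
rm -rf "$demo_dir"
```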

[CentOS-announce] CEBA-2018:3013 CentOS 6 tzdata BugFix Update

CentOS Errata and Bugfix Advisory 2018:3013

Upstream details at : https://access.redhat.com/errata/RHBA-2018:3013

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

i386:
0e3a88856581aea77fe93130ea5a87c8db4645ef9e8a542dba9ea503293379e0 tzdata-2018f-1.el6.noarch.rpm
f798c34e5a2e851ae952333ed2230c575199aa04159836012f65b89dfe3fb907 tzdata-java-2018f-1.el6.noarch.rpm

x86_64:
0e3a88856581aea77fe93130ea5a87c8db4645ef9e8a542dba9ea503293379e0 tzdata-2018f-1.el6.noarch.rpm
f798c34e5a2e851ae952333ed2230c575199aa04159836012f65b89dfe3fb907 tzdata-java-2018f-1.el6.noarch.rpm

Source:
c6aac1e140d20ead4a4418c4357569cd6bace1a980a6f1bd0a3b1cf506f3da92 tzdata-2018f-1.el6.src.rpm



--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS


[USN-3799-2] MySQL vulnerabilities

==========================================================================
Ubuntu Security Notice USN-3799-2
October 29, 2018

mysql-5.5 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 ESM

Summary:

Several security issues were fixed in MySQL.

Software Description:
- mysql-5.5: MySQL database

Details:

USN-3799-1 fixed a vulnerability in MySQL. This update provides
the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

 Multiple security issues were discovered in MySQL and this update
 includes new upstream MySQL versions to fix these issues.

 MySQL has been updated to 5.5.62 in Ubuntu 12.04 ESM.

 In addition to security fixes, the updated packages contain bug fixes,
 new features, and possibly incompatible changes.

 Please see the following for more information:
 http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-62.html
 https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 ESM:
  mysql-server-5.5                5.5.62-0ubuntu0.12.04.1

In general, a standard system update will make all the necessary
changes.

References:
  https://usn.ubuntu.com/usn/usn-3799-2
  https://usn.ubuntu.com/usn/usn-3799-1
  CVE-2018-3133, CVE-2018-3174, CVE-2018-3282

Friday, October 26, 2018

[USN-3802-1] X.Org X server vulnerability

==========================================================================
Ubuntu Security Notice USN-3802-1
October 26, 2018

xorg-server, xorg-server-hwe-16.04 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

X.Org X server could be made to overwrite files as the administrator.

Software Description:
- xorg-server: X.Org X11 server
- xorg-server-hwe-16.04: X.Org X11 server

Details:

Narendra Shinde discovered that the X.Org X server incorrectly handled
certain command line parameters when running as root with the legacy
wrapper. When certain graphics drivers are being used, a local attacker
could possibly use this issue to overwrite arbitrary files and escalate
privileges.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.10:
xserver-xorg-core 2:1.20.1-3ubuntu2.1

Ubuntu 18.04 LTS:
xserver-xorg-core 2:1.19.6-1ubuntu4.2

Ubuntu 16.04 LTS:
xserver-xorg-core-hwe-16.04 2:1.19.6-1ubuntu4.1~16.04.2

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3802-1
CVE-2018-14665

Package Information:
https://launchpad.net/ubuntu/+source/xorg-server/2:1.20.1-3ubuntu2.1
https://launchpad.net/ubuntu/+source/xorg-server/2:1.19.6-1ubuntu4.2

https://launchpad.net/ubuntu/+source/xorg-server-hwe-16.04/2:1.19.6-1ubuntu4.1~16.04.2

Thursday, October 25, 2018

OpenBSD Errata: October 25th, 2018 (xserver)

Errata patches for Xorg have been released for OpenBSD 6.3 and 6.4.

The Xorg X server incorrectly validates certain options, allowing arbitrary
files to be overwritten.

Binary updates for the amd64, i386, and arm64 platforms are available
via the syspatch utility. Source code patches can be found on the
respective errata pages:

https://www.openbsd.org/errata63.html
https://www.openbsd.org/errata64.html

If the X server is running, restart it after patching.

As an immediate (temporary) workaround, the Xorg binary's setuid bit can be
removed by running: chmod u-s /usr/X11R6/bin/Xorg

[CentOS-announce] CESA-2018:3005 Critical CentOS 7 firefox Security Update

CentOS Errata and Security Advisory 2018:3005 Critical

Upstream details at : https://access.redhat.com/errata/RHSA-2018:3005

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

x86_64:
92725d2fa00529e327919f388a3f4feb777d7f07017249d1feae89b762d83f11 firefox-60.3.0-1.el7.centos.i686.rpm
be3a0170d5a7337c36503e94d4622e534ef6c98f9fe55f7f36487b37214de23e firefox-60.3.0-1.el7.centos.x86_64.rpm

Source:
458adf01f66b78338dc05bc6b12c78f060cc15dedd5a1c535d56c7f22d418a92 firefox-60.3.0-1.el7.centos.src.rpm



--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS


[CentOS-announce] CEEA-2018:2984 CentOS 7 xorg-x11-server Enhancement Update

CentOS Errata and Enhancement Advisory 2018:2984

Upstream details at : https://access.redhat.com/errata/RHEA-2018:2984

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS


[CentOS-announce] CESA-2018:3006 Critical CentOS 6 firefox Security Update

CentOS Errata and Security Advisory 2018:3006 Critical

Upstream details at : https://access.redhat.com/errata/RHSA-2018:3006

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

i386:
5f403870421892ff828545d93b19bc94eeee03b4c16fa432712637ee5415b479 firefox-60.3.0-1.el6.centos.i686.rpm

x86_64:
5f403870421892ff828545d93b19bc94eeee03b4c16fa432712637ee5415b479 firefox-60.3.0-1.el6.centos.i686.rpm
f330418f88045fe41bff2ffe23b2cf4ac0ea9119f7ba3dc97f666adc5fe46964 firefox-60.3.0-1.el6.centos.x86_64.rpm

Source:
1d474a68ee15a8d2d6b5fd45b61dffadbdd0cc582eb45e17842d9dd4994e06c5 firefox-60.3.0-1.el6.centos.src.rpm



--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS


Fedora 29 Final is GO

The Fedora 29 Final RC1.2 compose [1] is GO and will be shipped
live on Tuesday, October 30, 2018.

For more information please check the Go/No-Go meeting minutes [2] or logs [3].

Thank you to everyone who has worked on this release.

[1] http://dl.fedoraproject.org/pub/alt/stage/29_RC-1.2/
[2] https://meetbot.fedoraproject.org/fedora-meeting-1/2018-10-25/f29-final-go_no_go-meeting.2018-10-25-17.03.html
[3] https://meetbot.fedoraproject.org/fedora-meeting-1/2018-10-25/f29-final-go_no_go-meeting.2018-10-25-17.03.log.html

--
Ben Cotton
Fedora Program Manager
TZ=America/Indiana/Indianapolis

Issues with Google Chrome, PyCharm, Steam and other third-party repos in Fedora 29 prereleases

It was discovered[1] a short while ago that, due to a packaging
mistake in the fedora-workstation-repos package, upgrades from Fedora
28->Fedora 29 would replace the /etc/yum.repos.d/*.repo files provided
from that package with their default configuration.

What this meant in practice is that anyone who was using those
repositories in Fedora 28 would find them silently disabled in Fedora
29. In particular, this would mean that they might not notice that
they were not receiving updates, particularly (in the case of Chrome)
security updates.

This has been fixed for F29 Final, but if you have upgraded from
F28->F29 prior to today (such as at the Beta release), you should
check and verify that your expected repos are correctly enabled.

You can verify which repositories on your system are enabled or
disabled by running the command:
`dnf repolist --all`

If you discover that any of your expected repos have been disabled,
they can be re-enabled with:
`dnf config-manager --set-enabled <repo_name>`

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1640626
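The check the post describes (compare `dnf repolist --all` against the repositories you expect to be enabled, then re-enable with `dnf config-manager --set-enabled`) is easy to script so it can run after every upgrade. The shell function below is an added example, not part of the announcement; its name, the sample repolist text and the repo ids in it are constructed for this illustration, not captured from a real system.

```shell
#!/bin/sh
# check_repos_enabled REPOLIST_TEXT REPO_ID...
#   REPOLIST_TEXT : the output of `dnf repolist --all`
#   REPO_ID...    : repo ids you expect to be enabled
# Prints one line per expected repo; for a disabled one it prints the
# `dnf config-manager --set-enabled` command that fixes it.
# Exit status: 0 all expected repos enabled, 1 at least one is disabled,
#              2 at least one is not listed at all (the .repo file itself
#              may be gone, which --set-enabled cannot repair).
# Function name and sample data are this example's own, not from the post.
check_repos_enabled() {
    repolist="$1"
    shift
    disabled=0
    unknown=0
    for repo in "$@"; do
        # The repo id is the first column; the repo name in between may
        # contain spaces, so match on the id alone and inspect the status
        # at the end of the line.
        line=$(printf '%s\n' "$repolist" | awk -v id="$repo" '$1 == id')
        if [ -z "$line" ]; then
            echo "UNKNOWN  $repo (not listed at all; check /etc/yum.repos.d)"
            unknown=$((unknown + 1))
        elif printf '%s\n' "$line" | grep -Eq '[[:space:]]disabled[[:space:]]*$'; then
            echo "DISABLED $repo -> dnf config-manager --set-enabled $repo"
            disabled=$((disabled + 1))
        else
            # dnf 3 prints "enabled: <package count>", dnf 4 prints "enabled"
            echo "ok       $repo"
        fi
    done
    [ "$unknown" -eq 0 ] || return 2
    [ "$disabled" -eq 0 ] || return 1
    return 0
}

# Constructed sample of `dnf repolist --all` output (not captured from a real
# machine), modelled on a system hit by the F28->F29 upgrade bug described
# above: the third-party repos are still present but silently disabled.
SAMPLE_REPOLIST='repo id                  repo name                                    status
fedora                   Fedora 29 - x86_64                           enabled: 57,327
google-chrome            google-chrome                                disabled
phracek-PyCharm          Copr repo for PyCharm owned by phracek       disabled
rpmfusion-nonfree-steam  RPM Fusion for Fedora 29 - Nonfree - Steam   disabled
updates                  Fedora 29 - x86_64 - Updates                 enabled: 1,234'

# On a real system: check_repos_enabled "$(dnf repolist --all)" google-chrome ...
check_repos_enabled "$SAMPLE_REPOLIST" fedora updates google-chrome phracek-PyCharm rpmfusion-nonfree-steam \
    || echo "exit status $?: some expected repos need attention"
```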

Wednesday, October 24, 2018

[USN-3801-1] Firefox vulnerabilities

==========================================================================
Ubuntu Security Notice USN-3801-1
October 24, 2018

firefox vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Firefox could be made to crash or run programs as your login if it
opened a malicious website.

Software Description:
- firefox: Mozilla Open Source web browser

Details:

Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, bypass CSP
restrictions, spoof the protocol registration notification bar, leak
SameSite cookies, bypass mixed content warnings, or execute arbitrary
code. (CVE-2018-12388, CVE-2018-12390, CVE-2018-12392, CVE-2018-12393,
CVE-2018-12398, CVE-2018-12399, CVE-2018-12401, CVE-2018-12402,
CVE-2018-12403)

Multiple security issues were discovered with WebExtensions in Firefox.
If a user were tricked into installing a specially crafted extension, an
attacker could potentially exploit these to bypass domain restrictions,
gain additional privileges, or run content scripts in local pages without
permission. (CVE-2018-12395, CVE-2018-12396, CVE-2018-12397)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.10:
  firefox                         63.0+build2-0ubuntu0.18.10.2

Ubuntu 18.04 LTS:
  firefox                         63.0+build2-0ubuntu0.18.04.2

Ubuntu 16.04 LTS:
  firefox                         63.0+build2-0ubuntu0.16.04.2

Ubuntu 14.04 LTS:
  firefox                         63.0+build2-0ubuntu0.14.04.2

After a standard system update you need to restart Firefox to make
all the necessary changes.

References:
  https://usn.ubuntu.com/usn/usn-3801-1
  CVE-2018-12388, CVE-2018-12390, CVE-2018-12392, CVE-2018-12393,
  CVE-2018-12395, CVE-2018-12396, CVE-2018-12397, CVE-2018-12398,
  CVE-2018-12399, CVE-2018-12401, CVE-2018-12402, CVE-2018-12403

Package Information:
  https://launchpad.net/ubuntu/+source/firefox/63.0+build2-0ubuntu0.18.10.2
  https://launchpad.net/ubuntu/+source/firefox/63.0+build2-0ubuntu0.18.04.2
  https://launchpad.net/ubuntu/+source/firefox/63.0+build2-0ubuntu0.16.04.2
  https://launchpad.net/ubuntu/+source/firefox/63.0+build2-0ubuntu0.14.04.2

[USN-3800-1] audiofile vulnerabilities

==========================================================================
Ubuntu Security Notice USN-3800-1
October 24, 2018

audiofile vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in audiofile.

Software Description:
- audiofile: Open-source version of the SGI audiofile library

Details:

It was discovered that audiofile incorrectly handled certain files.
An attacker could possibly use this issue to cause a denial of service.
(CVE-2018-13440)

It was discovered that audiofile incorrectly handled certain files.
An attacker could possibly use this issue to execute arbitrary code.
(CVE-2018-17095)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS:
  audiofile-tools                 0.3.6-2ubuntu0.14.04.3
  libaudiofile1                   0.3.6-2ubuntu0.14.04.3

In general, a standard system update will make all the necessary
changes.

References:
  https://usn.ubuntu.com/usn/usn-3800-1
  CVE-2018-13440, CVE-2018-17095

Package Information:
  https://launchpad.net/ubuntu/+source/audiofile/0.3.6-2ubuntu0.14.04.3

Tuesday, October 23, 2018

LibreSSL 2.8.2 Released

We would like to announce that we have released LibreSSL 2.8.2, which is
available in the LibreSSL directory of your local OpenBSD mirror. This
announcement comes a few days after it was first available on October
18th, 2018, along with OpenBSD 6.4. This is the first stable release from
the 2.8 series.

It includes the following changes from 2.8.1:

* Added Wycheproof support for ECDH and ECDSA Web Crypto test vectors,
along with test harness fixes.

* Fixed memory leak in nc(1)

LibreSSL 2.8.2 also includes:

* Added Wycheproof support for ECDH, RSASSA-PSS, AES-GCM,
AES-CMAC, AES-CCM, AES-CBC-PKCS5, DSA, ChaCha20-Poly1305, ECDSA, and
X25519 test vectors. Applied appropriate fixes for errors uncovered by tests.

* Simplified key exchange signature generation and verification.

* Fixed a one-byte buffer overrun in callers of EVP_read_pw_string

* Converted more code paths to use CBB/CBS. All handshake messages are
now created by CBB.

* Fixed various memory leaks found by Coverity.

* Simplified session ticket parsing and handling, inspired by
BoringSSL.

* Modified signature of CRYPTO_mem_leaks_* to return -1. This function
is a no-op in LibreSSL, so it now returns an error rather than a result
that would imply it had checked for the (non-)existence of memory leaks.

* SSL_copy_session_id, PEM_Sign, EVP_EncodeUpdate, BIO_set_cipher,
X509_OBJECT_up_ref_count now return an int for error handling,
matching OpenSSL.

* Converted a number of #defines into proper functions, matching
OpenSSL's ABI.

* Added X509_get0_serialNumber from OpenSSL.

* Removed EVP_PKEY2PKCS8_broken and PKCS8_set_broken, while adding
PKCS8_pkey_add1_attr_by_NID and PKCS8_pkey_get0_attrs, matching
OpenSSL.

* Removed broken pkcs8 formats from openssl(1).

* Converted more functions in public API to use const arguments.

* Stopped handling AES-GCM in ssl_cipher_get_evp, since those ciphers use
the EVP_AEAD interface.

* Stopped using composite EVP_CIPHER AEADs.

* Added timing-safe compares for checking results of signature
verification. There are no known attacks, this is just inexpensive
prudence.

* Correctly clear the current cipher state, when changing cipher state.
This fixed an issue where renegotiation of cipher suites would fail
when switched from AEAD to non-AEAD or vice-versa.
Issue reported by Bernard Spil.

* Added more cipher tests to appstest.sh, including all TLSv1.2
ciphers.

* Added RSA_meth_get_finish() and RSA_meth_set1_name() from OpenSSL.

* Added new EVP_CIPHER_CTX_(get|set)_iv() API that allows the IV to be
retrieved and set with appropriate validation.

* Extensive documentation updates and additional API history.

* Fixed a pair of 20+ year-old bugs in X509_NAME_add_entry

* Tightened up checks for various X509_VERIFY_PARAM functions,
'poisoning' parameters so that an unverified certificate cannot be
used if it fails verification.

* Fixed a potential memory leak on failure in ASN1_item_digest

* Fixed a potential memory alignment crash in asn1_item_combine_free

* Removed unused SSL3_FLAGS_DELAY_CLIENT_FINISHED and
SSL3_FLAGS_POP_BUFFER flags in write path, simplifying IO paths.

* Removed SSL_OP_TLS_ROLLBACK_BUG buggy client workarounds.

* Made ENGINE_finish and ENGINE_free succeed on NULL, simplifying callers
and matching OpenSSL behavior; rewrote the ENGINE_* documentation.

* Added const annotations to many existing APIs from OpenSSL, making
interoperability easier for downstream applications.

* Fixed small timing side-channels in ecdsa_sign_setup and
dsa_sign_setup.

* Documented security pitfalls with BN_FLG_CONSTTIME and constant-time
operation of BN_* functions.

* Updated BN_clear to use explicit_bzero.

* Added a missing bounds check in c2i_ASN1_BIT_STRING.

* More CBS conversions, including simplifications to RSA key exchange,
and converted code to use dedicated buffers for secrets.

* Removed three remaining single DES cipher suites.

* Fixed a potential leak/incorrect return value in DSA signature
generation.

* Added a blinding value when generating DSA and ECDSA signatures, in
order to reduce the possibility of a side-channel attack leaking the
private key.

* Added ECC constant time scalar multiplication support.
From Billy Brumley and his team at Tampere University of Technology.

* Revised the implementation of RSASSA-PKCS1-v1_5 to match the
specification in RFC 8017. Based on an OpenSSL commit by David
Benjamin.

* Cleaned up BN_* implementations following changes made in OpenSSL by
Davide Galassi and others.

The LibreSSL project continues improvement of the codebase to reflect modern,
safe programming practices. We welcome feedback and improvements from the
broader community. Thanks to all of the contributors who helped make this
release possible.

[USN-3799-1] MySQL vulnerabilities

==========================================================================
Ubuntu Security Notice USN-3799-1
October 23, 2018

mysql-5.5, mysql-5.7 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in MySQL.

Software Description:
- mysql-5.7: MySQL database
- mysql-5.5: MySQL database

Details:

Multiple security issues were discovered in MySQL and this update includes
new upstream MySQL versions to fix these issues.

MySQL has been updated to 5.5.62 in Ubuntu 14.04 LTS. Ubuntu 16.04 LTS,
Ubuntu 18.04 LTS, and Ubuntu 18.10 have been updated to MySQL 5.7.24.

In addition to security fixes, the updated packages contain bug fixes, new
features, and possibly incompatible changes.

Please see the following for more information:
http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-62.html
http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-24.html
https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.10:
mysql-server-5.7 5.7.24-0ubuntu0.18.10.1

Ubuntu 18.04 LTS:
mysql-server-5.7 5.7.24-0ubuntu0.18.04.1

Ubuntu 16.04 LTS:
mysql-server-5.7 5.7.24-0ubuntu0.16.04.1

Ubuntu 14.04 LTS:
mysql-server-5.5 5.5.62-0ubuntu0.14.04.1

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3799-1
CVE-2018-3133, CVE-2018-3143, CVE-2018-3144, CVE-2018-3155,
CVE-2018-3156, CVE-2018-3161, CVE-2018-3162, CVE-2018-3171,
CVE-2018-3173, CVE-2018-3174, CVE-2018-3185, CVE-2018-3187,
CVE-2018-3200, CVE-2018-3247, CVE-2018-3251, CVE-2018-3276,
CVE-2018-3277, CVE-2018-3278, CVE-2018-3282, CVE-2018-3283,
CVE-2018-3284

Package Information:
https://launchpad.net/ubuntu/+source/mysql-5.7/5.7.24-0ubuntu0.18.10.1
https://launchpad.net/ubuntu/+source/mysql-5.7/5.7.24-0ubuntu0.18.04.1
https://launchpad.net/ubuntu/+source/mysql-5.7/5.7.24-0ubuntu0.16.04.1
https://launchpad.net/ubuntu/+source/mysql-5.5/5.5.62-0ubuntu0.14.04.1

[USN-3788-2] Tex Live-bin vulnerability

==========================================================================
Ubuntu Security Notice USN-3788-2
October 23, 2018

texlive-bin vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.10

Summary:

Several security issues were fixed in Tex Live.

Software Description:
- texlive-bin: TeX Live: path search library for TeX (development part)

Details:

USN-3788-1 fixed vulnerabilities in Tex Live. This update provides
the corresponding update for Ubuntu 18.10.

Original advisory details:

 It was discovered that Tex Live incorrectly handled certain files.
 An attacker could possibly use this issue to execute arbitrary code.
 (CVE-2018-17407)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.10:
  texlive-binaries                2018.20180824.48463-1ubuntu0.1

In general, a standard system update will make all the necessary
changes.

References:
  https://usn.ubuntu.com/usn/usn-3788-2
  https://usn.ubuntu.com/usn/usn-3788-1
  CVE-2018-17407

Package Information:
  https://launchpad.net/ubuntu/+source/texlive-bin/2018.20180824.48463-1ubuntu0.1

Monday, October 22, 2018

[USN-3777-3] Linux kernel (Azure) vulnerabilities

==========================================================================
Ubuntu Security Notice USN-3777-3
October 23, 2018

linux-azure vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux-azure: Linux kernel for Microsoft Azure Cloud systems

Details:

USN-3777-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04
LTS. This update provides the corresponding updates for the
Linux kernel for Azure Cloud systems.

Jann Horn discovered that the vmacache subsystem did not properly handle
sequence number overflows, leading to a use-after-free vulnerability. A
local attacker could use this to cause a denial of service (system crash)
or execute arbitrary code. (CVE-2018-17182)

It was discovered that the paravirtualization implementation in the Linux
kernel did not properly handle some indirect calls, reducing the
effectiveness of Spectre v2 mitigations for paravirtual guests. A local
attacker could use this to expose sensitive information. (CVE-2018-15594)

It was discovered that microprocessors utilizing speculative execution and
prediction of return addresses via Return Stack Buffer (RSB) may allow
unauthorized memory reads via sidechannel attacks. An attacker could use
this to expose sensitive information. (CVE-2018-15572)

Jann Horn discovered that microprocessors utilizing speculative execution
and branch prediction may allow unauthorized memory reads via sidechannel
attacks. This flaw is known as Spectre. A local attacker could use this to
expose sensitive information, including kernel memory. (CVE-2017-5715)

It was discovered that a stack-based buffer overflow existed in the iSCSI
target implementation of the Linux kernel. A remote attacker could use this
to cause a denial of service (system crash). (CVE-2018-14633)

Jann Horn and Ken Johnson discovered that microprocessors utilizing
speculative execution of a memory read may allow unauthorized memory reads
via a sidechannel attack. This flaw is known as Spectre Variant 4. A local
attacker could use this to expose sensitive information, including kernel
memory. (CVE-2018-3639)

It was discovered that a memory leak existed in the IRDA subsystem of the
Linux kernel. A local attacker could use this to cause a denial of service
(kernel memory exhaustion). (CVE-2018-6554)

It was discovered that a use-after-free vulnerability existed in the IRDA
implementation in the Linux kernel. A local attacker could use this to
cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2018-6555)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
linux-image-4.15.0-1025-azure 4.15.0-1025.26
linux-image-azure 4.15.0.1025.25

Ubuntu 16.04 LTS:
linux-image-4.15.0-1025-azure 4.15.0-1025.26~16.04.1
linux-image-azure 4.15.0.1025.31

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://usn.ubuntu.com/usn/usn-3777-3
https://usn.ubuntu.com/usn/usn-3777-1
CVE-2017-5715, CVE-2018-14633, CVE-2018-15572, CVE-2018-15594,
CVE-2018-17182, CVE-2018-3639, CVE-2018-6554, CVE-2018-6555

Package Information:
https://launchpad.net/ubuntu/+source/linux-azure/4.15.0-1025.26
https://launchpad.net/ubuntu/+source/linux-azure/4.15.0-1025.26~16.04.1

[USN-3798-2] Linux kernel (Trusty HWE) vulnerabilities

==========================================================================
Ubuntu Security Notice USN-3798-2
October 23, 2018

linux-lts-trusty vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 ESM

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux-lts-trusty: Linux hardware enablement kernel from Trusty for Precise ESM

Details:

USN-3798-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu
12.04 LTS.

Dmitry Vyukov discovered that the key management subsystem in the Linux
kernel did not properly restrict adding a key that already exists but is
negatively instantiated. A local attacker could use this to cause a denial
of service (system crash) or possibly execute arbitrary code.
(CVE-2015-8539)

It was discovered that a use-after-free vulnerability existed in the device
driver for XCeive xc2028/xc3028 tuners in the Linux kernel. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2016-7913)

Pengfei Ding (丁鹏飞), Chenfu Bao (包沉浮), and Lenx Wei (韦韬)
discovered a race condition in the generic SCSI driver (sg) of the Linux
kernel. A local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2017-0794)

Eric Biggers discovered that the key management subsystem in the Linux
kernel did not properly restrict adding a key that already exists but is
uninstantiated. A local attacker could use this to cause a denial of
service (system crash) or possibly execute arbitrary code. (CVE-2017-15299)

It was discovered that a NULL pointer dereference could be triggered in the
OCFS2 file system implementation in the Linux kernel. A local attacker
could use this to cause a denial of service (system crash).
(CVE-2017-18216)

Luo Quan and Wei Yang discovered that a race condition existed in the
Advanced Linux Sound Architecture (ALSA) subsystem of the Linux kernel when
handling ioctl()s. A local attacker could use this to cause a denial of
service (system deadlock). (CVE-2018-1000004)

范龙飞 discovered that a race condition existed in the Advanced Linux
Sound Architecture (ALSA) subsystem of the Linux kernel that could lead to
a use-after-free or an out-of-bounds buffer access. A local attacker with
access to /dev/snd/seq could use this to cause a denial of service (system
crash) or possibly execute arbitrary code. (CVE-2018-7566)

It was discovered that a buffer overflow existed in the NFC Logical Link
Control Protocol (llcp) implementation in the Linux kernel. An attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2018-9518)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 ESM:
linux-image-3.13.0-161-generic 3.13.0-161.211~precise1
linux-image-3.13.0-161-generic-lpae 3.13.0-161.211~precise1
linux-image-generic-lpae-lts-trusty 3.13.0.161.151
linux-image-generic-lts-trusty 3.13.0.161.151

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://usn.ubuntu.com/usn/usn-3798-2
https://usn.ubuntu.com/usn/usn-3798-1
CVE-2015-8539, CVE-2016-7913, CVE-2017-0794, CVE-2017-15299,
CVE-2017-18216, CVE-2018-1000004, CVE-2018-7566, CVE-2018-9518

[USN-3798-1] Linux kernel vulnerabilities

==========================================================================
Ubuntu Security Notice USN-3798-1
October 23, 2018

linux vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux: Linux kernel

Details:

Dmitry Vyukov discovered that the key management subsystem in the Linux
kernel did not properly restrict adding a key that already exists but is
negatively instantiated. A local attacker could use this to cause a denial
of service (system crash) or possibly execute arbitrary code.
(CVE-2015-8539)

It was discovered that a use-after-free vulnerability existed in the device
driver for XCeive xc2028/xc3028 tuners in the Linux kernel. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2016-7913)

Pengfei Ding (丁鹏飞), Chenfu Bao (包沉浮), and Lenx Wei (韦韬)
discovered a race condition in the generic SCSI driver (sg) of the Linux
kernel. A local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2017-0794)

Eric Biggers discovered that the key management subsystem in the Linux
kernel did not properly restrict adding a key that already exists but is
uninstantiated. A local attacker could use this to cause a denial of
service (system crash) or possibly execute arbitrary code. (CVE-2017-15299)

It was discovered that a NULL pointer dereference could be triggered in the
OCFS2 file system implementation in the Linux kernel. A local attacker
could use this to cause a denial of service (system crash).
(CVE-2017-18216)

Luo Quan and Wei Yang discovered that a race condition existed in the
Advanced Linux Sound Architecture (ALSA) subsystem of the Linux kernel when
handling ioctl()s. A local attacker could use this to cause a denial of
service (system deadlock). (CVE-2018-1000004)

范龙飞 discovered that a race condition existed in the Advanced Linux
Sound Architecture (ALSA) subsystem of the Linux kernel that could lead to
a use-after-free or an out-of-bounds buffer access. A local attacker with
access to /dev/snd/seq could use this to cause a denial of service (system
crash) or possibly execute arbitrary code. (CVE-2018-7566)

It was discovered that a buffer overflow existed in the NFC Logical Link
Control Protocol (llcp) implementation in the Linux kernel. An attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2018-9518)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS:
linux-image-3.13.0-161-generic 3.13.0-161.211
linux-image-3.13.0-161-generic-lpae 3.13.0-161.211
linux-image-3.13.0-161-lowlatency 3.13.0-161.211
linux-image-3.13.0-161-powerpc-e500 3.13.0-161.211
linux-image-3.13.0-161-powerpc-e500mc 3.13.0-161.211
linux-image-3.13.0-161-powerpc-smp 3.13.0-161.211
linux-image-3.13.0-161-powerpc64-emb 3.13.0-161.211
linux-image-3.13.0-161-powerpc64-smp 3.13.0-161.211
linux-image-generic 3.13.0.161.171
linux-image-generic-lpae 3.13.0.161.171
linux-image-highbank 3.13.0.161.171
linux-image-lowlatency 3.13.0.161.171
linux-image-powerpc-e500 3.13.0.161.171
linux-image-powerpc-e500mc 3.13.0.161.171
linux-image-powerpc-smp 3.13.0.161.171
linux-image-powerpc64-emb 3.13.0.161.171
linux-image-powerpc64-smp 3.13.0.161.171

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://usn.ubuntu.com/usn/usn-3798-1
CVE-2015-8539, CVE-2016-7913, CVE-2017-0794, CVE-2017-15299,
CVE-2017-18216, CVE-2018-1000004, CVE-2018-7566, CVE-2018-9518

Package Information:
https://launchpad.net/ubuntu/+source/linux/3.13.0-161.211

[USN-3797-1] Linux kernel vulnerabilities

==========================================================================
Ubuntu Security Notice USN-3797-1
October 23, 2018

linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux: Linux kernel
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems
- linux-kvm: Linux kernel for cloud environments
- linux-raspi2: Linux kernel for Raspberry Pi 2
- linux-snapdragon: Linux kernel for Snapdragon processors

Details:

Noam Rathaus discovered that a use-after-free vulnerability existed in the
Infiniband implementation in the Linux kernel. An attacker could use this
to cause a denial of service (system crash). (CVE-2018-14734)

It was discovered that an integer overflow existed in the CD-ROM driver of
the Linux kernel. A local attacker could use this to expose sensitive
information (kernel memory). (CVE-2018-16658)

It was discovered that an integer overflow existed in the HID Bluetooth
implementation in the Linux kernel that could lead to a buffer overwrite.
An attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2018-9363)

Yves Younan discovered that the CIPSO labeling implementation in the Linux
kernel did not properly handle IP header options in some situations. A
remote attacker could use this to specially craft network traffic that
could cause a denial of service (infinite loop). (CVE-2018-10938)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS:
linux-image-4.4.0-1036-kvm 4.4.0-1036.42
linux-image-4.4.0-1070-aws 4.4.0-1070.80
linux-image-4.4.0-1099-raspi2 4.4.0-1099.107
linux-image-4.4.0-1103-snapdragon 4.4.0-1103.108
linux-image-4.4.0-138-generic 4.4.0-138.164
linux-image-4.4.0-138-generic-lpae 4.4.0-138.164
linux-image-4.4.0-138-lowlatency 4.4.0-138.164
linux-image-4.4.0-138-powerpc-e500mc 4.4.0-138.164
linux-image-4.4.0-138-powerpc-smp 4.4.0-138.164
linux-image-4.4.0-138-powerpc64-emb 4.4.0-138.164
linux-image-4.4.0-138-powerpc64-smp 4.4.0-138.164
linux-image-aws 4.4.0.1070.72
linux-image-generic 4.4.0.138.144
linux-image-generic-lpae 4.4.0.138.144
linux-image-kvm 4.4.0.1036.35
linux-image-lowlatency 4.4.0.138.144
linux-image-powerpc-e500mc 4.4.0.138.144
linux-image-powerpc-smp 4.4.0.138.144
linux-image-powerpc64-emb 4.4.0.138.144
linux-image-powerpc64-smp 4.4.0.138.144
linux-image-raspi2 4.4.0.1099.99
linux-image-snapdragon 4.4.0.1103.95

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://usn.ubuntu.com/usn/usn-3797-1
CVE-2018-10938, CVE-2018-14734, CVE-2018-16658, CVE-2018-9363

Package Information:
https://launchpad.net/ubuntu/+source/linux/4.4.0-138.164
https://launchpad.net/ubuntu/+source/linux-aws/4.4.0-1070.80
https://launchpad.net/ubuntu/+source/linux-kvm/4.4.0-1036.42
https://launchpad.net/ubuntu/+source/linux-raspi2/4.4.0-1099.107
https://launchpad.net/ubuntu/+source/linux-snapdragon/4.4.0-1103.108

[USN-3797-2] Linux kernel (Xenial HWE) vulnerabilities

==========================================================================
Ubuntu Security Notice USN-3797-2
October 23, 2018

linux-lts-xenial, linux-aws vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems
- linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty

Details:

USN-3797-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu
14.04 LTS.

Noam Rathaus discovered that a use-after-free vulnerability existed in the
Infiniband implementation in the Linux kernel. An attacker could use this
to cause a denial of service (system crash). (CVE-2018-14734)

It was discovered that an integer overflow existed in the CD-ROM driver of
the Linux kernel. A local attacker could use this to expose sensitive
information (kernel memory). (CVE-2018-16658)

It was discovered that an integer overflow existed in the HID Bluetooth
implementation in the Linux kernel that could lead to a buffer overwrite.
An attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2018-9363)

Yves Younan discovered that the CIPSO labeling implementation in the Linux
kernel did not properly handle IP header options in some situations. A
remote attacker could use this to specially craft network traffic that
could cause a denial of service (infinite loop). (CVE-2018-10938)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS:
linux-image-4.4.0-1032-aws 4.4.0-1032.35
linux-image-4.4.0-138-generic 4.4.0-138.164~14.04.1
linux-image-4.4.0-138-generic-lpae 4.4.0-138.164~14.04.1
linux-image-4.4.0-138-lowlatency 4.4.0-138.164~14.04.1
linux-image-4.4.0-138-powerpc-e500mc 4.4.0-138.164~14.04.1
linux-image-4.4.0-138-powerpc-smp 4.4.0-138.164~14.04.1
linux-image-4.4.0-138-powerpc64-emb 4.4.0-138.164~14.04.1
linux-image-4.4.0-138-powerpc64-smp 4.4.0-138.164~14.04.1
linux-image-aws 4.4.0.1032.32
linux-image-generic-lpae-lts-xenial 4.4.0.138.118
linux-image-generic-lts-xenial 4.4.0.138.118
linux-image-lowlatency-lts-xenial 4.4.0.138.118
linux-image-powerpc-e500mc-lts-xenial 4.4.0.138.118
linux-image-powerpc-smp-lts-xenial 4.4.0.138.118
linux-image-powerpc64-emb-lts-xenial 4.4.0.138.118
linux-image-powerpc64-smp-lts-xenial 4.4.0.138.118

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://usn.ubuntu.com/usn/usn-3797-2
https://usn.ubuntu.com/usn/usn-3797-1
CVE-2018-10938, CVE-2018-14734, CVE-2018-16658, CVE-2018-9363

Package Information:
https://launchpad.net/ubuntu/+source/linux-aws/4.4.0-1032.35
https://launchpad.net/ubuntu/+source/linux-lts-xenial/4.4.0-138.164~14.04.1

[USN-3796-3] Paramiko vulnerability

==========================================================================
Ubuntu Security Notice USN-3796-3
October 22, 2018

paramiko vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.10

Summary:

Paramiko could allow unintended access to network services.

Software Description:
- paramiko: Python SSH2 library

Details:

USN-3796-1 fixed a vulnerability in Paramiko. This update provides the
corresponding update for Ubuntu 18.10.

Original advisory details:

Daniel Hoffman discovered that Paramiko incorrectly handled authentication
when being used as a server. A remote attacker could use this issue to
bypass authentication without any credentials.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.10:
python-paramiko 2.4.1-0ubuntu3.1
python3-paramiko 2.4.1-0ubuntu3.1

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3796-3
https://usn.ubuntu.com/usn/usn-3796-1
CVE-2018-1000805

Package Information:
https://launchpad.net/ubuntu/+source/paramiko/2.4.1-0ubuntu3.1

[USN-3792-3] Net-SNMP vulnerability

==========================================================================
Ubuntu Security Notice USN-3792-3
October 22, 2018

net-snmp vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.10

Summary:

Net-SNMP could be made to crash if it received specially crafted network
traffic.

Software Description:
- net-snmp: SNMP (Simple Network Management Protocol) server and applications

Details:

USN-3792-1 fixed a vulnerability in Net-SNMP. This update provides the
corresponding update for Ubuntu 18.10.

Original advisory details:

It was discovered that Net-SNMP incorrectly handled certain crafted
packets. A remote attacker could possibly use this issue to cause Net-SNMP
to crash, resulting in a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.10:
libsnmp30 5.7.3+dfsg-1.8ubuntu3.18.10.1

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3792-3
https://usn.ubuntu.com/usn/usn-3792-1
CVE-2018-18065

Package Information:
https://launchpad.net/ubuntu/+source/net-snmp/5.7.3+dfsg-1.8ubuntu3.18.10.1

[USN-3795-2] libssh vulnerability

==========================================================================
Ubuntu Security Notice USN-3795-2
October 22, 2018

libssh vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.10

Summary:

libssh could allow unintended access to network services.

Software Description:
- libssh: A tiny C SSH library

Details:

USN-3795-1 fixed a vulnerability in libssh. This update provides the
corresponding update for Ubuntu 18.10.

Original advisory details:

Peter Winter-Smith discovered that libssh incorrectly handled
authentication when being used as a server. A remote attacker could use
this issue to bypass authentication without any credentials.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.10:
libssh-4 0.8.1-1ubuntu0.1

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3795-2
https://usn.ubuntu.com/usn/usn-3795-1
CVE-2018-10933

Package Information:
https://launchpad.net/ubuntu/+source/libssh/0.8.1-1ubuntu0.1

[USN-3790-2] Requests vulnerability

==========================================================================
Ubuntu Security Notice USN-3790-2
October 22, 2018

requests vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.10

Summary:

Requests could be made to expose sensitive information if it
received a specially crafted HTTP header.

Software Description:
- requests: elegant and simple HTTP library for Python

Details:

USN-3790-1 fixed vulnerabilities in Requests. This update provides
the corresponding update for Ubuntu 18.10.

Original advisory details:

 It was discovered that Requests incorrectly handled certain HTTP
 headers. An attacker could possibly use this issue to access sensitive
 information.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.10:
  python-requests                 2.18.4-2ubuntu0.18.10.1
  python3-requests                2.18.4-2ubuntu0.18.10.1

In general, a standard system update will make all the necessary
changes.
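Each of the USNs above (USN-3796-3, USN-3792-3, USN-3795-2 and USN-3790-2) ends with the same check: a host is covered once the installed package is at or above the listed version. The script below is an added example, not Ubuntu's own tooling. It implements dpkg's version ordering (epoch first, then the upstream part, then the Debian revision, with `~` sorting before everything and digit runs compared numerically) and audits a set of installed versions against the fixed versions quoted from the four notices. The `SAMPLE_INSTALLED` table is constructed for the example; on a real host the same dictionary would come from `dpkg-query -W -f='${Package} ${Version}\n'`. Carrying the comparison rule in code lets you audit an inventory exported from many hosts on a machine that has no dpkg at all.

```python
"""Check installed Debian/Ubuntu package versions against the fixed versions
listed in an Ubuntu Security Notice, using dpkg's version-ordering rules.

Added example; not part of the USN text or of any Ubuntu tooling.
"""
import string

DIGITS = string.digits
LETTERS = string.ascii_letters


def _order(c):
    """Weight of one non-digit character, mirroring dpkg's order():
    '~' sorts before everything (even end of string), letters sort before
    other characters, and end of string weighs 0 (see _verrevcmp)."""
    if c in DIGITS:
        return 0
    if c in LETTERS:
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two version fragments as dpkg does: alternate between runs of
    non-digits (compared character by character via _order) and runs of
    digits (compared numerically, leading zeros ignored)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and a[i] not in DIGITS) or (j < len(b) and b[j] not in DIGITS):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i] in DIGITS and j < len(b) and b[j] in DIGITS:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in DIGITS:   # a has more digits: numerically larger
            return 1
        if j < len(b) and b[j] in DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, _, revision = version.rpartition("-")
    if not upstream:            # no '-' at all: the whole string is the upstream part
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as version a is older than, equal to, or newer than b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        c = _verrevcmp(x, y)
        if c:
            return -1 if c < 0 else 1
    return 0


def is_patched(installed, fixed):
    """True when the installed version is at or above the advisory's fixed version."""
    return compare_versions(installed, fixed) >= 0


# Fixed versions for Ubuntu 18.10, quoted from the four USNs above.
FIXED_VERSIONS = {
    "python3-paramiko": "2.4.1-0ubuntu3.1",
    "libsnmp30": "5.7.3+dfsg-1.8ubuntu3.18.10.1",
    "libssh-4": "0.8.1-1ubuntu0.1",
    "python3-requests": "2.18.4-2ubuntu0.18.10.1",
}

# Constructed sample of what dpkg-query might report on a partially updated
# host; these installed versions are made up for the example.
SAMPLE_INSTALLED = {
    "python3-paramiko": "2.4.1-0ubuntu3",
    "libsnmp30": "5.7.3+dfsg-1.8ubuntu3.18.10.1",
    "libssh-4": "0.8.1-1",
    "python3-requests": "2.18.4-2ubuntu0.18.10.1",
}


def audit(installed=SAMPLE_INSTALLED, fixed=FIXED_VERSIONS):
    """Map each advisory package to True (patched), False (still vulnerable)
    or None (package not installed, so the advisory does not apply)."""
    return {pkg: (is_patched(installed[pkg], ver) if pkg in installed else None)
            for pkg, ver in fixed.items()}


if __name__ == "__main__":
    for pkg, ok in audit().items():
        state = "patched" if ok else ("NOT patched" if ok is False else "not installed")
        print(f"{pkg:20} {state}")
```

The sample run flags python3-paramiko and libssh-4 as still vulnerable and the other two as patched; a package absent from the inventory is reported as not installed rather than as a failure, since the advisory does not apply to it.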

References:
  https://usn.ubuntu.com/usn/usn-3790-2
  https://usn.ubuntu.com/usn/usn-3790-1
  CVE-2018-18074

Package Information:
  https://launchpad.net/ubuntu/+source/requests/2.18.4-2ubuntu0.18.10.1

[CentOS-announce] CESA-2018:2942 Critical CentOS 7 java-1.8.0-openjdk Security Update

CentOS Errata and Security Advisory 2018:2942 Critical

Upstream details at : https://access.redhat.com/errata/RHSA-2018:2942

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

x86_64:
9b0e9718995176baa60a1b6255be237c6e5c1a32b992d0ec9b9d6dfdd63e53dd java-1.8.0-openjdk-1.8.0.191.b12-0.el7_5.i686.rpm
de28afb2c6ac7ba0cabe579f18556d2db93dd353821f1afbd352c689e05d2594 java-1.8.0-openjdk-1.8.0.191.b12-0.el7_5.x86_64.rpm
ebb413d9754ce3802915fafbd5e8981b384695cc63ef6b36f2fc3a1d1dca0a3d java-1.8.0-openjdk-accessibility-1.8.0.191.b12-0.el7_5.i686.rpm
200695ef0188b557a215a07240521ec10ba9ae8a3c1bd24f9a538560667f9419 java-1.8.0-openjdk-accessibility-1.8.0.191.b12-0.el7_5.x86_64.rpm
20d43426186ccea7f314bb648e172ea005dc20d4ac1579f1055197c5f9d03167 java-1.8.0-openjdk-accessibility-debug-1.8.0.191.b12-0.el7_5.i686.rpm
58fe7e287e6109c7aef6fe6ff2157f5cf55bc480c363b08d0f1160a53c741298 java-1.8.0-openjdk-accessibility-debug-1.8.0.191.b12-0.el7_5.x86_64.rpm
f00fe6e02fd11d22ecd005467a3d290ded7da77fe12befc4f185c6348930084a java-1.8.0-openjdk-debug-1.8.0.191.b12-0.el7_5.i686.rpm
689bb6f3baf737044da0151c85a439c64e7510c2fd387b59a9e7e69c00f625a2 java-1.8.0-openjdk-debug-1.8.0.191.b12-0.el7_5.x86_64.rpm
0dccca8428044d48d68a14f05b33faf12bfa7e7538e542e697a4027074053b21 java-1.8.0-openjdk-demo-1.8.0.191.b12-0.el7_5.i686.rpm
0c2a3d25658ec786915729ded22d614befad39fd9760d30f728eb912ca4b4d01 java-1.8.0-openjdk-demo-1.8.0.191.b12-0.el7_5.x86_64.rpm
3d8a7d52c30d256d7121aab8b4c1ea890e873f65d1b567bced20dd4713d63add java-1.8.0-openjdk-demo-debug-1.8.0.191.b12-0.el7_5.i686.rpm
51edf6417f25ddec17820199829ea7ee023396dded46f0ecf4357ea69b78417c java-1.8.0-openjdk-demo-debug-1.8.0.191.b12-0.el7_5.x86_64.rpm
14da8e4faf28166a647f7e65f7142febe33b7172be1167a82983fff0d2af2d75 java-1.8.0-openjdk-devel-1.8.0.191.b12-0.el7_5.i686.rpm
656e24f21d2b5571656ca04543b71fc9289672d4823c3c2baa0c9c9e10f7a350 java-1.8.0-openjdk-devel-1.8.0.191.b12-0.el7_5.x86_64.rpm
897b6d04c02310e8911e4cd764501568334d5540698f7b191413d92fd9af3afd java-1.8.0-openjdk-devel-debug-1.8.0.191.b12-0.el7_5.i686.rpm
79f16d3c2a1b7f17f8656e45f5aff73f23faf3734029aad1cfe6f734f1dbbe98 java-1.8.0-openjdk-devel-debug-1.8.0.191.b12-0.el7_5.x86_64.rpm
75a66b41c490aaa5a937551bb55e4a1a0c7d8f62c9e6cb84e9a47e99f3581f50 java-1.8.0-openjdk-headless-1.8.0.191.b12-0.el7_5.i686.rpm
93d4359d53ad9fdd3c6bc185f354e58f1c1981476ac5079b10b1f3a7625c949b java-1.8.0-openjdk-headless-1.8.0.191.b12-0.el7_5.x86_64.rpm
d1d183dd5fc0aae33f47a01198b9d6a23bb396ac772cca5bfd58da2dd78923a6 java-1.8.0-openjdk-headless-debug-1.8.0.191.b12-0.el7_5.i686.rpm
944271660651618b66ce31cf9a79f9fd4e7c9e449de17e8fcc349a6eb0a6fdb7 java-1.8.0-openjdk-headless-debug-1.8.0.191.b12-0.el7_5.x86_64.rpm
6d19225f904e922baa53c9b0970a38757851a0a74f38fae777f1b71da4ef17c5 java-1.8.0-openjdk-javadoc-1.8.0.191.b12-0.el7_5.noarch.rpm
745cac8aedcd76e3c30d11e2eda2edac2eb9e8049603b8c044d51dd8509afdc5 java-1.8.0-openjdk-javadoc-debug-1.8.0.191.b12-0.el7_5.noarch.rpm
4f616aa6afc6c10f3f4945328c9240f5137fa46ee3e7259f8cc605a7e805514b java-1.8.0-openjdk-javadoc-zip-1.8.0.191.b12-0.el7_5.noarch.rpm
51323aab38ddd36f4728cb357e4fd333175aeac53df6ff154ff440ea092071cc java-1.8.0-openjdk-javadoc-zip-debug-1.8.0.191.b12-0.el7_5.noarch.rpm
c601c87a3c8a2379f3ab69d44ccb7d6eefd67dfa1b1debc494d30a6a4ce738a0 java-1.8.0-openjdk-src-1.8.0.191.b12-0.el7_5.i686.rpm
89499e98c3f7ef8e7804c237974c302ac7022708e0a199908c674928de742842 java-1.8.0-openjdk-src-1.8.0.191.b12-0.el7_5.x86_64.rpm
6bc179ef5abab92a4f46045cc10dc4348d2359bddaa5cdf85c86b2e9055f9a57 java-1.8.0-openjdk-src-debug-1.8.0.191.b12-0.el7_5.i686.rpm
0dc3e87d3c2fd2149d44250f654031b59023e312804a0ef689cd079fc9e6e4d5 java-1.8.0-openjdk-src-debug-1.8.0.191.b12-0.el7_5.x86_64.rpm

Source:
e98a223e70a66648032fee4515aa0ccd4c067a86e4cede1daf4e53974642a292 java-1.8.0-openjdk-1.8.0.191.b12-0.el7_5.src.rpm

--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS

_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
https://lists.centos.org/mailman/listinfo/centos-announce

[CentOS-announce] CESA-2018:2943 Critical CentOS 6 java-1.8.0-openjdk Security Update

CentOS Errata and Security Advisory 2018:2943 Critical

Upstream details at : https://access.redhat.com/errata/RHSA-2018:2943

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

i386:
10e294486f79da36e480a94314963c0f717e456e9012f7b06910fea207426df0 java-1.8.0-openjdk-1.8.0.191.b12-0.el6_10.i686.rpm
263fdc2d3ff25a6f22505624021937a5441a2590d233ffe64af12f4bb15ed717 java-1.8.0-openjdk-debug-1.8.0.191.b12-0.el6_10.i686.rpm
0720e6b37c2af702b40ff4a3be4d8359a13137d206dc58dbc8542b1e0d3df212 java-1.8.0-openjdk-demo-1.8.0.191.b12-0.el6_10.i686.rpm
b3dbc54235955614622f83e7c019ae09344099d7e39276d6585d5c80600d488f java-1.8.0-openjdk-demo-debug-1.8.0.191.b12-0.el6_10.i686.rpm
37000c7965df7f72b3df937148a57dc360851bfd1caa5d84af4ddfb6099d86ef java-1.8.0-openjdk-devel-1.8.0.191.b12-0.el6_10.i686.rpm
7c034a5e931f94ac96f67f7685b01ccf4c1a016789d9e6ceb2fd6873f82f408e java-1.8.0-openjdk-devel-debug-1.8.0.191.b12-0.el6_10.i686.rpm
f0cd73e105ec804bee3e94a0fc39af5ff160c0584df50fc5274802a036fc5f62 java-1.8.0-openjdk-headless-1.8.0.191.b12-0.el6_10.i686.rpm
92875f69d68f8c74f6a92c870e5274290d673a9a902e66b4b9ac891e7b1f4a13 java-1.8.0-openjdk-headless-debug-1.8.0.191.b12-0.el6_10.i686.rpm
104130bf5d4ed651bd1828f6657d3981d8d25049351fd37b5581a23a5ffc308d java-1.8.0-openjdk-javadoc-1.8.0.191.b12-0.el6_10.noarch.rpm
a763f67e250a3215b92c7b501d169cf7851a864b1f086ba1f9df8ce6505da9c8 java-1.8.0-openjdk-javadoc-debug-1.8.0.191.b12-0.el6_10.noarch.rpm
368dc1878f3de0dc4bd0db96cad65366101ffcfbe34fd21213bfbdfb708371c4 java-1.8.0-openjdk-src-1.8.0.191.b12-0.el6_10.i686.rpm
ed7d7a11c82daceabff7b535917d3949c2317c72ef371ae0c7c2478eea944535 java-1.8.0-openjdk-src-debug-1.8.0.191.b12-0.el6_10.i686.rpm

x86_64:
2d2c6d2a280e29239e43ab60c80593a39339301bf9bcda87e88a7e31de3ca0f7 java-1.8.0-openjdk-1.8.0.191.b12-0.el6_10.x86_64.rpm
bda285f5f4e207b90b159203f72ca8781aee4046a77b2a48c27c659933ac3982 java-1.8.0-openjdk-debug-1.8.0.191.b12-0.el6_10.x86_64.rpm
e408a1d98e6160f93ca1ef352fd6267bfaacf76899172a0107745f6b1c3534c0 java-1.8.0-openjdk-demo-1.8.0.191.b12-0.el6_10.x86_64.rpm
d6f8d3f0a49e0caf3aeaf13136456b7a605d8319fef057eb5648b351f8d8d8f2 java-1.8.0-openjdk-demo-debug-1.8.0.191.b12-0.el6_10.x86_64.rpm
45f67548838bf2d38bf4034fdde912c9508e54d3e430a5845d797eb1048c4461 java-1.8.0-openjdk-devel-1.8.0.191.b12-0.el6_10.x86_64.rpm
a2366bcd33a170bc6e558582ebf25e33c098924f639f9048915a76c82046bbf9 java-1.8.0-openjdk-devel-debug-1.8.0.191.b12-0.el6_10.x86_64.rpm
c8c235b12f05501925f0f7e984284f2028c6edc2d0ad4d8d35f8ace9838e1451 java-1.8.0-openjdk-headless-1.8.0.191.b12-0.el6_10.x86_64.rpm
619da945f3226c01f8cdb522050d00a3d5b7462632c4684eca049aaa80cea068 java-1.8.0-openjdk-headless-debug-1.8.0.191.b12-0.el6_10.x86_64.rpm
104130bf5d4ed651bd1828f6657d3981d8d25049351fd37b5581a23a5ffc308d java-1.8.0-openjdk-javadoc-1.8.0.191.b12-0.el6_10.noarch.rpm
a763f67e250a3215b92c7b501d169cf7851a864b1f086ba1f9df8ce6505da9c8 java-1.8.0-openjdk-javadoc-debug-1.8.0.191.b12-0.el6_10.noarch.rpm
60db35ba2dbe7a5f76f627dfb2d70dde0952f7d2b4d9fb8ab990435c02eb3f43 java-1.8.0-openjdk-src-1.8.0.191.b12-0.el6_10.x86_64.rpm
810e2ab3386ee551a8e04192ae00d7e91d6f71b19caf3e2a829580ba9c5d786a java-1.8.0-openjdk-src-debug-1.8.0.191.b12-0.el6_10.x86_64.rpm

Source:
ca59253e2ebe94076af3f4188ea82542cbce3538326d9078c663c079096b8dbb java-1.8.0-openjdk-1.8.0.191.b12-0.el6_10.src.rpm
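Both CentOS announcements above publish their file lists as `( sha256sum Filename )` lines grouped under architecture headers, which is what you check a mirror download against before installing. The script below is an added example, not CentOS project tooling: it parses that list format (skipping the `x86_64:` / `Source:` headers and rejecting malformed digests), hashes each file in a download directory, and reports every entry as ok, mismatch or missing. The `demo()` function builds a constructed directory with made-up file names and contents in a temporary folder so the check runs offline; point `verify_directory` at the real download directory and the announcement text to use it for real.

```python
"""Verify downloaded RPMs against the '( sha256sum Filename )' list in a
CentOS errata announcement. Added example; not CentOS project tooling.
"""
import hashlib
import hmac
import os
import tempfile

HEX = set("0123456789abcdef")


def parse_manifest(text):
    """Turn the announcement's 'sha256 filename' lines into {filename: digest}.
    Architecture headers such as 'x86_64:' and blank lines are skipped; a
    malformed line is an error rather than a silently dropped entry."""
    manifest = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.endswith(":"):
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<sha256> <filename>'")
        digest, name = parts[0].lower(), parts[1]
        if len(digest) != 64 or set(digest) - HEX:
            raise ValueError(f"line {lineno}: bad sha256 digest for {name}")
        manifest[name] = digest
    return manifest


def sha256_file(path, chunk=1 << 16):
    """Hex SHA-256 of a file, streamed so large RPMs are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_directory(manifest, directory):
    """Return {filename: 'ok' | 'mismatch' | 'missing'} for every manifest entry."""
    results = {}
    for name, expected in manifest.items():
        path = os.path.join(directory, os.path.basename(name))
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        # compare_digest is a constant-time comparison; a habit worth keeping
        # even where, as here, timing is not attacker-observable.
        results[name] = "ok" if hmac.compare_digest(sha256_file(path), expected) else "mismatch"
    return results


def demo():
    """Build a constructed download directory plus manifest in a temp dir and
    verify it. File names, contents and digests are made up for the example."""
    with tempfile.TemporaryDirectory() as d:
        good = b"constructed rpm payload A\n"
        altered = b"constructed rpm payload B, altered in transit\n"
        with open(os.path.join(d, "pkg-good.rpm"), "wb") as f:
            f.write(good)
        with open(os.path.join(d, "pkg-tampered.rpm"), "wb") as f:
            f.write(altered)
        manifest_text = (
            "x86_64:\n"
            f"{hashlib.sha256(good).hexdigest()} pkg-good.rpm\n"
            f"{'0' * 64} pkg-tampered.rpm\n"    # placeholder for the published digest; file differs
            "\n"
            "Source:\n"
            f"{'f' * 64} pkg-absent.src.rpm\n"  # listed in the announcement, never downloaded
        )
        return verify_directory(parse_manifest(manifest_text), d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

A mismatch is the result to act on: it means the file on disk is not the one the announcement describes, whether because of a partial download, a stale mirror, or tampering, and it should not be installed until a clean copy verifies.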

--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS
