Unix News Tutorials Events and Stuff: November 2018

Friday, November 30, 2018

Fedora 27 End Of Life

Hi,

As of the 30th of November 2018, Fedora 27 has reached its end of life

for updates and support. No further updates, including security

updates, will be available for Fedora 27. Fedora 28 will continue to receive

updates until 4 weeks after the release of Fedora 30.

The maintenance schedule of Fedora releases is documented on the

Fedora Project wiki [0]. The Fedora Project wiki also contains

instructions [1] on how to upgrade from a previous release of Fedora

to a version receiving updates.

Regards,

Mohan Boddu.

[0]https://fedoraproject.org/wiki/Fedora_Release_Life_Cycle#Maintenance_Schedule

[1]https://fedoraproject.org/wiki/Upgrading?rd=DistributionUpgrades

Bugzilla outage/upgrade delayed until 9 December 2018

The upgrade of bugzilla.redhat.com has been delayed a week. It will
now be done on 9 December 2018 from 0:00 to 12:00 UTC.

On Mon, Nov 26, 2018 at 10:57 AM Ben Cotton <bcotton@redhat.com> wrote:

> If you haven't seen the banner at the top of bugzilla.redhat.com, it
> is scheduled to undergo an upgrade from Bugzilla 4 to Bugzilla 5 on
> December 2 2018. The outage will begin on 2 December at 0:00 UTC and
> end on 2 December at 12:00 UTC.
>
> For more information on Bugzilla 5, see:
> https://partner-bugzilla.redhat.com/page.cgi?id=whats-new.html
> https://partner-bugzilla.redhat.com/page.cgi?id=release-notes.html
>
> Bugzilla 5.0 introduces a new REST endpoint to replace XML-RPC and
> JSON-RPC. The XML-RPC and JSON-RPC APIs will remain available.
>

--
Ben Cotton
Fedora Program Manager
TZ=America/Indiana/Indianapolis
_______________________________________________
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org

[USN-3833-1] Linux kernel (AWS) vulnerabilities

==========================================================================
Ubuntu Security Notice USN-3833-1
November 30, 2018

linux-aws vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems

Details:

Jann Horn discovered that the Linux kernel mishandles mapping UID or GID
ranges inside nested user namespaces in some situations. A local attacker
could use this to bypass access controls on resources outside the
namespace. (CVE-2018-18955)

Philipp Wendler discovered that the overlayfs implementation in the Linux
kernel did not properly verify the directory contents permissions from
within a unprivileged user namespace. A local attacker could use this to
expose sensitive information (protected file names). (CVE-2018-6559)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
linux-image-4.15.0-1029-aws 4.15.0-1029.30
linux-image-aws 4.15.0.1029.29

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://usn.ubuntu.com/usn/usn-3833-1
CVE-2018-18955, CVE-2018-6559

Package Information:
https://launchpad.net/ubuntu/+source/linux-aws/4.15.0-1029.30

[USN-3832-1] Linux kernel (AWS) vulnerabilities

==========================================================================
Ubuntu Security Notice USN-3832-1
November 30, 2018

linux-aws vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.10

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems

Details:

Jann Horn discovered that the procfs file system implementation in the
Linux kernel did not properly restrict the ability to inspect the kernel
stack of an arbitrary task. A local attacker could use this to expose
sensitive information. (CVE-2018-17972)

Jann Horn discovered that the mremap() system call in the Linux kernel did
not properly flush the TLB when completing, potentially leaving access to a
physical page after it has been released to the page allocator. A local
attacker could use this to cause a denial of service (system crash), expose
sensitive information, or possibly execute arbitrary code. (CVE-2018-18281)

It was discovered that the BPF verifier in the Linux kernel did not
correctly compute numeric bounds in some situations. A local attacker could
use this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2018-18445)

Daniel Dadap discovered that the module loading implementation in the Linux
kernel did not properly enforce signed module loading when booted with UEFI
Secure Boot in some situations. A local privileged attacker could use this
to execute untrusted code in the kernel. (CVE-2018-18653)

Jann Horn discovered that the Linux kernel mishandles mapping UID or GID
ranges inside nested user namespaces in some situations. A local attacker
could use this to bypass access controls on resources outside the
namespace. (CVE-2018-18955)

Philipp Wendler discovered that the overlayfs implementation in the Linux
kernel did not properly verify the directory contents permissions from
within a unprivileged user namespace. A local attacker could use this to
expose sensitive information (protected file names). (CVE-2018-6559)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.10:
linux-image-4.18.0-1006-aws 4.18.0-1006.7
linux-image-aws 4.18.0.1006.6

After a standard system update you need to reboot your computer to make
all the necessary changes.
XXX MAYBE WITH XXX
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://usn.ubuntu.com/usn/usn-3832-1
CVE-2018-17972, CVE-2018-18281, CVE-2018-18445, CVE-2018-18653,
CVE-2018-18955, CVE-2018-6559

Package Information:
https://launchpad.net/ubuntu/+source/linux-aws/4.18.0-1006.7

[USN-3832-1] Linux kernel (AWS) vulnerabilities

Thursday, November 29, 2018

OpenBSD Errata: November 29th, 2018 (qcow2)

Errata patches for vmd have been released for OpenBSD 6.4.

Writing more than 4GB to a qcow2 volume corrupts the virtual disk.

Binary updates for the amd64 and i386 platforms are available via the
syspatch utility. Source code patches can be found on the errata page:

https://www.openbsd.org/errata64.html

After patching, restart the vmd service.

OpenBSD Errata: November 29th, 2018 (smtpd)

Errata patches for OpenSMTPD have been released for OpenBSD 6.4.

The mail.mda and mail.lmtp delivery agents were not reporting temporary
failures correctly, causing smtpd to bounce messages in some cases where
it should have retried them.

Binary updates for the amd64, i386, and arm64 platforms are available
via the syspatch utility. Source code patches can be found on the errata
page:

https://www.openbsd.org/errata64.html

After patching, restart the smtpd service.

OpenBSD Errata: November 29th, 2018 (uipc)

Errata patches for the kernel have been released for OpenBSD 6.3 and 6.4.

UNIX domain sockets leak kernel memory with MSG_PEEK on SCM_RIGHTS, or can
attempt excessive memory allocations leading to a crash.

Binary updates for the amd64, i386, and arm64 platforms are available
via the syspatch utility. Source code patches can be found on the
respective errata page:

https://www.openbsd.org/errata63.html
https://www.openbsd.org/errata64.html

As these affect the kernel, a reboot will be needed after patching.

OpenBSD Errata: November 29th, 2018 (perl)

Errata patches for perl have been released for OpenBSD 6.3 and 6.4.

Various overflows exist in perl.

Binary updates for the amd64, i386, and arm64 platforms are available
via the syspatch utility. Source code patches can be found on the
respective errata page:

https://www.openbsd.org/errata63.html
https://www.openbsd.org/errata64.html

Fedora 30 Self-Contained Change proposal: Migrate Python-based Nautilus extensions to Python 3

https://fedoraproject.org/wiki/Changes/NautilusExtensionsPython3

The Python backend for the nautilus-python extension will be updated
from python2 to python3. All Nautilus extensions written in Python
will need to be checked for Python 3 compatibility and updated if
necessary. Extensions compatible only with Python 2 will no longer be
supported.

## Owner

Name: Kalev Lember, Frank Dana
Email: klember@redhat.com, ferdnyc@gmail.com
Release notes owner:

## Detailed Description

The nautilus-python package allows Nautilus extensions to be written
in the Python scripting language. In Fedora releases up to and
including Fedora 29, these extensions were executed in a Python 2
environment. With the general move to Python 3 as Fedora's default
Python runtime and the impending deprecation of Python 2,
nautilus-python will execute extension code in a Python 3 context.
Compatibility with Python 3 will be required for all Python-based
Nautilus extensions.

(Note: In Fedora 28 the nautilus-python package was named
python2-nautilus. For Fedora 29 the name has been reverted to
nautilus-python to better indicate its status as a Nautilus
component.)

## Benefit to Fedora

In addition to eliminating nautilus-python's direct dependency on
Python 2, this change will remove all Python-based Nautilus extensions
from the list of Fedora components which still require the legacy
Python 2 interpreter (which has been deprecated, and is slated for
removal). It will allow us to ensure that all Python-based Nautilus
extensions still in use are fully compatible with Python 3.

## Scope

Proposal owners: Build nautilus-python with Python 3 support and deploy.

Other developers: N/A (not a System Wide Change)

Release engineering: N/A (not a System Wide Change)

List of deliverables: N/A (not a System Wide Change)

Policies and guidelines: N/A (not a System Wide Change)

Trademark approval: N/A (not needed for this Change)

## Upgrade/compatibility impact

N/A (not a System Wide Change)

## How To Test

Launch the Nautilus file manager and verify that any functionality
provided by Python-based extensions is still available.

## User Experience

As long as Python 3 compatibility is verified for all Nautilus Python
extensions, users will see no impact from this change. If any
extensions are not compatible with Python 3 and must be removed, users
may notice loss of certain functionality from Nautilus.

## Dependencies

Any Nautilus extensions which use nautilus-python will have to be
checked for Python 3 compatibility. Repackaging should not be
necessary, as the nautilus-python dependency Required by those
packages will be carried forward to Python 3 builds.

The list of packages in the Fedora 29 repos which depend on
nautilus-python is, as of 2018-11-08:

kde-connect-nautilus
nautilus-font-manager
nautilus-pastebin
nautilus-phatch
nextcloud-client-nautilus
nitroshare-extension-nautilus
onionshare
owncloud-client-nautilus
qdigidoc-nautilus
rabbitvcs-nautilus
tilix-nautilus
tortoisehg-nautilus

## Contingency Plan

Continue shipping builds of nautilus-python based on Python 2.

--
Ben Cotton
Fedora Program Manager
TZ=America/Indiana/Indianapolis
_______________________________________________
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org

[USN-3795-3] libssh regression

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEUMSg3c8x5FLOsZtRZWnYVadEvpMFAlwAEdQACgkQZWnYVadE
vpMW8w//WSQ4ADYEyR4K8OPLzKO4u9n6VQ+QJUQxQ4UCkG3dVg8B9BxXgVrGhnID
1qcDjrZc8LTVoZTi2siwCLaujdZyuxFsTSsHUsAyjPPNQIfAI1uOxNvZjXeN3/5Z
kAKy/7so/oL2TaNwvVTqsr13Be3neKgxduAFs3LSntBS6gcJOVqhiqMtWuz+4Q91
qCsW9OoN1xZ2CRdiNFz37+BPA2vFvLqyNVbzwu8DGRe/4UHuv1PLfg1nS+0+Ph45
+3B59CtG9FDu68LieAPyQgNPyU0R/z1JZPNsiGuoC+wioaDlmbXDcW6kICMGp06P
T+4kofMfMw3Obtk/R1EjhXd+GkIZRoiWlUM+LqTjRZHoJ0WIPSGdddshTz5egIGB
UDBGUuQi4sVwzE/iAO6Fcy93VAZeBDNlJHDuhEglS8VNuUnosTGOIheSvSTeUE22
gB9EN0LZpOD7ifpQG8X1bjI6IP0QsmnXj/ADPqjGTWPfpP/MdJp1nmbA+HDbDFu6
Z0+inpelOZ4HU2si+tD3NclGm8yqc+jj3+YxpdNoJQoVpb3tebNCp09Kmtrt9dIM
zMi6pnrxcNEC5us4MNmZMOEng5eQ8JZJK79MDVlJNEBL61AUdSwmr/3kBj4Tj6I2
Nr6H+dA5nBMtF5/Beqp7oYUr7Vibr0MjVVloVKAEpWbhu959Coc=
=MTzE
-----END PGP SIGNATURE-----
==========================================================================
Ubuntu Security Notice USN-3795-3
November 29, 2018

libssh regression
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

USN-3795-1 and USN-3795-2 introduced a regression in libssh.

Software Description:
- libssh: A tiny C SSH library

Details:

USN-3795-1 and USN-3795-2 fixed a vulnerability in libssh. The upstream
fix introduced a regression. This update fixes the problem.

Original advisory details:

Peter Winter-Smith discovered that libssh incorrectly handled
authentication when being used as a server. A remote attacker could use
this issue to bypass authentication without any credentials.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.10:
libssh-4 0.8.1-1ubuntu0.3

Ubuntu 18.04 LTS:
libssh-4 0.8.0~20170825.94fa1e38-1ubuntu0.2

Ubuntu 16.04 LTS:
libssh-4 0.6.3-4.3ubuntu0.2

Ubuntu 14.04 LTS:
libssh-4 0.6.1-0ubuntu3.5

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3795-3
https://usn.ubuntu.com/usn/usn-3795-1
https://launchpad.net/bugs/1805348

Package Information:
https://launchpad.net/ubuntu/+source/libssh/0.8.1-1ubuntu0.3
https://launchpad.net/ubuntu/+source/libssh/0.8.0~20170825.94fa1e38-1ubuntu0.2
https://launchpad.net/ubuntu/+source/libssh/0.6.3-4.3ubuntu0.2
https://launchpad.net/ubuntu/+source/libssh/0.6.1-0ubuntu3.5

[USN-3831-1] Ghostscript vulnerabilities

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEUMSg3c8x5FLOsZtRZWnYVadEvpMFAlv/7DcACgkQZWnYVadE
vpMIrhAAppjyKGkiBH3lJ/3Jz+GjczBCu3gOl9DkT9o8zslKN3rLmrAkyqEFy1yD
AcE1MfZdk/XNkjb5ZFSj4WemJVaUS+QvnjgbtEgYZem6PpXR8oPjuuHQ8VcJLm0t
ZpKz+v24sQxzLvgGbiMt3Lg2NEahTow+xqql79HAtFMzs7DJq/Cv92EiTIZJJ0bq
xBy2lEBidyAkf3P/VnMkfAJG59tUQ5BXslNLT7mfQWkuPtS1tC7vyLIPY8jfyBcT
CFcgWvkEXwlf7QkwJnfTJ5HUcuB4x9txIXFvcvSY7y4IsuHs/cMw/tgZQHQB5Vgg
rIHuYkK3Qh86LdQcZVGiblwD9zvjHGV6lvWMAxrLJCmBRHrbDLvQIGTPHDMPQklx
2KdDqg0DTwHBAE+TYar2mfTh7eUevyKz/v1LONWy7RCjbwWFG98Rks0br0gMMa2H
8c1y9x2IZzzecitGIGf8AkNfFfExVr4aKNdApISLtvyXc1QBiOkDfQYmLi/+BCdp
zSJ369KkWCWwKvJ/KwSYKgrGBsE9XB7G32WZYJ/UWh4j0jprk4FNRTIlzJ6P6Qta
+XG6BdeSh+ix0Z6egvvoOf2DaYx3iqebj98xnNJ8LDWj3PIyZpU1PkEerP8L3dHB
kS6lw202XdRlTtzCBM2cKCQc+zXAeriKiIjt92gUEKU5Btm852Q=
=9MS5
-----END PGP SIGNATURE-----
==========================================================================
Ubuntu Security Notice USN-3831-1
November 29, 2018

ghostscript vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in Ghostscript.

Software Description:
- ghostscript: PostScript and PDF interpreter

Details:

It was discovered that Ghostscript contained multiple security issues. If a
user or automated system were tricked into processing a specially crafted
file, a remote attacker could possibly use these issues to access arbitrary
files, execute arbitrary code, or cause a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.10:
ghostscript 9.26~dfsg+0-0ubuntu0.18.10.1
libgs9 9.26~dfsg+0-0ubuntu0.18.10.1

Ubuntu 18.04 LTS:
ghostscript 9.26~dfsg+0-0ubuntu0.18.04.1
libgs9 9.26~dfsg+0-0ubuntu0.18.04.1

Ubuntu 16.04 LTS:
ghostscript 9.26~dfsg+0-0ubuntu0.16.04.1
libgs9 9.26~dfsg+0-0ubuntu0.16.04.1

Ubuntu 14.04 LTS:
ghostscript 9.26~dfsg+0-0ubuntu0.14.04.1
libgs9 9.26~dfsg+0-0ubuntu0.14.04.1

This update uses a new upstream release, which includes additional bug
fixes. In general, a standard system update will make all the necessary
changes.

References:
https://usn.ubuntu.com/usn/usn-3831-1
CVE-2018-19409, CVE-2018-19475, CVE-2018-19476, CVE-2018-19477

Package Information:
https://launchpad.net/ubuntu/+source/ghostscript/9.26~dfsg+0-0ubuntu0.18.10.1
https://launchpad.net/ubuntu/+source/ghostscript/9.26~dfsg+0-0ubuntu0.18.04.1
https://launchpad.net/ubuntu/+source/ghostscript/9.26~dfsg+0-0ubuntu0.16.04.1
https://launchpad.net/ubuntu/+source/ghostscript/9.26~dfsg+0-0ubuntu0.14.04.1

Wednesday, November 28, 2018

Fedora 30 System-Wide Change proposal: Ruby 2.6

https://fedoraproject.org/wiki/Changes/Ruby_2.6

== Summary ==
Ruby 2.6 is the latest stable version of Ruby. Many new features and
improvements are included for the increasingly diverse and expanding
demands for Ruby. With this major update from Ruby 2.5 in Fedora 29 to
Ruby 2.6 in Fedora 30, Fedora becomes the superior Ruby development
platform.

== Owner ==
* Name: [[User:vondruch| Vít Ondruch]], [[User:pvalena| Pavel Valena]]
* Email: vondruch@redhat.com, pvalena@redhat.com

== Detailed Description ==
Ruby 2.6 is upstream's new major release of Ruby. Many new features
and improvements are included.

=== JIT ===

Ruby 2.6 introduces an initial implementation of JIT (Just-in-time) compiler.

JIT compiler aims to improve performance of any Ruby program
execution. Unlike ordinary JIT compilers for other languages, Ruby's
JIT compiler does JIT compilation in a unique way, which prints C code
to a disk and spawns common C compiler process to generate native
code.

The main purpose of this JIT release is to provide a chance to check
if it works for your platform and to find out security risks before
the 2.6 release. JIT compiler is supported when Ruby is built by GCC,
Clang, or Microsoft VC++, which needs to be available on runtime.
Otherwise you can't use it for now.

As of Ruby 2.6.0 preview3, we achieved 1.7x faster performance than
Ruby 2.5 on CPU-intensive non-trivial benchmark workload called
Optcarrot. The performance on memory-intensive workload like Rails
application are going to be improved as well.

=== RubyVM::AST [Experimental] ===

Ruby 2.6 introduces `RubyVM::AST` module.

This module has `parse` method which parses a given ruby code of
string and returns AST (Abstract Syntax Tree) nodes, and `parse_file`
method which parses a given ruby code file and returns AST nodes.
`RubyVM::AST::Node` class is also introduced. You can get location
information and children nodes from `Node` objects. This feature is
experimental. Compatibility of the structure of AST nodes are not
guaranteed.

=== New Features ===

* Add a new alias `then` to `Kernel#yield_self`.
* Add `Random.bytes`.
* Add `Binding#source_location`. This method returns the source
location of binding, a 2-element array of __FILE__ and __LINE__.
* Add `:exception` option to let `Kernel.#system` raise error instead
of returning `false`.
* Add a new alias then to `Kernel#yield_self`.
* `else` without `rescue` now causes a syntax error. [EXPERIMENTAL]
* Constant names may start with a non-ASCII capital letter.
* An endless range, (1..), is introduced. It works as it has no end.

=== Performance improvements ===

* Speedup `Proc#call` because we don't need to care about $SAFE any
more. With `lc_fizzbuzz` benchmark it makes x1.4 speed improvement.
* Speedup `block.call` where block is passed block parameter. Ruby 2.6
improves the performance of passed block calling. There can observed
2.6x improvement with micro-benchmarks.
* Transient Heap (theap) is introduced. theap is managed heap for
short-living memory objects which are pointed by specific classes. For
example, making small and short-living Hash object is x2 faster. With
rdoc benchmark, 6-7% performance improvement is observed.

=== Other notable changes since 2.5 ===

* `$SAFE` is a process global state and we can set `0` again.
* Passing `safe_level` to `ERB.new` is deprecated. `trim_mode` and
`eoutvar` arguments are changed to keyword arguments.
* Merged RubyGems 3.0.0.beta2.
* Merge Bundler as default gem.

== Benefit to Fedora ==

With a latest release, Ruby language is supporting the newest language
features, which enables even faster and easier development of Ruby
applications.

== Scope ==
* Proposal owners:
** Finish packaging of Ruby 2.6. Current changes available in PR
https://src.fedoraproject.org/rpms/ruby/pull-request/32
** Rebuilding of Ruby packages providing native extensions (i.e.
packages which depends on libruby).
.

* Other developers:
** Rebuild of packages with binary extensions (i.e. packages which
depends on libruby) will be handled automatically, but some packages
might need fixes/updates to support Ruby 2.6 properly.

* Release engineering: [https://pagure.io/releng/issue/7936 #7936]
** Separate Koji tag for package rebuild will be needed.
* Policies and guidelines: N/A
* Trademark approval: N/A (not needed for this Change)

== Upgrade/compatibility impact ==
* User specific Ruby binary extensions need to be rebuild.

== How To Test ==
* No special hardware is needed.
* To test, install Ruby 2.6. The test builds are pusblished in PR or
on Ruby-SIG ML
* Try to locally rebuild your packages using Ruby 2.6.
* Use the packages with your applications previously written in Ruby.
* If something doesn't work as it should, let us know.

== User Experience ==
The Ruby programs/scripts should behave as they were used to.

== Dependencies ==
<pre>
$ dnf repoquery --disablerepo=* --enablerepo=rawhide
--enablerepo=rawhide-source --arch=src --whatrequires 'ruby-devel' |
sort | uniq | wc -l
156
</pre>

== Contingency Plan ==
* Contingency deadline: Mass Rebuild
* Blocks release? No
* Blocks product? No

== Documentation ==
* [http://www.ruby-doc.org/ Help and documentation for the Ruby
programming language]
* [https://github.com/ruby/ruby/blob/v2_6_0_preview3/NEWS Ruby
2.6.0.preview3 NEWS]

== Release Notes ==
* The Ruby 2.6 bumps soname, therefore Ruby packages, which use binary
extensions, should be rebuilt. Nevertheless, since upstream paid great
attention to source compatibility, no changes to your code are needed.

https://github.com/ruby/ruby/blob/trunk/NEWS

--
Ben Cotton
Fedora Program Manager
TZ=America/Indiana/Indianapolis
_______________________________________________
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org

[HEADS UP] Rawhide buildroot now has glibc-minimal-langpack instead

Hello,

the removal of glibc-all-langpacks from the buildroot[0] is done.
Standard buildroot has decreased from 445 to 237 megabytes in
installed size ;)

Before:
DEBUG util.py:439: Install 146 Packages
DEBUG util.py:439: Total download size: 86 M
DEBUG util.py:439: Installed size: 445 M

After:
DEBUG util.py:439: Install 146 Packages
DEBUG util.py:439: Total download size: 61 M
DEBUG util.py:439: Installed size: 237 M

All thanks go to zbyszek and mboddu :champagne:!

[0]https://fedoraproject.org/wiki/Changes/Remove_glibc-langpacks-all_from_buildroot
_______________________________________________
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org

[FreeBSD-Announce] Interim support guarantee for FreeBSD 12

Dear FreeBSD community,

The Core Team, in consultation with Release Engineering, the Security
Team, and Port Manager has decided that we need to reevaluate the 5-year
support of stable branches starting with stable/12. A changed security
landscape, increased toolchain velocity, and shorter support windows for
our upstream components necessitate this reevaluation.

We will be leading discussions on updating our support model, with the
goal of making the model sustainable for the Project. These
discussions, which will include opportunities for community feedback,
will be complete by March 31, 2019.

Regardless of the outcome of the discussions, we guarantee support for
the stable/12 branch for at least 18 months, or at least 6 months after
13.0 is released, whichever is later. Again, these are minimum
durations for the stable/12 branch support and they will not be reduced.

After these discussions are complete, there will be a revised statement
about the stable/12 branch lifetime.

Release Engineering, the Security Team, Port Manager, and the Core Team

[USN-3830-1] OpenJDK regression

==========================================================================
Ubuntu Security Notice USN-3830-1
November 28, 2018

openjdk-8, openjdk-lts regression
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

USN-3804-1 introduced a regression in OpenJDK.

Software Description:
- openjdk-lts: Open Source Java implementation
- openjdk-8: Open Source Java implementation

Details:

USN-3804-1 fixed vulnerabilities in OpenJDK. Unfortunately, that update
introduced a regression when validating JAR files that prevented Java
applications from finding classes in some situations. This update
fixes the problem.

We apologize for the inconvenience.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
openjdk-11-jdk 10.0.2+13-1ubuntu0.18.04.4
openjdk-11-jre 10.0.2+13-1ubuntu0.18.04.4
openjdk-11-jre-headless 10.0.2+13-1ubuntu0.18.04.4

Ubuntu 16.04 LTS:
openjdk-8-jdk 8u191-b12-0ubuntu0.16.04.1
openjdk-8-jre 8u191-b12-0ubuntu0.16.04.1
openjdk-8-jre-headless 8u191-b12-0ubuntu0.16.04.1
openjdk-8-jre-jamvm 8u191-b12-0ubuntu0.16.04.1

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any Java
applications or applets to make all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3830-1
https://usn.ubuntu.com/usn/usn-3804-1
https://launchpad.net/bugs/1800792

Package Information:
https://launchpad.net/ubuntu/+source/openjdk-lts/10.0.2+13-1ubuntu0.18.04.4
https://launchpad.net/ubuntu/+source/openjdk-8/8u191-b12-0ubuntu0.16.04.1

Tuesday, November 27, 2018

[USN-3829-1] Git vulnerabilities

==========================================================================
Ubuntu Security Notice USN-3829-1
November 27, 2018

git vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in Git.

Software Description:
- git: fast, scalable, distributed revision control system

Details:

It was discovered that Git incorrectly handled layers of tree objects.
An attacker could possibly use this issue to cause a denial of service.
This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS.
(CVE-2017-15298)

It was discovered that Git incorrectly handled certain inputs.
An attacker could possibly use this issue to execute arbitrary code.
This issue only affected Ubuntu 18.04 LTS and Ubuntu 18.10.
(CVE-2018-19486)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.10:
git                             1:2.19.1-1ubuntu1.1

Ubuntu 18.04 LTS:
git                             1:2.17.1-1ubuntu0.4

Ubuntu 16.04 LTS:
git                             1:2.7.4-0ubuntu1.6

Ubuntu 14.04 LTS:
git                             1:1.9.1-1ubuntu0.10

In general, a standard system update will make all the necessary
changes.

References:
https://usn.ubuntu.com/usn/usn-3829-1
CVE-2017-15298, CVE-2018-19486

Package Information:
https://launchpad.net/ubuntu/+source/git/1:2.19.1-1ubuntu1.1
https://launchpad.net/ubuntu/+source/git/1:2.17.1-1ubuntu0.4
https://launchpad.net/ubuntu/+source/git/1:2.7.4-0ubuntu1.6
https://launchpad.net/ubuntu/+source/git/1:1.9.1-1ubuntu0.10

[FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-18:13.icmp

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-EN-18:13.icmp Errata Notice
The FreeBSD Project

Topic: ICMP buffer underwrite

Category: core
Module: kernel
Announced: 2018-11-27
Affects: All supported versions of FreeBSD.
Corrected: 2018-11-08 21:58:51 UTC (stable/11, 11.2-STABLE)
2018-11-27 19:43:16 UTC (releng/11.2, 11.2-RELEASE-p5)
CVE Name: CVE-2018-17156

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.

I. Background

ICMP messages are control messages used to send error messages and
operational information.

II. Problem Description

The icmp_error routine allocates either an mbuf or a cluster depending on the
size of the data to be quoted in the ICMP reply, but the calculation failed
to account for additional padding on 64-bit platforms when using a
non-default sysctl value for net.inet.icmp.quotelen.

III. Impact

For systems that set net.inet.icmp.quotelen to a non-default value, a buffer
underwrite condition occurs.

IV. Workaround

Reset net.inet.icmp.quotelen to default value of 8 using sysctl(8):

# sysctl net.inet.icmp.quotelen=8

V. Solution

Perform one of the following:

1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.

Afterwards, reboot the system.

2) To update your system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterwards, reboot the system.

3) To update your system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 11.2]
# fetch https://security.FreeBSD.org/patches/EN-18:13/icmp.patch
# fetch https://security.FreeBSD.org/patches/EN-18:13/icmp.patch.asc
# gpg --verify icmp.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI. Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path Revision
- -------------------------------------------------------------------------
stable/11/ r340268
releng/11.2/ r341089
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

<other info on the problem>

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17156>

<URL:https://www.reddit.com/r/BSD/comments/9v6xwg/remotely_triggerable_icmp_buffer_underwrite_in/>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-18:13.icmp.asc>
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlv9n+FfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cKLuRAAqkua0loRn3k5N5OjGl1MFMiCX3Yg7pu7oQ0N/ZifqDOt8B8slp4+qjSO
VyH07EFrk5FTz2WKXShqWcdZAL8+dBUHQaMATBI++ORiPBE+lBjYCZ1/+wrw7ie4
bOjJ4F0d/4ijs+qkt/T0hFBPGMVbF8Xafbm29P6H0mjYPNSID64g+TQacVVUQfhN
aLXCfkXFXusbOzFT0DRY8vy+SdsV2anqo3979W4G//+ytGvvwxqy6g+8N8CphUSM
3vxCSvNxkd5o0C5EY53QbwueZ3A4nCnQQwGB2AFQnN9fDT1genIPzGjo0fQ8iY36
lQiSeEg9VVSMLRiey8ix7JlLShVCUADt3dNamSMJiNz4Vo4dAjD4tKNPDGFfKhoQ
edUEDTSBbqtN8BbW2e/hiHZSu6vQmXwgI6tKtuEcKPHZbnW/wr+XzyrwcwYBXsNA
xK1aGokHr7W0T2FTOZ9b9i4mfZLL8gfr70FBi7/INEbmQYPDylT2VCsoQO7Wox8o
uhbXRxtlwZ1ix3POlhzTotjJSou8ny2PZnBVzu/64fGbIFWS4bCk35HmRIlN4lt6
ViAGBFJprJpcitFhOX51SBEgh689LKOuVUmucO2rpXAg53XzUR1xCvC3O2uY78AU
fHp/0Gro0HeA45NY8zqQgv0VjbjTXw9mBOi2WCI9EKo+G3cYjOg=
=kqz6
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-announce@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-announce
To unsubscribe, send any mail to "freebsd-announce-unsubscribe@freebsd.org"

[FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-18:14.tzdata

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-EN-18:14.tzdata Errata Notice
The FreeBSD Project

Topic: Timezone database information update

Category: contrib
Module: zoneinfo
Announced: 2018-11-27
Credits: Philip Paeps
Affects: All supported versions of FreeBSD.
Corrected: 2018-10-31 02:01:28 UTC (stable/11, 11.2-STABLE)
2018-11-27 19:44:39 UTC (releng/11.2, 11.2-RELEASE-p5)

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.

I. Background

The tzsetup(8) program allows the user to specify the default local timezone.
Based on the selected timezone, tzsetup(8) copies one of the files from
/usr/share/zoneinfo to /etc/localtime. This file actually controls the
conversion.

II. Problem Description

Several changes in Daylight Savings Time happened after previous FreeBSD
releases were released that would affect many people who live in different
countries. Because of these changes, the data in the zoneinfo files need to
be updated, and if the local timezone on the running system is affected,
tzsetup(8) needs to be run so the /etc/localtime is updated.

III. Impact

An incorrect time will be displayed on a system configured to use one of the
affected timezones if the /usr/share/zoneinfo and /etc/localtime files are
not updated, and all applications on the system that rely on the system time,
such as cron(8) and syslog(8), will be affected.

IV. Workaround

The system administrator can install an updated timezone database from the
misc/zoneinfo port and run tzsetup(8) to get the timezone database corrected.

Applications that store and display times in Coordinated Universal Time (UTC)
are not affected.

V. Solution

Please note that some third party software, for instance PHP, Ruby, Java and
Perl, may be using different zoneinfo data source, in such cases this
software must be updated separately. For software packages that is installed
via binary packages, they can be upgraded by executing `pkg upgrade'.

Following the instructions in this Errata Notice will update all of the
zoneinfo files to be the same as what was released with FreeBSD release.

Perform one of the following:

1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date. Restart all the affected
applications and daemons, or reboot the system.

2) To update your system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Restart all the affected applications and daemons, or reboot the system.

3) To update your system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/EN-18:14/tzdata-2018g.patch
# fetch https://security.FreeBSD.org/patches/EN-18:14/tzdata-2018g.patch.asc
# gpg --verify tzdata-2018g.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart all the affected applications and daemons, or reboot the system.

VI. Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path Revision
- -------------------------------------------------------------------------
stable/11/ r339938
releng/11.2/ r341091
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-18:14.tzdata.asc>
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlv9n+ZfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cKLTA//f+IoMMK1aLX9Dj1JxdapNpqDjAhL1G+K13uUaLFI8r5+2/WGkZXWvwfh
8z9+KQA76gidGia4zac7DcXXogsqU2ld/JWOMKNgt5RxS43U4LvBAzyMnD1VxWUs
1Z+aMre+h4FW0sB+Hx7/Uo2Mcd70mNEmGMFCilEO6P+XaYY98AGyLIkX7t5XW4cF
6chmLy/gJAXKAsPv1sDHvlvvkLf8rdZuZ/Z5JID6nQsZU7RHKhr0IQqZ6SIURhEo
9TZSnUy+F9CCBPQNz8Sv6S9i/7ggCjyAeaiXQUO4gEvsGUJiovt6MOdeeCQbTnOK
0Gk7gCZ4SGF3nLXSKX4/AFLJn5Kro0v+88Lwoi/hJWhkEGQKgsE4BMMFXxI3Ukah
AQ1snXG1/H9dgY1Os1XEjXx4Oxq2Qbeu+Hqppc+YY00Q9b3k8OAEVBDZlgtHlBGc
oyOeffWw2nB/Vn8vOl3r+r2wUoTsjU8nVNXZLFMROQadRH2WPEpfSeHM/5PyBCW8
0LPru9Nrt/GbR8wqXSY8Zr7KWIAEC5nLxT0HO8sfbYv6gbEHjUNPezalaTWRn4TZ
0m2OHu2x2Tir5rcUgxsDvz0/LrB6RM8B0TPAqF77fIxvB+Hor6W3PCJbLuNnPiyK
ELx2PeumYDKoSxpcQXFPku24SqMYY5du9x80aoFv1tGxZOAJfMw=
=2jLJ
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-announce@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-announce
To unsubscribe, send any mail to "freebsd-announce-unsubscribe@freebsd.org"

[FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-18:15.loader

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-EN-18:15.loader Errata Notice
The FreeBSD Project

Topic: Deferred kernel loading breaks loader password

Category: core
Module: loader
Announced: 2018-11-27
Credits: Devin Teske
Affects: All supported versions of FreeBSD.
Corrected: 2018-10-24 23:17:17 UTC (stable/11, 11.2-STABLE)
2018-11-27 19:45:25 UTC (releng/11.2, 11.2-RELEASE-p5)

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.

I. Background

The loader is a FreeBSD component which is part of the boot sequence for a
machine. The loader is most commonly visible with the "beastie" boot menu,
allowing specification of different boot time parameters.

II. Problem Description

A change in the loader to allow deferred loading of the kernel introduced a
bug when using a loader password. After this change and when the loader
password is enabled, the menu is not loaded and instead the machine goes into
the autoboot routine. The autoboot routine then fails when the kernel has
not yet been loaded, yielding a loader prompt where the user has full control
of the boot process.

III. Impact

Setting the loader password with the intention of preventing the user from
bypassing the boot process instead causes the boot to fail and gives the user
full control of the boot process.

IV. Workaround

No workaround is available, but systems that do not use a loader password are
not vulnerable.

V. Solution

Perform one of the following:

1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.

Afterward, reboot the system.

2) To update your system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterward, reboot the system.

3) To update your system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 11.2]
# fetch https://security.FreeBSD.org/patches/EN-18:15/loader.patch
# fetch https://security.FreeBSD.org/patches/EN-18:15/loader.patch.asc
# gpg --verify loader.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html> and reboot
the system.

VI. Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path Revision
- -------------------------------------------------------------------------
stable/11/ r339697
releng/11.2/ r341093
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-18:15.loader.asc>
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlv9n+tfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cJRKQ//cJzGNBcKnH3cAltXRM2eWqv6L2UAPYfOs5QEArIB5x4IR+wqc53AbyG4
AlpWAUf1KCwOFV+ceflihmYiWPPUqSV6nn+0My+uEFQebu8j00D5Mer/x9g6SikB
x65zXS//rHidaf5KWOKMajEW+jtC9JS42ffdyk+KgEYM4UCNY60iKhJ74rtwRjun
RwYKBXdtOcbS9Tp/SIIB3tQm1orhK5xe4w+kG4nM9Cz5OYk4j/GmcudWICjzjNzG
QxGENiDePEjLoCZTHn2Rgntwp0AjNY5FxdR8CgN5GtYHIepJIscE7BlYA6kZDoG9
e+01e3d7oAz92Dx8h59AkOGZPNI2lL4ZnBAcrpsZa+YkV67kxMHOIGp6faRYdWsf
+Ew8fh7AbVVhBO4yKWyoHkbREof07Iq3hXX7pi/Imb+nsYYPC6x0vax+qv823P4/
jnqIryC3MWezOIkTD6B752yED3prP3TDFi+/Lo2ke2K4rPkVRsMfRojcKaKVnWLl
HpgyffSiVv/dwv005Mdx0kCBnKtZthO9D0GHZSkRIXw2r5C5QQ8F7/EABfWFq1iN
sM+J682zjJhbFgFzJGceAQGrgVlN91AIl3Ipp2ggi33qQTEOreItRJdN7WBgSI3s
fTqA6OqgbknpWmCvusu/gi+SMjbO3Hk2hR6noB4bDVNPhPPCIZE=
=om/y
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-announce@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-announce
To unsubscribe, send any mail to "freebsd-announce-unsubscribe@freebsd.org"

[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-18:13.nfs

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-18:13.nfs Security Advisory
The FreeBSD Project

Topic: Multiple vulnerabilities in NFS server code

Category: core
Module: nfs
Announced: 2018-11-27
Credits: Jakub Jirasek, Secunia Research at Flexera
Affects: All supported versions of FreeBSD.
Corrected: 2018-11-23 20:41:54 UTC (stable/11, 11.2-STABLE)
2018-11-27 19:42:16 UTC (releng/11.2, 11.2-RELEASE-p5)
CVE Name: CVE-2018-17157, CVE-2018-17158, CVE-2018-17159

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I. Background

The Network File System (NFS) allows a host to export some or all of its file
systems so that other hosts can access them over the network and mount them
as if they were local. FreeBSD includes both server and client
implementations of NFS.

II. Problem Description

Insufficient and improper checking in the NFS server code could cause a
denial of service or possibly remote code execution via a specially crafted
network packet.

III. Impact

A remote attacker could cause the NFS server to crash, resulting in a denial
of service, or possibly execute arbitrary code on the server.

IV. Workaround

No workaround is available, but systems that do not provide NFS services are
not vulnerable.

Additionally, it is highly recommended the NFS service port (default port
number 2049) is protected via a host or network based firewall to prevent
arbitrary, untrusted clients from being able to connect.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Afterward, reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterward, reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 11.2]
# fetch https://security.FreeBSD.org/patches/SA-18:13/nfs.patch
# fetch https://security.FreeBSD.org/patches/SA-18:13/nfs.patch.asc
# gpg --verify nfs.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI. Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path Revision
- -------------------------------------------------------------------------
stable/11/ r340854
releng/11.2/ r341088
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

<URL:https://www.flexerasoftware.com/enterprise/company/about/secunia-research/>

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17157>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17158>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17159>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:13.nfs.asc>
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlv9n85fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cKJEg//Umbe1QOUgV0Z6EsdlQffNMo9MHbAz75vCqeaibI36Ng9vmkLKGlS6nCA
5mKFS+BvM5CkekBaiQ6BR8t0xWsrFwX6JCUayQ2FsCSo4rwCZms3AIbvt68vjQAm
xWuQIMJzYku5+kALtcXXvVkLhMCaioVDpZmuPCO+rY79OVM4xP1MsnTfqEZSNo+n
Cz2urH4eO60YsM8w05coQ3hnOsUjTCk8yCh3+R/uYK1VouLDgD8q96T1eG2ozny6
vwEMK3AjmcpvFkTIF3/2I6TTA5K+Zd+nqzhzPM5HjbLZmdQV02NHcoGaZrK1wsQw
D+3wf8icBMfLt9rTUbEqVdvg5FRDkTo8/dH1wY85gWZ2wsSgCqI2wRuqBH4bp3bb
Gcf2+D4vgX6YY5cZ/wFDcYWpghhrmXUbgnH7PnyVfYB0Ufta9utgMOQKMS0mUWwM
DlHP+fL/A8lhPvXIhl1DtSa/TQAiAdMG1JwktzThKrUzjL8bntmjoqtr1Xcp2txJ
hgALulqz9nzkHaHcEolgk5xFTvx4gCzhjII7XEU3/rLNPPlJK3Pfo0UvPLAUkdLj
McnKqOyQ6uSl8/lNuVsd3JCZ3dlsES7VmdEu0YJ4goc/6/AB8KXnSqzheT7Cjn1p
lGzbFYmXosUj9NEQl/SOg6O8LnRrJIw4Tbm9vfkDss1G+sjUdaA=
=m/Lh
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-announce@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-announce
To unsubscribe, send any mail to "freebsd-announce-unsubscribe@freebsd.org"

[USN-3827-2] Samba vulnerabilities

==========================================================================
Ubuntu Security Notice USN-3827-2
November 27, 2018

samba vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 ESM

Summary:

Several security issues were fixed in Samba.

Software Description:
- samba: SMB/CIFS file, print, and login server for Unix

Details:

USN-3827-1 fixed a vulnerability in samba. This update provides
the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

Florian Stuelpner discovered that Samba incorrectly handled CNAME
records. A remote attacker could use this issue to cause Samba to
crash, resulting in a denial of service. (CVE-2018-14629)

Alex MacCuish discovered that Samba incorrectly handled memory when
configured to accept smart-card authentication. A remote attacker
could possibly use this issue to cause Samba to crash, resulting in a
denial of service. (CVE-2018-16841)

Garming Sam discovered that Samba incorrectly handled memory when
processing LDAP searches. A remote attacker could possibly use this
issue to cause Samba to crash, resulting in a denial of service.
(CVE-2018-16851)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 ESM:
samba 2:3.6.25-0ubuntu0.12.04.16

In general, a standard system update will make all the necessary
changes.

References:
https://usn.ubuntu.com/usn/usn-3827-2
https://usn.ubuntu.com/usn/usn-3827-1
CVE-2018-14629, CVE-2018-16841, CVE-2018-16851

[USN-3816-3] systemd regression

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEERN//5MGgCOgyKeIFYR+97NWUbg8FAlv9oG8ACgkQYR+97NWU
bg/cewf/Y+P22INAYdfu6YcEa9rwkEPFvFgTiGbihLYH+SRW6kAzpz+SBHxMcRiK
/B4Le8EQTso3NFc7uj2pywehPqpEj9kWc7SoQQq4dvYCMolYD/SH0XunmJNzgK3t
kg2s+jIohLwK3UohU4Cfbr2xQyC/jvy5uJh0Evv7bKKGfLCKnAtsbicE/D02pHAF
BCIilfCETvDdkUr3E8IpntxfEMZ4uBq9i/t5lUPBtLXiEzgWu/TRzX/FcYtjfCSF
h1qpQpWca0dvY8SmOQ7GfHkxsizADyx84LGPY2E7OeyKv6Yq4GPXrtcO9PVAq9TF
FvdruiCVy9bI4dgGH5h4Y+BxtwjZGg==
=hxEq
-----END PGP SIGNATURE-----
==========================================================================
Ubuntu Security Notice USN-3816-3
November 27, 2018

systemd regression
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS

Summary:

USN-3816-1 caused a regression in systemd-tmpfiles.

Software Description:
- systemd: system and service manager

Details:

USN-3816-1 fixed vulnerabilities in systemd. The fix for CVE-2018-6954
caused a regression in systemd-tmpfiles when running Ubuntu inside a
container on some older kernels. This issue only affected Ubuntu 16.04
LTS. In order to continue to support this configuration, the fixes for
CVE-2018-6954 have been reverted.

We apologize for the inconvenience.

Original advisory details:

Jann Horn discovered that unit_deserialize incorrectly handled status
messages
above a certain length. A local attacker could potentially exploit this via
NotifyAccess to inject arbitrary state across re-execution and obtain root
privileges. (CVE-2018-15686)

Jann Horn discovered a race condition in chown_one(). A local attacker
could potentially exploit this by setting arbitrary permissions on certain
files to obtain root privileges. This issue only affected Ubuntu 18.04 LTS
and Ubuntu 18.10. (CVE-2018-15687)

It was discovered that systemd-tmpfiles mishandled symlinks in
non-terminal path components. A local attacker could potentially exploit
this by gaining ownership of certain files to obtain root privileges. This
issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2018-6954)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS:
systemd 229-4ubuntu21.10

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3816-3
https://usn.ubuntu.com/usn/usn-3816-1
https://launchpad.net/bugs/1804847

Package Information:
https://launchpad.net/ubuntu/+source/systemd/229-4ubuntu21.10

[USN-3828-1] WebKitGTK+ vulnerabilities

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEUMSg3c8x5FLOsZtRZWnYVadEvpMFAlv9lQQACgkQZWnYVadE
vpNr6xAAnOIDqBoBKrEgRP49SWBLgD/Q4LMGf4Ic/ZoLf6NEPCD/e13XpEg80k5A
4LwW99EoOAcgYJwYVQr3CPge0jps+T0aY7fugBbXm//BZgxM75325Pc0yiS9Y7GJ
KgeSbETLxer0EvctI0DnDb3w52I/sbREpExqpk6fIZsY4L7a4rgTMusqM4sgO5cU
g3LKpofEgTVcUOsrmq1VBtFQZOTN5KmiSSwyhZa/G+7GB0qYgfljY37wbzy0ny2X
jbD04lSa3UDvHumeGd6dZw80m6oiWKLjplh4a7TChaLyogcGBluNJ9ZPWq7PU1Pw
eGyOe4rFRIV1xdtgfg9KR51sl36y7nZEwtSZObu0VZZI/BJcKJT32HIb4XZtF3P1
32GvD4Qn5BW/ivM2EqHz1dBV9SO2ISrKdAsN6OZef4OhxmiQzQPs98CLCr/AG2pa
PGkD6K3hVaEohPtSjD2mfyHUwBUvKcg1qBzWiFZI5pYb4NHeQ/yM0sAQ1a7vzddf
VjxbuNErqAJR/JGrhZv3b71DJCxnaf5L8VrlBOlmcY5Ffsr47Du59zBkBXK5JQTQ
N/gpHWauyJip6ErHhqQxpzGTSiqHcb/kkrQu4NvKPk2Pb0+9lqb/OaYDRoPNNADX
cw6VP/sFlX0/B6cesPscAwTsmAWSkMJ4AuhIevz+z4EiBVhfdQE=
=+W+4
-----END PGP SIGNATURE-----
==========================================================================
Ubuntu Security Notice USN-3828-1
November 27, 2018

webkit2gtk vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.10
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in WebKitGTK+.

Software Description:
- webkit2gtk: Web content engine library for GTK+

Details:

A large number of security issues were discovered in the WebKitGTK+ Web and
JavaScript engines. If a user were tricked into viewing a malicious
website, a remote attacker could exploit a variety of issues related to web
browser security, including cross-site scripting attacks, denial of service
attacks, and arbitrary code execution.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.10:
libjavascriptcoregtk-4.0-18 2.22.4-0ubuntu0.18.10.1
libwebkit2gtk-4.0-37 2.22.4-0ubuntu0.18.10.1

Ubuntu 18.04 LTS:
libjavascriptcoregtk-4.0-18 2.22.4-0ubuntu0.18.04.1
libwebkit2gtk-4.0-37 2.22.4-0ubuntu0.18.04.1

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any applications
that use WebKitGTK+, such as Epiphany, to make all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3828-1
CVE-2018-4345, CVE-2018-4372, CVE-2018-4386

Package Information:
https://launchpad.net/ubuntu/+source/webkit2gtk/2.22.4-0ubuntu0.18.10.1
https://launchpad.net/ubuntu/+source/webkit2gtk/2.22.4-0ubuntu0.18.04.1

[USN-3827-1] Samba vulnerabilities

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEUMSg3c8x5FLOsZtRZWnYVadEvpMFAlv9UTUACgkQZWnYVadE
vpOeUxAAt51RihtTJtE/4ldKAZiTq1uit4AYhB/gUiiOraTWJxBVHbTfKtvC9snI
Y4YprN03/cbmykDBjTx/BTwn4O1ewaTTvL0lcvhmXBKJFVBgRurcVymKuEHH0H48
rA2ThdvSftdCwHvsWBOJSYTrfkc9sAXgVyjdl/Zip8j9gzL/EpgQRfP1Z/naizyt
zKsgmB0kwJO5tumFQPKgOQZxzBtvBB1xUaqKyvGooZcavNsWtcNipK6WJeyDhAwr
GQEWl1u+7zqPRNta2t4+ZH38uV7BXBoN7+MhqKxpTSsvkJHoBuAXY/5iGgLg+eF9
me/tQfU89pN5uWSEdaejFsXnyBMOMdrD6QDcT0hDUOqE7uI0BOvSwm36on3mEOj2
U23D4cLZUwKQrPSrgypNTnRVr2s8bAazUMA3hxGg8EkOXEsEoJSayagm/bkjbUah
vvihy3Dbat3G2CZKOCvvS4TYuOafgcBZpMB7oRw5D4MVQ//a8Z5/gI15zKiB8mmc
TP6gflqhF8VhWRHI72pi+IRbnyu9W8IM/jpHO2+YPv3F/yBSxKDTONC7eF6WWWeW
mbTniHMi0Z2ImuFqFWtuZa2+rhHM0BEEJQyuY2QC5lNfky9PFg7k+/RmYAYfQyxw
k36Ldtu9hk/ygE/KG3e+rO96qzYuvA4gHZKTw2wC/GHsAH2pxsM=
=UFEP
-----END PGP SIGNATURE-----
==========================================================================
Ubuntu Security Notice USN-3827-1
November 27, 2018

samba vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in Samba.

Software Description:
- samba: SMB/CIFS file, print, and login server for Unix

Details:

Florian Stuelpner discovered that Samba incorrectly handled CNAME records.
A remote attacker could use this issue to cause Samba to crash, resulting
in a denial of service. (CVE-2018-14629)

Alex MacCuish discovered that Samba incorrectly handled memory when
configured to accept smart-card authentication. A remote attacker could
possibly use this issue to cause Samba to crash, resulting in a denial of
service. (CVE-2018-16841)

Garming Sam discovered that Samba incorrectly handled memory when
processing LDAP searches. A remote attacker could possibly use this issue
to cause Samba to crash, resulting in a denial of service. (CVE-2018-16851)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.10:
samba 2:4.8.4+dfsg-2ubuntu2.1

Ubuntu 18.04 LTS:
samba 2:4.7.6+dfsg~ubuntu-0ubuntu2.5

Ubuntu 16.04 LTS:
samba 2:4.3.11+dfsg-0ubuntu0.16.04.18

Ubuntu 14.04 LTS:
samba 2:4.3.11+dfsg-0ubuntu0.14.04.19

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3827-1
CVE-2018-14629, CVE-2018-16841, CVE-2018-16851

Package Information:
https://launchpad.net/ubuntu/+source/samba/2:4.8.4+dfsg-2ubuntu2.1
https://launchpad.net/ubuntu/+source/samba/2:4.7.6+dfsg~ubuntu-0ubuntu2.5
https://launchpad.net/ubuntu/+source/samba/2:4.3.11+dfsg-0ubuntu0.16.04.18
https://launchpad.net/ubuntu/+source/samba/2:4.3.11+dfsg-0ubuntu0.14.04.19

Monday, November 26, 2018

Bugzilla outage/upgrade on 2 December 2018

Hi all,

If you haven't seen the banner at the top of bugzilla.redhat.com, it
is scheduled to undergo an upgrade from Bugzilla 4 to Bugzilla 5 on
December 2 2018. The outage will begin on 2 December at 0:00 UTC and
end on 2 December at 12:00 UTC.

For more information on Bugzilla 5, see:
https://partner-bugzilla.redhat.com/page.cgi?id=whats-new.html
https://partner-bugzilla.redhat.com/page.cgi?id=release-notes.html

Bugzilla 5.0 introduces a new REST endpoint to replace XML-RPC and
JSON-RPC. The XML-RPC and JSON-RPC APIs will remain available.

--
Ben Cotton
Fedora Program Manager
TZ=America/Indiana/Indianapolis
_______________________________________________
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org

[USN-3826-1] QEMU vulnerabilities

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEUMSg3c8x5FLOsZtRZWnYVadEvpMFAlv8DasACgkQZWnYVadE
vpN5KQ/+JpmkzxvqgCIIH/uuwJvgCakW1wetzVdbKY+1J5hS9g86Wlagoy4UkROa
1Lpcqo53bBHYTPt1lMxMwrGD7UjibBPALP2rlDVSgWo32ScCusH0NfgKdcXQ6UWg
8LP5eAE1TKEyZFuBVUuS/dl3CF7MudYoSNO+Hy8IkvqABDkqYq2TuGpG7lQWynZA
OYuhiuqOr5cZNBUgPTcrc/AptB9851QLzvuf/l0bujJxTP0I0fWiVvA+nfjQYIyC
4mdEos800dAgKPLc8jjlwKrqn5TKoZVgJiDzXd5ge1S4M6krYB2cALZzfbu24nHl
j3P9c5w3l2r6KnpUQP1RNQBEU6H7qDfWHDSQBEGxUrzsdunT2Nl1tcXD31cKCveB
hgZ8MMxuNU/rvS0RZUiXh5WVciBgCQx9gZux9YUm/JQp4v/dZXuc4OsIUsJTeAqE
0eO6D0/Osunn4psRwIt3uV3gM/j4izZ8Qw10rPI72CtG/15M/FrfIBfsBn+v0BNk
zi+qDNlbEph5Tk2FFrejdw5Zm2Anb7u/q1KJaKA2jo5IgQRpoX1BR10Fgs8n0GP1
s3bC9GRKWL3BrhNswM5pCZkYTDgR/x3IX2HFRNxamNUospCOT7yLIeIgrn77NZmO
ldrnwoK/lH3HbctKg8S29RdB3I/tDyDE/OdLj02Cz8iH6q4SB80=
=GGMX
-----END PGP SIGNATURE-----
==========================================================================
Ubuntu Security Notice USN-3826-1
November 26, 2018

qemu vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in QEMU.

Software Description:
- qemu: Machine emulator and virtualizer

Details:

Daniel Shapira and Arash Tohidi discovered that QEMU incorrectly handled
NE2000 device emulation. An attacker inside the guest could use this issue
to cause QEMU to crash, resulting in a denial of service. (CVE-2018-10839)

It was discovered that QEMU incorrectly handled the Slirp networking
back-end. A privileged attacker inside the guest could use this issue to
cause QEMU to crash, resulting in a denial of service, or possibly execute
arbitrary code on the host. In the default installation, when QEMU is used
with libvirt, attackers would be isolated by the libvirt AppArmor profile.
This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu
18.04 LTS. (CVE-2018-11806)

Fakhri Zulkifli discovered that the QEMU guest agent incorrectly handled
certain QMP commands. An attacker could possibly use this issue to crash
the QEMU guest agent, resulting in a denial of service. (CVE-2018-12617)

Li Qiang discovered that QEMU incorrectly handled NVM Express Controller
emulation. An attacker inside the guest could use this issue to cause QEMU
to crash, resulting in a denial of service, or possibly execute arbitrary
code on the host. In the default installation, when QEMU is used with
libvirt, attackers would be isolated by the libvirt AppArmor profile. This
issue only affected Ubuntu 18.04 LTS and Ubuntu 18.10. (CVE-2018-16847)

Daniel Shapira and Arash Tohidi discovered that QEMU incorrectly handled
RTL8139 device emulation. An attacker inside the guest could use this issue
to cause QEMU to crash, resulting in a denial of service. (CVE-2018-17958)

Daniel Shapira and Arash Tohidi discovered that QEMU incorrectly handled
PCNET device emulation. An attacker inside the guest could use this issue
to cause QEMU to crash, resulting in a denial of service. (CVE-2018-17962)

Daniel Shapira discovered that QEMU incorrectly handled large packet sizes.
An attacker inside the guest could use this issue to cause QEMU to crash,
resulting in a denial of service. (CVE-2018-17963)

It was discovered that QEMU incorrectly handled LSI53C895A device
emulation. An attacker inside the guest could use this issue to cause QEMU
to crash, resulting in a denial of service. (CVE-2018-18849)

Moguofang discovered that QEMU incorrectly handled the IPowerNV LPC
controller. An attacker inside the guest could use this issue to cause QEMU
to crash, resulting in a denial of service. This issue only affected Ubuntu
18.04 LTS and Ubuntu 18.10. (CVE-2018-18954)

Zhibin Hu discovered that QEMU incorrectly handled the Plan 9 File System
support. An attacker inside the guest could use this issue to cause QEMU
to crash, resulting in a denial of service. (CVE-2018-19364)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.10:
qemu-system 1:2.12+dfsg-3ubuntu8.1
qemu-system-arm 1:2.12+dfsg-3ubuntu8.1
qemu-system-mips 1:2.12+dfsg-3ubuntu8.1
qemu-system-misc 1:2.12+dfsg-3ubuntu8.1
qemu-system-ppc 1:2.12+dfsg-3ubuntu8.1
qemu-system-s390x 1:2.12+dfsg-3ubuntu8.1
qemu-system-sparc 1:2.12+dfsg-3ubuntu8.1
qemu-system-x86 1:2.12+dfsg-3ubuntu8.1

Ubuntu 18.04 LTS:
qemu-system 1:2.11+dfsg-1ubuntu7.8
qemu-system-arm 1:2.11+dfsg-1ubuntu7.8
qemu-system-mips 1:2.11+dfsg-1ubuntu7.8
qemu-system-misc 1:2.11+dfsg-1ubuntu7.8
qemu-system-ppc 1:2.11+dfsg-1ubuntu7.8
qemu-system-s390x 1:2.11+dfsg-1ubuntu7.8
qemu-system-sparc 1:2.11+dfsg-1ubuntu7.8
qemu-system-x86 1:2.11+dfsg-1ubuntu7.8

Ubuntu 16.04 LTS:
qemu-system 1:2.5+dfsg-5ubuntu10.33
qemu-system-aarch64 1:2.5+dfsg-5ubuntu10.33
qemu-system-arm 1:2.5+dfsg-5ubuntu10.33
qemu-system-mips 1:2.5+dfsg-5ubuntu10.33
qemu-system-misc 1:2.5+dfsg-5ubuntu10.33
qemu-system-ppc 1:2.5+dfsg-5ubuntu10.33
qemu-system-s390x 1:2.5+dfsg-5ubuntu10.33
qemu-system-sparc 1:2.5+dfsg-5ubuntu10.33
qemu-system-x86 1:2.5+dfsg-5ubuntu10.33

Ubuntu 14.04 LTS:
qemu-system 2.0.0+dfsg-2ubuntu1.44
qemu-system-aarch64 2.0.0+dfsg-2ubuntu1.44
qemu-system-arm 2.0.0+dfsg-2ubuntu1.44
qemu-system-mips 2.0.0+dfsg-2ubuntu1.44
qemu-system-misc 2.0.0+dfsg-2ubuntu1.44
qemu-system-ppc 2.0.0+dfsg-2ubuntu1.44
qemu-system-sparc 2.0.0+dfsg-2ubuntu1.44
qemu-system-x86 2.0.0+dfsg-2ubuntu1.44

After a standard system update you need to restart all QEMU virtual
machines to make all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3826-1
CVE-2018-10839, CVE-2018-11806, CVE-2018-12617, CVE-2018-16847,
CVE-2018-17958, CVE-2018-17962, CVE-2018-17963, CVE-2018-18849,
CVE-2018-18954, CVE-2018-19364

Package Information:
https://launchpad.net/ubuntu/+source/qemu/1:2.12+dfsg-3ubuntu8.1
https://launchpad.net/ubuntu/+source/qemu/1:2.11+dfsg-1ubuntu7.8
https://launchpad.net/ubuntu/+source/qemu/1:2.5+dfsg-5ubuntu10.33
https://launchpad.net/ubuntu/+source/qemu/2.0.0+dfsg-2ubuntu1.44

REMINDER: Fedora 27 End of Life on 2018-Nov-30

I apologize for the short notice. As a reminder, Fedora 27 reaches End
of Life on Friday, 30 November 2018. On this date, we will close all
the Fedora 27 bugs which remain open[1].

[1] https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=POST&bug_status=MODIFIED&bug_status=ON_DEV&bug_status=ON_QA&bug_status=VERIFIED&bug_status=RELEASE_PENDING&classification=Fedora&list_id=9748312&query_format=advanced&version=26

--
Ben Cotton
Fedora Program Manager
TZ=America/Indiana/Indianapolis
_______________________________________________
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org

Fedora 30 System-Wide Change Proposal: GnuPG2 as default GPG implementation

https://fedoraproject.org/wiki/Changes/GnuPG2_as_default_GPG_implementation

== Summary ==
The /usr/bin/gpg path representing the main GPG implementation will
now use GnuPG 2 instead of GnuPG 1.

== Owner ==
* Name: [[User:ignatenkobrain|Igor Gnatenko]], [[User:till|Till
Maas]], [[User:ngompa|Neal Gompa]]
* Email: ignatenkobrain@fedoraproject.org, opensource@till.name,
ngompa13@gmail.com

== Detailed Description ==
For long time, GnuPG 2 is de-facto standard and it is unfortunate to
have /usr/bin/gpg to point to GnuPG 1 given that all major
repositories already have it that way.
Some of them don't even have GnuPG 1 shipped (RHEL is one example).

== Benefit to Fedora ==
This change will bring Fedora in line with other major distributions,
users will get consistent experience between distributions and the
naive expectation that "gpg" binary is the latest and greatest
implementation of GnuPG.

== Scope ==
* Proposal owners:
** Rename gnupg package to gnupg1
** Rename gpg binary to gpg1
** Rename gpg2 binary to gpg
** Create gpg2 → gpg symlink
** Check and fix if needed existing packages which require /usr/bin/gpg
* Other developers: Everything can be handled by change owners.
* Release engineering: [https://pagure.io/releng/issue/7920 #7920]
* Policies and guidelines: No changes are needed.
* Trademark approval: N/A (not needed for this Change)

== Upgrade/compatibility impact ==
Users will have to adapt to change that gpg is now called gpg1 if
their usage is not compatible with both 1.x and 2.x.

== How To Test ==
Before change is implemented, owners will prepare COPR repository. You
will need to enable it and update and ensure that your
applications/scripts still work.

== User Experience ==
* /usr/bin/gpg is pointing to latest release of GnuPG 2 which makes
consistent user experience between distributions

== Dependencies ==
What can't be adopted to this change will be patched to use gpg1
explicitly, no action is needed from any developers.

== Contingency Plan ==
* Contingency mechanism: Owners will revert changes and postpone
change to next release.
* Contingency deadline: Beta Freeze.
* Blocks release? No
* Blocks product? No

== Documentation ==
Both gpg1 and gpg2 have their own documentation shipped with them.

--
Ben Cotton
Fedora Program Manager
TZ=America/Indiana/Indianapolis
_______________________________________________
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org

Friday, November 23, 2018

[USN-3801-2] Firefox regressions

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEERN//5MGgCOgyKeIFYR+97NWUbg8FAlv4ZL8ACgkQYR+97NWU
bg82tgf/YPzWtFZ3ELaFr5KeEMkYymO5Ed0mI4PyOWOgxk4TsO/LkkHiPOjpEUoS
eZQ+W4n3fdLlhv72Zr4aVLAC5dWbeDR3iD32Hiwc2XfYBcxS4Yz2v0aX1P2TCzvr
r9RG71eccCX2kFmbPSb6ftE6/0PiczXtUV84C3APUPcb8ks/tLeTNnj0U2Qk8lKU
D3qgfFrwALLGTbsaESdRm8AZMr8JvMeCFh+WpsN9nejtitzcQdjXFVN4s9xcOoYM
QRErcIyH60L+qjyINj2mPtsBUAoph/2WOd47kO7KfHtFO1X66eJcVId2qxJd7Odp
UWfCQhJmVJs+Jht7otSuBUDmQorqNQ==
=bV10
-----END PGP SIGNATURE-----
==========================================================================
Ubuntu Security Notice USN-3801-2
November 23, 2018

firefox regressions
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

USN-3801-1 caused some minor regressions in Firefox.

Software Description:
- firefox: Mozilla Open Source web browser

Details:

USN-3801-1 fixed vulnerabilities in Firefox. The update introduced various
minor regressions. This update fixes the problems.

We apologize for the inconvenience.

Original advisory details:

Multiple security issues were discovered in Firefox. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, bypass CSP
restrictions, spoof the protocol registration notification bar, leak
SameSite cookies, bypass mixed content warnings, or execute arbitrary
code. (CVE-2018-12388, CVE-2018-12390, CVE-2018-12392, CVE-2018-12393,
CVE-2018-12398, CVE-2018-12399, CVE-2018-12401, CVE-2018-12402,
CVE-2018-12403)

Multiple security issues were discovered with WebExtensions in Firefox.
If a user were tricked in to installing a specially crafted extension, an
attacker could potentially exploit these to bypass domain restrictions,
gain additional privileges, or run content scripts in local pages without
permission. (CVE-2018-12395, CVE-2018-12396, CVE-2018-12397)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.10:
firefox 63.0.3+build1-0ubuntu0.18.10.1

Ubuntu 18.04 LTS:
firefox 63.0.3+build1-0ubuntu0.18.04.1

Ubuntu 16.04 LTS:
firefox 63.0.3+build1-0ubuntu0.16.04.1

Ubuntu 14.04 LTS:
firefox 63.0.3+build1-0ubuntu0.14.04.1

After a standard system update you need to restart Firefox to make
all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3801-2
https://usn.ubuntu.com/usn/usn-3801-1
https://launchpad.net/bugs/1804881

Package Information:
https://launchpad.net/ubuntu/+source/firefox/63.0.3+build1-0ubuntu0.18.10.1
https://launchpad.net/ubuntu/+source/firefox/63.0.3+build1-0ubuntu0.18.04.1
https://launchpad.net/ubuntu/+source/firefox/63.0.3+build1-0ubuntu0.16.04.1
https://launchpad.net/ubuntu/+source/firefox/63.0.3+build1-0ubuntu0.14.04.1