Friday, May 31, 2019

[opensuse-announce] Advance discontinuation notice for openSUSE Leap 42.3

Hi folks,

This is the advance discontinuation notice for openSUSE Leap 42.3.

On June 30th 2019 the openSUSE Leap 42 release series will reach its
end of life, after 4 years of lifetime (42.1 was released in fall 2015).

openSUSE Leap 42.3 will receive no further maintenance or security
updates after that date.

It is recommended for openSUSE Leap users to upgrade to the recently
released openSUSE Leap 15.1.

Deployments with software that relies on Leap 42 technology and cannot
be moved to 15 right now may consider evaluating a (commercial) SUSE
Linux Enterprise 12 SP4 subscription and migrating the workload to SUSE
Linux Enterprise. With the upcoming SP5, SUSE Linux Enterprise 12
receives maintenance and support until 2027.

Ciao, Marcus, for SUSE Security and openSUSE Maintenance

Thursday, May 30, 2019

[USN-4001-2] libseccomp vulnerability

==========================================================================
Ubuntu Security Notice USN-4001-2
May 30, 2019

libseccomp vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 ESM

Summary:

libseccomp could allow unintended access to system calls.

Software Description:
- libseccomp: library for working with the Linux seccomp filter

Details:

USN-4001-1 fixed a vulnerability in libseccomp. This update provides the
corresponding update for Ubuntu 14.04 ESM.

Original advisory details:

Jann Horn discovered that libseccomp did not correctly generate 64-bit
syscall argument comparisons with arithmetic operators (LT, GT, LE, GE).
An attacker could use this to bypass intended access restrictions for
argument-filtered system calls.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 ESM:
libseccomp2 2.4.1-0ubuntu0.14.04.2

This update uses a new upstream release which includes additional bug
fixes. In general, a standard system update will make all the necessary
changes.

References:
https://usn.ubuntu.com/usn/usn-4001-2
https://usn.ubuntu.com/usn/usn-4001-1
CVE-2019-9893

[USN-4001-1] libseccomp vulnerability

==========================================================================
Ubuntu Security Notice USN-4001-1
May 30, 2019

libseccomp vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 19.04
- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

libseccomp could allow unintended access to system calls.

Software Description:
- libseccomp: library for working with the Linux seccomp filter

Details:

Jann Horn discovered that libseccomp did not correctly generate 64-bit
syscall argument comparisons with arithmetic operators (LT, GT, LE, GE).
An attacker could use this to bypass intended access restrictions for
argument-filtered system calls.
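Classic BPF, the language seccomp filters are compiled to, compares 32-bit words, so a relational test (LT, GT, LE, GE) on a 64-bit syscall argument has to be composed from a high-word comparison and a low-word comparison. The following is an added example, not code from the advisory or from libseccomp, showing that composition checked against native 64-bit comparison on boundary values; the low-word-only variant is a constructed foil for the test, not a description of the libseccomp defect.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* seccomp_data args are 64-bit, but a cBPF program loads them as two
 * separate 32-bit halves, so a filter generator must emit two 32-bit
 * tests for one 64-bit relational comparison. Unsigned throughout, as
 * syscall argument comparisons are. */

enum cmp_op { CMP_LT, CMP_LE, CMP_GT, CMP_GE };

struct split64 { uint32_t hi; uint32_t lo; };

static struct split64 split(uint64_t v) {
    struct split64 s = { (uint32_t)(v >> 32), (uint32_t)(v & 0xffffffffu) };
    return s;
}

/* Correct composition: the high word decides the ordering unless the
 * high words are equal, in which case the low word decides. */
static bool cmp64_split(enum cmp_op op, uint64_t arg, uint64_t bound) {
    struct split64 a = split(arg), b = split(bound);
    if (a.hi != b.hi) {
        switch (op) {
        case CMP_LT: case CMP_LE: return a.hi < b.hi;
        case CMP_GT: case CMP_GE: return a.hi > b.hi;
        }
    }
    switch (op) {
    case CMP_LT: return a.lo <  b.lo;
    case CMP_LE: return a.lo <= b.lo;
    case CMP_GT: return a.lo >  b.lo;
    case CMP_GE: return a.lo >= b.lo;
    }
    return false;
}

/* Reference oracle: native unsigned 64-bit comparison. */
static bool cmp64_native(enum cmp_op op, uint64_t arg, uint64_t bound) {
    switch (op) {
    case CMP_LT: return arg <  bound;
    case CMP_LE: return arg <= bound;
    case CMP_GT: return arg >  bound;
    case CMP_GE: return arg >= bound;
    }
    return false;
}

/* Constructed flawed comparator that ignores the high word. It exists
 * only to show what the boundary test catches; it is not a claim about
 * how libseccomp's generator was actually wrong. */
static bool cmp64_low_only(enum cmp_op op, uint64_t arg, uint64_t bound) {
    return cmp64_native(op, (uint32_t)arg, (uint32_t)bound);
}

/* Run a comparator over the probe values an auditor would pick: values
 * on either side of the threshold in both halves, plus values whose low
 * word alone would pass but whose high word must fail. Returns the number
 * of disagreements with the native oracle across all four operators. */
static int count_mismatches(bool (*f)(enum cmp_op, uint64_t, uint64_t)) {
    const uint64_t bound = 0x0000000100000000ull; /* constructed: 2^32 */
    const uint64_t probes[] = {
        0, 1, 0xffffffffull, bound - 1, bound, bound + 1,
        0x00000001ffffffffull, 0x0000000200000000ull, UINT64_MAX,
        0x0000000000000005ull, 0x0000000100000005ull,
    };
    int bad = 0;
    for (int op = CMP_LT; op <= CMP_GE; op++)
        for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
            if (f((enum cmp_op)op, probes[i], bound) !=
                cmp64_native((enum cmp_op)op, probes[i], bound))
                bad++;
    return bad;
}

int main(void) {
    printf("split comparator mismatches: %d\n", count_mismatches(cmp64_split));
    printf("low-word-only mismatches:    %d\n", count_mismatches(cmp64_low_only));
    return 0;
}
```

The same probe set is what a regression test for a filter generator should cover: any comparator that only agrees with the native oracle when the high words happen to match will be caught by the values above 2^32.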

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 19.04:
libseccomp2 2.4.1-0ubuntu0.19.04.3

Ubuntu 18.10:
libseccomp2 2.4.1-0ubuntu0.18.10.3

Ubuntu 18.04 LTS:
libseccomp2 2.4.1-0ubuntu0.18.04.2

Ubuntu 16.04 LTS:
libseccomp2 2.4.1-0ubuntu0.16.04.2

This update uses a new upstream release which includes additional bug
fixes. In general, a standard system update will make all the necessary
changes.

References:
https://usn.ubuntu.com/usn/usn-4001-1
CVE-2019-9893

Package Information:
https://launchpad.net/ubuntu/+source/libseccomp/2.4.1-0ubuntu0.19.04.3
https://launchpad.net/ubuntu/+source/libseccomp/2.4.1-0ubuntu0.18.10.3
https://launchpad.net/ubuntu/+source/libseccomp/2.4.1-0ubuntu0.18.04.2
https://launchpad.net/ubuntu/+source/libseccomp/2.4.1-0ubuntu0.16.04.2

[USN-4000-1] Corosync vulnerability

==========================================================================
Ubuntu Security Notice USN-4000-1
May 30, 2019

corosync vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Corosync could be made to crash or execute arbitrary code if it
received a specially crafted request.

Software Description:
- corosync: cluster engine daemon and utilities

Details:

It was discovered that Corosync incorrectly handled certain requests.
An attacker could possibly use this issue to cause a denial of service
or execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
  corosync                        2.4.3-0ubuntu1.1
  libtotem-pg5                    2.4.3-0ubuntu1.1

Ubuntu 16.04 LTS:
  corosync                        2.3.5-3ubuntu2.3
  libtotem-pg5                    2.3.5-3ubuntu2.3

After a standard system update you need to restart Corosync to make
all the necessary changes.

References:
  https://usn.ubuntu.com/usn/usn-4000-1
  CVE-2018-1084

Package Information:
  https://launchpad.net/ubuntu/+source/corosync/2.4.3-0ubuntu1.1
  https://launchpad.net/ubuntu/+source/corosync/2.3.5-3ubuntu2.3

[USN-3999-1] GnuTLS vulnerabilities

==========================================================================
Ubuntu Security Notice USN-3999-1
May 30, 2019

gnutls28 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 19.04
- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in GnuTLS.

Software Description:
- gnutls28: GNU TLS library

Details:

Eyal Ronen, Kenneth G. Paterson, and Adi Shamir discovered that GnuTLS was
vulnerable to a timing side-channel attack known as the "Lucky Thirteen"
issue. A remote attacker could possibly use this issue to perform
plaintext-recovery attacks via analysis of timing data. This issue only
affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2018-10844,
CVE-2018-10845, CVE-2018-10846)

Tavis Ormandy discovered that GnuTLS incorrectly handled memory when
verifying certain X.509 certificates. A remote attacker could use this
issue to cause GnuTLS to crash, resulting in a denial of service, or
possibly execute arbitrary code. This issue only affected Ubuntu 18.04 LTS,
Ubuntu 18.10, and Ubuntu 19.04. (CVE-2019-3829)

It was discovered that GnuTLS incorrectly handled certain post-handshake
messages. A remote attacker could use this issue to cause GnuTLS to crash,
resulting in a denial of service, or possibly execute arbitrary code. This
issue only affected Ubuntu 18.10 and Ubuntu 19.04. (CVE-2019-3836)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 19.04:
libgnutls30 3.6.5-2ubuntu1.1

Ubuntu 18.10:
libgnutls30 3.6.4-2ubuntu1.2

Ubuntu 18.04 LTS:
libgnutls30 3.5.18-1ubuntu1.1

Ubuntu 16.04 LTS:
libgnutls30 3.4.10-4ubuntu1.5

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3999-1
CVE-2018-10844, CVE-2018-10845, CVE-2018-10846, CVE-2019-3829,
CVE-2019-3836

Package Information:
https://launchpad.net/ubuntu/+source/gnutls28/3.6.5-2ubuntu1.1
https://launchpad.net/ubuntu/+source/gnutls28/3.6.4-2ubuntu1.2
https://launchpad.net/ubuntu/+source/gnutls28/3.5.18-1ubuntu1.1
https://launchpad.net/ubuntu/+source/gnutls28/3.4.10-4ubuntu1.5

[USN-3998-1] Evolution Data Server vulnerability

==========================================================================
Ubuntu Security Notice USN-3998-1
May 30, 2019

evolution-data-server vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Evolution Data Server would sometimes display email content as encrypted
when it was not.

Software Description:
- evolution-data-server: Evolution suite data server

Details:

Marcus Brinkmann discovered that Evolution Data Server did not correctly
interpret the output from GPG when decrypting encrypted messages. Under
certain circumstances, this could result in displaying clear-text portions
of encrypted messages as though they were encrypted.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
evolution-data-server 3.28.5-0ubuntu0.18.04.2
evolution-data-server-common 3.28.5-0ubuntu0.18.04.2
libcamel-1.2-61 3.28.5-0ubuntu0.18.04.2
libebackend-1.2-10 3.28.5-0ubuntu0.18.04.2
libedataserver-1.2-23 3.28.5-0ubuntu0.18.04.2

Ubuntu 16.04 LTS:
evolution-data-server 3.18.5-1ubuntu1.2
evolution-data-server-common 3.18.5-1ubuntu1.2
libcamel-1.2-54 3.18.5-1ubuntu1.2
libebackend-1.2-10 3.18.5-1ubuntu1.2
libedataserver-1.2-21 3.18.5-1ubuntu1.2

After a standard system update you need to restart Evolution to make
all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3998-1
CVE-2018-15587

Package Information:
https://launchpad.net/ubuntu/+source/evolution-data-server/3.28.5-0ubuntu0.18.04.2
https://launchpad.net/ubuntu/+source/evolution-data-server/3.18.5-1ubuntu1.2

Wednesday, May 29, 2019

Fedora 31 System-Wide Change proposal: Switch RPMs to zstd compression

https://fedoraproject.org/wiki/Changes/Switch_RPMs_to_zstd_compression

= Switch RPMs to zstd compression =

== Summary ==
Binary RPMs are currently compressed with xz level 2.
Switching to zstd would increase decompression speed significantly.

== Owner ==
* Name: [[User:dmach| Daniel Mach]]
* Email: dmach@redhat.com

== Detailed Description ==
* The change requires setting a new compression algorithm in the rpm
macros. A mass rebuild of all packages is then required.
* The macro for setting the compression is: %define _binary_payload w19.zstdio
* The recommended compression level is 19. Builds will take longer, but
the additional compression time is negligible in the total build time
and it pays off in a better compression ratio than xz level 2 gives.
* SRPM payload compression should stay at gzip (there is almost no
benefit in changing it, because the SRPM contents are already
compressed).

=== Use case: Firefox installation ===
I rebuilt firefox-66.0.5-1.fc30 with zstd level19.
Then I compared installation times with the original (xz compressed) package:

{| class="wikitable"
|-
! Compression !! Target File System !! Time
|-
| xz level 2 || tmpfs || 8s
|-
| xz level 2 || ext4 on nvme || 11s
|-
| zstd level 19 || tmpfs || 2s
|-
| zstd level 19 || ext4 on nvme || 4s
|-
|}


=== Comparison of compression algorithms and levels ===
The following table shows '''cpio''' and '''compressed cpio''' extraction
times into a tmpfs. Actual RPM decompression times will differ because
extraction goes to a real disk and the RPM tool adds overhead of its own
(checks, scriptlets).

{| class="wikitable"
|-
! Compression !! Level !! Size B !! Size GiB !! Compression time !! Compression time, 4 threads !! Decompression time !! Comment
|-
| CPIO || - || 5016785692 || 4,7 || - || - || - ||
|-
| xz || 2 || 1615017616 || 1,6 || 9m55s || - || 1m36s || slow decompression
|-
| pxz || 2 || 1631869880 || 1,6 || - || 6m11s || 1m38s || slow decompression
|-
| gzip || 9 || 2086354992 || 2,0 || 10m23s || - || 31s || insufficient compression ratio
|-
| bzip2 || 9 || 1889161565 || 1,8 || 8m || - || 2m50s || very slow decompression; compression ratio could be better
|-
| zstd || 3 || 1913536587 || 1,8 || 31s || 29s || 6,5s ||
|-
| zstd || 10 || 1737928978 || 1,7 || 3m27s || 2m34s || 6,3s ||
|-
| zstd || 15 || 1717303256 || 1,7 || 9m37s || 6m34s || 6,3s || identical compression speed to xz; fast decompression; slightly worse compression ratio than xz
|-
| zstd || 17 || 1635525492 || 1,6 || 16m16s || 11m20s || 6,7s ||
|-
| zstd || 19 || 1575843696 || 1,5 || 24m2s || 18m55s || 7,7s ||
|}

== Benefit to Fedora ==
* Faster installations/upgrades of user systems
* Faster koji builds (installations in build roots)
* Faster container builds
* Lower bandwidth on mirrors if we choose the highest compression level

== Scope ==
* Proposal owners: submit a patch to redhat-rpm-config
* Other developers: redhat-rpm-config maintainer: include the patch
and make a new build
* Release engineering: [https://pagure.io/releng/issue/8345 #8345]
mass rebuild is needed

== Upgrade/compatibility impact ==
* RPM in Fedora supports zstd compression already (from Fedora 28,
rpm-4.14.0-0.rc2.5.fc28). No impact on Fedora users is expected.
* Fedora <= 27 and some other distros will not be able to decompress
zstd-compressed RPMs.

== How To Test ==
* dnf install <package>
* rpm -q --qf "%{PAYLOADCOMPRESSOR} %{PAYLOADFLAGS}\n" <package>
* expected output: zstd 19

Also the overall system installation time should decrease significantly.

== User Experience ==
See '''Benefit to Fedora'''

== Dependencies ==
N/A

== Contingency Plan ==
* Contingency mechanism: Not needed, Fedora will stay at current compression.
* Contingency deadline: N/A
* Blocks release? No
* Blocks product? N/A

== Documentation ==
N/A

== Release Notes ==
RPMs have switched to zstd compression level 19.
Users will benefit from faster package decompression.
Users that build their packages will experience slightly longer build times.

--
Ben Cotton
He / Him / His
Fedora Program Manager
Red Hat
TZ=America/Indiana/Indianapolis
_______________________________________________
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org

[CentOS-announce] CESA-2019:1264 Important CentOS 7 libvirt Security Update

CentOS Errata and Security Advisory 2019:1264 Important

Upstream details at : https://access.redhat.com/errata/RHSA-2019:1264

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )




--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS

_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
https://lists.centos.org/mailman/listinfo/centos-announce

[CentOS-announce] CESA-2019:1267 Critical CentOS 6 firefox Security Update

CentOS Errata and Security Advisory 2019:1267 Critical

Upstream details at : https://access.redhat.com/errata/RHSA-2019:1267

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

i386:
41e1920d03ef2d819fb3f6d4aba478231d91f2dc359c9d595afba3bc556e308e firefox-60.7.0-1.el6.centos.i686.rpm

x86_64:
41e1920d03ef2d819fb3f6d4aba478231d91f2dc359c9d595afba3bc556e308e firefox-60.7.0-1.el6.centos.i686.rpm
8bcaa85425b5211864e55e0ff15e4f32e5b27eab33c0549fa90ee64c217f93f9 firefox-60.7.0-1.el6.centos.x86_64.rpm

Source:
eb7bc29e4bca2575c1a396b201c59f1f4f6a8691188e9b50ca0162a4281fb013 firefox-60.7.0-1.el6.centos.src.rpm




[CentOS-announce] CESA-2019:1265 Critical CentOS 7 firefox Security Update

CentOS Errata and Security Advisory 2019:1265 Critical

Upstream details at : https://access.redhat.com/errata/RHSA-2019:1265

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

x86_64:
6bf7b0a006db85d0ab1da140a2c48484033cdb242a87f32e47538b1477c7b5a6 firefox-60.7.0-1.el7.centos.i686.rpm
7180cf1102f4ce99f26f90cb19a23c66c1e8700a6756b148f58f9670ab778458 firefox-60.7.0-1.el7.centos.x86_64.rpm

Source:
fca10b620b7fce1190e8f2bc4ca013fc0729f7b4bd650e3ce2950a8a84db8ce8 firefox-60.7.0-1.el7.centos.src.rpm




[USN-3968-2] Sudo vulnerability

==========================================================================
Ubuntu Security Notice USN-3968-2
May 29, 2019

sudo vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 ESM

Summary:

Sudo could be made to overwrite files if it received a specially
crafted input.

Software Description:
- sudo: Provide limited super user privileges to specific users

Details:

USN-3968-1 fixed a vulnerability in Sudo. This update provides
the corresponding update for Ubuntu 14.04 ESM.

Original advisory details:

 It was discovered that Sudo did not properly parse the contents of
 /proc/[pid]/stat when attempting to determine its controlling tty. A
 local attacker in some configurations could possibly use this to
 overwrite any file on the filesystem, bypassing intended permissions.
 (CVE-2017-1000368)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 ESM:
  sudo                            1.8.9p5-1ubuntu1.5+esm1
  sudo-ldap                       1.8.9p5-1ubuntu1.5+esm1

In general, a standard system update will make all the necessary
changes.

References:
  https://usn.ubuntu.com/usn/usn-3968-2
  https://usn.ubuntu.com/usn/usn-3968-1
  CVE-2017-1000368

[USN-3996-1] GNU Screen vulnerability

==========================================================================
Ubuntu Security Notice USN-3996-1
May 29, 2019

GNU Screen vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 ESM
- Ubuntu 12.04 ESM

Summary:

GNU Screen could be made to crash or run programs as your login if it
opened a specially crafted file or received specially crafted input.

Software Description:
- screen: terminal multiplexer with VT100/ANSI terminal emulation

Details:

Kuang-che Wu discovered that GNU Screen improperly handled certain input. An
attacker could use this issue to cause GNU Screen to crash, resulting in a
denial of service or the execution of arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 ESM:
screen 4.1.0~20120320gitdb59704-9ubuntu0.1~esm1

Ubuntu 12.04 ESM:
screen 4.0.3-14ubuntu8.1

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3996-1
CVE-2015-6806

Tuesday, May 28, 2019

[USN-3997-1] Thunderbird vulnerabilities

==========================================================================
Ubuntu Security Notice USN-3997-1
May 28, 2019

thunderbird vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 19.04
- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in Thunderbird.

Software Description:
- thunderbird: Mozilla Open Source mail and newsgroup client

Details:

Multiple security issues were discovered in Thunderbird. If a user were
tricked into opening a specially crafted website in a browsing context,
an attacker could potentially exploit these to cause a denial of service,
bypass same-origin protections, or execute arbitrary code.
(CVE-2018-18511, CVE-2019-11691, CVE-2019-11692, CVE-2019-11693,
CVE-2019-9797, CVE-2019-9800, CVE-2019-9817, CVE-2019-9819, CVE-2019-9820)

Multiple security issues were discovered in Thunderbird. If a user were
tricked into opening a specially crafted message, an attacker could
potentially exploit these to cause a denial of service, or execute
arbitrary code. (CVE-2019-5798, CVE-2019-7317)

A type confusion bug was discovered with object groups and UnboxedObjects.
If a user were tricked into opening a specially crafted website in a
browsing context after enabling the UnboxedObjects feature, an attacker
could potentially exploit this to bypass security checks. (CVE-2019-9816)

It was discovered that history data could be exposed via drag and drop
of hyperlinks to and from bookmarks. If a user were tricked into dragging
a specially crafted hyperlink to a bookmark toolbar or sidebar, and
subsequently back into the web content area, an attacker could
potentially exploit this to obtain sensitive information. (CVE-2019-11698)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 19.04:
  thunderbird                     1:60.7.0+build1-0ubuntu0.19.04.1

Ubuntu 18.10:
  thunderbird                     1:60.7.0+build1-0ubuntu0.18.10.1

Ubuntu 18.04 LTS:
  thunderbird                     1:60.7.0+build1-0ubuntu0.18.04.1

Ubuntu 16.04 LTS:
  thunderbird                     1:60.7.0+build1-0ubuntu0.16.04.1

After a standard system update you need to restart Thunderbird to make
all the necessary changes.

References:
  https://usn.ubuntu.com/usn/usn-3997-1
  CVE-2018-18511, CVE-2019-11691, CVE-2019-11692, CVE-2019-11693,
  CVE-2019-11698, CVE-2019-5798, CVE-2019-7317, CVE-2019-9797,
  CVE-2019-9800, CVE-2019-9816, CVE-2019-9817, CVE-2019-9819,
  CVE-2019-9820

Package Information:
  https://launchpad.net/ubuntu/+source/thunderbird/1:60.7.0+build1-0ubuntu0.19.04.1
  https://launchpad.net/ubuntu/+source/thunderbird/1:60.7.0+build1-0ubuntu0.18.10.1
  https://launchpad.net/ubuntu/+source/thunderbird/1:60.7.0+build1-0ubuntu0.18.04.1
  https://launchpad.net/ubuntu/+source/thunderbird/1:60.7.0+build1-0ubuntu0.16.04.1

[USN-3845-2] FreeRDP vulnerabilities

==========================================================================
Ubuntu Security Notice USN-3845-2
May 28, 2019

freerdp vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.10
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in FreeRDP.

Software Description:
- freerdp: RDP client for Windows Terminal Services

Details:

USN-3845-1 fixed several vulnerabilities in FreeRDP. This update provides the
corresponding update for Ubuntu 18.04 LTS and Ubuntu 18.10.

Original advisory details:

Eyal Itkin discovered FreeRDP incorrectly handled certain stream encodings. A
malicious server could use this issue to cause FreeRDP to crash, resulting in a
denial of service, or possibly execute arbitrary code. This issue only applies
to Ubuntu 18.04 LTS and Ubuntu 18.10. (CVE-2018-8784, CVE-2018-8785)

Eyal Itkin discovered FreeRDP incorrectly handled bitmaps. A malicious server
could use this issue to cause FreeRDP to crash, resulting in a denial of
service, or possibly execute arbitrary code. (CVE-2018-8786, CVE-2018-8787)

Eyal Itkin discovered FreeRDP incorrectly handled certain stream encodings. A
malicious server could use this issue to cause FreeRDP to crash, resulting in a
denial of service, or possibly execute arbitrary code. This issue only applies
to Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 18.10. (CVE-2018-8788)

Eyal Itkin discovered FreeRDP incorrectly handled NTLM authentication. A
malicious server could use this issue to cause FreeRDP to crash, resulting in a
denial of service, or possibly execute arbitrary code. This issue only applies
to Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 18.10. (CVE-2018-8789)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.10:
libfreerdp-client1.1 1.1.0~git20140921.1.440916e+dfsg1-15ubuntu1.18.10.1

Ubuntu 18.04 LTS:
libfreerdp-client1.1 1.1.0~git20140921.1.440916e+dfsg1-15ubuntu1.18.04.1

In general, a standard system update will make all the necessary
changes.

References:
https://usn.ubuntu.com/usn/usn-3845-2
https://usn.ubuntu.com/usn/usn-3845-1
CVE-2018-8786, CVE-2018-8787, CVE-2018-8788, CVE-2018-8789

Package Information:
https://launchpad.net/ubuntu/+source/freerdp/1.1.0~git20140921.1.440916e+dfsg1-15ubuntu1.18.10.1
https://launchpad.net/ubuntu/+source/freerdp/1.1.0~git20140921.1.440916e+dfsg1-15ubuntu1.18.04.1

Fedora 28 End Of Life

As of the 28th of May 2019, Fedora 28 has reached its end of life
for updates and support. No further updates, including security
updates, will be available for Fedora 28. Fedora 29 will continue to receive
updates until approximately one month after the release of Fedora 31.
The maintenance schedule of Fedora releases is documented on the
Fedora Project wiki [0]. The Fedora Project wiki also contains
instructions [1] on how to upgrade from a previous release of Fedora
to a version receiving updates.

Regards,
Mohan Boddu.

[USN-3995-2] Keepalived vulnerability

==========================================================================
Ubuntu Security Notice USN-3995-2
May 28, 2019

keepalived vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 ESM
- Ubuntu 12.04 ESM

Summary:

Keepalived could be made to crash or run programs if it received
specially crafted network traffic.

Software Description:
- keepalived: Failover and monitoring daemon for LVS clusters

Details:

USN-3995-1 fixed a vulnerability in keepalived. This update provides
the corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM.

Original advisory details:

 It was discovered that Keepalived incorrectly handled certain HTTP
 status response codes. A remote attacker could use this issue to cause
 Keepalived to crash, resulting in a denial of service, or possibly
 execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 ESM:
  keepalived                      1:1.2.7-1ubuntu1+esm1

Ubuntu 12.04 ESM:
  keepalived                      1:1.2.2-3ubuntu1.2

In general, a standard system update will make all the necessary
changes.

References:
  https://usn.ubuntu.com/usn/usn-3995-2
  https://usn.ubuntu.com/usn/usn-3995-1
  CVE-2018-19115

OpenBSD Errata: May 29th, 2019 (mds)

Errata patches for the kernel have been released for OpenBSD 6.4 and 6.5.

Intel CPUs have a cross privilege side-channel attack. (MDS)

Binary updates for the amd64 platform are available via the syspatch utility.
Source code patches can be found on the respective errata page:

https://www.openbsd.org/errata64.html
https://www.openbsd.org/errata65.html

After patching, run fw_update to get the new CPU microcode, then reboot.

Fedora 31 System-Wide Change proposal: Node.js 12.x by default

https://fedoraproject.org/wiki/Changes/Nodejs12x

== Summary ==
The latest release of Node.js to carry a 30-month lifecycle is the
12.x series. As with 10.x and 8.x before it, Fedora 31 will carry 12.x
as the default Node.js interpreter for the system. The 10.x
interpreter will remain available as a non-default module stream.

== Owner ==
* Name: [[User:Sgallagh| Stephen Gallagher]]
* Email: sgallagh@fedoraproject.org
* Responsible SIG: Node.js SIG

== Detailed Description ==
Fedora 31 will ship with the latest LTS version of Node.js by default.
This will either be the `nodejs:12` module stream or else replicated
to the non-modular repository, depending on the status of other
release engineering work around supporting modular content in the
non-modular buildroots. To end-users, the experience should be
identical: `dnf install nodejs` will give them `nodejs-12.x` and the
matching `npm` package.

== Benefit to Fedora ==
Node.js is a popular server-side JavaScript engine. Keeping Fedora on
the latest release allows us to continue tracking the state-of-the-art
in that space. For those whose applications do not yet work with the
12.x release, Fedora 31 will also have the 10.x release available as a
selectable module stream.

== Scope ==
* Proposal owners:
The packages are already built for Fedora 31 in a non-default module
stream. On June 14th, 2019, the nodejs-12.x packages will become the
default in Fedora 31 (either by making the 12.x module stream be the
default stream or by rebuilding the packages as non-modular,
depending on other factors).

If the non-modular buildroot work is finished and available by July
17th (a week before the mass-rebuild), Node.js 12.x will drop the
non-modular packages and make the 12.x stream the default.

* Other developers:
Any developer with a package that depends on Node.js at run-time or
build-time should test with the 12.x module stream enabled as soon as
possible. Issues should be reported to nodejs@lists.fedoraproject.org.

* Release engineering: [https://pagure.io/releng/issue/8388 #8388]

Release engineering and FESCo will need to approve the change to the
default module stream.

* Policies and guidelines: N/A (not needed for this Change)
* Trademark approval: N/A (not needed for this Change)

== Upgrade/compatibility impact ==
As with previous releases, users running Fedora 29 or Fedora 30 with
the non-modular nodejs-10.x packages will be automatically upgraded to
the 12.x packages, which may cause issues. If users are running
software known not to support Node.js 12.x yet, they can switch the
system back to using 10.x with yum commands (to be documented in
release notes).

== How To Test ==
* Confirm that `yum install nodejs` results in Node.js 12.x being installed.
* Confirm that upgrading from Fedora 29 or Fedora 30 with nodejs-10.x
installed (non-modular) results in an upgrade to nodejs-12.x.
* Confirm that upgrading from Fedora 29 or Fedora 30 with the
`nodejs:10` module enabled does *not* result in an upgrade to 12.x and
still has `nodejs:10` enabled on Fedora 31.
* Confirm that upgrading from Fedora 29 or Fedora 30 with the
`nodejs:12` module enabled upgrades successfully and still has
`nodejs:12` enabled on Fedora 31.

== User Experience ==
Users will have the 12.x release of Node.js available by default. See
the "Upgrade/compatibility impact" section for specific details.

== Dependencies ==
All packages prefixed with `nodejs-` depend on this package. They will
need to be updated or removed from Fedora 31 if they do not work with
Node.js 12.x.

== Contingency Plan ==
* Contingency mechanism:
Revert to Node.js 10.x as the default stream. This may require bumping
epoch or making the `nodejs:10` stream the default, depending on the
status of the modules-in-non-modular-buildroot work at the time.

* Contingency deadline: August 5th, 2019
* Blocks release? No

== Documentation ==
* https://nodejs.org/dist/latest-v12.x/docs/api/
* https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V12.md

== Release Notes ==
Fedora 31 now ships with Node.js 12.x as the default Node.js
JavaScript server-side engine. If your applications are not yet ready
for this newer version, you can revert to the 10.x series by running
the following commands:

<pre>
dnf remove nodejs
dnf module reset nodejs
dnf module install nodejs:10
</pre>


--
Ben Cotton
He / Him / His
Fedora Program Manager
Red Hat
TZ=America/Indiana/Indianapolis
_______________________________________________
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org
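The checks in the "How To Test" section of the Node.js 12.x proposal above, worked as an added example; this is not code from the Fedora proposal or from dnf. It verifies that the module stream dnf has enabled (or, when none is enabled, the default stream) agrees with the interpreter actually installed, which catches the case the test plan rules out: a host with `nodejs:10` enabled that nevertheless ended up on 12.x. The column layout assumed for `dnf module list nodejs` (Name, Stream with `[d]`/`[e]` flags, Profiles, Summary) is an assumption, and the two sample outputs are constructed inline so the parsers run offline; only `live_check` touches a real host, and only where `dnf` and `node` exist.

```sh
#!/bin/sh
# Added example, not part of the Fedora change proposal: check that the
# Node.js module stream dnf has enabled (or defaulted to) agrees with the
# interpreter actually installed, which is what the "How To Test" steps
# verify by hand. The text parsers run offline; only live_check() shells
# out to dnf and node, and only where both exist.

# Major version from `node --version` output such as "v12.3.1" -> "12".
node_major() {
    printf '%s\n' "$1" | sed -n 's/^v\{0,1\}\([0-9][0-9]*\)\..*/\1/p'
}

# Stream that `dnf module list nodejs` flags [e]nabled; when none is
# explicitly enabled, the [d]efault stream is what `dnf install nodejs`
# resolves to. The column layout (Name Stream Profiles Summary, with the
# [d]/[e] flags next to the stream) is an assumption about dnf's output.
nodejs_stream() {
    printf '%s\n' "$1" | awk '
        $1 == "nodejs" && index($3, "[") == 1 {
            if (index($3, "e]") > 0) enabled = $2
            if (index($3, "d]") > 0) dflt = $2
        }
        END {
            if (enabled != "") print enabled
            else if (dflt != "") print dflt
        }'
}

# Succeeds when the stream and the running interpreter agree; fails for the
# "nodejs:10 enabled but 12.x installed" case the test plan rules out.
stream_matches_runtime() {
    stream=$(nodejs_stream "$1")
    major=$(node_major "$2")
    [ -n "$stream" ] && [ "$stream" = "$major" ]
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_DEFAULT_12='Name      Stream      Profiles                                   Summary
nodejs    10          common [d], development, minimal, docs     Javascript runtime
nodejs    12 [d][e]   common [d], development, minimal, docs     Javascript runtime'

SAMPLE_PINNED_10='Name      Stream      Profiles                                   Summary
nodejs    10 [e]      common [d], development, minimal, docs     Javascript runtime
nodejs    12 [d]      common [d], development, minimal, docs     Javascript runtime'

# Live check on a real Fedora host; skipped where dnf or node are absent.
live_check() {
    command -v dnf >/dev/null 2>&1 || { echo "dnf not found, skipping"; return 0; }
    command -v node >/dev/null 2>&1 || { echo "node not found, skipping"; return 0; }
    modules=$(dnf module list nodejs 2>/dev/null)
    version=$(node --version)
    if stream_matches_runtime "$modules" "$version"; then
        echo "ok: nodejs stream $(nodejs_stream "$modules") matches $version"
    else
        echo "MISMATCH: stream '$(nodejs_stream "$modules")' vs interpreter $version" >&2
        return 1
    fi
}

# Run `sh check-nodejs-stream.sh --live` on the upgraded host; without the
# flag only the functions and sample data are defined.
if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

A non-zero exit from `live_check` after an upgrade means the stream dnf reports and the interpreter on the path disagree, which is the state the revert commands in the Release Notes (`dnf module reset nodejs` followed by `dnf module install nodejs:10`) are meant to resolve.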

[USN-3995-1] Keepalived vulnerability

==========================================================================
Ubuntu Security Notice USN-3995-1
May 28, 2019

keepalived vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Keepalived could be made to crash or run programs if it received
specially crafted network traffic.

Software Description:
- keepalived: Failover and monitoring daemon for LVS clusters

Details:

It was discovered that Keepalived incorrectly handled certain HTTP status
response codes. A remote attacker could use this issue to cause Keepalived
to crash, resulting in a denial of service, or possibly execute arbitrary
code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.10:
keepalived 1:1.3.9-1ubuntu1.1

Ubuntu 18.04 LTS:
keepalived 1:1.3.9-1ubuntu0.18.04.2

Ubuntu 16.04 LTS:
keepalived 1:1.2.24-1ubuntu0.16.04.2

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3995-1
CVE-2018-19115

Package Information:
https://launchpad.net/ubuntu/+source/keepalived/1:1.3.9-1ubuntu1.1
https://launchpad.net/ubuntu/+source/keepalived/1:1.3.9-1ubuntu0.18.04.2
https://launchpad.net/ubuntu/+source/keepalived/1:1.2.24-1ubuntu0.16.04.2

Monday, May 27, 2019

[USN-3976-4] Samba vulnerability

==========================================================================
Ubuntu Security Notice USN-3976-4
May 27, 2019

samba vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 ESM

Summary:

USN-3976-1 introduced a regression in Samba.

Software Description:
- samba: SMB/CIFS file, print, and login server for Unix

Details:

USN-3976-1 fixed a vulnerability in Samba. The update introduced a
regression causing Samba to occasionally crash. This update fixes the
problem.

Original advisory details:

 Isaac Boukris and Andrew Bartlett discovered that Samba incorrectly
 checked S4U2Self packets. In certain environments, a remote attacker
 could possibly use this issue to escalate privileges.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 ESM:
  samba                           2:4.3.11+dfsg-0ubuntu0.14.04.20+esm2

In general, a standard system update will make all the necessary
changes.

References:
  https://usn.ubuntu.com/usn/usn-3976-4
  https://usn.ubuntu.com/usn/usn-3976-1
  https://launchpad.net/bugs/1827924

[USN-3994-1] gnome-desktop vulnerability

==========================================================================
Ubuntu Security Notice USN-3994-1
May 27, 2019

gnome-desktop3 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 19.04
- Ubuntu 18.10
- Ubuntu 18.04 LTS

Summary:

gnome-desktop could be made to escape the thumbnailer sandbox.

Software Description:
- gnome-desktop3: Introspection data for GnomeDesktop

Details:

It was discovered that gnome-desktop incorrectly confined thumbnailers. If
a user were tricked into downloading a malicious image file, a remote
attacker could possibly combine this issue with another vulnerability to
escape the sandbox and execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 19.04:
libgnome-desktop-3-17 3.32.1-1ubuntu1.1

Ubuntu 18.10:
libgnome-desktop-3-17 3.30.1-1ubuntu1.1

Ubuntu 18.04 LTS:
libgnome-desktop-3-17 3.28.2-0ubuntu1.3

After a standard system update you need to restart your session to make all
the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3994-1
CVE-2019-11460

Package Information:
https://launchpad.net/ubuntu/+source/gnome-desktop3/3.32.1-1ubuntu1.1
https://launchpad.net/ubuntu/+source/gnome-desktop3/3.30.1-1ubuntu1.1
https://launchpad.net/ubuntu/+source/gnome-desktop3/3.28.2-0ubuntu1.3

[USN-3976-3] Samba regression

==========================================================================
Ubuntu Security Notice USN-3976-3
May 27, 2019

samba regression
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

USN-3976-1 introduced a regression in Samba.

Software Description:
- samba: SMB/CIFS file, print, and login server for Unix

Details:

USN-3976-1 fixed a vulnerability in Samba. The update introduced a
regression causing Samba to occasionally crash. This update fixes the
problem.

We apologize for the inconvenience.

Original advisory details:

Isaac Boukris and Andrew Bartlett discovered that Samba incorrectly checked
S4U2Self packets. In certain environments, a remote attacker could possibly
use this issue to escalate privileges.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
samba 2:4.7.6+dfsg~ubuntu-0ubuntu2.11

Ubuntu 16.04 LTS:
samba 2:4.3.11+dfsg-0ubuntu0.16.04.21

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3976-3
https://usn.ubuntu.com/usn/usn-3976-1
https://launchpad.net/bugs/1827924

Package Information:
https://launchpad.net/ubuntu/+source/samba/2:4.7.6+dfsg~ubuntu-0ubuntu2.11
https://launchpad.net/ubuntu/+source/samba/2:4.3.11+dfsg-0ubuntu0.16.04.21

Orphaned packages looking for new maintainers

The following packages are orphaned and will be retired when they
are orphaned for six weeks, unless someone adopts them. If you know for sure
that the package should be retired, please do so now with a proper reason:
https://fedoraproject.org/wiki/How_to_remove_a_package_at_end_of_life

Note: If you received this mail directly you (co)maintain one of the affected
packages or a package that depends on one. Please adopt the affected package or
retire your depending package to avoid broken dependencies, otherwise your
package will be retired when the affected package gets retired.

This report is online at: https://churchyard.fedorapeople.org/orphans-2019-05-27.txt

Packages retired today but still in this report: rubygem-sprite-factory

Request package ownership via: https://pagure.io/releng/issues

Package (co)maintainers Status Change
================================================================================
aeskulap orphan 6 weeks ago
apache-commons-discovery lkundrak, mizdebsk, orphan, spike 0 weeks ago
ceph-deploy branto, fsimonce, ktdreyer, orphan, trhoden 3 weeks ago
checkstyle dbhole, greghellings, lef, mizdebsk, nsantos, orphan, rmyers 1 weeks ago
clpbar dcantrel, orphan 3 weeks ago
cmdtest orphan 0 weeks ago
compat-openssl10-pkcs11-helper orphan, rdieter 2 weeks ago
dvdbackup cicku, orphan 6 weeks ago
emacs-pymacs orphan 6 weeks ago
flr orphan 0 weeks ago
genbackupdata orphan 0 weeks ago
gnome-dvb-daemon orphan 6 weeks ago
gnome-shell-extension-panel-osd orphan 6 weeks ago
gnumed-server orphan 0 weeks ago
gpart dcantrel, orphan 3 weeks ago
gscribble orphan 0 weeks ago
h2 akurtakov, dchen, lef, orphan 3 weeks ago
jwebunit orphan 2 weeks ago
kimchi jcapik, orphan 0 weeks ago
librtfcomp orphan 0 weeks ago
loopabull orphan 0 weeks ago
lrbd orphan 0 weeks ago
ltspfs enslaver, orphan 5 weeks ago
monkeysphere ctubbsii, orphan 1 weeks ago
ninja-ide echevemaster, orphan 5 weeks ago
nodejs-array-uniq nodejs-sig, orphan 0 weeks ago
pdc-updater orphan 0 weeks ago
plague dcbw, orphan 4 weeks ago
pyqt-mail-checker orphan 0 weeks ago
python-cachy orphan 1 weeks ago
python-larch orphan 0 weeks ago
python-mandrill orphan 0 weeks ago
python-psphere imcleod, orphan 0 weeks ago
python-pylev orphan 1 weeks ago
python-pytest-testmon orphan, python-sig 1 weeks ago
pywebkitgtk ivazquez, orphan, walters 5 weeks ago
repoview orphan 0 weeks ago
rubygem-chunky_png mmorsi, orphan 6 weeks ago
rubygem-codemirror-rails orphan 5 weeks ago
rubygem-commander maxamillion, orphan, tdawson 3 weeks ago
rubygem-compass-960-plugin orphan 6 weeks ago
rubygem-jquery-ui-rails orphan 3 weeks ago
rubygem-paranoia orphan 2 weeks ago
rubygem-sprite-factory * orphan 7 weeks ago
rubygem-webrat mmorsi, orphan 6 weeks ago
system-config-firewall orphan, twoerner 3 weeks ago
testoob orphan 2 weeks ago
totpcgi herlo, kevin, orphan 0 weeks ago
transmission-remote-cli orphan 0 weeks ago
wordgroupz orphan 0 weeks ago

The following packages require above mentioned packages:
Depending on: apache-commons-discovery (22), status change: 2019-05-22 (0 weeks ago)
eclipse-webtools (maintained by: eclipse-sig, galileo, mbooth)
eclipse-webtools-3.13.0-1.fc31.src requires osgi(org.apache.commons.discovery)
= 0.5.0

jenkins-commons-jelly (maintained by: mizdebsk, msrb)
jenkins-commons-jelly-1.1.20120928-10.fc24.src requires
mvn(commons-discovery:commons-discovery) = 0.5

jenkins (maintained by: mizdebsk, msrb)
jenkins-webapp-1.651.3-10.fc30.noarch requires apache-commons-discovery =
2:0.5-23.fc31, jenkins-commons-jelly = 1.1.20120928-10.fc24, stapler =
1.242-2.fc26, stapler-adjunct-timeline = 1.4-10.fc30
jenkins-1.651.3-10.fc30.src requires
mvn(commons-jelly:commons-jelly-tags-define) = 1.0,
mvn(commons-jelly:commons-jelly-tags-fmt) = 1.0,
mvn(commons-jelly:commons-jelly-tags-xml) = 1.0,
mvn(org.kohsuke.stapler:stapler-adjunct-timeline) = 1.4
jenkins-core-1.651.3-10.fc30.noarch requires
mvn(commons-jelly:commons-jelly-tags-define) = 1.0,
mvn(commons-jelly:commons-jelly-tags-fmt) = 1.0,
mvn(commons-jelly:commons-jelly-tags-xml) = 1.0,
mvn(org.kohsuke.stapler:stapler-adjunct-timeline) = 1.4

mx4j (maintained by: dwalluck, fnasser)
mx4j-1:3.0.1-30.fc30.src requires apache-commons-discovery = 2:0.5-23.fc31

stapler (maintained by: mizdebsk, msrb)
stapler-1.242-2.fc26.noarch requires mvn(commons-discovery:commons-discovery)
= 0.5
stapler-1.242-2.fc26.src requires mvn(commons-discovery:commons-discovery) =
0.5, mvn(org.jenkins-ci:commons-jelly) = 1.1.jenkins.20120928
stapler-jelly-1.242-2.fc26.noarch requires mvn(org.jenkins-ci:commons-jelly) =
1.1.jenkins.20120928

datanucleus-core (maintained by: pmackinn)
datanucleus-core-3.2.15-9.fc30.src requires mvn(mx4j:mx4j) = 3.0.1,
mvn(mx4j:mx4j-tools) = 3.0.1

jets3t (maintained by: gil)
jets3t-0.9.3-10.fc30.noarch requires mvn(mx4j:mx4j) = 3.0.1
jets3t-0.9.3-10.fc30.src requires mx4j = 1:3.0.1-30.fc30

sigar (maintained by: astokes, beekhof, russellb, zaneb)
sigar-1.6.5-0.20.git58097d9.fc27.src requires mx4j = 1:3.0.1-30.fc30

js-CodeMirror (maintained by: mizdebsk, msrb)
js-CodeMirror-1:2.38-7.fc30.src requires mvn(org.kohsuke.stapler:stapler) = 1.242
stapler-adjunct-codemirror-1:2.38-7.fc30.noarch requires
mvn(org.kohsuke.stapler:stapler) = 1.242

stapler-adjunct-timeline (maintained by: mizdebsk, msrb)
stapler-adjunct-timeline-1.4-10.fc30.noarch requires
mvn(org.kohsuke.stapler:stapler) = 1.242
stapler-adjunct-timeline-1.4-10.fc30.src requires
mvn(org.kohsuke.stapler:stapler) = 1.242

datanucleus-api-jdo (maintained by: pmackinn)
datanucleus-api-jdo-3.2.8-8.fc30.src requires
mvn(org.datanucleus:datanucleus-core) = 3.2.15

datanucleus-rdbms (maintained by: pmackinn)
datanucleus-rdbms-3.2.13-9.fc30.noarch requires osgi(org.datanucleus) = 3.2.15
datanucleus-rdbms-3.2.13-9.fc30.src requires
mvn(org.datanucleus:datanucleus-core) = 3.2.15

google-http-java-client (maintained by: gil)
google-http-java-client-1.22.0-6.fc30.src requires
mvn(org.datanucleus:datanucleus-api-jdo) = 3.2.8,
mvn(org.datanucleus:datanucleus-core) = 3.2.15,
mvn(org.datanucleus:datanucleus-rdbms) = 3.2.13

google-oauth-java-client (maintained by: gil)
google-oauth-java-client-1.22.0-3.fc27.src requires
mvn(com.google.http-client:google-http-client) = 1.22.0,
mvn(org.datanucleus:datanucleus-api-jdo) = 3.2.8,
mvn(org.datanucleus:datanucleus-core) = 3.2.15,
mvn(org.datanucleus:datanucleus-rdbms) = 3.2.13
google-oauth-java-client-1.22.0-3.fc27.noarch requires
mvn(com.google.http-client:google-http-client) = 1.22.0

hadoop (maintained by: ctubbsii, denisarnaud, milleruntime)
hadoop-2.7.6-5.fc29.src requires jets3t = 0.9.3-10.fc30
hadoop-common-2.7.6-5.fc29.noarch requires mvn(net.java.dev.jets3t:jets3t) = 0.9.3
hadoop-tests-2.7.6-5.fc29.noarch requires mvn(net.java.dev.jets3t:jets3t) = 0.9.3

springframework-batch (maintained by: gil)
springframework-batch-2.2.7-8.fc30.src requires
mvn(net.java.dev.jets3t:jets3t) = 0.9.3

cassandra (maintained by: acaringi, hhorak, jjanco, trepik)
cassandra-server-3.11.1-12.fc30.i686 requires sigar = 1.6.5-0.20.git58097d9.fc27

gradle (maintained by: jjelen, mizdebsk, stewardship-sig)
gradle-4.4.1-3.fc31.src requires
mvn(com.google.http-client:google-http-client) = 1.22.0,
mvn(com.google.oauth-client:google-oauth-client) = 1.22.0

spring-ldap (maintained by: gil)
spring-ldap-1.3.1-19.fc30.noarch requires
mvn(org.springframework.batch:spring-batch-core) = 2.2.7.RELEASE,
mvn(org.springframework.batch:spring-batch-infrastructure) = 2.2.7.RELEASE
spring-ldap-1.3.1-19.fc30.src requires
mvn(org.springframework.batch:spring-batch-core) = 2.2.7.RELEASE,
mvn(org.springframework.batch:spring-batch-infrastructure) = 2.2.7.RELEASE,
mvn(org.springframework.batch:spring-batch-test) = 2.2.7.RELEASE

javapackages-tools (maintained by: mizdebsk, msrb)
gradle-local-5.3.0-4.fc30.noarch requires gradle = 4.4.1-3.fc31

shrinkwrap-resolver (maintained by: gil, lef)
shrinkwrap-resolver-2.2.2-6.fc29.src requires
mvn(org.gradle:gradle-tooling-api) = 4.4.1
shrinkwrap-resolver-impl-gradle-embedded-archive-2.2.2-6.fc29.noarch requires
mvn(org.gradle:gradle-tooling-api) = 4.4.1

xmvn (maintained by: jjelen, mizdebsk, msrb, stewardship-sig)
xmvn-3.0.0-23.fc30.src requires gradle = 4.4.1-3.fc31

Too many dependencies for apache-commons-discovery, not all listed here

Depending on: checkstyle (23), status change: 2019-05-14 (1 weeks ago)
eclipse-checkstyle (maintained by: akurtakov, eclipse-sig, rmyers)
eclipse-checkstyle-7.6.0-7.fc31.src requires checkstyle = 8.0-7.fc31

hadoop (maintained by: ctubbsii, denisarnaud, milleruntime)
hadoop-2.7.6-5.fc29.src requires checkstyle = 8.0-7.fc31
hadoop-common-2.7.6-5.fc29.noarch requires checkstyle = 8.0-7.fc31

hibernate-search (maintained by: gil, goldmann, lef)
hibernate-search-5.5.4-2.fc26.noarch requires
mvn(com.puppycrawl.tools:checkstyle) = 8.0
hibernate-search-5.5.4-2.fc26.src requires
mvn(com.puppycrawl.tools:checkstyle) = 8.0,
mvn(org.apache.maven.plugins:maven-checkstyle-plugin) = 3.0.0

maven-checkstyle-plugin (maintained by: ctubbsii, lef, mizdebsk, spike)
maven-checkstyle-plugin-3.0.0-4.fc30.noarch requires
mvn(com.puppycrawl.tools:checkstyle) = 8.0
maven-checkstyle-plugin-3.0.0-4.fc30.src requires
mvn(com.puppycrawl.tools:checkstyle) = 8.0

proxool (maintained by: gil, lef)
proxool-0.9.1-23.fc30.src requires mvn(com.puppycrawl.tools:checkstyle) = 8.0

scilab (maintained by: davidcl)
scilab-6.0.2-2.fc31.src requires checkstyle = 8.0-7.fc31

zookeeper (maintained by: ctubbsii, greghellings, mluscon, skottler, tstclair)
zookeeper-3.4.9-13.fc30.i686 requires checkstyle = 8.0-7.fc31
zookeeper-3.4.9-13.fc30.src requires checkstyle = 8.0-7.fc31

annox (maintained by: gil)
annox-1.0.1-7.fc30.src requires mvn(org.hibernate:hibernate-search-engine) =
5.5.4.Final

hibernate-hql (maintained by: gil, goldmann, lef)
hibernate-hql-1.3.0-0.2.Alpha2.fc26.noarch requires
mvn(org.hibernate:hibernate-search-engine) = 5.5.4.Final
hibernate-hql-1.3.0-0.2.Alpha2.fc26.src requires
mvn(org.hibernate:hibernate-search-engine) = 5.5.4.Final

querydsl (maintained by: gil)
querydsl-4.0.4-6.fc26.src requires mvn(org.hibernate:hibernate-search-orm) =
5.5.4.Final

querydsl3 (maintained by: gil)
querydsl3-3.7.2-9.fc28.src requires mvn(org.hibernate:hibernate-search-orm) =
5.5.4.Final

wildfly (maintained by: dchen, gil, goldmann, lef)
wildfly-10.1.0-13.fc29.src requires
mvn(org.hibernate:hibernate-search-backend-jgroups) = 5.5.4.Final,
mvn(org.hibernate:hibernate-search-backend-jms) = 5.5.4.Final,
mvn(org.hibernate:hibernate-search-engine) = 5.5.4.Final,
mvn(org.hibernate:hibernate-search-orm) = 5.5.4.Final,
mvn(org.hibernate:hibernate-search-serialization-avro) = 5.5.4.Final

apache-commons-configuration2 (maintained by: gil, java-sig)
apache-commons-configuration2-2.1-6.fc30.src requires
mvn(org.apache.maven.plugins:maven-checkstyle-plugin) = 3.0.0

avro (maintained by: gil, lef, ricardo)
avro-1.7.6-5.fc28.src requires
mvn(org.apache.maven.plugins:maven-checkstyle-plugin) = 3.0.0
avro-parent-1.7.6-5.fc28.noarch requires
mvn(org.apache.maven.plugins:maven-checkstyle-plugin) = 3.0.0

cargo-parent (maintained by: orion)
cargo-parent-4.13-13.fc30.src requires maven-checkstyle-plugin = 3.0.0-4.fc30

ehcache2 (maintained by: gil, lef)
ehcache2-2.10.2.2.21-3.fc27.src requires
mvn(org.apache.maven.plugins:maven-checkstyle-plugin) = 3.0.0

google-http-java-client (maintained by: gil)
google-http-java-client-1.22.0-6.fc30.src requires
mvn(org.apache.maven.plugins:maven-checkstyle-plugin) = 3.0.0

java-dirq (maintained by: lcons, mpaladin, stevetraylen)
java-dirq-1.8-6.fc30.src requires
mvn(org.apache.maven.plugins:maven-checkstyle-plugin) = 3.0.0

johnzon (maintained by: gil, lef)
johnzon-0.9.4-7.fc30.src requires
mvn(org.apache.maven.plugins:maven-checkstyle-plugin) = 3.0.0
johnzon-parent-0.9.4-7.fc30.noarch requires
mvn(org.apache.maven.plugins:maven-checkstyle-plugin) = 3.0.0

ldaptive (maintained by: gil)
ldaptive-1.1.0-6.fc30.src requires
mvn(org.apache.maven.plugins:maven-checkstyle-plugin) = 3.0.0
ldaptive-parent-1.1.0-6.fc30.noarch requires
mvn(org.apache.maven.plugins:maven-checkstyle-plugin) = 3.0.0

nom-tam-fits (maintained by: gil, lupinix, zbyszek)
nom-tam-fits-1.15.1-6.fc30.src requires
mvn(org.apache.maven.plugins:maven-checkstyle-plugin) = 3.0.0

quartz (maintained by: gil, java-sig, lef)
quartz-2.2.1-10.fc30.src requires maven-checkstyle-plugin = 3.0.0-4.fc30

shibboleth-java-parent-v3 (maintained by: gil)
shibboleth-java-parent-v3-8-7.fc30.noarch requires
mvn(org.apache.maven.plugins:maven-checkstyle-plugin) = 3.0.0
shibboleth-java-parent-v3-8-7.fc30.src requires
mvn(org.apache.maven.plugins:maven-checkstyle-plugin) = 3.0.0

Too many dependencies for checkstyle, not all listed here

Depending on: cmdtest (3), status change: 2019-05-20 (0 weeks ago)
cachedir (maintained by: mathstuf)
cachedir-1.4-3.fc28.src requires cmdtest = 0.30-3.fc29

genbackupdata (maintained by: orphan)
genbackupdata-1.9-9.fc30.src requires cmdtest = 0.30-3.fc29

python-larch (maintained by: orphan)
python-larch-1.20151025-9.fc28.src requires cmdtest = 0.30-3.fc29

Depending on: compat-openssl10-pkcs11-helper (1), status change: 2019-05-06 (2 weeks ago)
gnupg-pkcs11-scd (maintained by: mikep)
gnupg-pkcs11-scd-0.9.1-5.fc30.i686 requires libpkcs11-helper.so.100

Depending on: h2 (21), status change: 2019-04-30 (3 weeks ago)
bitcoinj (maintained by: jonny)
bitcoinj-0.14.3-6.fc29.src requires mvn(com.h2database:h2) = 1.4.196

hibernate3 (maintained by: gil, lef)
hibernate3-3.6.10-22.fc27.src requires h2 = 1.4.196-6.fc29

jberet (maintained by: gil, goldmann, lef)
jberet-1.2.1-6.fc30.src requires mvn(com.h2database:h2) = 1.4.196

johnzon (maintained by: gil, lef)
johnzon-0.9.4-7.fc30.src requires mvn(com.h2database:h2) = 1.4.196

junit-benchmarks (maintained by: gil)
junit-benchmarks-0.7.2-10.fc29.src requires mvn(com.h2database:h2) = 1.4.196

openas2 (maintained by: sdgathman)
openas2-2.6.3-2.fc30.src requires mvn(com.h2database:h2) = 1.4.196
openas2-lib-2.6.3-2.fc30.noarch requires mvn(com.h2database:h2) = 1.4.196

picketlink (maintained by: gil, goldmann, lef)
picketlink-2.7.1-7.fc30.src requires mvn(com.h2database:h2) = 1.4.196

springframework (maintained by: dchen, gil, lef)
springframework-3.2.18-4.fc28.src requires mvn(com.h2database:h2) = 1.4.196,
mvn(org.hibernate:hibernate-core:3) = 3.6.10.Final
springframework-orm-3.2.18-4.fc28.noarch requires
mvn(org.hibernate:hibernate-core:3) = 3.6.10.Final

springframework-batch (maintained by: gil)
springframework-batch-2.2.7-8.fc30.src requires mvn(com.h2database:h2) = 1.4.196

springframework-integration (maintained by: gil)
springframework-integration-3.0.7-10.fc29.noarch requires
mvn(com.h2database:h2) = 1.4.196
springframework-integration-3.0.7-10.fc29.src requires mvn(com.h2database:h2)
= 1.4.196

springframework-social (maintained by: gil)
springframework-social-1.0.3-9.fc30.src requires mvn(com.h2database:h2) = 1.4.196

tika (maintained by: gil, lef)
tika-1.17-4.fc30.src requires mvn(com.h2database:h2) = 1.4.196
tika-eval-1.17-4.fc30.noarch requires mvn(com.h2database:h2) = 1.4.196

wildfly (maintained by: dchen, gil, goldmann, lef)
wildfly-10.1.0-13.fc29.noarch requires mvn(com.h2database:h2) = 1.4.196
wildfly-10.1.0-13.fc29.src requires mvn(com.h2database:h2) = 1.4.196,
mvn(org.jberet:jberet-core) = 1.2.1.Final
wildfly-lib-10.1.0-13.fc29.noarch requires mvn(org.jberet:jberet-core) =
1.2.1.Final

multibit-commons (maintained by: jonny)
multibit-commons-1.1.0-6.fc30.noarch requires mvn(org.bitcoinj:bitcoinj-core)
= 0.14.3
multibit-commons-1.1.0-6.fc30.src requires mvn(org.bitcoinj:bitcoinj-core) =
0.14.3

dozer (maintained by: gil)
dozer-5.5.1-9.fc30.src requires hibernate3 = 3.6.10-22.fc27

ehcache-core (maintained by: gil, lef)
ehcache-core-2.6.11-7.fc30.noarch requires hibernate3 = 3.6.10-22.fc27,
mvn(org.hibernate:hibernate-core:3) = 3.6.10.Final
ehcache-core-2.6.11-7.fc30.src requires mvn(org.hibernate:hibernate-core:3) =
3.6.10.Final

ehcache2 (maintained by: gil, lef)
ehcache2-2.10.2.2.21-3.fc27.src requires mvn(org.hibernate:hibernate-core:3) =
3.6.10.Final

jasperreports (maintained by: gil, lef)
jasperreports-6.2.2-3.fc26.src requires mvn(org.hibernate:hibernate-core:3) =
3.6.10.Final

jipijapa (maintained by: gil, lef)
jipijapa-1.0.1-7.fc30.src requires mvn(org.hibernate:hibernate-core:3) =
3.6.10.Final

picketbox (maintained by: gil, lef, ricardo)
picketbox-4.9.6-8.fc30.noarch requires mvn(org.hibernate:hibernate-core:3) =
3.6.10.Final
picketbox-4.9.6-8.fc30.src requires mvn(org.hibernate:hibernate-core:3) =
3.6.10.Final

artemis (maintained by: gil, lef)
artemis-1.4.0-10.fc30.src requires mvn(org.apache.johnzon:johnzon-core) = 0.9.4
artemis-core-client-1.4.0-10.fc30.noarch requires
mvn(org.apache.johnzon:johnzon-core) = 0.9.4
artemis-jms-server-1.4.0-10.fc30.noarch requires
mvn(org.apache.johnzon:johnzon-core) = 0.9.4

Too many dependencies for h2, not all listed here

Depending on: librtfcomp (1), status change: 2019-05-20 (0 weeks ago)
synce-sync-engine (maintained by: awjb)
synce-sync-engine-0.15.1-17.fc29.i686 requires python2-librtfcomp = 1.1-26.fc29

Depending on: nodejs-array-uniq (3), status change: 2019-05-22 (0 weeks ago)
nodejs-gulp-util (maintained by: jsmith)
nodejs-gulp-util-3.0.8-5.fc29.noarch requires npm(array-uniq) = 1.0.2
nodejs-gulp-util-3.0.8-5.fc29.src requires npm(array-uniq) = 1.0.2

nodejs-gulp-mocha (maintained by: jsmith)
nodejs-gulp-mocha-4.3.1-3.fc29.noarch requires npm(gulp-util) = 3.0.8
nodejs-gulp-mocha-4.3.1-3.fc29.src requires npm(gulp-util) = 3.0.8

nodejs-gulp-ng-classify (maintained by: jsmith)
nodejs-gulp-ng-classify-4.0.1-2.fc29.src requires npm(gulp-util) = 3.0.8

Depending on: python-psphere (1), status change: 2019-05-20 (0 weeks ago)
imagefactory-plugins (maintained by: imcleod)
imagefactory-plugins-vSphere-1.1.11-2.fc30.noarch requires python2-psphere =
0.5.2-14.fc30

Depending on: pywebkitgtk (3), status change: 2019-04-17 (5 weeks ago)
gscribble (maintained by: orphan)
gscribble-0.1.2-16.fc29.noarch requires pywebkitgtk = 1.1.8-13.fc26

nested (maintained by: aeperezt, potty)
nested-1.2.2-22.fc29.noarch requires pywebkitgtk = 1.1.8-13.fc26

wordgroupz (maintained by: orphan)
wordgroupz-0.3.1-17.fc30.noarch requires pywebkitgtk = 1.1.8-13.fc26

Depending on: rubygem-chunky_png (4), status change: 2019-04-11 (6 weeks ago)
rubygem-compass (maintained by: mmorsi, tdawson)
rubygem-compass-1.0.1-3.fc24.noarch requires rubygem(chunky_png) = 1.2.7,
rubygem(chunky_png) = 1.2.7-1
rubygem-compass-1.0.1-3.fc24.src requires rubygem(chunky_png) = 1.2.7,
rubygem(chunky_png) = 1.2.7-1

rubygem-sprite-factory (maintained by: orphan)
rubygem-sprite-factory-1.7.1-1.fc31.src requires rubygem(chunky_png) = 1.2.7,
rubygem(chunky_png) = 1.2.7-1

rubygem-compass-960-plugin (maintained by: orphan)
rubygem-compass-960-plugin-0.10.4-15.fc30.noarch requires rubygem(compass) =
1.0.1-1

rubygem-compass-rails (maintained by: tdawson)
rubygem-compass-rails-2.0.4-7.fc30.noarch requires rubygem(compass) = 1.0.1-1

Depending on: rubygem-commander (1), status change: 2019-05-03 (3 weeks ago)
rubygem-rhc (maintained by: gomix, tdawson)
rubygem-rhc-1.38.7-7.fc30.noarch requires rubygem(commander) = 4.3.0

Affected (co)maintainers
acaringi: apache-commons-discovery
aeperezt: pywebkitgtk
akurtakov: h2, checkstyle
astokes: apache-commons-discovery
awjb: librtfcomp
beekhof: apache-commons-discovery
branto: ceph-deploy
cicku: dvdbackup
ctubbsii: monkeysphere, checkstyle, apache-commons-discovery
davidcl: checkstyle
dbhole: checkstyle
dcantrel: clpbar, gpart
dcbw: plague
dchen: h2, checkstyle
denisarnaud: checkstyle, apache-commons-discovery
dwalluck: apache-commons-discovery
echevemaster: ninja-ide
eclipse-sig: checkstyle, apache-commons-discovery
enslaver: ltspfs
fnasser: apache-commons-discovery
fsimonce: ceph-deploy
galileo: apache-commons-discovery
gil: checkstyle, h2, apache-commons-discovery
goldmann: h2, checkstyle
gomix: rubygem-commander
greghellings: checkstyle
herlo: totpcgi
hhorak: apache-commons-discovery
imcleod: python-psphere
ivazquez: pywebkitgtk
java-sig: checkstyle
jcapik: kimchi
jjanco: apache-commons-discovery
jjelen: apache-commons-discovery
jonny: h2
jsmith: nodejs-array-uniq
kevin: totpcgi
ktdreyer: ceph-deploy
lcons: checkstyle
lef: apache-commons-discovery, h2, checkstyle
lkundrak: apache-commons-discovery
lupinix: checkstyle
mathstuf: cmdtest
maxamillion: rubygem-commander
mbooth: apache-commons-discovery
mikep: compat-openssl10-pkcs11-helper
milleruntime: checkstyle, apache-commons-discovery
mizdebsk: checkstyle, apache-commons-discovery
mluscon: checkstyle
mmorsi: rubygem-chunky_png, rubygem-webrat
mpaladin: checkstyle
msrb: apache-commons-discovery
nodejs-sig: nodejs-array-uniq
nsantos: checkstyle
orion: checkstyle
pmackinn: apache-commons-discovery
potty: pywebkitgtk
python-sig: python-pytest-testmon
rdieter: compat-openssl10-pkcs11-helper
ricardo: h2, checkstyle
rmyers: checkstyle
russellb: apache-commons-discovery
sdgathman: h2
skottler: checkstyle
spike: checkstyle, apache-commons-discovery
stevetraylen: checkstyle
stewardship-sig: apache-commons-discovery
tdawson: rubygem-chunky_png, rubygem-commander
trepik: apache-commons-discovery
trhoden: ceph-deploy
tstclair: checkstyle
twoerner: system-config-firewall
walters: pywebkitgtk
zaneb: apache-commons-discovery
zbyszek: checkstyle

Orphans (50): aeskulap apache-commons-discovery ceph-deploy checkstyle
clpbar cmdtest compat-openssl10-pkcs11-helper dvdbackup
emacs-pymacs flr genbackupdata gnome-dvb-daemon
gnome-shell-extension-panel-osd gnumed-server gpart gscribble h2
jwebunit kimchi librtfcomp loopabull lrbd ltspfs monkeysphere
ninja-ide nodejs-array-uniq pdc-updater plague pyqt-mail-checker
python-cachy python-larch python-mandrill python-psphere
python-pylev python-pytest-testmon pywebkitgtk repoview
rubygem-chunky_png rubygem-codemirror-rails rubygem-commander
rubygem-compass-960-plugin rubygem-jquery-ui-rails
rubygem-paranoia rubygem-sprite-factory rubygem-webrat
system-config-firewall testoob totpcgi transmission-remote-cli
wordgroupz


Orphans (dependend on) (11): apache-commons-discovery checkstyle
cmdtest compat-openssl10-pkcs11-helper h2 librtfcomp
nodejs-array-uniq python-psphere pywebkitgtk rubygem-chunky_png
rubygem-commander


Orphans (rawhide) for at least 6 weeks (dependend on) (1):
rubygem-chunky_png


Orphans (rawhide) (not depended on) (39): aeskulap ceph-deploy clpbar
dvdbackup emacs-pymacs flr genbackupdata gnome-dvb-daemon
gnome-shell-extension-panel-osd gnumed-server gpart gscribble
jwebunit kimchi loopabull lrbd ltspfs monkeysphere ninja-ide
pdc-updater plague pyqt-mail-checker python-cachy python-larch
python-mandrill python-pylev python-pytest-testmon repoview
rubygem-codemirror-rails rubygem-compass-960-plugin
rubygem-jquery-ui-rails rubygem-paranoia rubygem-sprite-factory
rubygem-webrat system-config-firewall testoob totpcgi
transmission-remote-cli wordgroupz


Orphans (rawhide) for at least 6 weeks (not dependend on) (8):
aeskulap dvdbackup emacs-pymacs gnome-dvb-daemon
gnome-shell-extension-panel-osd rubygem-compass-960-plugin
rubygem-sprite-factory rubygem-webrat


Depending packages (rawhide) (77): annox apache-commons-configuration2
artemis avro bitcoinj cachedir cargo-parent cassandra
datanucleus-api-jdo datanucleus-core datanucleus-rdbms dozer
eclipse-checkstyle eclipse-webtools ehcache-core ehcache2
genbackupdata gnupg-pkcs11-scd google-http-java-client
google-oauth-java-client gradle gscribble hadoop hibernate-hql
hibernate-search hibernate3 imagefactory-plugins jasperreports
java-dirq javapackages-tools jberet jenkins jenkins-commons-jelly
jets3t jipijapa johnzon js-CodeMirror junit-benchmarks ldaptive
maven-checkstyle-plugin multibit-commons mx4j nested
nodejs-gulp-mocha nodejs-gulp-ng-classify nodejs-gulp-util
nom-tam-fits openas2 picketbox picketlink proxool python-larch
quartz querydsl querydsl3 rubygem-compass
rubygem-compass-960-plugin rubygem-compass-rails rubygem-rhc
rubygem-sprite-factory scilab shibboleth-java-parent-v3
shrinkwrap-resolver sigar spring-ldap springframework
springframework-batch springframework-integration
springframework-social stapler stapler-adjunct-timeline
synce-sync-engine tika wildfly wordgroupz xmvn zookeeper


Packages depending on packages orphaned (rawhide) for more than 6
weeks (4): rubygem-compass rubygem-compass-960-plugin
rubygem-compass-rails rubygem-sprite-factory


Not found in repo (rawhide) (2): eclipse-checkstyle eclipse-webtools

--
The script creating this output is run and developed by Fedora
Release Engineering. Please report issues at its pagure instance:
https://pagure.io/releng/
The sources of this script can be found at:
https://pagure.io/releng/blob/master/f/scripts/find_unblocked_orphans.py

--
Miro Hrončok
--
Phone: +420777974800
IRC: mhroncok
_______________________________________________
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org

Friday, May 24, 2019

Fedora 31 System-Wide Change proposal: RPM 4.15

https://fedoraproject.org/wiki/Changes/RPM-4.15

== Summary ==
Update RPM to the 4.15.0 release.

== Owner ==
* Name: User:pmatilai, User:ffesti
* Email: pmatilai@redhat.com,ffesti@redhat.com

== Detailed Description ==

RPM 4.15 contains numerous improvements over previous versions
* Faster builds due to increased parallelism
* Dynamic build dependency generator (planned)
* Caret version operator (the opposite of tilde)
* String data is returned as surrogate-escaped utf-8 in Python 3 bindings
* %patchlist and %sourcelist spec sections for minimal boilerplate
patch and source declarations
* Experimental chroot operations for non-root users
* Many error and warning report improvements
* A new plugin for issuing audit log events on package install/update/erase
* Native support for Lua 5.2-5.3 without compat defines in Lua
* Numerous other improvements and bugfixes: https://rpm.org/wiki/Releases/4.15.0
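The caret operator in the list above is easiest to understand next to tilde in the version
comparison itself. The following Python is an added example, not code from the rpm project
or from this Change: it re-implements the segment-by-segment comparison that librpm's
rpmvercmp() performs, including the two separator rules. Tilde sorts before everything,
even the end of the string (so 1.0~rc1 is older than 1.0); caret sorts after the base
version but before any further segment (so 1.0 is older than 1.0^git1, which is older than
1.0.1). The sample versions in the block are constructed.

```python
import functools
import re

# Pure-ASCII segment patterns, matching librpm's risdigit()/risalpha() tests.
_NUM = re.compile(r"[0-9]*")
_ALPHA = re.compile(r"[A-Za-z]*")


def _is_alnum(c: str) -> bool:
    """ASCII-only alphanumeric test (librpm's risalnum())."""
    return c.isascii() and c.isalnum()


def rpmvercmp(a: str, b: str) -> int:
    """Compare two RPM version strings: 1 if a is newer, -1 if b is, 0 if equal."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators are anything that is not alphanumeric, '~' or '^'.
        while i < len(a) and not (_is_alnum(a[i]) or a[i] in "~^"):
            i += 1
        while j < len(b) and not (_is_alnum(b[j]) or b[j] in "~^"):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""

        # Tilde sorts before everything else, including the end of the string.
        if ca == "~" or cb == "~":
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i += 1
            j += 1
            continue

        # Caret: same idea, except that the string which *ends* here (the base
        # version) is the older one, so 1.0 < 1.0^anything < 1.0.1.
        if ca == "^" or cb == "^":
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i += 1
            j += 1
            continue

        # Ran off the end of one side: leave the loop and let the tail decide.
        if not (ca and cb):
            break

        # Take one purely numeric or purely alphabetic segment from each side.
        isnum = ca in "0123456789"
        pat = _NUM if isnum else _ALPHA
        seg_a = pat.match(a, i).group(0)
        seg_b = pat.match(b, j).group(0)
        i += len(seg_a)
        j += len(seg_b)

        # Mixed types: a numeric segment is always newer than an alpha one.
        if not seg_b:
            return 1 if isnum else -1

        if isnum:
            # Drop leading zeros; the number with more digits is larger.
            seg_a = seg_a.lstrip("0")
            seg_b = seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1

        # Same length (or both alpha): plain lexical order decides.
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1

    # All segments equal: whichever side still has characters left wins.
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def sort_versions(versions):
    """Sort version strings oldest to newest using rpmvercmp()."""
    return sorted(versions, key=functools.cmp_to_key(rpmvercmp))


if __name__ == "__main__":
    # Constructed sample: pre-release (tilde), base, snapshot (caret), next patch level.
    print(sort_versions(["1.0.1", "1.0^git1", "1.0", "1.0~rc1"]))
```

Getting this ordering right matters beyond packaging convenience: vulnerability scanners and
update policies decide "fixed or not" by exactly this comparison, so a tool that treats
1.0^20190524git as older than 1.0, or 1.0~rc1 as newer, will misreport patch status.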

Rawhide rpm will be updated to the 4.15 alpha once it is released, and then updated through
the beta and rc cycles; the 4.15.0 final release is expected prior to the F31 final freeze.

== Benefit to Fedora ==

See above.

== Scope ==
* Proposal owners:
** Rebase RPM
** help Python binding users adjust to the string change
** help coordinate for macro + helper script removals

* Other developers:
** Test new release, report issues and bugs.
** Fix Python 3 string/bytes usages in API users
(https://bugzilla.redhat.com/show_bug.cgi?id=1693751 already in
progress in rawhide)

* Release engineering: [https://pagure.io/releng/issue/8380 #8380]

* Policies and guidelines:
As always, utilizing new rpm features is subject to packaging guidelines,
but the time for this is after the new version has properly landed.
There is no need to change guidelines, any new features are optional.

* Trademark approval: N/A (not needed for this Change)

== Upgrade/compatibility impact ==
* Python 3 bindings see a dramatic change as all string data is now
returned as a utf-8 encoded string instead of bytes, but this is already
being test-driven in rawhide and at least anaconda, dnf and mock are
already compatible:
https://bugzilla.redhat.com/show_bug.cgi?id=1631292
* Similar to compiler updates, some previously working specs might
fail to build due to stricter error checking and the like.
* Some long-standing perl and python macros and helpers have been
removed from rpm and might need either changes to packages or
redhat-rpm-config
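The bytes-to-str change above is where API users most often break, and the
"surrogate-escaped" detail is what keeps file names that are not valid UTF-8 from raising
UnicodeDecodeError. The following Python is an added example, not code from rpm or any of
the packages named above: it shows a normalisation helper that makes a caller behave the
same against the old bindings (bytes) and the new ones (str with surrogate escapes), and how
to recover the exact original bytes when a value has to be compared with the filesystem.
The two header dictionaries are constructed stand-ins for what tag lookups yield on each
version; the real rpm.hdr object is not used here.

```python
def to_text(value):
    """Normalise one header value the way rpm 4.15 bindings present it.

    bytes -> str via the 'surrogateescape' handler, so a byte that is not
    valid UTF-8 (0xE9 below) becomes a lone surrogate U+DCE9 instead of
    raising. Lists are mapped element-wise; str, int and None pass through,
    so the function is a no-op on the new bindings.
    """
    if isinstance(value, bytes):
        return value.decode("utf-8", "surrogateescape")
    if isinstance(value, (list, tuple)):
        return [to_text(v) for v in value]
    return value


def to_bytes(text: str) -> bytes:
    """Invert to_text(): lone surrogates turn back into the original bytes,
    which is what you need to compare against os.listdir(b'/...') output."""
    return text.encode("utf-8", "surrogateescape")


def normalise_header(hdr: dict) -> dict:
    """Apply to_text() to every tag of a header-like mapping."""
    return {tag: to_text(val) for tag, val in hdr.items()}


def strict_decode_ok(raw: bytes) -> bool:
    """True if raw is valid UTF-8; shows why plain .decode() is not enough."""
    try:
        raw.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


# Constructed samples: the same package seen through rpm < 4.15 (bytes) and
# rpm 4.15 (str). The file name carries Latin-1 0xE9, which is not UTF-8.
OLD_BINDINGS = {
    "name": b"demo-pkg",
    "version": b"1.0",
    "filenames": [b"/usr/share/demo/caf\xe9.txt"],
}
NEW_BINDINGS = {
    "name": "demo-pkg",
    "version": "1.0",
    "filenames": ["/usr/share/demo/caf\udce9.txt"],
}


if __name__ == "__main__":
    old = normalise_header(OLD_BINDINGS)
    new = normalise_header(NEW_BINDINGS)
    # repr() is used so the lone surrogate is escaped rather than written to stdout.
    print("same view on both versions:", old == new)
    print("file name as str:", repr(new["filenames"][0]))
    print("file name as bytes:", to_bytes(new["filenames"][0]))
```

Two practical consequences follow from the surrogate representation: such a str cannot be
written to a strictly UTF-8 stream or JSON without an error handler, and two different byte
sequences never collapse to the same str, so path comparisons done after to_bytes() are
exact.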

== How To Test ==

RPM receives thorough and constant testing via every single package
build, system install and update. New features can be tested
specifically as per their documentation.

== User Experience ==
There are no significant user experience changes, but some more minor
ones include:
* faster package builds on SMP systems
* improved diagnostics from macro errors/warnings and spec constructs

== Dependencies ==
* There is a soname bump involved so all API-dependent packages will
need a rebuild.
* The Python 3 string change affects several packages, but this
is already in progress

== Contingency Plan ==

* Contingency mechanism: Roll back to rpm 4.14, but under no
circumstances should such a thing be necessary.
* Contingency deadline: Beta freeze.
* Blocks release? No

== Documentation ==
Draft release notes available at https://rpm.org/wiki/Releases/4.15.0

--
Ben Cotton
He / Him / His
Fedora Program Manager
Red Hat
TZ=America/Indiana/Indianapolis

Thursday, May 23, 2019

[USN-3957-2] MariaDB vulnerabilities

==========================================================================
Ubuntu Security Notice USN-3957-2
May 23, 2019

MariaDB vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 ESM

Summary:

Several security issues were fixed in MariaDB.

Software Description:
- mariadb-5.5: MariaDB database

Details:

USN-3957-1 fixed multiple vulnerabilities in MySQL. This update addresses
some of them in MariaDB 5.5.

Ubuntu 14.04 LTS has been updated to MariaDB 5.5.64.

In addition to security fixes, the updated packages contain bug fixes, new
features, and possibly incompatible changes.

Please see the following for more information:
https://mariadb.com/kb/en/library/mariadb-5564-changelog/
https://mariadb.com/kb/en/library/mariadb-5564-release-notes/

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 ESM:
mariadb-server 5.5.64-1ubuntu0.14.04.1

This update uses a new upstream release, which includes additional bug
fixes. In general, a standard system update will make all the necessary
changes.

References:
https://usn.ubuntu.com/usn/usn-3957-2
https://usn.ubuntu.com/usn/usn-3957-1
CVE-2019-2614, CVE-2019-2627

Wednesday, May 22, 2019

[USN-3977-2] Intel Microcode update

==========================================================================
Ubuntu Security Notice USN-3977-2
May 22, 2019

intel-microcode update
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 19.04
- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 ESM

Summary:

The system could be made to expose sensitive information.

Software Description:
- intel-microcode: Processor microcode for Intel CPUs

Details:

USN-3977-1 provided mitigations for Microarchitectural Data Sampling
(MDS) vulnerabilities in Intel Microcode for a large number of Intel
processor families. This update provides the corresponding updated
microcode mitigations for Intel Cherry Trail and Bay Trail processor
families.

Original advisory details:

Ke Sun, Henrique Kawakami, Kekai Hu, Rodrigo Branco, Giorgi Maisuradze, Dan
Horea Lutas, Andrei Lutas, Volodymyr Pikhur, Stephan van Schaik, Alyssa
Milburn, Sebastian Österlund, Pietro Frigo, Kaveh Razavi, Herbert Bos,
Cristiano Giuffrida, Moritz Lipp, Michael Schwarz, and Daniel Gruss
discovered that memory previously stored in microarchitectural fill buffers
of an Intel CPU core may be exposed to a malicious process that is
executing on the same CPU core. A local attacker could use this to expose
sensitive information. (CVE-2018-12130)

Brandon Falk, Ke Sun, Henrique Kawakami, Kekai Hu, Rodrigo Branco, Stephan
van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo, Kaveh
Razavi, Herbert Bos, and Cristiano Giuffrida discovered that memory
previously stored in microarchitectural load ports of an Intel CPU core may
be exposed to a malicious process that is executing on the same CPU core. A
local attacker could use this to expose sensitive information.
(CVE-2018-12127)

Ke Sun, Henrique Kawakami, Kekai Hu, Rodrigo Branco, Marina Minkin, Daniel
Moghimi, Moritz Lipp, Michael Schwarz, Jo Van Bulck, Daniel Genkin, Daniel
Gruss, Berk Sunar, Frank Piessens, and Yuval Yarom discovered that memory
previously stored in microarchitectural store buffers of an Intel CPU core
may be exposed to a malicious process that is executing on the same CPU
core. A local attacker could use this to expose sensitive information.
(CVE-2018-12126)

Ke Sun, Henrique Kawakami, Kekai Hu, Rodrigo Branco, Volodymyr Pikhur,
Moritz Lipp, Michael Schwarz, Daniel Gruss, Stephan van Schaik, Alyssa
Milburn, Sebastian Österlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, and
Cristiano Giuffrida discovered that uncacheable memory previously stored in
microarchitectural buffers of an Intel CPU core may be exposed to a
malicious process that is executing on the same CPU core. A local attacker
could use this to expose sensitive information. (CVE-2019-11091)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 19.04:
intel-microcode 3.20190514.0ubuntu0.19.04.3

Ubuntu 18.10:
intel-microcode 3.20190514.0ubuntu0.18.10.2

Ubuntu 18.04 LTS:
intel-microcode 3.20190514.0ubuntu0.18.04.3

Ubuntu 16.04 LTS:
intel-microcode 3.20190514.0ubuntu0.16.04.2

Ubuntu 14.04 ESM:
intel-microcode 3.20190514.0ubuntu0.14.04.2

After a standard system update you need to reboot your computer to make
all the necessary changes.
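Because the new microcode only takes effect after the reboot, and because the fill-buffer,
load-port and store-buffer leaks above are shared between sibling hyperthreads, the useful
post-update check is the kernel's own verdict in
/sys/devices/system/cpu/vulnerabilities/mds rather than the package version. The following
Python is an added example, not part of the Ubuntu advisory: it classifies that file's
status line using the strings the Linux kernel documents for it ("Not affected",
"Vulnerable", "Vulnerable: Clear CPU buffers attempted, no microcode",
"Mitigation: Clear CPU buffers", followed after ';' by an SMT state such as
"SMT vulnerable", "SMT disabled", "SMT mitigated" or "SMT Host state unknown") and turns it
into a short list of follow-up actions. The sample lines in the block are constructed.

```python
MDS_SYSFS = "/sys/devices/system/cpu/vulnerabilities/mds"


def assess_mds(status: str) -> dict:
    """Classify one MDS status line as written by the Linux kernel.

    The part before ';' says whether CPU-buffer clearing is active, was
    attempted without updated microcode, is off, or is unnecessary; the
    part after ';' reports the SMT state, which matters because the leaking
    buffers are shared between sibling threads of a core.
    """
    line = status.strip()
    verdict = {
        "raw": line,
        "affected": line != "Not affected",
        "microcode_updated": None,   # None = cannot tell from this line
        "mitigated": False,
        "smt_safe": False,
        "actions": [],
    }
    if not verdict["affected"]:
        verdict.update(microcode_updated=True, mitigated=True, smt_safe=True)
        return verdict

    head, _, smt = line.partition(";")
    head, smt = head.strip(), smt.strip()

    if "no microcode" in head:
        # Kernel has the clearing code but the CPU lacks the MD_CLEAR capability.
        verdict["microcode_updated"] = False
        verdict["actions"].append("install the microcode update and reboot")
    elif head.startswith("Mitigation:"):
        verdict["microcode_updated"] = True
        verdict["mitigated"] = True
    else:
        # Bare "Vulnerable": mitigation disabled or kernel without MDS support.
        verdict["actions"].append("mitigation is off; check kernel version and mds= setting")

    verdict["smt_safe"] = smt in ("SMT disabled", "SMT mitigated")
    if smt == "SMT vulnerable":
        verdict["actions"].append("sibling threads still share buffers; consider disabling SMT")
    elif smt == "SMT Host state unknown":
        verdict["actions"].append("running in a VM; confirm SMT handling on the host")
    return verdict


def read_mds_status(path: str = MDS_SYSFS):
    """Return the live status line, or None where the kernel exposes no MDS entry."""
    try:
        with open(path, encoding="ascii") as fh:
            return fh.read()
    except OSError:
        return None


# Constructed sample lines, e.g. before and after this update plus the reboot.
SAMPLE_LINES = [
    "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable",
    "Mitigation: Clear CPU buffers; SMT vulnerable",
    "Mitigation: Clear CPU buffers; SMT disabled",
    "Not affected",
]


if __name__ == "__main__":
    live = read_mds_status()
    for line in ([live] if live else SAMPLE_LINES):
        v = assess_mds(line)
        print(f"{v['raw']!r}: mitigated={v['mitigated']} smt_safe={v['smt_safe']} "
              f"actions={v['actions']}")
```

A line that still says "no microcode" after installing the package is the signature of a
missing reboot (or of a CPU family the loaded microcode does not cover); a "Mitigation:"
line with "SMT vulnerable" means the update worked but cross-thread leakage remains a
decision for the operator.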

References:
https://usn.ubuntu.com/usn/usn-3977-2
https://usn.ubuntu.com/usn/usn-3977-1
CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091,
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/MDS

Package Information:
https://launchpad.net/ubuntu/+source/intel-microcode/3.20190514.0ubuntu0.19.04.3
https://launchpad.net/ubuntu/+source/intel-microcode/3.20190514.0ubuntu0.18.10.2
https://launchpad.net/ubuntu/+source/intel-microcode/3.20190514.0ubuntu0.18.04.3
https://launchpad.net/ubuntu/+source/intel-microcode/3.20190514.0ubuntu0.16.04.2