Monday, August 31, 2020

[USN-4478-1] Python-RSA vulnerability

==========================================================================
Ubuntu Security Notice USN-4478-1
August 31, 2020

python-rsa vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 ESM

Summary:

Python-RSA could be made to expose sensitive information over the
network.

Software Description:
- python-rsa: Pure-Python RSA implementation (Python 2)

Details:

It was discovered that Python-RSA incorrectly handled certain ciphertexts.
An attacker could possibly use this issue to obtain sensitive information.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 ESM:
python-rsa 3.1.2-1ubuntu0.1+esm1
python3-rsa 3.1.2-1ubuntu0.1+esm1

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/4478-1
CVE-2020-13757

Friday, August 28, 2020

[CentOS-announce] CEBA-2020:3528 CentOS 7 kernel BugFix Update

CentOS Errata and Bugfix Advisory 2020:3528

Upstream details at : https://access.redhat.com/errata/RHBA-2020:3528

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )




--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS

_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
https://lists.centos.org/mailman/listinfo/centos-announce

s390x builder issues

Greetings.

As many of you know, the s390x builders have been very slow or failing
builds with intermittent i/o issues for a while now.

I've done what I can to mitigate this on the builder level, but the
problem is at a deeper level.

I've been asked to try and collect issues that package maintainers are
hitting on these builders and provide them to mainframe admins so they
can understand the impact on us and prioritize more resources or other
corrective measures.

To that end, if you are a maintainer and:

* A build on s390x being slow affects you (needed for another build,
important bug fix, etc) in a serious way

or

* a build on a s390x builder fails in some odd way that is NOT related
to your package (unable to download src.rpm, checksum mismatches, etc).

I'd love for you to note:

* the link to the failed/slow task
* The time (UTC preferred)
* which exact builder it was
* what the issue was
* how it impacted your fedora work

into: https://pagure.io/fedora-infrastructure/issue/9232

Please don't post to the list, mail me privately, etc.
Just add the info to the above issue.

Thanks for your help

kevin

Thursday, August 27, 2020

[USN-4477-1] Squid vulnerabilities

==========================================================================
Ubuntu Security Notice USN-4477-1
August 27, 2020

squid vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in Squid.

Software Description:
- squid: Web proxy cache server

Details:

Amit Klein discovered that Squid incorrectly validated certain data. A
remote attacker could possibly use this issue to perform an HTTP request
smuggling attack, resulting in cache poisoning. (CVE-2020-15810)

Régis Leroy discovered that Squid incorrectly validated certain data. A
remote attacker could possibly use this issue to perform an HTTP request
splitting attack, resulting in cache poisoning. (CVE-2020-15811)

Lubos Uhliarik discovered that Squid incorrectly handled certain Cache
Digest response messages sent by trusted peers. A remote attacker could
possibly use this issue to cause Squid to consume resources, resulting in a
denial of service. (CVE-2020-24606)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS:
squid 4.10-1ubuntu1.2

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/4477-1
CVE-2020-15810, CVE-2020-15811, CVE-2020-24606

Package Information:
https://launchpad.net/ubuntu/+source/squid/4.10-1ubuntu1.2

[USN-4476-1] NSS vulnerability

==========================================================================
Ubuntu Security Notice USN-4476-1
August 27, 2020

nss vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 ESM
- Ubuntu 12.04 ESM

Summary:

NSS could be made to expose sensitive information if it received a specially crafted
input.

Software Description:
- nss: Network Security Service library

Details:

It was discovered that NSS incorrectly handled some inputs.
An attacker could possibly use this issue to expose sensitive information.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS:
libnss3 2:3.49.1-1ubuntu1.5

Ubuntu 18.04 LTS:
libnss3 2:3.35-2ubuntu2.12

Ubuntu 16.04 LTS:
libnss3 2:3.28.4-0ubuntu0.16.04.14

Ubuntu 14.04 ESM:
libnss3 2:3.28.4-0ubuntu0.14.04.5+esm8

Ubuntu 12.04 ESM:
libnss3 2:3.28.4-0ubuntu0.12.04.11

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
https://usn.ubuntu.com/4476-1
CVE-2020-12403

Package Information:
https://launchpad.net/ubuntu/+source/nss/2:3.49.1-1ubuntu1.5
https://launchpad.net/ubuntu/+source/nss/2:3.35-2ubuntu2.12
https://launchpad.net/ubuntu/+source/nss/2:3.28.4-0ubuntu0.16.04.14

F34 Change: Python Upstream Architecture Names (Self-Contained Change)

https://fedoraproject.org/wiki/Changes/Python_Upstream_Architecture_Names

== Summary ==
Use CPython upstream architecture naming in Fedora's Python ecosystem
(mostly in filenames) instead of the previously patched Fedora names.
For example, have
<code>/usr/lib64/python3.9/lib-dynload/array.cpython-39-powerpc64le-linux-gnu.so</code>
instead of <code>/usr/lib64/python3.9/lib-dynload/array.cpython-39-ppc64le-linux-gnu.so</code>.
This makes packaging of Python itself a tad trickier, but it moves
Fedora's Python closer to upstream and solves interoperability
problems with ppc64le manylinux wheels.
The change has impact only on '''ppc64le''' and '''armv7hl'''
(considering the architectures built by koji.fedoraproject.org).
Packages assuming the filenames always contain
<code>%{_arch}-linux%{_gnu}</code> will need to be adapted.

== Owner ==
* Name: [[User:Churchyard|Miro Hrončok]]
* Name: [[User:Lbalhar|Lumír Balhar]]
* Email: python-maint@redhat.com


== Detailed Description ==

=== The Saga ===

==== A Long Time Ago in the Fedora Galaxy ====

Many releases ago, when Fedora wasn't being built for power and arm
yet, the Python maintainers mapped the Python "platform triplet" or
"multiarch name" to <code>%{_arch}-linux%{_gnu}</code>. This worked.
For example, on x86_64, this is <code>x86_64-linux-gnu</code> on
Fedora and this is consistent with the "platform triplet" used in
filenames in upstream.

==== The Phantom Technical Debt ====

Later around the year 2015, as more architectures were added, Python
build scripts were patched to use "the Fedora's architecture names":

* <code>powerpc</code> was changed to <code>ppc</code>
https://src.fedoraproject.org/rpms/python3/c/0efd3d31
* the arm triplet was patched
https://src.fedoraproject.org/rpms/python3/c/2f6352e7
* even the mips one https://src.fedoraproject.org/rpms/python3/c/4bc70e0c

At the time, that was a reasonable decision: the idea of cross-Linux
builds was sci-fi, and Fedora was not trying to stay close to upstream
as it is now (we had around 60 patches; today we're down to around 6).

==== Rise of the Manylinux Wheels ====

In the meantime, cross-Linux builds became a thing. The
[https://www.python.org/dev/peps/pep-0513/ manylinux1 standard] was
created in 2016, allowing to build Python wheels with compiled
extension modules on one Linux platform and ship them to many. The
first manylinux version only supported x86_64 and i686 and hence it
was not impacted by Fedora's patching decisions.

The manylinux standard arguably made the upstream Python packaging
ecosystem a much nicer place. Installing packages with compiled
extension modules was no longer such a pain. One could just run
<code>pip install numpy</code> and not worry about a disturbing lack
of a Fortran compiler. For that reason, manylinux wheels became widely
adopted by the most popular projects.

==== A New Architecture ====

With the third manylinux version --
[https://www.python.org/dev/peps/pep-0599/ manylinux2014] (created in
2019, named after the oldest Linux it supports -- CentOS 7), support
for more architectures was introduced: x86_64, i686, aarch64, armv7l,
ppc64, ppc64le, s390x. The adoption of new architectures is somewhat
slow, because the [https://github.com/pypa/manylinux#manylinux2014
official manylinux2014 containers] currently (August 2020) exist only
for x86_64, i686, aarch64, ppc64le and s390x.

==== Revenge of the Patches ====

We have discovered [https://github.com/pypa/manylinux/issues/687 a
problem with the ppc64le manylinux2014 wheels]: The CentOS 7
manylinux2014 container images ship upstream Python without
RHEL/CentOS/EPEL patches. When an extension module is built there, it
is named with an upstream named suffix:
<code>.cpython-XY(m)-powerpc64le-linux-gnu.so</code>. The wheel is
installable on Fedora (with Fedora's patches), but the module won't
(even be considered for) import, because Fedora's Pythons expect the
extension to be <code>.cpython-XY(m)-ppc64le-linux-gnu.so</code>.

In theory, we have the same problem on armv7hl, but there are no
manylinux2014 containers available for that platform, so there are no
such wheels out there yet (to our knowledge).

The same problem also exists the other way around, albeit it's
arguably less severe. It is possible to build manylinux wheels on
(some version of) Fedora or EL (using the Python from that
distribution). However extension modules from such ppc64le wheels
won't import on other Linux distributions.

==== The Workaround Awakens ====

To allow importing extension modules from ppc64le manylinux wheels, we
have [https://src.fedoraproject.org/rpms/python3.9/pull-request/24
patched Pythons (3.5+) in Fedora] to consider both "Fedora's" and
upstream extension suffixes when importing extension modules. This
workaround works well for users installing manylinux wheels on
Fedora, but does not solve the problem when building the wheels on
Fedora.

=== The Change ===

With this change proposal, we plan to
[https://src.fedoraproject.org/rpms/python3.9/pull-request/28 switch
to use the upstream architecture names] and keep the workaround to
preserve backwards compatibility. When we do that the following will
happen:

# The Python standard library extension module suffixes will change to
<code>.cpython-39-powerpc64le-linux-gnu.so</code> and
<code>.cpython-39-arm-linux-gnueabihf.so</code>. Python will still
import extension modules with the legacy suffixes
<code>.cpython-39-ppc64le-linux-gnu.so</code> and
<code>.cpython-39-arm-linux-gnu.so</code>. Other architectures not
built by koji.fedoraproject.org will also be renamed, see
[https://src.fedoraproject.org/rpms/python3.9/pull-request/28#comment-0
the pull request for a complete regex]. This will happen for Python
3.7, 3.8, 3.5, 3.6 and 3.9.
# The newly built Python packages with extension modules will also
change the suffixes. Packages that assume the platform triplet is
always <code>%{_arch}-linux%{_gnu}</code> (e.g. in the
<code>%files</code> section) will need to be adapted (see the
[[#New_Macros|New Macros]] section). A mix of legacy and upstream
suffixes will co-exist and work together.
# When safe, we will drop the workaround to support the legacy names.
For example, when we initially package Python 3.10, it will be
packaged without the workaround. On the other hand, older Python
versions might never be able to drop it, because users will carry
their own built extension modules from previous releases.

=== New Macros ===

For packagers' convenience we will add 2 new Python macros:

'''%python3_ext_suffix'''

Defined as:

%python3_ext_suffix %(%{__python3} -Ic "import sysconfig; print(sysconfig.get_config_var('EXT_SUFFIX'))")

Values will be:

* <code>.cpython-39-x86_64-linux-gnu.so</code>
* <code>.cpython-39-powerpc64le-linux-gnu.so</code> on Fedora 34+ /
<code>.cpython-39-ppc64le-linux-gnu.so</code> on older Fedoras
* <code>.cpython-39-arm-linux-gnueabihf.so</code> on Fedora 34+ /
<code>.cpython-39-arm-linux-gnu.so</code> on older Fedoras
* etc.

Beware that due to changes in Python, this macro only works with
Python 3. For Python 3.4, the value is <code>.cpython-34m.so</code> on
all architectures (similarly on older Python 3 versions, but we don't
have such in Fedora or EPEL).

'''%python3_platform_triplet'''

Defined as:

%python3_platform_triplet %(%{__python3} -Ic "import sysconfig; print(sysconfig.get_config_var('MULTIARCH'))")

Values will be:

* <code>x86_64-linux-gnu</code>
* <code>powerpc64le-linux-gnu</code> / <code>ppc64le-linux-gnu</code>
* <code>arm-linux-gnueabihf</code> / <code>arm-linux-gnu</code>
* etc.

Beware that due to changes in Python, this macro only works with
Python versions 3.6 and newer.

Both macros will be backported to stable Fedoras and EPEL 7+ and will
have the corresponding <code>%python_</code> variant.

== Feedback ==
Eighth_Doctor: it's the cleverest written change proposal I've seen
in over a decade :)

== Benefit to Fedora ==

Users of ppc64le and armv7hl Fedora (and future RHEL) will have a
closer-to-upstream Python experience and will no longer suffer from
compatibility issues when they install or build manylinux wheels. The
upstream-downstream balance will be restored.

== Scope ==
* Proposal owners:
** Review and merge https://src.fedoraproject.org/rpms/python3.9/pull-request/28
** Add the new macros to all Fedoras and EPEL 7+ and mention them in
the guidelines
** Monitor builds of Python packages with extension modules, fix
issues if they arise.
** Backport to Python 3.5-3.8
** Drop the workaround from Python 3.10 once packaged

* Other developers: Mostly nothing, adapt the <code>%files</code>
section if needed
* Release engineering: a check of an impact with Release Engineering
is not needed
* Policies and guidelines: the new macros will be documented in the
Python packaging guidelines
* Trademark approval: not needed for this Change
* Alignment with Objectives: no


== Upgrade/compatibility impact ==
No significant user visible upgrade/compatibility problem is anticipated.
Filenames will be different, but the old filenames are still supported.
Scripts that hardcode filename assumptions might break.

== How To Test ==
On ppc64le, try to install a manylinux wheel and import from it. It
should work on any Python ≥ 3.5. E.g.:

pip install simple-manylinux-demo
python -c 'from dummyextension import extension'

On ppc64le, try to build a manylinux wheel and import from it on
another Linux. It should work on any Python ≥ 3.5. E.g.:

pip wheel . # on some project with extension module
auditwheel repair ...whl
wormhole send ...whl # or any other way

On another ppc64le Linux (such as Debian or openSUSE):

wormhole receive ...
pip install ...whl
python -c 'from ... import ...'

You can also build a regular (non-manylinux) wheel on Fedora 33/32 and
install and import it on Fedora 34. It should work.
The other way around will most likely also work, unless Fedora 34 has
an incompatible glibc update.

== User Experience ==
Users of ppc64le and armv7hl Fedora (and future RHEL) will have a
closer-to-upstream Python experience and will no longer suffer from
compatibility issues when they install or build manylinux wheels.

== Dependencies ==
No known dependencies. May the force be with us.

== Contingency Plan ==
* Contingency mechanism: Revert the change and rebuild all affected packages.
* Contingency deadline: Soft before the mass rebuild, so we could
leverage it for the revert-rebuilds. Hard before the beta freeze.
* Blocks release? No
* Blocks product? No

== Documentation ==
This page is the documentation.



--
Ben Cotton
He / Him / His
Senior Program Manager, Fedora & CentOS Stream
Red Hat
TZ=America/Indiana/Indianapolis
_______________________________________________
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org
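
The suffix mismatch described in the Python architecture names proposal above, as an added example that is not part of the proposal or of Fedora's patches: it models CPython's rule that a file is only considered for import when its name equals the module name plus one of the interpreter's accepted extension suffixes. The function names and sample filenames are constructed for illustration, and the position of the alternate suffix in the list is an assumption.

```python
import re

# Triplet renames named in the proposal: Fedora's patched name -> CPython upstream name.
LEGACY_TO_UPSTREAM = {
    "ppc64le-linux-gnu": "powerpc64le-linux-gnu",
    "arm-linux-gnu": "arm-linux-gnueabihf",
}
UPSTREAM_TO_LEGACY = {up: old for old, up in LEGACY_TO_UPSTREAM.items()}

# Matches ".cpython-XY(m)-<triplet>.so" at the end of a filename or suffix.
TAGGED_SUFFIX = re.compile(
    r"\.cpython-(?P<tag>\d+m?)-(?P<triplet>[A-Za-z0-9_]+(?:-[A-Za-z0-9_]+)+)\.so$"
)

# Constructed sample: extension modules as they might appear in site-packages.
SAMPLE_FILES = [
    "extension.cpython-39-powerpc64le-linux-gnu.so",   # built with upstream Python
    "legacy_mod.cpython-39-ppc64le-linux-gnu.so",      # built on an older Fedora
    "_speedups.cpython-39-x86_64-linux-gnu.so",        # wrong architecture
    "helper.abi3.so",                                  # stable-ABI module, no triplet
]


def naming(filename):
    """Classify a filename by the architecture naming scheme in its suffix."""
    match = TAGGED_SUFFIX.search(filename)
    if match is None:
        return "untagged"
    triplet = match.group("triplet")
    if triplet in LEGACY_TO_UPSTREAM:
        return "legacy-fedora"
    if triplet in UPSTREAM_TO_LEGACY:
        return "upstream"
    return "same-in-both"


def accepted_suffixes(ext_suffix, workaround):
    """Suffixes an interpreter with this EXT_SUFFIX would try, in order.

    With the workaround, the counterpart suffix (legacy <-> upstream) is also
    accepted. Placing it right after EXT_SUFFIX is an assumption of this example.
    ".abi3.so" and ".so" are the other suffixes CPython accepts on Linux.
    """
    suffixes = [ext_suffix]
    match = TAGGED_SUFFIX.search(ext_suffix)
    if workaround and match:
        triplet = match.group("triplet")
        other = LEGACY_TO_UPSTREAM.get(triplet) or UPSTREAM_TO_LEGACY.get(triplet)
        if other:
            suffixes.append(ext_suffix.replace(triplet, other))
    return suffixes + [".abi3.so", ".so"]


def would_import(filename, suffixes):
    """True if <module name> + <accepted suffix> equals the filename exactly.

    A bare ".so" does not rescue a mismatched tagged file: the module name
    would then have to contain the whole ".cpython-..." tag.
    """
    module = filename.split(".", 1)[0]
    return any(filename == module + suffix for suffix in suffixes)


def audit(filenames, ext_suffix, workaround):
    """Return (filename, naming scheme, importable) for each file."""
    suffixes = accepted_suffixes(ext_suffix, workaround)
    return [(name, naming(name), would_import(name, suffixes)) for name in filenames]


if __name__ == "__main__":
    scenarios = [
        ("legacy names, no workaround", ".cpython-39-ppc64le-linux-gnu.so", False),
        ("legacy names + workaround", ".cpython-39-ppc64le-linux-gnu.so", True),
        ("upstream names + workaround", ".cpython-39-powerpc64le-linux-gnu.so", True),
        ("upstream names, workaround dropped", ".cpython-39-powerpc64le-linux-gnu.so", False),
    ]
    for label, ext_suffix, workaround in scenarios:
        print(label)
        for name, scheme, ok in audit(SAMPLE_FILES, ext_suffix, workaround):
            print(f"  {'import' if ok else 'SKIP  '}  {scheme:<14} {name}")
```

On a real system, the interpreter's actual list is available as `importlib.machinery.EXTENSION_SUFFIXES`, which can be passed to `would_import` in place of the modelled list.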

F34 Change: Reduce installation media size by improving the compression ratio of SquashFS filesystem (Self-Contained Change)

https://fedoraproject.org/wiki/Changes/OptimizeSquashFS

== Summary ==
Improve compression ratio of SquashFS filesystem on the installation media.

== Owner ==
* Name: [[User:bkhomuts|Bohdan Khomutskyi]]
* Email: bkhomuts@redhat.com


== Detailed Description ==
As of Fedora 31, the LiveOS/squashfs.img file on the installation
image is compressed with default block size of mksquashfs. The
default block size is 128k. Additionally, lorax sets BCJ filter
depending on the architecture. Those parameters can be adjusted which
will lead to a better compression ratio and/or reduction of the CPU
usage at build time.


This is simple to achieve. Recently, Lorax has gotten support for
adjusting the compression options for mksquashfs via the configuration
file. The file should be altered as follows:
<pre>
[compression]
bcj = no
args = -b 1M -Xdict-size 1M -no-recovery
</pre>
Where -b 1M and -Xdict-size 1M are block and dictionary sizes
respectively; bcj -- branch-call-jump filter.

Based on the results above, I'd suggest selecting the following
''optimal configuration'': XZ algorithm, with block size of 1MiB and
without BCJ filter (plain xz -b 1M, without -Xbcj x86).
On the right, you can see the impact of the compression algorithms on
installation time.

As can be seen from the picture on the right hand side, selecting
'plain xz -b 1M configuration' has minimal impact on the installation
time and CPU usage during the installation. The compression will
result in +6.51% or, in real terms, +24.94s additional installation
time, compared to the savings of 142 MiB on the installation media,
refer to the documentation section to download the ISO images. This
increase in installation time will be compensated by the change in the
installer: https://github.com/rhinstaller/anaconda/pull/2292
I noticed that even with maximum compression, CPU is not fully
utilized during installation.


== Benefit to Fedora ==
* Reduction of the installation media size and the cost of storing and
distributing Fedora.
* Reduction of the CPU usage at build time, depending on which
compression parameters are chosen.

== Scope ==
* Proposal owners:
The build environment should have support for adjusting the Lorax
configuration file and -squashfs-only parameter. Lorax is a program
that produces the LiveOS/squashfs.img file on the installation media.

One of the ways to enable such customization is to introduce support
in Pungi to pass -c option to Lorax.

* Other developers:
The pungi utility should support passing the custom configuration file
location to the Lorax utility. This option should apply during
buildInstall phase of pungi.
* Release engineering: [https://pagure.io/releng/issue/9127]
* Policies and guidelines: Not required.
* Trademark approval: N/A (not needed for this Change)


== Upgrade/compatibility impact ==
N/A (not a System Wide Change)

== How To Test ==
<pre>
mkdir -p /mnt/new /mnt/old
sudo mount -o loop,ro FedoraInstallationOld.iso /mnt/old
sudo mount -o loop,ro FedoraInstallationNew.iso /mnt/new
ls -l /mnt/{new,old}/LiveOS/squashfs.img
</pre>
And then calculate the size difference.

== User Experience ==
* Decreasing the installation image size will reduce cost of mirroring
and storing Fedora installation images.
* Decreasing the installation image size will reduce the download time.
* Increasing the block size on the current configuration with EXT4
file system, should increase latency while accessing the EXT4
filesystem. The exact impact is to be evaluated.
* The impact of latency will be reduced if the plain SquashFS option
is chosen.

== Dependencies ==
Pungi, a utility that builds the compose, should include new
functionality mentioned above.
Alternatively, the /etc/lorax/lorax.conf should be altered in the
environment where Lorax is running.

== Contingency Plan ==
N/A

== Documentation ==
https://pagure.io/releng/issue/9127.<br/>
mksquashfs(1)<br/>
lorax(1)<br/>
https://docs.pagure.org/pungi<br/>
Select ISOs can be downloaded at https://khomutsky.com/fedora-dvd/<br/>
Spreadsheet pictured above [[File:Comparison Table SquashFS.ods]]
[https://github.com/rhinstaller/anaconda/pull/2292 Multi-core
decompression of SquashFS merge request]


--
Ben Cotton
He / Him / His
Senior Program Manager, Fedora & CentOS Stream
Red Hat
TZ=America/Indiana/Indianapolis

[USN-4475-1] Chrony vulnerability

==========================================================================
Ubuntu Security Notice USN-4475-1
August 27, 2020

chrony vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Chrony could be made to crash or expose sensitive information.

Software Description:
- chrony: An implementation of the Network Time Protocol

Details:

It was discovered that Chrony incorrectly handled certain symbolic links.
An attacker could possibly use this issue to cause a denial of service or
expose sensitive information.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS:
chrony 3.5-6ubuntu6.2

Ubuntu 18.04 LTS:
chrony 3.2-4ubuntu4.5

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/4475-1
CVE-2020-14367

Package Information:
https://launchpad.net/ubuntu/+source/chrony/3.5-6ubuntu6.2
https://launchpad.net/ubuntu/+source/chrony/3.2-4ubuntu4.5

[USN-4446-2] Squid regression

==========================================================================
Ubuntu Security Notice USN-4446-2
August 27, 2020

squid3 regression
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

USN-4446-1 introduced a regression in Squid.

Software Description:
- squid3: Web proxy cache server

Details:

USN-4446-1 fixed vulnerabilities in Squid. The update introduced a
regression when using Squid with the icap or ecap protocols. This update
fixes the problem.

We apologize for the inconvenience.

Original advisory details:

Jeriko One discovered that Squid incorrectly handled caching certain
requests. A remote attacker could possibly use this issue to perform
cache-injection attacks or gain access to reverse proxy features such as
ESI. (CVE-2019-12520)
Jeriko One and Kristoffer Danielsson discovered that Squid incorrectly
handled certain URN requests. A remote attacker could possibly use this
issue to bypass access checks. (CVE-2019-12523)
Jeriko One discovered that Squid incorrectly handled URL decoding. A remote
attacker could possibly use this issue to bypass certain rule checks.
(CVE-2019-12524)
Jeriko One and Kristoffer Danielsson discovered that Squid incorrectly
handled input validation. A remote attacker could use this issue to cause
Squid to crash, resulting in a denial of service. (CVE-2019-18676)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
squid 3.5.27-1ubuntu1.8

Ubuntu 16.04 LTS:
squid 3.5.12-1ubuntu7.13

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/4446-2
https://usn.ubuntu.com/4446-1
https://launchpad.net/bugs/1890265

Package Information:
https://launchpad.net/ubuntu/+source/squid3/3.5.27-1ubuntu1.8
https://launchpad.net/ubuntu/+source/squid3/3.5.12-1ubuntu7.13

Wednesday, August 26, 2020

[USN-4474-1] Firefox vulnerabilities

==========================================================================
Ubuntu Security Notice USN-4474-1
August 26, 2020

firefox vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Firefox could be made to crash or run programs as your login if it
opened a malicious website.

Software Description:
- firefox: Mozilla Open Source web browser

Details:

Multiple security issues were discovered in Firefox. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, trick the user
in to installing a malicious extension, spoof the URL bar, leak sensitive
information between origins, or execute arbitrary code. (CVE-2020-15664,
CVE-2020-15665, CVE-2020-15666, CVE-2020-15670)

It was discovered that NSS incorrectly handled certain signatures.
An attacker could possibly use this issue to expose sensitive information.
(CVE-2020-12400, CVE-2020-12401, CVE-2020-6829)

A data race was discovered when importing certificate information in to
the trust store. An attacker could potentially exploit this to cause an
unspecified impact. (CVE-2020-15668)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS:
firefox 80.0+build2-0ubuntu0.20.04.1

Ubuntu 18.04 LTS:
firefox 80.0+build2-0ubuntu0.18.04.1

Ubuntu 16.04 LTS:
firefox 80.0+build2-0ubuntu0.16.04.1

After a standard system update you need to restart Firefox to make
all the necessary changes.

References:
https://usn.ubuntu.com/4474-1
CVE-2020-12400, CVE-2020-12401, CVE-2020-15664, CVE-2020-15665,
CVE-2020-15666, CVE-2020-15668, CVE-2020-15670, CVE-2020-6829

Package Information:
https://launchpad.net/ubuntu/+source/firefox/80.0+build2-0ubuntu0.20.04.1
https://launchpad.net/ubuntu/+source/firefox/80.0+build2-0ubuntu0.18.04.1
https://launchpad.net/ubuntu/+source/firefox/80.0+build2-0ubuntu0.16.04.1

[USN-4473-1] libmysofa vulnerabilities

==========================================================================
Ubuntu Security Notice USN-4473-1
August 26, 2020

libmysofa vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in libmysofa.

Software Description:
- libmysofa: library to read HRTFs stored in the AES69-2015 SOFA format

Details:

It was discovered that libmysofa incorrectly handled certain input files.
An attacker could possibly use this issue to cause a denial of service or
other unspecified impact.
(CVE-2019-16091, CVE-2019-16092, CVE-2019-16093, CVE-2019-16094,
CVE-2019-16095)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
libmysofa0 0.6~dfsg0-3+deb10u1build1

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/4473-1
CVE-2019-16091, CVE-2019-16092, CVE-2019-16093, CVE-2019-16094,
CVE-2019-16095

Package Information:
https://launchpad.net/ubuntu/+source/libmysofa/0.6~dfsg0-3+deb10u1build1

Tuesday, August 25, 2020

OpenBSD Errata: August 25th, 2020 (xserverlen)

Errata patches for Xorg have been released for OpenBSD 6.6 and 6.7.

Various X server extensions had deficient input validation.

Binary updates for the amd64, i386, and arm64 platforms are available via
the syspatch utility. Source code patches can be found on the respective
errata page:

https://www.openbsd.org/errata66.html
https://www.openbsd.org/errata67.html

OpenBSD Errata: August 25th, 2020 (xinitom)

Errata patches for libX11 have been released for OpenBSD 6.6 and 6.7.

An integer overflow in libX11 could lead to a double free.

Additionally, fix a regression in ximcp.

Binary updates for the amd64, i386, and arm64 platforms are available via
the syspatch utility. Source code patches can be found on the respective
errata page:

https://www.openbsd.org/errata66.html
https://www.openbsd.org/errata67.html

Bodhi Activation point

Hi all,

Today's an important day on the Fedora 33 schedule[1], with several
significant cut-offs. First of all, today is the Bodhi activation point
[2]. That means that from now on all Fedora 33 packages must be
submitted to updates-testing and pass the relevant requirements[3]
before they will be marked as 'stable' and moved to the fedora
repository.

Today is also the Beta freeze[4]. This means that only packages which
fix accepted blocker or freeze exception bugs[5][6] will be marked as
'stable' and included in the Beta composes. Other builds will remain
in updates-testing until the Beta release is approved, at which point
the Beta freeze is lifted and packages can move to 'stable' as usual
until the Final freeze.

Today is also the '100% code complete deadline' Change
Checkpoint[5], meaning that Fedora 33 Changes must now be code
complete, meaning all the code required to enable the new change is
finished. The level of code completeness is reflected as tracker bug
state ON_QA. The change does not have to be fully tested by this
deadline.

Finally, today is also the Software String freeze[7], which means that
strings marked for translation in Fedora-translated projects should
not now be changed for Fedora 33.

Tomas Hrcka
jednorozec on FreeNode #fedora-releng #fedora-devel #fedora-cs

[1] https://fedorapeople.org/groups/schedule/f-33/f-33-key-tasks.html
[2] https://fedoraproject.org/wiki/Updates_Policy#Bodhi_enabling
[3] https://fedoraproject.org/wiki/Updates_Policy#Branched_release
[4] https://fedoraproject.org/wiki/Milestone_freezes
[5] https://fedoraproject.org/wiki/QA:SOP_blocker_bug_process
[6] https://fedoraproject.org/wiki/QA:SOP_freeze_exception_bug_process
[7] https://fedoraproject.org/wiki/ReleaseEngineering/StringFreezePolicy

[USN-4472-1] PostgreSQL vulnerabilities

==========================================================================
Ubuntu Security Notice USN-4472-1
August 25, 2020

postgresql-10, postgresql-12, postgresql-9.5 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in PostgreSQL.

Software Description:
- postgresql-12: Object-relational SQL database
- postgresql-10: Object-relational SQL database
- postgresql-9.5: Object-relational SQL database

Details:

Noah Misch discovered that PostgreSQL incorrectly handled the search_path
setting when used with logical replication. A remote attacker could
possibly use this issue to execute arbitrary SQL code. This issue only
affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-14349)

Andres Freund discovered that PostgreSQL incorrectly handled search path
elements in CREATE EXTENSION. A remote attacker could possibly use this
issue to execute arbitrary SQL code. (CVE-2020-14350)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS:
postgresql-12 12.4-0ubuntu0.20.04.1

Ubuntu 18.04 LTS:
postgresql-10 10.14-0ubuntu0.18.04.1

Ubuntu 16.04 LTS:
postgresql-9.5 9.5.23-0ubuntu0.16.04.1

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart PostgreSQL to
make all the necessary changes.

References:
https://usn.ubuntu.com/4472-1
CVE-2020-14349, CVE-2020-14350

Package Information:
https://launchpad.net/ubuntu/+source/postgresql-12/12.4-0ubuntu0.20.04.1
https://launchpad.net/ubuntu/+source/postgresql-10/10.14-0ubuntu0.18.04.1
https://launchpad.net/ubuntu/+source/postgresql-9.5/9.5.23-0ubuntu0.16.04.1

Monday, August 24, 2020

LibreSSL 3.2.1 Released

We have released LibreSSL 3.2.1, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon.

This is the second development release from the 3.2.x series, which will
eventually be part of OpenBSD 6.8. It includes the following changes:

* Propagate alerts from the read half of the TLSv1.3 record layer to I/O
functions.

* Send a record overflow alert for TLSv1.3 messages having overlong
plaintext or inner plaintext.

* Send an illegal parameter alert if a client sends an invalid DH key
share.

* Document PKCS7_final(3), PKCS7_add_attribute(3).

* Collapse x509v3 directory into x509.

* Improve TLSv1.3 client certificate selection to allow EC certificates
instead of only RSA certificates.

* Fail on receiving an invalid NID in X509_ATTRIBUTE_create() instead
of constructing a broken object that may cause NULL pointer accesses.

* Add support for additional GOST curves from RFC 7836 and
draft-deremin-rfc4491-bis.

* Add OIDs for HMAC using the Streebog hash function.

* Allow GOST R 34.11-2012 in PBE/PBKDF2/PKCS#5.

* Enable GOST_SIG_FORMAT_RS_LE when verifying certificate signatures.

* Handle GOST in ssl_cert_dup().

* Stop sending GOST R 34.10-94 as a CertificateType.

* Use IANA allocated GOST ClientCertificateTypes.

* Add a custom copy handler for AES keywrap to fix a use-after-free.

* Enforce in the TLSv1.3 server that ClientHello messages after
a HelloRetryRequest match the original ClientHello as per RFC 8446
section 4.1.2.

* Document more PKCS7 attribute functions.

* Document PKCS7_get_signer_info(3).

* Document PEM_ASN1_read(3) and PEM_ASN1_read_bio(3).

* Document PEM_def_callback(3).

* Document EVP_read_pw_string_min(3).

* Merge documentation of X509_get0_serialNumber from OpenSSL 1.1.1.

* Document error handling of X509_PUBKEY_get0(3) and X509_PUBKEY_get(3).

* Document X509_get0_pubkey_bitstr(3).

* Fix an off-by-one in the CBS padding removal. From BoringSSL.

* Enforce restrictions on extensions present in the ClientHello as per
RFC 8446, section 9.2.

* Add new CMAC_Init(3) and ChaCha(3) manual pages.

* Fix SSL_shutdown behavior to match the legacy stack. The previous
behavior could cause a hang.

* Add initial support for openbsd/powerpc64.

* Make the message type available in the internal TLS extensions API
functions.

* Enable TLSv1.3 for the generic TLS_method().

* Convert openssl(1) s_client option handling.

* Document openssl(1) certhash.

* Convert openssl(1) verify option handling.

* Fix a longstanding bug in PEM_X509_INFO_read_bio(3) that could cause
use-after-free and double-free issues in calling programs.

* Document PEM_X509_INFO_read(3) and PEM_X509_INFO_read_bio(3).

* Handle SSL_MODE_AUTO_RETRY being changed during a TLSv1.3 session.

* Convert openssl(1) s_server option handling.

* Add minimal info callback support for TLSv1.3.

* Refactor, clean up and simplify some SSL3/DTLS1 record writing code.

* Correctly handle server requests for an OCSP response.

* Add the P-521 curve to the list of curves supported by default
in the client.

* Convert openssl(1) req option handling.

* Avoid calling freezero with a negative size if a server sends a
malformed plaintext of all zeroes.

* Send an unexpected message alert if no valid content type is found
in a TLSv1.3 record.

The LibreSSL project continues improvement of the codebase to reflect modern,
safe programming practices. We welcome feedback and improvements from the
broader community. Thanks to all of the contributors who helped make this
release possible.

[USN-4470-1] sane-backends vulnerabilities

==========================================================================
Ubuntu Security Notice USN-4470-1
August 24, 2020

sane-backends vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in sane-backends.

Software Description:
- sane-backends: None

Details:

Kritphong Mongkhonvanit discovered that sane-backends incorrectly handled
certain packets. A remote attacker could possibly use this issue to obtain
sensitive memory information. This issue only affected Ubuntu 16.04 LTS.
(CVE-2017-6318)

It was discovered that sane-backends incorrectly handled certain memory
operations. A remote attacker could possibly use this issue to execute
arbitrary code. This issue only applied to Ubuntu 18.04 LTS and Ubuntu
20.04 LTS. (CVE-2020-12861)

It was discovered that sane-backends incorrectly handled certain memory
operations. A remote attacker could possibly use this issue to obtain
sensitive information. (CVE-2020-12862, CVE-2020-12863)

It was discovered that sane-backends incorrectly handled certain memory
operations. A remote attacker could possibly use this issue to obtain
sensitive information. This issue only applied to Ubuntu 18.04 LTS and
Ubuntu 20.04 LTS. (CVE-2020-12864)

It was discovered that sane-backends incorrectly handled certain memory
operations. A remote attacker could possibly use this issue to execute
arbitrary code. (CVE-2020-12865)

It was discovered that sane-backends incorrectly handled certain memory
operations. A remote attacker could possibly use this issue to cause a
denial of service. This issue only applied to Ubuntu 18.04 LTS and Ubuntu
20.04 LTS. (CVE-2020-12866)

It was discovered that sane-backends incorrectly handled certain memory
operations. A remote attacker could possibly use this issue to cause a
denial of service. (CVE-2020-12867)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS:
libsane1 1.0.29-0ubuntu5.1

Ubuntu 18.04 LTS:
libsane1 1.0.27-1~experimental3ubuntu2.3

Ubuntu 16.04 LTS:
libsane 1.0.25+git20150528-1ubuntu2.16.04.3

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/4470-1
CVE-2017-6318, CVE-2020-12861, CVE-2020-12862, CVE-2020-12863,
CVE-2020-12864, CVE-2020-12865, CVE-2020-12866, CVE-2020-12867

Package Information:
https://launchpad.net/ubuntu/+source/sane-backends/1.0.29-0ubuntu5.1
https://launchpad.net/ubuntu/+source/sane-backends/1.0.27-1~experimental3ubuntu2.3
https://launchpad.net/ubuntu/+source/sane-backends/1.0.25+git20150528-1ubuntu2.16.04.3

[USN-4469-1] Ghostscript vulnerabilities

==========================================================================
Ubuntu Security Notice USN-4469-1
August 24, 2020

ghostscript vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in Ghostscript.

Software Description:
- ghostscript: PostScript and PDF interpreter

Details:

It was discovered that Ghostscript incorrectly handled certain document
files. If a user or automated system were tricked into processing a
specially crafted file, a remote attacker could use this issue to cause
Ghostscript to crash, resulting in a denial of service, or possibly
execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS:
ghostscript 9.50~dfsg-5ubuntu4.2
libgs9 9.50~dfsg-5ubuntu4.2

Ubuntu 18.04 LTS:
ghostscript 9.26~dfsg+0-0ubuntu0.18.04.13
libgs9 9.26~dfsg+0-0ubuntu0.18.04.13

Ubuntu 16.04 LTS:
ghostscript 9.26~dfsg+0-0ubuntu0.16.04.13
libgs9 9.26~dfsg+0-0ubuntu0.16.04.13

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/4469-1
CVE-2020-16287, CVE-2020-16288, CVE-2020-16289, CVE-2020-16290,
CVE-2020-16291, CVE-2020-16292, CVE-2020-16293, CVE-2020-16294,
CVE-2020-16295, CVE-2020-16296, CVE-2020-16297, CVE-2020-16298,
CVE-2020-16299, CVE-2020-16300, CVE-2020-16301, CVE-2020-16302,
CVE-2020-16303, CVE-2020-16304, CVE-2020-16305, CVE-2020-16306,
CVE-2020-16307, CVE-2020-16308, CVE-2020-16309, CVE-2020-16310,
CVE-2020-17538

Package Information:
https://launchpad.net/ubuntu/+source/ghostscript/9.50~dfsg-5ubuntu4.2
https://launchpad.net/ubuntu/+source/ghostscript/9.26~dfsg+0-0ubuntu0.18.04.13
https://launchpad.net/ubuntu/+source/ghostscript/9.26~dfsg+0-0ubuntu0.16.04.13

[USN-4471-1] Net-SNMP vulnerabilities

==========================================================================
Ubuntu Security Notice USN-4471-1
August 24, 2020

net-snmp vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 ESM
- Ubuntu 12.04 ESM

Summary:

Several security issues were fixed in Net-SNMP.

Software Description:
- net-snmp: SNMP (Simple Network Management Protocol) server and applications

Details:

Tobias Neitzel discovered that Net-SNMP incorrectly handled certain symlinks.
An attacker could possibly use this issue to access sensitive information.
(CVE-2020-15861)

It was discovered that Net-SNMP incorrectly handled certain inputs.
An attacker could possibly use this issue to execute arbitrary code.
This issue only affected Ubuntu 14.04 ESM, Ubuntu 16.04 LTS, Ubuntu
18.04 LTS, and Ubuntu 20.04 LTS. (CVE-2020-15862)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS:
libsnmp-base 5.8+dfsg-2ubuntu2.3
libsnmp-perl 5.8+dfsg-2ubuntu2.3
libsnmp35 5.8+dfsg-2ubuntu2.3
snmpd 5.8+dfsg-2ubuntu2.3

Ubuntu 18.04 LTS:
libsnmp-base 5.7.3+dfsg-1.8ubuntu3.5
libsnmp-perl 5.7.3+dfsg-1.8ubuntu3.5
libsnmp30 5.7.3+dfsg-1.8ubuntu3.5
snmpd 5.7.3+dfsg-1.8ubuntu3.5

Ubuntu 16.04 LTS:
libsnmp-base 5.7.3+dfsg-1ubuntu4.5
libsnmp-perl 5.7.3+dfsg-1ubuntu4.5
libsnmp30 5.7.3+dfsg-1ubuntu4.5
snmpd 5.7.3+dfsg-1ubuntu4.5

Ubuntu 14.04 ESM:
libsnmp-base 5.7.2~dfsg-8.1ubuntu3.3+esm1
libsnmp-perl 5.7.2~dfsg-8.1ubuntu3.3+esm1
libsnmp30 5.7.2~dfsg-8.1ubuntu3.3+esm1
snmpd 5.7.2~dfsg-8.1ubuntu3.3+esm1

Ubuntu 12.04 ESM:
libsnmp-base 5.4.3~dfsg-2.4ubuntu1.5
libsnmp-perl 5.4.3~dfsg-2.4ubuntu1.5
libsnmp15 5.4.3~dfsg-2.4ubuntu1.5
snmpd 5.4.3~dfsg-2.4ubuntu1.5

After a standard system update you need to restart snmpd to make
all the necessary changes.

References:
https://usn.ubuntu.com/4471-1
CVE-2020-15861, CVE-2020-15862

Package Information:
https://launchpad.net/ubuntu/+source/net-snmp/5.8+dfsg-2ubuntu2.3
https://launchpad.net/ubuntu/+source/net-snmp/5.7.3+dfsg-1.8ubuntu3.5
https://launchpad.net/ubuntu/+source/net-snmp/5.7.3+dfsg-1ubuntu4.5

[USN-4468-2] Bind vulnerability

==========================================================================
Ubuntu Security Notice USN-4468-2
August 24, 2020

bind9 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 ESM
- Ubuntu 12.04 ESM

Summary:

Bind could be made to crash if it received a specially crafted
request.

Software Description:
- bind9: Internet Domain Name Server

Details:

USN-4468-1 fixed a vulnerability in Bind. This update provides
the corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM.

Original advisory details:

Dave Feldman, Jeff Warren, and Joel Cunningham discovered that Bind
incorrectly handled certain truncated responses to a TSIG-signed request. A
remote attacker could possibly use this issue to cause Bind to crash,
resulting in a denial of service. (CVE-2020-8622)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 ESM:
bind9 1:9.9.5.dfsg-3ubuntu0.19+esm3

Ubuntu 12.04 ESM:
bind9 1:9.8.1.dfsg.P1-4ubuntu0.31

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/4468-2
https://usn.ubuntu.com/4468-1
CVE-2020-8622

Orphaned packages looking for new maintainers

The following packages are orphaned and will be retired when they
are orphaned for six weeks, unless someone adopts them. If you know for sure
that the package should be retired, please do so now with a proper reason:
https://fedoraproject.org/wiki/How_to_remove_a_package_at_end_of_life

Note: If you received this mail directly you (co)maintain one of the affected
packages or a package that depends on one. Please adopt the affected package or
retire your depending package to avoid broken dependencies, otherwise your
package will be retired when the affected package gets retired.

Request package ownership via the *Take* button in the left column on
https://src.fedoraproject.org/rpms/<pkgname>

Full report available at:
https://churchyard.fedorapeople.org/orphans-2020-08-24.txt
grep it for your FAS username and follow the dependency chain.

For human readable dependency chains, see https://packager.fedorainfracloud.org/
For all orphaned packages, see https://packager.fedorainfracloud.org/orphan

Package                            (co)maintainers                                       Status Change
====================================================================================================
PEGTL                              orphan, rsroka                                        0 weeks ago
abrt-addon-python3                 abrt-sig, ekulik, mmarusak, msuchy, orphan            0 weeks ago
amftools                           churchyard, orphan                                    5 weeks ago
apache-commons-dbcp                mizdebsk, orphan                                      1 weeks ago
container-exception-logger         abrt-sig, ekulik, mmarusak, msuchy, orphan            0 weeks ago
dbus-java                          orphan                                                2 weeks ago
emacs-lua                          orphan                                                5 weeks ago
fst                                orphan                                                2 weeks ago
geronimo-parent-poms               jjelen, mizdebsk, orphan                              0 weeks ago
glassfish-legal                    orphan                                                0 weeks ago
glassfish-master-pom               orphan                                                0 weeks ago
jaxb2-maven-plugin                 jjelen, lef, orphan                                   2 weeks ago
joda-time                          mizdebsk, orphan                                      1 weeks ago
js-jquery-iframe-transport         orphan                                                2 weeks ago
js-jquery-knob                     orphan                                                2 weeks ago
js-jquery-qrcode                   orphan                                                2 weeks ago
js-tag-it                          orphan                                                2 weeks ago
jvnet-parent                       mizdebsk, orphan                                      0 weeks ago
libmatthew-java                    orphan                                                2 weeks ago
libscs                             orphan                                                5 weeks ago
liquibase                          awood, orphan                                         2 weeks ago
lua-copas                          orphan                                                5 weeks ago
lua-coxpcall                       orphan                                                5 weeks ago
lua-logging                        orphan                                                5 weeks ago
lua-sql                            orphan                                                5 weeks ago
lua-wsapi                          orphan                                                5 weeks ago
lua-xmlrpc                         orphan                                                5 weeks ago
luadoc                             orphan                                                5 weeks ago
man-pages-de                       orphan, romal                                         2 weeks ago
maven-jaxb2-plugin                 orphan                                                1 weeks ago
mingw-liboil                       lfarkas, orphan, rjones                               4 weeks ago
mozilla-iot-gateway                orphan                                                4 weeks ago
mozilla-iot-gateway-addon-node     orphan                                                2 weeks ago
mozilla-iot-gateway-addon-python   orphan                                                2 weeks ago
nanomsg                            orphan                                                2 weeks ago
nodejs-core-util-is                nodejs-sig, orphan                                    3 weeks ago
nodejs-css-stringify               nodejs-sig, orphan, patches                           0 weeks ago
nodejs-css-tree                    orphan                                                0 weeks ago
nodejs-duplexer                    nodejs-sig, orphan                                    3 weeks ago
nodejs-duplexify                   nodejs-sig, orphan                                    3 weeks ago
nodejs-end-of-stream               nodejs-sig, orphan                                    3 weeks ago
nodejs-espower-location-detector   orphan                                                0 weeks ago
nodejs-from                        nodejs-sig, orphan                                    3 weeks ago
nodejs-grunt                       nodejs-sig, orphan, patches, piotrp                   0 weeks ago
nodejs-http-signature              nodejs-sig, orphan, patches                           0 weeks ago
nodejs-readable-stream             jsmith, nodejs-sig, orphan                            3 weeks ago
nodejs-snapdragon                  orphan                                                0 weeks ago
numix-gtk-theme                    mymindstorm, orphan                                   0 weeks ago
numix-icon-theme                   mymindstorm, orphan                                   0 weeks ago
numix-icon-theme-circle            mymindstorm, orphan                                   0 weeks ago
python-kaptan                      bowlofeggs, jcline, orphan                            0 weeks ago
python-ladon                       orphan                                                5 weeks ago
python-libtmux                     orphan                                                0 weeks ago
python-nnpy                        orphan                                                2 weeks ago
python-txamqp                      orphan                                                5 weeks ago
qrcode-generator                   orphan                                                2 weeks ago
rmic-maven-plugin                  mizdebsk, orphan                                      1 weeks ago
ruby-ldap                          orphan                                                3 weeks ago
rubygem-delayed_job                orphan                                                0 weeks ago
rubygem-delayed_job_active_record  orphan                                                0 weeks ago
rubygem-elasticsearch              orphan                                                3 weeks ago
rubygem-elasticsearch-api          orphan                                                3 weeks ago
rubygem-fast_gettext               brandfbb, orphan                                      3 weeks ago
rubygem-org-ruby                   orphan                                                0 weeks ago
rubygem-rubypants                  orphan                                                0 weeks ago
rubygem-sigdump                    orphan                                                0 weeks ago
rubygem-wikicloth                  orphan                                                2 weeks ago
satyr                              abrt-sig, ekulik, mgrabovs, mmarusak, msuchy, orphan  0 weeks ago
sonatype-oss-parent                mizdebsk, orphan                                      0 weeks ago
stbi                               churchyard, orphan                                    5 weeks ago
stress-ng                          fale, orphan, slaanesh, snecker                       0 weeks ago
unboundid-ldapsdk                  orphan                                                3 weeks ago
unison213                          gemi, orphan, rjones                                  3 weeks ago
unison227                          brummbq, gemi, orphan, rjones, timj                   3 weeks ago
unison240                          brummbq, orphan, rjones                               3 weeks ago
usb_modeswitch                     huzaifas, orphan, romal                               2 weeks ago


The following packages require above mentioned packages:
Report too long, see the full version at
https://churchyard.fedorapeople.org/orphans-2020-08-24.txt

See dependency chains of your packages at https://packager.fedorainfracloud.org/
See all orphaned packages at https://packager.fedorainfracloud.org/orphan


Affected (co)maintainers (either directly or via packages' dependencies):
abrt-sig: satyr, container-exception-logger, abrt-addon-python3
abrt-team: container-exception-logger, satyr
acaringi: sonatype-oss-parent
akurtakov: sonatype-oss-parent, jvnet-parent, geronimo-parent-poms
alakatos: PEGTL
anishpatil: nodejs-css-stringify
arobinso: sonatype-oss-parent, jvnet-parent
awood: liquibase
bowlofeggs: python-kaptan
brandfbb: rubygem-fast_gettext
brummbq: unison240, unison227
caolanm: sonatype-oss-parent
cfu: geronimo-parent-poms
churchyard: PEGTL, amftools, stbi
cipherboy: geronimo-parent-poms
clime: nodejs-grunt
coolsvap: geronimo-parent-poms
copr-sig: nodejs-grunt
cquad: sonatype-oss-parent
csutherl: geronimo-parent-poms
davidx: glassfish-legal, jvnet-parent, glassfish-master-pom
dbhole: sonatype-oss-parent, jvnet-parent
dcallagh: nodejs-css-stringify
decathorpe: glassfish-legal, jvnet-parent, glassfish-master-pom,
geronimo-parent-poms
deji: PEGTL
dmoluguw: jvnet-parent, geronimo-parent-poms
dominik: sonatype-oss-parent
dturecek: nodejs-grunt
ebaron: sonatype-oss-parent, jvnet-parent
eclipse-sig: sonatype-oss-parent, jvnet-parent
edewata: jvnet-parent, geronimo-parent-poms
ekulik: satyr, container-exception-logger, abrt-addon-python3
ellert: jvnet-parent
fab: nodejs-css-stringify
fale: stress-ng
fnasser: jvnet-parent
frostyx: nodejs-grunt
fsimonce: sonatype-oss-parent
galileo: sonatype-oss-parent
gemi: unison213, unison227
gil: glassfish-legal, jvnet-parent, glassfish-master-pom, geronimo-parent-poms,
sonatype-oss-parent
hguemar: PEGTL
hhorak: sonatype-oss-parent, PEGTL
hobbes1069: PEGTL
huwang: geronimo-parent-poms
huzaifas: usb_modeswitch
ignatenkobrain: PEGTL, python-kaptan, python-libtmux
java-maint-sig: glassfish-legal, jvnet-parent, glassfish-master-pom,
geronimo-parent-poms
jcapik: jvnet-parent
jcline: python-kaptan
jerboaa: sonatype-oss-parent, jvnet-parent
jfilak: container-exception-logger, satyr
jgu: PEGTL
jjames: sonatype-oss-parent, jvnet-parent
jjanco: sonatype-oss-parent
jjelen: glassfish-legal, jvnet-parent, glassfish-master-pom, jaxb2-maven-plugin,
geronimo-parent-poms, sonatype-oss-parent, apache-commons-dbcp
jjohnstn: sonatype-oss-parent, jvnet-parent
jkang: jvnet-parent
jkastner: PEGTL
jkucera: PEGTL
jmlich: PEGTL
jridky: PEGTL
jsmith: nodejs-snapdragon, nodejs-duplexify, nodejs-grunt, nodejs-end-of-stream,
nodejs-duplexer, nodejs-css-tree, nodejs-css-stringify, nodejs-core-util-is,
nodejs-readable-stream
jvanek: sonatype-oss-parent
kdaniel: sonatype-oss-parent, jvnet-parent, geronimo-parent-poms
kwizart: PEGTL
kwright: geronimo-parent-poms
lef: jaxb2-maven-plugin, jvnet-parent, geronimo-parent-poms, sonatype-oss-parent
lfarkas: mingw-liboil
lkundrak: sonatype-oss-parent, stbi
lupinix: sonatype-oss-parent, PEGTL
m4rtink: satyr
mbooth: sonatype-oss-parent, jvnet-parent
mef: sonatype-oss-parent
melmorabity: sonatype-oss-parent
mgrabovs: container-exception-logger, satyr
mharmsen: geronimo-parent-poms
mizdebsk: glassfish-legal, jvnet-parent, joda-time, rmic-maven-plugin,
glassfish-master-pom, geronimo-parent-poms, sonatype-oss-parent, apache-commons-dbcp
mjakubicek: sonatype-oss-parent
mmarusak: satyr, container-exception-logger, abrt-addon-python3
mmorsi: joda-time, sonatype-oss-parent
moceap: geronimo-parent-poms
mrceresa: PEGTL
mschorm: sonatype-oss-parent
msuchy: satyr, nodejs-grunt, container-exception-logger, abrt-addon-python3
mymindstorm: numix-icon-theme-circle, numix-icon-theme, numix-gtk-theme
neuro-sig: PEGTL
ngompa: sonatype-oss-parent
nodejs-sig: nodejs-snapdragon, nodejs-duplexify, nodejs-grunt,
nodejs-end-of-stream, nodejs-duplexer, nodejs-http-signature, nodejs-from,
nodejs-css-tree, nodejs-css-stringify, nodejs-core-util-is, nodejs-readable-stream
odubaj: sonatype-oss-parent
oliver: sonatype-oss-parent, jvnet-parent
orion: PEGTL
patches: nodejs-grunt, nodejs-http-signature, nodejs-css-stringify,
nodejs-core-util-is, nodejs-readable-stream
piotrp: nodejs-grunt, nodejs-css-stringify
praiskup: nodejs-grunt
raphgro: sonatype-oss-parent
rgrunber: sonatype-oss-parent, jvnet-parent
rjones: mingw-liboil, unison240, unison213, unison227
rmattes: PEGTL, emacs-lua
robotics-sig: PEGTL
romal: man-pages-de, usb_modeswitch
rsroka: PEGTL
sagitter: PEGTL
scitech_sig: PEGTL
sdgathman: sonatype-oss-parent, jvnet-parent
sebp: PEGTL
sergiomb: PEGTL, nodejs-css-stringify, js-jquery-iframe-transport
slaanesh: PEGTL, stress-ng
smani: PEGTL
snecker: stress-ng
spike: geronimo-parent-poms
tc01: jvnet-parent, nodejs-grunt, nodejs-css-stringify, nodejs-core-util-is,
nodejs-readable-stream
tdawson: nodejs-core-util-is, nodejs-readable-stream
thofmann: PEGTL, emacs-lua
timj: unison227
timn: emacs-lua
vakwetu: geronimo-parent-poms
van: geronimo-parent-poms
vjancik: PEGTL, nodejs-css-stringify, nodejs-core-util-is, nodejs-readable-stream
vtrefny: satyr
xavierb: nodejs-grunt
zbyszek: sonatype-oss-parent
zultron: PEGTL
zvetlik: nodejs-css-stringify, nodejs-core-util-is, nodejs-readable-stream
zzambers: sonatype-oss-parent

--
The script creating this output is run and developed by Fedora
Release Engineering. Please report issues at its pagure instance:
https://pagure.io/releng/
The sources of this script can be found at:
https://pagure.io/releng/blob/master/f/scripts/find_unblocked_orphans.py

Friday, August 21, 2020

Updating Scientific Linux 7 Secure Boot key

Attention all Scientific Linux users of Secure Boot:

A new SECURE BOOT key for Scientific Linux 7 will be used starting
August 26 2020. The existing key expires on the same day.

The new key is published at

http://ftp.scientificlinux.org/linux/scientific/7x/x86_64/os/SECURE-BOOT-KEY-fnal-sl7-exp-2023-09-27

in DER format[2].

A new grub2, shim, fwupd, and kernel will be issued along with the
first errata requiring this key.

For more information on Scientific Linux 7 and Secure Boot please
review our release notes[1].

UEFI SECURE BOOT users should validate the new certificate and load it
at this time[1].

Thanks,

The Scientific Linux Team

[1]
http://ftp.scientificlinux.org/linux/scientific/7x/x86_64/release-notes/#_about_uefi_secure_boot

[2] A PEM formatted version of the certificate is provided here as
well:

[USN-4468-1] Bind vulnerabilities

==========================================================================
Ubuntu Security Notice USN-4468-1
August 21, 2020

bind9 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in Bind.

Software Description:
- bind9: Internet Domain Name Server

Details:

Emanuel Almeida discovered that Bind incorrectly handled certain TCP
payloads. A remote attacker could possibly use this issue to cause Bind to
crash, resulting in a denial of service. This issue only affected Ubuntu
20.04 LTS. (CVE-2020-8620)

Joseph Gullo discovered that Bind incorrectly handled QNAME minimization
when used in certain configurations. A remote attacker could possibly use
this issue to cause Bind to crash, resulting in a denial of service. This
issue only affected Ubuntu 20.04 LTS. (CVE-2020-8621)

Dave Feldman, Jeff Warren, and Joel Cunningham discovered that Bind
incorrectly handled certain truncated responses to a TSIG-signed request. A
remote attacker could possibly use this issue to cause Bind to crash,
resulting in a denial of service. (CVE-2020-8622)

Lyu Chiy discovered that Bind incorrectly handled certain queries. A remote
attacker could possibly use this issue to cause Bind to crash, resulting in
a denial of service. (CVE-2020-8623)

Joop Boonen discovered that Bind incorrectly handled certain subdomain
update-policy rules. A remote attacker granted privileges to change certain
parts of a zone could use this issue to change other contents of the zone,
contrary to expectations. This issue only affected Ubuntu 18.04 LTS and
Ubuntu 20.04 LTS. (CVE-2020-8624)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS:
bind9 1:9.16.1-0ubuntu2.3

Ubuntu 18.04 LTS:
bind9 1:9.11.3+dfsg-1ubuntu1.13

Ubuntu 16.04 LTS:
bind9 1:9.10.3.dfsg.P4-8ubuntu1.17

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/4468-1
CVE-2020-8620, CVE-2020-8621, CVE-2020-8622, CVE-2020-8623,
CVE-2020-8624

Package Information:
https://launchpad.net/ubuntu/+source/bind9/1:9.16.1-0ubuntu2.3
https://launchpad.net/ubuntu/+source/bind9/1:9.11.3+dfsg-1ubuntu1.13
https://launchpad.net/ubuntu/+source/bind9/1:9.10.3.dfsg.P4-8ubuntu1.17

Thursday, August 20, 2020

[USN-4466-2] curl vulnerability

==========================================================================
Ubuntu Security Notice USN-4466-2
August 20, 2020

curl vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 ESM

Summary:

curl could be made to expose sensitive information over the network.

Software Description:
- curl: HTTP, HTTPS, and FTP client and client libraries

Details:

USN-4466-1 fixed a vulnerability in curl. This update provides
the corresponding update for Ubuntu 14.04 ESM.

Original advisory details:

Marc Aldorasi discovered that curl incorrectly handled the libcurl
CURLOPT_CONNECT_ONLY option. This could result in data being sent to the
wrong destination, possibly exposing sensitive information.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 ESM:
curl 7.35.0-1ubuntu2.20+esm5
libcurl3-gnutls 7.35.0-1ubuntu2.20+esm5
libcurl3-nss 7.35.0-1ubuntu2.20+esm5

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/4466-2
https://usn.ubuntu.com/4466-1
CVE-2020-8231

Wednesday, August 19, 2020

[USN-4467-1] QEMU vulnerabilities

==========================================================================
Ubuntu Security Notice USN-4467-1
August 19, 2020

qemu vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in QEMU.

Software Description:
- qemu: Machine emulator and virtualizer

Details:

Ziming Zhang and VictorV discovered that the QEMU SLiRP networking
implementation incorrectly handled replying to certain ICMP echo requests.
An attacker inside a guest could possibly use this issue to leak host
memory to obtain sensitive information. This issue only affected Ubuntu
18.04 LTS. (CVE-2020-10756)

Eric Blake and Xueqiang Wei discovered that the QEMU NBD implementation
incorrectly handled certain requests. A remote attacker could possibly use
this issue to cause QEMU to crash, resulting in a denial of service. This
issue only affected Ubuntu 20.04 LTS. (CVE-2020-10761)

Ziming Zhang discovered that the QEMU SM501 graphics driver incorrectly
handled certain operations. An attacker inside a guest could use this issue
to cause QEMU to crash, resulting in a denial of service, or possibly
execute arbitrary code. (CVE-2020-12829)

It was discovered that the QEMU SD memory card implementation incorrectly
handled certain memory operations. An attacker inside a guest could
possibly use this issue to cause QEMU to crash, resulting in a denial of
service. (CVE-2020-13253)

Ren Ding and Hanqing Zhao discovered that the QEMU ES1370 audio driver
incorrectly handled certain invalid frame counts. An attacker inside a
guest could possibly use this issue to cause QEMU to crash, resulting in a
denial of service. (CVE-2020-13361)

Ren Ding and Hanqing Zhao discovered that the QEMU MegaRAID SAS SCSI driver
incorrectly handled certain memory operations. An attacker inside a guest
could possibly use this issue to cause QEMU to crash, resulting in a denial
of service. (CVE-2020-13362)

Alexander Bulekov discovered that the QEMU MegaRAID SAS SCSI driver incorrectly
handled certain memory space operations. An attacker inside a guest could
possibly use this issue to cause QEMU to crash, resulting in a denial of
service. (CVE-2020-13659)

Ren Ding, Hanqing Zhao, Alexander Bulekov, and Anatoly Trosinenko
discovered that QEMU incorrectly handled certain MSI-X MMIO operations.
An attacker inside a guest could possibly use this issue to cause QEMU to
crash, resulting in a denial of service. (CVE-2020-13754)

It was discovered that QEMU incorrectly handled certain memory copy
operations when loading ROM contents. If a user were tricked into running
an untrusted kernel image, a remote attacker could possibly use this issue
to run arbitrary code. This issue only affected Ubuntu 16.04 LTS and Ubuntu
18.04 LTS. (CVE-2020-13765)

Ren Ding, Hanqing Zhao, and Yi Ren discovered that the QEMU ATI video
driver incorrectly handled certain index values. An attacker inside a guest
could possibly use this issue to cause QEMU to crash, resulting in a denial
of service. This issue only affected Ubuntu 20.04 LTS. (CVE-2020-13800)

Ziming Zhang discovered that the QEMU OSS audio driver incorrectly handled
certain operations. An attacker inside a guest could possibly use this
issue to cause QEMU to crash, resulting in a denial of service. This issue
only affected Ubuntu 20.04 LTS. (CVE-2020-14415)

Ziming Zhang discovered that the QEMU XGMAC Ethernet controller incorrectly
handled packet transmission. An attacker inside a guest could use this
issue to cause QEMU to crash, resulting in a denial of service, or possibly
execute arbitrary code. (CVE-2020-15863)

Ziming Zhang discovered that the QEMU e1000e Ethernet controller
incorrectly handled packet processing. An attacker inside a guest could
possibly use this issue to cause QEMU to crash, resulting in a denial of
service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
(CVE-2020-16092)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS:
qemu 1:4.2-3ubuntu6.4
qemu-system 1:4.2-3ubuntu6.4
qemu-system-arm 1:4.2-3ubuntu6.4
qemu-system-mips 1:4.2-3ubuntu6.4
qemu-system-ppc 1:4.2-3ubuntu6.4
qemu-system-s390x 1:4.2-3ubuntu6.4
qemu-system-sparc 1:4.2-3ubuntu6.4
qemu-system-x86 1:4.2-3ubuntu6.4
qemu-system-x86-microvm 1:4.2-3ubuntu6.4
qemu-system-x86-xen 1:4.2-3ubuntu6.4

Ubuntu 18.04 LTS:
qemu 1:2.11+dfsg-1ubuntu7.31
qemu-system 1:2.11+dfsg-1ubuntu7.31
qemu-system-mips 1:2.11+dfsg-1ubuntu7.31
qemu-system-ppc 1:2.11+dfsg-1ubuntu7.31
qemu-system-s390x 1:2.11+dfsg-1ubuntu7.31
qemu-system-sparc 1:2.11+dfsg-1ubuntu7.31
qemu-system-x86 1:2.11+dfsg-1ubuntu7.31

Ubuntu 16.04 LTS:
qemu 1:2.5+dfsg-5ubuntu10.45
qemu-system 1:2.5+dfsg-5ubuntu10.45
qemu-system-aarch64 1:2.5+dfsg-5ubuntu10.45
qemu-system-arm 1:2.5+dfsg-5ubuntu10.45
qemu-system-mips 1:2.5+dfsg-5ubuntu10.45
qemu-system-ppc 1:2.5+dfsg-5ubuntu10.45
qemu-system-s390x 1:2.5+dfsg-5ubuntu10.45
qemu-system-sparc 1:2.5+dfsg-5ubuntu10.45
qemu-system-x86 1:2.5+dfsg-5ubuntu10.45

After a standard system update you need to restart all QEMU virtual
machines to make all the necessary changes.

References:
https://usn.ubuntu.com/4467-1
CVE-2020-10756, CVE-2020-10761, CVE-2020-12829, CVE-2020-13253,
CVE-2020-13361, CVE-2020-13362, CVE-2020-13659, CVE-2020-13754,
CVE-2020-13765, CVE-2020-13800, CVE-2020-14415, CVE-2020-15863,
CVE-2020-16092

Package Information:
https://launchpad.net/ubuntu/+source/qemu/1:4.2-3ubuntu6.4
https://launchpad.net/ubuntu/+source/qemu/1:2.11+dfsg-1ubuntu7.31
https://launchpad.net/ubuntu/+source/qemu/1:2.5+dfsg-5ubuntu10.45

[USN-4466-1] curl vulnerability

==========================================================================
Ubuntu Security Notice USN-4466-1
August 19, 2020

curl vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

curl could be made to expose sensitive information over the network.

Software Description:
- curl: HTTP, HTTPS, and FTP client and client libraries

Details:

Marc Aldorasi discovered that curl incorrectly handled the libcurl
CURLOPT_CONNECT_ONLY option. This could result in data being sent to the
wrong destination, possibly exposing sensitive information.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS:
curl 7.68.0-1ubuntu2.2
libcurl3-gnutls 7.68.0-1ubuntu2.2
libcurl3-nss 7.68.0-1ubuntu2.2
libcurl4 7.68.0-1ubuntu2.2

Ubuntu 18.04 LTS:
curl 7.58.0-2ubuntu3.10
libcurl3-gnutls 7.58.0-2ubuntu3.10
libcurl3-nss 7.58.0-2ubuntu3.10
libcurl4 7.58.0-2ubuntu3.10

Ubuntu 16.04 LTS:
curl 7.47.0-1ubuntu2.16
libcurl3 7.47.0-1ubuntu2.16
libcurl3-gnutls 7.47.0-1ubuntu2.16
libcurl3-nss 7.47.0-1ubuntu2.16

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/4466-1
CVE-2020-8231

Package Information:
https://launchpad.net/ubuntu/+source/curl/7.68.0-1ubuntu2.2
https://launchpad.net/ubuntu/+source/curl/7.58.0-2ubuntu3.10
https://launchpad.net/ubuntu/+source/curl/7.47.0-1ubuntu2.16