Wednesday, September 30, 2020

[USN-4562-1] kramdown vulnerability

==========================================================================
Ubuntu Security Notice USN-4562-1
September 30, 2020

ruby-kramdown vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

kramdown could be made to crash, run programs, or leak sensitive information if
it opened a specially crafted file.

Software Description:
- ruby-kramdown: Fast, pure-Ruby Markdown-superset converter - ruby library

Details:

It was discovered that kramdown insecurely handled certain crafted input.
An attacker could use this vulnerability to read restricted files or
execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS:
kramdown 1.17.0-4ubuntu0.1
ruby-kramdown 1.17.0-4ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/4562-1
CVE-2020-14001

Package Information:
https://launchpad.net/ubuntu/+source/ruby-kramdown/1.17.0-4ubuntu0.1

--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

[USN-4561-1] Rack vulnerabilities

==========================================================================
Ubuntu Security Notice USN-4561-1
September 30, 2020

ruby-rack vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS

Summary:

Rack could be made to expose sensitive information over the network.

Software Description:
- ruby-rack: modular Ruby webserver interface

Details:

It was discovered that Rack incorrectly handled certain paths. An attacker
could possibly use this issue to obtain sensitive information.
(CVE-2020-8161)

It was discovered that Rack incorrectly validated cookies. An attacker
could possibly use this issue to forge a secure cookie. (CVE-2020-8184)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
ruby-rack 1.6.4-4ubuntu0.2

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/4561-1
CVE-2020-8161, CVE-2020-8184

Package Information:
https://launchpad.net/ubuntu/+source/ruby-rack/1.6.4-4ubuntu0.2

[USN-4560-1] Gon gem vulnerability

==========================================================================
Ubuntu Security Notice USN-4560-1
September 30, 2020

ruby-gon vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS

Summary:

Gon gem could be made to run programs if it received specially crafted network
traffic.

Software Description:
- ruby-gon: Ruby library to send data to JavaScript from a Ruby application

Details:

It was discovered that Gon gem did not properly escape certain input. An
attacker could use this vulnerability to execute a cross-site scripting
(XSS) attack.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
ruby-gon 6.1.0-1+deb9u1build0.18.04.1

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/4560-1
CVE-2020-25739

Package Information:
https://launchpad.net/ubuntu/+source/ruby-gon/6.1.0-1+deb9u1build0.18.04.1


[USN-4559-1] Samba update

==========================================================================
Ubuntu Security Notice USN-4559-1
September 30, 2020

samba update
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security improvements were added to Samba.

Software Description:
- samba: SMB/CIFS file, print, and login server for Unix

Details:

Tom Tervoort discovered that the Netlogon protocol implemented by Samba
incorrectly handled the authentication scheme. A remote attacker could use
this issue to forge an authentication token and steal the credentials of
the domain admin.

While a previous security update fixed the issue by changing the "server
schannel" setting to default to "yes", instead of "auto", which forced a
secure netlogon channel, this update provides additional improvements.

For compatibility reasons with older devices, Samba now allows specifying
an insecure netlogon configuration per machine. See the following link for
examples: https://www.samba.org/samba/security/CVE-2020-1472.html

In addition, this update adds additional server checks for the protocol
attack in the client-specified challenge to provide some protection when
'server schannel = no/auto' and avoid the false-positive results when
running the proof-of-concept exploit.
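As an added example (not Samba's or Ubuntu's code) of auditing the setting this notice discusses, the Python script below parses an smb.conf and reports when "server schannel" is "no" or "auto", i.e. when the secure netlogon channel is not enforced, and lists any per-machine exceptions so they are visible rather than silent. The sample configuration is constructed; the per-machine exception is assumed to be written as a "server require schannel:<account>" key, which is the form this example checks (verify that key name against the linked Samba advisory before relying on it).

```python
"""Audit an smb.conf for the Netlogon secure-channel settings discussed in
USN-4559-1 (CVE-2020-1472).  Added example, not Samba's or Ubuntu's code.
Assumptions: 'server schannel' takes yes/no/auto as the notice states; any
per-machine exception is assumed to be written as a
'server require schannel:<account>' key (form assumed for this example)."""

# Constructed sample smb.conf: a minimal [global] with one machine exception.
SAMPLE_SMB_CONF = """
[global]
   workgroup = EXAMPLE
   server role = active directory domain controller
   ; legacy default; re-enables the downgrade path
   server schannel = auto
   server require schannel:OLDPRINTER$ = no

[netlogon]
   path = /var/lib/samba/sysvol/example.com/scripts
"""


def parse_smb_conf(text):
    """Return {section: {normalised_key: value}}.  Keys are lower-cased with
    internal spaces removed, mirroring smb.conf's loose key matching."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip().lower().replace(" ", "")] = value.strip().lower()
    return sections


def audit_schannel(text):
    """Return a list of findings.  An empty list means secure channel is
    enforced for every machine account."""
    glob = parse_smb_conf(text).get("global", {})
    findings = []
    # A missing key means the patched default ('yes') applies.
    mode = glob.get("serverschannel", "yes (patched default)")
    if mode.startswith(("no", "auto")):
        findings.append(f"server schannel = {mode}: secure netlogon channel not enforced")
    for key, value in glob.items():
        if key.startswith("serverrequireschannel:") and value == "no":
            account = key.split(":", 1)[1]
            findings.append(f"insecure netlogon allowed for machine account {account}")
    return findings


if __name__ == "__main__":
    for finding in audit_schannel(SAMPLE_SMB_CONF):
        print("WARN:", finding)
```

Run it against /etc/samba/smb.conf on each domain controller after applying the update; every exception it lists should correspond to a known legacy device that is scheduled for replacement.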

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS:
samba 2:4.11.6+dfsg-0ubuntu1.5

Ubuntu 18.04 LTS:
samba 2:4.7.6+dfsg~ubuntu-0ubuntu2.20

Ubuntu 16.04 LTS:
samba 2:4.3.11+dfsg-0ubuntu0.16.04.31

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/4559-1
CVE-2020-1472

Package Information:
https://launchpad.net/ubuntu/+source/samba/2:4.11.6+dfsg-0ubuntu1.5
https://launchpad.net/ubuntu/+source/samba/2:4.7.6+dfsg~ubuntu-0ubuntu2.20
https://launchpad.net/ubuntu/+source/samba/2:4.3.11+dfsg-0ubuntu0.16.04.31

[USN-4557-1] Tomcat vulnerabilities

==========================================================================
Ubuntu Security Notice USN-4557-1
September 30, 2020

tomcat6 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in Tomcat.

Software Description:
- tomcat6: Servlet and JSP engine

Details:

It was discovered that the Tomcat realm implementations incorrectly handled
passwords when a username didn't exist. A remote attacker could possibly
use this issue to enumerate usernames. (CVE-2016-0762)

Alvaro Munoz and Alexander Mirosh discovered that Tomcat incorrectly
limited use of a certain utility method. A malicious application could
possibly use this to bypass Security Manager restrictions. (CVE-2016-5018)

It was discovered that Tomcat incorrectly controlled reading system
properties. A malicious application could possibly use this to bypass
Security Manager restrictions. (CVE-2016-6794)

It was discovered that Tomcat incorrectly controlled certain configuration
parameters. A malicious application could possibly use this to bypass
Security Manager restrictions. (CVE-2016-6796)

It was discovered that Tomcat incorrectly limited access to global JNDI
resources. A malicious application could use this to access any global JNDI
resource without an explicit ResourceLink. (CVE-2016-6797)

Regis Leroy discovered that Tomcat incorrectly filtered certain invalid
characters from the HTTP request line. A remote attacker could possibly
use this issue to inject data into HTTP responses. (CVE-2016-6816)

Pierre Ernst discovered that the Tomcat JmxRemoteLifecycleListener did not
implement a recommended fix. A remote attacker could possibly use this
issue to execute arbitrary code. (CVE-2016-8735)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS:
libservlet2.5-java 6.0.45+dfsg-1ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/4557-1
CVE-2016-0762, CVE-2016-5018, CVE-2016-6794, CVE-2016-6796,
CVE-2016-6797, CVE-2016-6816, CVE-2016-8735

Package Information:
https://launchpad.net/ubuntu/+source/tomcat6/6.0.45+dfsg-1ubuntu0.1

[USN-4558-1] libapreq2 vulnerabilities

==========================================================================
Ubuntu Security Notice USN-4558-1
September 30, 2020

libapreq2 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS

Summary:

libapreq2 could be made to crash if it received specially crafted network
traffic.

Software Description:
- libapreq2: a safe, standards-compliant, high-performance library used for
parsing HTTP cookies, query-strings and POST data

Details:

It was discovered that libapreq2 did not properly sanitize the Content-Type
field in certain, crafted HTTP requests. An attacker could use this
vulnerability to cause libapreq2 to crash.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
libapache2-mod-apreq2 2.13-7~deb10u1build0.18.04.1
libapache2-request-perl 2.13-7~deb10u1build0.18.04.1
libapreq2-3 2.13-7~deb10u1build0.18.04.1
libapreq2-dev 2.13-7~deb10u1build0.18.04.1

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/4558-1
CVE-2019-12412

Package Information:
https://launchpad.net/ubuntu/+source/libapreq2/2.13-7~deb10u1build0.18.04.1


Planned Outage - pagure.io - 2020-10-01 08:00 UTC

There will be an outage starting at 2020-10-01 08:00 UTC,
which will last approximately 4 hours.

To convert UTC to your local time, take a look at
http://fedoraproject.org/wiki/Infrastructure/UTCHowto
or run:

date -d '2020-10-01 08:00 UTC'

Reason for outage:

We are moving the service to a new server running RHEL8 and python3.

Affected Services:

pagure.io
pagure.org

Ticket Link:

https://pagure.io/fedora-infrastructure/issue/9355

Please join #fedora-admin or #fedora-noc on irc.freenode.net
or add comments to the ticket for this outage above.
_______________________________________________
announce mailing list -- announce@lists.fedoraproject.org
To unsubscribe send an email to announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/announce@lists.fedoraproject.org

Tuesday, September 29, 2020

F34 Change proposal: DNS Over TLS (System-Wide Change)

https://fedoraproject.org/wiki/Changes/DNS_Over_TLS

== Summary ==
Fedora will attempt to use DNS over TLS (DoT) if supported by
configured DNS servers.

== Owner ==
* Name: [[User:catanzaro|Michael Catanzaro]]
* Email: <mcatanzaro@redhat.com>
* Name: [[User:Zbyszek|Zbigniew Jędrzejewski-Szmek]]
* Email: <zbyszek@in.waw.pl>

== Detailed Description ==

We will build systemd with `-Ddefault-dns-over-tls=opportunistic` to
protect DNS queries against passive network attackers. An active
network attacker can trivially subvert this protection, but we cannot
make DoT mandatory because other operating systems do not do so and
many (or most?) DNS servers do not support it. DoT will only be used
if the configured DNS server supports it and if it is not blocked by
an active network attacker.

Note that DoT is different from DNS over HTTPS (DoH). In particular,
DoT is not an anti-censorship tool like DoH. It does not look like
regular HTTPS traffic, and it can be blocked by network administrators
if desired, so it should not be a problem for corporate networks.


== Benefit to Fedora ==

DNS queries are encrypted and private by default, if the user's ISP
supports DoT. Most probably don't, but users who manually configure a
custom DNS server (e.g. Cloudflare or Google) will automatically
benefit from DNS over TLS.

== Scope ==
* Proposal owners: change meson flags in systemd.spec
* Other developers: N/A (nothing should be required)
* Release engineering: [https://pagure.io/releng/issue/9772 #9772] (a
check of the impact with Release Engineering is needed)
* Policies and guidelines: N/A (nothing should be required)
* Trademark approval: N/A (not needed for this Change)
* Alignment with Objectives: Nope

== Upgrade/compatibility impact ==
DoT will be enabled automatically on upgrade to F34. If DoT is
unsupported, systemd-resolved will fall back to unencrypted DNS, so
there should be no compatibility impact.

== How To Test ==
Load any website in a web browser. If you succeed, then name
resolution probably works.

Try using `resolvectl query fedoraproject.org` to see that resolvectl
still works.

Bonus points: set your DNS server to 1.1.1.1 or 8.8.8.8, then use
Wireshark to see if your DNS is really encrypted or not.

== User Experience ==
Users should not notice any difference in behavior.

== Dependencies ==
No dependencies.

== Contingency Plan ==

* Contingency mechanism: revert the change
* Contingency deadline: can be done at any time, before F34 beta
freeze would be best
* Blocks release? No
* Blocks product? No

== Documentation ==
See the section `DNSOverTLS=` in the manpage `resolved.conf(5)`

== Release Notes ==
systemd-resolved now enables DNS over TLS (DoT) support by default, in
opportunistic mode. DoT will be used only if supported by your DNS
server, and provides only best-effort encryption to protect against
passive network observers. For compatibility with existing DNS
servers, systemd-resolved will fall back to unencrypted DNS if DoT
does not appear to be supported, reducing the security benefit. If you
wish to manually configure systemd-resolved to prevent fallback to
unencrypted DNS, set `DNSOverTLS=yes` in `/etc/systemd/resolved.conf`.
Note that DoT is different from DNS over HTTPS (DoH) in that it does
not use HTTPS and is therefore easy to distinguish from HTTPS traffic.
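As an added example (not systemd's code) tying the Detailed Description and the Release Notes together, the Python function below evaluates the effective DNSOverTLS= mode from a resolved.conf file plus optional drop-ins and states what each mode buys: "opportunistic" encrypts only when the server supports it and can be downgraded by an active attacker, while "yes" refuses the plaintext fallback. The sample files are constructed; the build_default parameter stands in for the compiled-in default that the meson flag sets, and accepting true/false as boolean spellings is an assumption about resolved's parser.

```python
"""Classify the DNS-over-TLS mode of a systemd-resolved configuration, as
described in the F34 DNS Over TLS change.  Added example; not systemd's code.
Assumes resolved.conf(5) syntax: a [Resolve] section whose DNSOverTLS= key
takes yes, opportunistic or no (the values the proposal discusses), with
drop-ins overriding the main file in the usual systemd manner."""
import configparser
from dataclasses import dataclass


@dataclass(frozen=True)
class DotAssessment:
    mode: str            # "yes", "opportunistic" or "no"
    encrypted: bool      # may queries be encrypted at all?
    downgradable: bool   # can an active attacker force plaintext?


# What each mode buys, per the proposal: opportunistic protects against
# passive observers only; 'yes' refuses to fall back to plaintext.
_MODES = {
    "yes": DotAssessment("yes", True, False),
    "opportunistic": DotAssessment("opportunistic", True, True),
    "no": DotAssessment("no", False, True),
}


def assess_dot(main_conf: str, drop_ins=(), build_default="no") -> DotAssessment:
    """Evaluate DNSOverTLS= from the main file plus drop-ins (later wins).
    build_default is the compiled-in default: 'no' upstream, 'opportunistic'
    once Fedora builds with -Ddefault-dns-over-tls=opportunistic."""
    mode = build_default
    for text in (main_conf, *drop_ins):
        cp = configparser.ConfigParser(interpolation=None, strict=False)
        cp.read_string(text)
        value = cp.get("Resolve", "DNSOverTLS", fallback=None)
        if value is not None:
            mode = value.strip().lower()
    # Assumption: resolved's boolean parser also accepts true/false.
    mode = {"true": "yes", "false": "no"}.get(mode, mode)
    if mode not in _MODES:
        raise ValueError(f"unknown DNSOverTLS value: {mode!r}")
    return _MODES[mode]


# Constructed sample files for illustration.
DEFAULT_CONF = "[Resolve]\n#DNSOverTLS=no\n"           # everything commented out
STRICT_DROP_IN = "[Resolve]\nDNS=1.1.1.1\nDNSOverTLS=yes\n"

if __name__ == "__main__":
    print(assess_dot(DEFAULT_CONF, build_default="opportunistic"))
    print(assess_dot(DEFAULT_CONF, [STRICT_DROP_IN], build_default="opportunistic"))
```

The first call models a stock F34 install (compiled-in opportunistic mode, nothing set in the file) and reports that traffic is downgradable; the second shows how a drop-in setting DNSOverTLS=yes removes the fallback, which is the manual step the release note describes.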


--
Ben Cotton
He / Him / His
Senior Program Manager, Fedora & CentOS Stream
Red Hat
TZ=America/Indiana/Indianapolis
_______________________________________________
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org

F34 Change proposal: Debug Info LLDB Index (System-Wide change)

https://fedoraproject.org/wiki/Changes/DebugInfoLldbIndex

== Summary ==
Provide .debug_names debug info index for LLDB for clang-built
binaries using: clang -gdwarf-5 -gpubnames

Debuginfo index significantly accelerates loading of *.debug files by
debugger. Fedora currently provides ELF section .gdb_index for
[https://www.gnu.org/software/gdb/ GDB debugger].
[https://lldb.llvm.org/ LLDB debugger] cannot use .gdb_index (as it is
missing DIE offsets for more effective processing by LLDB) but LLDB
can use .debug_names index.

== Owner ==
* Name: [[User:jankratochvil| Jan Kratochvil ]]
* Email: jan.kratochvil@redhat.com

== Detailed Description ==

There are currently 3 formats of debug info index:

* .gdb_index: It is currently produced in Fedora by GDB
(/usr/bin/gdb-add-index), it is a part of rpmbuild process. It is
compatible with GDB but incompatible with LLDB as it is missing
essential DIE offsets needed by LLDB due to more effective (faster)
reading of DWARF by LLDB.

* .debug_names from GDB (augmentation "GDB\x00"): It can be produced
by GDB (/usr/bin/gdb-add-index -dwarf-5) but its format is
non-conforming to [http://www.dwarfstd.org/doc/DWARF5.pdf DWARF-5
standard]. LLDB expects DWARF-5 standard compliant .debug_names and
therefore it is incompatible with this format. It can be expected GDB
will fix the conformance in the future. Currently GDB .debug_names
format has no advantage over GDB .gdb_index format.

* .debug_names from clang (augmentation "LLVM0700"): It can be
produced by clang (clang -gdwarf-5 -gpubnames) for LLDB. It is
conforming to [http://www.dwarfstd.org/doc/DWARF5.pdf DWARF-5
standard], one can expect GDB will be able to read it in the future.

It would be best to produce the index for GCC-built objects with GDB and
the index for clang-built objects with clang, as compatibility inside the
same toolchain is best tested and supported. Using an index across
toolchains (an index from GDB consumed by LLDB, or an index from clang
consumed by GDB) should theoretically work, but in practice there are
subtle differences in the interpretation of more complicated DWARF
constructs. It would be best to fix those, but that will always be an
afterthought.



== Benefit to Fedora ==
* Faster startup of LLDB debugger using Fedora system *.debug files.

== Scope ==
* Proposal owners: It affects all clang-built packages generating
*-debuginfo.rpm.
* Other developers: none
* Policies and guidelines: All the needed changes should be done in
[https://src.fedoraproject.org/rpms/redhat-rpm-config
redhat-rpm-config
]. The [https://src.fedoraproject.org/rpms/dwz dwz
package] can be then retired.
* Trademark approval: N/A (not needed for this Change)
* Alignment with Objectives: The size differences are only for
*-debuginfo.rpm which is outside of scope of the listed objectives.


Currently the change will affect only packages using:
%global toolchain clang
Those are currently only these packages being built by clang and using
this %toolchain framework: dotnet3.1 libcxxabi mtxclient nheko simde
wine

FIXME: Which other Fedora packages are being built by clang?

== Upgrade/compatibility impact ==
Existing tools not supporting .debug_names will just ignore the
additional ELF section. The only issue is current GDB would get
confused by the clang .debug_names as it expects .debug_names to be in
its incompatible GDB format - FIXME: Provide a GDB bugfix patch.

Also, since each *-debuginfo.rpm has to exactly match the NVRA of its
binary package, the Fedora change compatibility question is not applicable.

== How To Test ==
GDB should not get affected by the new .debug_names index from clang.

LLDB should load Fedora system *.debug files faster. LLDB
functionality should not be affected by the index from clang (that is
a part of LLVM development/testsuite).

"llvm-dwarfdump -debug-names *.debug" should show: Augmentation: 'LLVM0700'
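To make the augmentation-string distinction from the Detailed Description concrete, here is an added example (not code from GDB, LLVM or this proposal) that parses the DWARF-5 .debug_names header layout given in section 6.1.1.4.1 of the standard and reports whether the index was produced by clang ("LLVM0700") or by GDB ("GDB\x00"), which is the same field the llvm-dwarfdump check above displays. The header bytes are constructed in the script, and the little-endian 32-bit DWARF layout is assumed, as for x86-64 objects.

```python
"""Read the header of a DWARF 5 .debug_names section (DWARF 5 sec. 6.1.1.4.1)
and report which producer's augmentation string it carries.  Added example for
the Debug Info LLDB Index proposal; not GDB's, LLDB's or llvm-dwarfdump's code.
The section bytes below are constructed here, not taken from a real file."""
import struct

# Fixed header after the initial length: version, padding, six uword counts,
# then augmentation_string_size.  Little-endian, as in x86-64 objects.
_FIXED = "<HHIIIIIII"


def parse_debug_names_header(data: bytes, offset: int = 0) -> dict:
    """Return the header fields of the name index unit starting at offset."""
    (unit_length,) = struct.unpack_from("<I", data, offset)
    pos = offset + 4
    if unit_length == 0xFFFFFFFF:          # 64-bit DWARF: 8-byte length follows
        (unit_length,) = struct.unpack_from("<Q", data, pos)
        pos += 8
    fields = struct.unpack_from(_FIXED, data, pos)
    pos += struct.calcsize(_FIXED)
    (version, padding, cu_count, local_tu_count, foreign_tu_count,
     bucket_count, name_count, abbrev_table_size, aug_size) = fields
    if version != 5:
        raise ValueError(f"unsupported .debug_names version {version}")
    if aug_size % 4:
        raise ValueError("augmentation_string_size must be a multiple of 4")
    augmentation = data[pos:pos + aug_size]
    return {
        "unit_length": unit_length, "version": version,
        "comp_unit_count": cu_count, "local_type_unit_count": local_tu_count,
        "foreign_type_unit_count": foreign_tu_count,
        "bucket_count": bucket_count, "name_count": name_count,
        "abbrev_table_size": abbrev_table_size,
        "augmentation": augmentation,
    }


def producer_of(augmentation: bytes) -> str:
    """Map the augmentation string to the producer the proposal discusses."""
    if augmentation.startswith(b"LLVM"):
        return "clang (DWARF-5 conforming; usable by LLDB)"
    if augmentation.startswith(b"GDB"):
        return "gdb-add-index -dwarf-5 (GDB's non-conforming variant)"
    return "unknown producer"


def build_sample(augmentation: bytes, cu_count=1, name_count=3) -> bytes:
    """Construct a minimal header (no hash table, names or abbrevs follow)."""
    body = struct.pack(_FIXED, 5, 0, cu_count, 0, 0, 0, name_count, 0,
                       len(augmentation)) + augmentation
    return struct.pack("<I", len(body)) + body


if __name__ == "__main__":
    for aug in (b"LLVM0700", b"GDB\x00"):
        hdr = parse_debug_names_header(build_sample(aug))
        print(hdr["augmentation"], "->", producer_of(hdr["augmentation"]))
```

On a real *.debug file, feed the raw bytes of the .debug_names section (for example as extracted with objcopy or a pyelftools section read) to parse_debug_names_header; a file carrying "GDB\x00" is the case in the Upgrade/compatibility section where current GDB and LLDB disagree about the format.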

== User Experience ==
No user visible change. This affects which tools developers can use.

== Dependencies ==
This Change depends on how [[Changes/DebugInfoStandardization]] is decided.

This Change is dependent on RHEL-5 F-34 feature expected to be filed
by Mark Wielaard.

Mass rebuild is not required. Packages inherited from F-33 will just
miss the LLDB index and LLDB will load them more slowly.

* .debug_names would need to be updated by DWZ but DWZ does not plan
to support .debug_names (according to Mark Wielaard).
** If DWZ is dropped ([[Changes/DebugInfoStandardization]] gets
approved) then clang can normally produce .debug_names for LLDB.
** If DWZ stays in use ([[Changes/DebugInfoStandardization]] gets
rejected) then there are multiple options. LLDB currently cannot
produce .debug_names (only clang can). GDB currently produces
incompatible .debug_names format.
*** [[Changes/DebugInfoStandardization]] should be applied at least
for clang-built packages, preferred by this proposal.
*** There was an idea DWZ would remove .debug_names. That would
effectively reject this Change and make LLVM Toolchain slower due to a
deficiency of the DWZ tool.
*** There isn't anyone willing to implement updating of .debug_names
into DWZ, moreover DWARF-5 standard does not specify a needed format
for combination of both DWZ and .debug_names. Also LLDB currently does
not support the DWZ format anyway.
*** When GDB produces .debug_names compatible with DWARF-5 in the
future it could theoretically produce .debug_names for LLDB. But that
would mean the index for LLDB (and therefore interpretation of DWARF
by LLDB) would be affected by interpretation of DWARF by GDB, that is
a toolchain compatibility nightmare.
* clang produces more effective .debug_names (one per executable; not
one per *.o compilation unit) when using -flto which is
[[LTOByDefault|default since F-33]] now.

== Contingency Plan ==
* Contingency mechanism: Revert the change in
[https://src.fedoraproject.org/rpms/redhat-rpm-config
redhat-rpm-config
]. LLDB can continue loading Fedora system *.debug
files slightly slower.
* Contingency deadline: beta freeze
* Blocks release? No
* Blocks product? N/A

== Documentation ==

* [http://www.dwarfstd.org/doc/DWARF5.pdf DWARF-5] 6.1.1 Lookup by Name




--
Ben Cotton
He / Him / His
Senior Program Manager, Fedora & CentOS Stream
Red Hat
TZ=America/Indiana/Indianapolis

F34 Change proposal: Compress Kernel Firmware (Self-Contained Change)

https://fedoraproject.org/wiki/Changes/CompressKernelFirmware

== Summary ==
Compress Kernel Firmwares to reduce on disk size

== Owner ==
* Name: [[User:pbrobinson| Peter Robinson]]
* Email: [mailto:pbrobinson@fedoraproject.org| pbrobinson@fedoraproject.org]

== Detailed Description ==

Since the Linux 5.3 kernel there has been support for loading firmware
from xz-compressed files. The upstream linux-firmware repository
is now over 900Mb, not including other kernel firmware that is in
Fedora but comes from other sources. By compressing the firmware with
"xz -C crc32", the only option currently supported in the kernel, we
can reduce the on-disk size of the firmware by almost half.
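As an added example (not the linux-firmware copy-firmware script) of the "xz -C crc32" constraint above, the Python below compresses a constructed firmware blob with the CRC32 check and then inspects the xz stream header to tell a CRC32 stream from the CRC64 stream that plain "xz" produces by default; that is the check a packager would run before shipping compressed firmware. The kernel-loadable rule is taken from the proposal's statement that CRC32 is the only check the kernel supports.

```python
"""Check whether an .xz blob uses the CRC32 integrity check, the only xz check
the kernel firmware loader accepts according to the Compress Kernel Firmware
proposal ("xz -C crc32").  Added example; not linux-firmware's own script.
The firmware bytes below are a constructed stand-in."""
import lzma
import struct
import zlib

XZ_MAGIC = b"\xfd7zXZ\x00"
# Check-type IDs carried in the low four bits of the second stream-flags byte.
CHECK_NAMES = {0: "none", 1: "crc32", 4: "crc64", 10: "sha256"}


def xz_check_type(blob: bytes) -> str:
    """Return the check-type name of an .xz stream after validating its header."""
    if blob[:6] != XZ_MAGIC:
        raise ValueError("not an xz stream")
    flags = blob[6:8]
    if flags[0] != 0 or flags[1] & 0xF0:
        raise ValueError("reserved stream-flag bits set")
    # The stream header ends with a CRC32 over the two flag bytes.
    (stored_crc,) = struct.unpack_from("<I", blob, 8)
    if zlib.crc32(flags) != stored_crc:
        raise ValueError("stream-flags CRC mismatch")
    check_id = flags[1] & 0x0F
    return CHECK_NAMES.get(check_id, f"reserved({check_id})")


def kernel_loadable(blob: bytes) -> bool:
    """True only for the xz variant the kernel loader supports (CRC32 check)."""
    return xz_check_type(blob) == "crc32"


def compress_for_kernel(firmware: bytes) -> bytes:
    """Equivalent of 'xz -C crc32': FORMAT_XZ with the CRC32 check."""
    return lzma.compress(firmware, format=lzma.FORMAT_XZ, check=lzma.CHECK_CRC32)


# Constructed stand-in for a firmware image.
SAMPLE_FW = bytes(range(256)) * 64

if __name__ == "__main__":
    good = compress_for_kernel(SAMPLE_FW)
    default = lzma.compress(SAMPLE_FW)   # plain 'xz' defaults to CRC64
    print("crc32 build:", xz_check_type(good), kernel_loadable(good))
    print("default xz:", xz_check_type(default), kernel_loadable(default))
```

Pointing xz_check_type at the .xz files under /lib/firmware gives a quick packaging lint: any file that reports crc64 or sha256 was compressed without -C crc32 and will not load.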

== Benefit to Fedora ==

Reduced on disk size of the firmware used by the kernel.

== Scope ==
* Proposal owners:
** Add support upstream to the linux-firmware copy-firmware script to
compress the firmware and create the symlinks to the compressed
firmware
** Enable the upstream support in the Fedora linux-firmware package to
compress the firmware at build time
** Enable compressing firmware in packages that contain firmware used
by the kernel: eg alsa-sof-firmware, atmel-firmware, zd1211-firmware
** Enable the CONFIG_FW_LOADER_COMPRESS kernel option (long complete)
* Other developers:
** No impact
* Policies and guidelines: N/A (not a System Wide Change)
* Trademark approval: N/A (not needed for this Change)

== Upgrade/compatibility impact ==

There should be no upgrade impact, the support was added to the
generic firmware loader interface in the kernel.

== How To Test ==

Check devices that need firmware still work. Some devices that need
firmware include:
* GPU drivers such as nvidia, AMD and i915
* Wireless drivers such as those from Intel, Broadcom/Cypress, TI,
Qualcomm and Marvell
* Wired network interfaces
* Storage drivers
* USB controllers and drivers

== User Experience ==

Generally users should notice little to no difference.

== Dependencies ==
N/A (not a System Wide Change)

== Contingency Plan ==

* Contingency mechanism: Don't compress kernel firmware
* Contingency deadline: GA
* Blocks release? No.
* Blocks product? No.

== Documentation ==
N/A (not a System Wide Change)

== Release Notes ==
N/A


--
Ben Cotton
He / Him / His
Senior Program Manager, Fedora & CentOS Stream
Red Hat
TZ=America/Indiana/Indianapolis

[USN-4556-1] netqmail vulnerabilities

==========================================================================
Ubuntu Security Notice USN-4556-1
September 29, 2020

netqmail vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

netqmail could be made to crash or run programs as any user (except root) if it
received specially crafted network traffic.

Software Description:
- netqmail: a secure, reliable, efficient, simple message transfer agent

Details:

It was discovered that netqmail did not properly handle certain input. Both
remote and local attackers could use this vulnerability to cause netqmail
to crash or execute arbitrary code. (CVE-2005-1513, CVE-2005-1514,
CVE-2005-1515)

It was discovered that netqmail did not properly handle certain input when
validating email addresses. An attacker could use this to bypass email
address validation. (CVE-2020-3811)

It was discovered that netqmail did not properly handle certain input when
validating email addresses. An attacker could use this vulnerability to
cause netqmail to disclose sensitive information. (CVE-2020-3812)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS:
qmail 1.06-6.2~deb10u1build0.20.04.1
qmail-uids-gids 1.06-6.2~deb10u1build0.20.04.1

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/4556-1
CVE-2005-1513, CVE-2005-1514, CVE-2005-1515, CVE-2020-3811,
CVE-2020-3812

Package Information:
https://launchpad.net/ubuntu/+source/netqmail/1.06-6.2~deb10u1build0.20.04.1


Fedora 33 Beta Release Announcement

Fedora 33 Beta Released
----------------------------------

The Fedora Project is pleased to announce the immediate availability
of Fedora 33 Beta, the next step towards our planned Fedora 33 release
at the end of October.

Download the prerelease from our Get Fedora site:
* Get Fedora 33 Beta Workstation: https://getfedora.org/workstation/download/
* Get Fedora 33 Beta Server: https://getfedora.org/server/download/
* Get Fedora 33 IoT: https://getfedora.org/iot/download/

Or, check out one of our popular variants, including KDE Plasma, Xfce,
and other desktop environments, as well as images for ARM devices:

* Get Fedora 33 Beta Spins: https://spins.fedoraproject.org/prerelease
* Get Fedora 33 Beta Labs: https://labs.fedoraproject.org/prerelease
* Get Fedora 33 Beta ARM: https://arm.fedoraproject.org/prerelease

## Beta Release Highlights

* All of the desktop variants of Fedora 33 Beta will use BTRFS as the
default filesystem.

* Fedora 33 Workstation Beta includes GNOME 3.38

* With Fedora 33 Beta, Fedora IoT is now an official Fedora Edition.

* And more ...

For more details about the release, read the full announcement at

* https://fedoramagazine.org/announcing-the-release-of-fedora-33-beta/

or look for the prerelease pages in the download sections at

* https://getfedora.org/

Since this is a Beta release, we expect that you may encounter bugs or
missing features. To report issues encountered during testing, contact
the Fedora QA team via the test@lists.fedoraproject.org mailing list or
in #fedora-qa on Freenode.

Regards,
Mohan Boddu
Fedora Release Engineering.

Monday, September 28, 2020

[FreeBSD-Announce] Join us for November 2020 FreeBSD Vendor Summit

On behalf of the FreeBSD Core Team and the Vendor Summit Planning
Committee, I'd like to invite you to attend the online 2020 FreeBSD Vendor
Summit. The event will consist of virtual, half day sessions, taking place
November 11-13, 2020. Some of the vendor sessions include talks by ARM,
Beckhoff, Seagate, and more. In addition to vendor talks, discussion
sessions will also be part of the main track. Should interest arise,
separate discussion spaces may be available. If you have a specific topic
you'd like to discuss, please contact devsummit@freebsd.org.

The summit is free to attend, but we ask that you register with the eventbrite
system
<https://www.eventbrite.com/e/november-2020-freebsd-vendor-summit-tickets-121242494565>
(
https://www.eventbrite.com/e/november-2020-freebsd-vendor-summit-tickets-121242494565)
to gain access to the meeting room(s). You can also add yourself to the wiki
<https://wiki.freebsd.org/DevSummit/202011> (
https://wiki.freebsd.org/DevSummit/202011).

The event will be live streamed for those who are interested in watching
but not actively participating, and the sessions will be recorded. More
logistical information and the full schedule will be available soon.

Thanks!
Anne

--
Anne Dickison
Marketing Director
FreeBSD Foundation
_______________________________________________
freebsd-announce@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-announce
To unsubscribe, send any mail to "freebsd-announce-unsubscribe@freebsd.org"

[USN-4547-2] SSVNC vulnerabilities

==========================================================================
Ubuntu Security Notice USN-4547-2
September 28, 2020

ssvnc vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in SSVNC.

Software Description:
- ssvnc: Enhanced TightVNC viewer with SSL/SSH tunnel helper

Details:

It was discovered that the LibVNCClient vendored in SSVNC incorrectly handled
certain packet lengths. A remote attacker could possibly use this issue to
obtain sensitive information, cause a denial of service, or execute arbitrary
code. (CVE-2018-20020, CVE-2018-20021, CVE-2018-20022, CVE-2018-20024)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS:
ssvnc 1.0.29-2+deb8u1build0.16.04.1

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/4547-2
https://usn.ubuntu.com/4547-1
CVE-2018-20020, CVE-2018-20021, CVE-2018-20022, CVE-2018-20024

Package Information:
https://launchpad.net/ubuntu/+source/ssvnc/1.0.29-2+deb8u1build0.16.04.1

--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

[USN-4554-1] libPGF vulnerability

==========================================================================
Ubuntu Security Notice USN-4554-1
September 28, 2020

libpgf vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS

Summary:

libPGF could be made to crash if it opened a specially crafted
file.

Software Description:
- libpgf: Progressive Graphics File (PGF) library

Details:

It was discovered that libPGF lacked proper validation when opening a
specially crafted PGF file. An attacker could possibly use this issue to
cause a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS:
libpgf6 6.14.12-3.1ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/4554-1
CVE-2015-6673

Package Information:
https://launchpad.net/ubuntu/+source/libpgf/6.14.12-3.1ubuntu0.1

[USN-4550-1] DPDK vulnerabilities

==========================================================================
Ubuntu Security Notice USN-4550-1
September 28, 2020

dpdk vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in DPDK.

Software Description:
- dpdk: set of libraries for fast packet processing

Details:

Ryan Hall discovered that DPDK incorrectly handled vhost crypto. An
attacker inside a guest could use these issues to perform multiple attacks,
including denial of service attacks, obtaining sensitive information from
the host, and possibly executing arbitrary code on the host.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS:
dpdk 19.11.3-0ubuntu0.2

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/4550-1
CVE-2020-14374, CVE-2020-14375, CVE-2020-14376, CVE-2020-14377,
CVE-2020-14378

Package Information:
https://launchpad.net/ubuntu/+source/dpdk/19.11.3-0ubuntu0.2

[USN-4551-1] Squid vulnerabilities

==========================================================================
Ubuntu Security Notice USN-4551-1
September 28, 2020

squid3 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in Squid.

Software Description:
- squid3: Web proxy cache server

Details:

Alex Rousskov and Amit Klein discovered that Squid incorrectly handled
certain Content-Length headers. A remote attacker could possibly use this
issue to perform an HTTP request smuggling attack, resulting in cache
poisoning. (CVE-2020-15049)

Amit Klein discovered that Squid incorrectly validated certain data. A
remote attacker could possibly use this issue to perform an HTTP request
smuggling attack, resulting in cache poisoning. (CVE-2020-15810)

Régis Leroy discovered that Squid incorrectly validated certain data. A
remote attacker could possibly use this issue to perform an HTTP request
splitting attack, resulting in cache poisoning. (CVE-2020-15811)

Lubos Uhliarik discovered that Squid incorrectly handled certain Cache
Digest response messages sent by trusted peers. A remote attacker could
possibly use this issue to cause Squid to consume resources, resulting in a
denial of service. (CVE-2020-24606)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
squid 3.5.27-1ubuntu1.9

Ubuntu 16.04 LTS:
squid 3.5.12-1ubuntu7.15

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/4551-1
CVE-2020-15049, CVE-2020-15810, CVE-2020-15811, CVE-2020-24606

Package Information:
https://launchpad.net/ubuntu/+source/squid3/3.5.27-1ubuntu1.9
https://launchpad.net/ubuntu/+source/squid3/3.5.12-1ubuntu7.15

[USN-4552-1] Pam-python vulnerability

==========================================================================
Ubuntu Security Notice USN-4552-1
September 28, 2020

pam-python vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS

Summary:

Pam-python could be made to crash or run programs as an administrator
if certain environment variables are set.

Software Description:
- pam-python: Enables PAM modules to be written in Python

Details:

Malte Kraus discovered that Pam-python mishandled certain environment variables.
A local attacker could potentially use this vulnerability to execute programs
as root.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
libpam-python 1.0.6-1.1+deb10u1build0.18.04.1

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/4552-1
CVE-2019-16729

Package Information:
https://launchpad.net/ubuntu/+source/pam-python/1.0.6-1.1+deb10u1build0.18.04.1


[USN-4553-1] Teeworlds vulnerability

==========================================================================
Ubuntu Security Notice USN-4553-1
September 28, 2020

teeworlds vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

Teeworlds could be made to crash if it received specially crafted network
traffic.

Software Description:
- teeworlds: online multi-player platform 2D shooter

Details:

It was discovered that the Teeworlds server did not properly handle certain
network traffic. A remote, unauthenticated attacker could use this
vulnerability to cause the Teeworlds server to crash.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS:
teeworlds-server 0.7.2-5ubuntu1.1

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/4553-1
CVE-2020-12066

Package Information:
https://launchpad.net/ubuntu/+source/teeworlds/0.7.2-5ubuntu1.1


[USN-4547-1] iTALC vulnerabilities

==========================================================================
Ubuntu Security Notice USN-4547-1
September 28, 2020

italc vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in iTALC.

Software Description:
- italc: didactic tool which allows teachers to view and control computer labs

Details:

It was discovered that an information disclosure vulnerability existed in the
LibVNCServer vendored in iTALC when sending a ServerCutText message. An
attacker could possibly use this issue to expose sensitive information.
(CVE-2019-15681)

It was discovered that the LibVNCServer and LibVNCClient vendored in iTALC
incorrectly handled certain packet lengths. A remote attacker could possibly
use this issue to obtain sensitive information, cause a denial of service, or
execute arbitrary code.
(CVE-2018-15127, CVE-2018-20019, CVE-2018-20020, CVE-2018-20021, CVE-2018-20022,
CVE-2018-20023, CVE-2018-20024, CVE-2018-20748, CVE-2018-20749, CVE-2018-20750,
CVE-2018-7225, CVE-2019-15681)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
italc-client 1:3.0.3+dfsg1-3ubuntu0.1
italc-master 1:3.0.3+dfsg1-3ubuntu0.1
libitalccore 1:3.0.3+dfsg1-3ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/4547-1
CVE-2018-15127, CVE-2018-20019, CVE-2018-20020, CVE-2018-20021,
CVE-2018-20022, CVE-2018-20023, CVE-2018-20024, CVE-2018-20748,
CVE-2018-20749, CVE-2018-20750, CVE-2018-7225, CVE-2019-15681

Package Information:
https://launchpad.net/ubuntu/+source/italc/1:3.0.3+dfsg1-3ubuntu0.1


[USN-4548-1] libuv vulnerability

==========================================================================
Ubuntu Security Notice USN-4548-1
September 28, 2020

libuv1 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

libuv could be made to crash or execute arbitrary code if it received a specially
crafted path.

Software Description:
- libuv1: asynchronous event notification library - runtime library

Details:

It was discovered that libuv incorrectly handled certain paths.
An attacker could possibly use this issue to cause a crash or execute
arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS:
libuv1 1.34.2-1ubuntu1.1

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
https://usn.ubuntu.com/4548-1
CVE-2020-8252

Package Information:
https://launchpad.net/ubuntu/+source/libuv1/1.34.2-1ubuntu1.1

[USN-4549-1] ImageMagick vulnerabilities

==========================================================================
Ubuntu Security Notice USN-4549-1
September 28, 2020

imagemagick vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

ImageMagick could be made to crash if it opened a specially crafted
file.

Software Description:
- imagemagick: Image manipulation programs and library

Details:

It was discovered that ImageMagick incorrectly handled certain specially
crafted image files. If a user or automated system using ImageMagick were
tricked into opening a specially crafted image, an attacker could exploit
this to cause a denial of service or other unspecified impact.
(CVE-2019-19948, CVE-2019-19949)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS:
imagemagick 8:6.9.10.23+dfsg-2.1ubuntu11.1
imagemagick-6.q16 8:6.9.10.23+dfsg-2.1ubuntu11.1
libmagick++-6.q16-8 8:6.9.10.23+dfsg-2.1ubuntu11.1
libmagickcore-6.q16-6 8:6.9.10.23+dfsg-2.1ubuntu11.1

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/4549-1
CVE-2019-19948, CVE-2019-19949

Package Information:
https://launchpad.net/ubuntu/+source/imagemagick/8:6.9.10.23+dfsg-2.1ubuntu11.1

[NO ACTION REQUIRED] ELN Module Enablement


We wanted to send out a heads-up to let folks know that once Infrastructure
Freeze is lifted this week, we will be enabling modular builds for Fedora ELN.
Once this happens, `platform:eln` will become available as a target for module
builds. For anyone building packages with a BuildRequires of `platform: []`,
building for ELN will happen automatically. If you have an explicit set of
releases you build for, this will be unaffected.

If your modules begin building for ELN, please ignore any output from the
build-system at this time. We are working on infrastructure to enable
automatic rebuilding of the `platform:rawhide` content only when a module
is part of the explicit ELN set, but that portion of the tooling is not yet
available at this time.

* YOU DO NOT NEED TO ADDRESS ISSUES IN ELN MODULES AT THIS TIME *

Our first step here is to ensure that the pipeline is working properly. The
module maintainers are not on the hook at this time for addressing ELN-
specific issues. You also do not need to modify your build scripts to either
explicitly include or exclude ELN builds. Once the tooling becomes more
advanced, you will no longer see ELN builds unless the module in question is
explicitly intended for inclusion.
_______________________________________________
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org

[USN-3968-3] Sudo vulnerabilities

==========================================================================
Ubuntu Security Notice USN-3968-3
September 28, 2020

sudo vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 ESM

Summary:

Several security issues were fixed in Sudo.

Software Description:
- sudo: Provide limited super user privileges to specific users

Details:

USN-3968-1 fixed several vulnerabilities in Sudo. This update provides
the corresponding update for Ubuntu 14.04 ESM.

Original advisory details:

Florian Weimer discovered that Sudo incorrectly handled the noexec
restriction when used with certain applications. A local attacker could
possibly use this issue to bypass configured restrictions and execute
arbitrary commands. (CVE-2016-7076, CVE-2016-7032)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 ESM:
sudo 1.8.9p5-1ubuntu1.5+esm5
sudo-ldap 1.8.9p5-1ubuntu1.5+esm5

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/3968-3
https://usn.ubuntu.com/3968-1
CVE-2016-7032, CVE-2016-7076

[USN-4546-1] Firefox vulnerabilities

==========================================================================
Ubuntu Security Notice USN-4546-1
September 28, 2020

firefox vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Firefox could be made to crash or run programs as your login if it
opened a malicious website.

Software Description:
- firefox: Mozilla Open Source web browser

Details:

Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, conduct cross-site
scripting (XSS) attacks, spoof the site displayed in the download dialog,
or execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS:
firefox 81.0+build2-0ubuntu0.20.04.1

Ubuntu 18.04 LTS:
firefox 81.0+build2-0ubuntu0.18.04.1

Ubuntu 16.04 LTS:
firefox 81.0+build2-0ubuntu0.16.04.1

After a standard system update you need to restart Firefox to make
all the necessary changes.

References:
https://usn.ubuntu.com/4546-1
CVE-2020-15673, CVE-2020-15674, CVE-2020-15675, CVE-2020-15676,
CVE-2020-15677, CVE-2020-15678

Package Information:
https://launchpad.net/ubuntu/+source/firefox/81.0+build2-0ubuntu0.20.04.1
https://launchpad.net/ubuntu/+source/firefox/81.0+build2-0ubuntu0.18.04.1
https://launchpad.net/ubuntu/+source/firefox/81.0+build2-0ubuntu0.16.04.1

Saturday, September 26, 2020

f33 latest build issues

Greetings.

Since Fedora 33 Beta was GO on Thursday, and after tagging all the beta
rpms, releng pushed all the pending f33 stable updates.

However, this resulted in some issues where an older build was pushed
after a newer one and used. This can happen when an update already is
pending stable, and another update is created and bodhi is unable to
obsolete the old update. Then they both go stable and it's chance which
one "wins".

I've cleaned up these issues. Here is the full list:

catatonit-0.1.5-1.fc33 < catatonit-0.1.5-3.fc33
retagged catatonit-0.1.5-3.fc33 to f33
fabtests-1.11.0-1.fc33 < fabtests-1.11.0rc2-1.fc33
retagged fabtests-1.11.0rc2-1.fc33 to f33
google-api-python-client-1.10.1-1.fc33 < google-api-python-client-1.6.7-13.fc33
retagged google-api-python-client-1.6.7-13.fc33 to f33
igt-gpu-tools-1.25-1.20200818git4e5f76b.fc33 < igt-gpu-tools-1.25-2.20200719git9b964d7.fc33
retagged igt-gpu-tools-1.25-2.20200719git9b964d7.fc33 to f33
libfabric-1.11.0-1.fc33 < libfabric-1.11.0rc2-1.fc33
retagged libfabric-1.11.0rc2-1.fc33 to f33
magic-8.3.50-1.fc33 < magic-8.3.54-1.fc33
retagged magic-8.3.54-1.fc33 to f33
ocaml-lacaml-9.3.2-24.fc33 < ocaml-lacaml-9.3.2-25.fc33.1
retagged ocaml-lacaml-9.3.2-25.fc33.1 to f33
ovn-20.06.2-3.fc33 < ovn-20.06.2-4.fc33
retagged ovn-20.06.2-4.fc33 to f33
php-horde-Horde-Core-2.31.15-1.fc33 < php-horde-Horde-Core-2.31.16-1.fc33
retagged php-horde-Horde-Core-2.31.16-1.fc33 to f33
php-nrk-Predis-1.1.4-1.fc33 < php-nrk-Predis-1.1.6-1.fc33
retagged php-nrk-Predis-1.1.6-1.fc33 to f33
plplot-5.15.0-19.fc33 < plplot-5.15.0-19.fc33.1
retagged plplot-5.15.0-19.fc33.1 to f33
pywbem-0.14.6-6.fc33 < pywbem-1.0.1-1.fc33
retagged pywbem-1.0.1-1.fc33 to f33
qt-creator-4.13.1-1.fc33 < qt-creator-4.13.1-2.fc33
retagged qt-creator-4.13.1-2.fc33 to f33
qt5-qtwebengine-5.15.0-4.fc33 < qt5-qtwebengine-5.15.1-1.fc33
retagged qt5-qtwebengine-5.15.1-1.fc33 to f33
qt5-qtwebkit-5.212.0-0.51.alpha4.fc33 < qt5-qtwebkit-5.212.0-0.52.alpha4.fc33
retagged qt5-qtwebkit-5.212.0-0.52.alpha4.fc33 to f33
slirp4netns-1.1.4-1.fc33 < slirp4netns-1.1.4-4.dev.giteecccdb.fc33
retagged slirp4netns-1.1.4-4.dev.giteecccdb.fc33 to f33
stdair-1.00.10-5.fc33 < stdair-1.00.10-6.fc33
retagged stdair-1.00.10-6.fc33 to f33
sympa-6.2.56-2.fc33 < sympa-6.2.56-2.fc33.1
retagged sympa-6.2.56-2.fc33.1 to f33
systemd-246.3-1.fc33 < systemd-246.4-2.fc33
retagged systemd-246.4-2.fc33 to f33
uboot-tools-2020.10-0.3.rc2.fc33 < uboot-tools-2020.10-0.4.rc4.fc33
retagged uboot-tools-2020.10-0.4.rc4.fc33 to f33
video-downloader-0.5.5-1.fc33 < video-downloader-0.5.6-1.fc33
retagged video-downloader-0.5.6-1.fc33 to f33
yacreader-9.7.0-1.fc33 < yacreader-9.7.1-1.fc33
retagged yacreader-9.7.1-1.fc33 to f33

Hopefully bodhi will grow the ability to stop this from happening in
future milestones.

kevin
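As an added check, not part of Kevin's mail or of Fedora's tooling, the Python below reimplements the rpmvercmp ordering RPM uses for version and release strings and replays a list of builds in tag order to flag any package whose most recently tagged build is lower than one tagged earlier. The tag order and the packages foo and bar are constructed, and it assumes the last build tagged is the one koji serves as latest.

```python
import re

# Tokens rpmvercmp compares: digit runs, alpha runs, and the '~' / '^'
# pre-/post-release markers. Everything else ('.', '-', '+') is a separator.
_SEG = re.compile(r"[0-9]+|[A-Za-z]+|[~^]")


def rpmvercmp(a: str, b: str) -> int:
    """Order two RPM version (or release) strings like librpm's rpmvercmp().

    Returns -1, 0 or 1. Numeric segments beat alphabetic ones and compare by
    value, '~' sorts below everything (pre-release), '^' sorts above the base
    version but below a further segment, and when one string is a prefix of
    the other the longer one wins (so "1.11.0rc2" is newer than "1.11.0").
    """
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for i in range(max(len(sa), len(sb))):
        x = sa[i] if i < len(sa) else None
        y = sb[i] if i < len(sb) else None
        # '~' is lower than even the end of the string
        if x == "~" or y == "~":
            if x == y:
                continue
            return -1 if x == "~" else 1
        # '^' is higher than the end of the string but lower than a real segment
        if x == "^" or y == "^":
            if x == y:
                continue
            if x is None:
                return -1
            if y is None:
                return 1
            return 1 if y == "^" else -1
        # one side ran out of segments: the side with leftovers is newer
        if x is None or y is None:
            return -1 if x is None else 1
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    return 0


def parse_nevr(nevr: str):
    """Split 'name-[epoch:]version-release' into (name, epoch, version, release)."""
    name, version, release = nevr.rsplit("-", 2)
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    return name, epoch, version, release


def compare_nevr(a: str, b: str) -> int:
    """Full NEVR ordering: epoch first, then version, then release."""
    na, ea, va, ra = parse_nevr(a)
    nb, eb, vb, rb = parse_nevr(b)
    if na != nb:
        raise ValueError(f"different packages: {na} vs {nb}")
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def find_tag_regressions(tag_events):
    """Replay builds in the order they were tagged and report every package
    whose most recently tagged build is not its highest NEVR, as
    (build_now_latest, build_that_should_be_latest) pairs."""
    last, highest = {}, {}
    for nevr in tag_events:
        name = parse_nevr(nevr)[0]
        last[name] = nevr
        if name not in highest or compare_nevr(nevr, highest[name]) > 0:
            highest[name] = nevr
    return [(last[n], highest[n]) for n in last if last[n] != highest[n]]


# Constructed tag order (not real koji history): the first three pairs reuse
# NEVRs from the mail above; foo and bar are made up to show '~' and epoch.
TAG_EVENTS = [
    "catatonit-0.1.5-3.fc33", "catatonit-0.1.5-1.fc33",
    "systemd-246.4-2.fc33", "systemd-246.3-1.fc33",
    "fabtests-1.11.0rc2-1.fc33", "fabtests-1.11.0-1.fc33",  # trailing "rc2" sorts higher
    "foo-1.0~rc1-1.fc33", "foo-1.0-1.fc33",                  # '~' pre-release: no regression
    "bar-1:1.2-1.fc33", "bar-2.0-1.fc33",                    # epoch 1 outranks version 2.0
]

if __name__ == "__main__":
    for older, newer in find_tag_regressions(TAG_EVENTS):
        print(f"{older} < {newer}")
        print(f"retag {newer} to f33")
```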

Updated Debian 10: 10.6 released

------------------------------------------------------------------------
The Debian Project https://www.debian.org/
Updated Debian 10: 10.6 released press@debian.org
September 26th, 2020 https://www.debian.org/News/2020/20200926
------------------------------------------------------------------------


The Debian project is pleased to announce the sixth update of its stable
distribution Debian 10 (codename "buster"). This point release mainly
adds corrections for security issues, along with a few adjustments for
serious problems. Security advisories have already been published
separately and are referenced where available.

Please note that the point release does not constitute a new version of
Debian 10 but only updates some of the packages included. There is no
need to throw away old "buster" media. After installation, packages can
be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have
to update many packages, and most such updates are included in the point
release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by
pointing the package management system at one of Debian's many HTTP
mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list



Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages.

Note that, due to build issues, the updates for the cargo, rustc and
rustc-bindgen packages are currently not available for the "armel"
architecture. They may be added at a later date if the issues are
resolved.

+--------------------------+------------------------------------------+
| Package | Reason |
+--------------------------+------------------------------------------+
| arch-test [1] | Fix detection of s390x sometimes failing |
| | |
| asterisk [2] | Fix crash when negotiating for T.38 with |
| | a declined stream [CVE-2019-15297], |
| | "SIP request can change address of a SIP |
| | peer" [CVE-2019-18790], "AMI user |
| | could execute system |
| | commands" [CVE-2019-18610], segfault in |
| | pjsip show history with IPv6 peers |
| | |
| bacula [3] | Fix "oversized digest strings allow a |
| | malicious client to cause a heap |
| | overflow in the director's |
| | memory" [CVE-2020-11061] |
| | |
| base-files [4] | Update /etc/debian_version for the point |
| | release |
| | |
| calamares-settings- | Disable displaymanager module |
| debian [5] | |
| | |
| cargo [6] | New upstream release, to support |
| | upcoming Firefox ESR versions |
| | |
| chocolate-doom [7] | Fix missing validation [CVE-2020-14983] |
| | |
| chrony [8] | Prevent symlink race when writing to the |
| | PID file [CVE-2020-14367]; fix |
| | temperature reading |
| | |
| debian-installer [9] | Update Linux ABI to 4.19.0-11 |
| | |
| debian-installer- | Rebuild against proposed-updates |
| netboot-images [10] | |
| | |
| diaspora-installer [11] | Use --frozen option to bundle install to |
| | use upstream Gemfile.lock; don't exclude |
| | Gemfile.lock during upgrades; don't |
| | overwrite config/oidc_key.pem during |
| | upgrades; make config/schedule.yml |
| | writeable |
| | |
| dojo [12] | Fix prototype pollution in deepCopy |
| | method [CVE-2020-5258] and in jqMix |
| | method [CVE-2020-5259] |
| | |
| dovecot [13] | Fix dsync sieve filter sync regression; |
| | fix handling of getpwent result in |
| | userdb-passwd |
| | |
| facter [14] | Change Google GCE Metadata endpoint from |
| | "v1beta1" to "v1" |
| | |
| gnome-maps [15] | Fix an issue with misaligned shape layer |
| | rendering |
| | |
| gnome-shell [16] | LoginDialog: Reset auth prompt on VT |
| | switch before fade in [CVE-2020-17489] |
| | |
| gnome-weather [17] | Prevent a crash when the configured set |
| | of locations are invalid |
| | |
| grunt [18] | Use safeLoad when loading YAML files |
| | [CVE-2020-7729] |
| | |
| gssdp [19] | New upstream stable release |
| | |
| gupnp [20] | New upstream stable release; prevent the |
| | "CallStranger" attack [CVE-2020-12695]; |
| | require GSSDP 1.0.5 |
| | |
| haproxy [21] | logrotate.conf: use rsyslog helper |
| | instead of SysV init script; reject |
| | messages where "chunked" is missing |
| | from Transfer-Encoding [CVE-2019-18277] |
| | |
| icinga2 [22] | Fix symlink attack [CVE-2020-14004] |
| | |
| incron [23] | Fix cleanup of zombie processes |
| | |
| inetutils [24] | Fix remote code execution issue |
| | [CVE-2020-10188] |
| | |
| libcommons-compress- | Fix denial of service issue [CVE-2019- |
| java [25] | 12402] |
| | |
| libdbi-perl [26] | Fix memory corruption in XS functions |
| | when Perl stack is reallocated |
| | [CVE-2020-14392]; fix a buffer overflow |
| | on an overlong DBD class name [CVE-2020- |
| | 14393]; fix a NULL profile dereference |
| | in dbi_profile() [CVE-2019-20919] |
| | |
| libvncserver [27] | libvncclient: bail out if UNIX socket |
| | name would overflow [CVE-2019-20839]; |
| | fix pointer aliasing/alignment issue |
| | [CVE-2020-14399]; limit max textchat |
| | size [CVE-2020-14405]; libvncserver: add |
| | missing NULL pointer checks [CVE-2020- |
| | 14397]; fix pointer aliasing/alignment |
| | issue [CVE-2020-14400]; scale: cast to |
| | 64 bit before shifting [CVE-2020-14401]; |
| | prevent OOB accesses [CVE-2020-14402 |
| | CVE-2020-14403 CVE-2020-14404] |
| | |
| libx11 [28] | Fix integer overflows [CVE-2020-14344 |
| | CVE-2020-14363] |
| | |
| lighttpd [29] | Backport several usability and security |
| | fixes |
| | |
| linux [30] | New upstream stable release; increase |
| | ABI to 11 |
| | |
| linux-latest [31] | Update for -11 Linux kernel ABI |
| | |
| linux-signed-amd64 [32] | New upstream stable release |
| | |
| linux-signed-arm64 [33] | New upstream stable release |
| | |
| linux-signed-i386 [34] | New upstream stable release |
| | |
| llvm-toolchain-7 [35] | New upstream release, to support |
| | upcoming Firefox ESR versions; fix bugs |
| | affecting rustc build |
| | |
| lucene-solr [36] | Fix security issue in DataImportHandler |
| | configuration handling [CVE-2019-0193] |
| | |
| milkytracker [37] | Fix heap overflow [CVE-2019-14464], |
| | stack overflow [CVE-2019-14496], heap |
| | overflow [CVE-2019-14497], use after |
| | free [CVE-2020-15569] |
| | |
| node-bl [38] | Fix over-read vulnerability [CVE-2020- |
| | 8244] |
| | |
| node-elliptic [39] | Prevent malleability and overflows |
| | [CVE-2020-13822] |
| | |
| node-mysql [40] | Add localInfile option to control LOAD |
| | DATA LOCAL INFILE [CVE-2019-14939] |
| | |
| node-url-parse [41] | Fix insufficient validation and |
| | sanitization of user input [CVE-2020- |
| | 8124] |
| | |
| npm [42] | Don't show password in logs [CVE-2020- |
| | 15095] |
| | |
| orocos-kdl [43] | Remove explicit inclusion of default |
| | include path, fixing issues with cmake < |
| | 3.16 |
| | |
| postgresql-11 [44] | New upstream stable release; set a |
| | secure search_path in logical |
| | replication walsenders and apply workers |
| | [CVE-2020-14349]; make contrib modules' |
| | installation scripts more secure |
| | [CVE-2020-14350] |
| | |
| postgresql-common [45] | Don't drop plpgsql before testing |
| | extensions |
| | |
| pyzmq [46] | Asyncio: wait for POLLOUT on sender in |
| | can_connect |
| | |
| qt4-x11 [47] | Fix buffer overflow in XBM parser |
| | [CVE-2020-17507] |
| | |
| qtbase-opensource- | Fix buffer overflow in XBM parser |
| src [48] | [CVE-2020-17507]; fix clipboard breaking |
| | when timer wraps after 50 days |
| | |
| ros-actionlib [49] | Load YAML safely [CVE-2020-10289] |
| | |
| rustc [50] | New upstream release, to support |
| | upcoming Firefox ESR versions |
| | |
| rust-cbindgen [51] | New upstream release, to support |
| | upcoming Firefox ESR versions |
| | |
| ruby-ronn [52] | Fix handling of UTF-8 content in |
| | manpages |
| | |
| s390-tools [53] | Hardcode perl dependency instead of |
| | using ${perl:Depends}, fixing |
| | installation under debootstrap |
| | |
+--------------------------+------------------------------------------+

1: https://packages.debian.org/src:arch-test
2: https://packages.debian.org/src:asterisk
3: https://packages.debian.org/src:bacula
4: https://packages.debian.org/src:base-files
5: https://packages.debian.org/src:calamares-settings-debian
6: https://packages.debian.org/src:cargo
7: https://packages.debian.org/src:chocolate-doom
8: https://packages.debian.org/src:chrony
9: https://packages.debian.org/src:debian-installer
10: https://packages.debian.org/src:debian-installer-netboot-images
11: https://packages.debian.org/src:diaspora-installer
12: https://packages.debian.org/src:dojo
13: https://packages.debian.org/src:dovecot
14: https://packages.debian.org/src:facter
15: https://packages.debian.org/src:gnome-maps
16: https://packages.debian.org/src:gnome-shell
17: https://packages.debian.org/src:gnome-weather
18: https://packages.debian.org/src:grunt
19: https://packages.debian.org/src:gssdp
20: https://packages.debian.org/src:gupnp
21: https://packages.debian.org/src:haproxy
22: https://packages.debian.org/src:icinga2
23: https://packages.debian.org/src:incron
24: https://packages.debian.org/src:inetutils
25: https://packages.debian.org/src:libcommons-compress-java
26: https://packages.debian.org/src:libdbi-perl
27: https://packages.debian.org/src:libvncserver
28: https://packages.debian.org/src:libx11
29: https://packages.debian.org/src:lighttpd
30: https://packages.debian.org/src:linux
31: https://packages.debian.org/src:linux-latest
32: https://packages.debian.org/src:linux-signed-amd64
33: https://packages.debian.org/src:linux-signed-arm64
34: https://packages.debian.org/src:linux-signed-i386
35: https://packages.debian.org/src:llvm-toolchain-7
36: https://packages.debian.org/src:lucene-solr
37: https://packages.debian.org/src:milkytracker
38: https://packages.debian.org/src:node-bl
39: https://packages.debian.org/src:node-elliptic
40: https://packages.debian.org/src:node-mysql
41: https://packages.debian.org/src:node-url-parse
42: https://packages.debian.org/src:npm
43: https://packages.debian.org/src:orocos-kdl
44: https://packages.debian.org/src:postgresql-11
45: https://packages.debian.org/src:postgresql-common
46: https://packages.debian.org/src:pyzmq
47: https://packages.debian.org/src:qt4-x11
48: https://packages.debian.org/src:qtbase-opensource-src
49: https://packages.debian.org/src:ros-actionlib
50: https://packages.debian.org/src:rustc
51: https://packages.debian.org/src:rust-cbindgen
52: https://packages.debian.org/src:ruby-ronn
53: https://packages.debian.org/src:s390-tools

Security Updates
----------------

This revision adds the following security updates to the stable release.
The Security Team has already released an advisory for each of these
updates:

+----------------+--------------------+
| Advisory ID    | Package            |
+----------------+--------------------+
| DSA-4662 [54]  | openjdk-11 [55]    |
| DSA-4734 [56]  | openjdk-11 [57]    |
| DSA-4736 [58]  | firefox-esr [59]   |
| DSA-4737 [60]  | xrdp [61]          |
| DSA-4738 [62]  | ark [63]           |
| DSA-4739 [64]  | webkit2gtk [65]    |
| DSA-4740 [66]  | thunderbird [67]   |
| DSA-4741 [68]  | json-c [69]        |
| DSA-4742 [70]  | firejail [71]      |
| DSA-4743 [72]  | ruby-kramdown [73] |
| DSA-4744 [74]  | roundcube [75]     |
| DSA-4745 [76]  | dovecot [77]       |
| DSA-4746 [78]  | net-snmp [79]      |
| DSA-4747 [80]  | icingaweb2 [81]    |
| DSA-4748 [82]  | ghostscript [83]   |
| DSA-4749 [84]  | firefox-esr [85]   |
| DSA-4750 [86]  | nginx [87]         |
| DSA-4751 [88]  | squid [89]         |
| DSA-4752 [90]  | bind9 [91]         |
| DSA-4753 [92]  | mupdf [93]         |
| DSA-4754 [94]  | thunderbird [95]   |
| DSA-4755 [96]  | openexr [97]       |
| DSA-4756 [98]  | lilypond [99]      |
| DSA-4757 [100] | apache2 [101]      |
| DSA-4758 [102] | xorg-server [103]  |
| DSA-4759 [104] | ark [105]          |
| DSA-4760 [106] | qemu [107]         |
| DSA-4761 [108] | zeromq3 [109]      |
| DSA-4762 [110] | lemonldap-ng [111] |
| DSA-4763 [112] | teeworlds [113]    |
| DSA-4764 [114] | inspircd [115]     |
| DSA-4765 [116] | modsecurity [117]  |
+----------------+--------------------+

54: https://www.debian.org/security/2020/dsa-4662
55: https://packages.debian.org/src:openjdk-11
56: https://www.debian.org/security/2020/dsa-4734
57: https://packages.debian.org/src:openjdk-11
58: https://www.debian.org/security/2020/dsa-4736
59: https://packages.debian.org/src:firefox-esr
60: https://www.debian.org/security/2020/dsa-4737
61: https://packages.debian.org/src:xrdp
62: https://www.debian.org/security/2020/dsa-4738
63: https://packages.debian.org/src:ark
64: https://www.debian.org/security/2020/dsa-4739
65: https://packages.debian.org/src:webkit2gtk
66: https://www.debian.org/security/2020/dsa-4740
67: https://packages.debian.org/src:thunderbird
68: https://www.debian.org/security/2020/dsa-4741
69: https://packages.debian.org/src:json-c
70: https://www.debian.org/security/2020/dsa-4742
71: https://packages.debian.org/src:firejail
72: https://www.debian.org/security/2020/dsa-4743
73: https://packages.debian.org/src:ruby-kramdown
74: https://www.debian.org/security/2020/dsa-4744
75: https://packages.debian.org/src:roundcube
76: https://www.debian.org/security/2020/dsa-4745
77: https://packages.debian.org/src:dovecot
78: https://www.debian.org/security/2020/dsa-4746
79: https://packages.debian.org/src:net-snmp
80: https://www.debian.org/security/2020/dsa-4747
81: https://packages.debian.org/src:icingaweb2
82: https://www.debian.org/security/2020/dsa-4748
83: https://packages.debian.org/src:ghostscript
84: https://www.debian.org/security/2020/dsa-4749
85: https://packages.debian.org/src:firefox-esr
86: https://www.debian.org/security/2020/dsa-4750
87: https://packages.debian.org/src:nginx
88: https://www.debian.org/security/2020/dsa-4751
89: https://packages.debian.org/src:squid
90: https://www.debian.org/security/2020/dsa-4752
91: https://packages.debian.org/src:bind9
92: https://www.debian.org/security/2020/dsa-4753
93: https://packages.debian.org/src:mupdf
94: https://www.debian.org/security/2020/dsa-4754
95: https://packages.debian.org/src:thunderbird
96: https://www.debian.org/security/2020/dsa-4755
97: https://packages.debian.org/src:openexr
98: https://www.debian.org/security/2020/dsa-4756
99: https://packages.debian.org/src:lilypond
100: https://www.debian.org/security/2020/dsa-4757
101: https://packages.debian.org/src:apache2
102: https://www.debian.org/security/2020/dsa-4758
103: https://packages.debian.org/src:xorg-server
104: https://www.debian.org/security/2020/dsa-4759
105: https://packages.debian.org/src:ark
106: https://www.debian.org/security/2020/dsa-4760
107: https://packages.debian.org/src:qemu
108: https://www.debian.org/security/2020/dsa-4761
109: https://packages.debian.org/src:zeromq3
110: https://www.debian.org/security/2020/dsa-4762
111: https://packages.debian.org/src:lemonldap-ng
112: https://www.debian.org/security/2020/dsa-4763
113: https://packages.debian.org/src:teeworlds
114: https://www.debian.org/security/2020/dsa-4764
115: https://packages.debian.org/src:inspircd
116: https://www.debian.org/security/2020/dsa-4765
117: https://packages.debian.org/src:modsecurity

Debian Installer
----------------

The installer has been updated to include the fixes incorporated into
stable by the point release.


URLs
----

The complete lists of packages that have changed with this revision:

http://ftp.debian.org/debian/dists/buster/ChangeLog


The current stable distribution:

http://ftp.debian.org/debian/dists/stable/


Proposed updates to the stable distribution:

http://ftp.debian.org/debian/dists/proposed-updates


stable distribution information (release notes, errata etc.):

https://www.debian.org/releases/stable/


Security announcements and information:

https://www.debian.org/security/


About Debian
------------

The Debian Project is an association of Free Software developers who
volunteer their time and effort in order to produce the completely free
operating system Debian.


Contact Information
-------------------

For further information, please visit the Debian web pages at
https://www.debian.org/, send mail to <press@debian.org>, or contact the
stable release team at <debian-release@lists.debian.org>.