Wednesday, March 31, 2021

F35 Change proposal: RPM 4.17 (System-Wide Change proposal)

https://fedoraproject.org/wiki/Changes/RPM-4.17

== Summary ==
Update RPM to the [https://rpm.org/wiki/Releases/4.17.0 4.17] release.

== Owner ==
* Name: [[User:pmatilai|Panu Matilainen]]
* Email: [pmatilai@redhat.com]


== Detailed Description ==
RPM 4.17 contains numerous improvements over previous versions:
* More robust install failure handling
* Many macro improvements, in particular much improved Lua integration
* Strict checking for unpackaged content in builds
* Libraries no longer need executable permission for dependency
generation, and the permission is automatically removed from non-executable libraries
* Long-needed transaction API enhancements
* Improved documentation

* Tentative (planned but not committed as of this writing)
** Split debugedit to its own project and package
** Split language-specific packaging aids to separate projects
(Python, Perl, Ocaml...)
** Dynamic spec generation

The plan is to get 4.17-alpha into rawhide as early as possible
(during April) to sort out any initial rough edges long before the
general feature deadline rush. The final version is expected to be
released well before the F35 beta.


== Benefit to Fedora ==
See the description for overall benefits, but in particular:
* All users benefit from the more robust installation
* Packaging sanity with respect to libraries
* Macro authors will have a much saner experience creating complex macros in Lua
* DNF benefits from the enhanced transaction APIs

== Scope ==
* Proposal owners:
** Rebase RPM
** Assist with dealing with incompatibilities

* Other developers:
** Test new release, report issues and bugs
** Adjust packaging to adhere to the strict buildroot content checking

* Release engineering: [https://pagure.io/releng/issue/10072 #10072]

* Policies and guidelines:
** The guidelines say nothing about unpackaged content in the buildroot, so
they do not necessarily need updating. Many packages will fail to build
because of the stricter checking though: with rpm >= 4.17 unpackaged
content is not permitted in the buildroot at all.
** Libraries no longer need to be executable for dependency
generation, and the executable bit will in fact be removed if invalidly
set on a library. The guidelines only have a vague "executable if
appropriate" mention, so they do not *need* changing but could now be
clarified/tightened if desired.
* Trademark approval: N/A (not needed for this Change)
* Alignment with Objectives: no relation to current objectives

== Upgrade/compatibility impact ==
* Many existing packages will fail to build due to the stricter
buildroot content checking. Fixing this in the packaging is always
backwards compatible. We could temporarily set
`%_unpackaged_files_terminate_build 0` in rawhide to alleviate initial
impact if necessary.
* Rpm no longer implicitly creates databases on read-only access; this
may require changes to existing scripts/tooling. Ensuring that mock/dnf
work is a prerequisite to landing this change in rawhide, and will
be handled, one way or the other, by the rpm maintainers.

== How To Test ==
Rpm receives thorough and constant testing through every single package
build, system install and update. New features can be tested
specifically as per their documentation.

== User Experience ==
The user-experience remains largely as-is, but install failures are
handled more gracefully.

== Dependencies ==
* dnf and/or mock will likely need some adjusting for the lack of
implicit database creation. If necessary, rpm maintainers will provide
patches prior to landing this change.
* A soname bump is not expected, so rebuilds should not be required

== Contingency Plan ==

* Contingency mechanism: Revert back to RPM 4.16, but the risk of
having to do so should be negligible
* Contingency deadline: Beta freeze
* Blocks release? No

== Documentation ==
Work-in-progress release notes at https://rpm.org/wiki/Releases/4.17.0
and reference manual at
https://github.com/rpm-software-management/rpm/blob/master/doc/manual/index.md


--
Ben Cotton
He / Him / His
Senior Program Manager, Fedora & CentOS Stream
Red Hat
TZ=America/Indiana/Indianapolis
_______________________________________________
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

[USN-4898-1] curl vulnerabilities

==========================================================================
Ubuntu Security Notice USN-4898-1
March 31, 2021

curl vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.10
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

curl could be made to expose sensitive information over the network.

Software Description:
- curl: HTTP, HTTPS, and FTP client and client libraries

Details:

Viktor Szakats discovered that curl did not strip off user credentials
from referrer header fields. A remote attacker could possibly use this
issue to obtain sensitive information. (CVE-2021-22876)

Mingtao Yang discovered that curl incorrectly handled session tickets when
using an HTTPS proxy. A remote attacker in control of an HTTPS proxy could
use this issue to bypass certificate checks and intercept communications.
This issue only affected Ubuntu 20.04 LTS and Ubuntu 20.10.
(CVE-2021-22890)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.10:
curl 7.68.0-1ubuntu4.3
libcurl3-gnutls 7.68.0-1ubuntu4.3
libcurl3-nss 7.68.0-1ubuntu4.3
libcurl4 7.68.0-1ubuntu4.3

Ubuntu 20.04 LTS:
curl 7.68.0-1ubuntu2.5
libcurl3-gnutls 7.68.0-1ubuntu2.5
libcurl3-nss 7.68.0-1ubuntu2.5
libcurl4 7.68.0-1ubuntu2.5

Ubuntu 18.04 LTS:
curl 7.58.0-2ubuntu3.13
libcurl3-gnutls 7.58.0-2ubuntu3.13
libcurl3-nss 7.58.0-2ubuntu3.13
libcurl4 7.58.0-2ubuntu3.13

Ubuntu 16.04 LTS:
curl 7.47.0-1ubuntu2.19
libcurl3 7.47.0-1ubuntu2.19
libcurl3-gnutls 7.47.0-1ubuntu2.19
libcurl3-nss 7.47.0-1ubuntu2.19

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-4898-1
CVE-2021-22876, CVE-2021-22890

Package Information:
https://launchpad.net/ubuntu/+source/curl/7.68.0-1ubuntu4.3
https://launchpad.net/ubuntu/+source/curl/7.68.0-1ubuntu2.5
https://launchpad.net/ubuntu/+source/curl/7.58.0-2ubuntu3.13
https://launchpad.net/ubuntu/+source/curl/7.47.0-1ubuntu2.19
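The first issue above (CVE-2021-22876) is a client forwarding a URL that contains `user:password@` into the Referer header. As an added example that is not part of this notice or of curl's own code, the following Python derives a credential-free Referer from a request URL and audits constructed proxy-log lines for values that still carry userinfo; the log format and the `intranet.example` hostnames are assumptions.

```python
"""Credential-free Referer derivation and a leak audit (added example)."""
from urllib.parse import urlsplit, urlunsplit


def strip_credentials(url: str) -> str:
    """Return `url` with any userinfo (user:password@) removed from the authority.

    The fragment is dropped as well, since a Referer must not carry one
    (RFC 7231, section 5.5.2). URLs without an authority are returned unchanged.
    """
    p = urlsplit(url)
    if not p.netloc:
        return url
    # Everything up to the last '@' in the authority is userinfo; keep host[:port]
    # exactly as written (case, IPv6 brackets, port) rather than re-normalising it.
    _, _, hostport = p.netloc.rpartition("@")
    return urlunsplit((p.scheme, hostport, p.path, p.query, ""))


def has_credentials(url: str) -> bool:
    """True if the URL's authority still carries a username or password."""
    p = urlsplit(url)
    return bool(p.username) or bool(p.password)


def leaked_referers(log_lines):
    """Scan proxy log lines of the form '<client> <url> <referer>' (assumed
    format) and report Referer values that still carry credentials.

    The report returns the sanitised Referer so the finding itself does not
    repeat the secret; '-' marks a request that sent no Referer.
    """
    leaks = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        client, referer = fields[0], fields[2]
        if referer != "-" and has_credentials(referer):
            leaks.append((client, strip_credentials(referer)))
    return leaks


# Constructed sample log lines, not taken from a real proxy.
SAMPLE_LOG = [
    "10.0.0.5 https://cdn.example/img.png https://alice:s3cret@intranet.example/report?id=7",
    "10.0.0.9 https://cdn.example/app.js https://intranet.example/login",
    "10.0.0.5 https://cdn.example/x.css -",
]

if __name__ == "__main__":
    for client, referer in leaked_referers(SAMPLE_LOG):
        print(f"{client} leaked credentials in Referer for {referer}")
```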

Tuesday, March 30, 2021

Planned Outage - System upgrades - 2021-04-01 19:00 UTC

There will be an outage starting at 2021-04-01 19:00 UTC,
which will last approximately 5 hours.

To convert UTC to your local time, take a look at
http://fedoraproject.org/wiki/Infrastructure/UTCHowto
or run:

date -d '2021-04-01 19:00UTC'

Reason for outage:

We will be updating and rebooting various servers to bring them up to date and confirm changes from the recent account system migration.

During the outage window services may be up or down as various systems reboot. No one service should be affected very long.

Affected Services:

Most services will be affected, with the exception of: mirrorlists, docs, hotspot, geoip, and getfedora.

Ticket Link:

https://pagure.io/fedora-infrastructure/issue/9814

Please join #fedora-admin or #fedora-noc on irc.freenode.net
or add comments to the ticket for this outage above.

[USN-4897-1] Pygments vulnerability

==========================================================================
Ubuntu Security Notice USN-4897-1
March 30, 2021

pygments vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.10
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Pygments could be made to hang if it opened a specially crafted file.

Software Description:
- pygments: Generic syntax highlighter

Details:

Ben Caller discovered that Pygments incorrectly handled parsing certain
files. If a user or automated system were tricked into parsing a specially
crafted file, a remote attacker could cause Pygments to hang or consume
resources, resulting in a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.10:
python3-pygments 2.3.1+dfsg-4ubuntu0.2

Ubuntu 20.04 LTS:
python-pygments 2.3.1+dfsg-1ubuntu2.2
python3-pygments 2.3.1+dfsg-1ubuntu2.2

Ubuntu 18.04 LTS:
python-pygments 2.2.0+dfsg-1ubuntu0.2
python3-pygments 2.2.0+dfsg-1ubuntu0.2

Ubuntu 16.04 LTS:
python-pygments 2.1+dfsg-1ubuntu0.2
python3-pygments 2.1+dfsg-1ubuntu0.2

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-4897-1
CVE-2021-27291

Package Information:
https://launchpad.net/ubuntu/+source/pygments/2.3.1+dfsg-4ubuntu0.2
https://launchpad.net/ubuntu/+source/pygments/2.3.1+dfsg-1ubuntu2.2
https://launchpad.net/ubuntu/+source/pygments/2.2.0+dfsg-1ubuntu0.2
https://launchpad.net/ubuntu/+source/pygments/2.1+dfsg-1ubuntu0.2

[USN-4896-1] lxml vulnerability

==========================================================================
Ubuntu Security Notice USN-4896-1
March 30, 2021

lxml vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.10
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

lxml could allow cross-site scripting (XSS) attacks.

Software Description:
- lxml: pythonic binding for the libxml2 and libxslt libraries

Details:

It was discovered that lxml incorrectly handled certain HTML attributes. A
remote attacker could possibly use this issue to perform cross-site
scripting (XSS) attacks.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.10:
python3-lxml 4.5.2-1ubuntu0.4

Ubuntu 20.04 LTS:
python-lxml 4.5.0-1ubuntu0.3
python3-lxml 4.5.0-1ubuntu0.3

Ubuntu 18.04 LTS:
python-lxml 4.2.1-1ubuntu0.4
python3-lxml 4.2.1-1ubuntu0.4

Ubuntu 16.04 LTS:
python-lxml 3.5.0-1ubuntu0.4
python3-lxml 3.5.0-1ubuntu0.4

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-4896-1
CVE-2021-28957

Package Information:
https://launchpad.net/ubuntu/+source/lxml/4.5.2-1ubuntu0.4
https://launchpad.net/ubuntu/+source/lxml/4.5.0-1ubuntu0.3
https://launchpad.net/ubuntu/+source/lxml/4.2.1-1ubuntu0.4
https://launchpad.net/ubuntu/+source/lxml/3.5.0-1ubuntu0.4

Monday, March 29, 2021

[USN-4894-1] WebKitGTK vulnerabilities

==========================================================================
Ubuntu Security Notice USN-4894-1
March 29, 2021

webkit2gtk vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.10
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in WebKitGTK.

Software Description:
- webkit2gtk: Web content engine library for GTK+

Details:

A large number of security issues were discovered in the WebKitGTK Web and
JavaScript engines. If a user were tricked into viewing a malicious
website, a remote attacker could exploit a variety of issues related to web
browser security, including cross-site scripting attacks, denial of service
attacks, and arbitrary code execution.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.10:
libjavascriptcoregtk-4.0-18 2.30.6-0ubuntu0.20.10.1
libwebkit2gtk-4.0-37 2.30.6-0ubuntu0.20.10.1

Ubuntu 20.04 LTS:
libjavascriptcoregtk-4.0-18 2.30.6-0ubuntu0.20.04.1
libwebkit2gtk-4.0-37 2.30.6-0ubuntu0.20.04.1

Ubuntu 18.04 LTS:
libjavascriptcoregtk-4.0-18 2.30.6-0ubuntu0.18.04.1
libwebkit2gtk-4.0-37 2.30.6-0ubuntu0.18.04.1

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any applications
that use WebKitGTK, such as Epiphany, to make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-4894-1
CVE-2020-27918, CVE-2020-29623, CVE-2021-1765, CVE-2021-1789,
CVE-2021-1799, CVE-2021-1801, CVE-2021-1870

Package Information:
https://launchpad.net/ubuntu/+source/webkit2gtk/2.30.6-0ubuntu0.20.10.1
https://launchpad.net/ubuntu/+source/webkit2gtk/2.30.6-0ubuntu0.20.04.1
https://launchpad.net/ubuntu/+source/webkit2gtk/2.30.6-0ubuntu0.18.04.1

[USN-4895-1] Squid vulnerabilities

==========================================================================
Ubuntu Security Notice USN-4895-1
March 29, 2021

squid, squid3 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.10
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in Squid.

Software Description:
- squid: Web proxy cache server
- squid3: Web proxy cache server

Details:

Alex Rousskov and Amit Klein discovered that Squid incorrectly handled
certain Content-Length headers. A remote attacker could possibly use this
issue to perform an HTTP request smuggling attack, resulting in cache
poisoning. This issue only affected Ubuntu 20.04 LTS. (CVE-2020-15049)

Jianjun Chen discovered that Squid incorrectly validated certain input. A
remote attacker could use this issue to perform HTTP Request Smuggling and
possibly access services forbidden by the security controls.
(CVE-2020-25097)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.10:
squid 4.13-1ubuntu2.1

Ubuntu 20.04 LTS:
squid 4.10-1ubuntu1.3

Ubuntu 18.04 LTS:
squid 3.5.27-1ubuntu1.10

Ubuntu 16.04 LTS:
squid 3.5.12-1ubuntu7.16

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-4895-1
CVE-2020-15049, CVE-2020-25097

Package Information:
https://launchpad.net/ubuntu/+source/squid/4.13-1ubuntu2.1
https://launchpad.net/ubuntu/+source/squid/4.10-1ubuntu1.3
https://launchpad.net/ubuntu/+source/squid3/3.5.27-1ubuntu1.10
https://launchpad.net/ubuntu/+source/squid3/3.5.12-1ubuntu7.16

Orphaned packages looking for new maintainers

The following packages are orphaned and will be retired when they
are orphaned for six weeks, unless someone adopts them. If you know for sure
that the package should be retired, please do so now with a proper reason:
https://fedoraproject.org/wiki/How_to_remove_a_package_at_end_of_life

Note: If you received this mail directly you (co)maintain one of the affected
packages or a package that depends on one. Please adopt the affected package or
retire your depending package to avoid broken dependencies, otherwise your
package will fail to install and/or build when the affected package gets retired.

Request package ownership via the *Take* button in the left column on
https://src.fedoraproject.org/rpms/<pkgname>

Full report available at:
https://churchyard.fedorapeople.org/orphans-2021-03-29.txt
grep it for your FAS username and follow the dependency chain.

For human readable dependency chains,
see https://packager-dashboard.fedoraproject.org/
For all orphaned packages,
see https://packager-dashboard.fedoraproject.org/orphan

Package (co)maintainers Status Change
================================================================================
CuraEngine-lulzbot orphan 3 weeks ago
OpenIPMI branto, jridky, orphan, pknirsch 2 weeks ago
arp-scan moceap, orphan, xmrbrz 5 weeks ago
balance lbazan, orphan 5 weeks ago
bareftp chreide, orphan 5 weeks ago
bucardo lbazan, orphan 5 weeks ago
ccls orphan 2 weeks ago
connman orphan 1 weeks ago
cri-tools dwalsh, fkluknav, lsm5, orphan, umohnani 5 weeks ago
ctorrent orphan 5 weeks ago
cura-lulzbot orphan, spot 3 weeks ago
dianara orphan 5 weeks ago
dionaea orphan 2 weeks ago
drehatlas-warender-bibliothek-fonts orphan 5 weeks ago
drehatlas-xaporho-fonts orphan 5 weeks ago
ez-ipupdate abo, jlayton, orphan 5 weeks ago
fillets-ng-data orphan, thias 2 weeks ago
flexdock orphan 2 weeks ago
freeipmi branto, cicku, jridky, orphan, pknirsch 2 weeks ago
grc orphan 2 weeks ago
gsignond orphan 2 weeks ago
gsignond-plugin-lastfm orphan 2 weeks ago
gsignond-plugin-mail orphan 2 weeks ago
gsignond-plugin-oauth orphan 2 weeks ago
gsignond-plugin-sasl orphan 2 weeks ago
httpunit fnasser, mizdebsk, orphan 5 weeks ago
ipmitool branto, jridky, orphan, praveenp 2 weeks ago
jakarta-messaging orphan 3 weeks ago
jboss-el-3.0-api orphan 3 weeks ago
jboss-jsp-2.3-api orphan 1 weeks ago
jboss-jstl-1.2-api orphan 1 weeks ago
jboss-servlet-3.1-api orphan 3 weeks ago
kanjistrokeorders-fonts orphan 5 weeks ago
libaccounts-glib orphan 2 weeks ago
libarcus-lulzbot orphan 3 weeks ago
libmirage orphan 5 weeks ago
lulzbot-marlin-firmware orphan, spot 3 weeks ago
maven-verifier mizdebsk, orphan 3 weeks ago
mydns orphan 5 weeks ago
netresolve orphan, pemensik 1 weeks ago
pen cicku, danniel, orphan 5 weeks ago
perl-DBIx-Safe orphan 5 weeks ago
phpwapmail orphan 4 weeks ago
powermock jerboaa, lef, neugens, orphan 3 weeks ago
python-cocotb orphan 0 weeks ago
python-fasjson-client infra-sig, orphan 0 weeks ago
python-flask-babelex devrim, orphan 5 weeks ago
python-flask-gravatar devrim, orphan 5 weeks ago
python-flask-mail devrim, orphan 5 weeks ago
python-flask-paranoid devrim, orphan 5 weeks ago
python-flask-pymongo orphan 5 weeks ago
python-flask-security devrim, orphan 5 weeks ago
python-flask-sphinx-themes devrim, orphan 5 weeks ago
python-pytest4 churchyard, mrunge, orphan, python-sig, radez, thm 3 weeks ago
python-sshtunnel orphan 5 weeks ago
python-uranium-lulzbot orphan 3 weeks ago
python-vcversioner fab, orphan 5 weeks ago
python3-simplepam leonn, orion, orphan 2 weeks ago
pyxtrlock leonn, orphan 2 weeks ago
quvi orphan 2 weeks ago
racoon2 orphan 1 weeks ago
reiserfs-utils cicku, orphan 5 weeks ago
rnv orphan 1 weeks ago
rubygem-net-ssh-gateway orphan, tdawson 2 weeks ago
rubygem-raindrops orphan 2 weeks ago
rubygem-recaptcha orphan 2 weeks ago
saxpath akurtakov, mizdebsk, orphan 3 weeks ago
signon-glib dvratil, kde-sig, orphan 2 weeks ago
sofia-sip orphan 5 weeks ago
sump-analyzer orphan 2 weeks ago
sumwars orphan 5 weeks ago
tlomt-junction-fonts orphan 5 weeks ago
trac-privateticketsplugin orphan 4 weeks ago
ttyd orphan 5 weeks ago
ubuntu-title-fonts orphan 5 weeks ago
vollkorn-fonts orphan 5 weeks ago
wput orphan 5 weeks ago
xiphos cicku, deji, orphan 2 weeks ago
yanone-tagesschrift-fonts orphan 5 weeks ago

The following packages require above mentioned packages:
Report too long, see the full version at
https://churchyard.fedorapeople.org/orphans-2021-03-29.txt

See dependency chains of your packages at
https://packager-dashboard.fedoraproject.org/
See all orphaned packages at https://packager-dashboard.fedoraproject.org/orphan

Affected (co)maintainers (either directly or via packages' dependencies):
abo: ez-ipupdate
akurtakov: saxpath
anvil: ipmitool
besser82: freeipmi, ipmitool
branto: freeipmi, OpenIPMI, ipmitool
charlesrose: freeipmi
cheeselee: ipmitool
chreide: bareftp
churchyard: python-pytest4, ipmitool
cicku: freeipmi, pen, ipmitool, xiphos, reiserfs-utils
cqi: python-fasjson-client
cwickert: ipmitool
danniel: pen
deji: xiphos
devrim: python-flask-mail, python-flask-babelex, python-flask-paranoid,
python-flask-sphinx-themes, python-flask-gravatar, python-flask-security
dsommers: freeipmi
dvratil: libaccounts-glib, signon-glib
dwalsh: cri-tools
fab: freeipmi, OpenIPMI, python-vcversioner
filiperosset: saxpath
fkluknav: cri-tools
fnasser: httpunit
gbcox: libaccounts-glib
germano: ipmitool
heliocastro: libaccounts-glib
ianweller: python-fasjson-client
ignatenkobrain: python-fasjson-client
infra-sig: python-flask-mail, python-fasjson-client
jcpunk: freeipmi, ipmitool
jerboaa: powermock
jgrulich: libaccounts-glib, signon-glib
jirka: freeipmi
jkastner: freeipmi
jlayton: ez-ipupdate
jreznik: kanjistrokeorders-fonts, libaccounts-glib, signon-glib
jridky: freeipmi, OpenIPMI, ipmitool
jsteffan: freeipmi, OpenIPMI
karsten: OpenIPMI
kde-sig: kanjistrokeorders-fonts, libaccounts-glib, signon-glib
kevin: freeipmi, OpenIPMI, python-fasjson-client, ipmitool
kkofler: libaccounts-glib
lbazan: balance, perl-DBIx-Safe, bucardo
lef: powermock
leigh123linux: freeipmi, ipmitool
leonn: pyxtrlock, python3-simplepam
liangsuilong: ipmitool
limb: python-fasjson-client, ipmitool
lmacken: python-fasjson-client
lsm5: cri-tools
martinkg: connman
marx: ipmitool
mbayer: freeipmi, OpenIPMI
mck182: libaccounts-glib, signon-glib
melmorabity: ipmitool
mhlavink: freeipmi, OpenIPMI
mizdebsk: httpunit, saxpath, maven-verifier
mkyral: libaccounts-glib
moceap: arp-scan
mohanboddu: python-fasjson-client
mprahl: python-fasjson-client
mrunge: freeipmi, OpenIPMI, python-pytest4
nb: ipmitool
neugens: powermock
ngompa: python-flask-mail
nonamedotc: freeipmi, ipmitool
nucleo: libaccounts-glib
nushio: ipmitool
oalbrigt: ipmitool
orion: freeipmi, OpenIPMI, python3-simplepam
pcpa: python-flask-sphinx-themes
pemensik: netresolve
pkfed: freeipmi
pknirsch: freeipmi, OpenIPMI
praiskup: rnv
praveenp: ipmitool
pwalter: ipmitool
pwu: ipmitool
python-sig: python-pytest4
radez: python-pytest4
ralph: python-fasjson-client
rathann: freeipmi, ipmitool
rdieter: kanjistrokeorders-fonts, libaccounts-glib, signon-glib
rdossant: OpenIPMI
ruben: freeipmi, OpenIPMI
sayanchowdhury: python-fasjson-client
sharkcz: freeipmi, OpenIPMI
slankes: libaccounts-glib
spot: CuraEngine-lulzbot, cura-lulzbot, libarcus-lulzbot,
python-uranium-lulzbot, lulzbot-marlin-firmware
stevetraylen: freeipmi, OpenIPMI
suve: connman
taaem: ipmitool
tagoh: ipmitool
tartare: freeipmi
tdawson: rubygem-net-ssh-gateway
tejas: libaccounts-glib
than: kanjistrokeorders-fonts, libaccounts-glib
thias: fillets-ng-data
thm: python-pytest4
tibbs: python-fasjson-client
tuxbrewr: freeipmi
umohnani: cri-tools
vascom: freeipmi, libaccounts-glib, ipmitool
vda: freeipmi
volter: OpenIPMI
wakko666: OpenIPMI
wolnei: libaccounts-glib
xaeth: freeipmi, OpenIPMI
xmrbrz: arp-scan
yanqiyu: ipmitool
zsun: ipmitool

--
The script creating this output is run and developed by Fedora
Release Engineering. Please report issues at its pagure instance:
https://pagure.io/releng/
The sources of this script can be found at:
https://pagure.io/releng/blob/main/f/scripts/find_unblocked_orphans.py

Saturday, March 27, 2021

Updated Debian 10: 10.9 released

------------------------------------------------------------------------
The Debian Project https://www.debian.org/
Updated Debian 10: 10.9 released press@debian.org
March 27th, 2021 https://www.debian.org/News/2021/20210327
------------------------------------------------------------------------


The Debian project is pleased to announce the ninth update of its stable
distribution Debian 10 (codename "buster"). This point release mainly
adds corrections for security issues, along with a few adjustments for
serious problems. Security advisories have already been published
separately and are referenced where available.

Please note that the point release does not constitute a new version of
Debian 10 but only updates some of the packages included. There is no
need to throw away old "buster" media. After installation, packages can
be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have
to update many packages, and most such updates are included in the point
release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by
pointing the package management system at one of Debian's many HTTP
mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list



Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

+---------------------------+-----------------------------------------+
| Package                   | Reason                                  |
+---------------------------+-----------------------------------------+
| avahi [1]                 | Remove avahi-daemon-check-dns           |
|                           | mechanism, which is no longer needed    |
|                           |                                         |
| base-files [2]            | Update /etc/debian_version for the 10.9 |
|                           | point release                           |
|                           |                                         |
| cloud-init [3]            | Avoid logging generated passwords to    |
|                           | world-readable log files                |
|                           | [CVE-2021-3429]                         |
|                           |                                         |
| debian-archive-           | Add bullseye keys; retire jessie keys   |
| keyring [4]               |                                         |
|                           |                                         |
| debian-installer [5]      | Use 4.19.0-16 Linux kernel ABI          |
|                           |                                         |
| debian-installer-netboot- | Rebuild against proposed-updates        |
| images [6]                |                                         |
|                           |                                         |
| exim4 [7]                 | Fix use of concurrent TLS connections   |
|                           | under GnuTLS; fix TLS certificate       |
|                           | verification with CNAMEs;               |
|                           | README.Debian: document the limitation/ |
|                           | extent of server certificate            |
|                           | verification in the default             |
|                           | configuration                           |
|                           |                                         |
| fetchmail [8]             | No longer report "System error during   |
|                           | SSL_connect(): Success"; remove         |
|                           | OpenSSL version check                   |
|                           |                                         |
| fwupd [9]                 | Add SBAT support                        |
|                           |                                         |
| fwupd-amd64-signed [10]   | Add SBAT support                        |
|                           |                                         |
| fwupd-arm64-signed [11]   | Add SBAT support                        |
|                           |                                         |
| fwupd-armhf-signed [12]   | Add SBAT support                        |
|                           |                                         |
| fwupd-i386-signed [13]    | Add SBAT support                        |
|                           |                                         |
| fwupdate [14]             | Add SBAT support                        |
|                           |                                         |
| fwupdate-amd64-           | Add SBAT support                        |
| signed [15]               |                                         |
|                           |                                         |
| fwupdate-arm64-           | Add SBAT support                        |
| signed [16]               |                                         |
|                           |                                         |
| fwupdate-armhf-           | Add SBAT support                        |
| signed [17]               |                                         |
|                           |                                         |
| fwupdate-i386-signed [18] | Add SBAT support                        |
|                           |                                         |
| gdnsd [19]                | Fix stack overflow with overly-large    |
|                           | IPv6 addresses [CVE-2019-13952]         |
|                           |                                         |
| groff [20]                | Rebuild against ghostscript 9.27        |
|                           |                                         |
| hwloc-contrib [21]        | Enable support for the ppc64el          |
|                           | architecture                            |
|                           |                                         |
| intel-microcode [22]      | Update various microcode                |
|                           |                                         |
| iputils [23]              | Fix ping rounding errors; fix tracepath |
|                           | target corruption                       |
|                           |                                         |
| jquery [24]               | Fix untrusted code execution            |
|                           | vulnerabilities [CVE-2020-11022         |
|                           | CVE-2020-11023]                         |
|                           |                                         |
| libbsd [25]               | Fix out-of-bounds read issue            |
|                           | [CVE-2019-20367]                        |
|                           |                                         |
| libpano13 [26]            | Fix format string vulnerability         |
|                           |                                         |
| libreoffice [27]          | Do not load encodings.py from current   |
|                           | directory                               |
|                           |                                         |
| linux [28]                | New upstream stable release; update ABI |
|                           | to -16; rotate secure boot signing      |
|                           | keys; rt: update to 4.19.173-rt72       |
|                           |                                         |
| linux-latest [29]         | Update to -15 kernel ABI; update for    |
|                           | -16 kernel ABI                          |
|                           |                                         |
| linux-signed-amd64 [30]   | New upstream stable release; update ABI |
|                           | to -16; rotate secure boot signing      |
|                           | keys; rt: update to 4.19.173-rt72       |
|                           |                                         |
| linux-signed-arm64 [31]   | New upstream stable release; update ABI |
|                           | to -16; rotate secure boot signing      |
|                           | keys; rt: update to 4.19.173-rt72       |
|                           |                                         |
| linux-signed-i386 [32]    | New upstream stable release; update ABI |
|                           | to -16; rotate secure boot signing      |
|                           | keys; rt: update to 4.19.173-rt72       |
|                           |                                         |
| lirc [33]                 | Normalize embedded                      |
|                           | ${DEB_HOST_MULTIARCH} value in          |
|                           | /etc/lirc/lirc_options.conf to find     |
|                           | unmodified configuration files on all   |
|                           | architectures; recommend                |
|                           | gir1.2-vte-2.91 instead of non-existent |
|                           | gir1.2-vte                              |
|                           |                                         |
| m2crypto [34]             | Fix test failure with recent OpenSSL    |
|                           | versions                                |
|                           |                                         |
| openafs [35]              | Fix outgoing connections after unix     |
|                           | epoch time 0x60000000 (14 January 2021) |
|                           |                                         |
| portaudio19 [36]          | Handle EPIPE from                       |
|                           | alsa_snd_pcm_poll_descriptors, fixing   |
|                           | crash                                   |
|                           |                                         |
| postgresql-11 [37]        | New upstream stable release; fix        |
|                           | information leakage in constraint-      |
|                           | violation error messages                |
|                           | [CVE-2021-3393]; fix CREATE INDEX       |
|                           | CONCURRENTLY to wait for concurrent     |
|                           | prepared transactions                   |
|                           |                                         |
| privoxy [38]              | Security issues [CVE-2020-35502         |
|                           | CVE-2021-20209 CVE-2021-20210           |
|                           | CVE-2021-20211 CVE-2021-20212           |
|                           | CVE-2021-20213 CVE-2021-20214           |
|                           | CVE-2021-20215 CVE-2021-20216           |
|                           | CVE-2021-20217 CVE-2021-20272           |
|                           | CVE-2021-20273 CVE-2021-20275           |
|                           | CVE-2021-20276]                         |
|                           |                                         |
| python3.7 [39]            | Fix CRLF injection in http.client       |
|                           | [CVE-2020-26116]; fix buffer overflow   |
|                           | in PyCArg_repr in _ctypes/callproc.c    |
|                           | [CVE-2021-3177]                         |
|                           |                                         |
| redis [40]                | Fix a series of integer overflow issues |
|                           | on 32-bit systems [CVE-2021-21309]      |
|                           |                                         |
| ruby-mechanize [41]       | Fix command injection issue             |
|                           | [CVE-2021-21289]                        |
|                           |                                         |
| systemd [42]              | core: make sure to restore the control  |
|                           | command id, too, fixing a segfault;     |
|                           | seccomp: allow turning off of seccomp   |
|                           | filtering via an environment variable   |
|                           |                                         |
| uim [43]                  | libuim-data: Perform symlink_to_dir     |
|                           | conversion of /usr/share/doc/libuim-    |
|                           | data in the resurrected package for     |
|                           | clean upgrades from stretch             |
|                           |                                         |
| xcftools [44]             | Fix integer overflow vulnerability      |
|                           | [CVE-2019-5086 CVE-2019-5087]           |
|                           |                                         |
| xterm [45]                | Correct upper-limit for selection       |
|                           | buffer, accounting for combining        |
|                           | characters [CVE-2021-27135]             |
+---------------------------+-----------------------------------------+

1: https://packages.debian.org/src:avahi
2: https://packages.debian.org/src:base-files
3: https://packages.debian.org/src:cloud-init
4: https://packages.debian.org/src:debian-archive-keyring
5: https://packages.debian.org/src:debian-installer
6: https://packages.debian.org/src:debian-installer-netboot-images
7: https://packages.debian.org/src:exim4
8: https://packages.debian.org/src:fetchmail
9: https://packages.debian.org/src:fwupd
10: https://packages.debian.org/src:fwupd-amd64-signed
11: https://packages.debian.org/src:fwupd-arm64-signed
12: https://packages.debian.org/src:fwupd-armhf-signed
13: https://packages.debian.org/src:fwupd-i386-signed
14: https://packages.debian.org/src:fwupdate
15: https://packages.debian.org/src:fwupdate-amd64-signed
16: https://packages.debian.org/src:fwupdate-arm64-signed
17: https://packages.debian.org/src:fwupdate-armhf-signed
18: https://packages.debian.org/src:fwupdate-i386-signed
19: https://packages.debian.org/src:gdnsd
20: https://packages.debian.org/src:groff
21: https://packages.debian.org/src:hwloc-contrib
22: https://packages.debian.org/src:intel-microcode
23: https://packages.debian.org/src:iputils
24: https://packages.debian.org/src:jquery
25: https://packages.debian.org/src:libbsd
26: https://packages.debian.org/src:libpano13
27: https://packages.debian.org/src:libreoffice
28: https://packages.debian.org/src:linux
29: https://packages.debian.org/src:linux-latest
30: https://packages.debian.org/src:linux-signed-amd64
31: https://packages.debian.org/src:linux-signed-arm64
32: https://packages.debian.org/src:linux-signed-i386
33: https://packages.debian.org/src:lirc
34: https://packages.debian.org/src:m2crypto
35: https://packages.debian.org/src:openafs
36: https://packages.debian.org/src:portaudio19
37: https://packages.debian.org/src:postgresql-11
38: https://packages.debian.org/src:privoxy
39: https://packages.debian.org/src:python3.7
40: https://packages.debian.org/src:redis
41: https://packages.debian.org/src:ruby-mechanize
42: https://packages.debian.org/src:systemd
43: https://packages.debian.org/src:uim
44: https://packages.debian.org/src:xcftools
45: https://packages.debian.org/src:xterm

Security Updates
----------------

This revision adds the following security updates to the stable release.
The Security Team has already released an advisory for each of these
updates:

+----------------+----------------------------+
| Advisory ID    | Package                    |
+----------------+----------------------------+
| DSA-4826 [46]  | nodejs [47]                |
| DSA-4844 [48]  | dnsmasq [49]               |
| DSA-4845 [50]  | openldap [51]              |
| DSA-4846 [52]  | chromium [53]              |
| DSA-4847 [54]  | connman [55]               |
| DSA-4849 [56]  | firejail [57]              |
| DSA-4850 [58]  | libzstd [59]               |
| DSA-4851 [60]  | subversion [61]            |
| DSA-4853 [62]  | spip [63]                  |
| DSA-4854 [64]  | webkit2gtk [65]            |
| DSA-4855 [66]  | openssl [67]               |
| DSA-4856 [68]  | php7.3 [69]                |
| DSA-4857 [70]  | bind9 [71]                 |
| DSA-4858 [72]  | chromium [73]              |
| DSA-4859 [74]  | libzstd [75]               |
| DSA-4860 [76]  | openldap [77]              |
| DSA-4861 [78]  | screen [79]                |
| DSA-4862 [80]  | firefox-esr [81]           |
| DSA-4863 [82]  | nodejs [83]                |
| DSA-4864 [84]  | python-aiohttp [85]        |
| DSA-4865 [86]  | docker.io [87]             |
| DSA-4867 [88]  | grub-efi-amd64-signed [89] |
| DSA-4867 [90]  | grub-efi-arm64-signed [91] |
| DSA-4867 [92]  | grub-efi-ia32-signed [93]  |
| DSA-4867 [94]  | grub2 [95]                 |
| DSA-4868 [96]  | flatpak [97]               |
| DSA-4869 [98]  | tiff [99]                  |
| DSA-4870 [100] | pygments [101]             |
| DSA-4871 [102] | tor [103]                  |
| DSA-4872 [104] | shibboleth-sp [105]        |
+----------------+----------------------------+

46: https://www.debian.org/security/2021/dsa-4826
47: https://packages.debian.org/src:nodejs
48: https://www.debian.org/security/2021/dsa-4844
49: https://packages.debian.org/src:dnsmasq
50: https://www.debian.org/security/2021/dsa-4845
51: https://packages.debian.org/src:openldap
52: https://www.debian.org/security/2021/dsa-4846
53: https://packages.debian.org/src:chromium
54: https://www.debian.org/security/2021/dsa-4847
55: https://packages.debian.org/src:connman
56: https://www.debian.org/security/2021/dsa-4849
57: https://packages.debian.org/src:firejail
58: https://www.debian.org/security/2021/dsa-4850
59: https://packages.debian.org/src:libzstd
60: https://www.debian.org/security/2021/dsa-4851
61: https://packages.debian.org/src:subversion
62: https://www.debian.org/security/2021/dsa-4853
63: https://packages.debian.org/src:spip
64: https://www.debian.org/security/2021/dsa-4854
65: https://packages.debian.org/src:webkit2gtk
66: https://www.debian.org/security/2021/dsa-4855
67: https://packages.debian.org/src:openssl
68: https://www.debian.org/security/2021/dsa-4856
69: https://packages.debian.org/src:php7.3
70: https://www.debian.org/security/2021/dsa-4857
71: https://packages.debian.org/src:bind9
72: https://www.debian.org/security/2021/dsa-4858
73: https://packages.debian.org/src:chromium
74: https://www.debian.org/security/2021/dsa-4859
75: https://packages.debian.org/src:libzstd
76: https://www.debian.org/security/2021/dsa-4860
77: https://packages.debian.org/src:openldap
78: https://www.debian.org/security/2021/dsa-4861
79: https://packages.debian.org/src:screen
80: https://www.debian.org/security/2021/dsa-4862
81: https://packages.debian.org/src:firefox-esr
82: https://www.debian.org/security/2021/dsa-4863
83: https://packages.debian.org/src:nodejs
84: https://www.debian.org/security/2021/dsa-4864
85: https://packages.debian.org/src:python-aiohttp
86: https://www.debian.org/security/2021/dsa-4865
87: https://packages.debian.org/src:docker.io
88: https://www.debian.org/security/2021/dsa-4867
89: https://packages.debian.org/src:grub-efi-amd64-signed
90: https://www.debian.org/security/2021/dsa-4867
91: https://packages.debian.org/src:grub-efi-arm64-signed
92: https://www.debian.org/security/2021/dsa-4867
93: https://packages.debian.org/src:grub-efi-ia32-signed
94: https://www.debian.org/security/2021/dsa-4867
95: https://packages.debian.org/src:grub2
96: https://www.debian.org/security/2021/dsa-4868
97: https://packages.debian.org/src:flatpak
98: https://www.debian.org/security/2021/dsa-4869
99: https://packages.debian.org/src:tiff
100: https://www.debian.org/security/2021/dsa-4870
101: https://packages.debian.org/src:pygments
102: https://www.debian.org/security/2021/dsa-4871
103: https://packages.debian.org/src:tor
104: https://www.debian.org/security/2021/dsa-4872
105: https://packages.debian.org/src:shibboleth-sp

Debian Installer
----------------

The installer has been updated to include the fixes incorporated into
stable by the point release.


URLs
----

The complete lists of packages that have changed with this revision:

http://ftp.debian.org/debian/dists/buster/ChangeLog


The current stable distribution:

http://ftp.debian.org/debian/dists/stable/


Proposed updates to the stable distribution:

http://ftp.debian.org/debian/dists/proposed-updates


stable distribution information (release notes, errata etc.):

https://www.debian.org/releases/stable/


Security announcements and information:

https://www.debian.org/security/



About Debian
------------

The Debian Project is an association of Free Software developers who
volunteer their time and effort in order to produce the completely free
operating system Debian.


Contact Information
-------------------

For further information, please visit the Debian web pages at
https://www.debian.org/, send mail to <press@debian.org>, or contact the
stable release team at <debian-release@lists.debian.org>.

Friday, March 26, 2021

[CentOS-announce] CESA-2021:0996 Important CentOS 7 thunderbird Security Update

CentOS Errata and Security Advisory 2021:0996 Important

Upstream details at : https://access.redhat.com/errata/RHSA-2021:0996

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

x86_64:
412317b2522f388f60a8b9846d99020fa2c884e8557b0552ad09b4218e97803d thunderbird-78.9.0-3.el7.centos.x86_64.rpm

Source:
9b3ff2329273f188e644f9e8fb481e12ff32397fac7f7f9b4a689aa99d84529b thunderbird-78.9.0-3.el7.centos.src.rpm



--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS

_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
https://lists.centos.org/mailman/listinfo/centos-announce
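The announcement above publishes one "( sha256sum Filename )" pair per file so that a download from any mirror can be checked before installation. The following is an added example (not CentOS Project code) of that check in Python: it pulls the digest/filename pairs out of announcement-style text, hashes each local file, and reports per file whether it matches, differs, or was never fetched. The file names, payload bytes and announcement text in `demo()` are constructed for the example, and the digests in that constructed text are computed from the sample bytes, not copied from the real packages.

```python
"""Verify mirror downloads against the '( sha256sum Filename )' lines of a
CentOS-style announcement. Added example, not the project's own tooling."""
import hashlib
import hmac
import os
import tempfile
from typing import Dict

HEX = set("0123456789abcdef")


def parse_announced_hashes(text: str) -> Dict[str, str]:
    """Pick '<64-hex sha256> <filename>' pairs out of free-form announcement
    text; section labels such as 'x86_64:' and 'Source:' have no digest and
    are skipped."""
    expected: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and len(parts[0]) == 64 and set(parts[0].lower()) <= HEX:
            expected[parts[1]] = parts[0].lower()
    return expected


def sha256_of(path: str) -> str:
    """Stream the file through SHA-256 so large RPMs are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(expected: Dict[str, str], directory: str) -> Dict[str, str]:
    """Return a verdict per announced file: 'ok', 'mismatch' or 'missing'.
    A 'mismatch' means the bytes on disk are not the bytes the announcement
    vouched for and the file must not be installed."""
    verdicts: Dict[str, str] = {}
    for name, digest in expected.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            verdicts[name] = "missing"
        elif hmac.compare_digest(sha256_of(path), digest):
            verdicts[name] = "ok"
        else:
            verdicts[name] = "mismatch"
    return verdicts


def demo() -> Dict[str, str]:
    """Constructed scenario (hypothetical package names): one intact file,
    one altered after its digest was published, one never downloaded."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "example-1.0-1.el7.x86_64.rpm")
        bad = os.path.join(d, "example-1.0-1.el7.src.rpm")
        with open(good, "wb") as f:
            f.write(b"constructed rpm payload A")
        with open(bad, "wb") as f:
            f.write(b"constructed rpm payload B")
        # Announcement text in the same layout as the post above; the digests
        # are computed here from the sample bytes.
        announcement = (
            "x86_64:\n"
            f"{sha256_of(good)} example-1.0-1.el7.x86_64.rpm\n"
            "\nSource:\n"
            f"{sha256_of(bad)} example-1.0-1.el7.src.rpm\n"
            f"{'0' * 64} example-debuginfo-1.0-1.el7.x86_64.rpm\n"
        )
        with open(bad, "ab") as f:  # tamper after the digest was recorded
            f.write(b"\x00")
        return verify_downloads(parse_announced_hashes(announcement), d)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:8s} {name}")
```

In practice the `expected` map would be built from the saved announcement mail and `verify_downloads` pointed at the download directory; anything other than "ok" for every listed file is a reason to re-fetch from another mirror rather than install.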

[CentOS-announce] CESA-2021:0992 Important CentOS 7 firefox Security Update

CentOS Errata and Security Advisory 2021:0992 Important

Upstream details at : https://access.redhat.com/errata/RHSA-2021:0992

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

x86_64:
67cc5f25f8e6a42f9536eb9dbe7e22e3fab22c55d87d37db23cb90136913067e firefox-78.9.0-1.el7.centos.i686.rpm
44600066daf3f3b57b9e269737e0b0dfcd410f3a524fbbd74aec3162d6f84f7c firefox-78.9.0-1.el7.centos.x86_64.rpm

Source:
bedd47ac6fc527b008c2ed93845707f248f2a8eae9ad4201508728e2b54283ad firefox-78.9.0-1.el7.centos.src.rpm



--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS


Thursday, March 25, 2021

[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-21:07.openssl

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-21:07.openssl Security Advisory
The FreeBSD Project

Topic: Multiple vulnerabilities in OpenSSL

Category: contrib
Module: openssl
Announced: 2021-03-25
Affects: FreeBSD 12.2 and later
Corrected: 2021-03-25 15:45:19 UTC (stable/13, 13.0-STABLE)
2021-03-25 16:25:06 UTC (releng/13.0, 13.0-RC3-p1)
2021-03-25 17:14:46 UTC (stable/12, 12.2-STABLE)
2021-03-25 23:45:45 UTC (releng/12.2, 12.2-RELEASE-p5)
CVE Name: CVE-2021-3449, CVE-2021-3450

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I. Background

FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a
collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit for the Transport Layer Security (TLS) protocol. It is
also a general-purpose cryptography library.

II. Problem Description

This advisory covers two distinct OpenSSL issues:

The X509_V_FLAG_X509_STRICT flag enables additional security checks of the
certificates present in a certificate chain. It is not set by default.
Starting from OpenSSL version 1.1.1h a check to disallow certificates in the
chain that have explicitly encoded elliptic curve parameters was added as an
additional strict check. An error in the implementation of this check meant
that the result of a previous check to confirm that certificates in the chain
are valid CA certificates was overwritten. This effectively bypasses the
check that non-CA certificates must not be able to issue other certificates.
[CVE-2021-3450]

A TLSv1.2 renegotiation ClientHello message sent to a TLS server that omits
the signature_algorithms extension (where it was present in the initial
ClientHello), but includes a signature_algorithms_cert extension results in a
NULL pointer dereference in the server. [CVE-2021-3449]
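The X509_V_FLAG_X509_STRICT description above is a textbook instance of a check-result overwrite: a later check stores its verdict in the same variable as an earlier one, so the earlier failure is lost. The following is an added example (not OpenSSL code) that models that bug class with constructed certificate records: `is_ca` stands in for the CA-validity result and `explicit_ec_params` for a key whose curve is encoded explicitly rather than by name, which is what the strict check rejects. The numeric value given to `X509_V_FLAG_X509_STRICT` is hypothetical; only the flag's name comes from the advisory.

```python
"""Model of the check-overwrite bug class described for CVE-2021-3450.
Added example with constructed records; not OpenSSL's verifier."""
from dataclasses import dataclass
from typing import Callable, List

# Hypothetical bit value; only the flag's name is taken from the advisory.
X509_V_FLAG_X509_STRICT = 0x20


@dataclass(frozen=True)
class Cert:
    subject: str
    is_ca: bool              # stands in for the "valid CA certificate" result
    explicit_ec_params: bool  # curve parameters encoded explicitly, not by name


def check_issuer_buggy(cert: Cert, flags: int) -> bool:
    """Issuer check with the flaw the advisory describes: the strict-mode
    result is written into the same variable as the CA result, so a
    named-curve non-CA certificate passes when the strict flag is set."""
    ret = 1 if cert.is_ca else 0                   # "is this a valid CA?"
    if flags & X509_V_FLAG_X509_STRICT:
        ret = 0 if cert.explicit_ec_params else 1  # overwrites the CA result
    return ret == 1


def check_issuer_fixed(cert: Cert, flags: int) -> bool:
    """Corrected form: every check contributes to the verdict, none replaces it."""
    if not cert.is_ca:
        return False
    if flags & X509_V_FLAG_X509_STRICT and cert.explicit_ec_params:
        return False
    return True


def verify_chain(chain: List[Cert], flags: int,
                 check_issuer: Callable[[Cert, int], bool]) -> bool:
    """chain[0] is the leaf; each later element issued the one before it and
    must therefore pass the issuer check."""
    return all(check_issuer(c, flags) for c in chain[1:])


# Constructed chain: a leaf whose issuer is itself an end-entity (non-CA)
# certificate with a named curve, hanging off a genuine root CA.
LEAF = Cert("leaf", is_ca=False, explicit_ec_params=False)
NON_CA_ISSUER = Cert("end-entity used as issuer", is_ca=False, explicit_ec_params=False)
ROOT = Cert("root", is_ca=True, explicit_ec_params=False)
CHAIN = [LEAF, NON_CA_ISSUER, ROOT]


def outcomes(chain: List[Cert] = CHAIN) -> dict:
    """Verdicts for one chain under both implementations, with and without
    the strict flag. Only buggy_strict accepts the non-CA issuer."""
    return {
        "buggy_default": verify_chain(chain, 0, check_issuer_buggy),
        "buggy_strict": verify_chain(chain, X509_V_FLAG_X509_STRICT, check_issuer_buggy),
        "fixed_default": verify_chain(chain, 0, check_issuer_fixed),
        "fixed_strict": verify_chain(chain, X509_V_FLAG_X509_STRICT, check_issuer_fixed),
    }


if __name__ == "__main__":
    for name, accepted in outcomes().items():
        print(f"{name:14s} -> {'ACCEPTED' if accepted else 'rejected'}")
```

The point the model makes is the one in the advisory's workaround: the bug only bites when the strict flag is set, because the overwriting assignment sits inside the strict branch; with the flag clear the CA result survives and the chain is rejected either way.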

III. Impact

The X509_V_FLAG_X509_STRICT issue can result in a bypass of the check that
non-CA certificates must not be able to issue other certificates.

The renegotiation issue can result in a crash and a denial of service attack.

IV. Workaround

For the X509_V_FLAG_X509_STRICT issue, no workaround is available, but
software that doesn't explicitly set the X509_V_FLAG_X509_STRICT flag is
unaffected.

For the renegotiation issue, either turning off TLSv1.2 (as TLSv1.3 is
unaffected) or turning off renegotiation on the TLS server mitigates the
issue.
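The two server-side workarounds named above (drop TLSv1.2 entirely, or keep it but refuse renegotiation) map directly onto settings any TLS server configuration exposes. The following is an added example, not FreeBSD or OpenSSL code, that applies them with Python's standard `ssl` module, which surfaces OpenSSL's SSL_OP_NO_RENEGOTIATION as `ssl.OP_NO_RENEGOTIATION` when the linked OpenSSL is 1.1.0h or newer; on an older build the example falls back to the TLS 1.3-only workaround rather than leaving the server unmitigated. The mode names and helper functions are this example's own.

```python
"""Apply the advisory's two server-side workarounds for the renegotiation
issue (CVE-2021-3449) with Python's ssl module. Added example; the mode
names and helpers are this example's own, not an OpenSSL or FreeBSD API."""
import ssl

# 0 when the running Python/OpenSSL pair predates the option.
OP_NO_RENEGOTIATION = getattr(ssl, "OP_NO_RENEGOTIATION", 0)


def make_server_context(mode: str = "no_reneg") -> ssl.SSLContext:
    """Build a server context with one of the two workarounds applied.

    mode="tls13_only": switch TLS 1.2 (and older) off; TLS 1.3 is unaffected.
    mode="no_reneg":   keep TLS 1.2 but refuse renegotiation; if the option
                       is unavailable, fall back to TLS 1.3 only instead of
                       silently serving an unmitigated configuration.
    Load a certificate with ctx.load_cert_chain(...) before serving.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if mode == "tls13_only":
        ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    elif mode == "no_reneg":
        if OP_NO_RENEGOTIATION:
            ctx.options |= OP_NO_RENEGOTIATION
        else:
            ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return ctx


def tls12_disabled(ctx: ssl.SSLContext) -> bool:
    """True when the context will not negotiate TLS 1.2 or older."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_3


def renegotiation_mitigated(ctx: ssl.SSLContext) -> bool:
    """True when a TLS 1.2 renegotiation ClientHello can no longer reach the
    server: either TLS 1.2 is off or renegotiation is refused."""
    if tls12_disabled(ctx):
        return True
    return bool(OP_NO_RENEGOTIATION) and bool(ctx.options & OP_NO_RENEGOTIATION)


def unmitigated_context() -> ssl.SSLContext:
    """Baseline for comparison: TLS 1.2 allowed, renegotiation not refused."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if OP_NO_RENEGOTIATION and ctx.options & OP_NO_RENEGOTIATION:
        ctx.options &= ~OP_NO_RENEGOTIATION
    return ctx


if __name__ == "__main__":
    for mode in ("no_reneg", "tls13_only"):
        ctx = make_server_context(mode)
        print(f"{mode:10s} tls12_disabled={tls12_disabled(ctx)} "
              f"renegotiation_mitigated={renegotiation_mitigated(ctx)}")
    print(f"baseline   renegotiation_mitigated={renegotiation_mitigated(unmitigated_context())}")
```

Either mode is a configuration-level stopgap; the advisory's actual fix is the updated library, and the patched OpenSSL should still be installed and every daemon using it restarted.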

V. Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# <restart any daemons that use the library>

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 13.x]
# fetch https://security.FreeBSD.org/patches/SA-21:07/openssl-13.patch
# fetch https://security.FreeBSD.org/patches/SA-21:07/openssl-13.patch.asc
# gpg --verify openssl-13.patch.asc

[FreeBSD 12.x]
# fetch https://security.FreeBSD.org/patches/SA-21:07/openssl-12.patch
# fetch https://security.FreeBSD.org/patches/SA-21:07/openssl-12.patch.asc
# gpg --verify openssl-12.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart all daemons that use the library, or reboot the system.

VI. Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path Revision
- -------------------------------------------------------------------------
stable/13/ b6c1fdcdf5033d20c61cc77d66f58f31cc65e2ba
releng/13.0/ 7d3f5a19f455e0e3fb17ac3f9af288e8c7fffc15
stable/12/ r369521
releng/12.2/ r369523
- -------------------------------------------------------------------------

[FreeBSD 13.x]
To see which files were modified by a particular revision, run the following
command in a checked out git repository, replacing NNNNNN with the revision
hash:

# git show --stat NNNNNN

Or visit the following URL, replace NNNNNN with the revision hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

[FreeBSD 12.x]
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

<URL:https://www.openssl.org/news/secadv/20210325.txt>

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3449>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3450>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc>
_______________________________________________
freebsd-announce@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-announce
To unsubscribe, send any mail to "freebsd-announce-unsubscribe@freebsd.org"

[USN-4893-1] Firefox vulnerabilities

==========================================================================
Ubuntu Security Notice USN-4893-1
March 25, 2021

firefox vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.10
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Firefox could be made to crash or run programs as your login if it
opened a malicious website.

Software Description:
- firefox: Mozilla Open Source web browser

Details:

Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, obtain sensitive
information, or execute arbitrary code. (CVE-2021-23981, CVE-2021-23982,
CVE-2021-23983, CVE-2021-23987, CVE-2021-23988)

It was discovered that extensions could open popup windows with control
of the window title in some circumstances. If a user were tricked into
installing a specially crafted extension, an attacker could potentially
exploit this to spoof a website and trick the user into providing
credentials. (CVE-2021-23984)

It was discovered that the DevTools remote debugging feature could be
enabled without an indication to the user. If a local attacker could
modify the browser configuration, a remote attacker could potentially
exploit this to obtain sensitive information. (CVE-2021-23985)

It was discovered that extensions could read the response of cross
origin requests in some circumstances. If a user were tricked into
installing a specially crafted extension, an attacker could potentially
exploit this to obtain sensitive information. (CVE-2021-23986)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.10:
firefox 87.0+build3-0ubuntu0.20.10.1

Ubuntu 20.04 LTS:
firefox 87.0+build3-0ubuntu0.20.04.2

Ubuntu 18.04 LTS:
firefox 87.0+build3-0ubuntu0.18.04.2

Ubuntu 16.04 LTS:
firefox 87.0+build3-0ubuntu0.16.04.2

After a standard system update you need to restart Firefox to make
all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-4893-1
CVE-2021-23981, CVE-2021-23982, CVE-2021-23983, CVE-2021-23984,
CVE-2021-23985, CVE-2021-23986, CVE-2021-23987, CVE-2021-23988

Package Information:
https://launchpad.net/ubuntu/+source/firefox/87.0+build3-0ubuntu0.20.10.1
https://launchpad.net/ubuntu/+source/firefox/87.0+build3-0ubuntu0.20.04.2
https://launchpad.net/ubuntu/+source/firefox/87.0+build3-0ubuntu0.18.04.2
https://launchpad.net/ubuntu/+source/firefox/87.0+build3-0ubuntu0.16.04.2

[USN-4888-2] ldb vulnerabilities

==========================================================================
Ubuntu Security Notice USN-4888-2
March 25, 2021

ldb vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 ESM

Summary:

Several security issues were fixed in ldb.

Software Description:
- ldb: LDAP-like embedded database

Details:

USN-4888-1 fixed several vulnerabilities in ldb. This update provides
the corresponding update for Ubuntu 14.04 ESM.

Original advisory details:

Douglas Bagnall discovered that ldb, when used with Samba, incorrectly
handled certain LDAP attributes. A remote attacker could possibly use this
issue to cause the LDAP server to crash, resulting in a denial of service.
(CVE-2021-20277)

Douglas Bagnall discovered that ldb, when used with Samba, incorrectly
handled certain DN strings. A remote attacker could use this issue to
cause the LDAP server to crash, resulting in a denial of service, or
possibly execute arbitrary code. (CVE-2020-27840)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 ESM:
libldb1 1:1.1.24-0ubuntu0.14.04.2+esm1

After a standard system update you need to restart applications using ldb,
such as Samba, to make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-4888-2
https://ubuntu.com/security/notices/USN-4888-1
CVE-2020-27840, CVE-2021-20277

[USN-3685-2] Ruby regression

==========================================================================
Ubuntu Security Notice USN-3685-2
March 25, 2021

ruby2.0 regression
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 ESM

Summary:

USN-3685-1 introduced a regression in Ruby.

Software Description:
- ruby2.0: Object-oriented scripting language

Details:

USN-3685-1 fixed a vulnerability in Ruby. The fix for CVE-2017-0903 introduced
a regression in Ruby. This update fixes the problem.

Original advisory details:

Some of these CVEs were already addressed in previous
USNs: 3439-1, 3553-1, 3528-1. Here we address
the remaining releases.

It was discovered that Ruby incorrectly handled certain inputs.
An attacker could use this to cause a buffer overrun. (CVE-2017-0898)

It was discovered that Ruby incorrectly handled certain files.
An attacker could use this to overwrite any file on the filesystem.
(CVE-2017-0901)

It was discovered that Ruby was vulnerable to a DNS hijacking vulnerability.
An attacker could use this to possibly force the RubyGems client to download
and install gems from a server that the attacker controls. (CVE-2017-0902)

It was discovered that Ruby incorrectly handled certain YAML files.
An attacker could use this to possibly execute arbitrary code. (CVE-2017-0903)

It was discovered that Ruby incorrectly handled certain files.
An attacker could use this to expose sensitive information.
(CVE-2017-14064)

It was discovered that Ruby incorrectly handled certain inputs.
An attacker could use this to execute arbitrary code. (CVE-2017-10784)

It was discovered that Ruby incorrectly handled certain network requests.
An attacker could possibly use this to inject a crafted key into an HTTP
response. (CVE-2017-17742)

It was discovered that Ruby incorrectly handled certain files.
An attacker could possibly use this to execute arbitrary code.
This update is only addressed to ruby2.0. (CVE-2018-1000074)

It was discovered that Ruby incorrectly handled certain network requests.
An attacker could possibly use this to cause a denial of service.
(CVE-2018-8777)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 ESM:
libruby2.0 2.0.0.484-1ubuntu2.13+esm1
ruby2.0 2.0.0.484-1ubuntu2.13+esm1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-3685-2
https://ubuntu.com/security/notices/USN-3685-1
CVE-2017-0903, https://bugs.launchpad.net/ubuntu/+source/ruby2.0/+bug/1777174

[USN-4891-1] OpenSSL vulnerability

==========================================================================
Ubuntu Security Notice USN-4891-1
March 25, 2021

openssl vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.10
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

OpenSSL could be made to crash or run programs if it received specially
crafted network traffic.

Software Description:
- openssl: Secure Socket Layer (SSL) cryptographic library and tools

Details:

It was discovered that OpenSSL incorrectly handled certain renegotiation
ClientHello messages. A remote attacker could use this issue to cause
OpenSSL to crash, resulting in a denial of service, or possibly execute
arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.10:
libssl1.1 1.1.1f-1ubuntu4.3

Ubuntu 20.04 LTS:
libssl1.1 1.1.1f-1ubuntu2.3

Ubuntu 18.04 LTS:
libssl1.1 1.1.1-1ubuntu2.1~18.04.9

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-4891-1
CVE-2021-3449

Package Information:
https://launchpad.net/ubuntu/+source/openssl/1.1.1f-1ubuntu4.3
https://launchpad.net/ubuntu/+source/openssl/1.1.1f-1ubuntu2.3
https://launchpad.net/ubuntu/+source/openssl/1.1.1-1ubuntu2.1~18.04.9

Wednesday, March 24, 2021

[USN-4890-1] Linux kernel vulnerabilities

==========================================================================
Ubuntu Security Notice USN-4890-1
March 25, 2021

linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15,
linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm,
linux-oracle, linux-signed, linux-snapdragon vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux: Linux kernel
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems
- linux-azure-4.15: Linux kernel for Microsoft Azure Cloud systems
- linux-dell300x: Linux kernel for Dell 300x platforms
- linux-gcp-4.15: Linux kernel for Google Cloud Platform (GCP) systems
- linux-kvm: Linux kernel for cloud environments
- linux-oracle: Linux kernel for Oracle Cloud systems
- linux-snapdragon: Linux kernel for Qualcomm Snapdragon processors
- linux-aws-hwe: Linux kernel for Amazon Web Services (AWS-HWE) systems
- linux-azure: Linux kernel for Microsoft Azure Cloud systems
- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems
- linux-hwe: Linux hardware enablement (HWE) kernel

Details:

Piotr Krysiuk discovered that the BPF subsystem in the Linux kernel did not
properly compute a speculative execution limit on pointer arithmetic in
some situations. A local attacker could use this to expose sensitive
information (kernel memory). (CVE-2020-27171)

Piotr Krysiuk discovered that the BPF subsystem in the Linux kernel did not
properly apply speculative execution limits on some pointer types. A local
attacker could use this to expose sensitive information (kernel memory).
(CVE-2020-27170)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
linux-image-4.15.0-1015-dell300x 4.15.0-1015.19
linux-image-4.15.0-1068-oracle 4.15.0-1068.76
linux-image-4.15.0-1088-kvm 4.15.0-1088.90
linux-image-4.15.0-1096-gcp 4.15.0-1096.109
linux-image-4.15.0-1097-aws 4.15.0-1097.104
linux-image-4.15.0-1099-snapdragon 4.15.0-1099.108
linux-image-4.15.0-1111-azure 4.15.0-1111.123
linux-image-4.15.0-140-generic 4.15.0-140.144
linux-image-4.15.0-140-generic-lpae 4.15.0-140.144
linux-image-4.15.0-140-lowlatency 4.15.0-140.144
linux-image-aws-lts-18.04 4.15.0.1097.100
linux-image-azure-lts-18.04 4.15.0.1111.84
linux-image-dell300x 4.15.0.1015.17
linux-image-gcp-lts-18.04 4.15.0.1096.114
linux-image-generic 4.15.0.140.127
linux-image-generic-lpae 4.15.0.140.127
linux-image-kvm 4.15.0.1088.84
linux-image-lowlatency 4.15.0.140.127
linux-image-oracle-lts-18.04 4.15.0.1068.78
linux-image-powerpc-e500mc 4.15.0.140.127
linux-image-powerpc-smp 4.15.0.140.127
linux-image-powerpc64-emb 4.15.0.140.127
linux-image-powerpc64-smp 4.15.0.140.127
linux-image-snapdragon 4.15.0.1099.102
linux-image-virtual 4.15.0.140.127

Ubuntu 16.04 LTS:
linux-image-4.15.0-1068-oracle 4.15.0-1068.76~16.04.1
linux-image-4.15.0-1096-gcp 4.15.0-1096.109~16.04.1
linux-image-4.15.0-1097-aws 4.15.0-1097.104~16.04.1
linux-image-4.15.0-1111-azure 4.15.0-1111.123~16.04.1
linux-image-4.15.0-140-generic 4.15.0-140.144~16.04.1
linux-image-4.15.0-140-generic-lpae 4.15.0-140.144~16.04.1
linux-image-4.15.0-140-lowlatency 4.15.0-140.144~16.04.1
linux-image-aws-hwe 4.15.0.1097.90
linux-image-azure 4.15.0.1111.102
linux-image-gcp 4.15.0.1096.97
linux-image-generic-hwe-16.04 4.15.0.140.135
linux-image-generic-lpae-hwe-16.04 4.15.0.140.135
linux-image-gke 4.15.0.1096.97
linux-image-lowlatency-hwe-16.04 4.15.0.140.135
linux-image-oem 4.15.0.140.135
linux-image-oracle 4.15.0.1068.56
linux-image-virtual-hwe-16.04 4.15.0.140.135

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
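The update and reboot steps above, together with the ABI note, leave the practical question of how to confirm that a host is actually running a fixed kernel. The script below is an added example, not part of the advisory or of Ubuntu's own tooling: it takes `Package Version` lines in the form printed by `dpkg-query -W -f '${Package} ${Version}\n'` plus a `uname -r` release string, compares installed versions against a subset of the Ubuntu 18.04 fixed versions quoted from the table above using the dpkg version ordering (epoch, upstream, revision, with `~` sorting before the end of a string), and reports packages still below the fix as well as whether the kernel currently running is already of the fixed ABI. The dpkg output and the running release embedded in it are constructed sample data.

```python
"""Check installed kernel packages against the fixed versions in USN-4890-1.

Added example, not part of the advisory. The dpkg lines and uname release
below are constructed; on a real host use the output of
`dpkg-query -W -f '${Package} ${Version}\n' 'linux-image-*'` and `uname -r`.
"""
import re

# Fixed versions for Ubuntu 18.04 LTS, copied from the advisory table (subset).
FIXED_BIONIC = {
    "linux-image-4.15.0-140-generic": "4.15.0-140.144",
    "linux-image-4.15.0-140-lowlatency": "4.15.0-140.144",
    "linux-image-4.15.0-1111-azure": "4.15.0-1111.123",
    "linux-image-generic": "4.15.0.140.127",
    "linux-image-lowlatency": "4.15.0.140.127",
    "linux-image-virtual": "4.15.0.140.127",
    "linux-image-azure-lts-18.04": "4.15.0.1111.84",
}

# Constructed sample: the host has installed the fixed image but is still
# running the previous ABI, and one metapackage was not upgraded.
DPKG_SAMPLE = """\
linux-image-4.15.0-139-generic 4.15.0-139.143
linux-image-4.15.0-140-generic 4.15.0-140.144
linux-image-generic 4.15.0.140.127
linux-image-virtual 4.15.0.139.126
"""
RUNNING_SAMPLE = "4.15.0-139-generic"

_ABI_RE = re.compile(r"^linux-image-(\d+\.\d+\.\d+)-(\d+)-([a-z0-9-]+)$")


def _order(c):
    """dpkg character weight: '~' before everything, end/digits 0, letters before others."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256


def _verrevcmp(a, b):
    """dpkg's comparison of a single upstream or revision component."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare by dpkg weights, character by character.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: numeric comparison, leading zeros ignored.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1          # a has more digits, so it is the larger number
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def compare_versions(a, b):
    """Compare two Debian version strings; returns -1, 0 or 1."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        if not sep:
            upstream, revision = rest, ""
        return int(epoch), upstream, revision
    ea, ua, ra = split(a)
    eb, ub, rb = split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    c = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (c > 0) - (c < 0)


def parse_dpkg(text):
    """Parse `Package Version` lines into a dict."""
    pairs = (line.split() for line in text.splitlines())
    return {p[0]: p[1] for p in pairs if len(p) == 2}


def audit(installed, running_release, fixed):
    """Report packages below the fixed version and the state of the running kernel."""
    outdated = [(pkg, installed[pkg], fixed[pkg]) for pkg in sorted(fixed)
                if pkg in installed and compare_versions(installed[pkg], fixed[pkg]) < 0]
    # Fixed version per flavour (generic, azure, ...) taken from the versioned image names.
    flav_fixed = {m.group(3): v for p, v in fixed.items() if (m := _ABI_RE.match(p))}
    m = _ABI_RE.match("linux-image-" + running_release)
    flavour = m.group(3) if m else None
    running_patched = patched_installed = False
    if flavour in flav_fixed:
        for pkg, ver in installed.items():
            pm = _ABI_RE.match(pkg)
            if pm and pm.group(3) == flavour and compare_versions(ver, flav_fixed[flavour]) >= 0:
                patched_installed = True
                if pkg == "linux-image-" + running_release:
                    running_patched = True
    return {"outdated": outdated, "patched_installed": patched_installed,
            "running_patched": running_patched,
            "reboot_needed": patched_installed and not running_patched}


if __name__ == "__main__":
    report = audit(parse_dpkg(DPKG_SAMPLE), RUNNING_SAMPLE, FIXED_BIONIC)
    for pkg, have, want in report["outdated"]:
        print(f"OUTDATED {pkg}: installed {have} < fixed {want}")
    print("running kernel patched:", report["running_patched"])
    print("reboot into fixed kernel needed:", report["reboot_needed"])
```

The ABI number embedded in the versioned image name is what makes the running-kernel check work: the advisory's fixed packages carry the new ABI (`4.15.0-140`), so a host still booted into `4.15.0-139-generic` has the fix on disk but not in memory until it reboots, exactly the situation the instructions above describe. For Ubuntu 16.04 hosts the same functions apply with the 16.04 table, where the `~16.04.1` suffix is why `~` must sort before the end of the string.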

References:
https://ubuntu.com/security/notices/USN-4890-1
CVE-2020-27170, CVE-2020-27171

Package Information:
https://launchpad.net/ubuntu/+source/linux/4.15.0-140.144
https://launchpad.net/ubuntu/+source/linux-aws/4.15.0-1097.104
https://launchpad.net/ubuntu/+source/linux-azure-4.15/4.15.0-1111.123
https://launchpad.net/ubuntu/+source/linux-dell300x/4.15.0-1015.19
https://launchpad.net/ubuntu/+source/linux-gcp-4.15/4.15.0-1096.109
https://launchpad.net/ubuntu/+source/linux-kvm/4.15.0-1088.90
https://launchpad.net/ubuntu/+source/linux-oracle/4.15.0-1068.76
https://launchpad.net/ubuntu/+source/linux-snapdragon/4.15.0-1099.108
https://launchpad.net/ubuntu/+source/linux-aws-hwe/4.15.0-1097.104~16.04.1
https://launchpad.net/ubuntu/+source/linux-azure/4.15.0-1111.123~16.04.1
https://launchpad.net/ubuntu/+source/linux-gcp/4.15.0-1096.109~16.04.1
https://launchpad.net/ubuntu/+source/linux-hwe/4.15.0-140.144~16.04.1
https://launchpad.net/ubuntu/+source/linux-oracle/4.15.0-1068.76~16.04.1