Friday, April 29, 2022

F37 Proposal: Node.js 18.x by default (System-Wide Change proposal)

This document represents a proposed Change. As part of the Changes
process, proposals are publicly announced in order to receive
community feedback. This proposal will only be implemented if approved
by the Fedora Engineering Steering Committee.

https://fedoraproject.org/wiki/Changes/Nodejs18

== Summary ==
The latest release of Node.js to carry a 30-month lifecycle is the
18.x series. As with 16.x, 14.x, 12.x, 10.x and 8.x before it, Fedora
37 will carry 18.x as the default Node.js interpreter for the system.
The 16.x and 14.x interpreters will remain available as non-default
module streams.

== Owner ==
* Name: [[User:Sgallagh| Stephen Gallagher]]
* Email: sgallagh@fedoraproject.org
* Responsible SIG: Node.js SIG


== Detailed Description ==

Fedora 37 will ship with the latest LTS version of Node.js. '''dnf
install nodejs''' will give users nodejs-18.x and the matching npm
package.

== Benefit to Fedora ==
Node.js is a popular server-side JavaScript engine. Keeping Fedora on
the latest release allows us to continue tracking the state-of-the-art
in that space. For those whose applications do not yet work with the
18.x release, Fedora 37 will also have the 16.x and 14.x releases
available as selectable module streams.

== Scope ==
* Proposal owners:
The packages are already built for Fedora 34, 35, and 36 in a
non-default module stream. On June 6th, 2022, the nodejs-18.x packages
will be built in the non-modular repository and thus become the
default in Fedora 37.

* Other developers: Any developer with a package that depends on
Node.js at run-time or build-time should test with the 18.x module
stream enabled as soon as possible. Issues should be reported to
nodejs@lists.fedoraproject.org

* Release engineering: We will coordinate with the Node.js SIG to
create a side-tag to perform any necessary rebuilds before making 18.x
the default.

* Policies and guidelines: N/A (not needed for this Change)
* Trademark approval: N/A (not needed for this Change)


== Upgrade/compatibility impact ==
As with previous releases, users running Fedora 35 or Fedora 36 with
the non-modular nodejs-16.x packages will be automatically upgraded to
the 18.x packages when they upgrade to Fedora 37, which may cause
compatibility issues. If users are running software known not to
support Node.js 18.x yet, they can switch the system to use 16.x with
'''dnf module''' commands.

== How To Test ==
* Confirm that `dnf install nodejs` results in Node.js 18.x being installed.
* Confirm that upgrading from Fedora 35 or Fedora 36 with nodejs-16.x
installed (non-modular) results in an upgrade to nodejs-18.x
* Confirm that upgrading from Fedora 35 or Fedora 36 with the
`nodejs:16` module enabled does *not* result in an upgrade to 18.x and
still has the `nodejs:16` module enabled on Fedora 37.
* Confirm that upgrading from Fedora 35 or Fedora 36 with the
`nodejs:18` module enabled upgrades successfully and still has the
`nodejs:18` module stream enabled on Fedora 37.
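The checks above, scripted as an added example that is not part of the Change page or of the Node.js SIG's tooling. It assumes only the output shapes of `node --version` and `dnf module list --enabled nodejs`; the module-list samples below are constructed, not captured from a host.

```shell
#!/bin/sh
# Added example (not from the Change page): script the "How To Test"
# checklist. The parsers take tool output as text so they can be exercised
# offline; on a real host feed them `node --version` and
# `dnf module list --enabled nodejs`.

# node_major VERSION_STRING: "v18.0.0" -> "18" (leading "v" optional)
node_major() {
    printf '%s\n' "$1" | sed -n 's/^v\{0,1\}\([0-9][0-9]*\)\..*/\1/p'
}

# enabled_nodejs_stream MODULE_LIST_TEXT: the nodejs stream marked [e] in
# `dnf module list` output, or "none" when no stream is enabled (the state
# expected after a non-modular nodejs-16.x install is upgraded to 18.x).
enabled_nodejs_stream() {
    stream=$(printf '%s\n' "$1" | awk '$1 == "nodejs" && $3 ~ /\[e\]/ { print $2; exit }')
    if [ -n "$stream" ]; then printf '%s\n' "$stream"; else printf 'none\n'; fi
}

# check_upgrade_state EXPECTED_MAJOR EXPECTED_STREAM VERSION MODULE_LIST:
# one PASS/FAIL line per expectation; exit status 0 only if both pass.
check_upgrade_state() {
    rc=0
    major=$(node_major "$3")
    stream=$(enabled_nodejs_stream "$4")
    if [ "$major" = "$1" ]; then printf 'PASS default interpreter is %s.x\n' "$major"
    else printf 'FAIL default interpreter is %s.x, expected %s.x\n' "${major:-?}" "$1"; rc=1; fi
    if [ "$stream" = "$2" ]; then printf 'PASS enabled module stream: %s\n' "$stream"
    else printf 'FAIL enabled module stream: %s, expected %s\n' "$stream" "$2"; rc=1; fi
    return $rc
}

# Constructed samples (not captured from a real host), shaped like the
# tool's output. A host that kept nodejs:16 enabled across the upgrade:
MODLIST_16_ENABLED='Fedora Modular 37 - x86_64
Name    Stream   Profiles                          Summary
nodejs  16 [e]   common [d], development, minimal  Javascript runtime
nodejs  18       common [d], development, minimal  Javascript runtime

Hint: [d]efault, [e]nabled, [x]disabled, [i]nstalled'
# A host on the non-modular default, with no stream enabled:
MODLIST_NONE='Fedora Modular 37 - x86_64
Name    Stream   Profiles                          Summary
nodejs  16       common [d], development, minimal  Javascript runtime
nodejs  18       common [d], development, minimal  Javascript runtime'

# Non-modular upgrade path: expect 18.x and no enabled stream.
check_upgrade_state 18 none "v18.0.0" "$MODLIST_NONE"
# nodejs:16 stream kept enabled: expect 16.x and the 16 stream.
check_upgrade_state 16 16 "v16.14.2" "$MODLIST_16_ENABLED"
```

On a Fedora 37 host the live form is `check_upgrade_state 18 none "$(node --version)" "$(dnf module list --enabled nodejs)"` for the non-modular path, and `check_upgrade_state 16 16 ...` for a system that was upgraded with `nodejs:16` enabled.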

== User Experience ==
Users will have the 18.x release of Node.js available by default. See
the "Upgrade/compatibility impact" section for specific details.

== Dependencies ==
All packages prefixed with `nodejs-` depend on this package. If they
do not work with Node.js 18.x, they will need to be updated, made
modular and dependent upon the `nodejs:16` stream, or else removed from
Fedora 37.

Prior to the switchover date to Node.js 18.x as the default, packagers
are strongly encouraged to test their existing Node modules with 18.x
via the modular stream by running:

<pre>
dnf module reset nodejs
dnf module install nodejs:18/development
</pre>

Packagers can also test their builds using `mock` by creating the file
`/etc/mock/fedora-rawhide-x86_64-nodejs18.cfg` with the following
contents:

<pre>
config_opts['target_arch'] = 'x86_64'
config_opts['legal_host_arches'] = ('x86_64',)
config_opts['enable_disable_repos'] = ['--enablerepo', 'rawhide-modular']
config_opts['module_install'] = ['nodejs:18/development']

include('templates/fedora-rawhide.tpl')
</pre>

Then call
<pre>
mock -r fedora-rawhide-x86_64-nodejs18 --enablerepo=rawhide-modular nodejs-foo
</pre>

(Note that the `--enablerepo=rawhide-modular` portion looks redundant,
but this is because of
[https://github.com/rpm-software-management/mock/issues/591 a mock
bug])

== Contingency Plan ==
* Contingency mechanism: Revert to Node.js 16.x as the default Node.js
interpreter. This will require bumping epoch.
* Contingency deadline: Beta Freeze
* Blocks release? No
* Blocks product? No

== Documentation ==
* https://nodejs.org/dist/latest-v18.x/docs/api/
* https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V18.md
* https://docs.fedoraproject.org/en-US/packaging-guidelines/Node.js/

== Release Notes ==
Fedora 37 now ships with Node.js 18.x as the default Node.js
JavaScript server-side engine. If your applications are not yet ready
for this newer version, you can revert to the 16.x series by running
the following commands:

<pre>
dnf remove nodejs
dnf module reset nodejs
dnf module install nodejs:16
</pre>


--
Ben Cotton
He / Him / His
Fedora Program Manager
Red Hat
TZ=America/Indiana/Indianapolis
_______________________________________________
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

F37 Proposal: Strong crypto settings: phase 3, forewarning 1/2 (System-Wide Change proposal)

This document represents a proposed Change. As part of the Changes
process, proposals are publicly announced in order to receive
community feedback. This proposal will only be implemented if approved
by the Fedora Engineering Steering Committee.

https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Forewarning1

== Summary ==

Cryptographic policies will be tightened in Fedora 38-39;
in particular, SHA-1 signatures will no longer be trusted by default.
Fedora 37 itself does not change any defaults, and this Fedora Change
is an advance warning filed for extra visibility.
Test your setup with the FUTURE policy today and file bugs so you
won't get bitten by Fedora 38-39.

== Owner ==

* Name: [[User:Asosedkin| Alexander Sosedkin]]
* Email: asosedki@redhat.com


== Detailed Description ==

Secure defaults are an ever-moving target.
Fedora 28 had [[Changes/StrongCryptoSettings|StrongCryptoSettings]].
Fedora 33 had [[Changes/StrongCryptoSettings2|StrongCryptoSettings2]].
Fedora 39 should have [[Changes/StrongCryptoSettings3|StrongCryptoSettings3]].

The impact of one upcoming change, distrusting SHA-1 signatures,
is expected to be profound enough that the rollout is spread over
several releases to give developers and maintainers ample time to react:

Fedora 36:
* SHA-1 signatures are distrusted in FUTURE policy (opt-in)
* TEST-FEDORA39 policy is provided
* creating and verifying SHA-1 signatures is logged to ease reporting bugs

'''Fedora 37 [[Changes/StrongCryptoSettings3Forewarning1|StrongCryptoSettings3Forewarning1]]''':
* (was initially reserved to implement logging of SHA-1 signature operations)

Fedora 38 [[Changes/StrongCryptoSettings3Forewarning2|StrongCryptoSettings3Forewarning2]]:
* policies are updated, most notably
* SHA-1 signatures are distrusted in DEFAULT policy
* changes are reverted in branched f38 in time for Beta and do not reach users

Fedora 39 [[Changes/StrongCryptoSettings3|StrongCryptoSettings3]]:
* changes reach users

The plan is subject to change if it goes sideways somewhere along the way.

By Fedora 39 the policies will be, from a TLS perspective:

LEGACY
  MACs: all HMAC with SHA-1 or better + all modern MACs (Poly1305 etc.)
  Curves: all prime >= 255 bits (including Bernstein curves)
  Signature algorithms: SHA-1 hash or better (no DSA)
  Ciphers: all available with > 112-bit key, >= 128-bit block (no RC4 or 3DES)
  Key exchange: ECDHE, RSA, DHE (no DHE-DSS)
  DH params size: >= 2048
  RSA params size: >= 2048
  TLS protocols: TLS >= 1.2

DEFAULT
  MACs: all HMAC with SHA-1 or better + all modern MACs (Poly1305 etc.)
  Curves: all prime >= 255 bits (including Bernstein curves)
  Signature algorithms: SHA-224 hash or better (no DSA)
  Ciphers: >= 128-bit key, >= 128-bit block (AES, ChaCha20, including AES-CBC)
  Key exchange: ECDHE, RSA, DHE (no DHE-DSS)
  DH params size: >= 2048
  RSA params size: >= 2048
  TLS protocols: TLS >= 1.2

FUTURE
  MACs: all HMAC with SHA-256 or better + all modern MACs (Poly1305 etc.)
  Curves: all prime >= 255 bits (including Bernstein curves)
  Signature algorithms: SHA-256 hash or better (no DSA)
  Ciphers: >= 256-bit key, >= 128-bit block, only Authenticated
  Encryption (AE) ciphers
  Key exchange: ECDHE, DHE
  DH params size: >= 3072
  RSA params size: >= 3072
  TLS protocols: TLS >= 1.2

The flagship change this time will be distrusting SHA-1 signatures
at the cryptographic library level, which affects more than just TLS.

OpenSSL will start refusing to create and verify SHA-1 signatures by default.
The fallout is anticipated to be wide enough
that the change is rolled out across multiple cycles
with multiple forewarnings.
In the released Fedora 36, 37 and 38, distrusting SHA-1 signatures will be opt-in.
In Fedora 38 Rawhide and in Fedora 39, SHA-1 signatures
will be distrusted by default.


== Feedback ==

[https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/VVLHQAWI3IQ7NRLKMUHJ27JV3V2JAFDP
A discussion]
has been raised on fedora-devel,
[https://lwn.net/Articles/887832 a summary] is available on LWN.

The change has the potential to prove disruptive and controversial,
so much of the effort has gone into stretching it out in time.

There seems to be a consensus that the change has to be done eventually,
but the ideal means of implementing it are in no way clear.
The decision to discover code reliant on SHA-1 signatures
by blocking creation/verification has not gathered many fans,
but not many alternative proposals have been raised in return.
A notable one, making the library somehow log the offending operations,
has been incorporated in the proposal,
though the effectiveness of it is yet to be seen in practice.
Another notable takeaway point is the need to call for testing,
which would be done in form of writing four Fedora Changes
and testing SHA-1 signature distrusting during Fedora 37 & 38 Test Days.
The change owner doesn't see the plan as an ideal one
and continues to be open for feedback.


== Benefit to Fedora ==

Fedora 39 will ship with more secure defaults
to better match the ever-changing landscape of cryptographic practices.
The TLS 1.0 and 1.1 protocol versions will be disabled
as they are [https://datatracker.ietf.org/doc/rfc8996 deprecated],
minimum key sizes will be raised to keep up with computational advances, etc.

Distrusting SHA-1 signatures specifically is expected to trigger
a topical distribution-wide crackdown
on [https://eprint.iacr.org/2020/014 weak] cryptography,
raising the security of the distribution moving forward.


== Scope ==

* Proposal owners: implement changes described in Summary and
Dependencies sections

* Other developers:
Test your applications with FUTURE policy.
Move away from trusting SHA-1 signatures;
ideally in time for F38 branch-off,
for F39 release at the latest.

Follow [[SHA1SignaturesGuidance | SHA1SignaturesGuidance]]:
1. move away from trusting SHA-1 signatures entirely, or
2. distrust them by default and require explicit user opt-in to use a workaround

* Release engineering: Not sure if mass-rebuild is required if we land
the change right after f38 branch-off. Maybe a "preview" mass-rebuild
can be done with a special build in the Fedora 37 timeframe to cut
down on Fedora 38 FTBFS.

* Policies and guidelines: update needed in time for Fedora 38

CryptoPolicies section of the packaging guidelines
will have to be updated to reflect that
SHA-1 signatures must not be trusted by default
and provide guidance for openssl and gnutls.
Components using workaround APIs must not use them without explicit user opt-in
and must be added to a list of applications using a workaround API.

* Trademark approval: N/A (not needed for this Change)

* Alignment with Objectives: not with Fedora 37-era ones


== Upgrade/compatibility impact ==

Nothing will change for Fedora 37 by default; the change is opt-in for now.


== How To Test ==

=== Testing actively ===

Install the crypto-policies-scripts package and switch to a more restrictive policy
with either `update-crypto-policies --set FUTURE`
or `update-crypto-policies --set TEST-FEDORA39`.

Proceed to use the system as usual and
identify the workflows which are broken by this change.

Verify that the broken functionality works again
if the policy is relaxed back
with, e.g., `update-crypto-policies --set FUTURE:SHA1`
(the SHA1 subpolicy re-enables SHA-1 signatures on top of FUTURE), and
file bug reports against the affected components if not filed already.
Please start your ticket title with `StrongCryptoSettings3: `,
mention this change page, the version of the crypto-policies package
and the policies under which your workflow does and does not work.
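Two probes for this step, as an added example that is not part of the Change page or of the crypto-policies package. The first asks OpenSSL to create a SHA-1 signature and reports whether the active policy refuses it, which is the operation the Detailed Description says OpenSSL will start blocking; the second scans a directory of PEM certificates for SHA-1 signatures, which will stop verifying once the policy distrusts them. It assumes the openssl CLI for the live parts; the certificate text excerpts are constructed, not real certificates.

```shell
#!/bin/sh
# Added example, not part of the Change page or of crypto-policies: probes
# for the "Testing actively" step. Parsing is split out so it can be
# checked without the openssl CLI.

# sha1_signing_blocked: 0 if OpenSSL refuses to make a SHA-1 signature under
# the active policy, 1 if it still signs, 2 if the probe could not run.
sha1_signing_blocked() {
    tmp=$(mktemp -d) || return 2
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$tmp/key.pem" 2>/dev/null || { rm -rf "$tmp"; return 2; }
    printf 'probe\n' > "$tmp/msg"
    if openssl dgst -sha1 -sign "$tmp/key.pem" -out "$tmp/sig" "$tmp/msg" 2>/dev/null
    then rc=1; else rc=0; fi
    rm -rf "$tmp"
    return $rc
}

# sig_alg_of X509_TEXT: the signature algorithm named in
# `openssl x509 -noout -text` output (empty if none is found).
sig_alg_of() {
    printf '%s\n' "$1" \
        | sed -n 's/^ *Signature Algorithm: *\([A-Za-z0-9-]*\).*/\1/p' \
        | head -n 1
}

# is_sha1_sig ALGORITHM: 0 for SHA-1 based signature algorithms
# (sha1WithRSAEncryption, ecdsa-with-SHA1, dsaWithSHA1, ...).
is_sha1_sig() {
    case "$1" in
        *[sS][hH][aA]1*) return 0 ;;
        *)               return 1 ;;
    esac
}

# scan_cert_dir DIR: list certificates under DIR whose signature uses SHA-1.
# Needs the openssl CLI; files it cannot parse are skipped silently.
scan_cert_dir() {
    for f in "$1"/*.pem "$1"/*.crt; do
        [ -f "$f" ] || continue
        alg=$(sig_alg_of "$(openssl x509 -in "$f" -noout -text 2>/dev/null)")
        if is_sha1_sig "$alg"; then
            printf 'SHA-1 signature: %s (%s)\n' "$f" "$alg"
        fi
    done
}

# Constructed excerpts (not real certificates) in the shape of
# `openssl x509 -noout -text` output, to exercise the parser offline.
SAMPLE_SHA1_TEXT='Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4096 (0x1000)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = Example Internal CA
    Signature Algorithm: sha1WithRSAEncryption
    Signature Value:
        5d:2e:1a:00'
SAMPLE_SHA256_TEXT='Certificate:
    Data:
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Example Internal CA'

# Offline demonstration on the constructed excerpts:
sig_alg_of "$SAMPLE_SHA1_TEXT"      # sha1WithRSAEncryption
is_sha1_sig "$(sig_alg_of "$SAMPLE_SHA256_TEXT")" || echo "sha256-signed cert is fine"

# Live probe, only when the openssl CLI is available:
if command -v openssl >/dev/null 2>&1; then
    sha1_signing_blocked && rc=0 || rc=$?
    case $rc in
        0) echo "SHA-1 signatures are blocked under the active policy" ;;
        1) echo "SHA-1 signatures are still allowed; try: update-crypto-policies --set FUTURE" ;;
        *) echo "could not run the signing probe" ;;
    esac
fi
```

Run `scan_cert_dir /etc/pki/tls/certs` (or wherever an application keeps its trust material) before and after `update-crypto-policies --set FUTURE`; a certificate the scan flags is one whose chain will fail to verify under the tightened policy, so it is a good starting point for the bug report asked for above.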


=== Testing passively ===

Install a special logging tool from
https://copr.fedorainfracloud.org/coprs/asosedkin/sha1sig-tracer
Run it and proceed to use your system.
Once the tool notifies you
about soon-to-be-blocked SHA-1 signature operations,
identify the component and actions leading to these operations,
verify that repeating them leads to logging more entries.
Ideally also verify that switching to a stricter policy breaks the workflow.
File bug reports against the affected components if not filed already.
Please start your ticket title with `StrongCryptoSettings3: `
and link to this change page.


== User Experience ==

Things will break.
All kinds of things depending on SHA-1 signatures, openly and secretly.
* '''On Fedora 37 they'll break opt-in.'''
* On Fedora 38 rawhide they'll break by default.
* On Fedora 38 released they'll behave like in Fedora 37.
* On Fedora 39 they'll break by default again, including the released version.


== Dependencies ==

While it would be welcome,
no reverse dependencies of openssl have to react in time for Fedora 37,
where the change is opt-in preview only.
For now, test, file bugs and spark discussions.
A small coordinated change with openssl is required.


== Contingency Plan ==

* Contingency mechanism: not needed for F37
* Contingency deadline: not needed for F37
* Blocks release? no


== Documentation ==
The workaround API
should be documented in [[SHA1SignaturesGuidance | SHA1SignaturesGuidance]].
Packaging guidelines should be modified accordingly.

== Release Notes ==

https://pagure.io/fedora-docs/release-notes/issue/829



--
Ben Cotton
He / Him / His
Fedora Program Manager
Red Hat
TZ=America/Indiana/Indianapolis
_______________________________________________
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

Thursday, April 28, 2022

[USN-5398-1] Simple DirectMedia Layer vulnerability

==========================================================================
Ubuntu Security Notice USN-5398-1
April 28, 2022

libsdl1.2, libsdl2 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 21.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 ESM
- Ubuntu 14.04 ESM

Summary:

SDL (Simple DirectMedia Layer) could be made to crash or run programs if
it opened a specially crafted file.

Software Description:
- libsdl2: Cross-platform multimedia library with low access to hardware
- libsdl1.2: Simple DirectMedia Layer

Details:

It was discovered that SDL (Simple DirectMedia Layer) incorrectly handled
certain files. An attacker could possibly use this issue to cause a denial
of service, or possibly execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 21.10:
libsdl2-2.0-0 2.0.14+dfsg2-3ubuntu0.1

Ubuntu 18.04 LTS:
libsdl1.2debian 1.2.15+dfsg2-0.1ubuntu0.2

Ubuntu 16.04 ESM:
libsdl1.2debian 1.2.15+dfsg1-3ubuntu0.1+esm1

Ubuntu 14.04 ESM:
libsdl1.2debian 1.2.15-8ubuntu1.1+esm2

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5398-1
CVE-2021-33657

Package Information:
https://launchpad.net/ubuntu/+source/libsdl2/2.0.14+dfsg2-3ubuntu0.1
https://launchpad.net/ubuntu/+source/libsdl1.2/1.2.15+dfsg2-0.1ubuntu0.2

[USN-5397-1] curl vulnerabilities

==========================================================================
Ubuntu Security Notice USN-5397-1
April 28, 2022

curl vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 21.10
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in curl.

Software Description:
- curl: HTTP, HTTPS, and FTP client and client libraries

Details:

Patrick Monnerat discovered that curl incorrectly handled certain OAUTH2.
An attacker could possibly use this issue to access sensitive information.
(CVE-2022-22576)

Harry Sintonen discovered that curl incorrectly handled certain requests.
An attacker could possibly use this issue to expose sensitive information.
(CVE-2022-27774, CVE-2022-27775, CVE-2022-27776)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS:
curl 7.81.0-1ubuntu1.1
libcurl3-gnutls 7.81.0-1ubuntu1.1
libcurl3-nss 7.81.0-1ubuntu1.1
libcurl4 7.81.0-1ubuntu1.1

Ubuntu 21.10:
curl 7.74.0-1.3ubuntu2.1
libcurl3-gnutls 7.74.0-1.3ubuntu2.1
libcurl3-nss 7.74.0-1.3ubuntu2.1
libcurl4 7.74.0-1.3ubuntu2.1

Ubuntu 20.04 LTS:
curl 7.68.0-1ubuntu2.10
libcurl3-gnutls 7.68.0-1ubuntu2.10
libcurl3-nss 7.68.0-1ubuntu2.10
libcurl4 7.68.0-1ubuntu2.10

Ubuntu 18.04 LTS:
curl 7.58.0-2ubuntu3.17
libcurl3-gnutls 7.58.0-2ubuntu3.17
libcurl3-nss 7.58.0-2ubuntu3.17
libcurl4 7.58.0-2ubuntu3.17

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5397-1
CVE-2022-22576, CVE-2022-27774, CVE-2022-27775, CVE-2022-27776

Package Information:
https://launchpad.net/ubuntu/+source/curl/7.81.0-1ubuntu1.1
https://launchpad.net/ubuntu/+source/curl/7.74.0-1.3ubuntu2.1
https://launchpad.net/ubuntu/+source/curl/7.68.0-1ubuntu2.10
https://launchpad.net/ubuntu/+source/curl/7.58.0-2ubuntu3.17
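A way to turn an advisory like the one above into a check of the local system, as an added example that is not part of the Ubuntu notice or of Ubuntu's tooling. It parses the "Update instructions" table into release, package and fixed version, then compares each with what dpkg reports installed. The embedded sample is an excerpt of USN-5397-1's own table; the comparison assumes an Ubuntu host with `dpkg-query` and `dpkg --compare-versions`.

```shell
#!/bin/sh
# Added example, not part of the Ubuntu advisory: turn the "Update
# instructions" table of a USN into release|package|version triples and
# compare them with what dpkg has installed. The parser is pure awk so it
# can be checked offline; the comparison needs dpkg on an Ubuntu host.

# usn_fixed_versions USN_TEXT: one "release|package|version" line per entry
# between "Update instructions:" and "In general, ...".
usn_fixed_versions() {
    printf '%s\n' "$1" | awk '
        /^Update instructions:/ { on = 1; next }
        /^In general,/          { on = 0 }
        !on                     { next }
        /^ *Ubuntu .*:$/        { rel = $0; sub(/^ */, "", rel); sub(/:$/, "", rel); next }
        NF == 2 && rel != "" && $2 ~ /^[0-9]/ { print rel "|" $1 "|" $2 }
    '
}

# usn_check USN_TEXT RELEASE: for each package the advisory fixes on RELEASE
# (spelled as in the advisory, e.g. "Ubuntu 22.04 LTS"), print
# ok / VULNERABLE / not installed, based on dpkg's installed version.
usn_check() {
    usn_fixed_versions "$1" | while IFS='|' read -r rel pkg fixed; do
        [ "$rel" = "$2" ] || continue
        st=$(dpkg-query -W -f '${Status}|${Version}' "$pkg" 2>/dev/null) || st="|"
        status=${st%|*}; inst=${st#*|}
        if [ "$status" != "install ok installed" ]; then
            printf 'not installed  %s\n' "$pkg"
        elif dpkg --compare-versions "$inst" ge "$fixed"; then
            printf 'ok             %s %s\n' "$pkg" "$inst"
        else
            printf 'VULNERABLE     %s %s < %s\n' "$pkg" "$inst" "$fixed"
        fi
    done
}

# Excerpt of the USN-5397-1 table from the advisory above (two releases),
# embedded so the parser can run offline.
SAMPLE_USN='Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS:
curl 7.81.0-1ubuntu1.1
libcurl3-gnutls 7.81.0-1ubuntu1.1
libcurl3-nss 7.81.0-1ubuntu1.1
libcurl4 7.81.0-1ubuntu1.1

Ubuntu 20.04 LTS:
curl 7.68.0-1ubuntu2.10
libcurl3-gnutls 7.68.0-1ubuntu2.10
libcurl3-nss 7.68.0-1ubuntu2.10
libcurl4 7.68.0-1ubuntu2.10

In general, a standard system update will make all the necessary changes.'

usn_fixed_versions "$SAMPLE_USN"
if command -v dpkg-query >/dev/null 2>&1; then
    usn_check "$SAMPLE_USN" "Ubuntu 22.04 LTS"
fi
```

Feed it the full advisory text (`usn_check "$(cat USN-5397-1.txt)" "Ubuntu 20.04 LTS"`) and grep the output for `VULNERABLE`; a package reported `ok` but whose library is already loaded still needs the affected services restarted, which the advisory's "standard system update" wording glosses over.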

Fedora Linux 36 Final is NO-GO

Due to outstanding blocker bugs[1], the F36 Final release candidate 3
was declared NO-GO.

The next Fedora Linux 36 Final Go/No-Go meeting[2] will be held at
1700 UTC on Thursday 5 May in #fedora-meeting. We will aim for the
"target date #3" milestone of 10 May. The release schedule[3] has been
updated accordingly.

Minutes[4] and logs[5] of the Go/No-Go meeting are available on Meetbot.

[1] https://qa.fedoraproject.org/blockerbugs/milestone/36/final/buglist
[2] https://calendar.fedoraproject.org/meeting/10242/
[3] https://fedorapeople.org/groups/schedule/f-36/f-36-key-tasks.html
[4] https://meetbot.fedoraproject.org/fedora-meeting/2022-04-28/f36-final-go_no_go-meeting.2022-04-28-17.01.html
[5] https://meetbot.fedoraproject.org/fedora-meeting/2022-04-28/f36-final-go_no_go-meeting.2022-04-28-17.01.log.html

--
Ben Cotton
He / Him / His
Fedora Program Manager
Red Hat
TZ=America/Indiana/Indianapolis
_______________________________________________
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

[USN-5396-1] Ghostscript vulnerability

==========================================================================
Ubuntu Security Notice USN-5396-1
April 28, 2022

ghostscript vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS

Summary:

Ghostscript could be made to crash, access files, or run programs if it
opened a specially crafted file.

Software Description:
- ghostscript: PostScript and PDF interpreter

Details:

It was discovered that Ghostscript incorrectly handled certain PostScript
files. If a user or automated system were tricked into processing a
specially crafted file, a remote attacker could possibly use this issue to
access arbitrary files, execute arbitrary code, or cause a denial of
service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
ghostscript 9.26~dfsg+0-0ubuntu0.18.04.16
libgs9 9.26~dfsg+0-0ubuntu0.18.04.16

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5396-1
CVE-2019-25059

Package Information:
https://launchpad.net/ubuntu/+source/ghostscript/9.26~dfsg+0-0ubuntu0.18.04.16

[USN-5395-1] networkd-dispatcher vulnerabilities

==========================================================================
Ubuntu Security Notice USN-5395-1
April 28, 2022

networkd-dispatcher vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 21.10
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in networkd-dispatcher.

Software Description:
- networkd-dispatcher: Dispatcher service for systemd-networkd
connection status changes

Details:

It was discovered that networkd-dispatcher incorrectly handled internal
scripts. A local attacker could possibly use this issue to cause a race
condition, escalate privileges and execute arbitrary code.
(CVE-2022-29799, CVE-2022-29800)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS:
networkd-dispatcher 2.1-2ubuntu0.22.04.1

Ubuntu 21.10:
networkd-dispatcher 2.1-2ubuntu0.21.10.1

Ubuntu 20.04 LTS:
networkd-dispatcher 2.1-2~ubuntu20.04.2

Ubuntu 18.04 LTS:
networkd-dispatcher 1.7-0ubuntu3.4

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5395-1
CVE-2022-29799, CVE-2022-29800

Package Information:

https://launchpad.net/ubuntu/+source/networkd-dispatcher/2.1-2ubuntu0.22.04.1

https://launchpad.net/ubuntu/+source/networkd-dispatcher/2.1-2ubuntu0.21.10.1

https://launchpad.net/ubuntu/+source/networkd-dispatcher/2.1-2~ubuntu20.04.2
https://launchpad.net/ubuntu/+source/networkd-dispatcher/1.7-0ubuntu3.4

[USN-5392-1] Mutt vulnerabilities

==========================================================================
Ubuntu Security Notice USN-5392-1
April 28, 2022

mutt vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 21.10
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 ESM

Summary:

Several security issues were fixed in Mutt.

Software Description:
- mutt: text-based mailreader supporting MIME, GPG, PGP and threading

Details:

It was discovered that Mutt incorrectly handled certain requests.
An attacker could possibly use this issue to expose sensitive information.
This issue only affected Ubuntu 20.04 LTS. (CVE-2021-32055)

It was discovered that Mutt incorrectly handled certain input.
An attacker could possibly use this issue to cause a crash,
or expose sensitive information. (CVE-2022-1328)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS:
mutt 2.1.4-1ubuntu1.1

Ubuntu 21.10:
mutt 2.0.5-4.1ubuntu0.1

Ubuntu 20.04 LTS:
mutt 1.13.2-1ubuntu0.5

Ubuntu 18.04 LTS:
mutt 1.9.4-3ubuntu0.6

Ubuntu 16.04 ESM:
mutt 1.5.24-1ubuntu0.6+esm2
mutt-patched 1.5.24-1ubuntu0.6+esm2

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5392-1
CVE-2021-32055, CVE-2022-1328

Package Information:
https://launchpad.net/ubuntu/+source/mutt/2.1.4-1ubuntu1.1
https://launchpad.net/ubuntu/+source/mutt/2.0.5-4.1ubuntu0.1
https://launchpad.net/ubuntu/+source/mutt/1.13.2-1ubuntu0.5
https://launchpad.net/ubuntu/+source/mutt/1.9.4-3ubuntu0.6

[USN-5394-1] WebKitGTK vulnerabilities

==========================================================================
Ubuntu Security Notice USN-5394-1
April 28, 2022

webkit2gtk vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 21.10
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in WebKitGTK.

Software Description:
- webkit2gtk: Web content engine library for GTK+

Details:

A large number of security issues were discovered in the WebKitGTK Web and
JavaScript engines. If a user were tricked into viewing a malicious
website, a remote attacker could exploit a variety of issues related to web
browser security, including cross-site scripting attacks, denial of service
attacks, and arbitrary code execution.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 21.10:
libjavascriptcoregtk-4.0-18 2.36.0-0ubuntu0.21.10.3
libwebkit2gtk-4.0-37 2.36.0-0ubuntu0.21.10.3

Ubuntu 20.04 LTS:
libjavascriptcoregtk-4.0-18 2.36.0-0ubuntu0.20.04.3
libwebkit2gtk-4.0-37 2.36.0-0ubuntu0.20.04.3

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any applications
that use WebKitGTK, such as Epiphany, to make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5394-1
CVE-2022-22624, CVE-2022-22628, CVE-2022-22629, CVE-2022-22637

Package Information:
https://launchpad.net/ubuntu/+source/webkit2gtk/2.36.0-0ubuntu0.21.10.3
https://launchpad.net/ubuntu/+source/webkit2gtk/2.36.0-0ubuntu0.20.04.3

[USN-5371-2] nginx vulnerability

==========================================================================
Ubuntu Security Notice USN-5371-2
April 28, 2022

nginx vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS

Summary:

nginx could be made to redirect network traffic.

Software Description:
- nginx: small, powerful, scalable web/proxy server

Details:

USN-5371-1 fixed several vulnerabilities in nginx.
This update provides the fix for CVE-2021-3618 for Ubuntu 22.04 LTS.

Original advisory details:

 It was discovered that nginx Lua module mishandled certain inputs.
 An attacker could possibly use this issue to perform an HTTP Request
 Smuggling attack. This issue only affects Ubuntu 18.04 LTS and
 Ubuntu 20.04 LTS. (CVE-2020-11724)

 It was discovered that nginx Lua module mishandled certain inputs.
 An attacker could possibly use this issue to disclose sensitive
 information. This issue only affects Ubuntu 18.04 LTS and
 Ubuntu 20.04 LTS. (CVE-2020-36309)

 It was discovered that nginx mishandled the use of
 compatible certificates among multiple encryption protocols.
 If a remote attacker were able to intercept the communication,
 this issue could be used to redirect traffic between subdomains.
 (CVE-2021-3618)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS:
  nginx-core                      1.18.0-6ubuntu14.1
  nginx-extras                    1.18.0-6ubuntu14.1
  nginx-light                     1.18.0-6ubuntu14.1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5371-2
  https://ubuntu.com/security/notices/USN-5371-1
  CVE-2021-3618

Package Information:
  https://launchpad.net/ubuntu/+source/nginx/1.18.0-6ubuntu14.1

Wednesday, April 27, 2022

[USN-5393-1] Thunderbird vulnerabilities

==========================================================================
Ubuntu Security Notice USN-5393-1
April 27, 2022

thunderbird vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 21.10
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in Thunderbird.

Software Description:
- thunderbird: Mozilla Open Source mail and newsgroup client

Details:

Multiple security issues were discovered in Thunderbird. If a user were
tricked into opening a specially crafted website in a browsing context, an
attacker could potentially exploit these to cause a denial of service,
conduct spoofing attacks, or execute arbitrary code. (CVE-2022-1097,
CVE-2022-1196, CVE-2022-28281, CVE-2022-28282, CVE-2022-28285,
CVE-2022-28286, CVE-2022-28289)

It was discovered that Thunderbird ignored OpenPGP revocation when
importing a revoked key in some circumstances. An attacker could
potentially exploit this by tricking the user into trusting the
authenticity of a message or tricking them into using a revoked key to
send an encrypted message. (CVE-2022-1197)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 21.10:
thunderbird 1:91.8.1+build1-0ubuntu0.21.10.1

Ubuntu 20.04 LTS:
thunderbird 1:91.8.1+build1-0ubuntu0.20.04.1

Ubuntu 18.04 LTS:
thunderbird 1:91.8.1+build1-0ubuntu0.18.04.1

After a standard system update you need to restart Thunderbird to make
all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5393-1
CVE-2022-1097, CVE-2022-1196, CVE-2022-1197, CVE-2022-28281,
CVE-2022-28282, CVE-2022-28285, CVE-2022-28286, CVE-2022-28289

Package Information:
https://launchpad.net/ubuntu/+source/thunderbird/1:91.8.1+build1-0ubuntu0.21.10.1
https://launchpad.net/ubuntu/+source/thunderbird/1:91.8.1+build1-0ubuntu0.20.04.1
https://launchpad.net/ubuntu/+source/thunderbird/1:91.8.1+build1-0ubuntu0.18.04.1

REMINDER: Fedora Linux 36 Final Go/No-Go meeting tomorrow

Hi everyone,

The Fedora Linux 36 Final Go/No-Go meeting[1] is scheduled for
Thursday 28 April at 1700 UTC in #fedora-meeting. At this time, we
will determine the status of the F36 Final for the 3 May target date
#2[2]. For more information about the Go/No-Go meeting, see the
wiki[3].

[1] https://calendar.fedoraproject.org/meeting/10242
[2] https://fedorapeople.org/groups/schedule/f-36/f-36-key-tasks.html
[3] https://fedoraproject.org/wiki/Go_No_Go_Meeting

--
Ben Cotton
He / Him / His
Fedora Program Manager
Red Hat
TZ=America/Indiana/Indianapolis
_______________________________________________
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

[USN-5366-2] FriBidi vulnerabilities

==========================================================================
Ubuntu Security Notice USN-5366-2
April 27, 2022

fribidi vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in fribidi.

Software Description:
- fribidi: Free Implementation of the Unicode BiDi algorithm (utility)

Details:

USN-5366-1 fixed several vulnerabilities in FriBidi. This update provides the
corresponding updates for Ubuntu 22.04 LTS.

Original advisory details:

It was discovered that FriBidi incorrectly handled processing of input strings
resulting in memory corruption. An attacker could use this issue to cause
FriBidi to crash, resulting in a denial of service, or potentially execute
arbitrary code. (CVE-2022-25308)

It was discovered that FriBidi incorrectly validated input data to its CapRTL
unicode encoder, resulting in memory corruption. An attacker could use this
issue to cause FriBidi to crash, resulting in a denial of service, or
potentially execute arbitrary code. (CVE-2022-25309)

It was discovered that FriBidi incorrectly handled empty input when removing
marks from unicode strings, resulting in a crash. An attacker could use this
to cause FriBidi to crash, resulting in a denial of service, or potentially execute
arbitrary code. (CVE-2022-25310)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS:
libfribidi-bin 1.0.8-2ubuntu3.1
libfribidi-dev 1.0.8-2ubuntu3.1
libfribidi0 1.0.8-2ubuntu3.1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5366-2
https://ubuntu.com/security/notices/USN-5366-1
CVE-2022-25308, CVE-2022-25309, CVE-2022-25310

Package Information:
https://launchpad.net/ubuntu/+source/fribidi/1.0.8-2ubuntu3.1

[USN-5391-1] libsepol vulnerabilities

==========================================================================
Ubuntu Security Notice USN-5391-1
April 27, 2022

libsepol vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 21.10
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 ESM

Summary:

Several security issues were fixed in libsepol.

Software Description:
- libsepol: SELinux library for manipulating binary security policies

Details:

Nicolas Iooss discovered that libsepol incorrectly handled memory
when handling policies. An attacker could possibly use this issue
to cause a crash, resulting in a denial of service, or possibly
execute arbitrary code. (CVE-2021-36084)

It was discovered that libsepol incorrectly handled memory when
handling policies. An attacker could possibly use this issue to cause
a crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2021-36085)

It was discovered that libsepol incorrectly handled memory when
handling policies. An attacker could possibly use this issue to cause
a crash, resulting in a denial of service, or possibly execute
arbitrary code. This issue only affects Ubuntu 18.04 LTS,
Ubuntu 20.04 LTS and Ubuntu 21.10. (CVE-2021-36086)

It was discovered that libsepol incorrectly validated certain data,
leading to a heap overflow. An attacker could possibly use this issue
to cause a crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2021-36087)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 21.10:
  libsepol1                       3.1-1ubuntu2.1
  sepol-utils                     3.1-1ubuntu2.1

Ubuntu 20.04 LTS:
  libsepol1                       3.0-1ubuntu0.1
  sepol-utils                     3.0-1ubuntu0.1

Ubuntu 18.04 LTS:
  libsepol1                       2.7-1ubuntu0.1
  sepol-utils                     2.7-1ubuntu0.1

Ubuntu 16.04 ESM:
  libsepol1                       2.4-2ubuntu0.1~esm1
  sepol-utils                     2.4-2ubuntu0.1~esm1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5391-1
  CVE-2021-36084, CVE-2021-36085, CVE-2021-36086, CVE-2021-36087

Package Information:
  https://launchpad.net/ubuntu/+source/libsepol/3.1-1ubuntu2.1
  https://launchpad.net/ubuntu/+source/libsepol/3.0-1ubuntu0.1
  https://launchpad.net/ubuntu/+source/libsepol/2.7-1ubuntu0.1

Tuesday, April 26, 2022

[USN-5376-3] Git regression

==========================================================================
Ubuntu Security Notice USN-5376-3
April 26, 2022

git regression
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 21.10
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

USN-5376-1 was missing patches to properly fix the addressed issues.

Software Description:
- git: fast, scalable, distributed revision control system

Details:

USN-5376-1 fixed vulnerabilities in Git, but some of the patches needed to
fully address the issue were missing. This update adds them.

Original advisory details:

俞晨东 discovered that Git incorrectly handled certain repository paths
on platforms with multi-user support. An attacker could possibly use
this issue to run arbitrary commands.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS:
git 1:2.34.1-1ubuntu1.2

Ubuntu 21.10:
git 1:2.32.0-1ubuntu1.2

Ubuntu 20.04 LTS:
git 1:2.25.1-1ubuntu3.4

Ubuntu 18.04 LTS:
git 1:2.17.1-1ubuntu0.11

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5376-3
https://ubuntu.com/security/notices/USN-5376-1
https://launchpad.net/bugs/1970260

Package Information:
https://launchpad.net/ubuntu/+source/git/1:2.34.1-1ubuntu1.2
https://launchpad.net/ubuntu/+source/git/1:2.32.0-1ubuntu1.2
https://launchpad.net/ubuntu/+source/git/1:2.25.1-1ubuntu3.4
https://launchpad.net/ubuntu/+source/git/1:2.17.1-1ubuntu0.11

[USN-5390-1] Linux kernel vulnerabilities

==========================================================================
Ubuntu Security Notice USN-5390-1
April 26, 2022

linux, linux-gcp, linux-ibm, linux-lowlatency vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux: Linux kernel
- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems
- linux-ibm: Linux kernel for IBM cloud systems
- linux-lowlatency: Linux low latency kernel

Details:

David Bouman discovered that the netfilter subsystem in the Linux kernel
did not properly validate passed user register indices. A local attacker
could use this to cause a denial of service or possibly execute arbitrary
code. (CVE-2022-1015)

David Bouman discovered that the netfilter subsystem in the Linux kernel
did not initialize memory in some situations. A local attacker could use
this to expose sensitive information (kernel memory). (CVE-2022-1016)

It was discovered that the ST21NFCA NFC driver in the Linux kernel did not
properly validate the size of certain data in EVT_TRANSACTION events. A
physically proximate attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2022-26490)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS:
linux-image-5.15.0-1003-ibm 5.15.0-1003.3
linux-image-5.15.0-1004-gcp 5.15.0-1004.7
linux-image-5.15.0-27-generic 5.15.0-27.28
linux-image-5.15.0-27-generic-64k 5.15.0-27.28
linux-image-5.15.0-27-generic-lpae 5.15.0-27.28
linux-image-5.15.0-27-lowlatency 5.15.0-27.28
linux-image-5.15.0-27-lowlatency-64k 5.15.0-27.28
linux-image-gcp 5.15.0.1004.5
linux-image-generic 5.15.0.27.30
linux-image-generic-64k 5.15.0.27.30
linux-image-generic-lpae 5.15.0.27.30
linux-image-ibm 5.15.0.1003.4
linux-image-lowlatency 5.15.0.27.28
linux-image-lowlatency-64k 5.15.0.27.28
linux-image-oem-20.04 5.15.0.27.30
linux-image-virtual 5.15.0.27.30

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://ubuntu.com/security/notices/USN-5390-1
CVE-2022-1015, CVE-2022-1016, CVE-2022-26490

Package Information:
https://launchpad.net/ubuntu/+source/linux/5.15.0-27.28
https://launchpad.net/ubuntu/+source/linux-gcp/5.15.0-1004.7
https://launchpad.net/ubuntu/+source/linux-ibm/5.15.0-1003.3
https://launchpad.net/ubuntu/+source/linux-lowlatency/5.15.0-27.28

[USN-5389-1] Libcroco vulnerabilities

==========================================================================
Ubuntu Security Notice USN-5389-1
April 26, 2022

libcroco vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 ESM

Summary:

Several security issues were fixed in Libcroco.

Software Description:
- libcroco: Cascading Style Sheet (CSS) parsing and manipulation toolkit

Details:

It was discovered that Libcroco was incorrectly accessing data structures when
reading bytes from memory, which could cause a heap buffer overflow. An attacker
could possibly use this issue to cause a denial of service. (CVE-2017-7960)

It was discovered that Libcroco was incorrectly handling invalid UTF-8 values
when processing CSS files. An attacker could possibly use this issue to cause
a denial of service. (CVE-2017-8834, CVE-2017-8871)

It was discovered that Libcroco was incorrectly implementing recursion in one
of its parsing functions, which could cause an infinite recursion loop and a
stack overflow due to stack consumption. An attacker could possibly use this
issue to cause a denial of service. (CVE-2020-12825)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 ESM:
libcroco-tools 0.6.11-1ubuntu0.1~esm1
libcroco3 0.6.11-1ubuntu0.1~esm1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5389-1
CVE-2017-7960, CVE-2017-8834, CVE-2017-8871, CVE-2020-12825

[USN-5388-2] OpenJDK vulnerabilities

==========================================================================
Ubuntu Security Notice USN-5388-2
April 26, 2022

openjdk-17 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 21.10
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in OpenJDK.

Software Description:
- openjdk-17: Open Source Java implementation

Details:

It was discovered that OpenJDK incorrectly verified ECDSA signatures. An
attacker could use this issue to bypass the signature verification process.
(CVE-2022-21449)

It was discovered that OpenJDK incorrectly limited memory when compiling a
specially crafted XPath expression. An attacker could possibly use this
issue to cause a denial of service. (CVE-2022-21426)

It was discovered that OpenJDK incorrectly handled converting certain
object arguments into their textual representations. An attacker could
possibly use this issue to cause a denial of service. (CVE-2022-21434)

It was discovered that OpenJDK incorrectly validated the encoded length of
certain object identifiers. An attacker could possibly use this issue to
cause a denial of service. (CVE-2022-21443)

It was discovered that OpenJDK incorrectly validated certain paths. An
attacker could possibly use this issue to bypass the secure validation
feature and expose sensitive information in XML files. (CVE-2022-21476)

It was discovered that OpenJDK incorrectly parsed certain URI strings. An
attacker could possibly use this issue to make applications accept
invalid or malformed URI strings. (CVE-2022-21496)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS:
openjdk-17-jdk 17.0.3+7-0ubuntu0.22.04.1
openjdk-17-jdk-headless 17.0.3+7-0ubuntu0.22.04.1
openjdk-17-jre 17.0.3+7-0ubuntu0.22.04.1
openjdk-17-jre-headless 17.0.3+7-0ubuntu0.22.04.1
openjdk-17-jre-zero 17.0.3+7-0ubuntu0.22.04.1

Ubuntu 21.10:
openjdk-17-jdk 17.0.3+7-0ubuntu0.21.10.1
openjdk-17-jdk-headless 17.0.3+7-0ubuntu0.21.10.1
openjdk-17-jre 17.0.3+7-0ubuntu0.21.10.1
openjdk-17-jre-headless 17.0.3+7-0ubuntu0.21.10.1
openjdk-17-jre-zero 17.0.3+7-0ubuntu0.21.10.1

Ubuntu 20.04 LTS:
openjdk-17-jdk 17.0.3+7-0ubuntu0.20.04.1
openjdk-17-jdk-headless 17.0.3+7-0ubuntu0.20.04.1
openjdk-17-jre 17.0.3+7-0ubuntu0.20.04.1
openjdk-17-jre-headless 17.0.3+7-0ubuntu0.20.04.1
openjdk-17-jre-zero 17.0.3+7-0ubuntu0.20.04.1

Ubuntu 18.04 LTS:
openjdk-17-jdk 17.0.3+7-0ubuntu0.18.04.1
openjdk-17-jdk-headless 17.0.3+7-0ubuntu0.18.04.1
openjdk-17-jre 17.0.3+7-0ubuntu0.18.04.1
openjdk-17-jre-headless 17.0.3+7-0ubuntu0.18.04.1
openjdk-17-jre-zero 17.0.3+7-0ubuntu0.18.04.1

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any Java
applications or applets to make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5388-2
https://ubuntu.com/security/notices/USN-5388-1
CVE-2022-21426, CVE-2022-21434, CVE-2022-21443, CVE-2022-21449,
CVE-2022-21476, CVE-2022-21496

Package Information:
https://launchpad.net/ubuntu/+source/openjdk-17/17.0.3+7-0ubuntu0.22.04.1
https://launchpad.net/ubuntu/+source/openjdk-17/17.0.3+7-0ubuntu0.21.10.1
https://launchpad.net/ubuntu/+source/openjdk-17/17.0.3+7-0ubuntu0.20.04.1
https://launchpad.net/ubuntu/+source/openjdk-17/17.0.3+7-0ubuntu0.18.04.1

[USN-5388-1] OpenJDK vulnerabilities

==========================================================================
Ubuntu Security Notice USN-5388-1
April 26, 2022

openjdk-lts vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 21.10
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in OpenJDK.

Software Description:
- openjdk-lts: Open Source Java implementation

Details:

It was discovered that OpenJDK incorrectly limited memory when compiling a
specially crafted XPath expression. An attacker could possibly use this
issue to cause a denial of service. (CVE-2022-21426)

It was discovered that OpenJDK incorrectly handled converting certain
object arguments into their textual representations. An attacker could
possibly use this issue to cause a denial of service. (CVE-2022-21434)

It was discovered that OpenJDK incorrectly validated the encoded length of
certain object identifiers. An attacker could possibly use this issue to
cause a denial of service. (CVE-2022-21443)

It was discovered that OpenJDK incorrectly validated certain paths. An
attacker could possibly use this issue to bypass the secure validation
feature and expose sensitive information in XML files. (CVE-2022-21476)

It was discovered that OpenJDK incorrectly parsed certain URI strings. An
attacker could possibly use this issue to make applications accept
invalid or malformed URI strings. (CVE-2022-21496)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS:
openjdk-11-jdk 11.0.15+10-0ubuntu0.22.04.1
openjdk-11-jdk-headless 11.0.15+10-0ubuntu0.22.04.1
openjdk-11-jre 11.0.15+10-0ubuntu0.22.04.1
openjdk-11-jre-headless 11.0.15+10-0ubuntu0.22.04.1
openjdk-11-jre-zero 11.0.15+10-0ubuntu0.22.04.1

Ubuntu 21.10:
openjdk-11-jdk 11.0.15+10-0ubuntu0.21.10.1
openjdk-11-jdk-headless 11.0.15+10-0ubuntu0.21.10.1
openjdk-11-jre 11.0.15+10-0ubuntu0.21.10.1
openjdk-11-jre-headless 11.0.15+10-0ubuntu0.21.10.1
openjdk-11-jre-zero 11.0.15+10-0ubuntu0.21.10.1

Ubuntu 20.04 LTS:
openjdk-11-jdk 11.0.15+10-0ubuntu0.20.04.1
openjdk-11-jdk-headless 11.0.15+10-0ubuntu0.20.04.1
openjdk-11-jre 11.0.15+10-0ubuntu0.20.04.1
openjdk-11-jre-headless 11.0.15+10-0ubuntu0.20.04.1
openjdk-11-jre-zero 11.0.15+10-0ubuntu0.20.04.1

Ubuntu 18.04 LTS:
openjdk-11-jdk 11.0.15+10-0ubuntu0.18.04.1
openjdk-11-jdk-headless 11.0.15+10-0ubuntu0.18.04.1
openjdk-11-jre 11.0.15+10-0ubuntu0.18.04.1
openjdk-11-jre-headless 11.0.15+10-0ubuntu0.18.04.1
openjdk-11-jre-zero 11.0.15+10-0ubuntu0.18.04.1

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any Java
applications or applets to make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5388-1
CVE-2022-21426, CVE-2022-21434, CVE-2022-21443, CVE-2022-21476,
CVE-2022-21496

Package Information:
https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.15+10-0ubuntu0.22.04.1
https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.15+10-0ubuntu0.21.10.1
https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.15+10-0ubuntu0.20.04.1
https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.15+10-0ubuntu0.18.04.1
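Both OpenJDK notices above list CVE-2022-21443, a denial of service from object identifiers whose encoded length was not validated. An OID parser that accepts arbitrarily long base-128 subidentifiers ends up doing unbounded big-integer work or allocation on attacker-supplied DER. The following added DER OID codec is not code from the notices, OpenJDK or LibreSSL; it enforces explicit limits on the bits per arc (64, an assumed choice) and on the total encoded length (256 octets, also assumed), and refuses non-minimal and truncated subidentifiers rather than looping on them.

```python
"""DER OBJECT IDENTIFIER codec with explicit bounds on arc size and length.
Added example; not code from the advisories, OpenJDK or LibreSSL."""

MAX_ARC_BITS = 64                           # assumed per-arc limit
MAX_ARC_OCTETS = -(-MAX_ARC_BITS // 7)      # 10 base-128 octets carry 64 bits
MAX_CONTENT_OCTETS = 256                    # assumed cap on the whole value


class OidError(ValueError):
    """Raised for any OID the codec refuses."""


def encode_oid(text):
    """Dotted text such as "1.2.840.113549" to DER content octets (no tag/length)."""
    try:
        arcs = [int(a) for a in text.split(".")]
    except ValueError:
        raise OidError("non-numeric arc in %r" % text)
    if len(arcs) < 2 or any(a < 0 for a in arcs):
        raise OidError("need at least two non-negative arcs")
    if arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise OidError("first arc must be 0..2; second arc < 40 unless first is 2")
    if any(a.bit_length() > MAX_ARC_BITS for a in arcs):
        raise OidError("arc exceeds %d bits" % MAX_ARC_BITS)
    out = bytearray()
    for value in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        octets = [value & 0x7F]              # low 7 bits last, continuation bit clear
        value >>= 7
        while value:
            octets.append(0x80 | (value & 0x7F))
            value >>= 7
        out.extend(reversed(octets))
    if len(out) > MAX_CONTENT_OCTETS:
        raise OidError("encoded OID longer than %d octets" % MAX_CONTENT_OCTETS)
    return bytes(out)


def decode_oid(content):
    """DER content octets to dotted text; oversized, non-minimal or truncated
    subidentifiers are rejected up front instead of being accumulated."""
    if not content:
        raise OidError("empty OID")
    if len(content) > MAX_CONTENT_OCTETS:
        raise OidError("encoded OID longer than %d octets" % MAX_CONTENT_OCTETS)
    arcs, value, octets = [], 0, 0
    for b in content:
        if octets == 0 and b == 0x80:
            raise OidError("non-minimal subidentifier (leading 0x80)")
        octets += 1
        if octets > MAX_ARC_OCTETS:
            raise OidError("subidentifier longer than %d octets" % MAX_ARC_OCTETS)
        value = (value << 7) | (b & 0x7F)
        if b & 0x80:
            continue                         # continuation bit set: more octets follow
        if arcs:
            arcs.append(value)
        elif value < 40:                     # first subidentifier packs two arcs
            arcs += [0, value]
        elif value < 80:
            arcs += [1, value - 40]
        else:
            arcs += [2, value - 80]
        value, octets = 0, 0
    if octets:
        raise OidError("truncated subidentifier (continuation bit on last octet)")
    if any(a.bit_length() > MAX_ARC_BITS for a in arcs):
        raise OidError("arc exceeds %d bits" % MAX_ARC_BITS)
    return ".".join(str(a) for a in arcs)


def rejects(content):
    """True when decode_oid refuses `content`; useful for regression tests."""
    try:
        decode_oid(content)
    except OidError:
        return True
    return False
```

The octet counter is checked before the shift, so a hostile input is refused after at most eleven octets of one arc; the work done per input is bounded by MAX_CONTENT_OCTETS rather than by whatever the attacker sends.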

Monday, April 25, 2022

Orphaned packages looking for new maintainers

The following packages are orphaned and will be retired when they
are orphaned for six weeks, unless someone adopts them. If you know for sure
that the package should be retired, please do so now with a proper reason:
https://fedoraproject.org/wiki/How_to_remove_a_package_at_end_of_life

Note: If you received this mail directly you (co)maintain one of the affected
packages or a package that depends on one. Please adopt the affected package or
retire your depending package to avoid broken dependencies, otherwise your
package will fail to install and/or build when the affected package gets retired.

Request package ownership via the *Take* button in the left column on
https://src.fedoraproject.org/rpms/<pkgname>

Full report available at:
https://churchyard.fedorapeople.org/orphans-2022-04-25.txt
grep it for your FAS username and follow the dependency chain.

For human readable dependency chains,
see https://packager-dashboard.fedoraproject.org/
For all orphaned packages,
see https://packager-dashboard.fedoraproject.org/orphan

Package (co)maintainers Status Change
================================================================================
erlang-riak_api bowlofeggs, erlang-maint-sig, orphan 1 weeks ago
erlang-riak_core bowlofeggs, erlang-maint-sig, orphan 1 weeks ago
forbidden-apis jvanek, orphan 1 weeks ago
gnome-shell-extension-material-shell atim, orphan 2 weeks ago
golang-github-astaxie-beego go-sig, orphan 2 weeks ago
golang-github-influxdata-influxdb go-sig, orphan 1 weeks ago
hd-idle atim, orphan 3 weeks ago
jsoup mizdebsk, orphan 0 weeks ago
libcxl orphan 1 weeks ago
mcrcon orphan 3 weeks ago
mustache-d orphan 1 weeks ago
python-django-auth-ldap orphan 0 weeks ago
python-readthedocs-sphinx-ext jjames, orphan, python-sig 0 weeks ago
qt5-qtcanvas3d kde-sig, orphan 5 weeks ago
qt5-qtenginio kde-sig, lupinix, orphan 5 weeks ago
quake2 orphan 1 weeks ago
rubygem-request_store orphan 3 weeks ago
rust-ab_glyph orphan, rust-sig 0 weeks ago
rust-alsa orphan, rust-sig 0 weeks ago
rust-alsa-sys orphan, rust-sig 0 weeks ago
rust-bitreader orphan, rust-sig 0 weeks ago
rust-build-env orphan, rust-sig 0 weeks ago
rust-cgmath orphan, rust-sig 0 weeks ago
rust-chlorine orphan, rust-sig 0 weeks ago
rust-claxon orphan, rust-sig 0 weeks ago
rust-cloudflare-zlib orphan, rust-sig 0 weeks ago
rust-cloudflare-zlib-sys orphan, rust-sig 0 weeks ago
rust-cpal orphan, rust-sig 0 weeks ago
rust-cstr-argument orphan, rust-sig 0 weeks ago
rust-diffus-derive orphan, rust-sig 5 weeks ago
rust-fallible_collections orphan, rust-sig 0 weeks ago
rust-fontconfig-parser orphan, rust-sig 0 weeks ago
rust-genmesh orphan, rust-sig 0 weeks ago
rust-glyph_brush_layout orphan, rust-sig 0 weeks ago
rust-hound orphan, rust-sig 0 weeks ago
rust-image-roll orphan, rust-sig 0 weeks ago
rust-imgui orphan, rust-sig 0 weeks ago
rust-imgui-sys orphan, rust-sig 0 weeks ago
rust-lewton orphan, rust-sig 0 weeks ago
rust-libdeflate-sys orphan, rust-sig 0 weeks ago
rust-libdeflater orphan, rust-sig 0 weeks ago
rust-libsystemd-sys orphan, rust-sig 0 weeks ago
rust-libwebp-sys2 orphan, rust-sig 0 weeks ago
rust-minimp3 orphan, rust-sig 0 weeks ago
rust-minimp3-sys orphan, rust-sig 0 weeks ago
rust-newsblur_api orphan, rust-sig 5 weeks ago
rust-ogg orphan, rust-sig 0 weeks ago
rust-opml orphan, rust-sig 5 weeks ago
rust-pam-client orphan, rust-sig 0 weeks ago
rust-piston orphan 0 weeks ago
rust-piston-float orphan, rust-sig 0 weeks ago
rust-piston-graphics_api_version orphan, rust-sig 0 weeks ago
rust-piston-viewport orphan, rust-sig 0 weeks ago
rust-pistoncore-event_loop orphan 0 weeks ago
rust-pistoncore-input orphan, rust-sig 0 weeks ago
rust-rental-impl orphan, rust-sig 0 weeks ago
rust-ringbuf orphan, rust-sig 0 weeks ago
rust-systemd orphan, rust-sig 0 weeks ago
rust-utf8-cstr orphan, rust-sig 0 weeks ago
rust-vcpkg orphan, rust-sig 0 weeks ago
rust-zopfli orphan, rust-sig 0 weeks ago
yecht orphan 6 weeks ago

The following packages require above mentioned packages:
Report too long, see the full version at
https://churchyard.fedorapeople.org/orphans-2022-04-25.txt

See dependency chains of your packages at
https://packager-dashboard.fedoraproject.org/
See all orphaned packages at https://packager-dashboard.fedoraproject.org/orphan

Affected (co)maintainers (either directly or via packages' dependencies):
almac: jsoup
amigadave: python-readthedocs-sphinx-ext
ankursinha: python-readthedocs-sphinx-ext
atim: hd-idle, gnome-shell-extension-material-shell
bowlofeggs: erlang-riak_core, erlang-riak_api
cdorney: jsoup
cfu: jsoup
churchyard: python-readthedocs-sphinx-ext
cicku: python-readthedocs-sphinx-ext
cstratak: python-readthedocs-sphinx-ext
dbhole: jsoup
dchen: jsoup
deamn: jsoup
didiksupriadi41: jsoup
dmsimard: python-readthedocs-sphinx-ext
echevemaster: python-readthedocs-sphinx-ext
eclipse-sig: jsoup
ellert: jsoup
epel-packagers-sig: python-readthedocs-sphinx-ext
erlang-maint-sig: erlang-riak_core, erlang-riak_api
go-sig: golang-github-influxdata-influxdb, golang-github-astaxie-beego
guidograzioli: jsoup
hhorak: jsoup
ignatenkobrain: rust-opml, rust-newsblur_api
infra-sig: python-readthedocs-sphinx-ext
jcapik: jsoup
jerboaa: jsoup
jhuttana: jsoup
jjames: jsoup, python-readthedocs-sphinx-ext
jjelen: jsoup
jmagne: jsoup
jorti: python-readthedocs-sphinx-ext
jvanek: forbidden-apis
kde-sig: qt5-qtcanvas3d, qt5-qtenginio
ke4qqq: jsoup
kni: jsoup
korkeala: jsoup
ksurma: python-readthedocs-sphinx-ext
kubo: python-readthedocs-sphinx-ext
lbalhar: python-readthedocs-sphinx-ext
lupinix: qt5-qtenginio
mbooth: jsoup
mharmsen: jsoup
mhayden: python-readthedocs-sphinx-ext
mikelo2: python-readthedocs-sphinx-ext
mizdebsk: jsoup
mjakubicek: jsoup
mkulik: jsoup
mrunge: python-readthedocs-sphinx-ext
msimacek: jsoup
neuro-sig: python-readthedocs-sphinx-ext
ngompa: python-readthedocs-sphinx-ext
odubaj: jsoup
orion: python-readthedocs-sphinx-ext
pingou: jsoup
pjp: python-readthedocs-sphinx-ext
pnemade: python-readthedocs-sphinx-ext
python-sig: python-readthedocs-sphinx-ext
raphgro: python-readthedocs-sphinx-ext
rust-sig: rust-chlorine, rust-diffus-derive, rust-systemd, rust-zopfli,
rust-imgui, rust-minimp3-sys, rust-minimp3, rust-piston-viewport,
rust-piston-graphics_api_version, rust-imgui-sys, rust-libdeflater,
rust-pam-client, rust-genmesh, rust-alsa-sys, rust-hound, rust-libwebp-sys2,
rust-rental-impl, rust-bitreader, rust-ringbuf, rust-cloudflare-zlib,
rust-lewton, rust-fontconfig-parser, rust-cgmath, rust-utf8-cstr, rust-claxon,
rust-cpal, rust-libdeflate-sys, rust-cstr-argument, rust-libsystemd-sys,
rust-newsblur_api, rust-cloudflare-zlib-sys, rust-build-env, rust-alsa,
rust-piston-float, rust-ab_glyph, rust-opml, rust-pistoncore-input, rust-ogg,
rust-vcpkg, rust-glyph_brush_layout, rust-image-roll, rust-fallible_collections
salimma: python-readthedocs-sphinx-ext
sasiddiq: jsoup
scorreia: rust-vcpkg
smani: python-readthedocs-sphinx-ext
smilner: python-readthedocs-sphinx-ext
spot: jsoup
suve: python-readthedocs-sphinx-ext
tagoh: python-readthedocs-sphinx-ext
thrnciar: python-readthedocs-sphinx-ext
ueno: rust-vcpkg
walters: jsoup
yyang: jsoup
zmiklank: jsoup

--
The script creating this output is run and developed by Fedora
Release Engineering. Please report issues at its pagure instance:
https://pagure.io/releng/
The sources of this script can be found at:
https://pagure.io/releng/blob/main/f/scripts/find_unblocked_orphans.py

Report finished at 2022-04-25 17:08:08 UTC

--
Miro Hrončok
--
Phone: +420777974800
IRC: mhroncok

[USN-5376-2] Git vulnerability

==========================================================================
Ubuntu Security Notice USN-5376-2
April 25, 2022

git vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS

Summary:

Git could be made to run arbitrary commands on platforms with multi-user
support.

Software Description:
- git: fast, scalable, distributed revision control system

Details:

USN-5376-1 fixed vulnerabilities in Git. This update provides the corresponding
updates for Ubuntu 22.04 LTS.

Original advisory details:

俞晨东 discovered that Git incorrectly handled certain repository paths
on platforms with multi-user support. An attacker could possibly use
this issue to run arbitrary commands.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS:
git 1:2.34.1-1ubuntu1.1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5376-2
https://ubuntu.com/security/notices/USN-5376-1
CVE-2022-24765

Package Information:
https://launchpad.net/ubuntu/+source/git/1:2.34.1-1ubuntu1.1
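The two Git notices on this page (USN-5376-3 above and this one) describe the same problem: Git's repository discovery walks from the working directory up towards the filesystem root and uses the first .git it meets, so on a shared multi-user host a repository planted by another user above your working tree can be picked up and its configuration honoured. The following added check is not code from the notice or from Git: it models that discovery walk and the rule the fix applies, refusing a repository owned by a different user unless it is on an explicit allow-list (upstream exposes that list as the safe.directory configuration key; the name comes from the Git fix, not from this notice). POSIX only; demo() builds a constructed layout in a temporary directory.

```python
"""Model Git's upward repository discovery plus the ownership rule.
Added example (not from the notice or Git); POSIX only."""
import os
import tempfile
from pathlib import Path


class UnsafeRepository(Exception):
    pass


def discover_git_dir(start):
    """Walk from `start` towards the root and return the first `.git` entry,
    in the same search order Git uses, or None when no repository encloses it."""
    start = Path(start).resolve()
    for d in (start, *start.parents):
        if (d / ".git").exists():
            return d / ".git"
    return None


def trusted_git_dir(start, uid=None, safe_dirs=()):
    """Discovery with the ownership rule: a repository owned by a user other
    than `uid` is rejected unless its worktree is listed in `safe_dirs`."""
    uid = os.getuid() if uid is None else uid
    gitdir = discover_git_dir(start)
    if gitdir is None:
        return None
    owner = os.lstat(gitdir).st_uid
    allowed = {str(Path(p).resolve()) for p in safe_dirs}
    if owner != uid and str(gitdir.parent) not in allowed:
        raise UnsafeRepository("%s is owned by uid %d, not %d" % (gitdir, owner, uid))
    return gitdir


def demo():
    """Constructed layout: <tmp>/.git sits above an unrelated work directory.
    Returns (found, ok_as_owner, rejected_as_other_user, allowed_by_list)."""
    with tempfile.TemporaryDirectory() as tmp:
        top = Path(tmp).resolve()
        (top / ".git").mkdir()
        work = top / "projects" / "scratch"
        work.mkdir(parents=True)
        me = os.getuid()
        found = discover_git_dir(work) == top / ".git"
        ok_as_owner = trusted_git_dir(work, uid=me) is not None
        try:
            # Pretend a different user runs git in the same directory.
            trusted_git_dir(work, uid=me + 1)
            rejected = False
        except UnsafeRepository:
            rejected = True
        allowed = trusted_git_dir(work, uid=me + 1, safe_dirs=[top]) is not None
        return found, ok_as_owner, rejected, allowed
```

On a real host the useful audit is the same walk from each user's working directories: any .git found on the path that the current user does not own is exactly the case the patched Git now refuses.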

[USN-5387-1] Barbican vulnerabilities

==========================================================================
Ubuntu Security Notice USN-5387-1
April 25, 2022

barbican vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 21.10
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in barbican.

Software Description:
- barbican: OpenStack Key Management Service - API Server

Details:

Douglas Mendizábal discovered that Barbican incorrectly handled access
restrictions. An authenticated attacker could possibly use this issue to
consume protected resources and possibly cause a denial of service.
(CVE-2022-23451, CVE-2022-23452)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 21.10:
python3-barbican 2:13.0.0-0ubuntu1.2

Ubuntu 20.04 LTS:
python3-barbican 1:10.1.0-0ubuntu2.1

Ubuntu 18.04 LTS:
python-barbican 1:6.0.1-0ubuntu1.1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5387-1
CVE-2022-23451, CVE-2022-23452

Package Information:
https://launchpad.net/ubuntu/+source/barbican/2:13.0.0-0ubuntu1.2
https://launchpad.net/ubuntu/+source/barbican/1:10.1.0-0ubuntu2.1
https://launchpad.net/ubuntu/+source/barbican/1:6.0.1-0ubuntu1.1

Saturday, April 23, 2022

LibreSSL 3.5.2 Released

We have released LibreSSL 3.5.2, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon. This is the
first stable release for the 3.5.x branch, also available with OpenBSD 7.1.

It includes the following changes from LibreSSL 3.4.x:

* New Features
- The RFC 3779 API was ported from OpenSSL. Many bugs were fixed,
regression tests were added and the code was cleaned up.
- Certificate Transparency was ported from OpenSSL. Many internal
improvements were made, resulting in cleaner and safer code.
Regress coverage was added. libssl does not yet make use of it.
* Bug fixes
- Avoid single byte overread in asn1_parse2().
- Allow name constraints with a leading dot. From Alex Wilson.
- Relax a check in x509_constraints_dirname() to allow prefixes.
From Alex Wilson.
- Fix NULL dereferences in openssl(1) cms option parsing.
- Do not zero the computed cofactor on ec_guess_cofactor() success.
- Bound cofactor in EC_GROUP_set_generator() to reduce the number of
bogus groups that can be described with nonsensical parameters.
- Avoid various potential segfaults in EVP_PKEY_CTX_free() in low
memory conditions. Reported for HMAC by Masaru Masuda.
- Plug leak in ASN1_TIME_adj_internal().
- Avoid infinite loop for custom curves of order 1.
Issue reported by Hanno Boeck, comments by David Benjamin.
- Avoid an infinite loop on parsing DSA private keys by validating
that the provided parameters conform to FIPS 186-4.
Issue reported by Hanno Boeck, comments by David Benjamin.
- In some situations, the verifier would discard the error on an
unvalidated certificate chain. This would happen when the
verification callback was in use, instructing the verifier to
continue unconditionally. This could lead to incorrect decisions
being made in software.
- Avoid an infinite loop in SSL_shutdown().
- Fix another return 0 bug in SSL_shutdown().
- Handle zero byte reads/writes that trigger handshakes in the
TLSv1.3 stack.
- A long standing memleak in libtls CRL handling was fixed.
* Compatibility improvements
- Allow non-standard name constraints of the form @domain.com.
- Most structs that were previously defined in the following headers
are now opaque as they are in OpenSSL 1.1:
bio.h, bn.h, comp.h, dh.h, dsa.h, evp.h, hmac.h, ocsp.h, rsa.h,
x509.h, x509v3.h, x509_vfy.h
- Switch TLSv1.3 cipher names from AEAD- to OpenSSL's TLS_
OpenSSL added the TLSv1.3 ciphersuites with "RFC names" instead
of using something consistent with the previous naming. Various
test suites expect these names (instead of checking for the much
more sensible cipher numbers). The old names are still accepted
as aliases.
- Subject alternative names and name constraints are now validated
when they are added to certificates. Various interoperability
problems with stacks that validate certificates more strictly
than OpenSSL can be avoided this way.
- Attempt to opportunistically use the host name for SNI in s_client
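Two of the items in these notes relax how name constraints are matched: a dNSName constraint may now carry a leading dot (from Alex Wilson, listed under bug fixes), and the non-standard rfc822Name form @domain.com is accepted. The following C code is an added example written for this page, not LibreSSL's x509_constraints.c, and it shows what those forms mean for a matcher: it follows the RFC 5280 section 4.2.1.10 rules for dNSName and rfc822Name constraints and adds the two relaxed forms, with the interpretation that a leading dot means "subdomains only" and that "@example.com" is equivalent to the host constraint "example.com" (both interpretations are assumptions of this example). The label-boundary check is the important part: a constraint of example.com must not be satisfied by badexample.com.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/*
 * Illustrative X.509 name-constraint matching for dNSName and
 * rfc822Name entries. Added example for this page, not LibreSSL's
 * code. Semantics: RFC 5280 4.2.1.10 plus the two relaxed forms from
 * the release notes (leading dot = subdomains only, "@host" = host).
 * Host names compare case-insensitively; only ASCII is handled.
 */

/* Case-insensitive comparison of n bytes. */
static bool eq_nocase(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* Exact case-insensitive host comparison. */
static bool host_equal(const char *a, const char *b)
{
    size_t n = strlen(a);
    return n == strlen(b) && eq_nocase(a, b, n);
}

/*
 * True when host lies below suffix on a label boundary, so that
 * "badexample.com" does not match the constraint "example.com".
 * With allow_exact, host == suffix matches as well.
 */
static bool host_in_domain(const char *host, const char *suffix, bool allow_exact)
{
    size_t hl = strlen(host), sl = strlen(suffix);

    if (sl == 0)
        return false; /* refuse an empty constraint rather than match everything */
    if (hl == sl)
        return allow_exact && eq_nocase(host, suffix, sl);
    if (hl < sl + 2) /* need at least one label character plus the dot */
        return false;
    return host[hl - sl - 1] == '.' && eq_nocase(host + (hl - sl), suffix, sl);
}

/*
 * dNSName constraint: "example.com" permits example.com and every
 * name below it; ".example.com" (relaxed form) permits names below
 * it only.
 */
bool dnsname_permitted(const char *name, const char *constraint)
{
    if (constraint[0] == '.')
        return host_in_domain(name, constraint + 1, false);
    return host_in_domain(name, constraint, true);
}

/*
 * rfc822Name constraint: "user@example.com" permits that mailbox only;
 * "example.com" or the relaxed "@example.com" permits any mailbox on
 * that host; ".example.com" permits any mailbox on a host below that
 * domain.
 */
bool rfc822name_permitted(const char *email, const char *constraint)
{
    const char *at = strchr(email, '@');
    const char *cat = strchr(constraint, '@');

    /* Require exactly one '@' with a non-empty local part and host. */
    if (at == NULL || at == email || at[1] == '\0' || strchr(at + 1, '@') != NULL)
        return false;

    if (cat != NULL && cat != constraint) {
        /* Full mailbox constraint: local parts byte-equal, hosts equal. */
        size_t ll = (size_t)(at - email);
        if (ll != (size_t)(cat - constraint) || memcmp(email, constraint, ll) != 0)
            return false;
        return host_equal(at + 1, cat + 1);
    }
    if (cat == constraint)
        constraint++; /* "@example.com": drop the '@' and treat as a host */
    if (constraint[0] == '.')
        return host_in_domain(at + 1, constraint + 1, false);
    return host_equal(at + 1, constraint);
}
```

A real verifier applies every permitted and excluded subtree of every CA in the chain to every subject alternative name (and to the subject CN and e-mail attributes where applicable); the two functions above are the per-name predicate that such a loop would call.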
* Internal improvements
- Limit OID text conversion to 64 bits per arc.
- Clean up and simplify memory BIO code.
- Reduce number of memmove() calls in memory BIOs.
- Factor out alert handling code in the legacy stack.
- Add sanity checks on p and q in old_dsa_priv_decode()
- Cache the SHA-512 hash instead of the SHA-1 for CRLs.
- Suppress various compiler warnings for old gcc versions.
- Remove free_cont from asn1_d2i_ex_primitive()/asn1_ex_c2i().
- Rework ownership handling in x509_constraints_validate().
- Rework ASN1_STRING_set().
- Remove const from tls1_transcript_hash_value().
- Clean up and simplify ssl3_renegotiate{,_check}().
- Rewrite legacy TLS and DTLS unexpected handshake message handling.
- Simplify SSL_do_handshake().
- Rewrite ASCII/text to ASN.1 object conversion.
- Provide t2i_ASN1_OBJECT_internal() and use it for OBJ_txt2obj().
- Split armv7 and aarch64 code into separate locations.
- Rewrote openssl(1) ts to use the new option handling and cleaned
up the C code.
- Provide asn1_get_primitive().
- Convert {c2i,d2i}_ASN1_OBJECT() to CBS.
- Remove the minimum record length checks from dtls1_read_bytes().
- Clean up {dtls1,ssl3}_read_bytes().
- Be more careful with embedded and terminating NULs in the new
name constraints code.
- Check EVP_Digest* return codes in openssl(1) ts
- Various minor code cleanup in openssl(1) pkcs12
- Use calloc() in pkey_hmac_init().
- Simplify priv_key handling in d2i_ECPrivateKey().
- Cache the SHA-512 hash instead of the SHA-1 hash and cache
notBefore and notAfter times when X.509 certificates are parsed.
- The X.509 lookup code has been simplified and cleaned up.
- Fixed numerous issues flagged by Coverity and the cryptofuzz
project
- Increased the number of Miller-Rabin checks in DH and DSA
key/parameter generation
- Started using the bytestring API in libcrypto for cleaner and
safer code
- Convert {i2d,d2i}_{,EC_,DSA_,RSA_}PUBKEY{,_bio,_fp}() to templated
ASN1
- Convert ASN1_OBJECT_new() to calloc()
- Convert ASN1_STRING_type_new() to calloc()
- Rewrite ASN1_STRING_cmp()
- Use calloc() for X509_CRL_METHOD_new() instead of malloc()
- Convert ASN1_PCTX_new() to calloc()
- Replace asn1_tlc_clear and asn1_tlc_clear_nc macros with a
function
- Consolidate {d2i,i2d}_{pr,pu}.c
- Remove handling of a NULL BUF_MEM from asn1_collect()
- Pull the recursion depth check up to the top of asn1_collect()
- Inline collect_data() in asn1_collect()
- Convert asn1_d2i_ex_primitive()/asn1_collect() from BUF_MEM to CBB
- Clean up d2i_ASN1_BOOLEAN() and i2d_ASN1_BOOLEAN()
- Consolidate ASN.1 universal tag type data
- Rewrite ASN.1 identifier/length parsing in CBS
- Make OBJ_obj2nid() work correctly with NID_undef
- tlsext_tick_lifetime_hint is now a uint32_t
- Untangle ssl3_get_message() return values
- Rename tls13_buffer to tls_buffer
- Fold DTLS_STATE_INTERNAL into DTLS1_STATE
- Provide a way to determine our maximum legacy version
- Mop up enc_read_ctx and read_hash
- Fold SSL_SESSION_INTERNAL into SSL_SESSION
- Use ssl_force_want_read in the DTLS code
- Add record processing limit to DTLS code
- Add explicit CBS_contains_zero_byte() check in CBS_strdup()
- Improve SNI hostname validation
- Ensure SSL_set_tlsext_host_name() is given a valid hostname
- Fix a strange check in the auto DH codepath
- Factor out/rewrite DHE key exchange
- Convert server serialisation of DHE parameters/public key to new
functions
- Check DH public key in ssl_kex_peer_public_dhe()
- Move the minimum DHE key size check into ssl_kex_peer_params_dhe()
- Clean up and refactor server side DHE key exchange
- Provide CBS_get_last_u8()
- Provide CBS_get_u64()
- Provide CBS_add_u64()
- Provide various CBS_peek_* functions
- Use CBS_get_last_u8() to find the content type in TLSv1.3 records
- unifdef TLS13_USE_LEGACY_CLIENT_AUTH
- Correct SSL_get_peer_cert_chain() when used with the TLSv1.3 stack
- Only allow zero length key shares when we know we're doing HRR
- Pull key share group/length CBB code up from
tls13_key_share_public()
- Refactor ssl3_get_server_kex_ecdhe() to separate parsing and
validation
- Return 0 on failure from send/get kex functions in the legacy
stack
- Rename tls13_key_share to tls_key_share
- Allocate and free the EVP_AEAD_CTX struct in
tls13_record_protection
- Convert legacy TLS client to tls_key_share
- Convert legacy TLS server to tls_key_share
- Stop attempting to duplicate the public and private key of dh_tmp
- Rename dh_tmp to dhe_params
- Rename CERT to SSL_CERT and CERT_PKEY to SSL_CERT_PKEY
- Clean up pkey handling in ssl3_get_server_key_exchange()
- Fix GOST skip certificate verify handling
- Simplify tlsext_keyshare_server_parse()
- Plumb decode errors through key share parsing code
- Simplify SSL_get_peer_certificate()
- Cleanup/simplify ssl_cert_type()
- The S3I macro was removed
- The openssl(1) cms and smime subcommands option handling was
converted and the C source was cleaned up.
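Several of the items above concern host names that reach the TLS stack: the explicit CBS_contains_zero_byte() check in CBS_strdup(), the care taken with embedded and terminating NULs, the improved SNI hostname validation, and the requirement that SSL_set_tlsext_host_name() be given a valid hostname. The function below is an added example written for this page, not LibreSSL's own implementation; it shows the kind of check a stack applies before it accepts a name from a caller or from a parsed ClientHello. The input is a buffer with an explicit length, as a parsed extension is, so an embedded NUL is possible and must be rejected explicitly: a C string function would silently truncate at it and the name that gets compared would differ from the one that was received. The syntax rules (RFC 1123 labels, RFC 6066's ban on IP literals in SNI, and the all-numeric-labels heuristic used to spot an IPv4 literal) are this example's own simplification.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/*
 * Added example for this page, not LibreSSL code. Accepts a host name
 * given as (buf, len) and returns true when it is safe to use as an
 * SNI name. Rules applied (a simplification of what a TLS stack does):
 *   - no NUL byte anywhere in the buffer,
 *   - 1..253 bytes in total, labels of 1..63 bytes,
 *   - labels of ASCII letters, digits and '-', not starting or ending
 *     with '-' (RFC 1123),
 *   - not an IP literal (RFC 6066 forbids them in SNI); a name whose
 *     labels are all digits is treated as an IPv4 literal.
 */
bool sni_hostname_valid(const unsigned char *buf, size_t len)
{
    size_t i, label_start = 0;
    bool all_numeric = true;

    if (len == 0 || len > 253)
        return false;
    /* An embedded NUL would make strlen()-based code see a shorter name. */
    if (memchr(buf, '\0', len) != NULL)
        return false;

    for (i = 0; i <= len; i++) {
        if (i == len || buf[i] == '.') {
            size_t ll = i - label_start;
            /* Empty label (leading, trailing or doubled dot) or too long. */
            if (ll == 0 || ll > 63)
                return false;
            if (buf[label_start] == '-' || buf[i - 1] == '-')
                return false;
            label_start = i + 1;
            continue;
        }
        unsigned char c = buf[i];
        /* Rejects spaces, slashes, control bytes and non-ASCII bytes. */
        if (!isalnum(c) && c != '-')
            return false;
        if (!isdigit(c))
            all_numeric = false;
    }
    return !all_numeric;
}

/* Convenience wrapper for NUL-terminated strings. */
bool sni_hostname_valid_str(const char *s)
{
    return sni_hostname_valid((const unsigned char *)s, strlen(s));
}
```

On the client side the same predicate guards the value handed to the host-name setter; on the server side it runs over the bytes parsed out of the server_name extension before they are copied into a C string or compared against the configured certificates.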
* Documentation improvements
- Update d2i_ASN1_OBJECT(3) documentation to reflect reality after
refactoring and bug fixes.
- Fixed numerous minor grammar, spelling, wording, and punctuation
issues.
- 45 new manual pages, most of which were written from scratch.
Documentation coverage of ASN.1 and X.509 code has been
significantly improved.
* Portable Improvements
- Fixed various POSIX compliance and other portability issues
found by the port to the Sortix operating system.
- Add libmd as a platform specific library for Solaris.
Issue reported by (ihsan <at> opencsw org) on the libressl ML.
- Set the IA-64 compiler flag only if it is HP-UX with IA-64.
Suggested by Larkin Nickle (me <at> larbob org) on the libressl ML.
- Enabled and scheduled Coverity scan.
Contributed by Ilya Shipitsin (chipitsine <at> gmail com) on github.
- nc(1) command fixed when run on macOS.
Contributed by sebastianblunt on github.
* API additions and removals
- libssl
API additions
SSL_get0_verified_chain SSL_peek_ex SSL_read_ex SSL_write_ex
API stubs for compatibility
SSL_CTX_get_keylog_callback SSL_CTX_get_num_tickets
SSL_CTX_set_keylog_callback SSL_CTX_set_num_tickets
SSL_get_num_tickets SSL_set_num_tickets
- libcrypto
added API (some of these were previously available as macros):
ASIdOrRange_free ASIdOrRange_new ASIdentifierChoice_free
ASIdentifierChoice_new ASIdentifiers_free ASIdentifiers_new
ASN1_TIME_diff ASRange_free ASRange_new BIO_get_callback_ex
BIO_get_init BIO_set_callback_ex BIO_set_next
BIO_set_retry_reason BN_GENCB_set BN_GENCB_set_old
BN_abs_is_word BN_get_flags BN_is_negative
BN_is_odd BN_is_one BN_is_word BN_is_zero BN_set_flags
BN_to_montgomery BN_with_flags BN_zero_ex CTLOG_STORE_free
CTLOG_STORE_get0_log_by_id CTLOG_STORE_load_default_file
CTLOG_STORE_load_file CTLOG_STORE_new CTLOG_free
CTLOG_get0_log_id CTLOG_get0_name CTLOG_get0_public_key
CTLOG_new CTLOG_new_from_base64 CT_POLICY_EVAL_CTX_free
CT_POLICY_EVAL_CTX_get0_cert CT_POLICY_EVAL_CTX_get0_issuer
CT_POLICY_EVAL_CTX_get0_log_store CT_POLICY_EVAL_CTX_get_time
CT_POLICY_EVAL_CTX_new CT_POLICY_EVAL_CTX_set1_cert
CT_POLICY_EVAL_CTX_set1_issuer
CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE
CT_POLICY_EVAL_CTX_set_time DH_get0_g DH_get0_p DH_get0_priv_key
DH_get0_pub_key DH_get0_q DH_get_length DSA_bits DSA_get0_g
DSA_get0_p DSA_get0_priv_key DSA_get0_pub_key DSA_get0_q
ECDSA_SIG_get0_r ECDSA_SIG_get0_s EVP_AEAD_CTX_free
EVP_AEAD_CTX_new EVP_CIPHER_CTX_buf_noconst
EVP_CIPHER_CTX_get_cipher_data EVP_CIPHER_CTX_set_cipher_data
EVP_MD_CTX_md_data EVP_MD_CTX_pkey_ctx EVP_MD_CTX_set_pkey_ctx
EVP_MD_meth_dup EVP_MD_meth_free EVP_MD_meth_new
EVP_MD_meth_set_app_datasize EVP_MD_meth_set_cleanup
EVP_MD_meth_set_copy EVP_MD_meth_set_ctrl EVP_MD_meth_set_final
EVP_MD_meth_set_flags EVP_MD_meth_set_init
EVP_MD_meth_set_input_blocksize EVP_MD_meth_set_result_size
EVP_MD_meth_set_update EVP_PKEY_asn1_set_check
EVP_PKEY_asn1_set_param_check EVP_PKEY_asn1_set_public_check
EVP_PKEY_check EVP_PKEY_meth_set_check
EVP_PKEY_meth_set_param_check EVP_PKEY_meth_set_public_check
EVP_PKEY_param_check EVP_PKEY_public_check FIPS_mode
FIPS_mode_set IPAddressChoice_free IPAddressChoice_new
IPAddressFamily_free IPAddressFamily_new IPAddressOrRange_free
IPAddressOrRange_new IPAddressRange_free IPAddressRange_new
OBJ_get0_data OBJ_length OCSP_resp_get0_certs OCSP_resp_get0_id
OCSP_resp_get0_produced_at OCSP_resp_get0_respdata
OCSP_resp_get0_signature OCSP_resp_get0_signer
OCSP_resp_get0_tbs_sigalg PEM_write_bio_PrivateKey_traditional
RSA_get0_d RSA_get0_dmp1 RSA_get0_dmq1 RSA_get0_e RSA_get0_iqmp
RSA_get0_n RSA_get0_p RSA_get0_pss_params RSA_get0_q
SCT_LIST_free SCT_LIST_print SCT_LIST_validate SCT_free
SCT_get0_extensions SCT_get0_log_id SCT_get0_signature
SCT_get_log_entry_type SCT_get_signature_nid SCT_get_source
SCT_get_timestamp SCT_get_validation_status SCT_get_version
SCT_new SCT_new_from_base64 SCT_print SCT_set0_extensions
SCT_set0_log_id SCT_set0_signature SCT_set1_extensions
SCT_set1_log_id SCT_set1_signature SCT_set_log_entry_type
SCT_set_signature_nid SCT_set_source SCT_set_timestamp
SCT_set_version SCT_validate SCT_validation_status_string
X509_OBJECT_free X509_OBJECT_new X509_REQ_get0_pubkey
X509_SIG_get0 X509_SIG_getm X509_STORE_CTX_get_by_subject
X509_STORE_CTX_get_num_untrusted
X509_STORE_CTX_get_obj_by_subject X509_STORE_CTX_get_verify
X509_STORE_CTX_get_verify_cb X509_STORE_CTX_set0_verified_chain
X509_STORE_CTX_set_current_cert X509_STORE_CTX_set_error_depth
X509_STORE_CTX_set_verify X509_STORE_get_verify
X509_STORE_get_verify_cb X509_STORE_set_verify
X509_get_X509_PUBKEY X509_get_extended_key_usage
X509_get_extension_flags X509_get_key_usage
X509v3_addr_add_inherit X509v3_addr_add_prefix
X509v3_addr_add_range X509v3_addr_canonize X509v3_addr_get_afi
X509v3_addr_get_range X509v3_addr_inherits
X509v3_addr_is_canonical X509v3_addr_subset
X509v3_addr_validate_path X509v3_addr_validate_resource_set
X509v3_asid_add_id_or_range X509v3_asid_add_inherit
X509v3_asid_canonize X509v3_asid_inherits
X509v3_asid_is_canonical X509v3_asid_subset
X509v3_asid_validate_path X509v3_asid_validate_resource_set
d2i_ASIdOrRange d2i_ASIdentifierChoice d2i_ASIdentifiers
d2i_ASRange d2i_IPAddressChoice d2i_IPAddressFamily
d2i_IPAddressOrRange d2i_IPAddressRange d2i_SCT_LIST
i2d_ASIdOrRange i2d_ASIdentifierChoice i2d_ASIdentifiers
i2d_ASRange i2d_IPAddressChoice i2d_IPAddressFamily
i2d_IPAddressOrRange i2d_IPAddressRange i2d_SCT_LIST
i2d_re_X509_CRL_tbs i2d_re_X509_REQ_tbs i2d_re_X509_tbs i2o_SCT
i2o_SCT_LIST o2i_SCT o2i_SCT_LIST
removed API:
ASN1_check_infinite_end ASN1_const_check_infinite_end EVP_dss
EVP_dss1 EVP_ecdsa HMAC_CTX_cleanup HMAC_CTX_init
NETSCAPE_ENCRYPTED_PKEY_free NETSCAPE_ENCRYPTED_PKEY_new
NETSCAPE_PKEY_free NETSCAPE_PKEY_new NETSCAPE_X509_free
NETSCAPE_X509_new OBJ_bsearch_ex_ PEM_SealFinal PEM_SealInit
PEM_SealUpdate PEM_read_X509_CERT_PAIR
PEM_read_bio_X509_CERT_PAIR PEM_write_X509_CERT_PAIR
PEM_write_bio_X509_CERT_PAIR X509_CERT_PAIR_free
X509_CERT_PAIR_new X509_OBJECT_free_contents asn1_do_adb
asn1_do_lock asn1_enc_free asn1_enc_init asn1_enc_restore
asn1_enc_save asn1_ex_c2i asn1_get_choice_selector
asn1_get_field_ptr asn1_set_choice_selector check_defer
d2i_ASN1_BOOLEAN d2i_NETSCAPE_ENCRYPTED_PKEY d2i_NETSCAPE_PKEY
d2i_NETSCAPE_X509 d2i_Netscape_RSA d2i_RSA_NET
d2i_X509_CERT_PAIR i2d_ASN1_BOOLEAN i2d_NETSCAPE_ENCRYPTED_PKEY
i2d_NETSCAPE_PKEY i2d_NETSCAPE_X509 i2d_Netscape_RSA i2d_RSA_NET
i2d_X509_CERT_PAIR name_cmp obj_cleanup_defer

The LibreSSL project continues improvement of the codebase to reflect modern,
safe programming practices. We welcome feedback and improvements from the
broader community. Thanks to all of the contributors who helped make this
release possible.