Friday, July 29, 2022
Important changes to software license information in Fedora packages (SPDX and more!)
I have a few things to announce!
New docs site for licensing and other legal topics
--------------------------------------------------
All documentation related to Fedora licensing has moved to a new
section in Fedora Docs, which you can find at:
https://docs.fedoraproject.org/en-US/legal/
Other legal documentation will follow. This follows the overall Fedora
goal of moving active user and contributor documentation away from the
wiki.
Fedora license information in a structured format
-------------------------------------------------
The "good" (allowed) and "bad" (not-allowed) licenses for Fedora are
now stored in a repository, using a simple structured file format for
each license (it's TOML). You can find this at:
https://gitlab.com/fedora/legal/fedora-license-data
This data is then presented in easy tabular format in the
documentation, at:
https://docs.fedoraproject.org/en-US/legal/allowed-licenses/
New policy for the License field in packages — SPDX identifiers!
----------------------------------------------------------------
We're changing the policy for the "License" field in package spec files
to use SPDX license identifiers. Historically, Fedora has represented
licenses using short abbreviations specific to Fedora. In the meantime,
SPDX license identifiers have emerged as a standard, and other
projects, vendors, and developers have started using them. Adopting
SPDX license identifiers provides greater accuracy as to what license
applies, and will make it easier for us to collaborate with other
projects.
Updated licensing policies and processes
----------------------------------------
Fedora licensing policies and processes have been updated to reflect
the above changes. In some cases, this forced deeper thought as to how
these things are decided and why, which led to various discussions on
Fedora mailing lists. In other cases, it prompted better articulation
of guidance that was implicitly understood but not necessarily
explicitly stated.
New guidance on "effective license" analysis
--------------------------------------------
Many software packages consist of code with different free and open
source licenses. Previous practice often involved "simplification" of
the package license field when the packager believed that one license
subsumed the other — for example, using just "GPL" when the source code
includes parts licensed under a BSD-style license as well. Going
forward, packagers and reviewers should not make this kind of analysis,
and rather use (for example) "GPL-2.0-or-later AND MIT". This approach
is easier for packagers to apply in a consistent way.
When do these changes take effect?
----------------------------------
The resulting changes in practice will be applied to new packages and
licenses going forward. It is not necessary to revise existing packages
at this time, although we have provided some guidance for package
maintainers who want to get started. We're in the process of planning a
path for updating existing packages at a larger scale — stay tuned for
more on that!
Thank you everyone!
-------------------
A huge thanks to some key people who have worked tirelessly to make
this happen: David Cantrell, Richard Fontana, Jilayne Lovejoy, Miroslav
Suchý. Behind the scenes support was also provided by David Levine,
Bryan Sutula, and Beatriz Couto. Thank you as well for the valuable
feedback from Fedora community members in various Fedora forums.
Please have a look at the updated information. If you have questions,
please post them to the Fedora Legal mailing list:
https://lists.fedoraproject.org/archives/list/legal@lists.fedoraproject.org/
--
Matthew Miller
<mattdm@fedoraproject.org>
Fedora Project Leader
_______________________________________________
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
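The "GPL-2.0-or-later AND MIT" rule above can be checked mechanically: parse the License field as an SPDX expression and look every operand up in the allowed-license data. The Python below is an added example, not code from the Fedora announcement or from fedora-license-data; it assumes a simplified status table (constructed here, standing in for the per-license TOML records) and the rule that every operand of AND must be allowed while OR needs only one allowed operand.

```python
"""Validate a spec-file License field written as an SPDX expression.

Added example, not part of the Fedora announcement or fedora-license-data.
Assumptions (not from the page): LICENSE_STATUS stands in for the per-license
TOML records; AND is allowed only if both operands are, OR if either is;
"X WITH Y" is looked up as one combined entry.
"""
import re

# Constructed sample of license statuses. In practice this would be loaded
# from the repository's TOML files (e.g. with tomllib on Python 3.11+).
LICENSE_STATUS = {
    "GPL-2.0-or-later": "allowed",
    "GPL-2.0-or-later WITH Classpath-exception-2.0": "allowed",
    "MIT": "allowed",
    "BSD-3-Clause": "allowed",
    "LGPL-2.1-only": "allowed",
    "JSON": "not-allowed",
}

# SPDX identifiers use letters, digits, '.', '+' and '-'; plus parentheses.
TOKEN_RE = re.compile(r"\(|\)|[A-Za-z0-9.+\-]+")


def tokenize(expr):
    """Split an SPDX expression into tokens, rejecting stray characters."""
    tokens = TOKEN_RE.findall(expr)
    if "".join(tokens) != re.sub(r"\s+", "", expr):
        raise ValueError(f"unexpected characters in {expr!r}")
    return tokens


class Parser:
    """Recursive-descent parser: OR binds loosest, then AND, then WITH."""

    def __init__(self, tokens):
        self.toks = tokens
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of expression")
        self.pos += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError(f"trailing token {self.peek()!r}")
        return node

    def parse_or(self):
        left = self.parse_and()
        while self.peek() == "OR":
            self.take()
            left = ("OR", left, self.parse_and())
        return left

    def parse_and(self):
        left = self.parse_atom()
        while self.peek() == "AND":
            self.take()
            left = ("AND", left, self.parse_atom())
        return left

    def parse_atom(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok in ("AND", "OR", "WITH", ")"):
            raise ValueError(f"unexpected {tok!r}")
        if self.peek() == "WITH":          # license with an exception
            self.take()
            return ("LICENSE", f"{tok} WITH {self.take()}")
        return ("LICENSE", tok)


def evaluate(node, status, findings):
    """Return True if the subtree is allowed; record non-allowed operands."""
    kind = node[0]
    if kind == "LICENSE":
        state = status.get(node[1], "unknown")   # unknown: not in the data
        if state != "allowed":
            findings.append((node[1], state))
        return state == "allowed"
    left = evaluate(node[1], status, findings)
    right = evaluate(node[2], status, findings)
    return (left and right) if kind == "AND" else (left or right)


def check_license_field(field, status=LICENSE_STATUS):
    """Return (allowed, findings) for a License field value."""
    tree = Parser(tokenize(field)).parse()
    findings = []
    return evaluate(tree, status, findings), findings


if __name__ == "__main__":
    for field in ("GPL-2.0-or-later AND MIT", "GPL", "MIT AND JSON", "MIT OR JSON"):
        print(field, "->", check_license_field(field))
```

Note that the old-style simplified value "GPL" is rejected not because it is disallowed but because it is not an SPDX identifier present in the data, which is exactly the signal a reviewer wants.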
Thursday, July 28, 2022
[USN-5541-1] Linux kernel (Azure) vulnerabilities
Ubuntu Security Notice USN-5541-1
July 28, 2022
linux-azure vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 ESM
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux-azure: Linux kernel for Microsoft Azure Cloud systems
Details:
Eric Biederman discovered that the cgroup process migration implementation
in the Linux kernel did not perform permission checks correctly in some
situations. A local attacker could possibly use this to gain administrative
privileges. (CVE-2021-4197)
Jann Horn discovered that the FUSE file system in the Linux kernel
contained a use-after-free vulnerability. A local attacker could use this
to cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2022-1011)
Duoming Zhou discovered that the 6pack protocol implementation in the Linux
kernel did not handle detach events properly in some situations, leading to
a use-after-free vulnerability. A local attacker could use this to cause a
denial of service (system crash). (CVE-2022-1198)
Duoming Zhou discovered that the AX.25 amateur radio protocol
implementation in the Linux kernel did not handle detach events properly in
some situations. A local attacker could possibly use this to cause a denial
of service (system crash) or execute arbitrary code. (CVE-2022-1199)
Duoming Zhou discovered race conditions in the AX.25 amateur radio protocol
implementation in the Linux kernel during device detach operations. A local
attacker could possibly use this to cause a denial of service (system
crash). (CVE-2022-1204)
Duoming Zhou discovered race conditions in the AX.25 amateur radio protocol
implementation in the Linux kernel, leading to use-after-free
vulnerabilities. A local attacker could possibly use this to cause a denial
of service (system crash). (CVE-2022-1205)
It was discovered that the PF_KEYv2 implementation in the Linux kernel did
not properly initialize kernel memory in some situations. A local attacker
could use this to expose sensitive information (kernel memory).
(CVE-2022-1353)
It was discovered that the implementation of X.25 network protocols in the
Linux kernel did not terminate link layer sessions properly. A local
attacker could possibly use this to cause a denial of service (system
crash). (CVE-2022-1516)
Zheyu Ma discovered that the Silicon Motion SM712 framebuffer driver in the
Linux kernel did not properly handle very small reads. A local attacker
could use this to cause a denial of service (system crash). (CVE-2022-2380)
It was discovered that the 8 Devices USB2CAN interface implementation in
the Linux kernel did not properly handle certain error conditions, leading
to a double-free. A local attacker could possibly use this to cause a
denial of service (system crash). (CVE-2022-28388)
It was discovered that the Microchip CAN BUS Analyzer interface
implementation in the Linux kernel did not properly handle certain error
conditions, leading to a double-free. A local attacker could possibly use
this to cause a denial of service (system crash). (CVE-2022-28389)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 ESM:
linux-image-4.15.0-1146-azure 4.15.0-1146.161~16.04.1
linux-image-azure 4.15.0.1146.133
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-5541-1
CVE-2021-4197, CVE-2022-1011, CVE-2022-1198, CVE-2022-1199,
CVE-2022-1204, CVE-2022-1205, CVE-2022-1353, CVE-2022-1516,
CVE-2022-2380, CVE-2022-28388, CVE-2022-28389
[USN-5540-1] Linux kernel vulnerabilities
Ubuntu Security Notice USN-5540-1
July 28, 2022
linux, linux-aws, linux-kvm, linux-lts-xenial vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 ESM
- Ubuntu 14.04 ESM
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux: Linux kernel
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems
- linux-kvm: Linux kernel for cloud environments
- linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty
Details:
Liu Jian discovered that the IGMP protocol implementation in the Linux
kernel contained a race condition, leading to a use-after-free
vulnerability. A local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2022-20141)
It was discovered that the USB gadget subsystem in the Linux kernel did not
properly validate interface descriptor requests. An attacker could possibly
use this to cause a denial of service (system crash). (CVE-2022-25258)
It was discovered that the Remote NDIS (RNDIS) USB gadget implementation in
the Linux kernel did not properly validate the size of the RNDIS_MSG_SET
command. An attacker could possibly use this to expose sensitive
information (kernel memory). (CVE-2022-25375)
Arthur Mongodin discovered that the netfilter subsystem in the Linux kernel
did not properly perform data validation. A local attacker could use this
to escalate privileges in certain situations. (CVE-2022-34918)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 ESM:
linux-image-4.4.0-1111-kvm 4.4.0-1111.121
linux-image-4.4.0-1146-aws 4.4.0-1146.161
linux-image-4.4.0-230-generic 4.4.0-230.264
linux-image-4.4.0-230-lowlatency 4.4.0-230.264
linux-image-aws 4.4.0.1146.150
linux-image-generic 4.4.0.230.236
linux-image-kvm 4.4.0.1111.108
linux-image-lowlatency 4.4.0.230.236
linux-image-virtual 4.4.0.230.236
Ubuntu 14.04 ESM:
linux-image-4.4.0-1110-aws 4.4.0-1110.116
linux-image-4.4.0-230-generic 4.4.0-230.264~14.04.1
linux-image-4.4.0-230-lowlatency 4.4.0-230.264~14.04.1
linux-image-aws 4.4.0.1110.107
linux-image-generic-lts-xenial 4.4.0.230.200
linux-image-lowlatency-lts-xenial 4.4.0.230.200
linux-image-virtual-lts-xenial 4.4.0.230.200
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-5540-1
CVE-2022-20141, CVE-2022-25258, CVE-2022-25375, CVE-2022-34918
[USN-5539-1] Linux kernel vulnerabilities
Ubuntu Security Notice USN-5539-1
July 28, 2022
linux-bluefield, linux-gcp-5.4, linux-gke-5.4 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux-bluefield: Linux kernel for NVIDIA BlueField platforms
- linux-gcp-5.4: Linux kernel for Google Cloud Platform (GCP) systems
- linux-gke-5.4: Linux kernel for Google Container Engine (GKE) systems
Details:
It was discovered that the implementation of the 6pack and mkiss protocols
in the Linux kernel did not handle detach events properly in some
situations, leading to a use-after-free vulnerability. A local attacker
could possibly use this to cause a denial of service (system crash).
(CVE-2022-1195)
Duoming Zhou discovered that the AX.25 amateur radio protocol
implementation in the Linux kernel did not handle detach events properly in
some situations. A local attacker could possibly use this to cause a denial
of service (system crash) or execute arbitrary code. (CVE-2022-1199)
Duoming Zhou discovered race conditions in the AX.25 amateur radio protocol
implementation in the Linux kernel during device detach operations. A local
attacker could possibly use this to cause a denial of service (system
crash). (CVE-2022-1204)
Duoming Zhou discovered race conditions in the AX.25 amateur radio protocol
implementation in the Linux kernel, leading to use-after-free
vulnerabilities. A local attacker could possibly use this to cause a denial
of service (system crash). (CVE-2022-1205)
Yongkang Jia discovered that the KVM hypervisor implementation in the Linux
kernel did not properly handle guest TLB mapping invalidation requests in
some situations. An attacker in a guest VM could use this to cause a denial
of service (system crash) in the host OS. (CVE-2022-1789)
It was discovered that the 8 Devices USB2CAN interface implementation in
the Linux kernel did not properly handle certain error conditions, leading
to a double-free. A local attacker could possibly use this to cause a
denial of service (system crash). (CVE-2022-28388)
Minh Yuan discovered that the floppy driver in the Linux kernel contained a
race condition in some situations, leading to a use-after-free
vulnerability. A local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2022-33981)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.04 LTS:
linux-image-5.4.0-1042-bluefield 5.4.0-1042.47
linux-image-bluefield 5.4.0.1042.41
Ubuntu 18.04 LTS:
linux-image-5.4.0-1078-gke 5.4.0-1078.84~18.04.1
linux-image-5.4.0-1084-gcp 5.4.0-1084.92~18.04.1
linux-image-gcp 5.4.0.1084.63
linux-image-gke-5.4 5.4.0.1078.84~18.04.40
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-5539-1
CVE-2022-1195, CVE-2022-1199, CVE-2022-1204, CVE-2022-1205,
CVE-2022-1789, CVE-2022-28388, CVE-2022-33981
Package Information:
https://launchpad.net/ubuntu/+source/linux-bluefield/5.4.0-1042.47
https://launchpad.net/ubuntu/+source/linux-gcp-5.4/5.4.0-1084.92~18.04.1
https://launchpad.net/ubuntu/+source/linux-gke-5.4/5.4.0-1078.84~18.04.1
[USN-5537-2] MySQL vulnerability
Ubuntu Security Notice USN-5537-2
July 28, 2022
mysql-5.7 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 ESM
Summary:
Several security issues were fixed in MySQL.
Software Description:
- mysql-5.7: MySQL database
Details:
USN-5537-1 fixed a vulnerability in MySQL. This update provides
the corresponding update for Ubuntu 16.04 ESM.
Original advisory details:
Multiple security issues were discovered in MySQL and this update includes
new upstream MySQL versions to fix these issues.
MySQL has been updated to 5.7.39 in Ubuntu 16.04 ESM.
In addition to security fixes, the updated packages contain bug fixes, new
features, and possibly incompatible changes.
Please see the following for more information:
https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-39.html
https://www.oracle.com/security-alerts/cpujul2022.html
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 ESM:
mysql-server-5.7 5.7.39-0ubuntu0.16.04.1+esm2
This update uses a new upstream release, which includes additional bug
fixes. In general, a standard system update will make all the necessary
changes.
References:
https://ubuntu.com/security/notices/USN-5537-2
https://ubuntu.com/security/notices/USN-5537-1
CVE-2022-21515
[USN-5536-1] Firefox vulnerabilities
Ubuntu Security Notice USN-5536-1
July 28, 2022
firefox vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
Firefox could be made to crash or run programs as your login if it
opened a malicious website.
Software Description:
- firefox: Mozilla Open Source web browser
Details:
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, spoof the mouse
pointer position, bypass Subresource Integrity protections, obtain
sensitive information, or execute arbitrary code.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.04 LTS:
firefox 103.0+build1-0ubuntu0.20.04.1
Ubuntu 18.04 LTS:
firefox 103.0+build1-0ubuntu0.18.04.1
After a standard system update you need to restart Firefox to make
all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5536-1
CVE-2022-2505, CVE-2022-36315, CVE-2022-36316, CVE-2022-36318,
CVE-2022-36319, CVE-2022-36320
Package Information:
https://launchpad.net/ubuntu/+source/firefox/103.0+build1-0ubuntu0.20.04.1
https://launchpad.net/ubuntu/+source/firefox/103.0+build1-0ubuntu0.18.04.1
[USN-5538-1] libtirpc vulnerability
Ubuntu Security Notice USN-5538-1
July 28, 2022
libtirpc vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
libtirpc could be made to deny service if it received specially
crafted input.
Software Description:
- libtirpc: transport-independent RPC library - common files
Details:
It was discovered that libtirpc incorrectly handled certain inputs.
An attacker could possibly use this issue to cause a denial of service.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS:
libtirpc3 1.3.2-2ubuntu0.1
Ubuntu 20.04 LTS:
libtirpc3 1.2.5-1ubuntu0.1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5538-1
CVE-2021-46828
Package Information:
https://launchpad.net/ubuntu/+source/libtirpc/1.3.2-2ubuntu0.1
https://launchpad.net/ubuntu/+source/libtirpc/1.2.5-1ubuntu0.1
[USN-5537-1] MySQL vulnerabilities
Ubuntu Security Notice USN-5537-1
July 28, 2022
mysql-5.7, mysql-8.0 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
Several security issues were fixed in MySQL.
Software Description:
- mysql-8.0: MySQL database
- mysql-5.7: MySQL database
Details:
Multiple security issues were discovered in MySQL and this update includes
new upstream MySQL versions to fix these issues.
MySQL has been updated to 8.0.30 in Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.
Ubuntu 18.04 LTS has been updated to MySQL 5.7.39.
In addition to security fixes, the updated packages contain bug fixes, new
features, and possibly incompatible changes.
Please see the following for more information:
https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-39.html
https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-30.html
https://www.oracle.com/security-alerts/cpujul2022.html
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS:
mysql-server-8.0 8.0.30-0ubuntu0.22.04.1
Ubuntu 20.04 LTS:
mysql-server-8.0 8.0.30-0ubuntu0.20.04.2
Ubuntu 18.04 LTS:
mysql-server-5.7 5.7.39-0ubuntu0.18.04.2
This update uses a new upstream release, which includes additional bug
fixes. In general, a standard system update will make all the necessary
changes.
References:
https://ubuntu.com/security/notices/USN-5537-1
CVE-2022-21509, CVE-2022-21515, CVE-2022-21517, CVE-2022-21522,
CVE-2022-21525, CVE-2022-21526, CVE-2022-21527, CVE-2022-21528,
CVE-2022-21529, CVE-2022-21530, CVE-2022-21531, CVE-2022-21534,
CVE-2022-21537, CVE-2022-21538, CVE-2022-21539, CVE-2022-21547,
CVE-2022-21553, CVE-2022-21569
Package Information:
https://launchpad.net/ubuntu/+source/mysql-8.0/8.0.30-0ubuntu0.22.04.1
https://launchpad.net/ubuntu/+source/mysql-8.0/8.0.30-0ubuntu0.20.04.2
https://launchpad.net/ubuntu/+source/mysql-5.7/5.7.39-0ubuntu0.18.04.2
[USN-5535-1] Intel Microcode vulnerabilities
Ubuntu Security Notice USN-5535-1
July 28, 2022
Intel Microcode vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 ESM
Summary:
Several security issues were fixed in Intel Microcode.
Software Description:
- intel-microcode: Processor microcode for Intel CPUs
Details:
Joseph Nuzman discovered that some Intel processors did not properly
initialise shared resources. A local attacker could use this to obtain
sensitive information. (CVE-2021-0145)
Mark Ermolov, Dmitry Sklyarov and Maxim Goryachy discovered that some Intel
processors did not prevent test and debug logic from being activated at
runtime. A local attacker could use this to escalate
privileges. (CVE-2021-0146)
It was discovered that some Intel processors did not implement sufficient
control flow management. A local attacker could use this to cause a denial
of service (system crash). (CVE-2021-0127)
It was discovered that some Intel processors did not completely perform
cleanup actions on multi-core shared buffers. A local attacker could
possibly use this to expose sensitive information. (CVE-2022-21123,
CVE-2022-21127)
It was discovered that some Intel processors did not completely perform
cleanup actions on microarchitectural fill buffers. A local attacker could
possibly use this to expose sensitive information. (CVE-2022-21125)
Alysa Milburn, Jason Brandt, Avishai Redelman and Nir Lavi discovered that
some Intel processors improperly optimised security-critical code. A local
attacker could possibly use this to expose sensitive
information. (CVE-2022-21151)
It was discovered that some Intel processors did not properly perform
cleanup during specific special register write operations. A local attacker
could possibly use this to expose sensitive information. (CVE-2022-21166)
It was discovered that some Intel processors did not properly restrict
access in some situations. A local attacker could use this to obtain
sensitive information. (CVE-2021-33117)
Brandon Miller discovered that some Intel processors did not properly
restrict access in some situations. A local attacker could use this to
obtain sensitive information or a remote attacker could use this to
cause a denial of service (system crash). (CVE-2021-33120)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 ESM:
intel-microcode 3.20220510.0ubuntu0.16.04.1+esm1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5535-1
CVE-2021-0127, CVE-2021-0145, CVE-2021-0146, CVE-2021-33117,
CVE-2021-33120, CVE-2022-21123, CVE-2022-21125, CVE-2022-21127,
CVE-2022-21151, CVE-2022-21166
Tuesday, July 26, 2022
[USN-5531-1] protobuf-c vulnerability
Ubuntu Security Notice USN-5531-1
July 26, 2022
protobuf-c vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in protobuf-c.
Software Description:
- protobuf-c: Protocol Buffers C static library and headers (protobuf-c)
Details:
Pietro Borrello discovered that protobuf-c contained an invalid
arithmetic shift. This vulnerability allowed attackers to cause a
denial of service (system crash) via unspecified vectors
(CVE-2022-33070).
It was discovered that protobuf-c contained an unsigned integer
overflow. This vulnerability allowed attackers to cause a denial of
service (system crash) via unspecified vectors.
Todd Miller discovered that protobuf-c contained a possible NULL pointer
dereference. This could allow attackers to cause a denial of service
(system crash) via unspecified vectors.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS:
protobuf-c-compiler 1.3.3-1ubuntu2.1
Ubuntu 20.04 LTS:
protobuf-c-compiler 1.3.3-1ubuntu0.1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5531-1
CVE-2022-33070
Package Information:
https://launchpad.net/ubuntu/+source/protobuf-c/1.3.3-1ubuntu2.1
https://launchpad.net/ubuntu/+source/protobuf-c/1.3.3-1ubuntu0.1
[USN-5534-1] ImageMagick vulnerabilities
Ubuntu Security Notice USN-5534-1
July 26, 2022
imagemagick vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 ESM
Summary:
Several security issues were fixed in ImageMagick.
Software Description:
- imagemagick: Image manipulation programs and library
Details:
It was discovered that ImageMagick incorrectly handled certain values.
If a user were tricked into processing a specially crafted image file,
an attacker could possibly exploit this issue to cause a denial of
service or other unspecified impact. (CVE-2022-32545, CVE-2022-32546)
It was discovered that ImageMagick incorrectly handled memory under
certain circumstances. If a user were tricked into processing a
specially crafted image file, an attacker could possibly exploit this
issue to cause a denial of service or other unspecified impact.
(CVE-2022-32547)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 ESM:
imagemagick 8:6.8.9.9-7ubuntu5.16+esm4
imagemagick-6.q16 8:6.8.9.9-7ubuntu5.16+esm4
libimage-magick-q16-perl 8:6.8.9.9-7ubuntu5.16+esm4
libmagick++-6.q16-5v5 8:6.8.9.9-7ubuntu5.16+esm4
libmagickcore-6-headers 8:6.8.9.9-7ubuntu5.16+esm4
libmagickcore-6.q16-2 8:6.8.9.9-7ubuntu5.16+esm4
libmagickcore-6.q16-2-extra 8:6.8.9.9-7ubuntu5.16+esm4
libmagickwand-6.q16-2 8:6.8.9.9-7ubuntu5.16+esm4
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5534-1
CVE-2022-32545, CVE-2022-32546, CVE-2022-32547
[USN-5533-1] Vim vulnerability
Ubuntu Security Notice USN-5533-1
July 26, 2022
vim vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 ESM
Summary:
Vim could be made to crash, among other things, if it
opened a specially crafted file.
Software Description:
- vim: Vi IMproved - enhanced vi editor
Details:
It was discovered that Vim incorrectly handled memory access. If a
user were tricked into opening a specially crafted file, an attacker
could possibly use this issue to cause the corruption of sensitive
information, a crash, or arbitrary code execution.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 ESM:
vim 2:7.4.1689-3ubuntu1.5+esm12
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5533-1
CVE-2022-2129
List of long term FTBFS packages to be retired in August
Based on the current fail to build from source policy, the following packages
will be retired from Fedora 37 approximately one week before branching (August
2022).
Policy:
https://docs.fedoraproject.org/en-US/fesco/Fails_to_build_from_source_Fails_to_install/
The packages in rawhide were not successfully built at least since Fedora 35.
This report is based on dist tags.
Packages collected via:
https://github.com/hroncok/fedora-report-ftbfs-retirements/blob/master/ftbfs-retirements.ipynb
If you see a package that was built, please let me know.
If you see a package that should be exempted from the process, please let me
know and we can work together to get a FESCo approval for that.
If you see a package that can be rebuilt, please do so.
Package (co)maintainers
=========================================================================
golang-grpc-go4 eclipseo, go-sig, jchaloup
lancer willb
php-aws-sdk3 lcts
php-pimple lcts
recorder ddd
rubygem-coffee-rails jaruga, ruby-packagers-sig, vondruch
rubygem-minitest-reporters pvalena
rubygem-sprockets-rails jaruga, pvalena, ruby-packagers-sig
tinygo go-sig, qulogic
uom-parent lberk, mgoodwin, nathans
xs petersen
The following packages require above mentioned packages:
Depending on: golang-grpc-go4 (1)
golang-x-build (maintained by: eclipseo, go-sig, jchaloup)
golang-x-build-0-0.19.20201229git0a4bf69.fc35.src requires
golang(grpc.go4.org) = 0-0.9.20180421git11d0a25.fc34,
golang(grpc.go4.org/codes) = 0-0.9.20180421git11d0a25.fc34
golang-x-build-devel-0-0.19.20201229git0a4bf69.fc35.noarch requires
golang(grpc.go4.org) = 0-0.9.20180421git11d0a25.fc34,
golang(grpc.go4.org/codes) = 0-0.9.20180421git11d0a25.fc34
Depending on: rubygem-sprockets-rails (22)
rubygem-actionmailbox (maintained by: pvalena)
rubygem-actionmailbox-7.0.2.3-2.fc37.src requires rubygem(sprockets-rails) =
3.2.2
rubygem-activestorage (maintained by: ruby-packagers-sig, vondruch)
rubygem-activestorage-7.0.2.3-1.fc37.src requires rubygem(sprockets-rails) =
3.2.2
rubygem-railties (maintained by: mmorsi, pvalena, tdawson, vondruch)
rubygem-railties-7.0.2.3-2.fc37.src requires rubygem(sprockets-rails) = 3.2.2
rubygem-sassc-rails (maintained by: pvalena)
rubygem-sassc-rails-2.1.2-4.fc36.noarch requires rubygem(sprockets-rails) = 3.2.2
rubygem-sassc-rails-2.1.2-4.fc36.src requires rubygem(sprockets-rails) = 3.2.2
rubygem-rails (maintained by: jstribny, kanarip, mmorsi, mtasaka, pvalena,
ruby-packagers-sig, sseago, tdawson, vondruch)
rubygem-rails-1:7.0.2.3-2.fc37.noarch requires rubygem(actionmailbox) = 7.0.2.3
rubygem-rspec-rails (maintained by: clalance, vondruch)
rubygem-rspec-rails-5.1.1-2.fc37.src requires rubygem(actionmailbox) = 7.0.2.3
rubygem-actiontext (maintained by: pvalena)
rubygem-actiontext-7.0.2.3-2.fc37.noarch requires rubygem(activestorage) =
7.0.2.3
rubygem-actiontext-7.0.2.3-2.fc37.src requires rubygem(activestorage) = 7.0.2.3
rubygem-actionpack (maintained by: jaruga, jstribny, kanarip, mmorsi, pvalena,
ruby-packagers-sig, sseago, vondruch)
rubygem-actionpack-1:7.0.2.3-1.fc37.src requires rubygem(railties) = 7.0.2.3
rubygem-actionview (maintained by: jaruga, pvalena, ruby-packagers-sig)
rubygem-actionview-7.0.2.3-1.fc37.src requires rubygem(railties) = 7.0.2.3
rubygem-activemodel (maintained by: jstribny, mmorsi, pvalena, tdawson, vondruch)
rubygem-activemodel-7.0.2.3-2.fc37.src requires rubygem(railties) = 7.0.2.3
rubygem-ammeter (maintained by: jstribny, ruby-packagers-sig, vondruch)
rubygem-ammeter-1.1.5-3.fc37.noarch requires rubygem(railties) = 7.0.2.3
rubygem-ammeter-1.1.5-3.fc37.src requires rubygem(railties) = 7.0.2.3
rubygem-font-awesome-rails (maintained by: abradshaw, ckyriakidou, evgeni,
fale, snecker)
rubygem-font-awesome-rails-4.7.0.8-2.fc37.noarch requires rubygem(railties) =
7.0.2.3
rubygem-font-awesome-rails-4.7.0.8-2.fc37.src requires rubygem(railties) =
7.0.2.3
rubygem-generator_spec (maintained by: ilgrad)
rubygem-generator_spec-0.9.4-12.fc37.noarch requires rubygem(railties) = 7.0.2.3
rubygem-generator_spec-0.9.4-12.fc37.src requires rubygem(railties) = 7.0.2.3
rubygem-globalid (maintained by: jaruga, pvalena, ruby-packagers-sig)
rubygem-globalid-1.0.0-3.fc37.src requires rubygem(railties) = 7.0.2.3
rubygem-haml (maintained by: kanarip, pvalena)
rubygem-haml-5.2.2-3.fc37.src requires rubygem(railties) = 7.0.2.3
rubygem-importmap-rails (maintained by: pvalena)
rubygem-importmap-rails-1.0.3-2.fc37.noarch requires rubygem(railties) = 7.0.2.3
rubygem-jbuilder (maintained by: pvalena, vondruch)
rubygem-jbuilder-2.11.5-2.fc37.src requires rubygem(railties) = 7.0.2.3
rubygem-jquery-rails (maintained by: jstribny, tdawson, vondruch)
rubygem-jquery-rails-4.4.0-3.fc37.noarch requires rubygem(railties) = 7.0.2.3
rubygem-rails-controller-testing (maintained by: valtri)
rubygem-rails-controller-testing-1.0.5-6.fc37.src requires rubygem(railties)
= 7.0.2.3
rubygem-sass-twitter-bootstrap (maintained by: tdawson)
rubygem-sass-twitter-bootstrap-2.3.0-16.fc37.noarch requires
rubygem(railties) = 7.0.2.3
rubygem-slim (maintained by: vondruch)
rubygem-slim-4.1.0-6.fc37.src requires rubygem(railties) = 7.0.2.3
rubygem-web-console (maintained by: jaruga, ruby-packagers-sig, vondruch)
rubygem-web-console-4.1.0-4.fc36.noarch requires rubygem(railties) = 7.0.2.3
rubygem-web-console-4.1.0-4.fc36.src requires rubygem(railties) = 7.0.2.3
Too many dependencies for rubygem-sprockets-rails, not all listed here
Affected (co)maintainers (directly and indirectly):
abradshaw: rubygem-sprockets-rails
ckyriakidou: rubygem-sprockets-rails
clalance: rubygem-sprockets-rails
ddd: recorder
eclipseo: golang-grpc-go4
evgeni: rubygem-sprockets-rails
fale: rubygem-sprockets-rails
go-sig: golang-grpc-go4, tinygo
ilgrad: rubygem-sprockets-rails
jaruga: rubygem-sprockets-rails, rubygem-coffee-rails
jchaloup: golang-grpc-go4
jstribny: rubygem-sprockets-rails
kanarip: rubygem-sprockets-rails
lberk: uom-parent
lcts: php-aws-sdk3, php-pimple
mgoodwin: uom-parent
mmorsi: rubygem-sprockets-rails
mtasaka: rubygem-sprockets-rails
nathans: uom-parent
petersen: xs
pvalena: rubygem-sprockets-rails, rubygem-minitest-reporters
qulogic: tinygo
ruby-packagers-sig: rubygem-sprockets-rails, rubygem-coffee-rails
snecker: rubygem-sprockets-rails
sseago: rubygem-sprockets-rails
tdawson: rubygem-sprockets-rails
valtri: rubygem-sprockets-rails
vondruch: rubygem-sprockets-rails, rubygem-coffee-rails
willb: lancer
--
Miro Hrončok
--
Phone: +420777974800
IRC: mhroncok
_______________________________________________
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[USN-5532-1] Bottle vulnerability
Ubuntu Security Notice USN-5532-1
July 26, 2022
python-bottle vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
Bottle could be made to leak sensitive information if it received a specially
crafted request.
Software Description:
- python-bottle: fast and simple WSGI-framework for Python
Details:
It was discovered that Bottle incorrectly handled errors during early request
binding. An attacker could possibly use this issue to disclose sensitive
information. (CVE-2022-31799)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS:
python3-bottle 0.12.19-1+deb11u1build0.22.04.1
Ubuntu 20.04 LTS:
python3-bottle 0.12.15-2.1ubuntu0.2
Ubuntu 18.04 LTS:
python-bottle 0.12.13-1ubuntu0.2
python3-bottle 0.12.13-1ubuntu0.2
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5532-1
CVE-2022-31799
Package Information:
https://launchpad.net/ubuntu/+source/python-bottle/0.12.19-1+deb11u1build0.22.04.1
https://launchpad.net/ubuntu/+source/python-bottle/0.12.15-2.1ubuntu0.2
https://launchpad.net/ubuntu/+source/python-bottle/0.12.13-1ubuntu0.2
Automated reports redirected into a new mailing list: test-reports
Monday, July 25, 2022
Fedora 37 mass rebuild complete
Per the Fedora 37 schedule[1] we started a mass rebuild for Fedora
37 on 2022/07/20. We did a mass rebuild for Fedora 37 for:
https://pagure.io/releng/issues?status=Open&tags=mass+rebuild
The mass rebuild was done in a side tag (f37-rebuild) and moved over to
f37. Failures can be seen at
https://kojipkgs.fedoraproject.org/mass-rebuild/f37-failures.html
Things still needing rebuilding are listed at
https://kojipkgs.fedoraproject.org/mass-rebuild/f37-need-rebuild.html
21713 builds have been tagged into f37; there are currently 1144 failed
builds that need to be addressed by the package maintainers. FTBFS bugs
will be filed shortly. Please be sure to let releng know if you see any
bugs in the reporting. You can contact releng in #fedora-releng on
libera.chat, by dropping an email to our list[2], joining
#releng:fedoraproject.org on Matrix, or filing an issue in pagure[3].
Regards,
Fedora Release Engineering
[1] https://fedorapeople.org/groups/schedule/f-N/f-N-key-tasks.html
[2] https://lists.fedoraproject.org/admin/lists/rel-eng.lists.fedoraproject.org/
[3] https://pagure.io/releng/
[USN-5530-1] PHP vulnerability
Ubuntu Security Notice USN-5530-1
July 25, 2022
php8.1 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
Summary:
PHP could be made to crash or run programs if it processed specially
crafted data.
Software Description:
- php8.1: HTML-embedded scripting language interpreter
Details:
It was discovered that PHP incorrectly handled certain memory operations
when obtaining file information. A remote attacker could use this issue to
cause PHP to crash, resulting in a denial of service, or possibly execute
arbitrary code.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS:
libapache2-mod-php8.1 8.1.2-1ubuntu2.2
php8.1-cgi 8.1.2-1ubuntu2.2
php8.1-cli 8.1.2-1ubuntu2.2
php8.1-fpm 8.1.2-1ubuntu2.2
php8.1-mysql 8.1.2-1ubuntu2.2
php8.1-pgsql 8.1.2-1ubuntu2.2
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5530-1
CVE-2022-31627
Package Information:
https://launchpad.net/ubuntu/+source/php8.1/8.1.2-1ubuntu2.2
Sunday, July 24, 2022
OpenBSD Errata: July 24, 2022 (xserver cron)
for OpenBSD 7.0 and 7.1.
Binary updates for the amd64, i386 and arm64 platforms are available
via the syspatch utility. Source code patches can be found on the
respective errata pages:
https://www.openbsd.org/errata71.html
https://www.openbsd.org/errata70.html
Wednesday, July 20, 2022
[USN-5529-1] Linux kernel (OEM) vulnerabilities
Ubuntu Security Notice USN-5529-1
July 21, 2022
linux-oem-5.17 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux-oem-5.17: Linux kernel for OEM systems
Details:
It was discovered that the Atheros ath9k wireless device driver in the
Linux kernel did not properly handle some error conditions, leading to a
use-after-free vulnerability. A local attacker could use this to cause a
denial of service (system crash) or possibly execute arbitrary code.
(CVE-2022-1679)
Yongkang Jia discovered that the KVM hypervisor implementation in the Linux
kernel did not properly handle guest TLB mapping invalidation requests in
some situations. An attacker in a guest VM could use this to cause a denial
of service (system crash) in the host OS. (CVE-2022-1789)
Qiuhao Li, Gaoning Pan, and Yongkang Jia discovered that the KVM hypervisor
implementation in the Linux kernel did not properly handle an illegal
instruction in a guest, resulting in a null pointer dereference. An
attacker in a guest VM could use this to cause a denial of service (system
crash) in the host OS. (CVE-2022-1852)
Gerald Lee discovered that the NTFS file system implementation in the Linux
kernel did not properly handle certain error conditions, leading to a use-
after-free vulnerability. A local attacker could use this to cause a denial
of service (system crash) or possibly expose sensitive information.
(CVE-2022-1973)
It was discovered that the netfilter subsystem in the Linux kernel
contained a buffer overflow in certain situations. A local attacker could
use this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2022-2078)
It was discovered that some Intel processors did not completely perform
cleanup actions on multi-core shared buffers. A local attacker could
possibly use this to expose sensitive information. (CVE-2022-21123)
It was discovered that some Intel processors did not completely perform
cleanup actions on microarchitectural fill buffers. A local attacker could
possibly use this to expose sensitive information. (CVE-2022-21125)
It was discovered that some Intel processors did not properly perform
cleanup during specific special register write operations. A local attacker
could possibly use this to expose sensitive information. (CVE-2022-21166)
It was discovered that the virtio RPMSG bus driver in the Linux kernel
contained a double-free vulnerability in certain error conditions. A local
attacker could possibly use this to cause a denial of service (system
crash). (CVE-2022-34494, CVE-2022-34495)
Minh Yuan discovered that the floppy disk driver in the Linux kernel
contained a race condition, leading to a use-after-free vulnerability. A
local attacker could possibly use this to cause a denial of service (system
crash) or execute arbitrary code. (CVE-2022-1652)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS:
linux-image-5.17.0-1013-oem 5.17.0-1013.14
linux-image-oem-22.04 5.17.0.1013.12
linux-image-oem-22.04a 5.17.0.1013.12
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-5529-1
CVE-2022-1652, CVE-2022-1679, CVE-2022-1789, CVE-2022-1852,
CVE-2022-1973, CVE-2022-2078, CVE-2022-21123, CVE-2022-21125,
CVE-2022-21166, CVE-2022-34494, CVE-2022-34495
Package Information:
https://launchpad.net/ubuntu/+source/linux-oem-5.17/5.17.0-1013.14
Some spins/labs to be dropped from F37
Spins/Labs will be dropped from F37 unless new maintainers step up.
## Maintainer indicated they do not have time to maintain for this release
* Robotics Spin — https://fedoraproject.org/wiki/Robotics_Spin
## Maintainer did not respond to pings
* Games Spin — https://fedoraproject.org/wiki/Games_Spin
* Security Spin — https://fedoraproject.org/wiki/Security_Spin
If you'd like to become a maintainer of one of these, please comment
on the corresponding ticket in the schedule repo[2]. If you want to
know what goes into maintaining a Spin/Lab, see the Releases docs[3].
[1] https://pagure.io/fesco/issue/1972
[2] https://pagure.io/fedora-pgm/schedule/issues?tags=spins+keepalive
[3] https://docs.fedoraproject.org/en-US/releases/spins/maintaining/
--
Ben Cotton
He / Him / His
Fedora Program Manager
Red Hat
TZ=America/Indiana/Indianapolis
Fedora 37 mass rebuild started
Per the Fedora f37 schedule[1] we have started a mass rebuild
on 2022-07-20 for Fedora f37. We are running this mass rebuild
for the changes listed in:
https://pagure.io/releng/issues?status=Open&tags=mass+rebuild
This mass rebuild will be done in a side tag (f37-rebuild) and merged
when completed.
Failures can be seen at
https://kojipkgs.fedoraproject.org/mass-rebuild/f37-failures.html
Things still needing rebuilding are listed at
https://kojipkgs.fedoraproject.org/mass-rebuild/f37-need-rebuild.html
FTBFS (Fails To Build From Source) bugs will be filed shortly after
the mass rebuild is complete.
Please be sure to let releng know if you see any bugs in the
reporting. You can contact releng in #fedora-releng channel on Libera.Chat,
the #releng:fedoraproject.org room on Matrix, or by dropping an email
to our list[2] or filing an issue in pagure[3].
This email template is also in https://pagure.io/releng if you wish to
propose improvements or changes to it.
Regards,
Fedora Release Engineering
[1] https://fedorapeople.org/groups/schedule/f-37/f-37-key-tasks.html
[2] https://lists.fedoraproject.org/admin/lists/rel-eng.lists.fedoraproject.org/
[3] https://pagure.io/releng/
[USN-5528-1] FreeType vulnerabilities
Ubuntu Security Notice USN-5528-1
July 20, 2022
freetype vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
Several security issues were fixed in FreeType.
Software Description:
- freetype: FreeType 2 is a font engine library
Details:
It was discovered that FreeType did not correctly handle certain malformed
font files. If a user were tricked into using a specially crafted font
file, a remote attacker could cause FreeType to crash, or possibly execute
arbitrary code.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS:
libfreetype6 2.11.1+dfsg-1ubuntu0.1
Ubuntu 20.04 LTS:
libfreetype6 2.10.1-2ubuntu0.2
Ubuntu 18.04 LTS:
libfreetype6 2.8.1-2ubuntu2.2
After a standard system update you need to restart your session to make all
the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5528-1
CVE-2022-27404, CVE-2022-27405, CVE-2022-27406, CVE-2022-31782
Package Information:
https://launchpad.net/ubuntu/+source/freetype/2.11.1+dfsg-1ubuntu0.1
https://launchpad.net/ubuntu/+source/freetype/2.10.1-2ubuntu0.2
https://launchpad.net/ubuntu/+source/freetype/2.8.1-2ubuntu2.2
[USN-5525-1] Apache XML Security for Java vulnerability
Ubuntu Security Notice USN-5525-1
July 20, 2022
libxml-security-java vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
Apache XML Security for Java could be made to expose sensitive information.
Software Description:
- libxml-security-java: Apache XML Security for Java
Details:
It was discovered that Apache XML Security for Java incorrectly passed a
configuration property when creating specific key elements. This allows an
attacker to abuse an XPath Transform to extract sensitive information.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.04 LTS:
libxml-security-java 2.0.10-2+deb11u1build0.20.04.1
Ubuntu 18.04 LTS:
libxml-security-java 2.0.10-2~18.04.1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5525-1
CVE-2021-40690
Package Information:
https://launchpad.net/ubuntu/+source/libxml-security-java/2.0.10-2+deb11u1build0.20.04.1
https://launchpad.net/ubuntu/+source/libxml-security-java/2.0.10-2~18.04.1
[USN-5527-1] Checkmk vulnerabilities
Ubuntu Security Notice USN-5527-1
July 20, 2022
check-mk vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.04 LTS
Summary:
Several security issues were fixed in Checkmk.
Software Description:
- check-mk: general purpose monitoring plugin for retrieving data
Details:
It was discovered that Checkmk incorrectly handled authentication. An attacker
could possibly use this issue to cause a race condition leading to information
disclosure. (CVE-2017-14955)
It was discovered that Checkmk incorrectly handled certain inputs. An attacker
could use these cross-site scripting issues to inject arbitrary HTML or
JavaScript code to obtain sensitive information including user information,
session cookies and valid credentials. (CVE-2017-9781, CVE-2021-36563,
CVE-2021-40906, CVE-2022-24565)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 18.04 LTS:
check-mk-livestatus 1.2.8p16-1ubuntu0.2
check-mk-multisite 1.2.8p16-1ubuntu0.2
check-mk-server 1.2.8p16-1ubuntu0.2
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5527-1
CVE-2017-14955, CVE-2017-9781, CVE-2021-36563, CVE-2021-40906,
CVE-2022-24565
Package Information:
https://launchpad.net/ubuntu/+source/check-mk/1.2.8p16-1ubuntu0.2
Tuesday, July 19, 2022
[USN-5526-1] PyJWT vulnerability
Ubuntu Security Notice USN-5526-1
July 20, 2022
pyjwt vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
PyJWT could allow signature forgery.
Software Description:
- pyjwt: Python 3 implementation of JSON Web Token
Details:
Aapo Oksman discovered that PyJWT incorrectly handled signatures
constructed from SSH public keys. A remote attacker could use this to forge
a JWT signature.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS:
python3-jwt 2.3.0-1ubuntu0.1
Ubuntu 20.04 LTS:
python3-jwt 1.7.1-2ubuntu2.1
Ubuntu 18.04 LTS:
python-jwt 1.5.3+ds1-1ubuntu0.1
python3-jwt 1.5.3+ds1-1ubuntu0.1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5526-1
CVE-2022-29217
Package Information:
https://launchpad.net/ubuntu/+source/pyjwt/2.3.0-1ubuntu0.1
https://launchpad.net/ubuntu/+source/pyjwt/1.7.1-2ubuntu2.1
https://launchpad.net/ubuntu/+source/pyjwt/1.5.3+ds1-1ubuntu0.1
Upcoming F37 schedule dates
* 2022-07-19 (TODAY!) — F37 Self-Contained Change proposals due
* 2022-07-20 (TOMORROW) — Mass rebuild begins
* 2022-07-26 — Software string freeze
* 2022-08-09 — F37 branches from Rawhide, Change complete (testable) deadline
More schedule details are available at
https://fedorapeople.org/groups/schedule/f-37/f-37-key-tasks.html
--
Ben Cotton
He / Him / His
Fedora Program Manager
Red Hat
TZ=America/Indiana/Indianapolis
[USN-5524-1] HarfBuzz vulnerability
Ubuntu Security Notice USN-5524-1
July 19, 2022
harfbuzz vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
HarfBuzz could be made to crash if it opened specially crafted data.
Software Description:
- harfbuzz: OpenType text shaping engine
Details:
It was discovered that HarfBuzz incorrectly handled certain glyph sizes. A
remote attacker could use this issue to cause HarfBuzz to crash, resulting
in a denial of service.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS:
libharfbuzz0b 2.7.4-1ubuntu3.1
Ubuntu 20.04 LTS:
libharfbuzz0b 2.6.4-1ubuntu4.2
After a standard system update you need to restart your session to make all
the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5524-1
CVE-2022-33068
Package Information:
https://launchpad.net/ubuntu/+source/harfbuzz/2.7.4-1ubuntu3.1
https://launchpad.net/ubuntu/+source/harfbuzz/2.6.4-1ubuntu4.2
List of long term FTBFS packages to be retired in August
Based on the current fail to build from source policy, the following packages
will be retired from Fedora 37 approximately one week before branching (August
2022).
Policy:
https://docs.fedoraproject.org/en-US/fesco/Fails_to_build_from_source_Fails_to_install/
The packages in rawhide have not been successfully built since at least Fedora 35.
This report is based on dist tags.
Packages collected via:
https://github.com/hroncok/fedora-report-ftbfs-retirements/blob/master/ftbfs-retirements.ipynb
If you see a package that was built, please let me know.
If you see a package that should be exempted from the process, please let me
know and we can work together to get a FESCo approval for that.
If you see a package that can be rebuilt, please do so.
Package (co)maintainers
============================================================================
golang-grpc-go4 eclipseo, go-sig, jchaloup
klamav kkofler
koffice-kivio kkofler, rdieter
lancer willb
php-aws-sdk3 lcts
php-pimple lcts
recorder ddd
rubygem-bundler_ext jaruga, ruby-packagers-sig, vondruch
rubygem-coffee-rails jaruga, ruby-packagers-sig, vondruch
rubygem-image_processing pvalena
rubygem-minitest-reporters pvalena
rubygem-sprockets-rails jaruga, pvalena, ruby-packagers-sig
tinygo go-sig, qulogic
uom-parent lberk, mgoodwin, nathans
xs petersen
The following packages require the above-mentioned packages:
Depending on: golang-grpc-go4 (1)
golang-x-build (maintained by: eclipseo, go-sig, jchaloup)
golang-x-build-0-0.19.20201229git0a4bf69.fc35.src requires
golang(grpc.go4.org) = 0-0.9.20180421git11d0a25.fc34,
golang(grpc.go4.org/codes) = 0-0.9.20180421git11d0a25.fc34
golang-x-build-devel-0-0.19.20201229git0a4bf69.fc35.noarch requires
golang(grpc.go4.org) = 0-0.9.20180421git11d0a25.fc34,
golang(grpc.go4.org/codes) = 0-0.9.20180421git11d0a25.fc34
Depending on: rubygem-image_processing (28)
rubygem-activestorage (maintained by: ruby-packagers-sig, vondruch)
rubygem-activestorage-7.0.2.3-1.fc37.src requires rubygem(image_processing) =
1.11.0
rubygem-actionmailbox (maintained by: pvalena)
rubygem-actionmailbox-7.0.2.3-1.fc37.noarch requires rubygem(activestorage) =
7.0.2.3
rubygem-actionmailbox-7.0.2.3-1.fc37.src requires rubygem(activestorage) =
7.0.2.3
rubygem-actiontext (maintained by: pvalena)
rubygem-actiontext-7.0.2.3-1.fc37.noarch requires rubygem(activestorage) =
7.0.2.3
rubygem-actiontext-7.0.2.3-1.fc37.src requires rubygem(activestorage) = 7.0.2.3
rubygem-rails (maintained by: jstribny, kanarip, mmorsi, mtasaka, pvalena,
ruby-packagers-sig, sseago, tdawson, vondruch)
rubygem-rails-1:7.0.2.3-1.fc37.noarch requires rubygem(activestorage) = 7.0.2.3
rubygem-railties (maintained by: mmorsi, pvalena, tdawson, vondruch)
rubygem-railties-7.0.2.3-1.fc37.src requires rubygem(activestorage) = 7.0.2.3
rubygem-rspec-rails (maintained by: clalance, vondruch)
rubygem-rspec-rails-5.1.1-1.fc37.src requires rubygem(actionmailbox) = 7.0.2.3
rubygem-apipie-rails (maintained by: ruby-packagers-sig, vondruch)
rubygem-apipie-rails-0.5.18-5.fc36.noarch requires rubygem(rails) = 7.0.2.3
rubygem-declarative_authorization (maintained by: mcpierce)
rubygem-declarative_authorization-0.5.7-17.fc36.noarch requires
rubygem(rails) = 7.0.2.3
rubygem-importmap-rails (maintained by: pvalena)
rubygem-importmap-rails-1.0.3-1.fc37.src requires rubygem(rails) = 7.0.2.3
rubygem-sass-rails (maintained by: ruby-packagers-sig, tdawson, vondruch)
rubygem-sass-rails-6.0.0-4.fc36.src requires rubygem(rails) = 7.0.2.3
rubygem-shoulda (maintained by: stahnma, tdawson)
rubygem-shoulda-3.6.0-10.fc36.src requires rubygem(rails) = 7.0.2.3
rubygem-shoulda-context (maintained by: tdawson, vondruch)
rubygem-shoulda-context-1.2.2-11.fc36.src requires rubygem(rails) = 7.0.2.3
rubygem-shoulda-matchers (maintained by: vondruch)
rubygem-shoulda-matchers-4.5.1-3.fc36.src requires rubygem(rails) = 7.0.2.3
rubygem-actionpack (maintained by: jaruga, jstribny, kanarip, mmorsi, pvalena,
ruby-packagers-sig, sseago, vondruch)
rubygem-actionpack-1:7.0.2.3-1.fc37.src requires rubygem(railties) = 7.0.2.3
rubygem-actionview (maintained by: jaruga, pvalena, ruby-packagers-sig)
rubygem-actionview-7.0.2.3-1.fc37.src requires rubygem(railties) = 7.0.2.3
rubygem-activemodel (maintained by: jstribny, mmorsi, pvalena, tdawson, vondruch)
rubygem-activemodel-7.0.2.3-1.fc37.src requires rubygem(railties) = 7.0.2.3
rubygem-ammeter (maintained by: jstribny, ruby-packagers-sig, vondruch)
rubygem-ammeter-1.1.5-2.fc36.noarch requires rubygem(railties) = 7.0.2.3
rubygem-ammeter-1.1.5-2.fc36.src requires rubygem(railties) = 7.0.2.3
rubygem-font-awesome-rails (maintained by: abradshaw, ckyriakidou, evgeni,
fale, snecker)
rubygem-font-awesome-rails-4.7.0.8-1.fc37.noarch requires rubygem(railties) =
7.0.2.3
rubygem-font-awesome-rails-4.7.0.8-1.fc37.src requires rubygem(railties) =
7.0.2.3
rubygem-generator_spec (maintained by: ilgrad)
rubygem-generator_spec-0.9.4-11.fc36.noarch requires rubygem(railties) = 7.0.2.3
rubygem-generator_spec-0.9.4-11.fc36.src requires rubygem(railties) = 7.0.2.3
rubygem-globalid (maintained by: jaruga, pvalena, ruby-packagers-sig)
rubygem-globalid-1.0.0-2.fc36.src requires rubygem(railties) = 7.0.2.3
rubygem-haml (maintained by: kanarip, pvalena)
rubygem-haml-5.2.2-2.fc36.src requires rubygem(railties) = 7.0.2.3
rubygem-jbuilder (maintained by: pvalena, vondruch)
rubygem-jbuilder-2.11.5-1.fc37.src requires rubygem(railties) = 7.0.2.3
rubygem-jquery-rails (maintained by: jstribny, tdawson, vondruch)
rubygem-jquery-rails-4.4.0-2.fc36.noarch requires rubygem(railties) = 7.0.2.3
rubygem-rails-controller-testing (maintained by: valtri)
rubygem-rails-controller-testing-1.0.5-5.fc36.src requires rubygem(railties)
= 7.0.2.3
rubygem-sass-twitter-bootstrap (maintained by: tdawson)
rubygem-sass-twitter-bootstrap-2.3.0-15.fc36.noarch requires
rubygem(railties) = 7.0.2.3
rubygem-sassc-rails (maintained by: pvalena)
rubygem-sassc-rails-2.1.2-4.fc36.noarch requires rubygem(railties) = 7.0.2.3
rubygem-sassc-rails-2.1.2-4.fc36.src requires rubygem(railties) = 7.0.2.3
rubygem-slim (maintained by: vondruch)
rubygem-slim-4.1.0-5.fc36.src requires rubygem(railties) = 7.0.2.3
rubygem-web-console (maintained by: jaruga, ruby-packagers-sig, vondruch)
rubygem-web-console-4.1.0-4.fc36.noarch requires rubygem(railties) = 7.0.2.3
rubygem-web-console-4.1.0-4.fc36.src requires rubygem(railties) = 7.0.2.3
Too many dependencies for rubygem-image_processing, not all listed here
Affected (co)maintainers (directly and indirectly):
abradshaw: rubygem-image_processing
ckyriakidou: rubygem-image_processing
clalance: rubygem-image_processing
ddd: recorder
eclipseo: golang-grpc-go4
evgeni: rubygem-image_processing
fale: rubygem-image_processing
go-sig: tinygo, golang-grpc-go4
ilgrad: rubygem-image_processing
jaruga: rubygem-coffee-rails, rubygem-bundler_ext, rubygem-image_processing,
rubygem-sprockets-rails
jchaloup: golang-grpc-go4
jstribny: rubygem-image_processing
kanarip: rubygem-image_processing
kkofler: klamav, koffice-kivio
lberk: uom-parent
lcts: php-aws-sdk3, php-pimple
mcpierce: rubygem-image_processing
mgoodwin: uom-parent
mmorsi: rubygem-image_processing
mtasaka: rubygem-image_processing
nathans: uom-parent
petersen: xs
pvalena: rubygem-image_processing, rubygem-minitest-reporters,
rubygem-sprockets-rails
qulogic: tinygo
rdieter: koffice-kivio
ruby-packagers-sig: rubygem-coffee-rails, rubygem-bundler_ext,
rubygem-image_processing, rubygem-sprockets-rails
snecker: rubygem-image_processing
sseago: rubygem-image_processing
stahnma: rubygem-image_processing
tdawson: rubygem-image_processing
valtri: rubygem-image_processing
vondruch: rubygem-coffee-rails, rubygem-bundler_ext, rubygem-image_processing
willb: lancer
--
Miro Hrončok
--
Phone: +420777974800
IRC: mhroncok
[USN-5523-1] LibTIFF vulnerabilities
Ubuntu Security Notice USN-5523-1
July 19, 2022
tiff vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 ESM
- Ubuntu 14.04 ESM
Summary:
Several security issues were fixed in LibTIFF.
Software Description:
- tiff: Tag Image File Format (TIFF) library
Details:
It was discovered that LibTIFF was not properly performing checks to
guarantee that allocated memory space existed, which could lead to a
NULL pointer dereference via a specially crafted file. An attacker
could possibly use this issue to cause a denial of service.
(CVE-2022-0907, CVE-2022-0908)
It was discovered that LibTIFF was not properly performing checks to
avoid division calculations where the denominator value was zero,
which could lead to an undefined behavior situation via a specially
crafted file. An attacker could possibly use this issue to cause a
denial of service. (CVE-2022-0909)
It was discovered that LibTIFF was not properly performing bounds
checks, which could lead to an out-of-bounds read via a specially
crafted file. An attacker could possibly use this issue to cause a
denial of service or to expose sensitive information. (CVE-2022-0924)
It was discovered that LibTIFF was not properly performing the
calculation of data that would eventually be used as a reference for
bounds checking operations, which could lead to an out-of-bounds
read via a specially crafted file. An attacker could possibly use
this issue to cause a denial of service or to expose sensitive
information. (CVE-2020-19131)
It was discovered that LibTIFF was not properly terminating a
function execution when processing incorrect data, which could lead
to an out-of-bounds read via a specially crafted file. An attacker
could possibly use this issue to cause a denial of service or to
expose sensitive information. (CVE-2020-19144)
It was discovered that LibTIFF was not properly performing checks
when setting the value for data later used as reference during memory
access, which could lead to an out-of-bounds read via a specially
crafted file. An attacker could possibly use this issue to cause a
denial of service or to expose sensitive information.
(CVE-2022-22844)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 ESM:
libtiff-opengl 4.0.6-1ubuntu0.8+esm2
libtiff-tools 4.0.6-1ubuntu0.8+esm2
libtiff5 4.0.6-1ubuntu0.8+esm2
libtiffxx5 4.0.6-1ubuntu0.8+esm2
Ubuntu 14.04 ESM:
libtiff-opengl 4.0.3-7ubuntu0.11+esm2
libtiff-tools 4.0.3-7ubuntu0.11+esm2
libtiff5 4.0.3-7ubuntu0.11+esm2
libtiffxx5 4.0.3-7ubuntu0.11+esm2
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5523-1
CVE-2020-19131, CVE-2020-19144, CVE-2022-0907, CVE-2022-0908,
CVE-2022-0909, CVE-2022-0924, CVE-2022-22844
Monday, July 18, 2022
Ubuntu 21.10 (Impish Indri) End of Life reached on July 14 2022
that as of July 14, 2022, Ubuntu 21.10 is no longer supported. No more
package updates will be accepted to 21.10, and it will be archived to
old-releases.ubuntu.com in the coming weeks.
The original End of Life warning follows, with upgrade instructions:
Ubuntu announced its 21.10 (Impish Indri) release almost 9 months
ago, on October 14, 2021, and its support period is now nearing its
end. Ubuntu 21.10 will reach end of life on July 14, 2022.
At that time, Ubuntu Security Notices will no longer include
information or updated packages for Ubuntu 21.10.
The supported upgrade path from Ubuntu 21.10 is via Ubuntu 22.04 LTS.
Instructions and caveats for the upgrade may be found at:
https://help.ubuntu.com/community/JammyUpgrades
Ubuntu 22.04 LTS continues to be actively supported with security
updates and select high-impact bug fixes. Announcements of security
updates for Ubuntu releases are sent to the ubuntu-security-announce
mailing list, information about which may be found at:
https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
Since its launch in October 2004 Ubuntu has become one of the most
highly regarded Linux distributions with millions of users in homes,
schools, businesses and governments around the world. Ubuntu is Open
Source software, costs nothing to download, and users are free to
customise or alter their software in order to meet their needs.
On behalf of the Ubuntu Release Team,
--
Brian Murray
F37 proposal: Mumble 1.4 (Self-Contained Change proposal)
This document represents a proposed Change. As part of the Changes
process, proposals are publicly announced in order to receive
community feedback. This proposal will only be implemented if approved
by the Fedora Engineering Steering Committee.
== Summary ==
Update the Mumble voice chat application from 1.3 to 1.4.
== Owner ==
* Name: [[User:carlwgeorge| Carl George]]
* Email: carl@redhat.com
== Detailed Description ==
Earlier this year the Mumble project released a new major version. The full
list of new features can be found in the
[https://www.mumble.info/blog/mumble-1.4.230/ upstream release notes].
This change also involves several notable packaging changes.
* Enable the native PipeWire audio backend
* Rename the Mumble server package from murmur to mumble-server, per
upstream preference
* Relocate Mumble server configuration file from
/etc/murmur/murmur.ini to /etc/murmur.ini, per upstream preference
== Feedback ==
== Benefit to Fedora ==
Mumble is a popular voice chat application. It is commonly used for gaming and
podcasts. Updating the Fedora package to the latest upstream version ensures
that Fedora Linux continues to be an attractive operating system for those
communities.
== Scope ==
* Proposal owners:
** Build version 1.4.x in carlwgeorge/mumble copr
** Test copr packages
** Build version 1.4.x in appropriate Fedora branches
* Other developers: N/A (not needed for this Change)
* Release engineering: N/A (not needed for this Change)
* Policies and guidelines: N/A (not needed for this Change)
* Trademark approval: N/A (not needed for this Change)
== Upgrade/compatibility impact ==
The Mumble developers prefer distributions to name the server package
mumble-server. Currently this is named murmur in Fedora. This change renames
the server package to align with upstream. The required provides/obsoletes
will be added per the packaging guidelines.
The Mumble developers prefer the server configuration file to be
/etc/murmur.ini. Currently this file is /etc/murmur/murmur.ini in Fedora.
This change relocates that file in an RPM scriptlet to align with upstream.
The old path will become a compatibility symlink to the new path.
== How To Test ==
As Mumble is voice chat software, to test this change you will need a
microphone and headphones/speakers. The carlwgeorge/mumble copr repository
contains the updated packages. Install the mumble package to test the client.
Install the mumble-server package to test the server. If you have other Mumble
servers you routinely connect to, connect to them with the updated mumble
package. If you are familiar with setting up a Mumble server, set one up with
the existing 1.3.x packages and then update to the 1.4.x packages. Verify that
the server configuration file gets relocated as described in this change.
== User Experience ==
Users will have the 1.4.x version of Mumble available, with all the
upstream features that provides.
== Dependencies ==
N/A
== Contingency Plan ==
* Contingency mechanism: revert to Mumble 1.3 with an epoch
* Contingency deadline: beta freeze
* Blocks release? no
== Documentation ==
* https://www.mumble.info/blog/mumble-1.4.230/
== Release Notes ==
Mumble 1.4 is available in Fedora 37.
--
Ben Cotton
He / Him / His
Fedora Program Manager
Red Hat
TZ=America/Indiana/Indianapolis
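An added illustration, not the mumble package's own RPM scriptlet: Python that performs the relocation described under "Upgrade/compatibility impact" (move /etc/murmur/murmur.ini to /etc/murmur.ini and leave the old path as a compatibility symlink) against a chosen root directory, together with the check that the "How To Test" section asks for. The function names, the returned labels and the `.rpmsave` handling of a file that already exists at the new path are assumptions; the sample ini content is constructed.

```python
"""Relocate the Mumble server config from the old Fedora path to the upstream
path and leave a compatibility symlink behind, as the F37 Change describes.

Added illustration of the scriptlet logic, not the package's own %post code;
function names and return labels are invented. Everything is relative to a
root directory so it can be exercised on a scratch tree.
"""
import tempfile
from pathlib import Path

# Paths from the Change proposal, relative to the install root.
OLD_REL = Path("etc/murmur/murmur.ini")   # current Fedora location
NEW_REL = Path("etc/murmur.ini")          # upstream-preferred location


def relocate_config(root) -> str:
    """Move OLD_REL to NEW_REL under `root` and make OLD_REL a symlink to it.

    Returns one of (invented labels):
      "migrated"           - file moved, symlink created
      "already-migrated"   - old path is already a symlink; nothing to do
      "nothing-to-migrate" - old path absent (fresh install)
      "conflict-preserved" - both existed; old copy kept as murmur.ini.rpmsave,
                             file at the new path left untouched, symlink created
    """
    root = Path(root)
    old, new = root / OLD_REL, root / NEW_REL
    if old.is_symlink():
        return "already-migrated"          # re-running the scriptlet is a no-op
    if not old.exists():
        return "nothing-to-migrate"
    if new.exists():
        # Never clobber a file already at the new path (it may carry an admin's
        # edits); park the old one beside it the way RPM does for config files.
        old.rename(old.with_name(old.name + ".rpmsave"))
        result = "conflict-preserved"
    else:
        # rename(2) keeps mode and ownership, which matters because murmur.ini
        # can hold the server password and database credentials.
        old.rename(new)
        result = "migrated"
    # Relative target, so the link resolves both under / and under a scratch root.
    old.symlink_to(Path("..") / NEW_REL.name)
    return result


def verify_relocation(root) -> bool:
    """The check from 'How To Test': the new path is a regular file and the
    old path is a symlink that resolves to it."""
    root = Path(root)
    old, new = root / OLD_REL, root / NEW_REL
    return (new.is_file() and not new.is_symlink()
            and old.is_symlink() and old.resolve() == new.resolve())


def run_demo() -> dict:
    """Exercise the migration on constructed scratch trees; returns what was observed."""
    sample = "[murmur]\nserverpassword=constructed-example\n"  # constructed content
    out = {}
    # Scenario 1: a 1.3.x-style layout with a mode 0600 config, then a re-run.
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        old = root / OLD_REL
        old.parent.mkdir(parents=True)
        old.write_text(sample)
        old.chmod(0o600)
        out["first"] = relocate_config(root)
        out["verified"] = verify_relocation(root)
        out["content_kept"] = (root / NEW_REL).read_text() == sample
        out["mode_kept"] = ((root / NEW_REL).stat().st_mode & 0o777) == 0o600
        out["second"] = relocate_config(root)   # idempotent re-run
    # Scenario 2: a file already exists at the upstream path.
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        old = root / OLD_REL
        old.parent.mkdir(parents=True)
        old.write_text("old")
        (root / NEW_REL).write_text("new")
        out["conflict"] = relocate_config(root)
        out["conflict_new_kept"] = (root / NEW_REL).read_text() == "new"
        out["conflict_saved"] = old.with_name("murmur.ini.rpmsave").read_text() == "old"
        out["conflict_verified"] = verify_relocation(root)
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running the module prints the observations from both scenarios; `verify_relocation("/")` is the one-liner a tester would use on a real system after updating from the 1.3.x packages.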
F37 proposal: Emacs 28 (Self-Contained Change proposal)
This document represents a proposed Change. As part of the Changes
process, proposals are publicly announced in order to receive
community feedback. This proposal will only be implemented if approved
by the Fedora Engineering Steering Committee.
== Summary ==
Update GNU Emacs to 28.1 release. This release includes a wide variety
of new features, including native compilation of Lisp files.
== Owner ==
* Name: [[User:Bhavin192| Bhavin Gandhi]]
* Email: bhavin192@fedoraproject.org
== Detailed Description ==
The Emacs package will be updated to 28.1 release of GNU Emacs. This
will have native compilation feature enabled, and will package
additional natively compiled Lisp files.
== Benefit to Fedora ==
This major version of Emacs has bugfixes and new features which also
improve the overall speed of Emacs.
== Scope ==
* Proposal owners: Upgrade the Emacs package to 28.1
* Other developers: N/A
* Release engineering: N/A (not needed for this Change)
* Policies and guidelines: N/A (not needed for this Change)
* Trademark approval: N/A (not needed for this Change)
* Alignment with Objectives: N/A
== Upgrade/compatibility impact ==
Users might see some warnings while their installed Emacs packages get
natively compiled on the first launch after the upgrade. These warnings
won't break any functionality, though users are encouraged to
update their Emacs packages.
== How To Test ==
# Run dnf update emacs
# Open Emacs and check if inbuilt functionalities and packages work as intended.
== User Experience ==
https://www.gnu.org/software/emacs/#Releases
* Lisp files are natively compiled, which results in speed improvements
for most of the functionalities
* Much improved display of Emoji and Emoji sequences
* New system for documenting groups of functions
== Dependencies ==
N/A
== Contingency Plan ==
* Contingency mechanism: (What to do? Who will do it?) N/A (not a
System Wide Change)
* Contingency deadline: N/A (not a System Wide Change)
* Blocks release? N/A (not a System Wide Change), No
== Documentation ==
* https://www.gnu.org/software/emacs/news/NEWS.28.1
* https://src.fedoraproject.org/rpms/emacs/pull-request/12
== Release Notes ==
The upstream release notes are available at
https://www.gnu.org/software/emacs/news/NEWS.28.1
These can also be accessed from within Emacs by doing `C-h n`.
--
Ben Cotton
He / Him / His
Fedora Program Manager
Red Hat
TZ=America/Indiana/Indianapolis