Wednesday, August 31, 2022
[lfs-announce] LFS and BLFS Version 11.2 are released
LFS Version 11.2, LFS Version 11.2 (systemd), BLFS Version 11.2, and
BLFS Version 11.2 (systemd).
This release is a major update to both LFS and BLFS.
The LFS release includes updates to gcc-12.2.0, glibc-2.36, and binutils-2.39. The
Linux kernel has also been updated to version 5.19.2. Changes to text
have been made throughout the books.
The BLFS version includes approximately 1000 packages beyond the base
Linux From Scratch Version 11.2 book. This release has over 1100 updates
from the previous BLFS version including package updates and numerous text and formatting
changes.
Thanks for this release go to many contributors. Notably:
Douglas Reno
Pierre Labastie
Xi Ruoyao
Thomas Trepl
Ken Moffat
Tim Tassonis
You can read the books online[0]-[3], or download them[4]-[7] to read locally.
Please direct any comments about this release to the LFS development
team at lfs-dev@lists.linuxfromscratch.org or
blfs-dev@lists.linuxfromscratch.org. Registration for the mailing lists
is required to avoid junk email.
-- Bruce Dubbs
LFS
[0] http://www.linuxfromscratch.org/lfs/view/11.2/
[1] http://www.linuxfromscratch.org/blfs/view/11.2/
[2] http://www.linuxfromscratch.org/lfs/view/11.2-systemd/
[3] http://www.linuxfromscratch.org/blfs/view/11.2-systemd/
[4] http://www.linuxfromscratch.org/lfs/downloads/11.2/
[5] http://www.linuxfromscratch.org/blfs/downloads/11.2/
[6] http://www.linuxfromscratch.org/lfs/downloads/11.2-systemd/
[7] http://www.linuxfromscratch.org/blfs/downloads/11.2-systemd/
[USN-5591-1] Linux kernel vulnerability
Ubuntu Security Notice USN-5591-1
August 31, 2022
linux-azure, linux-gcp, linux-hwe vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 ESM
- Ubuntu 14.04 ESM
Summary:
The system could be made to crash or run programs as an administrator.
Software Description:
- linux-azure: Linux kernel for Microsoft Azure Cloud systems
- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems
- linux-hwe: Linux hardware enablement (HWE) kernel
Details:
It was discovered that the virtual terminal driver in the Linux kernel
did not properly handle VGA console font changes, leading to an
out-of-bounds write. A local attacker could use this to cause a denial
of service (system crash) or possibly execute arbitrary code.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 ESM:
linux-image-4.15.0-1135-gcp 4.15.0-1135.151~16.04.2
linux-image-4.15.0-1150-azure 4.15.0-1150.165~16.04.1
linux-image-4.15.0-192-generic 4.15.0-192.203~16.04.1
linux-image-4.15.0-192-lowlatency 4.15.0-192.203~16.04.1
linux-image-azure 4.15.0.1150.137
linux-image-gcp 4.15.0.1135.129
linux-image-generic-hwe-16.04 4.15.0.192.179
linux-image-gke 4.15.0.1135.129
linux-image-lowlatency-hwe-16.04 4.15.0.192.179
linux-image-oem 4.15.0.192.179
linux-image-virtual-hwe-16.04 4.15.0.192.179
Ubuntu 14.04 ESM:
linux-image-4.15.0-1150-azure 4.15.0-1150.165~14.04.1
linux-image-azure 4.15.0.1150.119
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-5591-1
CVE-2021-33656
Tuesday, August 30, 2022
FreeBSD Security Advisory FreeBSD-SA-22:13.zlib
=============================================================================
FreeBSD-SA-22:13.zlib Security Advisory
The FreeBSD Project
Topic: zlib heap buffer overflow
Category: contrib
Module: zlib
Announced: 2022-08-30
Credits: Evgeny Legerov of @intevydis
Affects: All supported versions of FreeBSD.
Corrected: 2022-08-09 14:40:35 UTC (stable/13, 13.1-STABLE)
2022-08-30 23:02:48 UTC (releng/13.1, 13.1-RELEASE-p2)
2022-08-30 22:57:49 UTC (releng/13.0, 13.0-RELEASE-p13)
2022-08-09 14:45:04 UTC (stable/12, 12.3-STABLE)
2022-08-30 23:16:45 UTC (releng/12.3, 12.3-RELEASE-p7)
CVE Name: CVE-2022-37434
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
zlib is a software library implementing compression and decompression.
It is used in various places in the FreeBSD kernel and userland.
II. Problem Description
zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow
in inflate in inflate.c via a large gzip header extra field.
III. Impact
Applications that call inflateGetHeader may be vulnerable to a buffer
overflow. Note that inflateGetHeader is not used by anything in the
FreeBSD base system, but may be used by third party software.
IV. Workaround
No workaround is available, but applications that do not call
inflateGetHeader are not vulnerable.
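The "large gzip header extra field" case above is easiest to see with the buffer that inflateGetHeader hands to zlib: the caller supplies gz_header.extra and extra_max, and the extra field arrives across inflate() calls, so the position already written into that buffer can exceed extra_max before the next chunk is copied. The following is an added example, not zlib's or FreeBSD's code: a small incremental gzip-header parser written in Python that keeps the FEXTRA field in a bounded buffer, beside a model of the unchecked copy-length arithmetic (32-bit unsigned, an assumption for illustration) that wraps once the write position is past the buffer. The class and function names (GzipHeaderExtra, feed, truncated) and the sample stream are constructed for this demonstration.

```python
# Added example (not zlib's or FreeBSD's code): chunked gzip FEXTRA handling
# with a bounded destination buffer, in the spirit of gz_header.extra /
# extra_max / extra_len used with inflateGetHeader().
import struct

FEXTRA = 0x04          # FLG bit for the optional extra field (RFC 1952)
U32 = 0xFFFFFFFF       # assumption: model C `unsigned` as 32-bit


def unchecked_copy_len(pos, copy, extra_max):
    """Unbounded style: when pos (bytes already consumed) is past extra_max,
    extra_max - pos wraps to a huge value and memcpy would overflow the heap."""
    if (pos + copy) & U32 > extra_max:
        return (extra_max - pos) & U32
    return copy


def checked_copy_len(pos, copy, extra_max):
    """Bounded style: never subtract once pos is at or past the buffer end."""
    if pos >= extra_max:
        return 0
    return min(copy, extra_max - pos)


class GzipHeaderExtra:
    """Parses a gzip member header fed in arbitrary chunks and stores at most
    extra_max bytes of the FEXTRA field, while still consuming all of it."""

    def __init__(self, extra_max):
        self.extra_max = extra_max
        self.extra = bytearray(extra_max)   # caller-sized, like gz_header.extra
        self.extra_len = None               # XLEN from the stream, once parsed
        self._remaining = None              # extra bytes still to consume
        self._buf = b""                     # fixed header bytes seen so far
        self.done = False

    def feed(self, chunk):
        """Consume one chunk; returns the bytes that follow the extra field."""
        if self.done:
            return chunk
        if self._remaining is None:
            self._buf += chunk
            if len(self._buf) < 10:              # ID1 ID2 CM FLG MTIME XFL OS
                return b""
            if self._buf[:2] != b"\x1f\x8b" or self._buf[2] != 8:
                raise ValueError("not a gzip member")
            if not self._buf[3] & FEXTRA:
                self.extra_len, self.done = 0, True
                return bytes(self._buf[10:])
            if len(self._buf) < 12:              # need the 2-byte XLEN too
                return b""
            self.extra_len = struct.unpack("<H", self._buf[10:12])[0]
            self._remaining = self.extra_len
            chunk, self._buf = bytes(self._buf[12:]), b""
        copy = min(len(chunk), self._remaining)
        pos = self.extra_len - self._remaining   # bytes of extra already consumed
        take = checked_copy_len(pos, copy, self.extra_max)
        if take:
            self.extra[pos:pos + take] = chunk[:take]
        self._remaining -= copy                  # consumed even when not stored
        if self._remaining == 0:
            self.done = True
        return chunk[copy:]

    def truncated(self):
        """The check an application owes after the header is reported."""
        return self.extra_len is not None and self.extra_len > self.extra_max


def demo():
    """Constructed stream: XLEN=8 but only 4 bytes reserved, fed as 6+2 bytes."""
    header = b"\x1f\x8b\x08" + bytes([FEXTRA]) + b"\x00\x00\x00\x00\x00\x03"
    extra = b"ABCDEFGH"
    stream = header + struct.pack("<H", len(extra)) + extra + b"rest"
    h, leftover = GzipHeaderExtra(extra_max=4), b""
    for part in (stream[:18], stream[18:20], stream[20:]):
        leftover += h.feed(part)
    return h, leftover
```

In demo(), the first chunk delivers six extra bytes, of which four fit; the second chunk arrives with pos = 6, where checked_copy_len returns 0 but unchecked_copy_len(6, 2, 4) returns 0xFFFFFFFE, the size a wrapped subtraction would hand to memcpy. An application that calls inflateGetHeader should treat extra_len greater than extra_max as a truncated field rather than assume the buffer holds the whole thing.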
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date, and
restart daemons if necessary.
Perform one of the following:
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the amd64, i386, or
(on FreeBSD 13 and later) arm64 platforms can be updated via the
freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-22:13/zlib.patch
# fetch https://security.FreeBSD.org/patches/SA-22:13/zlib.patch.asc
# gpg --verify zlib.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart all daemons that use the library, or reboot the system.
VI. Correction details
This issue is corrected by the corresponding Git commit hash or Subversion
revision number in the following stable and release branches:
Branch/path Hash Revision
-------------------------------------------------------------------------
stable/13/ 10cc2bf5f7a5 stable/13-n252073
releng/13.1/ 289231c9634a releng/13.1-n250156
releng/13.0/ 77cd23716ffb releng/13.0-n244808
stable/12/ r372370
releng/12.3/ r372460
-------------------------------------------------------------------------
For FreeBSD 13 and later:
Run the following command to see which files were modified by a
particular commit:
# git show --stat <commit hash>
Or visit the following URL, replacing NNNNNN with the hash:
<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:
# git rev-list --count --first-parent HEAD
For FreeBSD 12 and earlier:
Run the following command to see which files were modified by a particular
revision, replacing NNNNNN with the revision number:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37434>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-22:13.zlib.asc>
FreeBSD Errata Notice FreeBSD-EN-22:20.tzdata
=============================================================================
FreeBSD-EN-22:20.tzdata Errata Notice
The FreeBSD Project
Topic: Timezone database information update
Category: contrib
Module: zoneinfo
Announced: 2022-08-30
Affects: All supported versions of FreeBSD.
Corrected: 2022-08-17 01:48:01 UTC (stable/13, 13.1-STABLE)
2022-08-30 23:02:48 UTC (releng/13.1, 13.1-RELEASE-p2)
2022-08-30 23:01:22 UTC (releng/13.0, 13.0-RELEASE-p13)
2022-08-17 01:56:52 UTC (stable/12, 12.3-STABLE)
2022-08-30 23:16:54 UTC (releng/12.3, 12.3-RELEASE-p7)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.
I. Background
The IANA Time Zone Database (often called tz or zoneinfo) contains code and
data that represent the history of local time for many representative
locations around the globe. It is updated periodically to reflect changes
made by political bodies to time zone boundaries, UTC offsets, and
daylight-saving rules.
FreeBSD releases install the IANA Time Zone Database in /usr/share/zoneinfo.
The tzsetup(8) utility allows the user to specify the default local time
zone. Based on the selected time zone, tzsetup(8) copies one of the files
from /usr/share/zoneinfo to /etc/localtime. A time zone may also be selected
for an individual process by setting its TZ environment variable to a desired
time zone name.
II. Problem Description
Several changes to future and past timestamps have been recorded in the IANA
Time Zone Database after previous FreeBSD releases were released. This
affects many users in different parts of the world. Because of these
changes, the data in the zoneinfo files need to be updated. If the local
timezone on the running system is affected, tzsetup(8) needs to be run to
update /etc/localtime.
III. Impact
An incorrect time will be displayed on a system configured to use one of the
affected time zones if the /usr/share/zoneinfo and /etc/localtime files are
not updated, and all applications on the system that rely on the system time,
such as cron(8) and syslog(8), will be affected.
IV. Workaround
The system administrator can install an updated version of the IANA Time Zone
Database from the misc/zoneinfo port and run tzsetup(8).
Applications that store and display times in Coordinated Universal Time (UTC)
are not affected.
V. Solution
Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.
Please note that some third party software, for instance PHP, Ruby, Java,
Perl and Python, may be using different zoneinfo data sources, in such cases
this software must be updated separately. Software packages that are
installed via binary packages can be upgraded by executing 'pkg upgrade'.
Following the instructions in this Errata Notice will only update the IANA
Time Zone Database installed in /usr/share/zoneinfo.
Perform one of the following:
1) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the amd64, i386, or
(on FreeBSD 13 and later) arm64 platforms can be updated via the
freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
Restart all the affected applications and daemons, or reboot the system.
2) To update your system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/EN-22:20/tzdata-2022c.patch
# fetch https://security.FreeBSD.org/patches/EN-22:20/tzdata-2022c.patch.asc
# gpg --verify tzdata-2022c.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart all the affected applications and daemons, or reboot the system.
VI. Correction details
This issue is corrected by the corresponding Git commit hash or Subversion
revision number in the following stable and release branches:
Branch/path Hash Revision
-------------------------------------------------------------------------
stable/13/ f7cb47731675 stable/13-n252124
releng/13.1/ e86b610b8744 releng/13.1-n250157
releng/13.0/ 707cecae4e34 releng/13.0-n244809
stable/12/ r372409
releng/12.3/ r372461
-------------------------------------------------------------------------
For FreeBSD 13 and later:
Run the following command to see which files were modified by a
particular commit:
# git show --stat <commit hash>
Or visit the following URL, replacing NNNNNN with the hash:
<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:
# git rev-list --count --first-parent HEAD
For FreeBSD 12 and earlier:
Run the following command to see which files were modified by a particular
revision, replacing NNNNNN with the revision number:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://github.com/eggert/tz/blob/2022b/NEWS>
<URL:https://github.com/eggert/tz/blob/2022c/NEWS>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-22:20.tzdata.asc>
[USN-5590-1] Linux kernel (OEM) vulnerability
Ubuntu Security Notice USN-5590-1
August 30, 2022
linux-oem-5.14 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04 LTS
Summary:
The system could be made to crash if it received specially crafted
network traffic.
Software Description:
- linux-oem-5.14: Linux kernel for OEM systems
Details:
Domingo Dirutigliano and Nicola Guerrera discovered that the netfilter
subsystem in the Linux kernel did not properly handle rules that truncated
packets below the packet header size. When such rules are in place, a
remote attacker could possibly use this to cause a denial of service
(system crash).
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.04 LTS:
linux-image-5.14.0-1050-oem 5.14.0-1050.57
linux-image-oem-20.04 5.14.0.1050.46
linux-image-oem-20.04b 5.14.0.1050.46
linux-image-oem-20.04c 5.14.0.1050.46
linux-image-oem-20.04d 5.14.0.1050.46
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-5590-1
CVE-2022-36946
Package Information:
https://launchpad.net/ubuntu/+source/linux-oem-5.14/5.14.0-1050.57
[arch-announce] Grub bootloader upgrade and configuration incompatibilities
command is invoked. Depending on your system hardware and setup this could
cause an unbootable system due to incompatibilities between the installed
bootloader and configuration. After a `grub` package update it is advised to
run both installation and regeneration of the configuration:
grub-install ...
grub-mkconfig -o /boot/grub/grub.cfg
For more specific information on `grub-install`, please refer to the wiki:
[GRUB - ArchWiki](https://wiki.archlinux.org/title/GRUB#Installation)
URL: https://archlinux.org/news/grub-bootloader-upgrade-and-configuration-incompatibilities/
[USN-5589-1] Linux kernel vulnerabilities
Ubuntu Security Notice USN-5589-1
August 30, 2022
linux, linux-raspi vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux: Linux kernel
- linux-raspi: Linux kernel for Raspberry Pi systems
Details:
Asaf Modelevsky discovered that the Intel(R) 10GbE PCI Express (ixgbe)
Ethernet driver for the Linux kernel performed insufficient control flow
management. A local attacker could possibly use this to cause a denial
of service. (CVE-2021-33061)
It was discovered that the virtual terminal driver in the Linux kernel
did not properly handle VGA console font changes, leading to an
out-of-bounds write. A local attacker could use this to cause a denial
of service (system crash) or possibly execute arbitrary code.
(CVE-2021-33656)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.04 LTS:
linux-image-5.4.0-1069-raspi 5.4.0-1069.79
linux-image-5.4.0-125-generic 5.4.0-125.141
linux-image-5.4.0-125-generic-lpae 5.4.0-125.141
linux-image-5.4.0-125-lowlatency 5.4.0-125.141
linux-image-generic 5.4.0.125.126
linux-image-generic-lpae 5.4.0.125.126
linux-image-lowlatency 5.4.0.125.126
linux-image-oem 5.4.0.125.126
linux-image-oem-osp1 5.4.0.125.126
linux-image-raspi 5.4.0.1069.102
linux-image-raspi2 5.4.0.1069.102
linux-image-virtual 5.4.0.125.126
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-5589-1
CVE-2021-33061, CVE-2021-33656
Package Information:
https://launchpad.net/ubuntu/+source/linux/5.4.0-125.141
https://launchpad.net/ubuntu/+source/linux-raspi/5.4.0-1069.79
[USN-5588-1] Linux kernel vulnerability
Ubuntu Security Notice USN-5588-1
August 30, 2022
linux vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 ESM
Summary:
The system could be made to crash or run programs as an administrator.
Software Description:
- linux: Linux kernel
Details:
Zhenpeng Lin discovered that the network packet scheduler implementation
in the Linux kernel did not properly remove all references to a route
filter before freeing it in some situations. A local attacker could use
this to cause a denial of service (system crash) or execute arbitrary code.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 ESM:
linux-image-3.13.0-191-generic 3.13.0-191.242
linux-image-3.13.0-191-lowlatency 3.13.0-191.242
linux-image-generic 3.13.0.191.201
linux-image-lowlatency 3.13.0.191.201
linux-image-server 3.13.0.191.201
linux-image-virtual 3.13.0.191.201
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-5588-1
CVE-2022-2588
[USN-5572-2] Linux kernel (AWS) vulnerabilities
Ubuntu Security Notice USN-5572-2
August 30, 2022
linux-aws vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 ESM
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems
Details:
Roger Pau Monné discovered that the Xen virtual block driver in the
Linux kernel did not properly initialize memory pages to be used for
shared communication with the backend. A local attacker could use this
to expose sensitive information (guest kernel memory). (CVE-2022-26365)
Roger Pau Monné discovered that the Xen paravirtualization frontend in
the Linux kernel did not properly initialize memory pages to be used for
shared communication with the backend. A local attacker could use this
to expose sensitive information (guest kernel memory). (CVE-2022-33740)
It was discovered that the Xen paravirtualization frontend in the Linux
kernel incorrectly shared unrelated data when communicating with certain
backends. A local attacker could use this to cause a denial of service
(guest crash) or expose sensitive information (guest kernel memory).
(CVE-2022-33741)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 ESM:
linux-image-4.4.0-1112-aws 4.4.0-1112.118
linux-image-aws 4.4.0.1112.109
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-5572-2
https://ubuntu.com/security/notices/USN-5572-1
CVE-2022-26365, CVE-2022-33740, CVE-2022-33741
[USN-5585-1] Jupyter Notebook vulnerabilities
Ubuntu Security Notice USN-5585-1
August 30, 2022
jupyter-notebook vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
Several security issues were fixed in Jupyter Notebook.
Software Description:
- jupyter-notebook: Jupyter interactive notebook
Details:
It was discovered that Jupyter Notebook incorrectly handled certain notebooks.
Because Nbconvert did not set a Content Security Policy, an attacker could
possibly use this issue to perform cross-site scripting (XSS) attacks on the
notebook server. This issue only affected Ubuntu 18.04 LTS. (CVE-2018-19351)
It was discovered that Jupyter Notebook incorrectly handled certain SVG
documents. An attacker could possibly use this issue to perform cross-site
scripting (XSS) attacks. This issue only affected Ubuntu 18.04 LTS.
(CVE-2018-21030)
It was discovered that Jupyter Notebook incorrectly filtered certain URLs on
the login page. An attacker could possibly use this issue to perform an
open-redirect attack. This issue only affected Ubuntu 18.04 LTS.
(CVE-2019-10255)
It was discovered that Jupyter Notebook had an incomplete fix for
CVE-2019-10255. An attacker could possibly use this issue to perform an
open-redirect attack using a URL with an empty netloc. (CVE-2019-10856)
It was discovered that Jupyter Notebook incorrectly handled the inclusion of
remote pages on Jupyter server. An attacker could possibly use this issue to
perform cross-site script inclusion (XSSI) attacks. This issue only affected
Ubuntu 18.04 LTS. (CVE-2019-9644)
It was discovered that Jupyter Notebook incorrectly filtered certain URLs to a
notebook. An attacker could possibly use this issue to perform an open-redirect
attack. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
(CVE-2020-26215)
It was discovered that Jupyter Notebook server access logs were not protected.
An attacker with access to the notebook server could possibly use this issue
to steal sensitive information such as auth tokens and cookies.
(CVE-2022-24758)
It was discovered that Jupyter Notebook did not properly restrict access to
hidden files on the server. An authenticated attacker could possibly use this
issue to read sensitive hidden files on the server, which could result in full
access to the server. This issue only affected Ubuntu 20.04 LTS and
Ubuntu 22.04 LTS. (CVE-2022-29238)
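The two open-redirect entries above describe the same weak check: the login page accepted a `next` parameter and only rejected it when it parsed with a non-empty network location. The following is an added example, not Jupyter Notebook's own code, showing a validator for such a parameter that also handles the empty-netloc forms: `///evil.example` parses with an empty netloc and path `/evil.example`, yet a browser treats the leading slashes as scheme-relative and leaves the site, and `/\evil.example` does the same because browsers read a backslash as a slash. The function name safe_next_url, the default `/tree`, and the hostnames are constructed for the demonstration.

```python
# Added example (not Jupyter Notebook's code): keep a post-login "next"
# redirect inside the current origin, including the empty-netloc cases.
import posixpath
from urllib.parse import urlsplit, urlunsplit


def safe_next_url(next_param, default="/tree"):
    """Return next_param if it is a same-origin absolute path, else default."""
    if not next_param:
        return default
    # Browsers treat "\" as "/" in special schemes, so normalise before parsing;
    # otherwise "/\evil.example" would look like a local path.
    candidate = next_param.replace("\\", "/")
    parts = urlsplit(candidate)
    # A scheme or authority means an absolute URL ("https://...", "//host/").
    if parts.scheme or parts.netloc:
        return default
    # Empty netloc is not proof of safety: "///evil.example" splits into
    # netloc "" and path "/evil.example" but resolves to https://evil.example/.
    if candidate.startswith("//"):
        return default
    # Require an absolute local path; relative paths depend on the current page.
    if not parts.path.startswith("/"):
        return default
    # Collapse "." and ".." so the path cannot climb out of a base prefix.
    path = posixpath.normpath(parts.path)
    if parts.path.endswith("/") and path != "/":
        path += "/"
    # Rebuild without scheme, authority or fragment; keep the query string.
    return urlunsplit(("", "", path, parts.query, ""))


if __name__ == "__main__":
    for candidate in ("/notebooks/a.ipynb?x=1", "//evil.example/", "///evil.example",
                      "/\\evil.example", "https://evil.example/", "javascript:alert(1)"):
        print(f"{candidate!r:32} -> {safe_next_url(candidate)}")
```

The order of the checks matters: the startswith("//") test runs after urlsplit would already have accepted the URL, which is exactly the gap between the first fix and its follow-up in the advisory.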
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS:
jupyter-notebook 6.4.8-1ubuntu0.1
python3-notebook 6.4.8-1ubuntu0.1
Ubuntu 20.04 LTS:
jupyter-notebook 6.0.3-2ubuntu0.1
python3-notebook 6.0.3-2ubuntu0.1
Ubuntu 18.04 LTS:
jupyter-notebook 5.2.2-1ubuntu0.1
python-notebook 5.2.2-1ubuntu0.1
python3-notebook 5.2.2-1ubuntu0.1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5585-1
CVE-2018-19351, CVE-2018-21030, CVE-2019-10255, CVE-2019-10856,
CVE-2019-9644, CVE-2020-26215, CVE-2022-24758, CVE-2022-29238
Package Information:
https://launchpad.net/ubuntu/+source/jupyter-notebook/6.4.8-1ubuntu0.1
https://launchpad.net/ubuntu/+source/jupyter-notebook/6.0.3-2ubuntu0.1
https://launchpad.net/ubuntu/+source/jupyter-notebook/5.2.2-1ubuntu0.1
Monday, August 29, 2022
[USN-5583-1] systemd vulnerability
Ubuntu Security Notice USN-5583-1
August 29, 2022
systemd vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.04 LTS
Summary:
systemd could be made to crash or run programs if it received a specially
crafted DNS request.
Software Description:
- systemd: system and service manager
Details:
It was discovered that systemd incorrectly handled certain DNS requests,
which leads to a use-after-free vulnerability. An attacker could possibly use
this issue to cause a crash or execute arbitrary code. (CVE-2022-2526)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 18.04 LTS:
systemd 237-3ubuntu10.54
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5583-1
CVE-2022-2526
Package Information:
https://launchpad.net/ubuntu/+source/systemd/237-3ubuntu10.54
[USN-5586-1] SDL vulnerability
Ubuntu Security Notice USN-5586-1
August 29, 2022
libsdl1.2 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 ESM
Summary:
SDL could be made to crash or behave unexpectedly.
Software Description:
- libsdl1.2: Simple DirectMedia Layer
Details:
It was discovered that SDL (Simple DirectMedia Layer) incorrectly
handled memory. An attacker could potentially use this issue to cause
a denial of service or other unexpected behavior.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 ESM:
libsdl1.2debian 1.2.15+dfsg1-3ubuntu0.1+esm2
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5586-1
CVE-2022-34568
F38 proposal: Strong crypto settings: phase 3, forewarning 2/2 (System-Wide Change proposal)
== Summary ==
Cryptographic policies will be tightened in Fedora ''38''-39;
SHA-1 signatures will no longer be trusted by default.
Fedora ''38'' will do a "jump scare", introducing the change but then
reverting it in time for Beta.
Test your setup with TEST-FEDORA39 today and file bugs in advance so
you won't get bitten by Fedora ''38''-39.
== Owner ==
* Name: [[User:Asosedkin| Alexander Sosedkin]]
* Email: asosedki@redhat.com
== Detailed Description ==
Secure defaults are an ever-moving target.
Fedora 28 had [[Changes/StrongCryptoSettings|StrongCryptoSettings]].
Fedora 33 had [[Changes/StrongCryptoSettings2|StrongCryptoSettings2]].
Fedora 39 should have [[Changes/StrongCryptoSettings3|StrongCryptoSettings3]].
By Fedora 39, the policies will be, in TLS perspective:
LEGACY
MACs: All HMAC with SHA1 or better + all modern MACs (Poly1305 etc.)
Curves: all prime >= 255 bits (including Bernstein curves)
Signature algorithms: SHA-1 hash or better (no DSA)
Ciphers: all available > 112-bit key, >= 128-bit block (no RC4 or 3DES)
Key exchange: ECDHE, RSA, DHE (no DHE-DSS)
DH params size: >=2048
RSA params size: >=2048
TLS protocols: TLS >= 1.2
DEFAULT
MACs: All HMAC with SHA1 or better + all modern MACs (Poly1305 etc.)
Curves: all prime >= 255 bits (including Bernstein curves)
Signature algorithms: with SHA-224 hash or better (no DSA)
Ciphers: >= 128-bit key, >= 128-bit block (AES, ChaCha20, including AES-CBC)
Key exchange: ECDHE, RSA, DHE (no DHE-DSS)
DH params size: >= 2048
RSA params size: >= 2048
TLS protocols: TLS >= 1.2
FUTURE
MACs: All HMAC with SHA256 or better + all modern MACs (Poly1305 etc.)
Curves: all prime >= 255 bits (including Bernstein curves)
Signature algorithms: SHA-256 hash or better (no DSA)
Ciphers: >= 256-bit key, >= 128-bit block, only Authenticated
Encryption (AE) ciphers
Key exchange: ECDHE, DHE
DH params size: >= 3072
RSA params size: >= 3072
TLS protocols: TLS >= 1.2
The flagship change this time will be distrusting SHA-1 signatures
on the cryptographic library level, affecting more than just TLS.
OpenSSL will start blocking signature creation and verification by default,
with the fallout anticipated to be wide enough
for us to roll out the change across multiple cycles
with multiple forewarnings
to give developers and maintainers ample time to react:
Fedora 36:
* SHA-1 signatures are distrusted in FUTURE policy (opt-in)
* TEST-FEDORA39 policy is provided
* creating and verifying SHA-1 signatures is logged to ease reporting bugs
Fedora 37 [[Changes/StrongCryptoSettings3Forewarning3|StrongCryptoSettings3Forewarning1]]:
* (was initially reserved to implement logging of SHA-1 signature operations)
'''Fedora 38 [[Changes/StrongCryptoSettings3Forewarning3|StrongCryptoSettings3Forewarning2]]''':
* policies are updated, most notably
* SHA-1 signatures are distrusted in DEFAULT policy
* changes are reverted in branched f38 in time for Beta and do not reach users
Fedora 39 [[Changes/StrongCryptoSettings3|StrongCryptoSettings3]]:
* changes reach users
The plan is subject to change if it goes sideways somewhere along the way.
So, in Fedora 36, 37 and ''38 released'' distrusting SHA-1 signatures
will be opt-in.
In ''Fedora 38 rawhide'' and Fedora 39 distrusting SHA-1 signatures
will happen by default.
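Before the library-level distrust reaches users, the practical first step is an inventory of what still carries a SHA-1 signature, and certificates are the most common case. The following is an added example, not part of the proposal or of the crypto-policies package: a standard-library Python script that reports the signature algorithm of every certificate in a PEM bundle and flags the SHA-1 ones. It reads only the outer Certificate SEQUENCE (tbsCertificate, signatureAlgorithm, signature), so it needs no third-party parser. The sample certificate it builds is a synthetic DER skeleton with an empty tbsCertificate, constructed here for the demonstration; the function names are assumptions.

```python
# Added example (not crypto-policies or Fedora code): find SHA-1-signed
# certificates in a PEM bundle before they are distrusted by default.
import base64
import re
import sys

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Signature-algorithm OIDs (RFC 3279, 4055, 5758, 8410) -> (name, uses SHA-1)
SIG_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.3.14.3.2.29": ("sha1WithRSA (OIW)", True),
    "1.2.840.10040.4.3": ("dsaWithSHA1", True),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", False),
    "1.2.840.113549.1.1.10": ("RSASSA-PSS", False),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", False),
    "1.2.840.10045.4.3.4": ("ecdsa-with-SHA512", False),
    "1.3.101.112": ("Ed25519", False),
}


def der_tlv(buf, off=0):
    """Decode one DER tag/length/value at buf[off] -> (tag, value, next_off)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                       # long form: n length bytes follow
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length


def decode_oid(value):
    """DER OID contents -> dotted string (base-128 arcs, first two packed)."""
    arcs, acc = [], 0
    for b in value:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    first = arcs[0]
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(x) for x in head + arcs[1:])


def signature_algorithm(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }"""
    tag, cert, _ = der_tlv(der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, off = der_tlv(cert, 0)            # skip tbsCertificate entirely
    _, alg, _ = der_tlv(cert, off)          # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = der_tlv(alg, 0)           # first element: the algorithm OID
    if tag != 0x06:
        raise ValueError("expected OID in AlgorithmIdentifier")
    return decode_oid(oid)


def scan_pem_bundle(pem_bytes):
    """-> list of (index, oid, name, uses_sha1) for each certificate found."""
    rows = []
    for i, m in enumerate(PEM_RE.finditer(pem_bytes)):
        oid = signature_algorithm(base64.b64decode(m.group(1)))
        name, sha1 = SIG_OIDS.get(oid, (oid, False))
        rows.append((i, oid, name, sha1))
    return rows


def der_encode(tag, content):
    """Minimal DER TLV encoder, used only to build the synthetic sample."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    arcs = [int(x) for x in dotted.split(".")]
    out = bytearray()
    for a in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        enc = [a & 0x7F]
        a >>= 7
        while a:
            enc.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(enc))
    return der_encode(0x06, bytes(out))


def synthetic_cert_pem(sig_oid):
    """Constructed skeleton (empty tbsCertificate, dummy signature), demo only."""
    tbs = der_encode(0x30, b"")
    alg = der_encode(0x30, encode_oid(sig_oid) + b"\x05\x00")   # OID + NULL
    sig = der_encode(0x03, b"\x00" * 17)                        # BIT STRING
    der = der_encode(0x30, tbs + alg + sig)
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else synthetic_cert_pem("1.2.840.113549.1.1.5")
    for i, oid, name, sha1 in scan_pem_bundle(data):
        print(f"cert {i}: {name} ({oid}){'  <-- SHA-1 signature' if sha1 else ''}")
```

Run it against /etc/pki/tls/certs/ca-bundle.crt or any application's own bundle; the same OID table applies to CRLs and OCSP responses, whose signatureAlgorithm sits in the same position of their outer SEQUENCE. Self-signed root certificates are a special case: their signature is never verified during chain building, so a SHA-1 root in the trust store is not by itself broken by the change.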
== Feedback ==
[https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/VVLHQAWI3IQ7NRLKMUHJ27JV3V2JAFDP
A discussion]
has been raised on fedora-devel,
[https://lwn.net/Articles/887832 a summary] is available on LWN.
The change has the potential to prove disruptive and controversial,
with much effort being focused on stretching it out in time.
There seems to be a consensus that the change has to be done eventually,
but the ideal means of implementing it are in no way clear.
The decision to discover code reliant on SHA-1 signatures
by blocking creation/verification has not gathered many fans,
but not many alternative proposals have been raised in return.
A notable one, making the library somehow log the offending operations,
has been incorporated in the proposal,
though the effectiveness of it is yet to be seen in practice.
Another notable takeaway point is the need to call for testing,
which would be done in the form of writing four Fedora Changes
and testing SHA-1 signature distrusting during Fedora 37 & ''38'' Test Days.
The change owner doesn't see the plan as an ideal one
and continues to be open for feedback.
== Benefit to Fedora ==
Fedora 39 will ship with more secure defaults
to better match the ever-changing landscape of cryptographic practices.
TLS 1.0 / 1.1 protocol version will be disabled
as they're [https://datatracker.ietf.org/doc/rfc8996 deprecated],
minimum key sizes will be raised to keep up with the computational advances etc.
Distrusting SHA-1 signatures specifically is expected to trigger
a topical distribution-wide crackdown
on [https://eprint.iacr.org/2020/014 weak] cryptography,
raising the security of the distribution moving forward.
== Scope ==
* Proposal owners: implement changes described in Summary and
Dependencies sections
* Other developers:
Test your applications with TEST-FEDORA39 policy.
Move away from trusting SHA-1 signatures;
ideally in time for F38 branch-off,
for F39 release at the latest.
Follow [[SHA1SignaturesGuidance | SHA1SignaturesGuidance]]:
1. move away from trusting SHA-1 signatures entirely, or
2. distrust them by default and require explicit user opt-in to use a workaround
* Release engineering: Not sure if mass-rebuild is required if we
land the change right after f38 branch-off. Maybe a "preview"
mass-rebuild can be done with a special build in the F37 timeframe to
cut down on F38 FTBFS.
* Policies and guidelines: update needed
CryptoPolicies section of the packaging guidelines
will have to be updated to reflect that
SHA-1 signatures must not be trusted by default
and provide guidance for openssl and gnutls.
Components using workaround APIs must not use them without explicit user opt-in
and must be added to a list of applications using a workaround API.
* Trademark approval: N/A (not needed for this Change)
* Alignment with Objectives: not with Fedora 37-era ones
== Upgrade/compatibility impact ==
See "User experience".
Upgrade-time issues aren't specifically anticipated;
if any were to arise, testing should find them in ''Fedora 38''-times,
to be fixed by Fedora 39 release at the latest.
Administrators willing to sacrifice security
can apply LEGACY or FEDORA38 policies.
== How To Test ==
=== Testing actively ===
On a ''Fedora 38 rawhide'' system,
install crypto-policies-scripts package and switch to a more restrictive policy
with `update-crypto-policies --set TEST-FEDORA39`.
Proceed to use the system as usual,
identify the workflows which are broken by this change.
Verify that the broken functionality works again
once the policy is relaxed back
with, e.g., `update-crypto-policies --set TEST-FEDORA39:SHA1`,
and file bug reports against the affected components if not filed already.
Please start your ticket title with `StrongCryptoSettings3: `,
mention this change page, the version of crypto-policies package
and the policies under which your workflow does and does not work.
Especially brave souls can dare to try
`update-crypto-policies --set FUTURE` instead,
though this policy is more aggressive than the upcoming defaults.
=== Testing passively ===
On a ''Fedora 38 released'' system, install a special logging tool from
https://copr.fedorainfracloud.org/coprs/asosedkin/sha1sig-tracer
Run it and proceed to use your system.
Once the tool notifies you about soon-to-be-blocked SHA-1 signature operations,
identify the component and actions leading to these operations,
and verify that repeating them leads to logging more entries.
Ideally also verify that switching to a stricter policy breaks the workflow.
File bug reports against the affected components if not filed already.
Please start your ticket title with `StrongCryptoSettings3: `
and link to this change page.
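As an added example (not code from the change proposal, Fedora, or the crypto-policies project), here is a stand-alone Python audit that reports which certificates carry a SHA-1-based signatureAlgorithm, so the files a stricter policy will reject can be inventoried before switching to it; the sample certificates are constructed inside the block and are not real ones.

```python
"""Flag X.509 certificates whose signature is SHA-1-based.

Added example, not code from Fedora or crypto-policies. Only the outer
  Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
is parsed, so no third-party ASN.1 library is needed.
"""
import base64
import re

# Signature OIDs that TEST-FEDORA39 / FUTURE style policies distrust.
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsaWithSHA1",
}
# A few modern OIDs so the report can name what it saw.
OTHER_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.3.101.112": "Ed25519",
}


def _read_tlv(data: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n_octets = length & 0x7F
        length = int.from_bytes(data[pos:pos + n_octets], "big")
        pos += n_octets
    end = pos + length
    if end > len(data):
        raise ValueError("truncated DER element")
    return tag, data[pos:end], end


def _decode_oid(value: bytes) -> str:
    """Convert OBJECT IDENTIFIER contents to dotted notation."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for octet in value[1:]:
        acc = (acc << 7) | (octet & 0x7F)
        if not octet & 0x80:  # high bit clear: last octet of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armour and base64-decode the first CERTIFICATE block."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def signature_algorithm_oid(der: bytes) -> str:
    """Return the OID of the outer signatureAlgorithm of a DER certificate."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, _, pos = _read_tlv(cert, 0)            # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(cert, pos)     # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def audit_certificate(der: bytes) -> dict:
    """Name the signature algorithm and say whether a SHA-1 ban would block it."""
    oid = signature_algorithm_oid(der)
    name = SHA1_SIGNATURE_OIDS.get(oid) or OTHER_SIGNATURE_OIDS.get(oid, "unknown")
    return {"oid": oid, "name": name, "sha1": oid in SHA1_SIGNATURE_OIDS}


# --- constructed sample certificates (not real ones) -------------------------
def _der(tag: int, content: bytes) -> bytes:
    """Tiny DER encoder, used only to build the samples."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + content


def _der_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    body = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(chunk)
    return _der(0x06, bytes(body))


def _sample_certificate(sig_oid: str) -> bytes:
    """Structurally valid Certificate shell: dummy body, chosen algorithm, zero signature."""
    tbs = _der(0x30, _der(0x02, b"\x02") + _der(0x04, bytes(200)))  # forces a long-form length
    alg = _der(0x30, _der_oid(sig_oid) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" + bytes(32))
    return _der(0x30, tbs + alg + sig)


SAMPLE_SHA1_DER = _sample_certificate("1.2.840.113549.1.1.5")
SAMPLE_SHA256_DER = _sample_certificate("1.2.840.113549.1.1.11")
SAMPLE_SHA1_PEM = ("-----BEGIN CERTIFICATE-----\n"
                   + base64.encodebytes(SAMPLE_SHA1_DER).decode()
                   + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for label, der in (("sha1-sample", SAMPLE_SHA1_DER), ("sha256-sample", SAMPLE_SHA256_DER)):
        r = audit_certificate(der)
        print(f"{label}: {r['name']} ({r['oid']})", "SHA-1, will be distrusted" if r["sha1"] else "ok")
```

Real certificates can be fed in as DER bytes or through `pem_to_der`; the parser only touches the outer structure, so it works the same on full-size certificates.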
== User Experience ==
Things will break.
All kinds of things depending on SHA-1 signatures, openly and secretly.
* On Fedora 36-37 they'll break opt-in.
* '''On Fedora 38 rawhide they'll break by default.'''
* '''On Fedora 38 released they'll behave like in Fedora 37.'''
* On Fedora 39 they'll break by default again, including the released version.
== Dependencies ==
A small coordinated change with openssl is required.
In Fedora 38,
openssl should start distrusting SHA-1 signatures
when used with no configuration file.
This does not affect the majority of scenarios,
only applications that do not follow system-wide cryptographic policies.
All reverse dependencies of core cryptographic libraries are affected,
especially openssl ones relying on SHA-1 signatures.
== Contingency Plan ==
* Contingency mechanism: not needed for F38, change will be reverted
before Beta anyway
* Contingency deadline: not needed for F38, change will be reverted
before Beta anyway
* Blocks release? No
== Documentation ==
Workaround API
should be added to [[SHA1SignaturesGuidance | SHA1SignaturesGuidance]].
Packaging guidelines should be modified accordingly.
== Release Notes ==
To be done, similarly to
https://pagure.io/fedora-docs/release-notes/issue/829
--
Ben Cotton
He / Him / His
Fedora Program Manager
Red Hat
TZ=America/Indiana/Indianapolis
_______________________________________________
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
[USN-5584-1] Schroot vulnerability
Ubuntu Security Notice USN-5584-1
August 29, 2022
schroot vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 ESM
Summary:
Schroot could be made to deny service if certain
schroot names are used.
Software Description:
- schroot: Execute commands in a chroot environment
Details:
It was discovered that Schroot incorrectly handled certain Schroot names.
An attacker could possibly use this issue to break schroot's internal
state causing a denial of service.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS:
schroot 1.6.10-12ubuntu3.1
Ubuntu 20.04 LTS:
schroot 1.6.10-9ubuntu0.1
Ubuntu 18.04 LTS:
schroot 1.6.10-4ubuntu0.1
Ubuntu 16.04 ESM:
schroot 1.6.10-1ubuntu3+esm1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5584-1
CVE-2022-2787
Package Information:
https://launchpad.net/ubuntu/+source/schroot/1.6.10-12ubuntu3.1
https://launchpad.net/ubuntu/+source/schroot/1.6.10-9ubuntu0.1
https://launchpad.net/ubuntu/+source/schroot/1.6.10-4ubuntu0.1
Thursday, August 25, 2022
Check out the Fedora Packager Dashboard!
This is just a reminder that there is a Fedora Packager Dashboard that you
might not know about:
Go to https://packager-dashboard.fedoraproject.org/
Enter your FAS username, (sit down and relax for a while if coming for the
first time) and enjoy aggregated information about your Fedora and EPEL
packages from:
- Bugzilla
- Bodhi
- ABRT
- Koschei
- src.fedoraproject.org PRs
- orphans reports
- non-installability reports
- Fedora release schedule
- Package calendars (currently GNOME and Python, but extensible)
- and possibly more in the future
With various filtering options.
Also works for FAS groups or custom views of multiple users that can be used
for triages, e.g.:
https://packager-dashboard.fedoraproject.org/dashboard?users=churchyard,pviktori,cstratak,torsava,lbalhar,thrnciar,ksurma,vstinner
See the help page for more:
https://packager-dashboard.fedoraproject.org/helpmepls
--
Miro Hrončok
--
Phone: +420777974800
IRC: mhroncok
Wednesday, August 24, 2022
[USN-5582-1] Linux kernel (Azure CVM) vulnerabilities
Ubuntu Security Notice USN-5582-1
August 25, 2022
linux-azure-fde vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux-azure-fde: Linux kernel for Microsoft Azure CVM cloud systems
Details:
Arthur Mongodin discovered that the netfilter subsystem in the Linux kernel
did not properly perform data validation. A local attacker could use this
to escalate privileges in certain situations. (CVE-2022-34918)
Zhenpeng Lin discovered that the network packet scheduler implementation in
the Linux kernel did not properly remove all references to a route filter
before freeing it in some situations. A local attacker could use this to
cause a denial of service (system crash) or execute arbitrary code.
(CVE-2022-2588)
It was discovered that the netfilter subsystem of the Linux kernel did not
prevent one nft object from referencing an nft set in another nft table,
leading to a use-after-free vulnerability. A local attacker could use this
to cause a denial of service (system crash) or execute arbitrary code.
(CVE-2022-2586)
It was discovered that the block layer subsystem in the Linux kernel did
not properly initialize memory in some situations. A privileged local
attacker could use this to expose sensitive information (kernel memory).
(CVE-2022-0494)
Hu Jiahui discovered that multiple race conditions existed in the Advanced
Linux Sound Architecture (ALSA) framework, leading to use-after-free
vulnerabilities. A local attacker could use these to cause a denial of
service (system crash) or possibly execute arbitrary code. (CVE-2022-1048)
Minh Yuan discovered that the floppy disk driver in the Linux kernel
contained a race condition, leading to a use-after-free vulnerability. A
local attacker could possibly use this to cause a denial of service (system
crash) or execute arbitrary code. (CVE-2022-1652)
It was discovered that the Atheros ath9k wireless device driver in the
Linux kernel did not properly handle some error conditions, leading to a
use-after-free vulnerability. A local attacker could use this to cause a
denial of service (system crash) or possibly execute arbitrary code.
(CVE-2022-1679)
It was discovered that the Marvell NFC device driver implementation in the
Linux kernel did not properly perform memory cleanup operations in some
situations, leading to a use-after-free vulnerability. A local attacker
could possibly use this to cause a denial of service (system crash) or
execute arbitrary code. (CVE-2022-1734)
Duoming Zhou discovered a race condition in the NFC subsystem in the Linux
kernel, leading to a use-after-free vulnerability. A privileged local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2022-1974)
Duoming Zhou discovered that the NFC subsystem in the Linux kernel did not
properly prevent context switches from occurring during certain atomic
context operations. A privileged local attacker could use this to cause a
denial of service (system crash). (CVE-2022-1975)
Felix Fu discovered that the Sun RPC implementation in the Linux kernel did
not properly handle socket states, leading to a use-after-free
vulnerability. A remote attacker could possibly use this to cause a denial
of service (system crash) or execute arbitrary code. (CVE-2022-28893)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.04 LTS:
linux-image-5.4.0-1089-azure-fde 5.4.0-1089.94+cvm1.2
linux-image-azure-fde 5.4.0.1089.94+cvm1.29
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-5582-1
CVE-2022-0494, CVE-2022-1048, CVE-2022-1652, CVE-2022-1679,
CVE-2022-1734, CVE-2022-1974, CVE-2022-1975, CVE-2022-2586,
CVE-2022-2588, CVE-2022-28893, CVE-2022-34918
Package Information:
https://launchpad.net/ubuntu/+source/linux-azure-fde/5.4.0-1089.94+cvm1.2
[USN-5581-1] Firefox vulnerabilities
Ubuntu Security Notice USN-5581-1
August 24, 2022
firefox vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
Firefox could be made to crash or run programs as your login if it
opened a malicious website.
Software Description:
- firefox: Mozilla Open Source web browser
Details:
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, spoof the contents
of the addressbar, bypass security restrictions, or execute arbitrary
code.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.04 LTS:
firefox 104.0+build3-0ubuntu0.20.04.1
Ubuntu 18.04 LTS:
firefox 104.0+build3-0ubuntu0.18.04.1
After a standard system update you need to restart Firefox to make
all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5581-1
CVE-2022-38472, CVE-2022-38473, CVE-2022-38475, CVE-2022-38477,
CVE-2022-38478
Package Information:
https://launchpad.net/ubuntu/+source/firefox/104.0+build3-0ubuntu0.20.04.1
https://launchpad.net/ubuntu/+source/firefox/104.0+build3-0ubuntu0.18.04.1
[USN-5578-2] Open VM Tools vulnerability
Ubuntu Security Notice USN-5578-2
August 24, 2022
open-vm-tools vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 ESM
Summary:
open-vm-tools could be made to run programs as an administrator.
Software Description:
- open-vm-tools: Open VMware Tools for virtual machines hosted on VMware
Details:
USN-5578-1 fixed a vulnerability in Open VM Tools. This update provides
the corresponding update for Ubuntu 16.04 ESM.
Original advisory details:
It was discovered that Open VM Tools incorrectly handled certain requests.
An attacker inside the guest could possibly use this issue to gain root
privileges inside the virtual machine.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 ESM:
open-vm-tools 2:10.2.0-3~ubuntu0.16.04.1+esm1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5578-2
https://ubuntu.com/security/notices/USN-5578-1
CVE-2022-31676
[USN-5580-1] Linux kernel (AWS) vulnerabilities
Ubuntu Security Notice USN-5580-1
August 24, 2022
linux-aws vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 ESM
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems
Details:
It was discovered that the framebuffer driver on the Linux kernel did
not verify size limits when changing font or screen size, leading to an
out-of-bounds write. A local attacker could use this to cause a denial
of service (system crash) or possibly execute arbitrary code.
(CVE-2021-33655)
It was discovered that the virtual terminal driver in the Linux kernel
did not properly handle VGA console font changes, leading to an
out-of-bounds write. A local attacker could use this to cause a denial
of service (system crash) or possibly execute arbitrary code.
(CVE-2021-33656)
It was discovered that the Packet network protocol implementation in the
Linux kernel contained an out-of-bounds access. A remote attacker could
use this to expose sensitive information (kernel memory). (CVE-2022-20368)
Domingo Dirutigliano and Nicola Guerrera discovered that the netfilter
subsystem in the Linux kernel did not properly handle rules that
truncated packets below the packet header size. When such rules are in
place, a remote attacker could possibly use this to cause a denial of
service (system crash). (CVE-2022-36946)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 ESM:
linux-image-4.4.0-1150-aws 4.4.0-1150.165
linux-image-aws 4.4.0.1150.154
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-5580-1
CVE-2021-33655, CVE-2021-33656, CVE-2022-20368, CVE-2022-36946
[USN-5579-1] Linux kernel vulnerabilities
Ubuntu Security Notice USN-5579-1
August 24, 2022
linux, linux-kvm, linux-lts-xenial vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 ESM
- Ubuntu 14.04 ESM
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux: Linux kernel
- linux-kvm: Linux kernel for cloud environments
- linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty
Details:
Roger Pau Monné discovered that the Xen virtual block driver in the
Linux kernel did not properly initialize memory pages to be used for
shared communication with the backend. A local attacker could use this
to expose sensitive information (guest kernel memory). (CVE-2022-26365)
Roger Pau Monné discovered that the Xen paravirtualization frontend in
the Linux kernel did not properly initialize memory pages to be used for
shared communication with the backend. A local attacker could use this
to expose sensitive information (guest kernel memory). (CVE-2022-33740)
It was discovered that the Xen paravirtualization frontend in the Linux
kernel incorrectly shared unrelated data when communicating with certain
backends. A local attacker could use this to cause a denial of service
(guest crash) or expose sensitive information (guest kernel memory).
(CVE-2022-33741)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 ESM:
linux-image-4.4.0-1113-kvm 4.4.0-1113.123
linux-image-4.4.0-233-generic 4.4.0-233.267
linux-image-4.4.0-233-lowlatency 4.4.0-233.267
linux-image-generic 4.4.0.233.239
linux-image-kvm 4.4.0.1113.110
linux-image-lowlatency 4.4.0.233.239
linux-image-virtual 4.4.0.233.239
Ubuntu 14.04 ESM:
linux-image-4.4.0-233-generic 4.4.0-233.267~14.04.1
linux-image-4.4.0-233-lowlatency 4.4.0-233.267~14.04.1
linux-image-generic-lts-xenial 4.4.0.233.202
linux-image-lowlatency-lts-xenial 4.4.0.233.202
linux-image-virtual-lts-xenial 4.4.0.233.202
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-5579-1
CVE-2022-26365, CVE-2022-33740, CVE-2022-33741
[USN-5474-2] Varnish Cache regression
Ubuntu Security Notice USN-5474-2
August 23, 2022
varnish regression
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04 LTS
Summary:
Varnish Cache could be made to restart if it received specially crafted input.
Software Description:
- varnish: state of the art, high-performance web accelerator
Details:
USN-5474-1 fixed vulnerabilities in Varnish Cache. Unfortunately the fix for
CVE-2020-11653 was incomplete. This update fixes the problem.
Original advisory details:
It was discovered that Varnish Cache could have an assertion failure when a
TLS termination proxy uses PROXY version 2. A remote attacker could possibly
use this issue to restart the daemon and cause a performance loss.
(CVE-2020-11653)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.04 LTS:
libvarnishapi2 6.2.1-2ubuntu0.2
varnish 6.2.1-2ubuntu0.2
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5474-2
https://ubuntu.com/security/notices/USN-5474-1
CVE-2020-11653
Package Information:
https://launchpad.net/ubuntu/+source/varnish/6.2.1-2ubuntu0.2
[LSN-0089-1] Linux kernel vulnerability
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 ESM
- Ubuntu 22.04 LTS
- Ubuntu 14.04 ESM
Summary
Several security issues were fixed in the kernel.
Software Description
- linux - Linux kernel
- linux-aws - Linux kernel for Amazon Web Services (AWS) systems
- linux-azure - Linux kernel for Microsoft Azure Cloud systems
- linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems
- linux-gke - Linux kernel for Google Container Engine (GKE) systems
- linux-gkeop - Linux kernel for Google Container Engine (GKE) systems
- linux-ibm - Linux kernel for IBM cloud systems
- linux-oem - Linux kernel for OEM systems
Details
Aaron Adams discovered that the netfilter subsystem in the Linux kernel
did not properly handle the removal of stateful expressions in some
situations, leading to a use-after-free vulnerability. A local attacker
could use this to cause a denial of service (system crash) or execute
arbitrary code. (CVE-2022-1966)
Ziming Zhang discovered that the netfilter subsystem in the Linux kernel
did not properly validate sets with multiple ranged fields. A local
attacker could use this to cause a denial of service or execute
arbitrary code. (CVE-2022-1972)
It was discovered that the implementation of POSIX timers in the Linux
kernel did not properly clean up timers in some situations. A local
attacker could use this to cause a denial of service (system crash) or
execute arbitrary code. (CVE-2022-2585)
It was discovered that the netfilter subsystem of the Linux kernel did
not prevent one nft object from referencing an nft set in another nft
table, leading to a use-after-free vulnerability. A local attacker could
use this to cause a denial of service (system crash) or execute
arbitrary code. (CVE-2022-2586)
Zhenpeng Lin discovered that the network packet scheduler implementation
in the Linux kernel did not properly remove all references to a route
filter before freeing it in some situations. A local attacker could use
this to cause a denial of service (system crash) or execute arbitrary
code. (CVE-2022-2588)
It was discovered that the Linux kernel did not properly restrict access
to the kernel debugger when booted in secure boot environments. A
privileged attacker could use this to bypass UEFI Secure Boot
restrictions. (CVE-2022-21499)
Kyle Zeng discovered that the Network Queuing and Scheduling subsystem
of the Linux kernel did not properly perform reference counting in some
situations, leading to a use-after-free vulnerability. A local attacker
could use this to cause a denial of service (system crash) or execute
arbitrary code. (CVE-2022-29581)
Arthur Mongodin discovered that the netfilter subsystem in the Linux
kernel did not properly perform data validation. A local attacker could
use this to escalate privileges in certain situations. (CVE-2022-34918)
Update instructions
The problem can be corrected by updating your kernel livepatch to the
following versions:
Ubuntu 20.04 LTS
aws - 89.1
azure - 89.1
azure - 89.2
gcp - 89.1
generic - 89.1
generic - 89.2
gke - 89.1
gke - 89.2
gkeop - 89.1
ibm - 89.1
lowlatency - 89.1
Ubuntu 18.04 LTS
aws - 89.1
azure - 89.1
gcp - 89.1
generic - 89.1
gke - 89.1
gke - 89.2
gkeop - 89.1
gkeop - 89.2
ibm - 89.1
lowlatency - 89.1
oem - 89.1
Ubuntu 16.04 ESM
aws - 89.1
azure - 89.1
gcp - 89.1
generic - 89.1
lowlatency - 89.1
lowlatency - 89.2
Ubuntu 22.04 LTS
aws - 89.1
azure - 89.1
gcp - 89.1
generic - 89.1
gke - 89.1
ibm - 89.1
lowlatency - 88.1
Ubuntu 14.04 ESM
generic - 89.1
lowlatency - 89.1
Support Information
Kernels older than the levels listed below do not receive livepatch
updates. If you are running a kernel version earlier than the one listed
below, please upgrade your kernel as soon as possible.
Ubuntu 20.04 LTS
linux-aws-5.15 - 5.15.0-1000
linux-aws - 5.4.0-1009
linux-azure-5.15 - 5.15.0-1069
linux-azure - 5.4.0-1010
linux-gcp-5.15 - 5.15.0-1000
linux-gcp - 5.4.0-1009
linux-gke-5.15 - 5.15.0-1000
linux-gke - 5.4.0-1033
linux-gkeop - 5.4.0-1009
linux-hwe - 5.15.0-0
linux-ibm-5.15 - 5.15.0-1000
linux-ibm - 5.4.0-1009
linux-oem - 5.4.0-26
linux - 5.4.0-26
Ubuntu 18.04 LTS
linux-aws-5.4 - 5.4.0-1069
linux-aws - 4.15.0-1054
linux-azure-4.15 - 4.15.0-1115
linux-azure-5.4 - 5.4.0-1069
linux-gcp-4.15 - 4.15.0-1121
linux-gcp-5.4 - 5.4.0-1069
linux-gke-4.15 - 4.15.0-1076
linux-gke-5.4 - 5.4.0-1009
linux-gkeop-5.4 - 5.4.0-1007
linux-hwe-5.4 - 5.4.0-26
linux-ibm-5.4 - 5.4.0-1009
linux-oem - 4.15.0-1063
linux - 4.15.0-69
Ubuntu 16.04 ESM
linux-aws-hwe - 4.15.0-1126
linux-aws - 4.4.0-1098
linux-azure - 4.15.0-1063
linux-gcp - 4.15.0-1118
linux-hwe - 4.15.0-69
linux - 4.4.0-168
linux - 4.4.0-211
Ubuntu 22.04 LTS
linux-aws - 5.15.0-1000
linux-azure - 5.15.0-1000
linux-gcp - 5.15.0-1000
linux-gke - 5.15.0-1000
linux-ibm - 5.15.0-1000
linux - 5.15.0-24
linux - 5.15.0-25
Ubuntu 14.04 ESM
linux-lts-xenial - 4.4.0-168
References
- CVE-2022-1966
- CVE-2022-1972
- CVE-2022-2585
- CVE-2022-2586
- CVE-2022-2588
- CVE-2022-21499
- CVE-2022-29581
- CVE-2022-34918
[USN-5578-1] Open VM Tools vulnerability
Ubuntu Security Notice USN-5578-1
August 24, 2022
open-vm-tools vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
open-vm-tools could be made to run programs as an administrator.
Software Description:
- open-vm-tools: Open VMware Tools for virtual machines hosted on VMware
Details:
It was discovered that Open VM Tools incorrectly handled certain requests.
An attacker inside the guest could possibly use this issue to gain root
privileges inside the virtual machine.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS:
open-vm-tools 2:11.3.5-1ubuntu4.1
Ubuntu 20.04 LTS:
open-vm-tools 2:11.3.0-2ubuntu0~ubuntu20.04.3
Ubuntu 18.04 LTS:
open-vm-tools 2:11.0.5-4ubuntu0.18.04.2
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5578-1
CVE-2022-31676
Package Information:
https://launchpad.net/ubuntu/+source/open-vm-tools/2:11.3.5-1ubuntu4.1
https://launchpad.net/ubuntu/+source/open-vm-tools/2:11.3.0-2ubuntu0~ubuntu20.04.3
https://launchpad.net/ubuntu/+source/open-vm-tools/2:11.0.5-4ubuntu0.18.04.2
Tuesday, August 23, 2022
[USN-5576-1] Twisted vulnerability
Ubuntu Security Notice USN-5576-1
August 24, 2022
twisted vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
Summary:
Twisted could be made to expose sensitive information over the
network.
Software Description:
- twisted: Event-based framework for internet applications
Details:
It was discovered that Twisted incorrectly parsed some types of HTTP requests
in its web server implementation. In certain proxy or multi-server
configurations, a remote attacker could craft malicious HTTP requests in order
to obtain sensitive information.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS:
python3-twisted 22.1.0-2ubuntu2.3
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5576-1
CVE-2022-24801
Package Information:
https://launchpad.net/ubuntu/+source/twisted/22.1.0-2ubuntu2.3
[USN-5577-1] Linux kernel (OEM) vulnerabilities
Ubuntu Security Notice USN-5577-1
August 24, 2022
linux-oem-5.14 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux-oem-5.14: Linux kernel for OEM systems
Details:
Asaf Modelevsky discovered that the Intel(R) 10GbE PCI Express (ixgbe)
Ethernet driver for the Linux kernel performed insufficient control flow
management. A local attacker could possibly use this to cause a denial of
service. (CVE-2021-33061)
It was discovered that the framebuffer driver on the Linux kernel did not
verify size limits when changing font or screen size, leading to an
out-of-bounds write. A local attacker could use this to cause a denial of
service (system crash) or possibly execute arbitrary code. (CVE-2021-33655)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.04 LTS:
linux-image-5.14.0-1049-oem 5.14.0-1049.56
linux-image-oem-20.04 5.14.0.1049.45
linux-image-oem-20.04b 5.14.0.1049.45
linux-image-oem-20.04c 5.14.0.1049.45
linux-image-oem-20.04d 5.14.0.1049.45
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-5577-1
CVE-2021-33061, CVE-2021-33655
Package Information:
https://launchpad.net/ubuntu/+source/linux-oem-5.14/5.14.0-1049.56
F39 proposal: libsoup 3: Part two (System-Wide Change proposal)
This document represents a proposed Change. As part of the Changes
process, proposals are publicly announced in order to receive
community feedback. This proposal will only be implemented if approved
by the Fedora Engineering Steering Committee.
== Summary ==
libsoup 3 is a new API version of libsoup that provides support for
HTTP/2. We will remove libsoup 2 and all packages that still depend on
it.
== Owner ==
* Name: [[User:catanzaro|Michael Catanzaro]]
* Email: <mcatanzaro@redhat.com>
== Detailed Description ==
[[Changes/libsoup_3:_Part_One|We previously introduced libsoup 3 to
Fedora 37.]] Because applications will crash on startup if linked to
both libsoup 2 and libsoup 3 at the same time, and because many
libraries depend on libsoup, and because applications therefore have
limited control over which libsoup they link to transitively, this
transition was quite tricky and caused several serious problems during
the Fedora 37 development cycle. Fortunately, the trickiest part of
the migration to libsoup 3 is now behind us.
The next step is to remove libsoup 2 from Fedora. We propose to do
this for Fedora 39. This should happen sooner rather than later
because libsoup is a security-sensitive networking library and
maintaining an old version in Fedora indefinitely is inadvisable. We
know from experience that a deadline will be required in order to
ensure applications and libraries make the transition; otherwise, we
will wind up maintaining libsoup 2 indefinitely. Removing libsoup 2
from Fedora 38 seems too soon: applications need a little more time to
smoothly transition. Accordingly, we propose to remove libsoup 2 from
Fedora 39. The package will be retired in rawhide shortly after Fedora
38 is branched in February 2023. At this point, all packages that
still depend on it will break in rawhide. The rest of the year will
be available to fix broken packages before Fedora 39 is released to
users in October 2023.
This will likely cause some temporary problems and force some
compromises. E.g. we may have to drop software like ABRT or geoclue
from composes if not ported in time.
== Benefit to Fedora ==
Removing libsoup 2 ensures Fedora does not package an obsolete version
of a security-sensitive networking library. It will also eliminate the
possibility of linkage conflicts between libsoup 2 and libsoup 3,
which have been extremely annoying during the Fedora 37 development
cycle and will continue to plague us during Fedora 38 development.
== Scope ==
* Proposal owners: we will ensure the package is retired
* Other developers: software must be ported from libsoup 2 to libsoup
3. This may require substantial upstream effort.
* Release engineering: [https://pagure.io/releng/issue/10985 #10985]
* Policies and guidelines: no new policies needed
* Trademark approval: N/A (not needed for this Change)
* Alignment with Objectives: no alignment with objectives
== Upgrade/compatibility impact ==
Software that still depends on libsoup 2 will break.
== How To Test ==
Fortunately not much testing is needed. The main challenge of the
transition to libsoup 3 was testing applications to ensure they do not
crash on startup due to libsoup 2 vs. libsoup 3 conflicts. Such
conflicts will no longer occur once this change is implemented,
because libsoup 2 won't exist anymore. Of course, it's also good to
test applications to ensure they still work properly after being
ported to libsoup 3.
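The startup crash described above comes from one process loading both libsoup-2.4 and libsoup-3.0, usually through a transitive dependency. The following added example (not part of the proposal or of libsoup) flattens `ldd` output for a binary and flags that co-linkage; the sample `ldd` output and the `libexample-plugin` library in it are constructed for illustration.

```python
"""Detect libsoup 2 / libsoup 3 co-linkage from ldd output (added example)."""
import re
import subprocess

# ldd prints "<soname> => <path> (<addr>)"; the vDSO and loader lines have no "=>".
_LDD_LINE = re.compile(r"^\s*(?P<soname>\S+)\s+=>\s+(?P<path>\S+)")
# libsoup-2.4.so.1 and libsoup-3.0.so.0 are the two incompatible API versions.
_SOUP_SONAME = re.compile(r"^libsoup-(?P<api>2\.4|3\.0)\.so(\.\d+)*$")


def soup_versions(ldd_output: str) -> dict[str, str]:
    """Map each libsoup API version ('2.4', '3.0') found to its resolved path."""
    found = {}
    for line in ldd_output.splitlines():
        m = _LDD_LINE.match(line)
        if not m:
            continue
        s = _SOUP_SONAME.match(m.group("soname"))
        if s:
            # ldd reports unresolvable libraries as "=> not found"
            path = m.group("path")
            found[s.group("api")] = "not found" if path == "not" else path
    return found


def has_conflict(ldd_output: str) -> bool:
    """True when both libsoup 2.4 and libsoup 3.0 would be loaded into one process."""
    return {"2.4", "3.0"} <= soup_versions(ldd_output).keys()


def check_binary(path: str) -> bool:
    """Run ldd on a real executable and report whether it carries the conflict."""
    out = subprocess.run(["ldd", path], capture_output=True, text=True, check=True).stdout
    return has_conflict(out)


# Constructed sample: an application linked to libsoup 3 whose (hypothetical)
# plugin library still drags in libsoup 2, the failure mode the proposal describes.
SAMPLE_LDD = """\
        linux-vdso.so.1 (0x00007ffd3c5f2000)
        libsoup-3.0.so.0 => /lib64/libsoup-3.0.so.0 (0x00007f1a3a200000)
        libexample-plugin.so.0 => /usr/lib64/libexample-plugin.so.0 (0x00007f1a3a1c0000)
        libsoup-2.4.so.1 => /lib64/libsoup-2.4.so.1 (0x00007f1a3a000000)
        libglib-2.0.so.0 => /lib64/libglib-2.0.so.0 (0x00007f1a39e00000)
        libc.so.6 => /lib64/libc.so.6 (0x00007f1a39c00000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f1a3a400000)
"""

if __name__ == "__main__":
    print("conflict:", has_conflict(SAMPLE_LDD), soup_versions(SAMPLE_LDD))
```

Run `check_binary("/usr/bin/some-app")` against installed binaries to audit a system before libsoup 2 is retired.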
== User Experience ==
Applications that use libsoup 3 will support HTTP/2, which multiplexes
multiple HTTP requests over a single connection. Users may notice
significant performance improvements.
== Dependencies ==
$ dnf repoquery --whatdepends libsoup --latest-limit 1 --arch 'noarch,x86_64' --disablerepo='*' --enablerepo=rawhide
Fedora - Rawhide - Developmental packages for t 18 MB/s | 64 MB 00:03
Last metadata expiration check: 0:00:15 ago on Tue 23 Aug 2022 11:17:32 AM CDT.
abrt-retrace-client-0:2.15.1-4.fc37.x86_64
badwolf-0:1.2.2-3.fc37.x86_64
bookworm-0:1.1.3-0.8.20200414git.c7c3643.fc37.x86_64
cawbird-0:1.4.2-4.fc37.x86_64
cinnamon-0:5.4.11-1.fc38.x86_64
claws-mail-plugins-fancy-0:4.1.0-5.fc37.x86_64
claws-mail-plugins-gdata-0:4.1.0-5.fc37.x86_64
coin-0:1.3.0-7.fc37.x86_64
cutter-0:1.2.7-7.fc37.x86_64
darktable-0:4.0.0-3.fc37.x86_64
dino-0:0.3.0-4.fc37.x86_64
dleyna-renderer-0:0.6.0-15.fc37.x86_64
dleyna-server-0:0.6.0-14.fc37.x86_64
dmapd-0:0.0.91-4.fc37.x86_64
elementary-calendar-0:6.1.1-1.fc37.x86_64
elementary-code-0:6.2.0-2.fc37.x86_64
elementary-mail-0:6.4.0-1.fc36.x86_64
elementary-photos-0:2.7.5-2.fc37.x86_64
elementary-planner-1:3.0.7-1.fc37.x86_64
elementary-tasks-0:6.3.0-1.fc37.x86_64
emacs-1:28.1-3.fc37.x86_64
ephemeral-0:7.1.0-4.fc37.x86_64
exfalso-0:4.5.0-3.fc37.noarch
flatpak-builder-0:1.2.2-4.fc37.x86_64
fondo-0:1.6.1-3.fc37.x86_64
frogr-0:1.6-5.fc35.x86_64
gajim-0:1.4.7-1.fc37.noarch
gambas3-gb-gtk3-webview-0:3.17.3-2.fc37.x86_64
gamehub-0:0.16.3.2-5.fc37.x86_64
geany-plugins-geniuspaste-0:1.38-5.fc37.x86_64
geany-plugins-markdown-0:1.38-5.fc37.x86_64
geany-plugins-updatechecker-0:1.38-5.fc37.x86_64
geoclue2-0:2.6.0-3.fc37.x86_64
geocode-glib-0:3.26.4-1.fc37.x86_64
gfbgraph-0:0.2.5-2.fc37.x86_64
gnome-calculator-0:43~alpha-2.fc37.x86_64
gnome-games-0:40.0-3.fc36.x86_64
gnome-music-0:42.1-3.fc37.noarch
gnome-software-0:43.beta-3.fc38.x86_64
gnome-video-arcade-0:0.8.8-13.fc37.x86_64
goodvibes-0:0.7.4-2.fc37.x86_64
grilo-0:0.3.15-2.fc38.x86_64
grilo-plugins-0:0.3.15-1.fc38.x86_64
gssdp-0:1.4.0.1-3.fc37.x86_64
gssdp-utils-0:1.4.0.1-3.fc37.x86_64
gupnp-0:1.4.3-3.fc37.x86_64
gupnp-tools-0:0.10.3-2.fc37.x86_64
homebank-0:5.5.6-2.fc37.x86_64
libabiword-1:3.0.5-4.fc37.x86_64
libchamplain-0:0.12.20-7.fc37.x86_64
libdmapsharing-0:2.9.41-8.fc37.x86_64
libdmapsharing4-0:3.9.10-6.fc37.x86_64
libepc-0:0.4.0-23.fc37.x86_64
libepc-ui-0:0.4.0-23.fc37.x86_64
libgda5-tools-1:5.2.10-12.fc38.x86_64
libgda5-web-1:5.2.10-12.fc38.x86_64
libgdata-0:0.18.1-6.fc37.x86_64
libgepub-0:0.6.0-10.fc37.x86_64
libgovirt-0:0.3.8-5.fc37.x86_64
libgrss-0:0.7.0-15.fc37.x86_64
libgweather-0:40.0-4.fc37.x86_64
libmateweather-0:1.26.0-3.fc37.x86_64
libsoup-devel-0:2.74.2-3.fc37.x86_64
libtimezonemap-0:0.4.5.2-1.fc38.x86_64
libtranslate-0:0.99-113.fc37.x86_64
liferea-1:1.13.9-1.fc37.x86_64
linphone-0:3.6.1-49.fc37.x86_64
logjam-1:4.6.2-28.fc37.x86_64
meteo-0:0.9.9.1-3.fc37.x86_64
midori-0:9.0-11.fc37.x86_64
mmsd-tng-0:1.9-2.fc37.x86_64
mpdscribble-0:0.22-25.fc37.x86_64
osinfo-db-tools-0:1.10.0-4.fc37.x86_64
osm-gps-map-0:1.1.0-11.fc37.x86_64
ostree-tests-0:2022.5-2.fc37.x86_64
perl-HTTP-Soup-0:0.01-28.fc37.x86_64
polari-0:42.1-2.fc37.x86_64
pragha-0:1.3.3-23.fc37.x86_64
purple-chime-0:1.4.1-7.fc37.x86_64
python3-nbxmpp-0:3.1.1-1.fc37.noarch
remmina-0:1.4.27-5.fc37.x86_64
rest0.7-0:0.8.1-2.fc37.x86_64
rhythmbox-0:3.4.6-2.fc37.x86_64
rygel-0:0.40.4-2.fc37.x86_64
seahorse-0:42.0-2.fc37.x86_64
snapd-glib-0:1.58-5.fc37.x86_64
snapd-glib-tests-0:1.58-5.fc37.x86_64
snapd-qt-tests-0:1.58-5.fc37.x86_64
soup-sharp-0:2.42.2-7.20190810git0f36d10.fc37.x86_64
srain-0:1.4.0-3.fc37.x86_64
surf-0:2.0-14.fc37.x86_64
switchboard-plug-onlineaccounts-0:6.5.0-1.fc37.x86_64
taxi-0:2.0.1-3.fc37.x86_64
telepathy-gabble-0:0.18.4-19.fc37.x86_64
telepathy-salut-0:0.8.1-28.fc37.x86_64
uhttpmock-0:0.5.5-2.fc37.x86_64
vfrnav-0:20201231-30.fc37.x86_64
webkit2gtk4.0-0:2.37.90-1.fc38.x86_64
webkit2gtk4.0-devel-0:2.37.90-1.fc38.x86_64
xfce4-screenshooter-0:1.9.11-1.fc38.x86_64
xfce4-screenshooter-plugin-0:1.9.11-1.fc38.x86_64
xfce4-weather-plugin-0:0.11.0-4.fc37.x86_64
== Contingency Plan ==
* Contingency mechanism: restore libsoup 2 package
* Contingency deadline: beta freeze
* Blocks release? Possibly; it will depend on which packages
successfully make the transition.
== Documentation ==
[https://libsoup.org/libsoup-3.0/migrating-from-libsoup-2.html
Migrating from libsoup 2]
== Release Notes ==
To-do
--
Ben Cotton
He / Him / His
Fedora Program Manager
Red Hat
TZ=America/Indiana/Indianapolis
_______________________________________________
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
F38 proposal: Pcre Deprecation (System-Wide Change proposal)
This document represents a proposed Change. As part of the Changes
process, proposals are publicly announced in order to receive
community feedback. This proposal will only be implemented if approved
by the Fedora Engineering Steering Committee.
== Summary ==
Upstream has stopped supporting the old 'pcre' package and only
supports the new 'pcre2' version, so Fedora should deprecate pcre so
that it can later be retired and removed from Fedora entirely.
== Owner ==
* Name: [[User:ljavorsk| Lukas Javorsky]]
* Email: ljavorsk@redhat.com
== Detailed Description ==
Upstream has stopped supporting the old 'pcre' package. Version 8.45 is
marked as the final release and nothing else will be added or fixed in
it. This may lead to unresolved CVEs, which would have to be fixed by
the Fedora maintainers. Unfortunately, due to our limited capacity, we
would not have the time or expertise to do this ourselves, so we need
to deprecate this package. Once the deprecation is done, the very next
step would be to start the [[PcreRetirement|retirement change]], so
that the package is removed from Fedora entirely.
The new 'pcre2' package has been available for more than 7 years now
and most packages have already been ported to its redefined API. See
the
[https://lists.exim.org/lurker/message/20150105.162835.0666407a.en.html
mail] about the changes in pcre2.
=== Plan ===
1) File the BZ trackers for all of the dependent packages.
2) Document the deprecation.
3) Start the [[PcreRetirement|new change]] with the pcre retirement.
== Feedback ==
The early feedback from the community is in
[https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/K3BUC6T5VIG7LXOV4RVFO7IUPE2LGA2J/#OPHSKMRJ4W6IX4KMLRF27K2JMSQQ2GCB
this mailing thread]
== Benefit to Fedora ==
Fedora should not ship packages that are no longer supported upstream.
When future RHEL versions fork from Fedora, this could lead to a less
secure RHEL as well. By deprecating this package, we send the message
to maintainers that their packages should be ported to pcre2, and any
new package will have to use only the new and supported pcre2 version.
== Scope ==
* Proposal owners: 3 steps mentioned in the
[https://fedoraproject.org/wiki/PcreDeprecation#Plan Plan].
* Other developers: Port their package to support the new pcre2.
* Release engineering:
* Policies and guidelines: N/A (not needed for this Change)
* Trademark approval: N/A (not needed for this Change)
* Alignment with Objectives:
== Upgrade/compatibility impact ==
The old pcre package will be deprecated, so new packages will not be
able to require it and will have to require the new pcre2 version
instead.
== User Experience ==
Users will no longer be exposed to the potentially vulnerable pcre
package, because pcre2 is supported by the upstream community.
== Dependencies ==
This list is obtained by using and combining the output of the
following commands:
dnf repoquery --disablerepo='*' --enablerepo=rawhide --whatrequires 'libpcre.so.1()(64bit)' --whatrequires 'libpcreposix.so.0()(64bit)' -s | pkgname
dnf repoquery --disablerepo='*' --enablerepo=rawhide-source --whatrequires pcre-devel | pkgname
=== List ===
*389-ds-base
*adanaxisgpl
*aide
*aircrack-ng
*anope
*apachetop
*bti
*ccze
*cegui
*cegui06
*clamav
*ClanLib
*clisp
*clover2
*coccinelle
*collada-dom
*compton
*condor
*cppcheck
*cyrus-imapd
*deepin-file-manager
*dogtag-pki
*EMBOSS
*eterm
*Falcon
*freeradius
*gambas3
*ganglia
*ghc-highlighting-kate
*ghc-pcre-light
*ghc-regex-pcre
*GMT
*gnote
*golang
*gource
*grep
*groonga
*gsmartcontrol
*haxe
*hydra
*hyperscan
*i3
*i3-gaps
*imapfilter
*Io-language
*kdelibs
*kdelibs3
*kdevelop
*kf5-kjs
*kf5-kplotting
*libast
*liblognorm
*libmodsecurity
*lnav
*logstalgia
*lumail
*medusa
*mle
*mod_auth_openid
*mod_auth_openidc
*mod_qos
*mod_security
*monotone
*ncid
*nekovm
*ngrep
*nmap
*ocaml-pcre
*oci-umount
*octave
*openCOLLADA
*openscap
*opensips
*pads
*pcre
*pdfgrep
*perl-re-engine-PCRE
*petsc
*php-pecl-apcu
*php-pecl-http
*php-pecl-oauth
*picom
*pl
*poco
*postgis
*powwow
*prelude-lml
*privoxy
*proxysql
*python-qutepart
*python-scss
*R
*rasqal
*regexxer
*remctl
*renderdoc
*rkward
*root
*rudiments
*sigil
*slang
*sord
*sslh
*suricata
*sway
*swig
*syncevolution
*syslog-ng
*the_foundation
*the_silver_searcher
*Thunar
*tin
*tintin
*tinyfugue
*trafficserver
*uwsgi
*vdr-epgfixer
*watchman
*wireshark
*wmweather+
*xastir
*xfce4-verve-plugin
*xgrep
*xmlcopyeditor
*zsh
== Contingency Plan ==
* Contingency mechanism: N/A (not needed for this Change)
* Contingency deadline: N/A (not needed for this Change)
* Blocks release? No
== Documentation ==
This change should be documented so that users know that pcre is no
longer supported and cannot be required by any Fedora package. If an
existing package requires the pcre package, that is considered a bug.
== Release Notes ==
The release notes should mention the pcre deprecation so that users
know they will no longer be able to use its libraries.
--
Ben Cotton
He / Him / His
Fedora Program Manager
Red Hat
TZ=America/Indiana/Indianapolis