Friday, April 28, 2023

[USN-6049-1] Netty vulnerabilities

==========================================================================
Ubuntu Security Notice USN-6049-1
April 28, 2023

netty vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 ESM
- Ubuntu 18.04 ESM
- Ubuntu 16.04 ESM

Summary:

Several security issues were fixed in Netty.

Software Description:
- netty: Java NIO client/server socket framework

Details:

It was discovered that Netty's Zlib decoders did not limit memory
allocations. A remote attacker could possibly use this issue to cause
Netty to exhaust memory via malicious input, leading to a denial of
service. This issue only affected Ubuntu 16.04 ESM and Ubuntu 20.04 ESM.
(CVE-2020-11612)

It was discovered that Netty created temporary files with excessive
permissions. A local attacker could possibly use this issue to expose
sensitive information. This issue only affected Ubuntu 16.04 ESM, Ubuntu
18.04 ESM, and Ubuntu 20.04 ESM. (CVE-2021-21290)

It was discovered that Netty did not properly validate content-length
headers. A remote attacker could possibly use this issue to smuggle
requests. This issue was only fixed in Ubuntu 20.04 ESM. (CVE-2021-21295,
CVE-2021-21409)

It was discovered that Netty's Bzip2 decompression decoder did not limit
the decompressed output data size. A remote attacker could possibly use
this issue to cause Netty to exhaust memory via malicious input, leading
to a denial of service. This issue only affected Ubuntu 18.04 ESM, Ubuntu
20.04 ESM, Ubuntu 22.04 LTS, and Ubuntu 22.10. (CVE-2021-37136)

It was discovered that Netty's Snappy frame decoder function did not limit
chunk lengths. A remote attacker could possibly use this issue to cause
Netty to exhaust memory via malicious input, leading to a denial of
service. (CVE-2021-37137)

It was discovered that Netty did not properly handle control chars at the
beginning and end of header names. A remote attacker could possibly use
this issue to smuggle requests. This issue only affected Ubuntu 18.04 ESM,
Ubuntu 20.04 ESM, Ubuntu 22.04 LTS, and Ubuntu 22.10. (CVE-2021-43797)

It was discovered that Netty could be made to enter infinite recursion when
parsing a malformed crafted message. A remote attacker could possibly use
this issue to cause Netty to crash, leading to a denial of service. This
issue only affected Ubuntu 20.04 ESM, Ubuntu 22.04 LTS, and Ubuntu 22.10.
(CVE-2022-41881)

It was discovered that Netty did not validate header values under certain
circumstances. A remote attacker could possibly use this issue to perform
HTTP response splitting via malicious header values. This issue only
affected Ubuntu 18.04 ESM, Ubuntu 20.04 ESM, Ubuntu 22.04 LTS, and Ubuntu
22.10. (CVE-2022-41915)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.10:
  libnetty-java                   1:4.1.48-5ubuntu0.1

Ubuntu 22.04 LTS:
  libnetty-java                   1:4.1.48-4+deb11u1build0.22.04.1

Ubuntu 20.04 ESM:
  libnetty-java                   1:4.1.45-1ubuntu0.1~esm1

Ubuntu 18.04 ESM:
  libnetty-java                   1:4.1.7-4ubuntu0.1+esm2

Ubuntu 16.04 ESM:
  libnetty-java                   1:4.0.34-1ubuntu0.1~esm1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6049-1
  CVE-2020-11612, CVE-2021-21290, CVE-2021-21295, CVE-2021-21409,
  CVE-2021-37136, CVE-2021-37137, CVE-2021-43797, CVE-2022-41881,
  CVE-2022-41915

Package Information:
  https://launchpad.net/ubuntu/+source/netty/1:4.1.48-5ubuntu0.1
  https://launchpad.net/ubuntu/+source/netty/1:4.1.48-4+deb11u1build0.22.04.1

[USN-6037-1] Apache Commons Net vulnerability

==========================================================================
Ubuntu Security Notice USN-6037-1
April 28, 2023

Apache Commons Net vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 ESM

Summary:

Apache Commons Net could be made to expose sensitive information
over the network.

Software Description:
- libcommons-net-java: Apache Commons Net - Java client API for basic
Internet protocols

Details:

ZeddYu Lu discovered that the FTP client from Apache Commons Net trusted
the host from PASV responses by default. A remote attacker with a
malicious FTP server could redirect the client to another server, which
could possibly result in leaked information about services running on
the private network of the client.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.10:
  libcommons-net-java             3.6-1+deb11u1build0.22.10.1

Ubuntu 22.04 LTS:
  libcommons-net-java             3.6-1+deb11u1build0.22.04.1

Ubuntu 20.04 LTS:
  libcommons-net-java             3.6-1+deb11u1build0.20.04.1

Ubuntu 18.04 LTS:
  libcommons-net-java             3.6-1+deb11u1build0.18.04.1

Ubuntu 16.04 ESM:
  libcommons-net-java             3.4-2ubuntu2+esm1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6037-1
  CVE-2021-37533

Package Information:
https://launchpad.net/ubuntu/+source/libcommons-net-java/3.6-1+deb11u1build0.22.10.1
https://launchpad.net/ubuntu/+source/libcommons-net-java/3.6-1+deb11u1build0.22.04.1
https://launchpad.net/ubuntu/+source/libcommons-net-java/3.6-1+deb11u1build0.20.04.1
https://launchpad.net/ubuntu/+source/libcommons-net-java/3.6-1+deb11u1build0.18.04.1

Leap Micro 5.4 GA, Leap Micro 5.2 EOL, Leap 15.5 enters RC phase

Hello openSUSE!

Leap Micro 5.4 is now globally available, which also means that Leap
Micro 5.2 has officially reached End Of Life.

Leap 15.5 officially entered RC with Build472.1.

I'm really happy that we were able to get IPRQ approval as well as
acceptable testing results for the RC build and still meet our
https://en.opensuse.org/openSUSE:Roadmap for both projects.

More information in our practical hands-on Leap Micro 5.4 article
https://news.opensuse.org/2023/04/27/leap-micro-54-leap-155-enters-rc/

Best regards

Lubos Kocman
openSUSE Leap Release Manager

Thursday, April 27, 2023

[USN-6046-1] OpenSSL-ibmca vulnerabilities

==========================================================================
Ubuntu Security Notice USN-6046-1
April 27, 2023

openssl-ibmca vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 ESM

Summary:

OpenSSL-ibmca could be made to expose sensitive information.

Software Description:
- openssl-ibmca: libica based hardware acceleration engine for OpenSSL

Details:

It was discovered that OpenSSL-ibmca incorrectly handled certain RSA decryption.
An attacker could possibly use this issue to expose sensitive information.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.10:
openssl-ibmca 2.3.0-0ubuntu1.1

Ubuntu 22.04 LTS:
openssl-ibmca 2.2.3-0ubuntu1.1

Ubuntu 20.04 LTS:
openssl-ibmca 2.1.0-0ubuntu1.20.04.2

Ubuntu 18.04 LTS:
openssl-ibmca 1.4.1-0ubuntu1.2

Ubuntu 16.04 ESM:
openssl-ibmca 1.3.0-0ubuntu2.16.04.3

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6046-1
https://launchpad.net/bugs/2015454

Package Information:
https://launchpad.net/ubuntu/+source/openssl-ibmca/2.3.0-0ubuntu1.1
https://launchpad.net/ubuntu/+source/openssl-ibmca/2.2.3-0ubuntu1.1
https://launchpad.net/ubuntu/+source/openssl-ibmca/2.1.0-0ubuntu1.20.04.2
https://launchpad.net/ubuntu/+source/openssl-ibmca/1.4.1-0ubuntu1.2

[USN-6047-1] Linux kernel vulnerability

==========================================================================
Ubuntu Security Notice USN-6047-1
April 27, 2023

linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-4.15,
linux-azure-5.4, linux-gcp, linux-gcp-4.15, linux-gcp-5.4, linux-gke,
linux-gkeop, linux-hwe, linux-hwe-5.4, linux-ibm, linux-kvm, linux-oracle,
linux-oracle-5.4 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 ESM
- Ubuntu 14.04 ESM

Summary:

The system could be made to run programs as an administrator.

Software Description:
- linux: Linux kernel
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems
- linux-azure: Linux kernel for Microsoft Azure Cloud systems
- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems
- linux-gke: Linux kernel for Google Container Engine (GKE) systems
- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems
- linux-ibm: Linux kernel for IBM cloud systems
- linux-kvm: Linux kernel for cloud environments
- linux-oracle: Linux kernel for Oracle Cloud systems
- linux-aws-5.4: Linux kernel for Amazon Web Services (AWS) systems
- linux-azure-4.15: Linux kernel for Microsoft Azure Cloud systems
- linux-azure-5.4: Linux kernel for Microsoft Azure cloud systems
- linux-gcp-4.15: Linux kernel for Google Cloud Platform (GCP) systems
- linux-gcp-5.4: Linux kernel for Google Cloud Platform (GCP) systems
- linux-hwe-5.4: Linux hardware enablement (HWE) kernel
- linux-oracle-5.4: Linux kernel for Oracle Cloud systems
- linux-hwe: Linux hardware enablement (HWE) kernel

Details:

It was discovered that the Traffic-Control Index (TCINDEX) implementation
in the Linux kernel did not properly perform filter deactivation in some
situations. A local attacker could possibly use this to gain elevated
privileges. Please note that with the fix for this CVE, kernel support for
the TCINDEX classifier has been removed.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS:
linux-image-5.4.0-1048-ibm 5.4.0-1048.53
linux-image-5.4.0-1068-gkeop 5.4.0-1068.72
linux-image-5.4.0-1090-kvm 5.4.0-1090.96
linux-image-5.4.0-1098-gke 5.4.0-1098.105
linux-image-5.4.0-1100-oracle 5.4.0-1100.109
linux-image-5.4.0-1101-aws 5.4.0-1101.109
linux-image-5.4.0-1104-gcp 5.4.0-1104.113
linux-image-5.4.0-1107-azure 5.4.0-1107.113
linux-image-5.4.0-148-generic 5.4.0-148.165
linux-image-5.4.0-148-generic-lpae 5.4.0-148.165
linux-image-5.4.0-148-lowlatency 5.4.0-148.165
linux-image-aws-lts-20.04 5.4.0.1101.98
linux-image-azure-lts-20.04 5.4.0.1107.100
linux-image-gcp-lts-20.04 5.4.0.1104.106
linux-image-generic 5.4.0.148.146
linux-image-generic-hwe-18.04 5.4.0.148.146
linux-image-generic-hwe-18.04-edge 5.4.0.148.146
linux-image-generic-lpae 5.4.0.148.146
linux-image-generic-lpae-hwe-18.04 5.4.0.148.146
linux-image-generic-lpae-hwe-18.04-edge 5.4.0.148.146
linux-image-gke 5.4.0.1098.103
linux-image-gke-5.4 5.4.0.1098.103
linux-image-gkeop 5.4.0.1068.66
linux-image-gkeop-5.4 5.4.0.1068.66
linux-image-ibm 5.4.0.1048.74
linux-image-ibm-lts-20.04 5.4.0.1048.74
linux-image-kvm 5.4.0.1090.84
linux-image-lowlatency 5.4.0.148.146
linux-image-oem 5.4.0.148.146
linux-image-oem-osp1 5.4.0.148.146
linux-image-oracle-lts-20.04 5.4.0.1100.93
linux-image-virtual 5.4.0.148.146

Ubuntu 18.04 LTS:
linux-image-4.15.0-1118-oracle 4.15.0-1118.129
linux-image-4.15.0-1139-kvm 4.15.0-1139.144
linux-image-4.15.0-1149-gcp 4.15.0-1149.165
linux-image-4.15.0-1164-azure 4.15.0-1164.179
linux-image-4.15.0-210-generic 4.15.0-210.221
linux-image-4.15.0-210-generic-lpae 4.15.0-210.221
linux-image-4.15.0-210-lowlatency 4.15.0-210.221
linux-image-5.4.0-1100-oracle 5.4.0-1100.109~18.04.1
linux-image-5.4.0-1101-aws 5.4.0-1101.109~18.04.1
linux-image-5.4.0-1104-gcp 5.4.0-1104.113~18.04.1
linux-image-5.4.0-1107-azure 5.4.0-1107.113~18.04.1
linux-image-5.4.0-148-generic 5.4.0-148.165~18.04.1
linux-image-5.4.0-148-generic-lpae 5.4.0-148.165~18.04.1
linux-image-5.4.0-148-lowlatency 5.4.0-148.165~18.04.1
linux-image-aws 5.4.0.1101.79
linux-image-azure 5.4.0.1107.80
linux-image-azure-lts-18.04 4.15.0.1164.132
linux-image-gcp 5.4.0.1104.80
linux-image-gcp-lts-18.04 4.15.0.1149.163
linux-image-generic 4.15.0.210.193
linux-image-generic-hwe-18.04 5.4.0.148.165~18.04.119
linux-image-generic-lpae 4.15.0.210.193
linux-image-generic-lpae-hwe-18.04 5.4.0.148.165~18.04.119
linux-image-kvm 4.15.0.1139.130
linux-image-lowlatency 4.15.0.210.193
linux-image-lowlatency-hwe-18.04 5.4.0.148.165~18.04.119
linux-image-oem 5.4.0.148.165~18.04.119
linux-image-oem-osp1 5.4.0.148.165~18.04.119
linux-image-oracle 5.4.0.1100.109~18.04.72
linux-image-oracle-lts-18.04 4.15.0.1118.123
linux-image-snapdragon-hwe-18.04 5.4.0.148.165~18.04.119
linux-image-virtual 4.15.0.210.193
linux-image-virtual-hwe-18.04 5.4.0.148.165~18.04.119

Ubuntu 16.04 ESM:
linux-image-4.15.0-1118-oracle 4.15.0-1118.129~16.04.1
linux-image-4.15.0-1149-gcp 4.15.0-1149.165~16.04.1
linux-image-4.15.0-1164-azure 4.15.0-1164.179~16.04.1
linux-image-4.15.0-210-generic 4.15.0-210.221~16.04.1
linux-image-4.15.0-210-lowlatency 4.15.0-210.221~16.04.1
linux-image-azure 4.15.0.1164.148
linux-image-gcp 4.15.0.1149.139
linux-image-generic-hwe-16.04 4.15.0.210.195
linux-image-gke 4.15.0.1149.139
linux-image-lowlatency-hwe-16.04 4.15.0.210.195
linux-image-oem 4.15.0.210.195
linux-image-oracle 4.15.0.1118.99
linux-image-virtual-hwe-16.04 4.15.0.210.195

Ubuntu 14.04 ESM:
linux-image-4.15.0-1164-azure 4.15.0-1164.179~14.04.1
linux-image-azure 4.15.0.1164.130

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://ubuntu.com/security/notices/USN-6047-1
CVE-2023-1829

Package Information:
https://launchpad.net/ubuntu/+source/linux/5.4.0-148.165
https://launchpad.net/ubuntu/+source/linux-aws/5.4.0-1101.109
https://launchpad.net/ubuntu/+source/linux-azure/5.4.0-1107.113
https://launchpad.net/ubuntu/+source/linux-gcp/5.4.0-1104.113
https://launchpad.net/ubuntu/+source/linux-gke/5.4.0-1098.105
https://launchpad.net/ubuntu/+source/linux-gkeop/5.4.0-1068.72
https://launchpad.net/ubuntu/+source/linux-ibm/5.4.0-1048.53
https://launchpad.net/ubuntu/+source/linux-kvm/5.4.0-1090.96
https://launchpad.net/ubuntu/+source/linux-oracle/5.4.0-1100.109
https://launchpad.net/ubuntu/+source/linux/4.15.0-210.221
https://launchpad.net/ubuntu/+source/linux-aws-5.4/5.4.0-1101.109~18.04.1
https://launchpad.net/ubuntu/+source/linux-azure-4.15/4.15.0-1164.179
https://launchpad.net/ubuntu/+source/linux-azure-5.4/5.4.0-1107.113~18.04.1
https://launchpad.net/ubuntu/+source/linux-gcp-4.15/4.15.0-1149.165
https://launchpad.net/ubuntu/+source/linux-gcp-5.4/5.4.0-1104.113~18.04.1
https://launchpad.net/ubuntu/+source/linux-hwe-5.4/5.4.0-148.165~18.04.1
https://launchpad.net/ubuntu/+source/linux-kvm/4.15.0-1139.144
https://launchpad.net/ubuntu/+source/linux-oracle/4.15.0-1118.129
https://launchpad.net/ubuntu/+source/linux-oracle-5.4/5.4.0-1100.109~18.04.1

F39 proposal: Man-pages-ru Retirement (Self-Contained Change proposal)

https://fedoraproject.org/wiki/Changes/ManPagesRuRetirement

This document represents a proposed Change. As part of the Changes
process, proposals are publicly announced in order to receive
community feedback. This proposal will only be implemented if approved
by the Fedora Engineering Steering Committee.


== Summary ==
Retiring man-pages-ru because it is already part of the man-pages-l10n.


== Owner ==
* Name: [[User:ljavorsk| Lukas Javorsky]]
* Email: ljavorsk@redhat.com


== Detailed Description ==
Upstream (man-pages-l10n) has integrated Russian translations for
man-pages. It means we no longer need to have a specific
(man-pages-ru) package for it.
[https://salsa.debian.org/manpages-l10n-team/manpages-l10n/-/commit/37b44f5a8ad3999501c79a20b67a27e17cc65630
Upstream commit containing the change]

The plan is simple:
1) Deprecate man-pages-ru package

2) Enable 'ru' translations for man-pages-l10n (temporarily disabled due
to conflicts). [https://src.fedoraproject.org/rpms/man-pages-l10n/c/00a88c237e1fd7cdef9c52665128b155cf14243c?branch=rawhide
Commit disabling it]
Also add Obsolete and Provides for man-pages-ru package.


== Feedback ==
Early feedback from the community is positive; the feedback is located
in this ([https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/WGLMJ7XXB5JUER57GEOZQBFMNKHD5FSZ/
Devel list announce])

== Benefit to Fedora ==
Fedora shouldn't maintain a redundant package. This change would make
it easier for the maintainer as well as for the packages that require
man-pages-l10n and man-pages-ru.

== Scope ==
* Proposal owners: Package man-pages-ru will be retired, and the
man-pages-l10n will contain the Russian translations.

* Other developers: Change the names of their BuildRequires/Requires
accordingly.

* Release engineering: No action required

* Policies and guidelines: N/A (not needed for this Change)

* Trademark approval: N/A (not needed for this Change)


* Alignment with Objectives:

== Upgrade/compatibility impact ==
When following the plan in Detailed Description there will be no need
for manual action. Everything will be handled by the automated dnf
upgrade.


== How To Test ==


== User Experience ==


== Dependencies ==
List of the packages from Fedora 39

=== man-pages-ru ===
dnf repoquery --whatrequires man-pages-ru | pkgname
<empty>

dnf repoquery --whatrequires '/usr/share/man/ru/*' | pkgname
<empty>


== Contingency Plan ==
* Contingency mechanism: Remove the man-pages-l10n build with Russian
translation enabled. Revert deprecation of the man-pages-ru package.
* Contingency deadline: Beta freeze
* Blocks release? No

''NOTE: If we don't finish this change by the deadline, it is possible
to just complete this change with the next release.''


== Documentation ==
[https://salsa.debian.org/manpages-l10n-team/manpages-l10n/-/commit/37b44f5a8ad3999501c79a20b67a27e17cc65630
Upstream issue]
[https://bugzilla.redhat.com/show_bug.cgi?id=2163421 Bugzilla tracker]
[https://sourceforge.net/p/man-pages-ru/discussion/1102373/thread/7dda92a232/
man-pages-l10n upstream discussion with man-pages-ru upstream about this]

== Release Notes ==


--
Ben Cotton
He / Him / His
Fedora Program Manager
Red Hat
TZ=America/Indiana/Indianapolis

Wednesday, April 26, 2023

[USN-6017-2] Ghostscript vulnerability

==========================================================================
Ubuntu Security Notice USN-6017-2
April 26, 2023

ghostscript vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04

Summary:

Ghostscript could be made to crash or run programs as your login if it
received a specially crafted input.

Software Description:
- ghostscript: PostScript and PDF interpreter

Details:

USN-6017-1 fixed vulnerabilities in Ghostscript. This update provides the
corresponding updates for Ubuntu 23.04.

Original advisory details:

Hadrien Perrineau discovered that Ghostscript incorrectly handled certain
inputs. An attacker could possibly use this issue to cause a denial of
service, or possibly execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.04:
ghostscript 10.0.0~dfsg1-0ubuntu1.1
libgs10 10.0.0~dfsg1-0ubuntu1.1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6017-2
https://ubuntu.com/security/notices/USN-6017-1
CVE-2023-28879

Package Information:
https://launchpad.net/ubuntu/+source/ghostscript/10.0.0~dfsg1-0ubuntu1.1

[USN-6042-1] Cloud-init vulnerability

==========================================================================
Ubuntu Security Notice USN-6042-1
April 26, 2023

cloud-init vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04
- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 ESM

Summary:

cloud-init could write sensitive information to logs.

Software Description:
- cloud-init: initialization and customization tool for cloud instances

Details:

James Glovich discovered that sensitive data could be exposed in logs. An
attacker could use this information to find hashed passwords and possibly
escalate their privilege.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.04:
cloud-init 23.1.2-0ubuntu0~23.04.1

Ubuntu 22.10:
cloud-init 23.1.2-0ubuntu0~22.10.1

Ubuntu 22.04 LTS:
cloud-init 23.1.2-0ubuntu0~22.04.1

Ubuntu 20.04 LTS:
cloud-init 23.1.2-0ubuntu0~20.04.1

Ubuntu 18.04 LTS:
cloud-init 23.1.2-0ubuntu0~18.04.1

Ubuntu 16.04 ESM:
cloud-init 21.1-19-gbad84ad4-0ubuntu1~16.04.4

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6042-1
CVE-2023-1786, https://bugs.launchpad.net/cloud-init/+bug/2013967

Package Information:
https://launchpad.net/ubuntu/+source/cloud-init/23.1.2-0ubuntu0~23.04.1
https://launchpad.net/ubuntu/+source/cloud-init/23.1.2-0ubuntu0~22.10.1
https://launchpad.net/ubuntu/+source/cloud-init/23.1.2-0ubuntu0~22.04.1
https://launchpad.net/ubuntu/+source/cloud-init/23.1.2-0ubuntu0~20.04.1
https://launchpad.net/ubuntu/+source/cloud-init/23.1.2-0ubuntu0~18.04.1

[USN-6044-1] Linux kernel vulnerabilities

==========================================================================
Ubuntu Security Notice USN-6044-1
April 26, 2023

linux, linux-aws, linux-aws-5.15, linux-azure, linux-gke, linux-gke-5.15,
linux-gkeop, linux-hwe-5.15, linux-ibm, linux-lowlatency,
linux-lowlatency-hwe-5.15, linux-oracle, linux-oracle-5.15 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux: Linux kernel
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems
- linux-azure: Linux kernel for Microsoft Azure Cloud systems
- linux-gke: Linux kernel for Google Container Engine (GKE) systems
- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems
- linux-ibm: Linux kernel for IBM cloud systems
- linux-lowlatency: Linux low latency kernel
- linux-oracle: Linux kernel for Oracle Cloud systems
- linux-aws-5.15: Linux kernel for Amazon Web Services (AWS) systems
- linux-gke-5.15: Linux kernel for Google Container Engine (GKE) systems
- linux-hwe-5.15: Linux hardware enablement (HWE) kernel
- linux-lowlatency-hwe-5.15: Linux low latency kernel
- linux-oracle-5.15: Linux kernel for Oracle Cloud systems

Details:

It was discovered that the Traffic-Control Index (TCINDEX) implementation
in the Linux kernel did not properly perform filter deactivation in some
situations. A local attacker could possibly use this to gain elevated
privileges. Please note that with the fix for this CVE, kernel support for
the TCINDEX classifier has been removed. (CVE-2023-1829)

It was discovered that a race condition existed in the io_uring subsystem
in the Linux kernel, leading to a use-after-free vulnerability. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2023-1872)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS:
linux-image-5.15.0-1019-gkeop 5.15.0-1019.24
linux-image-5.15.0-1029-ibm 5.15.0-1029.32
linux-image-5.15.0-1032-gke 5.15.0-1032.37
linux-image-5.15.0-1034-oracle 5.15.0-1034.40
linux-image-5.15.0-1035-aws 5.15.0-1035.39
linux-image-5.15.0-1037-azure 5.15.0-1037.44
linux-image-5.15.0-71-generic 5.15.0-71.78
linux-image-5.15.0-71-generic-64k 5.15.0-71.78
linux-image-5.15.0-71-generic-lpae 5.15.0-71.78
linux-image-5.15.0-71-lowlatency 5.15.0-71.78
linux-image-5.15.0-71-lowlatency-64k 5.15.0-71.78
linux-image-aws-lts-22.04 5.15.0.1035.34
linux-image-azure 5.15.0.1037.33
linux-image-azure-lts-22.04 5.15.0.1037.33
linux-image-generic 5.15.0.71.69
linux-image-generic-64k 5.15.0.71.69
linux-image-generic-lpae 5.15.0.71.69
linux-image-gke 5.15.0.1032.31
linux-image-gke-5.15 5.15.0.1032.31
linux-image-gkeop 5.15.0.1019.18
linux-image-gkeop-5.15 5.15.0.1019.18
linux-image-ibm 5.15.0.1029.25
linux-image-lowlatency 5.15.0.71.76
linux-image-lowlatency-64k 5.15.0.71.76
linux-image-oracle 5.15.0.1034.29
linux-image-virtual 5.15.0.71.69

Ubuntu 20.04 LTS:
linux-image-5.15.0-1032-gke 5.15.0-1032.37~20.04.1
linux-image-5.15.0-1034-oracle 5.15.0-1034.40~20.04.1
linux-image-5.15.0-1035-aws 5.15.0-1035.39~20.04.1
linux-image-5.15.0-71-generic 5.15.0-71.78~20.04.1
linux-image-5.15.0-71-generic-64k 5.15.0-71.78~20.04.1
linux-image-5.15.0-71-generic-lpae 5.15.0-71.78~20.04.1
linux-image-5.15.0-71-lowlatency 5.15.0-71.78~20.04.1
linux-image-5.15.0-71-lowlatency-64k 5.15.0-71.78~20.04.1
linux-image-aws 5.15.0.1035.39~20.04.24
linux-image-generic-64k-hwe-20.04 5.15.0.71.78~20.04.32
linux-image-generic-hwe-20.04 5.15.0.71.78~20.04.32
linux-image-generic-lpae-hwe-20.04 5.15.0.71.78~20.04.32
linux-image-gke-5.15 5.15.0.1032.37~20.04.1
linux-image-lowlatency-64k-hwe-20.04 5.15.0.71.78~20.04.29
linux-image-lowlatency-hwe-20.04 5.15.0.71.78~20.04.29
linux-image-oem-20.04 5.15.0.71.78~20.04.32
linux-image-oem-20.04b 5.15.0.71.78~20.04.32
linux-image-oem-20.04c 5.15.0.71.78~20.04.32
linux-image-oem-20.04d 5.15.0.71.78~20.04.32
linux-image-oracle 5.15.0.1034.40~20.04.1
linux-image-virtual-hwe-20.04 5.15.0.71.78~20.04.32

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://ubuntu.com/security/notices/USN-6044-1
CVE-2023-1829, CVE-2023-1872

Package Information:
https://launchpad.net/ubuntu/+source/linux/5.15.0-71.78
https://launchpad.net/ubuntu/+source/linux-aws/5.15.0-1035.39
https://launchpad.net/ubuntu/+source/linux-azure/5.15.0-1037.44
https://launchpad.net/ubuntu/+source/linux-gke/5.15.0-1032.37
https://launchpad.net/ubuntu/+source/linux-gkeop/5.15.0-1019.24
https://launchpad.net/ubuntu/+source/linux-ibm/5.15.0-1029.32
https://launchpad.net/ubuntu/+source/linux-lowlatency/5.15.0-71.78
https://launchpad.net/ubuntu/+source/linux-oracle/5.15.0-1034.40
https://launchpad.net/ubuntu/+source/linux-aws-5.15/5.15.0-1035.39~20.04.1
https://launchpad.net/ubuntu/+source/linux-gke-5.15/5.15.0-1032.37~20.04.1
https://launchpad.net/ubuntu/+source/linux-hwe-5.15/5.15.0-71.78~20.04.1
https://launchpad.net/ubuntu/+source/linux-lowlatency-hwe-5.15/5.15.0-71.78~20.04.1
https://launchpad.net/ubuntu/+source/linux-oracle-5.15/5.15.0-1034.40~20.04.1

[USN-6045-1] Linux kernel vulnerabilities

==========================================================================
Ubuntu Security Notice USN-6045-1
April 26, 2023

linux, linux-aws, linux-kvm, linux-lts-xenial vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 ESM
- Ubuntu 14.04 ESM

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux: Linux kernel
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems
- linux-kvm: Linux kernel for cloud environments
- linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty

Details:

It was discovered that the Traffic-Control Index (TCINDEX) implementation
in the Linux kernel did not properly perform filter deactivation in some
situations. A local attacker could possibly use this to gain elevated
privileges. Please note that with the fix for this CVE, kernel support for
the TCINDEX classifier has been removed. (CVE-2023-1829)

Gwnaun Jung discovered that the SFB packet scheduling implementation in the
Linux kernel contained a use-after-free vulnerability. A local attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2022-3586)

Zheng Wang and Zhuorao Yang discovered that the RealTek RTL8712U wireless
driver in the Linux kernel contained a use-after-free vulnerability. A
local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2022-4095)

It was discovered that the TIPC protocol implementation in the Linux kernel
did not properly validate the queue of socket buffers (skb) when handling
certain UDP packets. A remote attacker could use this to cause a denial of
service. (CVE-2023-1390)

It was discovered that the Xircom PCMCIA network device driver in the Linux
kernel did not properly handle device removal events. A physically
proximate attacker could use this to cause a denial of service (system
crash). (CVE-2023-1670)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 ESM:
linux-image-4.4.0-1119-kvm 4.4.0-1119.129
linux-image-4.4.0-1156-aws 4.4.0-1156.171
linux-image-4.4.0-240-generic 4.4.0-240.274
linux-image-4.4.0-240-lowlatency 4.4.0-240.274
linux-image-aws 4.4.0.1156.160
linux-image-generic 4.4.0.240.246
linux-image-generic-lts-xenial 4.4.0.240.246
linux-image-kvm 4.4.0.1119.116
linux-image-lowlatency 4.4.0.240.246
linux-image-lowlatency-lts-xenial 4.4.0.240.246
linux-image-virtual 4.4.0.240.246
linux-image-virtual-lts-xenial 4.4.0.240.246

Ubuntu 14.04 ESM:
linux-image-4.4.0-1118-aws 4.4.0-1118.124
linux-image-4.4.0-240-generic 4.4.0-240.274~14.04.1
linux-image-4.4.0-240-lowlatency 4.4.0-240.274~14.04.1
linux-image-aws 4.4.0.1118.115
linux-image-generic-lts-xenial 4.4.0.240.208
linux-image-lowlatency-lts-xenial 4.4.0.240.208
linux-image-virtual-lts-xenial 4.4.0.240.208

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://ubuntu.com/security/notices/USN-6045-1
CVE-2022-3586, CVE-2022-4095, CVE-2023-1390, CVE-2023-1670,
CVE-2023-1829

[USN-6043-1] Linux kernel vulnerabilities

==========================================================================
Ubuntu Security Notice USN-6043-1
April 26, 2023

linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.19, linux-ibm,
linux-kvm, linux-lowlatency, linux-oracle, linux-raspi vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux: Linux kernel
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems
- linux-azure: Linux kernel for Microsoft Azure Cloud systems
- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems
- linux-ibm: Linux kernel for IBM cloud systems
- linux-kvm: Linux kernel for cloud environments
- linux-lowlatency: Linux low latency kernel
- linux-oracle: Linux kernel for Oracle Cloud systems
- linux-raspi: Linux kernel for Raspberry Pi systems
- linux-hwe-5.19: Linux hardware enablement (HWE) kernel

Details:

It was discovered that the Traffic-Control Index (TCINDEX) implementation
in the Linux kernel did not properly perform filter deactivation in some
situations. A local attacker could possibly use this to gain elevated
privileges. Please note that with the fix for this CVE, kernel support for
the TCINDEX classifier has been removed. (CVE-2023-1829)

It was discovered that the OverlayFS implementation in the Linux kernel did
not properly handle copy up operation in some conditions. A local attacker
could possibly use this to gain elevated privileges. (CVE-2023-0386)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.10:
linux-image-5.19.0-1017-raspi 5.19.0-1017.24
linux-image-5.19.0-1017-raspi-nolpae 5.19.0-1017.24
linux-image-5.19.0-1021-ibm 5.19.0-1021.23
linux-image-5.19.0-1022-gcp 5.19.0-1022.24
linux-image-5.19.0-1022-kvm 5.19.0-1022.23
linux-image-5.19.0-1022-oracle 5.19.0-1022.25
linux-image-5.19.0-1023-lowlatency 5.19.0-1023.24
linux-image-5.19.0-1023-lowlatency-64k 5.19.0-1023.24
linux-image-5.19.0-1024-aws 5.19.0-1024.25
linux-image-5.19.0-1025-azure 5.19.0-1025.28
linux-image-5.19.0-41-generic 5.19.0-41.42
linux-image-5.19.0-41-generic-64k 5.19.0-41.42
linux-image-5.19.0-41-generic-lpae 5.19.0-41.42
linux-image-aws 5.19.0.1024.21
linux-image-azure 5.19.0.1025.20
linux-image-gcp 5.19.0.1022.18
linux-image-generic 5.19.0.41.37
linux-image-generic-64k 5.19.0.41.37
linux-image-generic-lpae 5.19.0.41.37
linux-image-ibm 5.19.0.1021.18
linux-image-kvm 5.19.0.1022.19
linux-image-lowlatency 5.19.0.1023.19
linux-image-lowlatency-64k 5.19.0.1023.19
linux-image-oracle 5.19.0.1022.18
linux-image-raspi 5.19.0.1017.16
linux-image-raspi-nolpae 5.19.0.1017.16
linux-image-virtual 5.19.0.41.37

Ubuntu 22.04 LTS:
linux-image-5.19.0-41-generic 5.19.0-41.42~22.04.1
linux-image-5.19.0-41-generic-64k 5.19.0-41.42~22.04.1
linux-image-5.19.0-41-generic-lpae 5.19.0-41.42~22.04.1
linux-image-generic-64k-hwe-22.04 5.19.0.41.42~22.04.14
linux-image-generic-hwe-22.04 5.19.0.41.42~22.04.14
linux-image-generic-lpae-hwe-22.04 5.19.0.41.42~22.04.14
linux-image-virtual-hwe-22.04 5.19.0.41.42~22.04.14

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://ubuntu.com/security/notices/USN-6043-1
CVE-2023-0386, CVE-2023-1829

Package Information:
https://launchpad.net/ubuntu/+source/linux/5.19.0-41.42
https://launchpad.net/ubuntu/+source/linux-aws/5.19.0-1024.25
https://launchpad.net/ubuntu/+source/linux-azure/5.19.0-1025.28
https://launchpad.net/ubuntu/+source/linux-gcp/5.19.0-1022.24
https://launchpad.net/ubuntu/+source/linux-ibm/5.19.0-1021.23
https://launchpad.net/ubuntu/+source/linux-kvm/5.19.0-1022.23
https://launchpad.net/ubuntu/+source/linux-lowlatency/5.19.0-1023.24
https://launchpad.net/ubuntu/+source/linux-oracle/5.19.0-1022.25
https://launchpad.net/ubuntu/+source/linux-raspi/5.19.0-1017.24
https://launchpad.net/ubuntu/+source/linux-hwe-5.19/5.19.0-41.42~22.04.1

[USN-6010-3] Firefox regressions

==========================================================================
Ubuntu Security Notice USN-6010-3
April 26, 2023

firefox regressions
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

USN-6010-2 caused some minor regressions in Firefox.

Software Description:
- firefox: Mozilla Open Source web browser

Details:

USN-6010-1 fixed vulnerabilities and USN-6010-2 fixed minor regressions in
Firefox. The update introduced several minor regressions. This update fixes
the problem.

We apologize for the inconvenience.

Original advisory details:

Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, obtain sensitive
information across domains, or execute arbitrary code. (CVE-2023-29537,
CVE-2023-29540, CVE-2023-29543, CVE-2023-29544, CVE-2023-29547,
CVE-2023-29548, CVE-2023-29549, CVE-2023-29550, CVE-2023-29551)

Irvan Kurniawan discovered that Firefox did not properly manage fullscreen
notifications using a combination of window.open, fullscreen requests,
window.name assignments, and setInterval calls. An attacker could
potentially exploit this issue to perform spoofing attacks. (CVE-2023-29533)

Lukas Bernhard discovered that Firefox did not properly manage memory
when doing Garbage Collector compaction. An attacker could potentially
exploit this issue to cause a denial of service. (CVE-2023-29535)

Zx from qriousec discovered that Firefox did not properly validate the
address to free a pointer provided to the memory manager. An attacker could
potentially exploit this issue to cause a denial of service.
(CVE-2023-29536)

Alexis aka zoracon discovered that Firefox did not properly validate the
URI received by the WebExtension during a load request. An attacker could
potentially exploit this to obtain sensitive information. (CVE-2023-29538)

Trung Pham discovered that Firefox did not properly validate the filename
directive in the Content-Disposition header. An attacker could possibly
exploit this to perform reflected file download attacks, potentially
tricking users into installing malware. (CVE-2023-29539)

Ameen Basha M K discovered that Firefox did not properly validate downloads
of files ending in .desktop. An attacker could potentially exploit this
issue to execute arbitrary code. (CVE-2023-29541)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS:
firefox 112.0.2+build1-0ubuntu0.20.04.1

Ubuntu 18.04 LTS:
firefox 112.0.2+build1-0ubuntu0.18.04.1

After a standard system update you need to restart Firefox to make all the
necessary changes.

References:
https://ubuntu.com/security/notices/USN-6010-3
https://ubuntu.com/security/notices/USN-6010-1
https://launchpad.net/bugs/2017722

Package Information:
https://launchpad.net/ubuntu/+source/firefox/112.0.2+build1-0ubuntu0.20.04.1
https://launchpad.net/ubuntu/+source/firefox/112.0.2+build1-0ubuntu0.18.04.1

Tuesday, April 25, 2023

F39 proposal: mkosi-initrd (Self-Contained Change proposal)

https://fedoraproject.org/wiki/Changes/mkosi-initrd

This document represents a proposed Change. As part of the Changes
process, proposals are publicly announced in order to receive
community feedback. This proposal will only be implemented if approved
by the Fedora Engineering Steering Committee.


== Summary ==

`mkosi-initrd` is an alternative builder for initrds.
It will be packaged in Fedora, so that users can use it to build
initrds locally.
A `kernel-install` plugin will be provided to build the initrd when a
kernel package is installed.
As a stretch goal, initrds will be built in koji and delivered via rpm packages.
As a further stretch goal, pre-built initrds will be used in Unified
Kernel Images that can be delivered via rpm packages.

Only a subset of installation types will be supported.

== Owner ==
* Name: [[User:zbyszek| Zbigniew Jędrzejewski-Szmek]]
* Name: [[User:lnykryn| Lukáš Nykrýn ]]
* Name: [[User:Daandemeyer| Daan De Meyer]]
* Email: zbyszek - at - in.waw.pl, lnykryn - at - redhat.com,
daandemeyer - at - fb.com



== Detailed Description ==
The process by which we create initrds is complicated and inefficient.
Initrds contain duplicate functionality and require a lot of maintainer effort.
The aim of this proposal is to introduce a vastly simplified mechanism
of initrd creation and simplified initrd contents.

The `mkosi-initrd` project is a set of config files for `mkosi`.
`mkosi` is a program to build operating system images from system packages.
An initrd is built by invoking `mkosi` with the config provided by
`mkosi-initrd`.

Instead of building initrds by scraping the file system and figuring
out dependencies again,
existing packages and normal package installation via `dnf`/`rpm` is
used to populate the initrd.
This also means that the package manager is responsible for satisfying
dependencies.
At runtime, `systemd` is responsible for setting up the execution
environment and invoking programs.

Currently, initrds built in this way are bigger than initrds built by dracut.
They also have limited functionality:
many common types of systems work just fine, but more exotic
configurations are not supported.
See [[#Scope|Scope]] below for a list of known good/bad features.

The goal of this change is to provide an ''alternative'' mechanism.
If the feedback is positive, we may consider using initrds built with
`mkosi-initrd` as default in certain scenarios.
There are no plans to remove `dracut` in the foreseeable future.
This means that for any case not supported or not working well,
`dracut` remains a natural fallback.
In this way this change is similar to
[[Changes/Unified_Kernel_Support_Phase_1]],
as it provides a preview of a new technology as an alternative to the
current established approach.

== Feedback ==


== Benefit to Fedora ==
Current initrd generation with `dracut` is showing its age.
As upstream packages evolve,
repeating the dependency resolution in `dracut` is a constant drain of
maintainer time.
Our `dracut` initrds are already using `systemd`.
But `systemd` is constantly evolving and adding new functionality
related to early boot:
decryption of disks, access to secrets, new configuration mechanisms,
state checks and boot counting.
More and more, `dracut` runtime scripting is a thin wrapper around `systemd`.
We have two job queues: the `dracut` initqueue, and the `systemd` job queue.
This duplication makes everything harder, both during preparation and
at runtime, for little benefit.

The design principle of the new approach is to remove duplicate functionality:
* package `Requires` replace dracut module dependency logic and
automatic installation of libraries based on `ldd` output
* `systemd` job management replaces the remainder of `dracut` runtime
* the environment in the initrd is just a normal linux system (albeit
on a temporary root fs)
* normal package contents replace special scripts crafted for the initrd

Generally, the new scheme requires very little new stuff.
We reuse things that are already available (and used):
`dnf` and `rpm`,
packages for all stuff that is used in the initrd,
`systemd`,
special systemd units for the initrd.

The new component is a mechanism that builds the initrd out of packages.
But it is a relatively simple step that requires very little maintenance.
The biggest part of the initial work is the creation of package lists
to install in the initrd,
and adjusting packages to function correctly in the initrd and not
pull in unnecessary dependencies.
Afterwards, there might be occasional maintenance related to bugs or
package splits.

Initrds built with `mkosi-initrd` should be fully reproducible (in the
sense of reproducible builds).

The work done in packages has external benefits:
package minimization automatically benefits other "small" installations.

== Scope ==
* Proposal owners:
** package `mkosi-initrd` ([https://copr.fedorainfracloud.org/coprs/zbyszek/mkosi-initrd/builds/ copr],
review-request https://bugzilla.redhat.com/show_bug.cgi?id=2189633)
** verify (and fix if necessary) `mkosi-initrd`/`systemd`/other
packages to work with:
*** root on a plain partition
*** root on LVM2
*** root on LUKS
*** root on RAID
*** root on NFS
*** hibernation
** provide a `kernel-install` plugin that builds an initrd locally
** provide a `kernel-install` plugin that combines this initrd with a
kernel binary into a Unified Kernel Image locally
** make dracut not interfere with mkosi-initrd (merge
https://github.com/dracutdevs/dracut/pull/1825 or carry downstream
patch)
** work with koji developers to allow `mkosi-initrd` to run in koji
(stretch goal 1). This requires changing koji to allow access to
downloaded rpms during build.
** add a `mkosi-initrd-initrd` (name TBD) package that builds a set of
subpackages with initrds (stretch goal 2).

(Out of scope: support for root on iSCSI is not planned currently.
Our experiments with iSCSI show that the existing tooling is a bunch
of terrible scripts that don't work at all outside of dracut.)

More items may be added to Scope or listed as not planned based on feedback.

* Other developers:
** koji developers: help with the rpms-in-buildroot functionality and
** koji maintainers and releng: deploy changes in koji in Fedora infra
** anyone: Install the new packages to opt-in into testing the new initrds.

* Release engineering:
* Policies and guidelines: N/A (not needed for this Change)
* Trademark approval: N/A (not needed for this Change)
* Alignment with Objectives:


== Upgrade/compatibility impact ==
This is new functionality that will only impact people who opt-in.

== How To Test ==
* Right now:
** enable the copr and install `mkosi-initrd` (see
[https://github.com/systemd/mkosi-initrd/#mkosi-initrd--build-initrd-images-using-distro-packages instructions])
** adjust configuration:
<pre>
echo 'initrd_generator=mkosi-initrd' >>/etc/kernel/install.conf
# Until https://github.com/dracutdevs/dracut/pull/1825 is merged
mkdir -p /etc/kernel/install.d
ln -s /dev/null /etc/kernel/install.d/50-dracut.install
</pre>
** Upgrade or reinstall kernel package and reboot
* After `mkosi-initrd` has an official build:
** disable the copr and update to the distro package
** Upgrade or reinstall kernel package and reboot
* After stretch goal 2:
** Install `mkosi-initrd-initrd-<variant>`
** Upgrade or reinstall kernel package and reboot

== User Experience ==
Ideally, there should be no visible change for users.
Obviously, when text logs are shown on the console, the output is a bit different.
After stretch goal 2, installation will be quicker.

== Dependencies ==
Support for UKIs in grub2 was implemented in
[[Changes/Unified_Kernel_Support_Phase_1]],
but the support for UKIs in grub2 was not merged.
This support is a requirement for people who want to use mkosi-initrd
UKIs with grub2.

== Contingency Plan ==

* Contingency mechanism: Postpone introduction of features to a later
release. If it turns out that initrds are faulty, users who installed
them will need to manually switch back to dracut initrds.
* Contingency deadline: Any time.
* Blocks release? No.

== Documentation ==
https://github.com/systemd/mkosi-initrd/blob/main/docs/fedora.md

== Release Notes ==
Simplified initrds built with `mkosi-initrd` are available for testing.


--
Ben Cotton
He / Him / His
Fedora Program Manager
Red Hat
TZ=America/Indiana/Indianapolis
_______________________________________________
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

[USN-6039-1] OpenSSL vulnerabilities

==========================================================================
Ubuntu Security Notice USN-6039-1
April 25, 2023

openssl, openssl1.0 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04
- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 ESM
- Ubuntu 14.04 ESM

Summary:

Several security issues were fixed in OpenSSL.

Software Description:
- openssl: Secure Socket Layer (SSL) cryptographic library and tools
- openssl1.0: Secure Socket Layer (SSL) cryptographic library and tools

Details:

It was discovered that OpenSSL was not properly managing file locks when
processing policy constraints. If a user or automated system were tricked
into processing a certificate chain with specially crafted policy
constraints, a remote attacker could possibly use this issue to cause a
denial of service. This issue only affected Ubuntu 22.04 LTS and Ubuntu
22.10. (CVE-2022-3996)

David Benjamin discovered that OpenSSL was not properly performing the
verification of X.509 certificate chains that include policy constraints,
which could lead to excessive resource consumption. If a user or automated
system were tricked into processing a specially crafted X.509 certificate
chain that includes policy constraints, a remote attacker could possibly
use this issue to cause a denial of service. (CVE-2023-0464)

David Benjamin discovered that OpenSSL was not properly handling invalid
certificate policies in leaf certificates, which would result in certain
policy checks being skipped for the certificate. If a user or automated
system were tricked into processing a specially crafted certificate, a
remote attacker could possibly use this issue to assert invalid
certificate policies and circumvent policy checking. (CVE-2023-0465)

David Benjamin discovered that OpenSSL incorrectly documented the
behavior of the X509_VERIFY_PARAM_add0_policy function, stating that
it would implicitly enable certificate policy checks when doing
certificate verifications, contrary to its implementation. This could
cause users and applications to not perform certificate policy checks
even when expected to do so. (CVE-2023-0466)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.04:
  libssl-doc                      3.0.8-1ubuntu1.1
  libssl3                         3.0.8-1ubuntu1.1
  openssl                         3.0.8-1ubuntu1.1

Ubuntu 22.10:
  libssl-doc                      3.0.5-2ubuntu2.2
  libssl3                         3.0.5-2ubuntu2.2
  openssl                         3.0.5-2ubuntu2.2

Ubuntu 22.04 LTS:
  libssl-doc                      3.0.2-0ubuntu1.9
  libssl3                         3.0.2-0ubuntu1.9
  openssl                         3.0.2-0ubuntu1.9

Ubuntu 20.04 LTS:
  libssl-doc                      1.1.1f-1ubuntu2.18
  libssl1.1                       1.1.1f-1ubuntu2.18
  openssl                         1.1.1f-1ubuntu2.18

Ubuntu 18.04 LTS:
  libssl-doc                      1.1.1-1ubuntu2.1~18.04.22
  libssl1.0.0                     1.0.2n-1ubuntu5.12
  libssl1.1                       1.1.1-1ubuntu2.1~18.04.22
  openssl                         1.1.1-1ubuntu2.1~18.04.22
  openssl1.0                      1.0.2n-1ubuntu5.12

Ubuntu 16.04 ESM:
  libssl-doc                      1.0.2g-1ubuntu4.20+esm7
  libssl1.0.0                     1.0.2g-1ubuntu4.20+esm7
  openssl                         1.0.2g-1ubuntu4.20+esm7

Ubuntu 14.04 ESM:
  libssl-doc                      1.0.1f-1ubuntu2.27+esm7
  libssl1.0.0                     1.0.1f-1ubuntu2.27+esm7
  openssl                         1.0.1f-1ubuntu2.27+esm7

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6039-1
  CVE-2022-3996, CVE-2023-0464, CVE-2023-0466

Package Information:
  https://launchpad.net/ubuntu/+source/openssl/3.0.8-1ubuntu1.1
  https://launchpad.net/ubuntu/+source/openssl/3.0.5-2ubuntu2.2
  https://launchpad.net/ubuntu/+source/openssl/3.0.2-0ubuntu1.9
  https://launchpad.net/ubuntu/+source/openssl/1.1.1f-1ubuntu2.18
  https://launchpad.net/ubuntu/+source/openssl/1.1.1-1ubuntu2.1~18.04.22
  https://launchpad.net/ubuntu/+source/openssl1.0/1.0.2n-1ubuntu5.12
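
Checking a host against the fixed versions in the kernel and OpenSSL notices above needs Debian version ordering, where digit runs compare numerically and `~` sorts before the end of the string. The Python sketch below is an added example, not part of any notice; the function names are hypothetical and the installed inventory is constructed, while the fixed versions are copied from the Ubuntu 22.04 LTS entries above.

```python
"""Audit installed package versions against a notice's fixed versions.

Added example. Implements the dpkg ordering of epoch, upstream version
and revision; the inventory at the bottom is constructed sample data.
"""


def _order(ch):
    # Weight of one non-digit character: '~' sorts before everything,
    # including end of string; letters sort before other symbols.
    if ch == "~":
        return -1
    if ch == "" or ch.isdigit():
        return 0
    if ch.isalpha():
        return ord(ch)
    return ord(ch) + 256


def _cmp_part(a, b):
    """Compare two upstream-version or revision strings; -1, 0 or 1."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Step 1: compare the non-digit runs character by character.
        while (i < len(a) and not a[i].isdigit()) or \
              (j < len(b) and not b[j].isdigit()):
            ca = _order(a[i] if i < len(a) else "")
            cb = _order(b[j] if j < len(b) else "")
            if ca != cb:
                return -1 if ca < cb else 1
            i += 1
            j += 1
        # Step 2: compare the following digit runs as integers, so that
        # "1.10" is newer than "1.9". An empty run counts as zero.
        si, sj = i, j
        while i < len(a) and a[i].isdigit():
            i += 1
        while j < len(b) and b[j].isdigit():
            j += 1
        na, nb = int(a[si:i] or 0), int(b[sj:j] or 0)
        if na != nb:
            return -1 if na < nb else 1
    return 0


def split_version(version):
    """Split '[epoch:]upstream[-revision]' into its three fields."""
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1 if a is older than b, 0 if equal, 1 if newer."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)


def audit(installed, fixed):
    """Map each package named in the notice to its patch status."""
    report = {}
    for pkg, fixed_version in fixed.items():
        have = installed.get(pkg)
        if have is None:
            report[pkg] = "not installed"
        elif compare_versions(have, fixed_version) < 0:
            report[pkg] = "needs update"
        else:
            report[pkg] = "patched"
    return report


# Fixed versions for Ubuntu 22.04 LTS, copied from the notices above.
FIXED_2204 = {
    "openssl": "3.0.2-0ubuntu1.9",
    "libssl3": "3.0.2-0ubuntu1.9",
    "linux-image-generic-hwe-22.04": "5.19.0.41.42~22.04.14",
}

# Constructed inventory, in the shape you would parse from
# dpkg-query -W -f='${Package} ${Version}\n'
INSTALLED = {
    "openssl": "3.0.2-0ubuntu1.8",
    "libssl3": "3.0.2-0ubuntu1.10",
    "linux-image-generic-hwe-22.04": "5.19.0.41.42~22.04.13",
}

if __name__ == "__main__":
    for pkg, status in audit(INSTALLED, FIXED_2204).items():
        print(f"{pkg:32} {INSTALLED.get(pkg, '-'):28} {status}")
```

A kernel package at or above the fixed version still needs the reboot the notice calls for before the running kernel is the patched one. On a live system, `dpkg --compare-versions` gives the authoritative ordering.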

F39 proposal: Lazarus repackaging (Self-Contained Change proposal)

https://fedoraproject.org/wiki/Changes/F39-Lazarus-repackaging

This document represents a proposed Change. As part of the Changes
process, proposals are publicly announced in order to receive
community feedback. This proposal will only be implemented if approved
by the Fedora Engineering Steering Committee.

== Summary ==
Split the `lazarus` package (the Lazarus IDE for Free Pascal) into
several sub-packages (built from the same spec file) and enable
building the Lazarus Component Library for multiple widget sets,
instead of just the default GTK2.

== Owner ==
* Name: [[User:suve|Artur Frenszek-Iwicki]]
* Email: <fedora@svgames.pl>


== Detailed Description ==
The `lazarus` package will be split into multiple packages:
* `lazarus-doc` - documentation
* `lazarus-ide` - the IDE itself
* `lazarus-lcl` - base package for the LCL (Lazarus Component
Library), containing common LCL parts
* `lazarus-lcl-nogui` - components for building non-graphical applications
* `lazarus-lcl-gtk` - components for building programs using the GTK2
widget library
* `lazarus-tools` - command-line tools shipped with Lazarus, e.g. `lazbuild`

The `lazarus` package will become a metapackage - it will not contain
any files itself, instead pulling in all the packages mentioned above.

Several new packages will also be introduced:
* `lazarus-lcl-gtk3` - support for building programs using the GTK3
widget library
* `lazarus-lcl-qt` - ditto, for Qt4
* `lazarus-lcl-qt5` - ditto, for Qt5


== Benefit to Fedora ==
Currently, Lazarus in Fedora only supports building programs with the
GTK2 widget set. With this change, Lazarus will gain support for
additional widget sets, allowing users to build their applications
using GTK3, Qt4 and Qt5.

Maintainers of packages depending on Lazarus can switch from
BuildRequiring `lazarus` to the following set:
* `lazarus-lcl-nogui` (may not be needed, depending on the program)
* `lazarus-lcl-gtk2` (or a different widget set, if the maintainer so wishes)
* `lazarus-tools`

This minimal package set is about 60MiB smaller than the current
Lazarus package. This should make builds slightly faster.

== Scope ==
* Proposal owners:
** Edit `lazarus.spec` as required and rebuild the package, preferably
before the Mass Rebuild.

* Other developers: No action required.

* Release engineering: No action required.

* Policies and guidelines: N/A (not needed for this Change)

* Trademark approval: N/A (not needed for this Change)

* Alignment with Objectives: N/A


== Upgrade/compatibility impact ==
When upgrading Fedora 39, users who have the `lazarus` package
installed should see the following sub-packages pulled in during the
process:
* `lazarus-doc`
* `lazarus-ide`
* `lazarus-lcl`
* `lazarus-lcl-nogui`
* `lazarus-lcl-gtk2`
* `lazarus-tools`

This set of packages should provide the same files and functionality
as the current monolithic `lazarus` package.

== How To Test ==
A copr repository has been created where users can test out the
modified package:
[https://copr.fedorainfracloud.org/coprs/suve/lazarus-split/ copr/suve/lazarus-split].

== User Experience ==
For users not interested in different widget sets, this Change should
not affect their experience. Those wanting to build their programs
using GTK3, Qt4 or Qt5 will gain the ability to do so.

== Dependencies ==
None.

== Contingency Plan ==
Worst case scenario - give up, revert to an old version of
`lazarus.spec` and rebuild the package.

== Documentation ==
N/A (not a System Wide Change)

== Release Notes ==
The `lazarus` package has been split into multiple sub-packages. Apart
from GTK2, the IDE now supports building programs using the GTK3, Qt4
and Qt5 widget sets - available by installing `lazarus-lcl-*`
packages.


--
Ben Cotton
He / Him / His
Fedora Program Manager
Red Hat
TZ=America/Indiana/Indianapolis

F39 proposal: Perl 5.38 (System-Wide Change proposal)

https://fedoraproject.org/wiki/Changes/perl5.38

This document represents a proposed Change. As part of the Changes
process, proposals are publicly announced in order to receive
community feedback. This proposal will only be implemented if approved
by the Fedora Engineering Steering Committee.

== Summary ==
A new ''perl 5.38'' version brings a lot of changes done over a year
of development. Perl 5.38 will be released on May 20th 2023. See
[https://metacpan.org/release/SHAY/perl-5.37.11/view/pod/perldelta.pod perldelta for 5.37.11]
for more details about the new release.

== Owner ==
* Name: [[User:Jplesnik| Jitka Plesníková]], [[User:Mspacek| Michal
Josef Špaček]]
* Email: <jplesnik@redhat.com>, <mspacek@redhat.com>


== Current status ==

=== Completed Items ===

=== Items in Progress ===

=== Items to Be Done ===

* Get dedicated build-root from rel-engs (''f39-perl'')
* Upstream to release Perl 5.38
* Define perl_bootstrap in perl-srpm-macros
* Rebase perl to 5.38.0
* Rebuild all dual-lived packages (83) - otherwise dnf recommends
--skip-broken and fails
* Rebuild packages needed for minimal build-root
* Rebuild packages needed for building source packages from git repository
* Rebuild packages requiring ''libperl.so'' or versioned
''perl(MODULE_COMPAT)'': Use Fedora::Rebuild dependency solver
* Undefine perl_bootstrap
* Rebuild packages having perl_bootstrap condition in spec file (XX packages)
* Rebuild all updated packages
* [https://jplesnik.fedorapeople.org/5.38/ Final lists of results]
* Merge dedicated build-root to rawhide and remove the dedicated one by rel-engs
* Synchronize packages upgraded in ''f39'' build root
* Rebuild Perl packages: 0 of 600 done (0 %)
* Failed packages (0):
* Rebuild Fedora modules: 0 of 0 (0 %)
* Create module perl:5.38 and rebuild dependencies

== Detailed Description ==
A new perl is released every year and updates containing mainly bug
fixes follow during the year. The 5.38.0 version is the stable release
this year.

== Benefit to Fedora ==

Up-to-date and latest perl release will be delivered to Fedora users.

== Scope ==
Every Perl package will be rebuilt in a dedicated ''f39-perl''
build-root against perl 5.38.0 and then if no major problem emerges
the packages will be merged back to ''f39'' build-root.

* Proposal owners: New perl and all packages requiring ''libperl.so''
or versioned ''perl(MODULE_COMPAT)'' will be rebuilt into ''f39-perl''
build-root.

* Other developers: Owners of packages that fail to rebuild, mainly
perl-sig users, will be asked using Bugzilla to fix or remove their
packages from the distribution.

* Release engineering: [https://pagure.io/releng/issues #Releng issue number]
Release engineers will be asked for a new ''f39-perl'' build-root
inheriting from the ''f39'' build-root. After successfully finishing the
rebuild, they will be asked to merge ''f39-perl'' packages back to the
''f39'' build-root.

* Policies and guidelines: N/A (not needed for this Change)

* Trademark approval: N/A (not needed for this Change)

* Alignment with Objectives:

== Upgrade/compatibility impact ==
The vast majority of functionality will be preserved. Only the packages
that failed to build against perl 5.38 will be removed from the
distribution. That will require removing those packages from
existing systems; otherwise a package manager will encounter
unsatisfied dependencies. Developers working in Perl are advised
to install the ''perl-doc'' and ''perl-debugger'' packages.

== How To Test ==
Try upgrading from Fedora 38 to 39. Try some Perl applications to
verify they work as expected. Try embedded perl in
[https://src.fedoraproject.org/rpms/openldap slapd] or
[https://src.fedoraproject.org/rpms/net-snmp snmpd].

== User Experience ==
There should not be any remarkable change in user experience, with the
exception that modules previously installed locally with a CPAN
client will need reinstallation.

== Dependencies ==
There are more than 3500 packages depending on perl. It is the first
rebuild where we will rebuild only all dual-lived packages and
packages which require ''libperl.so'' or versioned
''perl(MODULE_COMPAT)''. It means only about 600 packages need to
be rebuilt. Most of them are expected not to break. Finishing this change
can be endangered only by critical changes in a toolchain.
''noarch'' packages don't need to be rebuilt now.

== Contingency Plan ==
* Contingency mechanism: If we find perl 5.38 is not suitable for
Fedora 39, we will revert to perl 5.36 and drop the temporary
build-root with already rebuilt packages.
* Contingency deadline: branching Fedora 39 from Rawhide.
* Blocks release? No.

== Documentation ==
* 5.38.0 perldelta
* An announcement on perl-devel mailing list
* An announcement on fedora-devel mailing list

== Release Notes ==
TBD

--
Ben Cotton
He / Him / His
Fedora Program Manager
Red Hat
TZ=America/Indiana/Indianapolis

[USN-6038-1] Go vulnerabilities

==========================================================================
Ubuntu Security Notice USN-6038-1
April 25, 2023

golang-1.18 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in Go.

Software Description:
- golang-1.18: Go programming language compiler - metapackage

Details:

It was discovered that the Go net/http module incorrectly handled
Transfer-Encoding headers in the HTTP/1 client. A remote attacker could
possibly use this issue to perform an HTTP Request Smuggling attack.
(CVE-2022-1705)

It was discovered that Go did not properly manage memory under certain
circumstances. An attacker could possibly use this issue to cause a panic
resulting in a denial of service. (CVE-2022-1962, CVE-2022-27664,
CVE-2022-28131, CVE-2022-30630, CVE-2022-30631, CVE-2022-30632,
CVE-2022-30633, CVE-2022-30635, CVE-2022-32189, CVE-2022-41715,
CVE-2022-41717, CVE-2023-24534, CVE-2023-24537)

It was discovered that Go did not properly implement the maximum size of
file headers in Reader.Read. An attacker could possibly use this issue to
cause a panic resulting in a denial of service. (CVE-2022-2879)

It was discovered that the Go net/http module incorrectly handled query
parameters in requests forwarded by ReverseProxy. A remote attacker could
possibly use this issue to perform an HTTP Query Parameter Smuggling attack.
(CVE-2022-2880)

It was discovered that Go did not properly manage the permissions for the
Faccessat function. An attacker could possibly use this issue to expose
sensitive information. (CVE-2022-29526)

It was discovered that Go did not properly generate the values for
ticket_age_add in session tickets. An attacker could possibly use this
issue to observe TLS handshakes to correlate successive connections by
comparing ticket ages during session resumption. (CVE-2022-30629)

It was discovered that Go did not properly manage client IP addresses in
net/http. An attacker could possibly use this issue to cause ReverseProxy
to set the client IP as the value of the X-Forwarded-For header.
(CVE-2022-32148)

It was discovered that Go did not properly validate backticks (`) as
JavaScript string delimiters, and did not escape them as expected. An
attacker could possibly use this issue to inject arbitrary JavaScript code
into the Go template. (CVE-2023-24538)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS:
golang-1.18 1.18.1-1ubuntu1.1
golang-1.18-go 1.18.1-1ubuntu1.1
golang-1.18-src 1.18.1-1ubuntu1.1

Ubuntu 20.04 LTS:
golang-1.18 1.18.1-1ubuntu1~20.04.2
golang-1.18-go 1.18.1-1ubuntu1~20.04.2
golang-1.18-src 1.18.1-1ubuntu1~20.04.2

Ubuntu 18.04 LTS:
golang-1.18 1.18.1-1ubuntu1~18.04.4
golang-1.18-go 1.18.1-1ubuntu1~18.04.4
golang-1.18-src 1.18.1-1ubuntu1~18.04.4

In general, a standard system update will make all the necessary changes.
You still need to update all the packages built with the affected version.

References:
https://ubuntu.com/security/notices/USN-6038-1
CVE-2022-1705, CVE-2022-1962, CVE-2022-27664, CVE-2022-28131,
CVE-2022-2879, CVE-2022-2880, CVE-2022-29526, CVE-2022-30629,
CVE-2022-30630, CVE-2022-30631, CVE-2022-30632, CVE-2022-30633,
CVE-2022-30635, CVE-2022-32148, CVE-2022-32189, CVE-2022-41715,
CVE-2022-41717, CVE-2023-24534, CVE-2023-24537, CVE-2023-24538

Package Information:
https://launchpad.net/ubuntu/+source/golang-1.18/1.18.1-1ubuntu1.1
https://launchpad.net/ubuntu/+source/golang-1.18/1.18.1-1ubuntu1~20.04.2
https://launchpad.net/ubuntu/+source/golang-1.18/1.18.1-1ubuntu1~18.04.4

[USN-6040-1] Linux kernel (HWE) vulnerabilities

==========================================================================
Ubuntu Security Notice USN-6040-1
April 25, 2023

linux-hwe-5.15 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux-hwe-5.15: Linux hardware enablement (HWE) kernel

Details:

It was discovered that the Traffic-Control Index (TCINDEX) implementation
in the Linux kernel contained a use-after-free vulnerability. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2023-1281)

It was discovered that the OverlayFS implementation in the Linux kernel did
not properly handle copy up operation in some conditions. A local attacker
could possibly use this to gain elevated privileges. (CVE-2023-0386)

Haowei Yan discovered that a race condition existed in the Layer 2
Tunneling Protocol (L2TP) implementation in the Linux kernel. A local
attacker could possibly use this to cause a denial of service (system
crash). (CVE-2022-4129)

It was discovered that the network queuing discipline implementation in the
Linux kernel contained a null pointer dereference in some situations. A
local attacker could use this to cause a denial of service (system crash).
(CVE-2022-47929)

It was discovered that the NTFS file system implementation in the Linux
kernel contained a null pointer dereference in some situations. A local
attacker could use this to cause a denial of service (system crash).
(CVE-2022-4842)

Kyle Zeng discovered that the IPv6 implementation in the Linux kernel
contained a NULL pointer dereference vulnerability in certain situations. A
local attacker could use this to cause a denial of service (system crash).
(CVE-2023-0394)

It was discovered that the Human Interface Device (HID) support driver in
the Linux kernel contained a type confusion vulnerability in some
situations. A local attacker could use this to cause a denial of service
(system crash). (CVE-2023-1073)

It was discovered that a memory leak existed in the SCTP protocol
implementation in the Linux kernel. A local attacker could use this to
cause a denial of service (memory exhaustion). (CVE-2023-1074)

It was discovered that the NFS implementation in the Linux kernel did not
properly handle pending tasks in some situations. A local attacker could
use this to cause a denial of service (system crash) or expose sensitive
information (kernel memory). (CVE-2023-1652)

Lianhui Tang discovered that the MPLS implementation in the Linux kernel
did not properly handle certain sysctl allocation failure conditions,
leading to a double-free vulnerability. An attacker could use this to cause
a denial of service or possibly execute arbitrary code. (CVE-2023-26545)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS:
linux-image-5.15.0-70-generic 5.15.0-70.77~20.04.1
linux-image-5.15.0-70-generic-64k 5.15.0-70.77~20.04.1
linux-image-5.15.0-70-generic-lpae 5.15.0-70.77~20.04.1
linux-image-generic-64k-hwe-20.04 5.15.0.70.77~20.04.31
linux-image-generic-hwe-20.04 5.15.0.70.77~20.04.31
linux-image-generic-lpae-hwe-20.04 5.15.0.70.77~20.04.31
linux-image-oem-20.04 5.15.0.70.77~20.04.31
linux-image-oem-20.04b 5.15.0.70.77~20.04.31
linux-image-oem-20.04c 5.15.0.70.77~20.04.31
linux-image-oem-20.04d 5.15.0.70.77~20.04.31
linux-image-virtual-hwe-20.04 5.15.0.70.77~20.04.31

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://ubuntu.com/security/notices/USN-6040-1
CVE-2022-4129, CVE-2022-47929, CVE-2022-4842, CVE-2023-0386,
CVE-2023-0394, CVE-2023-1073, CVE-2023-1074, CVE-2023-1281,
CVE-2023-1652, CVE-2023-26545

Package Information:
https://launchpad.net/ubuntu/+source/linux-hwe-5.15/5.15.0-70.77~20.04.1

Monday, April 24, 2023

[CentOS-announce] CESA-2023:1791 Important CentOS 7 firefox Security Update

CentOS Errata and Security Advisory 2023:1791 Important

Upstream details at : https://access.redhat.com/errata/RHSA-2023:1791

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

x86_64:
58a5f6025a63f07b9dc9793ec13c58029a3502315d1bb29d4c7015091c9e8dbe firefox-102.10.0-1.el7.centos.i686.rpm
a4124d55ffe94d6e2682cb82eb1191d84b8b271f2950a8cbf86be4ade606a768 firefox-102.10.0-1.el7.centos.x86_64.rpm

Source:
32ac8fa502bc25dafbb8360c60b031c2b82c92dcaf1dfd1b0cb5a40ae775b6d4 firefox-102.10.0-1.el7.centos.src.rpm



--
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@libera.chat
Twitter: @JohnnyCentOS

_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
https://lists.centos.org/mailman/listinfo/centos-announce

F39 proposal: BiggerESP (Self-Contained Change proposal)

https://fedoraproject.org/wiki/Changes/BiggerESP

This document represents a proposed Change. As part of the Changes
process, proposals are publicly announced in order to receive
community feedback. This proposal will only be implemented if approved
by the Fedora Engineering Steering Committee.

== Summary ==

The Fedora installer includes an EFI System Partition of between 200MB
and 600MB by default, of which the lower size is much too small for
firmware updates on modern hardware and also for future bootloader
features like UKI.
This change will increase the minimum size of the ESP to be 500MB,
which is also the same value used by Microsoft for Windows 10 and
newer.

== Owner ==
* Name: [[User:rhughes| Richard Hughes]]
* Email: richard@hughsie.com


== Detailed Description ==

Modern hardware has UEFI firmware updates that are more than 64MB in
size. The OEMs recommend an ESP free space of double the flash size
plus 20MB, and fwupd now enforces this requirement to ensure flash
success. As the ESP is often shared between Windows and Linux, and
also used for firmware updates, and soon to be used by UKIs, it's not
enough to just allocate a few hundred megabytes. Windows 10 and 11
allocate an ESP of at least 500MiB. Arch also specifies a minimum of
512 MiB.

== Feedback ==

There is no alternative -- the ESP has to scale up if we want firmware
updates to continue to work and to support UKIs for next-generation
bootloaders.

== Benefit to Fedora ==

Firmware updates will work on future hardware, and we can boot the
kernel using UKIs using next-generation bootloaders.

== Scope ==
* Proposal owners:

We need to change a number in Anaconda:
https://github.com/rhinstaller/anaconda/pull/4711

== Upgrade/compatibility impact ==

We can't grow the ESP in size, and so this change will only affect new
installs. This is fine, as this will affect new hardware more than old
hardware.

== How To Test ==

Install Fedora and observe that /boot/efi has at least 276MB free
space, even when installed alongside Windows.

== Dependencies ==

Anaconda would need to be modified, and Fedora would have a / or /home
partition that's ~300MB smaller by default than it is now.

== Contingency Plan ==

* Contingency mechanism: (What to do? Who will do it?) N/A (not a
System Wide Change)
* Contingency deadline: N/A (not a System Wide Change)
* Blocks release? N/A (not a System Wide Change), No

== Documentation ==

N/A (not a System Wide Change)

== Release Notes ==

Fedora now defaults to a larger EFI System Partition which allows
firmware updates to work on newer hardware, and allows future
bootloader and kernel modernizations.


--
Ben Cotton
He / Him / His
Fedora Program Manager
Red Hat
TZ=America/Indiana/Indianapolis