Today, on 2018-Mar-06, we reach two important milestones of the Fedora
28 release [1]:
== Change Checkpoint: 100% Code Complete Deadline [2] ==
* New accepted changes must be code complete, meaning all the code
required to enable a new Change is finished.
* The level of code completeness is reflected in tracker bug as state
"ON_QA". The change does not have to be fully tested by this deadline.
== Beta Freeze [3] ==
Only packages fixing a bug approved as Accepted Blocker or Freeze
Exception [4] will be marked as 'stable' and included in Beta
composes. Other builds will remain in updates-testing until the Beta
release is approved, at which point the Beta Freeze is lifted and
packages can move to 'stable' as usual until the Final Freeze.
[1] https://fedoraproject.org/wiki/Releases/28/Schedule
[2] https://fedoraproject.org/wiki/Changes/Policy
[3] https://fedoraproject.org/wiki/Milestone_freezes
[4] https://qa.fedoraproject.org/blockerbugs/milestone/28/beta/buglist
Regards,
Jan
--
Jan Kuřík
Platform & Fedora Program Manager
Red Hat Czech s.r.o., Purkynova 99/71, 612 45 Brno, Czech Republic
_______________________________________________
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org
Tuesday, March 6, 2018
[USN-3585-1] Twisted vulnerability
==========================================================================
Ubuntu Security Notice USN-3585-1
March 05, 2018
twisted vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
Twisted could be made to run programs if it received specially crafted
network traffic.
Software Description:
- twisted: Event-based framework for internet applications
Details:
It was discovered that Twisted incorrectly handled certain HTTP
requests. An attacker could possibly use this issue to execute
arbitrary code.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 LTS:
python-twisted 16.0.0-1ubuntu0.2
python-twisted-bin 16.0.0-1ubuntu0.2
python-twisted-web 16.0.0-1ubuntu0.2
python3-twisted 16.0.0-1ubuntu0.2
Ubuntu 14.04 LTS:
python-twisted 13.2.0-1ubuntu1.2
python-twisted-bin 13.2.0-1ubuntu1.2
python-twisted-web 13.2.0-1ubuntu1.2
In general, a standard system update will make all the necessary
changes.
References:
https://usn.ubuntu.com/usn/usn-3585-1
CVE-2016-1000111
Package Information:
https://launchpad.net/ubuntu/+source/twisted/16.0.0-1ubuntu0.2
https://launchpad.net/ubuntu/+source/twisted/13.2.0-1ubuntu1.2
Ubuntu Security Notice USN-3585-1
March 05, 2018
twisted vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
Twisted could be made to run programs if it received specially crafted
network traffic.
Software Description:
- twisted: Event-based framework for internet applications
Details:
It was discovered that Twisted incorrectly handled certain HTTP
requests. An attacker could possibly use this issue to execute
arbitrary code.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 LTS:
python-twisted 16.0.0-1ubuntu0.2
python-twisted-bin 16.0.0-1ubuntu0.2
python-twisted-web 16.0.0-1ubuntu0.2
python3-twisted 16.0.0-1ubuntu0.2
Ubuntu 14.04 LTS:
python-twisted 13.2.0-1ubuntu1.2
python-twisted-bin 13.2.0-1ubuntu1.2
python-twisted-web 13.2.0-1ubuntu1.2
In general, a standard system update will make all the necessary
changes.
References:
https://usn.ubuntu.com/usn/usn-3585-1
CVE-2016-1000111
Package Information:
https://launchpad.net/ubuntu/+source/twisted/16.0.0-1ubuntu0.2
https://launchpad.net/ubuntu/+source/twisted/13.2.0-1ubuntu1.2
Monday, March 5, 2018
Fedora 28 Bodhi Activation Point
Hi all,
Today's an important day on the Fedora 28 schedule[1], with several significant cut-offs. First of all today is the Bodhi activation point [2]. That means that from now all Fedora 28 packages must be submitted to updates-testing and pass the relevant requirements[3] before they will be marked as 'stable' and moved to the fedora repository.
Today is also the Software String freeze[4], which means that strings marked for translation in Fedora-translated projects should not now be changed for Fedora 28.
Finally, today is the 'completion deadline' Change Checkpoint[5], meaning that Fedora 28 Changes must now be 'feature complete or close enough to completion that a majority of its functionality can be tested'.
Regards
Release Engineering.
[USN-3588-1] Memcached vulnerabilities
==========================================================================
Ubuntu Security Notice USN-3588-1
March 05, 2018
memcached vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 17.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in Memcached.
Software Description:
- memcached: high-performance memory object caching system
Details:
Daniel Shapira discovered an integer overflow issue in Memcached. A remote
attacker could use this to cause a denial of service (daemon crash).
(CVE-2017-9951)
It was discovered that Memcached listened to UDP by default. A remote
attacker could use this as part of a distributed denial of service attack.
(CVE-2018-1000115)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 17.10:
memcached 1.4.33-1ubuntu3.2
Ubuntu 16.04 LTS:
memcached 1.4.25-2ubuntu1.3
Ubuntu 14.04 LTS:
memcached 1.4.14-0ubuntu9.2
In general, a standard system update will make all the necessary changes.
Please note that after applying this update, Memcached will no longer
listen to UDP by default. If UDP service is desired, please add
'-U 11211' to /etc/memcached.conf and restart the memcached service.
References:
https://usn.ubuntu.com/usn/usn-3588-1
CVE-2017-9951, CVE-2018-1000115
Package Information:
https://launchpad.net/ubuntu/+source/memcached/1.4.33-1ubuntu3.2
https://launchpad.net/ubuntu/+source/memcached/1.4.25-2ubuntu1.3
https://launchpad.net/ubuntu/+source/memcached/1.4.14-0ubuntu9.2
Ubuntu Security Notice USN-3588-1
March 05, 2018
memcached vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 17.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in Memcached.
Software Description:
- memcached: high-performance memory object caching system
Details:
Daniel Shapira discovered an integer overflow issue in Memcached. A remote
attacker could use this to cause a denial of service (daemon crash).
(CVE-2017-9951)
It was discovered that Memcached listened to UDP by default. A remote
attacker could use this as part of a distributed denial of service attack.
(CVE-2018-1000115)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 17.10:
memcached 1.4.33-1ubuntu3.2
Ubuntu 16.04 LTS:
memcached 1.4.25-2ubuntu1.3
Ubuntu 14.04 LTS:
memcached 1.4.14-0ubuntu9.2
In general, a standard system update will make all the necessary changes.
Please note that after applying this update, Memcached will no longer
listen to UDP by default. If UDP service is desired, please add
'-U 11211' to /etc/memcached.conf and restart the memcached service.
References:
https://usn.ubuntu.com/usn/usn-3588-1
CVE-2017-9951, CVE-2018-1000115
Package Information:
https://launchpad.net/ubuntu/+source/memcached/1.4.33-1ubuntu3.2
https://launchpad.net/ubuntu/+source/memcached/1.4.25-2ubuntu1.3
https://launchpad.net/ubuntu/+source/memcached/1.4.14-0ubuntu9.2
[USN-3587-1] Dovecot vulnerabilities
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJanUFLAAoJEGVp2FWnRL6TakcP/2aWIfPN35WFXyCD651nu/7I
CV0mHtq9vYhQkXUvo+c4VuJ2/SOTi0hymguQ7R/TPHof0ys0s8cfRtFZQWeCe/Rk
GTg5w9EhvBYfMRLArLVFWrtgDm92g7A1olsdyJL8LemsfJlmqZ6OM3YGjgAkcA4L
0+GlcxixbuaHU5vJR5v06B/UF36kcpsdX5GaKwQLIc1pCX2kWmxFPI2LtzViFpTv
/82q3KvFDeZM1axBrc2wBA5ElW2kpTnL9wzqGsnqyXOOWX+xyQJyHdJZlTE/9pWr
xqU/axUfQO15ZBvC0KU0vWX+by0v47POSCOPWgdEC4KKGZFvRbQihtSTgaRAvmBg
+YEpryEza42dItSDAYNbrq9D4XWQrpGyPyILQOzYz6YBGUaHO9R/3Brlx9xKjGG6
ZWCEuHsP56JkuYx6RCzuME4P4OzYRf/qnIS4wLZJxe9kAMV54FkVub6TOnzB4gP/
xfq6etJi5RqgTUedJatb3m+ZDVLuGhbysnIWbzc/1iUgHaVJne6QqZg/joS5qFhA
roeBKpGm9nzSXcAnQg/o5M55n5LA5qjEgUzShRC2ZOudKlxiNa9V4SsFhqo5R877
z6befVuk/f94MhacXyE153AQCr49ypyGDVTsS6J+nvkzF2/MkUfDjwKWxFdXNLLH
DTPqa/RAT6BiUfv5ih5i
=Kwvo
-----END PGP SIGNATURE-----
==========================================================================
Ubuntu Security Notice USN-3587-1
March 05, 2018
dovecot vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 17.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in Dovecot.
Software Description:
- dovecot: IMAP and POP3 email server
Details:
It was discovered that Dovecot incorrectly handled parsing certain email
addresses. A remote attacker could use this issue to cause Dovecot to
crash, resulting in a denial of service, or possibly obtain sensitive
information. (CVE-2017-14461)
It was discovered that Dovecot incorrectly handled TLS SNI config lookups.
A remote attacker could possibly use this issue to cause Dovecot to crash,
resulting in a denial of service. (CVE-2017-15130)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 17.10:
dovecot-core 1:2.2.27-3ubuntu1.3
Ubuntu 16.04 LTS:
dovecot-core 1:2.2.22-1ubuntu2.7
Ubuntu 14.04 LTS:
dovecot-core 1:2.2.9-1ubuntu2.4
In general, a standard system update will make all the necessary changes.
References:
https://usn.ubuntu.com/usn/usn-3587-1
CVE-2017-14461, CVE-2017-15130
Package Information:
https://launchpad.net/ubuntu/+source/dovecot/1:2.2.27-3ubuntu1.3
https://launchpad.net/ubuntu/+source/dovecot/1:2.2.22-1ubuntu2.7
https://launchpad.net/ubuntu/+source/dovecot/1:2.2.9-1ubuntu2.4
iQIcBAEBCgAGBQJanUFLAAoJEGVp2FWnRL6TakcP/2aWIfPN35WFXyCD651nu/7I
CV0mHtq9vYhQkXUvo+c4VuJ2/SOTi0hymguQ7R/TPHof0ys0s8cfRtFZQWeCe/Rk
GTg5w9EhvBYfMRLArLVFWrtgDm92g7A1olsdyJL8LemsfJlmqZ6OM3YGjgAkcA4L
0+GlcxixbuaHU5vJR5v06B/UF36kcpsdX5GaKwQLIc1pCX2kWmxFPI2LtzViFpTv
/82q3KvFDeZM1axBrc2wBA5ElW2kpTnL9wzqGsnqyXOOWX+xyQJyHdJZlTE/9pWr
xqU/axUfQO15ZBvC0KU0vWX+by0v47POSCOPWgdEC4KKGZFvRbQihtSTgaRAvmBg
+YEpryEza42dItSDAYNbrq9D4XWQrpGyPyILQOzYz6YBGUaHO9R/3Brlx9xKjGG6
ZWCEuHsP56JkuYx6RCzuME4P4OzYRf/qnIS4wLZJxe9kAMV54FkVub6TOnzB4gP/
xfq6etJi5RqgTUedJatb3m+ZDVLuGhbysnIWbzc/1iUgHaVJne6QqZg/joS5qFhA
roeBKpGm9nzSXcAnQg/o5M55n5LA5qjEgUzShRC2ZOudKlxiNa9V4SsFhqo5R877
z6befVuk/f94MhacXyE153AQCr49ypyGDVTsS6J+nvkzF2/MkUfDjwKWxFdXNLLH
DTPqa/RAT6BiUfv5ih5i
=Kwvo
-----END PGP SIGNATURE-----
==========================================================================
Ubuntu Security Notice USN-3587-1
March 05, 2018
dovecot vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 17.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in Dovecot.
Software Description:
- dovecot: IMAP and POP3 email server
Details:
It was discovered that Dovecot incorrectly handled parsing certain email
addresses. A remote attacker could use this issue to cause Dovecot to
crash, resulting in a denial of service, or possibly obtain sensitive
information. (CVE-2017-14461)
It was discovered that Dovecot incorrectly handled TLS SNI config lookups.
A remote attacker could possibly use this issue to cause Dovecot to crash,
resulting in a denial of service. (CVE-2017-15130)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 17.10:
dovecot-core 1:2.2.27-3ubuntu1.3
Ubuntu 16.04 LTS:
dovecot-core 1:2.2.22-1ubuntu2.7
Ubuntu 14.04 LTS:
dovecot-core 1:2.2.9-1ubuntu2.4
In general, a standard system update will make all the necessary changes.
References:
https://usn.ubuntu.com/usn/usn-3587-1
CVE-2017-14461, CVE-2017-15130
Package Information:
https://launchpad.net/ubuntu/+source/dovecot/1:2.2.27-3ubuntu1.3
https://launchpad.net/ubuntu/+source/dovecot/1:2.2.22-1ubuntu2.7
https://launchpad.net/ubuntu/+source/dovecot/1:2.2.9-1ubuntu2.4
[USN-3575-2] QEMU regression
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJanSTLAAoJEGVp2FWnRL6TZDcP/0vrAB1A/ihVPiEy9OzT7CZb
7gFP7HwwMGh0s+B2j7Bb2qWT96B0eZ1nJIUt+IxJx7WpgQi0bVX89p+7ekCVf3v7
icaNua3qHHtyEOqKz84G/rfo2C3Huk2OBfOKRb7ZU8irnmwupOq6JTw7KByv9fe5
M1sNBKW8G3+eUunz8I9GKK6DjZe6jFmiUaZmWeuS1YB7wisG8JOm3YU3zaeOIkoV
bhsV0u5HrhDnr9gKJJt1yMqe0sL6m4rDXoj4KR28BimBiYNPC2q5PqKJxlXFtbF9
5uj/Mxo2Om0urs/RPnkw5r1B/34cYo1bZ+xjC99S1FGtMUAzdOpGACXiDbQ2ggln
dWDJ9IVdfJKdiy1x6X3oHwX4PvNrPKqtWOwAUg4xiLkJaqZJuBxLK14nfR9VQafE
YS17wbdfuKhkPaK4/7YjUPQxw/9rKm8ACMvlpjlz6VQGObzilQDMXvDBymkhxU+2
JA/Q+n12naQCFM1YfThlQHq4pg52JSytOgzYwrvvAJIFI4sQgCd08jo0X9GfBqOG
5lmnkOGvU4iaha9l/Pux39M4uxFACgqo+pdei/RMwKeTMUsQAn/8SffL24asBdkH
eHw5EbisUgBhtXoiOLH0Xn7JLkDM1QAA7pY61ch4x/qxvLCA8Vl43CDOqNw+nJnX
KvdbGNOUVyvbeQ7d+Lmi
=jHfF
-----END PGP SIGNATURE-----
==========================================================================
Ubuntu Security Notice USN-3575-2
March 05, 2018
qemu regression
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
USN-3575-1 introduced a regression in QEMU.
Software Description:
- qemu: Machine emulator and virtualizer
Details:
USN-3575-1 fixed vulnerabilities in QEMU. The fix for CVE-2017-11334 caused
a regression in Xen environments. This update removes the problematic fix
pending further investigation.
We apologize for the inconvenience.
Original advisory details:
It was discovered that QEMU incorrectly handled guest ram. A privileged
attacker inside the guest could use this issue to cause QEMU to crash,
resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS
and Ubuntu 16.04 LTS. (CVE-2017-11334)
David Buchanan discovered that QEMU incorrectly handled the VGA device. A
privileged attacker inside the guest could use this issue to cause QEMU to
crash, resulting in a denial of service. This issue was only addressed in
Ubuntu 17.10. (CVE-2017-13672)
Thomas Garnier discovered that QEMU incorrectly handled multiboot. An
attacker could use this issue to cause QEMU to crash, resulting in a denial
of service, or possibly execute arbitrary code on the host. In the default
installation, when QEMU is used with libvirt, attackers would be isolated
by the libvirt AppArmor profile. This issue only affected Ubuntu 14.04 LTS
and Ubuntu 16.04 LTS. (CVE-2017-14167)
Tuomas Tynkkynen discovered that QEMU incorrectly handled VirtFS directory
sharing. An attacker could use this issue to obtain sensitive information
from host memory. (CVE-2017-15038)
Eric Blake discovered that QEMU incorrectly handled memory in the
NBD server. An attacker could use this issue to cause the NBD server to
crash, resulting in a denial of service. This issue only affected Ubuntu
17.10. (CVE-2017-15118)
Eric Blake discovered that QEMU incorrectly handled certain options to the
NBD server. An attacker could use this issue to cause the NBD server to
crash, resulting in a denial of service. This issue only affected Ubuntu
14.04 LTS and Ubuntu 16.04 LTS. (CVE-2017-15119)
Daniel Berrange discovered that QEMU incorrectly handled the VNC server. A
remote attacker could possibly use this issue to consume memory, resulting
in a denial of service. This issue was only addressed in Ubuntu 17.10.
(CVE-2017-15124)
Carl Brassey discovered that QEMU incorrectly handled certain websockets. A
remote attacker could possibly use this issue to consume memory, resulting
in a denial of service. This issue only affected Ubuntu 17.10.
(CVE-2017-15268)
Guoxiang Niu discovered that QEMU incorrectly handled the Cirrus VGA
device. A privileged attacker inside the guest could use this issue to
cause QEMU to crash, resulting in a denial of service. (CVE-2017-15289)
Cyrille Chatras discovered that QEMU incorrectly handled certain PS2 values
during migration. An attacker could possibly use this issue to cause QEMU
to crash, resulting in a denial of service, or possibly execute arbitrary
code. This issue only affected Ubuntu 16.04 LTS and Ubuntu 17.10.
(CVE-2017-16845)
It was discovered that QEMU incorrectly handled the Virtio Vring
implementation. An attacker could possibly use this issue to cause QEMU to
crash, resulting in a denial of service. This issue only affected Ubuntu
16.04 LTS and Ubuntu 17.10. (CVE-2017-17381)
Eric Blake discovered that QEMU incorrectly handled certain rounding
operations. An attacker could possibly use this issue to cause QEMU to
crash, resulting in a denial of service. This issue only affected Ubuntu
14.04 LTS and Ubuntu 16.04 LTS. (CVE-2017-18043)
Jiang Xin and Lin ZheCheng discovered that QEMU incorrectly handled the
VGA device. A privileged attacker inside the guest could use this issue to
cause QEMU to crash, resulting in a denial of service. (CVE-2018-5683)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 LTS:
qemu 1:2.5+dfsg-5ubuntu10.24
Ubuntu 14.04 LTS:
qemu 2.0.0+dfsg-2ubuntu1.40
After a standard system update you need to restart all QEMU virtual
machines to make all the necessary changes.
References:
https://usn.ubuntu.com/usn/usn-3575-2
https://usn.ubuntu.com/usn/usn-3575-1
https://launchpad.net/bugs/1752761
Package Information:
https://launchpad.net/ubuntu/+source/qemu/1:2.5+dfsg-5ubuntu10.24
https://launchpad.net/ubuntu/+source/qemu/2.0.0+dfsg-2ubuntu1.40
iQIcBAEBCgAGBQJanSTLAAoJEGVp2FWnRL6TZDcP/0vrAB1A/ihVPiEy9OzT7CZb
7gFP7HwwMGh0s+B2j7Bb2qWT96B0eZ1nJIUt+IxJx7WpgQi0bVX89p+7ekCVf3v7
icaNua3qHHtyEOqKz84G/rfo2C3Huk2OBfOKRb7ZU8irnmwupOq6JTw7KByv9fe5
M1sNBKW8G3+eUunz8I9GKK6DjZe6jFmiUaZmWeuS1YB7wisG8JOm3YU3zaeOIkoV
bhsV0u5HrhDnr9gKJJt1yMqe0sL6m4rDXoj4KR28BimBiYNPC2q5PqKJxlXFtbF9
5uj/Mxo2Om0urs/RPnkw5r1B/34cYo1bZ+xjC99S1FGtMUAzdOpGACXiDbQ2ggln
dWDJ9IVdfJKdiy1x6X3oHwX4PvNrPKqtWOwAUg4xiLkJaqZJuBxLK14nfR9VQafE
YS17wbdfuKhkPaK4/7YjUPQxw/9rKm8ACMvlpjlz6VQGObzilQDMXvDBymkhxU+2
JA/Q+n12naQCFM1YfThlQHq4pg52JSytOgzYwrvvAJIFI4sQgCd08jo0X9GfBqOG
5lmnkOGvU4iaha9l/Pux39M4uxFACgqo+pdei/RMwKeTMUsQAn/8SffL24asBdkH
eHw5EbisUgBhtXoiOLH0Xn7JLkDM1QAA7pY61ch4x/qxvLCA8Vl43CDOqNw+nJnX
KvdbGNOUVyvbeQ7d+Lmi
=jHfF
-----END PGP SIGNATURE-----
==========================================================================
Ubuntu Security Notice USN-3575-2
March 05, 2018
qemu regression
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
USN-3575-1 introduced a regression in QEMU.
Software Description:
- qemu: Machine emulator and virtualizer
Details:
USN-3575-1 fixed vulnerabilities in QEMU. The fix for CVE-2017-11334 caused
a regression in Xen environments. This update removes the problematic fix
pending further investigation.
We apologize for the inconvenience.
Original advisory details:
It was discovered that QEMU incorrectly handled guest ram. A privileged
attacker inside the guest could use this issue to cause QEMU to crash,
resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS
and Ubuntu 16.04 LTS. (CVE-2017-11334)
David Buchanan discovered that QEMU incorrectly handled the VGA device. A
privileged attacker inside the guest could use this issue to cause QEMU to
crash, resulting in a denial of service. This issue was only addressed in
Ubuntu 17.10. (CVE-2017-13672)
Thomas Garnier discovered that QEMU incorrectly handled multiboot. An
attacker could use this issue to cause QEMU to crash, resulting in a denial
of service, or possibly execute arbitrary code on the host. In the default
installation, when QEMU is used with libvirt, attackers would be isolated
by the libvirt AppArmor profile. This issue only affected Ubuntu 14.04 LTS
and Ubuntu 16.04 LTS. (CVE-2017-14167)
Tuomas Tynkkynen discovered that QEMU incorrectly handled VirtFS directory
sharing. An attacker could use this issue to obtain sensitive information
from host memory. (CVE-2017-15038)
Eric Blake discovered that QEMU incorrectly handled memory in the
NBD server. An attacker could use this issue to cause the NBD server to
crash, resulting in a denial of service. This issue only affected Ubuntu
17.10. (CVE-2017-15118)
Eric Blake discovered that QEMU incorrectly handled certain options to the
NBD server. An attacker could use this issue to cause the NBD server to
crash, resulting in a denial of service. This issue only affected Ubuntu
14.04 LTS and Ubuntu 16.04 LTS. (CVE-2017-15119)
Daniel Berrange discovered that QEMU incorrectly handled the VNC server. A
remote attacker could possibly use this issue to consume memory, resulting
in a denial of service. This issue was only addressed in Ubuntu 17.10.
(CVE-2017-15124)
Carl Brassey discovered that QEMU incorrectly handled certain websockets. A
remote attacker could possibly use this issue to consume memory, resulting
in a denial of service. This issue only affected Ubuntu 17.10.
(CVE-2017-15268)
Guoxiang Niu discovered that QEMU incorrectly handled the Cirrus VGA
device. A privileged attacker inside the guest could use this issue to
cause QEMU to crash, resulting in a denial of service. (CVE-2017-15289)
Cyrille Chatras discovered that QEMU incorrectly handled certain PS2 values
during migration. An attacker could possibly use this issue to cause QEMU
to crash, resulting in a denial of service, or possibly execute arbitrary
code. This issue only affected Ubuntu 16.04 LTS and Ubuntu 17.10.
(CVE-2017-16845)
It was discovered that QEMU incorrectly handled the Virtio Vring
implementation. An attacker could possibly use this issue to cause QEMU to
crash, resulting in a denial of service. This issue only affected Ubuntu
16.04 LTS and Ubuntu 17.10. (CVE-2017-17381)
Eric Blake discovered that QEMU incorrectly handled certain rounding
operations. An attacker could possibly use this issue to cause QEMU to
crash, resulting in a denial of service. This issue only affected Ubuntu
14.04 LTS and Ubuntu 16.04 LTS. (CVE-2017-18043)
Jiang Xin and Lin ZheCheng discovered that QEMU incorrectly handled the
VGA device. A privileged attacker inside the guest could use this issue to
cause QEMU to crash, resulting in a denial of service. (CVE-2018-5683)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 LTS:
qemu 1:2.5+dfsg-5ubuntu10.24
Ubuntu 14.04 LTS:
qemu 2.0.0+dfsg-2ubuntu1.40
After a standard system update you need to restart all QEMU virtual
machines to make all the necessary changes.
References:
https://usn.ubuntu.com/usn/usn-3575-2
https://usn.ubuntu.com/usn/usn-3575-1
https://launchpad.net/bugs/1752761
Package Information:
https://launchpad.net/ubuntu/+source/qemu/1:2.5+dfsg-5ubuntu10.24
https://launchpad.net/ubuntu/+source/qemu/2.0.0+dfsg-2ubuntu1.40
Friday, March 2, 2018
[lfs-announce] LFS and BLFS Version 8.2 are released
The Linux From Scratch community is pleased to announce the release of LFS
Version 8.2, LFS Version 8.2 (systemd), BLFS Version 8.2, and BLFS Version
8.2 (systemd).
Version 8.2, LFS Version 8.2 (systemd), BLFS Version 8.2, and BLFS Version
8.2 (systemd).
This release is a major update to both LFS and BLFS.
The LFS release includes updates to glibc-2.27, binutils-2.30, and
gcc-7.3.0. In addition five new packages have been moved to the base LFS
book from BLFS: libffi, openssl, Python3, ninja, and meson. Changes to
text have been made throughout the book. The Linux kernel has also been
updated to version 4.15.3.
The BLFS version includes approximately 900 packages beyond the base Linux
From Scratch Version 8.2 book. This release has 813 updates from the
previous version in addition to numerous text and formatting changes.
Thanks for this release goes to many contributors. Notably:
DJ Lucas
Pierre Labastie
Ken Moffat
Thomas Trepl
You can read the books online[0]-[3], or download[4]-[7] to read locally.
Please direct any comments about this release to the LFS development
team at lfs-dev@linuxfromscratch.org or blfs-dev@linuxfromscratch.org.
Registration for the mailing lists is required to avoid junk email.
-- Bruce Dubbs
LFS
[0] http://www.linuxfromscratch.org/lfs/view/8.2/
[1] http://www.linuxfromscratch.org/blfs/view/8.2/
[2] http://www.linuxfromscratch.org/lfs/view/8.2-systemd/
[3] http://www.linuxfromscratch.org/blfs/view/8.2-systemd/
[4] http://www.linuxfromscratch.org/lfs/downloads/8.2/
[5] http://www.linuxfromscratch.org/blfs/downloads/8.2/
[6] http://www.linuxfromscratch.org/lfs/downloads/8.2-systemd/
[7] http://www.linuxfromscratch.org/blfs/downloads/8.2-systemd/
--
http://lists.linuxfromscratch.org/listinfo/lfs-announce
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
Thursday, March 1, 2018
Ubuntu 16.04.4 LTS released
The Ubuntu team is pleased to announce the release of Ubuntu 16.04.4 LTS
(Long-Term Support) for its Desktop, Server, and Cloud products, as well
as other flavours of Ubuntu with long-term support.
(Long-Term Support) for its Desktop, Server, and Cloud products, as well
as other flavours of Ubuntu with long-term support.
Like previous LTS series', 16.04.4 includes hardware enablement stacks
for use on newer hardware. This support is offered on all architectures
except for 32-bit powerpc, and is installed by default when using one of
the desktop images. Ubuntu Server defaults to installing the GA kernel,
however you may select the HWE kernel from the installer bootloader.
As usual, this point release includes many updates, and updated
installation media has been provided so that fewer updates will need to
be downloaded after installation. These include security updates and
corrections for other high-impact bugs, with a focus on maintaining
stability and compatibility with Ubuntu 16.04 LTS.
Kubuntu 16.04.4 LTS, Xubuntu 16.04.4 LTS, Mythbuntu 16.04.4 LTS,
Ubuntu GNOME 16.04.4 LTS, Lubuntu 16.04.4 LTS, Ubuntu Kylin 16.04.4 LTS,
Ubuntu MATE 16.04.4 LTS and Ubuntu Studio 16.04.4 LTS are also now
available. More details can be found in their individual release notes:
https://wiki.ubuntu.com/XenialXerus/ReleaseNotes#Official_flavours
Maintenance updates will be provided for 5 years for Ubuntu Desktop,
Ubuntu Server, Ubuntu Cloud, Ubuntu Base, and Ubuntu Kylin. All the
remaining flavours will be supported for 3 years.
To get Ubuntu 16.04.4
---------------------
In order to download Ubuntu 16.04.4, visit:
http://www.ubuntu.com/download
Users of Ubuntu 14.04 will be offered an automatic upgrade to
16.04.4 via Update Manager. For further information about upgrading,
see:
https://help.ubuntu.com/community/XenialUpgrades
As always, upgrades to the latest version of Ubuntu are entirely free of
charge.
We recommend that all users read the 16.04.4 release notes, which
document caveats and workarounds for known issues, as well as more
in-depth notes on the release itself. They are available at:
https://wiki.ubuntu.com/XenialXerus/ReleaseNotes
If you have a question, or if you think you may have found a bug but
aren't sure, you can try asking in any of the following places:
#ubuntu on irc.freenode.net
http://lists.ubuntu.com/mailman/listinfo/ubuntu-users
http://www.ubuntuforums.org
http://askubuntu.com
Help Shape Ubuntu
-----------------
If you would like to help shape Ubuntu, take a look at the list of ways
you can participate at:
http://www.ubuntu.com/community/get-involved
About Ubuntu
------------
Ubuntu is a full-featured Linux distribution for desktops, laptops,
clouds and servers, with a fast and easy installation and regular
releases. A tightly-integrated selection of excellent applications is
included, and an incredible variety of add-on software is just a few
clicks away.
Professional services including support are available from Canonical and
hundreds of other companies around the world. For more information
about support, visit:
More Information
----------------
You can learn more about Ubuntu and about this release on our website
listed below:
To sign up for future Ubuntu announcements, please subscribe to Ubuntu's
very low volume announcement list at:
http://lists.ubuntu.com/mailman/listinfo/ubuntu-announce
On behalf of the Ubuntu Release Team,
Łukasz 'sil2100' Zemczak
--
ubuntu-announce mailing list
ubuntu-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-announce
[USN-3586-1] DHCP vulnerabilities
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJamFDfAAoJEGVp2FWnRL6Tng8P/1Uh3tj40NiWzES4uoe4LN2I
TigLrpcMJeEgXoW17a2LaYWd1M74hxvXakSGj04ySdiel+3eO31M8r9g1SZ0ghRd
L8KfH2/pdcHlcsqtN2dbfdGPnK0uFM/8nCEUK6yRMss4kvRCezMAax87rG3/7/Ej
h/nbMZQ4xlL1kkWjDwbzafisigMt4p7S3AtBl1Xc6agbd31acv/amuwZ3deQiblh
eduVXTGJ02vubjCUjn9bWrw4uZmU6Hc1bFVVgego+HADop905omwvslKuQWdGYXf
a9PCc7sNknkH+PhZpy7miSFNx1S/d7F7n32r0dUSgFIkfCsmNZsknsseJTzjGAMc
n4HeWXBE1Y2HqKtuOvP0qjVYdFSG53bjMERmtZSjHF0zOSdqNVTmTFHJRRQpsTlh
kMTSpV59jePRJE/5PMaYyI2EYOPN6VM50vPBSvTlH8xkgrWTV3dUQlFUlQYMIR1+
ZIq3lQ0pvvBeWQ7aZmkDooNY1u2cfqgg+QMdWubUlc+3YMt1Inkx4L97vRm3MZoO
jwUL3CkGNTS6vthPwDDM01rEFqDz1N92G4UQkC/dO/tj/rd6jKlhOKvlTkm2cL8g
1wR56/SIeF6Az3njl6x/P9FIdy3oTuH3ob+k+JKSdsFQKxXZm4pNHerJ/3kUPnu+
IXA6iwZeBLeECGs7Z04H
=HajI
-----END PGP SIGNATURE-----
==========================================================================
Ubuntu Security Notice USN-3586-1
March 01, 2018
isc-dhcp vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 17.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in DHCP.
Software Description:
- isc-dhcp: DHCP server and client
Details:
Konstantin Orekhov discovered that the DHCP server incorrectly handled a
large number of concurrent TCP sessions. A remote attacker could possibly
use this issue to cause a denial of service. This issue only affected
Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-2774)
It was discovered that the DHCP server incorrectly handled socket
descriptors. A remote attacker could possibly use this issue to cause a
denial of service. (CVE-2017-3144)
Felix Wilhelm discovered that the DHCP client incorrectly handled certain
malformed responses. A remote attacker could use this issue to cause the
DHCP client to crash, resulting in a denial of service, or possibly execute
arbitrary code. In the default installation, attackers would be isolated by
the dhclient AppArmor profile. (CVE-2018-5732)
Felix Wilhelm discovered that the DHCP server incorrectly handled reference
counting. A remote attacker could possibly use this issue to cause the DHCP
server to crash, resulting in a denial of service. (CVE-2018-5733)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 17.10:
isc-dhcp-client 4.3.5-3ubuntu2.2
isc-dhcp-relay 4.3.5-3ubuntu2.2
isc-dhcp-server 4.3.5-3ubuntu2.2
isc-dhcp-server-ldap 4.3.5-3ubuntu2.2
Ubuntu 16.04 LTS:
isc-dhcp-client 4.3.3-5ubuntu12.9
isc-dhcp-relay 4.3.3-5ubuntu12.9
isc-dhcp-server 4.3.3-5ubuntu12.9
isc-dhcp-server-ldap 4.3.3-5ubuntu12.9
Ubuntu 14.04 LTS:
isc-dhcp-client 4.2.4-7ubuntu12.12
isc-dhcp-relay 4.2.4-7ubuntu12.12
isc-dhcp-server 4.2.4-7ubuntu12.12
isc-dhcp-server-ldap 4.2.4-7ubuntu12.12
In general, a standard system update will make all the necessary changes.
References:
https://usn.ubuntu.com/usn/usn-3586-1
CVE-2016-2774, CVE-2017-3144, CVE-2018-5732, CVE-2018-5733
Package Information:
https://launchpad.net/ubuntu/+source/isc-dhcp/4.3.5-3ubuntu2.2
https://launchpad.net/ubuntu/+source/isc-dhcp/4.3.3-5ubuntu12.9
https://launchpad.net/ubuntu/+source/isc-dhcp/4.2.4-7ubuntu12.12
iQIcBAEBCgAGBQJamFDfAAoJEGVp2FWnRL6Tng8P/1Uh3tj40NiWzES4uoe4LN2I
TigLrpcMJeEgXoW17a2LaYWd1M74hxvXakSGj04ySdiel+3eO31M8r9g1SZ0ghRd
L8KfH2/pdcHlcsqtN2dbfdGPnK0uFM/8nCEUK6yRMss4kvRCezMAax87rG3/7/Ej
h/nbMZQ4xlL1kkWjDwbzafisigMt4p7S3AtBl1Xc6agbd31acv/amuwZ3deQiblh
eduVXTGJ02vubjCUjn9bWrw4uZmU6Hc1bFVVgego+HADop905omwvslKuQWdGYXf
a9PCc7sNknkH+PhZpy7miSFNx1S/d7F7n32r0dUSgFIkfCsmNZsknsseJTzjGAMc
n4HeWXBE1Y2HqKtuOvP0qjVYdFSG53bjMERmtZSjHF0zOSdqNVTmTFHJRRQpsTlh
kMTSpV59jePRJE/5PMaYyI2EYOPN6VM50vPBSvTlH8xkgrWTV3dUQlFUlQYMIR1+
ZIq3lQ0pvvBeWQ7aZmkDooNY1u2cfqgg+QMdWubUlc+3YMt1Inkx4L97vRm3MZoO
jwUL3CkGNTS6vthPwDDM01rEFqDz1N92G4UQkC/dO/tj/rd6jKlhOKvlTkm2cL8g
1wR56/SIeF6Az3njl6x/P9FIdy3oTuH3ob+k+JKSdsFQKxXZm4pNHerJ/3kUPnu+
IXA6iwZeBLeECGs7Z04H
=HajI
-----END PGP SIGNATURE-----
==========================================================================
Ubuntu Security Notice USN-3586-1
March 01, 2018
isc-dhcp vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 17.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in DHCP.
Software Description:
- isc-dhcp: DHCP server and client
Details:
Konstantin Orekhov discovered that the DHCP server incorrectly handled a
large number of concurrent TCP sessions. A remote attacker could possibly
use this issue to cause a denial of service. This issue only affected
Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-2774)
It was discovered that the DHCP server incorrectly handled socket
descriptors. A remote attacker could possibly use this issue to cause a
denial of service. (CVE-2017-3144)
Felix Wilhelm discovered that the DHCP client incorrectly handled certain
malformed responses. A remote attacker could use this issue to cause the
DHCP client to crash, resulting in a denial of service, or possibly execute
arbitrary code. In the default installation, attackers would be isolated by
the dhclient AppArmor profile. (CVE-2018-5732)
Felix Wilhelm discovered that the DHCP server incorrectly handled reference
counting. A remote attacker could possibly use this issue to cause the DHCP
server to crash, resulting in a denial of service. (CVE-2018-5733)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 17.10:
isc-dhcp-client 4.3.5-3ubuntu2.2
isc-dhcp-relay 4.3.5-3ubuntu2.2
isc-dhcp-server 4.3.5-3ubuntu2.2
isc-dhcp-server-ldap 4.3.5-3ubuntu2.2
Ubuntu 16.04 LTS:
isc-dhcp-client 4.3.3-5ubuntu12.9
isc-dhcp-relay 4.3.3-5ubuntu12.9
isc-dhcp-server 4.3.3-5ubuntu12.9
isc-dhcp-server-ldap 4.3.3-5ubuntu12.9
Ubuntu 14.04 LTS:
isc-dhcp-client 4.2.4-7ubuntu12.12
isc-dhcp-relay 4.2.4-7ubuntu12.12
isc-dhcp-server 4.2.4-7ubuntu12.12
isc-dhcp-server-ldap 4.2.4-7ubuntu12.12
In general, a standard system update will make all the necessary changes.
References:
https://usn.ubuntu.com/usn/usn-3586-1
CVE-2016-2774, CVE-2017-3144, CVE-2018-5732, CVE-2018-5733
Package Information:
https://launchpad.net/ubuntu/+source/isc-dhcp/4.3.5-3ubuntu2.2
https://launchpad.net/ubuntu/+source/isc-dhcp/4.3.3-5ubuntu12.9
https://launchpad.net/ubuntu/+source/isc-dhcp/4.2.4-7ubuntu12.12
lists.linuxfromscratch.org mailing list memberships reminder
This is a reminder, sent out once a month, about your
lists.linuxfromscratch.org mailing list memberships. It includes your
subscription info and how to use it to change it or unsubscribe from a
list.
lists.linuxfromscratch.org mailing list memberships. It includes your
subscription info and how to use it to change it or unsubscribe from a
list.
You can visit the URLs to change your membership status or
configuration, including unsubscribing, setting digest-style delivery
or disabling delivery altogether (e.g., for a vacation), and so on.
In addition to the URL interfaces, you can also use email to make such
changes. For more info, send a message to the '-request' address of
the list (for example, mailman-request@lists.linuxfromscratch.org)
containing just the word 'help' in the message body, and an email
message will be sent to you with instructions.
If you have questions, problems, comments, etc, send them to
mailman-owner@lists.linuxfromscratch.org. Thanks!
Passwords for reallost1.fbsd2233449@blogger.com:
List Password // URL
---- --------
lfs-announce@lists.linuxfromscratch.org vaozebru
http://lists.linuxfromscratch.org/options/lfs-announce/reallost1.fbsd2233449%40blogger.com
f28-ppc64le chroots finally working in COPR
Hello,
the fedora-28-ppc64le chroot was no working up until now due to lack of compose. This was resolved however in issue. https://pagure.io/releng/issue/7357Open Seats on the Fedora Packaging Committee
The Fedora Packaging Committee has some open seats and is accepting
submissions from interested candidates to serve on the FPC.
The FPC would like to thank Ralf Corsepius, Dominik 'Rathann'
Mierzejewski, and Thomas Spura for their service.
This position involves not only reviewing Packaging Guideline drafts
submitted to the FPC for consideration, but also helping rewrite drafts
to resolve issues in a more acceptable fashion. Additionally, the FPC
reviews UID/GID soft static assignment.
Currently the FPC meets on IRC weekly, on alternate
Wednesdays/Thursdays based around 12:00 EST, for approximately an
hour.
However that is likely to change back to a single day/time slot, and
the time would depend on when is good for all the members (East Coast
US and German TZs, at least).
FPC members serve for as long as they are willing, there are currently
no term limits. All decisions are voted on using a +1 (for), 0
(abstain), and -1 (against) mechanism, and all decisions must be
approved by a majority (+5). FPC Meetings do not happen if quorum (5)
is not present. Candidates who are interested should provide the
following details to the FPC for consideration, by emailing it directly
to me (james(a)fedoraproject.org).
The FPC will consider all candidates, but strongly prefers candidates
who have extensive experience packaging in Fedora. We will accept
applications for the next two weeks (deadline Wednesday, 2018-03-14).
Name:
FAS Account:
Provenpackager? (Yes/No):
Main area of packaging interest/expertise:
Reason(s) for wanting to join the FPC:
Thanks in advance,
~James
_______________________________________________
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org
submissions from interested candidates to serve on the FPC.
The FPC would like to thank Ralf Corsepius, Dominik 'Rathann'
Mierzejewski, and Thomas Spura for their service.
This position involves not only reviewing Packaging Guideline drafts
submitted to the FPC for consideration, but also helping rewrite drafts
to resolve issues in a more acceptable fashion. Additionally, the FPC
reviews UID/GID soft static assignment.
Currently the FPC meets on IRC weekly, on alternate
Wednesdays/Thursdays based around 12:00 EST, for approximately an
hour.
However that is likely to change back to a single day/time slot, and
the time would depend on when is good for all the members (East Coast
US and German TZs, at least).
FPC members serve for as long as they are willing, there are currently
no term limits. All decisions are voted on using a +1 (for), 0
(abstain), and -1 (against) mechanism, and all decisions must be
approved by a majority (+5). FPC Meetings do not happen if quorum (5)
is not present. Candidates who are interested should provide the
following details to the FPC for consideration, by emailing it directly
to me (james(a)fedoraproject.org).
The FPC will consider all candidates, but strongly prefers candidates
who have extensive experience packaging in Fedora. We will accept
applications for the next two weeks (deadline Wednesday, 2018-03-14).
Name:
FAS Account:
Provenpackager? (Yes/No):
Main area of packaging interest/expertise:
Reason(s) for wanting to join the FPC:
Thanks in advance,
~James
_______________________________________________
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org
Subscribe to:
Posts (Atom)