The Dragora team is happy to announce security updates #006. The following packages are affected by security issues:

    curl file gnupg1 gnupg2 gnutls gpgme libgpg-error libtasn1 mutt
    nspr openssl pidgin

We recommend that you upgrade your packages as soon as possible.

Details
-------

Most packages have been updated to the latest version, which covers a wide range of security advisories (and bug fixes) too long to list here. However, special care was taken during the build not to break compatibility with the version numbers of the Dragora 2 packages. This includes the update of libgpg-error and libtasn1, which are dependencies of the latest gnupg.

nspr has been rebuilt to solve CVE-2013-5607.

openssl-1.0.0m corrects: CVE-2014-0224, CVE-2014-0221, CVE-2014-0195, CVE-2014-0198, CVE-2010-5298, and CVE-2014-3470.

For more information, visit:

 * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5607
 * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
 * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0221
 * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0195
 * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0198
 * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5298
 * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3470

Obtain the packages from

* 32 bit *

http://gungre.ch/dragora/mirror/dragora-2.2/upgrades/packages/32b/curl-7.37.0-i486-1.tlz
http://gungre.ch/dragora/mirror/dragora-2.2/upgrades/packages/32b/file-5.19-i486-1.tlz
http://gungre.ch/dragora/mirror/dragora-2.2/upgrades/packages/32b/gnupg1-1.4.17-i486-1.tlz
http://gungre.ch/dragora/mirror/dragora-2.2/upgrades/packages/32b/gnupg2-2.0.23-i486-1.tlz
http://gungre.ch/dragora/mirror/dragora-2.2/upgrades/packages/32b/gnutls-2.12.23-i486-1.tlz
http://gungre.ch/dragora/mirror/dragora-2.2/upgrades/packages/32b/gpgme-1.3.2-i486-1.tlz
http://gungre.ch/dragora/mirror/dragora-2.2/upgrades/packages/32b/libgpg-error-1.13-i486-1.tlz
http://gungre.ch/dragora/mirror/dragora-2.2/upgrades/packages/32b/libtasn1-2.14-i486-1.tlz
http://gungre.ch/dragora/mirror/dragora-2.2/upgrades/packages/32b/mutt-1.5.23-i486-1.tlz
http://gungre.ch/dragora/mirror/dragora-2.2/upgrades/packages/32b/nspr-4.8.9-i486-2.tlz
http://gungre.ch/dragora/mirror/dragora-2.2/upgrades/packages/32b/openssl-1.0.0m-i486-1.tlz
http://gungre.ch/dragora/mirror/dragora-2.2/upgrades/packages/32b/pidgin-2.10.9-i486-1.tlz

* 64 bit *

http://gungre.ch/dragora/mirror/dragora-2.2/upgrades/packages/64b/curl-7.37.0-x86_64-1.tlz
http://gungre.ch/dragora/mirror/dragora-2.2/upgrades/packages/64b/file-5.19-x86_64-1.tlz
http://gungre.ch/dragora/mirror/dragora-2.2/upgrades/packages/64b/gnupg1-1.4.17-x86_64-1.tlz
http://gungre.ch/dragora/mirror/dragora-2.2/upgrades/packages/64b/gnupg2-2.0.23-x86_64-1.tlz
http://gungre.ch/dragora/mirror/dragora-2.2/upgrades/packages/64b/gnutls-2.12.23-x86_64-1.tlz
http://gungre.ch/dragora/mirror/dragora-2.2/upgrades/packages/64b/gpgme-1.3.2-x86_64-1.tlz
http://gungre.ch/dragora/mirror/dragora-2.2/upgrades/packages/64b/libgpg-error-1.13-x86_64-1.tlz
http://gungre.ch/dragora/mirror/dragora-2.2/upgrades/packages/64b/libtasn1-2.14-x86_64-1.tlz
http://gungre.ch/dragora/mirror/dragora-2.2/upgrades/packages/64b/mutt-1.5.23-x86_64-1.tlz
http://gungre.ch/dragora/mirror/dragora-2.2/upgrades/packages/64b/nspr-4.8.9-x86_64-2.tlz
http://gungre.ch/dragora/mirror/dragora-2.2/upgrades/packages/64b/openssl-1.0.0m-x86_64-1.tlz
http://gungre.ch/dragora/mirror/dragora-2.2/upgrades/packages/64b/pidgin-2.10.9-x86_64-1.tlz

Checksums (SHA1)
----------------

If you need the detached GPG signatures[1] just append .sig to the URLs above.

Upgrading
---------

To upgrade a package, issue the following command:

    pkg upgrade <package.tlz>

To upgrade multiple packages, simply type:

    pkg upgrade curl-7.37.0-i486-1.tlz pidgin-2.10.9-i486-1.tlz ...

Notes
=====

You can get all the upgrades via RSYNC. For example, to obtain the 32-bit packages, type:

    # rsync -aviz gungre.ch::dragora/dragora-2.2/upgrades/packages/32b .

Then use the sha1sum(1) tool to check all the files against the checksum list:

    # sha1sum -c SHA1SUMS

`pkg upgrade' can be used to upgrade all the packages (installed or not installed); for more information, take a look at:

    http://dragora.org/wiki/doku.php/guides/d2/pkgmanager

Footnotes:

[1] Use a .sig file to verify that the corresponding file (without the .sig suffix) is intact. First, be sure to download both the .sig file and the corresponding tarball. Then, run a command like this:

    gpg --verify pidgin-2.10.9-i486-1.tlz.sig

If that command fails because you don't have the required public key, then run these commands to import it:

    wget http://gungre.ch/dragora/mirror/dragora-2.2/KEY
    gpg --import KEY

and re-run the `gpg --verify' sequence.
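
The two checks described in the notes and footnote above (SHA1SUMS and the detached .sig files), combined into one gate to run before `pkg upgrade'. This is an added example, not part of the original announcement or of Dragora's tools; `verified_packages' and `GPG_VERIFY' are hypothetical names, and it assumes SHA1SUMS lists bare file names and sits in the same directory as the packages and their .sig files.

```shell
#!/bin/sh
# Added example: list the packages in a download directory that passed both
# the SHA1SUMS check and the detached-signature check.
# GPG_VERIFY (hypothetical) is the signature verifier; override it to test.
GPG_VERIFY=${GPG_VERIFY:-gpg --verify}

# verified_packages DIR
# Prints one accepted package path per line on stdout, rejections on stderr.
# Returns 0 if every *.tlz was accepted, 1 if any was rejected, 2 if the
# checksum list itself is missing.
verified_packages() {
    dir=$1
    rc=0
    [ -f "$dir/SHA1SUMS" ] || { echo "missing $dir/SHA1SUMS" >&2; return 2; }
    for pkg in "$dir"/*.tlz; do
        [ -e "$pkg" ] || continue    # the glob matched nothing
        name=${pkg##*/}
        # Expected digest: the SHA1SUMS entry whose file name is exactly $name
        # (a leading "*" marks binary mode in sha1sum output).
        want=$(awk -v f="$name" \
            '{ n = $2; sub(/^\*/, "", n) } n == f { print $1; exit }' \
            "$dir/SHA1SUMS")
        got=$(sha1sum "$pkg" | awk '{ print $1 }')
        if [ -z "$want" ]; then
            # sha1sum -c would silently ignore a file that is not listed.
            echo "REJECT $name: not listed in SHA1SUMS" >&2; rc=1; continue
        fi
        if [ "$want" != "$got" ]; then
            echo "REJECT $name: checksum mismatch" >&2; rc=1; continue
        fi
        if [ ! -f "$pkg.sig" ]; then
            echo "REJECT $name: no detached signature" >&2; rc=1; continue
        fi
        # Name the signed file explicitly instead of letting gpg infer it.
        if ! $GPG_VERIFY "$pkg.sig" "$pkg" >/dev/null 2>&1; then
            echo "REJECT $name: bad signature" >&2; rc=1; continue
        fi
        printf '%s\n' "$pkg"
    done
    return $rc
}
```

Pass the printed paths to `pkg upgrade' only when the function returned 0; a checksum list fetched from the same mirror as the packages only detects corruption, so the signature check is the one that ties a package to the imported KEY.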
