[Group.of.nepali.translators] [Bug 2028863] [NEW] Denial of service via gvar table loading
*** This bug is a security vulnerability ***

Public security bug reported:

focal and earlier need this commit to prevent a DoS:
https://gitlab.freedesktop.org/freetype/freetype/-/commit/216e077600a58346bb022d8409fd82e9d914a10a

** Affects: freetype (Ubuntu) Importance: Undecided Status: Fix Released
** Affects: freetype (Ubuntu Trusty) Importance: Undecided Status: New
** Affects: freetype (Ubuntu Xenial) Importance: Undecided Status: New
** Affects: freetype (Ubuntu Bionic) Importance: Undecided Status: New
** Affects: freetype (Ubuntu Focal) Importance: Low Status: Confirmed
** Also affects: freetype (Ubuntu Bionic) Importance: Undecided Status: New
** Also affects: freetype (Ubuntu Xenial) Importance: Undecided Status: New
** Also affects: freetype (Ubuntu Focal) Importance: Undecided Status: New
** Also affects: freetype (Ubuntu Trusty) Importance: Undecided Status: New
** Changed in: freetype (Ubuntu) Status: New => Fix Released
** Changed in: freetype (Ubuntu Focal) Status: New => Confirmed
** Changed in: freetype (Ubuntu Focal) Importance: Undecided => Low

--
You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/2028863

Title: Denial of service via gvar table loading

Status in freetype package in Ubuntu: Fix Released
Status in freetype source package in Trusty: New
Status in freetype source package in Xenial: New
Status in freetype source package in Bionic: New
Status in freetype source package in Focal: Confirmed

Bug description:
focal and earlier need this commit to prevent a DoS:
https://gitlab.freedesktop.org/freetype/freetype/-/commit/216e077600a58346bb022d8409fd82e9d914a10a

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freetype/+bug/2028863/+subscriptions

___
Mailing list: https://launchpad.net/~group.of.nepali.translators
Post to : group.of.nepali.translators@lists.launchpad.net
Unsubscribe : https://launchpad.net/~group.of.nepali.translators
More help : https://help.launchpad.net/ListHelp
[Group.of.nepali.translators] [Bug 1885633] Re: [ZDI-CAN-11233]: apport Unnecessary Privileges Information Disclosure Vulnerability
** Changed in: apport (Ubuntu Eoan) Status: Confirmed => Won't Fix

https://bugs.launchpad.net/bugs/1885633

Title: [ZDI-CAN-11233]: apport Unnecessary Privileges Information Disclosure Vulnerability

Status in apport package in Ubuntu: Fix Released
Status in apport source package in Xenial: Fix Released
Status in apport source package in Bionic: Fix Released
Status in apport source package in Eoan: Won't Fix
Status in apport source package in Focal: Fix Released

Bug description:
-- VULNERABILITY DETAILS
* Version tested: 18.04.4 LTS amd64 server
* Installer file: ubuntu-18.04.4-live-server-amd64.iso
* Platform tested: -

---

### Analysis

Apport, which is the crash reporter in Ubuntu, will execute gdbus to check if the pid is in a closing user session. Before executing the binary, it drops privilege to the crashed process's uid. But it doesn't drop the group id, so it can be used to leak a file which is owned by the root group. This lets anyone read a file which can only be read by the root group, but the file size must be 16 bytes.

Reproduce steps:

```
ubuntu@ubuntu:/tmp$ echo -ne "SECURESECRETHERE" > securefile
ubuntu@ubuntu:/tmp$ sudo chown root:root securefile
ubuntu@ubuntu:/tmp$ sudo chmod 440 securefile
ubuntu@ubuntu:/tmp$ su - zdi
Password:
zdi@ubuntu:~$ id
uid=1001(zdi) gid=1001(zdi) groups=1001(zdi)
zdi@ubuntu:~$ cd /tmp/
zdi@ubuntu:/tmp$ ls -al securefile
-r--r- 1 root root 16 Jun 16 04:33 securefile
zdi@ubuntu:/tmp$ cat securefile
cat: securefile: Permission denied
```
[Group.of.nepali.translators] [Bug 1944481] Re: Distrust "DST Root CA X3"
** Changed in: ca-certificates (Ubuntu Impish) Status: New => Fix Committed
** Changed in: ca-certificates (Ubuntu Trusty) Status: New => Fix Released
** Changed in: ca-certificates (Ubuntu Xenial) Status: New => Fix Released

https://bugs.launchpad.net/bugs/1944481

Title: Distrust "DST Root CA X3"

Status in ca-certificates package in Ubuntu: Fix Committed
Status in ca-certificates source package in Trusty: Fix Released
Status in ca-certificates source package in Xenial: Fix Released
Status in ca-certificates source package in Bionic: Fix Released
Status in ca-certificates source package in Focal: Fix Released
Status in ca-certificates source package in Hirsute: Fix Released
Status in ca-certificates source package in Impish: Fix Committed

Bug description:

[Impact]

* ca-certificates trusts the letsencrypt CA certificate "ISRG Root X1"
* ca-certificates also trusts the CA certificate "DST Root CA X3" which cross-signs letsencrypt CA
* "DST Root CA X3" is about to expire, however it has issued an updated cross-signature to letsencrypt beyond its own expiry
* This causes issues with older implementations of openssl & gnutls that reject such chains when offered to clients by servers.
* We have provided fixes for openssl in xenial and gnutls in bionic/xenial, however trusty systems remain affected. Also any self built old copies of openssl/gnutls remain susceptible to this expiry.
* One solution is to blacklist the "DST Root CA X3" from the ca-certificates package as described at https://blog.devgenius.io/rhel-centos-7-fix-for-lets-encrypt-change-8af2de587fe4 - connectivity to sites chained to "DST Root CA X3" will be unaffected, and servers that chain to both "ISRG Root X1" and "DST Root CA X3" should start to work unmodified.
* This is similar to how this was handled for AddTrust before "* mozilla/blacklist.txt: blacklist expired AddTrust External Root CA."

[Test Plan]

* Install old/current ca-certificates faketime wget curl libcurl3-gnutls

# faketime 2021-10-01 wget https://pskov.surgut.co.uk
--2021-10-01 00:00:00-- https://pskov.surgut.co.uk/
Resolving pskov.surgut.co.uk (pskov.surgut.co.uk)... 2a01:4f8:c17:3dd8::1, 49.12.37.5
Connecting to pskov.surgut.co.uk (pskov.surgut.co.uk)|2a01:4f8:c17:3dd8::1|:443... connected.
ERROR: cannot verify pskov.surgut.co.uk's certificate, issued by '/C=US/O=Let\'s Encrypt/CN=R3':
Issued certificate has expired.
To connect to pskov.surgut.co.uk insecurely, use `--no-check-certificate'.

# LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libcurl-gnutls.so.4 faketime 2021-10-01 curl https://pskov.surgut.co.uk >/dev/null
% Total% Received % Xferd Average Speed TimeTime Time Current
Dload Upload Total SpentLeft Speed
0 00 00 0 0 0 --:--:-- --:--:-- --:--:-- 0
curl: (60) SSL certificate problem: certificate has expired

* Install new ca-certificates package

# faketime 2021-10-01 wget https://pskov.surgut.co.uk
--2021-10-01 00:00:00-- https://pskov.surgut.co.uk/
Resolving pskov.surgut.co.uk (pskov.surgut.co.uk)... 2a01:4f8:c17:3dd8::1, 49.12.37.5
Connecting to pskov.surgut.co.uk (pskov.surgut.co.uk)|2a01:4f8:c17:3dd8::1|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 612 [text/html]
Saving to: 'index.html.3'
100%[>] 612 --.-K/s in 0s
2021-10-01 00:00:00 (71.7 MB/s) - 'index.html.3' saved [612/612]

LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libcurl-gnutls.so.4 faketime 2021-10-01 curl https://pskov.surgut.co.uk >/dev/null
% Total% Received % Xferd Average Speed TimeTime Time Current
Dload Upload Total SpentLeft Speed
100 612 100 6120 0 5794 0 --:--:-- --:--:-- --:--:-- 5828

Download is successful.

[Where problems could occur]

* Connectivity to "DST Root CA X3" websites only, even under faketime set to dates prior to 30th of September 2021 will not work, as "DST Root CA X3" certificate is no longer installed. Users should locally install and enable that CA certificate, or allow dangerous unverified connectivity to websites using expired CA certs.

[Other Info]

* Related openssl and gnutls28 bugs are https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1928989 and https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1928648
[Group.of.nepali.translators] [Bug 1926300] Re: clamdscan - MULTISCAN parameter causes Segmentation fault error
Please stop changing the status on this bug. Since Xenial is now in Extended Security Maintenance, the fix was pushed to the ESM repository for Xenial. The "Fix Released" status on this bug is accurate.

See the following for more information on Extended Security Maintenance:
https://lists.ubuntu.com/archives/ubuntu-security-announce/2021-March/005930.html

** Changed in: clamav (Ubuntu Xenial) Status: Triaged => Fix Released
** Changed in: clamav (Ubuntu) Status: Triaged => Fix Released

https://bugs.launchpad.net/bugs/1926300

Title: clamdscan - MULTISCAN parameter causes Segmentation fault error

Status in ClamAV: Unknown
Status in clamav package in Ubuntu: Fix Released
Status in clamav source package in Xenial: Fix Released
Status in clamav source package in Bionic: Fix Released
Status in clamav source package in Focal: Fix Released
Status in clamav source package in Groovy: Fix Released
Status in clamav source package in Hirsute: Fix Released

Bug description:
While running clamdscan with the --multiscan parameter we get the following error:

Segmentation fault (core dumped)

The scan starts without '--multiscan' but it causes performance issues.

The issue is present on Ubuntu 16.04.7 LTS, Ubuntu 18.04.5 LTS, Ubuntu 20.04.2 LTS

from dmesg log:
[Wed Apr 21 13:45:30 2021] clamdscan[5805]: segfault at 0 ip 7f42b5128bf5 sp 7fff89b76088 error 4 in libc-2.27.so[7f42b5072000+1e7000]
[Wed Apr 21 13:45:30 2021] Code: bc d1 f3 0f 7f 27 f3 0f 7f 6f 10 f3 0f 7f 77 20 f3 0f 7f 7f 30 49 83 c0 0f 49 29 d0 48 8d 7c 17 31 e9 8f 0b 00 00 66 0f ef c0 0f 6f 0e f3 0f 6f 56 10 66 0f 74 c1 66 0f d7 d0 49 83 f8 11 0f

ClamAV 0.103.2/26152/Mon Apr 26 11:04:28 2021

clamav            0.103.2+dfsg-0ubuntu0.16.04.1  amd64
clamav-base       0.103.2+dfsg-0ubuntu0.16.04.1  all
clamav-daemon     0.103.2+dfsg-0ubuntu0.16.04.1  amd64
clamav-docs       0.103.2+dfsg-0ubuntu0.16.04.1  all
clamav-freshclam  0.103.2+dfsg-0ubuntu0.16.04.1  amd64
clamdscan         0.103.2+dfsg-0ubuntu0.16.04.1  amd64
[Group.of.nepali.translators] [Bug 1917812] Re: extracting archives from within nautilus omits subfolders
** Also affects: gnome-autoar (Ubuntu Bionic) Importance: Undecided Status: New
** Also affects: gnome-autoar (Ubuntu Xenial) Importance: Undecided Status: New
** Also affects: gnome-autoar (Ubuntu Focal) Importance: Undecided Status: New
** Also affects: gnome-autoar (Ubuntu Hirsute) Importance: High Status: Fix Released
** Also affects: gnome-autoar (Ubuntu Groovy) Importance: Undecided Status: New
** Changed in: gnome-autoar (Ubuntu Xenial) Status: New => In Progress
** Changed in: gnome-autoar (Ubuntu Bionic) Status: New => In Progress
** Changed in: gnome-autoar (Ubuntu Xenial) Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Changed in: gnome-autoar (Ubuntu Bionic) Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Changed in: gnome-autoar (Ubuntu Focal) Status: New => In Progress
** Changed in: gnome-autoar (Ubuntu Focal) Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Changed in: gnome-autoar (Ubuntu Groovy) Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Changed in: gnome-autoar (Ubuntu Groovy) Status: New => In Progress
** No longer affects: gnome-autoar (Ubuntu Xenial)

https://bugs.launchpad.net/bugs/1917812

Title: extracting archives from within nautilus omits subfolders

Status in gnome-autoar package in Ubuntu: Fix Released
Status in gnome-autoar source package in Bionic: In Progress
Status in gnome-autoar source package in Focal: In Progress
Status in gnome-autoar source package in Groovy: In Progress
Status in gnome-autoar source package in Hirsute: Fix Released

Bug description:
When extracting ZIP archives from within nautilus (e.g. right-click -> "Extract Here") the extracted file structure is missing subfolders.

Reproduce:
1. download a ZIP archive that includes files and folders in the root (e.g. https://github.com/electron/electron/releases/download/v12.0.0/electron-v12.0.0-linux-x64.zip)
2. within nautilus right-click on the archive and select "Extract Here"
3. check the extracted folder, you will see that only the files have been extracted, the folders are missing

This is an issue that was recently introduced, as this used to work a while ago on Ubuntu 20.04.

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: nautilus 1:3.36.3-0ubuntu1
ProcVersionSignature: Ubuntu 5.8.0-44.50~20.04.1-generic 5.8.18
Uname: Linux 5.8.0-44-generic x86_64
ApportVersion: 2.20.11-0ubuntu27.16
Architecture: amd64
CasperMD5CheckResult: skip
CurrentDesktop: ubuntu:GNOME
Date: Thu Mar 4 22:09:52 2021
SourcePackage: nautilus
UpgradeStatus: No upgrade log present (probably fresh install)
usr_lib_nautilus:
[Group.of.nepali.translators] [Bug 1905741] Re: poppler 0.62.0-2ubuntu2.11 and 0.41.0-0ubuntu1.15 security updates break Splash output
Thanks for reporting this, I'll back out the fix and will release updates shortly.

** Also affects: poppler (Ubuntu Xenial) Importance: Undecided Status: New
** Also affects: poppler (Ubuntu Bionic) Importance: Undecided Status: New
** Changed in: poppler (Ubuntu) Status: New => Invalid
** Changed in: poppler (Ubuntu Xenial) Status: New => In Progress
** Changed in: poppler (Ubuntu Bionic) Status: New => In Progress
** Changed in: poppler (Ubuntu Xenial) Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Changed in: poppler (Ubuntu Bionic) Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

https://bugs.launchpad.net/bugs/1905741

Title: poppler 0.62.0-2ubuntu2.11 and 0.41.0-0ubuntu1.15 security updates break Splash output

Status in poppler package in Ubuntu: Invalid
Status in poppler source package in Xenial: In Progress
Status in poppler source package in Bionic: In Progress

Bug description:
The security updates 0.62.0-2ubuntu2.11 and 0.41.0-0ubuntu1.15 break the Splash output rendering, for example if using the xpdf utility that relies on Poppler splash output, or as used by the GDAL library (the issue was detected due to breakage in GDAL continuous integration tests).

I've traced the root cause to those security updates enabling in 'rules' CMYK (--enable-cmyk for 0.41.0-0ubuntu1.15 and -DSPLASH_CMYK=ON for 0.62.0-2ubuntu2.11).

Building without CMYK restores poppler in a working state.

It should be noted that even on the upstream 0.41.0 version, enabling CMYK results in a non-functional build, so it is not related to the patches applied on top of it, but really on enabling CMYK.

The issue can be verified with "xpdf test_ogc_bp.pdf" with the attached test_ogc_bp.pdf file. With the new packages, xpdf crashes, whereas with older ones it displays a 20x20 greyscale image.

Or with "gdal_translate test_ogc_bp.pdf out.png -of PNG" when installing the "gdal-bin" package, that currently errors out with a message like "ERROR 1: Bitmap decoded size (18623872x0) doesn't match raster size (20x20)"
[Group.of.nepali.translators] [Bug 1895294] Re: Fix Raccoon vulnerability (CVE-2020-1968)
This has now been fixed:
https://ubuntu.com/security/notices/USN-4504-1

** Changed in: openssl (Ubuntu Xenial) Status: Confirmed => Fix Released

https://bugs.launchpad.net/bugs/1895294

Title: Fix Raccoon vulnerability (CVE-2020-1968)

Status in openssl package in Ubuntu: Fix Released
Status in openssl source package in Xenial: Fix Released

Bug description:
Xenial's current OpenSSL (1.0.2g-1ubuntu4.16) seems to not have been patched yet against the Raccoon Attack (CVE-2020-1968):
- https://www.openssl.org/news/secadv/20200909.txt
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1968
- https://raccoon-attack.com/

Ubuntu's CVE tracker still lists this as NEEDED for Xenial:
- https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1968.html
- https://people.canonical.com/~ubuntu-security/cve/pkg/openssl.html

Other supported Ubuntu releases use versions of OpenSSL that are not affected.

Indeed:
$ apt-cache policy openssl
openssl:
  Installed: 1.0.2g-1ubuntu4.16
$ apt-get changelog openssl | grep CVE-2020-1968 || echo "Not patched"
Not patched

What is the status?
[Group.of.nepali.translators] [Bug 1890265] Re: BUG: Version 3.5.27-1ubuntu1.7 breaks config using icap
** Changed in: squid3 (Ubuntu) Status: Triaged => Fix Released

https://bugs.launchpad.net/bugs/1890265

Title: BUG: Version 3.5.27-1ubuntu1.7 breaks config using icap

Status in squid3 package in Ubuntu: Fix Released
Status in squid3 source package in Xenial: Fix Released
Status in squid3 source package in Bionic: Fix Released
Status in squid3 package in Debian: New

Bug description:
Using ubuntu 18.04 I had a squid config using c-icap to scan requests/responses using ClamAV. It was working OK since long time ago.

Today, squid has (security)updated to 3.5.27-1ubuntu1.7 and now, connection to icap is broken.

That is the error at squid-cache.log

2020/08/04 09:44:08 kid1| essential ICAP service is down after an options fetch failure: icap://127.0.0.1:1344/virus_scan [down,!opt]

After downgrading to 3.5.27-1ubuntu1.6 it starts working again.

The icap service is working fine, tested with `c-icap-client -i 127.0.0.1 -p 1344 -s virus_scan`

Thanks.
[Group.of.nepali.translators] [Bug 1890265] Re: BUG: Version 3.5.27-1ubuntu1.7 breaks config using icap
** Also affects: squid3 (Debian) via https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965012 Importance: Unknown Status: Unknown
** Also affects: squid3 (Ubuntu Xenial) Importance: Undecided Status: New
** Changed in: squid3 (Ubuntu Xenial) Status: New => Confirmed
** Changed in: squid3 (Ubuntu Xenial) Importance: Undecided => High
** Changed in: squid3 (Ubuntu Xenial) Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Changed in: squid3 (Ubuntu Bionic) Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

https://bugs.launchpad.net/bugs/1890265

Title: BUG: Version 3.5.27-1ubuntu1.7 breaks config using icap

Status in squid3 package in Ubuntu: Triaged
Status in squid3 source package in Xenial: Confirmed
Status in squid3 source package in Bionic: Confirmed
Status in squid3 package in Debian: Unknown

Bug description:
Using ubuntu 18.04 I had a squid config using c-icap to scan requests/responses using ClamAV. It was working OK since long time ago.

Today, squid has (security)updated to 3.5.27-1ubuntu1.7 and now, connection to icap is broken.

That is the error at squid-cache.log

2020/08/04 09:44:08 kid1| essential ICAP service is down after an options fetch failure: icap://127.0.0.1:1344/virus_scan [down,!opt]

After downgrading to 3.5.27-1ubuntu1.6 it starts working again.

The icap service is working fine, tested with `c-icap-client -i 127.0.0.1 -p 1344 -s virus_scan`

Thanks.
[Group.of.nepali.translators] [Bug 1888160] Re: ClamAV needs updated to reflect security fixes
https://ubuntu.com/security/notices/USN-4435-1

** Changed in: clamav (Ubuntu) Status: Triaged => Fix Released
** Changed in: clamav (Ubuntu Xenial) Status: New => Fix Released
** Changed in: clamav (Ubuntu Bionic) Status: New => Fix Released
** Changed in: clamav (Ubuntu Eoan) Status: New => Fix Released
** Changed in: clamav (Ubuntu Focal) Status: New => Fix Released

https://bugs.launchpad.net/bugs/1888160

Title: ClamAV needs updated to reflect security fixes

Status in clamav package in Ubuntu: Fix Released
Status in clamav source package in Xenial: Fix Released
Status in clamav source package in Bionic: Fix Released
Status in clamav source package in Eoan: Fix Released
Status in clamav source package in Focal: Fix Released

Bug description:
Description: Ubuntu 18.04.4 LTS
Release: 18.04

apt-cache policy clamav
clamav:
  Installed: 0.102.3+dfsg-0ubuntu0.18.04.1
  Candidate: 0.102.3+dfsg-0ubuntu0.18.04.1

The current version of ClamAV for 18.04.4 LTS is 0.102.3+dfsg-0ubuntu0.18.04.1. The current stable version of ClamAV is 0.102.4. There have been patches released that fix security related bugs as shown below:

ClamAV 0.102.4 is a bug patch release to address the following issues:

CVE-2020-3350
Fixed a vulnerability a malicious user could exploit to replace a scan target's directory with a symlink to another path to trick clamscan, clamdscan, or clamonacc into removing or moving a different file (such as a critical system file). The issue would affect users that use the --move or --remove options for clamscan, clamdscan and clamonacc.

CVE-2020-3327
Fixed a vulnerability in the ARJ archive-parsing module in ClamAV 0.102.3 that could cause a denial-of-service (DoS) condition. Improper bounds checking resulted in an out-of-bounds read that could cause a crash. The previous fix for this CVE in version 0.102.3 was incomplete. This fix correctly resolves the issue.

CVE-2020-3481
Fixed a vulnerability in the EGG archive module in ClamAV 0.102.0 - 0.102.3 that could cause a denial-of-service (DoS) condition. Improper error handling could cause a crash due to a NULL pointer dereference. This vulnerability is mitigated for those using the official ClamAV signature databases because the file type signatures in daily.cvd will not enable the EGG archive parser in affected versions.

Request that ClamAV be updated to the latest version 0.102.4
[Group.of.nepali.translators] [Bug 1889206] Re: Regression in USN-4436-1
** Changed in: librsvg (Ubuntu) Status: Confirmed => Invalid

https://bugs.launchpad.net/bugs/1889206

Title: Regression in USN-4436-1

Status in librsvg: Unknown
Status in librsvg package in Ubuntu: Invalid
Status in librsvg source package in Xenial: Fix Released
Status in librsvg source package in Bionic: Fix Released

Bug description:
The security fix for librsvg introduced a regression in aisleriot.

Steps to reproduce:
1- install gnome-cards-data
2- run "sol" to start Aisleriot
3- Switch card layout to "Anglo"
4- Notice some cards are missing graphics
[Group.of.nepali.translators] [Bug 1889206] Re: Regression in USN-4436-1
** Attachment added: "eog displaying issue rendering anglo cardset" https://bugs.launchpad.net/ubuntu/+source/librsvg/+bug/1889206/+attachment/5396555/+files/anglo-issue.png
** Bug watch added: gitlab.gnome.org/GNOME/librsvg/-/issues #612 https://gitlab.gnome.org/GNOME/librsvg/-/issues/612
** Also affects: librsvg via https://gitlab.gnome.org/GNOME/librsvg/-/issues/612 Importance: Unknown Status: Unknown

https://bugs.launchpad.net/bugs/1889206

Title: Regression in USN-4436-1

Status in librsvg: Unknown
Status in librsvg package in Ubuntu: Confirmed
Status in librsvg source package in Xenial: Confirmed
Status in librsvg source package in Bionic: Confirmed

Bug description:
The security fix for librsvg introduced a regression in aisleriot.

Steps to reproduce:
1- install gnome-cards-data
2- run "sol" to start Aisleriot
3- Switch card layout to "Anglo"
4- Notice some cards are missing graphics
[Group.of.nepali.translators] [Bug 1889206] [NEW] Regression in USN-4436-1
*** This bug is a security vulnerability ***

Public security bug reported:

The security fix for librsvg introduced a regression in aisleriot.

Steps to reproduce:
1- install gnome-cards-data
2- run "sol" to start Aisleriot
3- Switch card layout to "Anglo"
4- Notice some cards are missing graphics

** Affects: librsvg (Ubuntu) Importance: Undecided Status: New
** Affects: librsvg (Ubuntu Xenial) Importance: Undecided Assignee: Marc Deslauriers (mdeslaur) Status: Confirmed
** Affects: librsvg (Ubuntu Bionic) Importance: Undecided Assignee: Marc Deslauriers (mdeslaur) Status: Confirmed
** Also affects: librsvg (Ubuntu Xenial) Importance: Undecided Status: New
** Also affects: librsvg (Ubuntu Bionic) Importance: Undecided Status: New
** Changed in: librsvg (Ubuntu Xenial) Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Changed in: librsvg (Ubuntu Bionic) Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Changed in: librsvg (Ubuntu Xenial) Status: New => Confirmed
** Changed in: librsvg (Ubuntu Bionic) Status: New => Confirmed

https://bugs.launchpad.net/bugs/1889206

Title: Regression in USN-4436-1

Status in librsvg package in Ubuntu: New
Status in librsvg source package in Xenial: Confirmed
Status in librsvg source package in Bionic: Confirmed

Bug description:
The security fix for librsvg introduced a regression in aisleriot.

Steps to reproduce:
1- install gnome-cards-data
2- run "sol" to start Aisleriot
3- Switch card layout to "Anglo"
4- Notice some cards are missing graphics
[Group.of.nepali.translators] [Bug 1882244] Re: GnuTLS Session Ticket Key Vulnerability
This issue doesn't affect Ubuntu 16.04 LTS or Ubuntu 18.04 LTS.

** Information type changed from Private Security to Public Security
** Also affects: gnutls28 (Ubuntu Xenial) Importance: Undecided Status: New
** Also affects: gnutls28 (Ubuntu Eoan) Importance: Undecided Status: New
** Also affects: gnutls28 (Ubuntu Groovy) Importance: Undecided Status: New
** Also affects: gnutls28 (Ubuntu Bionic) Importance: Undecided Status: New
** Also affects: gnutls28 (Ubuntu Focal) Importance: Undecided Status: New
** Changed in: gnutls28 (Ubuntu Xenial) Status: New => Invalid
** Changed in: gnutls28 (Ubuntu Bionic) Status: New => Invalid
** Changed in: gnutls28 (Ubuntu Eoan) Status: New => In Progress
** Changed in: gnutls28 (Ubuntu Focal) Status: New => In Progress
** Changed in: gnutls28 (Ubuntu Groovy) Status: New => In Progress
** Changed in: gnutls28 (Ubuntu Eoan) Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Changed in: gnutls28 (Ubuntu Focal) Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Changed in: gnutls28 (Ubuntu Groovy) Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Changed in: gnutls28 (Ubuntu Eoan) Importance: Undecided => High
** Changed in: gnutls28 (Ubuntu Focal) Importance: Undecided => High
** Changed in: gnutls28 (Ubuntu Groovy) Importance: Undecided => High

https://bugs.launchpad.net/bugs/1882244

Title: GnuTLS Session Ticket Key Vulnerability

Status in gnutls28 package in Ubuntu: In Progress
Status in gnutls28 source package in Xenial: Invalid
Status in gnutls28 source package in Bionic: Invalid
Status in gnutls28 source package in Eoan: In Progress
Status in gnutls28 source package in Focal: In Progress
Status in gnutls28 source package in Groovy: In Progress

Bug description:
Dear Launchpad Team,

A security vulnerability affects versions 3.x of GnuTLS:
https://gnutls.org/security-new.html#GNUTLS-SA-2020-06-03

I noticed this problem on Ubuntu 16 and Ubuntu 18 operating systems. In particular, on Ubuntu 16 last version of libgnutls30 is 3.4.10, whereas on Ubuntu 18 it is 3.5.18.

Please provide an update.

I thank you in advance.

Kind regards,
it0001
[Group.of.nepali.translators] [Bug 1881533] Re: Remove expired AddTrust_External_Root.crt because it breaks software
** Changed in: ca-certificates (Ubuntu Groovy) Status: Fix Committed => Fix Released

https://bugs.launchpad.net/bugs/1881533

Title:
  Remove expired AddTrust_External_Root.crt because it breaks software

Status in ca-certificates package in Ubuntu: Fix Released
Status in ca-certificates source package in Xenial: Fix Released
Status in ca-certificates source package in Bionic: Fix Released
Status in ca-certificates source package in Eoan: Fix Released
Status in ca-certificates source package in Focal: Fix Released
Status in ca-certificates source package in Groovy: Fix Released

Bug description:
  The AddTrust_External_Root.crt certificate has expired:

      Data:
          Version: 3 (0x2)
          Serial Number: 1 (0x1)
          Signature Algorithm: sha1WithRSAEncryption
          Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
          Validity
              Not Before: May 30 10:48:38 2000 GMT
              Not After : May 30 10:48:38 2020 GMT
          Subject: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
          Subject Public Key Info:
              Public Key Algorithm: rsaEncryption
                  Public-Key: (2048 bit)
                  Modulus:

  This causes various client-side errors on Ubuntu 16.04 machines, about
  SSL certificate expiration, using (lib)curl for instance. Ubuntu 18.04
  and up seem OK.

  Removing 'mozilla/AddTrust_External_Root.crt' from
  /etc/ca-certificates.conf and running 'update-ca-certificates -f -v'
  helps.

  I'm not sure if removing it is universally the best solution, but I
  can't find any other bug reports about this on Launchpad, and this
  seems the quickest way to fix all clients.
[Group.of.nepali.translators] [Bug 1881533] Re: Remove expired AddTrust_External_Root.crt because it breaks software
Updates for this issue have now been published:

https://usn.ubuntu.com/4377-1/

** Changed in: ca-certificates (Ubuntu Xenial) Status: In Progress => Fix Released
** Changed in: ca-certificates (Ubuntu Bionic) Status: In Progress => Fix Released
** Changed in: ca-certificates (Ubuntu Eoan) Status: In Progress => Fix Released
** Changed in: ca-certificates (Ubuntu Focal) Status: In Progress => Fix Released
** Changed in: ca-certificates (Ubuntu Groovy) Status: In Progress => Fix Committed

https://bugs.launchpad.net/bugs/1881533

Title:
  Remove expired AddTrust_External_Root.crt because it breaks software

Status in ca-certificates package in Ubuntu: Fix Committed
Status in ca-certificates source package in Xenial: Fix Released
Status in ca-certificates source package in Bionic: Fix Released
Status in ca-certificates source package in Eoan: Fix Released
Status in ca-certificates source package in Focal: Fix Released
Status in ca-certificates source package in Groovy: Fix Committed

Bug description:
  The AddTrust_External_Root.crt certificate has expired:

      Data:
          Version: 3 (0x2)
          Serial Number: 1 (0x1)
          Signature Algorithm: sha1WithRSAEncryption
          Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
          Validity
              Not Before: May 30 10:48:38 2000 GMT
              Not After : May 30 10:48:38 2020 GMT
          Subject: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
          Subject Public Key Info:
              Public Key Algorithm: rsaEncryption
                  Public-Key: (2048 bit)
                  Modulus:

  This causes various client-side errors on Ubuntu 16.04 machines, about
  SSL certificate expiration, using (lib)curl for instance. Ubuntu 18.04
  and up seem OK.

  Removing 'mozilla/AddTrust_External_Root.crt' from
  /etc/ca-certificates.conf and running 'update-ca-certificates -f -v'
  helps.

  I'm not sure if removing it is universally the best solution, but I
  can't find any other bug reports about this on Launchpad, and this
  seems the quickest way to fix all clients.
[Group.of.nepali.translators] [Bug 1881533] Re: Remove expired AddTrust_External_Root.crt because it breaks software
** Also affects: ca-certificates (Ubuntu Xenial) Importance: Undecided Status: New
** Also affects: ca-certificates (Ubuntu Bionic) Importance: Undecided Status: New
** Also affects: ca-certificates (Ubuntu Groovy) Importance: Undecided Status: Confirmed
** Also affects: ca-certificates (Ubuntu Eoan) Importance: Undecided Status: New
** Also affects: ca-certificates (Ubuntu Focal) Importance: Undecided Status: New
** Changed in: ca-certificates (Ubuntu Xenial) Importance: Undecided => Critical
** Changed in: ca-certificates (Ubuntu Bionic) Importance: Undecided => Critical
** Changed in: ca-certificates (Ubuntu Eoan) Importance: Undecided => Critical
** Changed in: ca-certificates (Ubuntu Focal) Importance: Undecided => Critical
** Changed in: ca-certificates (Ubuntu Groovy) Importance: Undecided => Critical
** Changed in: ca-certificates (Ubuntu Xenial) Status: New => In Progress
** Changed in: ca-certificates (Ubuntu Bionic) Status: New => In Progress
** Changed in: ca-certificates (Ubuntu Eoan) Status: New => In Progress
** Changed in: ca-certificates (Ubuntu Focal) Status: New => In Progress
** Changed in: ca-certificates (Ubuntu Groovy) Status: Confirmed => In Progress
** Changed in: ca-certificates (Ubuntu Xenial) Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Changed in: ca-certificates (Ubuntu Bionic) Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Changed in: ca-certificates (Ubuntu Eoan) Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Changed in: ca-certificates (Ubuntu Focal) Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Changed in: ca-certificates (Ubuntu Groovy) Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

https://bugs.launchpad.net/bugs/1881533

Title:
  Remove expired AddTrust_External_Root.crt because it breaks software

Status in ca-certificates package in Ubuntu: In Progress
Status in ca-certificates source package in Xenial: In Progress
Status in ca-certificates source package in Bionic: In Progress
Status in ca-certificates source package in Eoan: In Progress
Status in ca-certificates source package in Focal: In Progress
Status in ca-certificates source package in Groovy: In Progress

Bug description:
  The AddTrust_External_Root.crt certificate has expired:

      Data:
          Version: 3 (0x2)
          Serial Number: 1 (0x1)
          Signature Algorithm: sha1WithRSAEncryption
          Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
          Validity
              Not Before: May 30 10:48:38 2000 GMT
              Not After : May 30 10:48:38 2020 GMT
          Subject: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
          Subject Public Key Info:
              Public Key Algorithm: rsaEncryption
                  Public-Key: (2048 bit)
                  Modulus:

  This causes various client-side errors on Ubuntu 16.04 machines, about
  SSL certificate expiration, using (lib)curl for instance. Ubuntu 18.04
  and up seem OK.

  Removing 'mozilla/AddTrust_External_Root.crt' from
  /etc/ca-certificates.conf and running 'update-ca-certificates -f -v'
  helps.

  I'm not sure if removing it is universally the best solution, but I
  can't find any other bug reports about this on Launchpad, and this
  seems the quickest way to fix all clients.
[Group.of.nepali.translators] [Bug 1835596] Re: incorrect argument to file_printable in [PATCH] PR/62
** Also affects: file (Ubuntu Bionic) Importance: Undecided Status: New ** Also affects: file (Ubuntu Focal) Importance: Undecided Status: New ** Also affects: file (Ubuntu Xenial) Importance: Undecided Status: New ** Also affects: file (Ubuntu Groovy) Importance: Undecided Assignee: Marc Deslauriers (mdeslaur) Status: Confirmed ** Also affects: file (Ubuntu Eoan) Importance: Undecided Status: New ** Changed in: file (Ubuntu Eoan) Status: New => Fix Released ** Changed in: file (Ubuntu Focal) Status: New => Fix Released ** Changed in: file (Ubuntu Groovy) Status: Confirmed => Fix Released ** Changed in: file (Ubuntu Xenial) Assignee: (unassigned) => Marc Deslauriers (mdeslaur) ** Changed in: file (Ubuntu Bionic) Assignee: (unassigned) => Marc Deslauriers (mdeslaur) ** Changed in: file (Ubuntu Xenial) Status: New => In Progress ** Changed in: file (Ubuntu Bionic) Status: New => In Progress ** Changed in: file (Ubuntu Xenial) Importance: Undecided => Medium ** Changed in: file (Ubuntu Bionic) Importance: Undecided => Medium -- You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial. Matching subscriptions: Ubuntu 16.04 Bugs https://bugs.launchpad.net/bugs/1835596 Title: incorrect argument to file_printable in [PATCH] PR/62 Status in file package in Ubuntu: Fix Released Status in file source package in Xenial: In Progress Status in file source package in Bionic: In Progress Status in file source package in Eoan: Fix Released Status in file source package in Focal: Fix Released Status in file source package in Groovy: Fix Released Bug description: In last patch below +From d65781527c8134a1202b2649695d48d5701ac60b Mon Sep 17 00:00:00 2001 +From: Christos Zoulas +Date: Mon, 18 Feb 2019 17:46:56 + +Subject: [PATCH] PR/62: spinpx: limit size of file_printable. 
+=== +--- file-5.32.orig/src/readelf.c 2019-03-13 12:38:58.854781641 -0400 file-5.32/src/readelf.c 2019-03-13 12:39:43.450945506 -0400 +@@ -725,7 +725,7 @@ do_core_note(struct magic_set *ms, unsig + if (file_printf(ms, ", from '%.31s', pid=%u, uid=%u, " + "gid=%u, nlwps=%u, lwp=%u (signal %u/code %u)", + file_printable(sbuf, sizeof(sbuf), +-CAST(char *, pi.cpi_name)), ++RCAST(char *, pi.cpi_name), sizeof(pi.cpi_name)), + elf_getu32(swap, pi.cpi_pid), + elf_getu32(swap, pi.cpi_euid), + elf_getu32(swap, pi.cpi_egid), +@@ -1564,7 +1564,8 @@ dophn_exec(struct magic_set *ms, int cla + return -1; + if (interp[0]) + if (file_printf(ms, ", interpreter %s", +-file_printable(ibuf, sizeof(ibuf), interp)) == -1) ++file_printable(ibuf, sizeof(ibuf), interp, sizeof(interp))) ++== -1) + return -1; + return 0; + } sizeof(interp) is passed to file_printable as the `slen' parameter, since interp is of type `char *', sizeof(interp) will be 8 or 4 const value for different pointer types, this makes the `interpreter' extraction for elf file limited to 8 bytes under x64. A example for this, under ubuntu 18.04: $ file /bin/dash /bin/dash: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 3.2.0, BuildID[sha1]=a783260e3a5fe0afdae77417eea7f bf8d645219e, stripped notice that the interpreter portion is `/lib64/l', which is 8 bytes long and only a part of the actual interpreter path. the `slen' parameter here should be something like `sizeof(char) * length_of_buffer' instead of sizeof(char *). To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/file/+bug/1835596/+subscriptions ___ Mailing list: https://launchpad.net/~group.of.nepali.translators Post to : group.of.nepali.translators@lists.launchpad.net Unsubscribe : https://launchpad.net/~group.of.nepali.translators More help : https://help.launchpad.net/ListHelp
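Review bot: in the do_core_note hunk, the new slen argument sizeof(pi.cpi_name) is only the field size if cpi_name is declared as an array member; the declaration is not part of the hunk, so it should be checked, because the same sizeof pattern in the dophn_exec hunk is applied to a pointer. The switch from CAST to RCAST on the same line is also not mentioned in the commit message, which only talks about limiting the size.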
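Review bot: in the dophn_exec hunk, sizeof(interp) is passed as the new slen argument, but the report states that interp is a char *, so this is the size of the pointer (4 or 8) and not the size of the data it points to. file_printable() then stops after that many bytes, which matches the "interpreter /lib64/l" output shown for /bin/dash. Pass the size of the buffer interp points into (or a bounded length of the string) instead of sizeof(interp).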
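The truncation described in the report above, reproduced outside of file(1) as an added example (not code from file or from the patch). printable() is a hypothetical stand-in for file_printable(), describe_buggy() and describe_fixed() are made-up names, and the interpreter path is a constructed sample.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define NBUF 64   /* size of the buffer the interpreter path is read into */

/*
 * Hypothetical stand-in for file_printable(): copy at most slen bytes of
 * str into buf (bufsiz bytes), stopping at a NUL and writing non-printable
 * bytes as \ooo octal escapes. The result is always NUL-terminated.
 */
static char *printable(char *buf, size_t bufsiz, const char *str, size_t slen)
{
    const unsigned char *s = (const unsigned char *)str;
    const unsigned char *send = s + slen;
    char *p = buf;
    char *end;

    if (bufsiz == 0)
        return buf;
    end = buf + bufsiz - 1;            /* keep one byte for the NUL */

    for (; s < send && *s != '\0' && p < end; s++) {
        if (isprint(*s)) {
            *p++ = (char)*s;
            continue;
        }
        if (p + 4 > end)               /* no room for a 4-char escape */
            break;
        snprintf(p, 5, "\\%03o", (unsigned)*s);
        p += 4;
    }
    *p = '\0';
    return buf;
}

/*
 * Pattern from the report: interp is a pointer, so sizeof(interp) is the
 * size of the pointer (4 or 8), not of the buffer behind it. Only that
 * many bytes of the interpreter path survive.
 */
static const char *describe_buggy(const char *interp, char *out, size_t outsz)
{
    return printable(out, outsz, interp, sizeof(interp));
}

/*
 * Corrected pattern: the caller, which still sees the array, passes the
 * real buffer size along with the pointer.
 */
static const char *describe_fixed(const char *interp, size_t interp_len,
                                  char *out, size_t outsz)
{
    return printable(out, outsz, interp, interp_len);
}

int main(void)
{
    /* Constructed sample: a typical x86-64 interpreter path. */
    char nbuf[NBUF] = "/lib64/ld-linux-x86-64.so.2";
    char out[NBUF * 4 + 1];

    printf("buggy: interpreter %s\n",
           describe_buggy(nbuf, out, sizeof(out)));
    printf("fixed: interpreter %s\n",
           describe_fixed(nbuf, sizeof(nbuf), out, sizeof(out)));
    return 0;
}
```

The length has to be taken where the array type is still visible; once the buffer has decayed to a char * the size information is gone and must be carried as a separate argument.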
[Group.of.nepali.translators] [Bug 1875798] Re: Samba 2:4.3.11+dfsg-0ubuntu0.16.04.26: LDAP request size (81) exceeds (0)
I have now published the regression fix:

https://usn.ubuntu.com/4341-3/

Please let me know if you still experience issues after installing the new package. Thanks.

** Changed in: samba (Ubuntu) Status: Confirmed => Invalid

https://bugs.launchpad.net/bugs/1875798

Title:
  Samba 2:4.3.11+dfsg-0ubuntu0.16.04.26: LDAP request size (81) exceeds (0)

Status in samba package in Ubuntu: Invalid
Status in samba source package in Xenial: Fix Released

Bug description:
  Latest security update breaks LDAP auth

  LDAP request size (81) exceeds (0)

  Samba works but LDAP auth for external applications is not working
  anymore with the error above

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: samba 2:4.3.11+dfsg-0ubuntu0.16.04.26
  ProcVersionSignature: Ubuntu 4.4.0-177.207-generic 4.4.214
  Uname: Linux 4.4.0-177-generic x86_64
  ApportVersion: 2.20.1-0ubuntu2.23
  Architecture: amd64
  BothFailedConnect: Yes
  Date: Wed Apr 29 08:50:49 2020
  InstallationDate: Installed on 2018-12-13 (502 days ago)
  InstallationMedia: Ubuntu-Server 16.04.5 LTS "Xenial Xerus" - Release amd64 (20180731)
  ProcEnviron:
   TERM=screen
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=it_IT.UTF-8
   SHELL=/bin/bash
  SambaServerRegression: Yes
  SmbConfIncluded: No
  SourcePackage: samba
  UpgradeStatus: No upgrade log present (probably fresh install)
  modified.conffile..etc.logrotate.d.samba: [modified]
  mtime.conffile..etc.logrotate.d.samba: 2019-05-20T15:58:46.634276
  upstart.nmbd.override: manual
  upstart.smbd.override: manual
[Group.of.nepali.translators] [Bug 1875798] Re: Samba 2:4.3.11+dfsg-0ubuntu0.16.04.26: LDAP request size (81) exceeds (0)
** Changed in: samba (Ubuntu) Importance: Undecided => Critical
** Also affects: samba (Ubuntu Xenial) Importance: Undecided Status: New
** Changed in: samba (Ubuntu Xenial) Status: New => Confirmed
** Changed in: samba (Ubuntu Xenial) Importance: Undecided => Critical
** Changed in: samba (Ubuntu Xenial) Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

https://bugs.launchpad.net/bugs/1875798

Title:
  Samba 2:4.3.11+dfsg-0ubuntu0.16.04.26: LDAP request size (81) exceeds (0)

Status in samba package in Ubuntu: Confirmed
Status in samba source package in Xenial: Confirmed

Bug description:
  Latest security update breaks LDAP auth

  LDAP request size (81) exceeds (0)

  Samba works but LDAP auth for external applications is not working
  anymore with the error above

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: samba 2:4.3.11+dfsg-0ubuntu0.16.04.26
  ProcVersionSignature: Ubuntu 4.4.0-177.207-generic 4.4.214
  Uname: Linux 4.4.0-177-generic x86_64
  ApportVersion: 2.20.1-0ubuntu2.23
  Architecture: amd64
  BothFailedConnect: Yes
  Date: Wed Apr 29 08:50:49 2020
  InstallationDate: Installed on 2018-12-13 (502 days ago)
  InstallationMedia: Ubuntu-Server 16.04.5 LTS "Xenial Xerus" - Release amd64 (20180731)
  ProcEnviron:
   TERM=screen
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=it_IT.UTF-8
   SHELL=/bin/bash
  SambaServerRegression: Yes
  SmbConfIncluded: No
  SourcePackage: samba
  UpgradeStatus: No upgrade log present (probably fresh install)
  modified.conffile..etc.logrotate.d.samba: [modified]
  mtime.conffile..etc.logrotate.d.samba: 2019-05-20T15:58:46.634276
  upstart.nmbd.override: manual
  upstart.smbd.override: manual
[Group.of.nepali.translators] [Bug 1861534] Re: Spamassassin needs updated to 3.4.4 to reflect security fixes
Security updates were already released for these two CVEs here:

https://usn.ubuntu.com/4265-1/

** Changed in: spamassassin (Ubuntu Xenial) Status: New => Fix Released
** Changed in: spamassassin (Ubuntu Bionic) Status: New => Fix Released
** Changed in: spamassassin (Ubuntu Disco) Status: New => Invalid
** Changed in: spamassassin (Ubuntu Disco) Status: Invalid => Won't Fix
** Changed in: spamassassin (Ubuntu Eoan) Status: New => Fix Released
** Changed in: spamassassin (Ubuntu Trusty) Status: New => Fix Released

https://bugs.launchpad.net/bugs/1861534

Title:
  Spamassassin needs updated to 3.4.4 to reflect security fixes

Status in spamassassin package in Ubuntu: Triaged
Status in spamassassin source package in Trusty: Fix Released
Status in spamassassin source package in Xenial: Fix Released
Status in spamassassin source package in Bionic: Fix Released
Status in spamassassin source package in Disco: Won't Fix
Status in spamassassin source package in Eoan: Fix Released
Status in spamassassin source package in Focal: Triaged

Bug description:
  lsb_release -rd
  Description: Ubuntu 18.04.4 LTS
  Release: 18.04

  apt-cache policy spamassassin
  spamassassin:
    Installed: 3.4.2-0ubuntu0.18.04.2
    Candidate: 3.4.2-0ubuntu0.18.04.2

  The current version of Spamassassin is 3.4.2, the newest version,
  3.4.4 fixes two security issues:

  CVE-2020-1930
  A command execution issue was found in Apache SpamAssassin prior to
  3.4.3. Carefully crafted nefarious rule configuration (.cf) files can
  be configured to run system commands similar to CVE-2018-11805. With
  this bug unpatched, exploits can be injected in a number of scenarios
  including the same privileges as spamd is run which may be elevated
  though doing so remotely is difficult. In addition to upgrading to SA
  3.4.4, we again recommend that users should only use update channels
  or 3rd party .cf files from trusted places. If you cannot upgrade, do
  not use 3rd party rulesets, do not use sa-compile and do not run spamd
  as an account with elevated privileges.

  CVE-2020-1931
  A command execution issue was found in Apache SpamAssassin prior to
  3.4.3. Carefully crafted nefarious Configuration (.cf) files can be
  configured to run system commands similar to CVE-2018-11805. This
  issue is less stealthy and attempts to exploit the issue will throw
  warnings. Thanks to Damian Lukowski at credativ for reporting the
  issue ethically. With this bug unpatched, exploits can be injected in
  a number of scenarios though doing so remotely is difficult. In
  addition to upgrading to SA 3.4.4, we again recommend that users
  should only use update channels or 3rd party .cf files from trusted
  places.

  Request that Spamassassin be updated to the latest version, 3.4.4, as
  soon as possible.
[Group.of.nepali.translators] [Bug 1860656] Re: SHA1 security update regression prohibits connectivity
** Changed in: gnutls28 (Ubuntu) Status: New => Fix Released

https://bugs.launchpad.net/bugs/1860656

Title:
  SHA1 security update regression prohibits connectivity

Status in gnutls28 package in Ubuntu: Fix Released
Status in gnutls28 source package in Xenial: Confirmed
Status in gnutls28 source package in Bionic: Confirmed

Bug description:
  more details to follow

  SHA1 security update regression prohibits connectivity
[Group.of.nepali.translators] [Bug 1860606] Re: TypeError: _fetch_archives() missing 1 required positional argument: 'allow_unauthenticated'
** Changed in: ubuntu-release-upgrader (Ubuntu Xenial) Status: Confirmed => Invalid
** Changed in: ubuntu-release-upgrader (Ubuntu Bionic) Status: Confirmed => Invalid
** Changed in: ubuntu-release-upgrader (Ubuntu Disco) Status: Confirmed => Invalid
** Changed in: ubuntu-release-upgrader (Ubuntu Eoan) Status: Confirmed => Invalid
** Changed in: ubuntu-release-upgrader (Ubuntu Focal) Status: Confirmed => Invalid

https://bugs.launchpad.net/bugs/1860606

Title:
  TypeError: _fetch_archives() missing 1 required positional argument: 'allow_unauthenticated'

Status in python-apt package in Ubuntu: Confirmed
Status in ubuntu-release-upgrader package in Ubuntu: Invalid
Status in python-apt source package in Xenial: Fix Released
Status in ubuntu-release-upgrader source package in Xenial: Invalid
Status in python-apt source package in Bionic: Fix Released
Status in ubuntu-release-upgrader source package in Bionic: Invalid
Status in python-apt source package in Disco: Fix Released
Status in ubuntu-release-upgrader source package in Disco: Invalid
Status in python-apt source package in Eoan: Fix Released
Status in ubuntu-release-upgrader source package in Eoan: Invalid
Status in python-apt source package in Focal: Confirmed
Status in ubuntu-release-upgrader source package in Focal: Invalid

Bug description:
  I was upgrading my workstation from 19.04 to 19.10 and following that
  to 20.04. In each case I used do-release-upgrade (without and with -d
  respectively). The 20.04 upgrade failed as the tool crashed on invalid
  function signature:

  Original exception was:
  Traceback (most recent call last):
    File "/tmp/ubuntu-release-upgrader-f_816ncr/focal", line 8, in
      sys.exit(main())
    File "/tmp/ubuntu-release-upgrader-f_816ncr/DistUpgrade/DistUpgradeMain.py", line 238, in main
      if app.run():
    File "/tmp/ubuntu-release-upgrader-f_816ncr/DistUpgrade/DistUpgradeController.py", line 2082, in run
      return self.fullUpgrade()
    File "/tmp/ubuntu-release-upgrader-f_816ncr/DistUpgrade/DistUpgradeController.py", line 1998, in fullUpgrade
      if not self.doDistUpgradeFetching():
    File "/tmp/ubuntu-release-upgrader-f_816ncr/DistUpgrade/DistUpgradeController.py", line 1233, in doDistUpgradeFetching
      self.cache._fetch_archives(self.fetcher, pm)
  TypeError: _fetch_archives() missing 1 required positional argument: 'allow_unauthenticated'
[Group.of.nepali.translators] [Bug 1860606] Re: TypeError: _fetch_archives() missing 1 required positional argument: 'allow_unauthenticated'
** Also affects: python-apt (Ubuntu) Importance: Undecided Status: New
** Changed in: python-apt (Ubuntu Xenial) Importance: Undecided => High
** Changed in: python-apt (Ubuntu Xenial) Status: New => Confirmed
** Changed in: python-apt (Ubuntu Xenial) Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Changed in: python-apt (Ubuntu Bionic) Importance: Undecided => High
** Changed in: python-apt (Ubuntu Bionic) Status: New => Confirmed
** Changed in: python-apt (Ubuntu Bionic) Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Changed in: python-apt (Ubuntu Disco) Importance: Undecided => High
** Changed in: python-apt (Ubuntu Disco) Status: New => Confirmed
** Changed in: python-apt (Ubuntu Disco) Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Changed in: python-apt (Ubuntu Eoan) Importance: Undecided => High
** Changed in: python-apt (Ubuntu Eoan) Status: New => Confirmed
** Changed in: python-apt (Ubuntu Eoan) Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Changed in: python-apt (Ubuntu Focal) Importance: Undecided => High
** Changed in: python-apt (Ubuntu Focal) Status: New => Confirmed
** Changed in: python-apt (Ubuntu Focal) Assignee: (unassigned) => Julian Andres Klode (juliank)

https://bugs.launchpad.net/bugs/1860606

Title:
  TypeError: _fetch_archives() missing 1 required positional argument: 'allow_unauthenticated'

Status in python-apt package in Ubuntu: Confirmed
Status in ubuntu-release-upgrader package in Ubuntu: Confirmed
Status in python-apt source package in Xenial: Confirmed
Status in ubuntu-release-upgrader source package in Xenial: Confirmed
Status in python-apt source package in Bionic: Confirmed
Status in ubuntu-release-upgrader source package in Bionic: Confirmed
Status in python-apt source package in Disco: Confirmed
Status in ubuntu-release-upgrader source package in Disco: Confirmed
Status in python-apt source package in Eoan: Confirmed
Status in ubuntu-release-upgrader source package in Eoan: Confirmed
Status in python-apt source package in Focal: Confirmed
Status in ubuntu-release-upgrader source package in Focal: Confirmed

Bug description:
  I was upgrading my workstation from 19.04 to 19.10 and following that
  to 20.04. In each case I used do-release-upgrade (without and with -d
  respectively). The 20.04 upgrade failed as the tool crashed on invalid
  function signature:

  Original exception was:
  Traceback (most recent call last):
    File "/tmp/ubuntu-release-upgrader-f_816ncr/focal", line 8, in
      sys.exit(main())
    File "/tmp/ubuntu-release-upgrader-f_816ncr/DistUpgrade/DistUpgradeMain.py", line 238, in main
      if app.run():
    File "/tmp/ubuntu-release-upgrader-f_816ncr/DistUpgrade/DistUpgradeController.py", line 2082, in run
      return self.fullUpgrade()
    File "/tmp/ubuntu-release-upgrader-f_816ncr/DistUpgrade/DistUpgradeController.py", line 1998, in fullUpgrade
      if not self.doDistUpgradeFetching():
    File "/tmp/ubuntu-release-upgrader-f_816ncr/DistUpgrade/DistUpgradeController.py", line 1233, in doDistUpgradeFetching
      self.cache._fetch_archives(self.fetcher, pm)
  TypeError: _fetch_archives() missing 1 required positional argument: 'allow_unauthenticated'
[Group.of.nepali.translators] [Bug 1858691] Re: Warning about using older GnuTLS versions for bionic
https://usn.ubuntu.com/4233-1/

** Changed in: gnutls28 (Ubuntu Xenial) Status: Confirmed => Fix Released
** Changed in: gnutls28 (Ubuntu Bionic) Status: Confirmed => Fix Released

https://bugs.launchpad.net/bugs/1858691

Title:
  Warning about using older GnuTLS versions for bionic

Status in gnutls28 package in Ubuntu: Fix Released
Status in gnutls28 source package in Xenial: Fix Released
Status in gnutls28 source package in Bionic: Fix Released

Bug description:
  It seems that the current GnuTLS version in bionic is vulnerable to this
  https://mail.gnome.org/archives/distributor-list/2020-January/msg0.html
[Group.of.nepali.translators] [Bug 1858691] Re: Warning about using older GnuTLS versions for bionic
** Also affects: gnutls28 (Ubuntu Bionic) Importance: Undecided Status: New
** Also affects: gnutls28 (Ubuntu Xenial) Importance: Undecided Status: New

** Information type changed from Private Security to Public Security

** Changed in: gnutls28 (Ubuntu Xenial) Status: New => Confirmed
** Changed in: gnutls28 (Ubuntu Bionic) Status: New => Confirmed
** Changed in: gnutls28 (Ubuntu Xenial) Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Changed in: gnutls28 (Ubuntu Bionic) Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Changed in: gnutls28 (Ubuntu) Status: New => Fix Released

https://bugs.launchpad.net/bugs/1858691

Title:
  Warning about using older GnuTLS versions for bionic

Status in gnutls28 package in Ubuntu: Fix Released
Status in gnutls28 source package in Xenial: Confirmed
Status in gnutls28 source package in Bionic: Confirmed

Bug description:
  It seems that the current GnuTLS version in bionic is vulnerable to this
  https://mail.gnome.org/archives/distributor-list/2020-January/msg0.html
[Group.of.nepali.translators] [Bug 1845216] Re: OpenSCAP Error: Unable to open file: '/usr/share/openscap/cpe/openscap-cpe-dict.xml' [../../../src/source/oscap_source.c:284]
** Changed in: openscap (Ubuntu Disco) Status: New => Fix Released
** Changed in: openscap (Ubuntu Eoan) Status: New => Fix Released

https://bugs.launchpad.net/bugs/1845216

Title:
  OpenSCAP Error: Unable to open file: '/usr/share/openscap/cpe/openscap-cpe-dict.xml' [../../../src/source/oscap_source.c:284]

Status in openscap package in Ubuntu: Fix Released
Status in openscap source package in Xenial: Confirmed
Status in openscap source package in Bionic: Confirmed
Status in openscap source package in Disco: Fix Released
Status in openscap source package in Eoan: Fix Released

Bug description:
  /usr/share/openscap/cpe/openscap-cpe-dict.xml is included in later
  versions such as 1.2.16-2:
  https://packages.debian.org/buster/amd64/libopenscap8/filelist

  How to reproduce with Ubuntu 18.04 LTS:

  $ sudo apt install libopenscap8 ssg-debderived
  $ oscap info /usr/share/scap-security-guide/ssg-ubuntu1604-ds.xml
  Document type: Source Data Stream
  Imported: 2017-08-11T09:18:08
  ...
  Dictionaries:
          Ref-Id: scap_org.open-scap_cref_output--ssg-ubuntu1604-cpe-dictionary.xml
  OpenSCAP Error: Unable to open file: '/usr/share/openscap/cpe/openscap-cpe-dict.xml' [../../../src/source/oscap_source.c:284]
  Failed to add default CPE to newly created CPE Session. [../../../src/CPE/cpe_session.c:58]

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: libopenscap8 1.2.15-1build1
  ProcVersionSignature: User Name 4.15.0-58.64-generic 4.15.18
  Uname: Linux 4.15.0-58-generic x86_64
  ApportVersion: 2.20.9-0ubuntu7.7
  Architecture: amd64
  Date: Tue Sep 24 14:13:09 2019
  ProcEnviron:
   TERM=screen-256color
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=C.UTF-8
   SHELL=/bin/bash
  SourcePackage: openscap
  UpgradeStatus: No upgrade log present (probably fresh install)
[Group.of.nepali.translators] [Bug 1845216] Re: OpenSCAP Error: Unable to open file: '/usr/share/openscap/cpe/openscap-cpe-dict.xml' [../../../src/source/oscap_source.c:284]
** Also affects: openscap (Ubuntu Xenial) Importance: Undecided Status: New
** Also affects: openscap (Ubuntu Disco) Importance: Undecided Status: New
** Also affects: openscap (Ubuntu Eoan) Importance: Undecided Status: New
** Also affects: openscap (Ubuntu Bionic) Importance: Undecided Status: New
** Changed in: openscap (Ubuntu Xenial) Status: New => Confirmed
** Changed in: openscap (Ubuntu Bionic) Status: New => Confirmed

https://bugs.launchpad.net/bugs/1845216

Title: OpenSCAP Error: Unable to open file: '/usr/share/openscap/cpe/openscap-cpe-dict.xml' [../../../src/source/oscap_source.c:284]

Status in openscap package in Ubuntu: New
Status in openscap source package in Xenial: Confirmed
Status in openscap source package in Bionic: Confirmed
Status in openscap source package in Disco: New
Status in openscap source package in Eoan: New

[Group.of.nepali.translators] [Bug 1738259] Re: need to ensure microcode updates are available to all bare-metal installs of Ubuntu
** Changed in: linux-meta (Ubuntu Precise) Status: New => Won't Fix
** Changed in: linux-meta-hwe (Ubuntu) Status: New => Fix Released
** Changed in: linux-meta-hwe-edge (Ubuntu) Status: New => Fix Released
** Changed in: linux-meta-lts-xenial (Ubuntu Xenial) Status: Fix Committed => Fix Released

https://bugs.launchpad.net/bugs/1738259

Title: need to ensure microcode updates are available to all bare-metal installs of Ubuntu

Status in linux-meta package in Ubuntu: Fix Released
Status in linux-meta-hwe package in Ubuntu: Fix Released
Status in linux-meta-hwe-edge package in Ubuntu: Fix Released
Status in linux-meta-lts-xenial package in Ubuntu: Fix Released
Status in linux-meta-oem package in Ubuntu: Fix Released
Status in linux-meta source package in Precise: Won't Fix
Status in linux-meta source package in Trusty: Fix Released
Status in linux-meta source package in Xenial: Fix Released
Status in linux-meta-hwe source package in Xenial: Fix Released
Status in linux-meta-hwe-edge source package in Xenial: Fix Released
Status in linux-meta-lts-xenial source package in Xenial: Fix Released
Status in linux-meta-oem source package in Xenial: Fix Released
Status in linux-meta source package in Zesty: Invalid
Status in linux-meta source package in Artful: Fix Released
Status in linux-meta source package in Bionic: Fix Released

Bug description:
From time to time, CPU vendors release updates to microcode that can be loaded into the CPU from the OS. For x86, we have these updates available in the archive as amd64-microcode and intel-microcode.

Sometimes, these microcode updates have addressed security issues with the CPU. They almost certainly will again in the future.

We should ensure that all users of Ubuntu on baremetal x86 receive these security updates, and have them applied to the CPU in early boot where at all feasible.

Because these are hardware-dependent packages which we don't want to install except on baremetal (so: not in VMs or containers), the logical place to pull them into the system is via the kernel, so that only the kernel baremetal flavors pull them in. This is analogous to linux-firmware, which is already a dependency of the linux-image-{lowlatency,generic} metapackages, and whose contents are applied to the hardware by the kernel similar to microcode.

So, please update the linux-image-{lowlatency,generic} metapackages to add a dependency on amd64-microcode [amd64], intel-microcode [amd64], and the corresponding hwe metapackages also.

Please time this change to coincide with the next updates of the microcode packages in the archive.

I believe we will also need to promote the *-microcode packages to main from restricted as part of this (again, by analogy with linux-firmware).

[Group.of.nepali.translators] [Bug 1835135] Re: FIPS OpenSSL crashes Python2 hashlib
** Also affects: python2.7 (Ubuntu Bionic) Importance: Undecided Status: New
** Also affects: python2.7 (Ubuntu Xenial) Importance: Undecided Status: New
** Also affects: python2.7 (Ubuntu Cosmic) Importance: Undecided Status: New
** Also affects: python2.7 (Ubuntu Eoan) Importance: High Status: Triaged
** Also affects: python2.7 (Ubuntu Disco) Importance: Undecided Status: New
** Also affects: python3.5 (Ubuntu) Importance: Undecided Status: New
** Changed in: python3.5 (Ubuntu Bionic) Status: New => Invalid
** Changed in: python3.5 (Ubuntu Cosmic) Status: New => Invalid
** Changed in: python3.5 (Ubuntu Disco) Status: New => Invalid
** Changed in: python3.5 (Ubuntu Eoan) Status: New => Invalid
** Changed in: python3.5 (Ubuntu Xenial) Importance: Undecided => Medium
** Changed in: python3.5 (Ubuntu Xenial) Status: New => In Progress
** Changed in: python3.5 (Ubuntu Xenial) Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Changed in: python2.7 (Ubuntu Xenial) Importance: Undecided => Medium
** Changed in: python2.7 (Ubuntu Xenial) Status: New => In Progress
** Changed in: python2.7 (Ubuntu Xenial) Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Changed in: python2.7 (Ubuntu Bionic) Importance: Undecided => Medium
** Changed in: python2.7 (Ubuntu Bionic) Status: New => In Progress
** Changed in: python2.7 (Ubuntu Bionic) Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Changed in: python2.7 (Ubuntu Cosmic) Status: New => Won't Fix
** Changed in: python2.7 (Ubuntu Disco) Importance: Undecided => Medium
** Changed in: python2.7 (Ubuntu Disco) Status: New => In Progress
** Changed in: python2.7 (Ubuntu Disco) Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

https://bugs.launchpad.net/bugs/1835135

Title: FIPS OpenSSL crashes Python2 hashlib

Status in python2.7 package in Ubuntu: Triaged
Status in python3.5 package in Ubuntu: Invalid
Status in python2.7 source package in Xenial: In Progress
Status in python3.5 source package in Xenial: In Progress
Status in python2.7 source package in Bionic: In Progress
Status in python3.5 source package in Bionic: Invalid
Status in python2.7 source package in Cosmic: Won't Fix
Status in python3.5 source package in Cosmic: Invalid
Status in python2.7 source package in Disco: In Progress
Status in python3.5 source package in Disco: Invalid
Status in python2.7 source package in Eoan: Triaged
Status in python3.5 source package in Eoan: Invalid

Bug description:
If Ubuntu/Canonical's FIPS-compliant OpenSSL is initialized with SSL_library_init, then Python2's hashlib bindings for MD5 can trigger a SIGSEGV via a NULL pointer dereference (if calling the .update method) or a SIGABRT (if passing input to the constructor or passing no input and invoking the .final method). This happens if, for example, PyOpenSSL is imported before hashlib.

Canonical's FIPS patches for OpenSSL introduce some odd behavior that arguably should be revisited, but the (TL;DR) core bug is that Python2 hashlib doesn't properly check the return value of EVP_DigestInit, preventing hashlib from falling back to its internal MD5 implementation and instead setting things up for use of the MD5 context to trigger SIGSEGV or SIGABRT. Python3 correctly checks the return value, so the fix is to backport the relevant code into Python2 (see python2.7-2.7.12/Modules/_hashopenssl.c).

See attached good.py and bad.py files which exhibit the import order-dependent crashing issue. See attached fips-md5-python-init-bug.c which shows the FIPS OpenSSL behaviors that conditionally tickle the Python2 bug. The C file also contains a much more detailed description of the Python2 bug and other behavior which I'd rather not repeat here.

I discovered this bug investigating an issue with the third-party apt-boto-s3 package. See https://github.com/boto/boto3/issues/2021

Note that this bug affects Splunk, Inc, which has a corporate Ubuntu Advantage license. My login account is attached to a different, single-seat license.

[Group.of.nepali.translators] [Bug 1832257] Re: regression: sudo returns exit code 0 if child is killed with SIGTERM
Oh wow, I'm not sure how that happened. I'll release an update for this.

** Changed in: sudo (Ubuntu) Status: New => Confirmed
** Changed in: sudo (Ubuntu) Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Also affects: sudo (Ubuntu Xenial) Importance: Undecided Status: New
** Changed in: sudo (Ubuntu) Status: Confirmed => Fix Released
** Changed in: sudo (Ubuntu Xenial) Status: New => Confirmed
** Changed in: sudo (Ubuntu Xenial) Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Changed in: sudo (Ubuntu Xenial) Importance: Undecided => High

https://bugs.launchpad.net/bugs/1832257

Title: regression: sudo returns exit code 0 if child is killed with SIGTERM

Status in sudo package in Ubuntu: Fix Released
Status in sudo source package in Xenial: Confirmed

Bug description:
hey there- it looks like we accidentally removed the patch that fixed this problem when releasing sudo 1.8.16-0ubuntu1.6 -
https://git.launchpad.net/ubuntu/+source/sudo/commit/?h=ubuntu/xenial-updates&id=15345b19b82f587498573b38554e24ec0ab816cb

note that `terminate-with-commands-signal.patch` is removed from debian/patches/series in that commit and the behavior described in the original bug (LP 1686803) has returned in xenial.

can we get this back into the current sudo package? the fix still exists upstream so it feels like this was an accidental reversion.

[Group.of.nepali.translators] [Bug 1827924] Re: Panic or segfault in Samba
** Changed in: samba (Ubuntu) Status: Confirmed => Fix Released

https://bugs.launchpad.net/bugs/1827924

Title: Panic or segfault in Samba

Status in samba: Unknown
Status in samba package in Ubuntu: Fix Released
Status in samba source package in Xenial: Fix Released
Status in samba source package in Bionic: Fix Released

Bug description:
The Samba 'panic action' script, /usr/share/samba/panic-action, was called for PID 8336 (/usr/sbin/smbd).

This means there was a problem with the program, such as a segfault. Below is a backtrace for this process generated with gdb, which shows the state of the program at the time the error occurred. The Samba log files may contain additional information about the problem.

If the problem persists, you are encouraged to first install the samba-dbg package, which contains the debugging symbols for the Samba binaries. Then submit the provided information as a bug report to Ubuntu by visiting this link:
https://launchpad.net/ubuntu/+source/samba/+filebug

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
0x7f892084507a in __GI___waitpid (pid=8341, stat_loc=stat_loc@entry=0x7ffcd9196290, options=options@entry=0) at ../sysdeps/unix/sysv/linux/waitpid.c:29
#0 0x7f892084507a in __GI___waitpid (pid=8341, stat_loc=stat_loc@entry=0x7ffcd9196290, options=options@entry=0) at ../sysdeps/unix/sysv/linux/waitpid.c:29
#1 0x7f89207bdfbb in do_system (line=) at ../sysdeps/posix/system.c:148
#2 0x7f89232698d1 in smb_panic_s3 () from /usr/lib/x86_64-linux-gnu/samba/libsmbregistry.so.0
#3 0x7f8923fdcf1f in smb_panic () from /usr/lib/x86_64-linux-gnu/libsamba-util.so.0
#4 0x7f8923fdd136 in ?? () from /usr/lib/x86_64-linux-gnu/libsamba-util.so.0
#5
#6 0x7f8923bd5c6f in smbXsrv_session_create () from /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0
#7 0x7f8923b6e643 in reply_sesssetup_and_X () from /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0
#8 0x7f8923baae67 in ?? () from /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0
#9 0x7f8923bacbb3 in ?? () from /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0
#10 0x7f8923bae21c in ?? () from /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0
#11 0x7f8921efc917 in run_events_poll () from /usr/lib/x86_64-linux-gnu/libsmbconf.so.0
#12 0x7f8921efcb77 in ?? () from /usr/lib/x86_64-linux-gnu/libsmbconf.so.0
#13 0x7f8920b46d3d in _tevent_loop_once () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#14 0x7f8920b46edb in tevent_common_loop_wait () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#15 0x7f8923baf578 in smbd_process () from /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0
#16 0x5585ef73fe12 in ?? ()
#17 0x7f8921efc917 in run_events_poll () from /usr/lib/x86_64-linux-gnu/libsmbconf.so.0
#18 0x7f8921efcb77 in ?? () from /usr/lib/x86_64-linux-gnu/libsmbconf.so.0
#19 0x7f8920b46d3d in _tevent_loop_once () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#20 0x7f8920b46edb in tevent_common_loop_wait () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#21 0x5585ef73e099 in main ()
A debugging session is active.

Inferior 1 [process 8336] will be detached.

[Group.of.nepali.translators] [Bug 1827924] Re: Panic or segfault in Samba
** Also affects: samba via https://bugzilla.samba.org/show_bug.cgi?id=13315 Importance: Unknown Status: Unknown

https://bugs.launchpad.net/bugs/1827924

Title: Panic or segfault in Samba

Status in samba: Unknown
Status in samba package in Ubuntu: Confirmed
Status in samba source package in Xenial: Confirmed
Status in samba source package in Bionic: Confirmed

[Group.of.nepali.translators] [Bug 1828401] Re: 9.26~dfsg+0-0ubuntu0.18.04.9 breaks cups printing of pdf
I will release updates for this regression today.

** Also affects: cups-filters (Ubuntu Cosmic) Importance: Undecided Status: New
** Changed in: cups-filters (Ubuntu Cosmic) Status: New => In Progress
** Changed in: cups-filters (Ubuntu Bionic) Status: Triaged => In Progress
** Changed in: cups-filters (Ubuntu Cosmic) Importance: Undecided => High
** Changed in: cups-filters (Ubuntu Bionic) Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Changed in: cups-filters (Ubuntu Cosmic) Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Also affects: cups-filters (Ubuntu Xenial) Importance: Undecided Status: New
** Changed in: cups-filters (Ubuntu Xenial) Status: New => In Progress
** Changed in: cups-filters (Ubuntu Xenial) Importance: Undecided => High
** Changed in: cups-filters (Ubuntu Xenial) Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

https://bugs.launchpad.net/bugs/1828401

Title: 9.26~dfsg+0-0ubuntu0.18.04.9 breaks cups printing of pdf

Status in cups-filters package in Ubuntu: Fix Released
Status in cups-filters source package in Xenial: In Progress
Status in cups-filters source package in Bionic: In Progress
Status in cups-filters source package in Cosmic: In Progress

Bug description:
Distributor ID: Ubuntu
Description: Ubuntu 18.04.2 LTS
Release: 18.04
Codename: bionic

PROBLEM: 9.26~dfsg+0-0ubuntu0.18.04.9 breaks printing pdf on cups

error in cups logs:
...
D [09/May/2019:13:44:33 +0200] [Job 68] GPL Ghostscript 9.26: Unrecoverable error, exit code 1
D [09/May/2019:13:44:33 +0200] [Job 68] Process is dying with \"Unable to determine number of pages, page count: -1
D [09/May/2019:13:44:33 +0200] [Job 68] \", exit stat 3
...

details of this bug here: https://bugs.archlinux.org/task/62251

POSSIBLE SOLUTION: release an update of cups-filters to 1.22.5

WORKAROUND: downgrade ghostscript to 9.22~dfsg+1-0ubuntu1

sudo apt install ghostscript=9.22~dfsg+1-0ubuntu1 libgs9=9.22~dfsg+1-0ubuntu1 libgs9-common=9.22~dfsg+1-0ubuntu1 ghostscript-x=9.22~dfsg+1-0ubuntu1

[Group.of.nepali.translators] [Bug 1815339] Re: Printer stopped printing paper size 4"x6" after update ghostscript to 9.26
** Changed in: ghostscript (Ubuntu Disco) Status: Triaged => Fix Released

https://bugs.launchpad.net/bugs/1815339

Title: Printer stopped printing paper size 4"x6" after update ghostscript to 9.26

Status in GS-GPL: Fix Released
Status in ghostscript package in Ubuntu: Fix Released
Status in ghostscript source package in Trusty: Fix Released
Status in ghostscript source package in Xenial: Fix Released
Status in ghostscript source package in Bionic: Fix Released
Status in ghostscript source package in Cosmic: Fix Released
Status in ghostscript source package in Disco: Fix Released

Bug description:
I have an issue with Ghostscript and printing. I use Gutenprint for my Canon MG5440, and I cannot print a photo 4"x6" (or 6"x4"), it does not print anything, however I am still able to print A4 paper size. I use Ubuntu 18.04 and Gutenprint 5.3.1.

The printing fails with the message:

[Job 143] Start rendering...
[Job 143] Processing page 1...
[Job 143] Unable to open the initial device, quitting.
[Job 143] Rendering completed
...
[Job 143] PID 24869 (/usr/lib/cups/filter/gstoraster) stopped with status 1.
...
[Job 143] printer-state-message="Filter failed"
[Job 143] printer-state-reasons=none

The message "Unable to open the initial device, quitting" comes from Ghostscript. When I downgrade Ghostscript to 9.22, I am again able to print 4"x6" paper size.

To downgrade:
apt install ghostscript=9.22~dfsg+1-0ubuntu1 libgs9=9.22~dfsg+1-0ubuntu1 libgs9-common=9.22~dfsg+1-0ubuntu1

I found a similar issue for an HP printer at Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=908205

System info:
Description: Ubuntu 18.04.1 LTS
Release: 18.04

ghostscript:
  Installed: 9.26~dfsg+0-0ubuntu0.18.04.4
  Candidate: 9.26~dfsg+0-0ubuntu0.18.04.4
  Versions:
 *** 9.26~dfsg+0-0ubuntu0.18.04.4 500
        500 http://ua.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
        100 /var/lib/dpkg/status
     9.22~dfsg+1-0ubuntu1 500
        500 http://ua.archive.ubuntu.com/ubuntu bionic/main amd64 Packages

cups:
  Installed: 2.2.7-1ubuntu2.3
  Candidate: 2.2.7-1ubuntu2.3
  Versions:
 *** 2.2.7-1ubuntu2.3 500
        500 http://ua.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     2.2.7-1ubuntu2.2 500
        500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
     2.2.7-1ubuntu2 500
        500 http://ua.archive.ubuntu.com/ubuntu bionic/main amd64 Packages

[Group.of.nepali.translators] [Bug 1815624] Re: PostGIS DoS vulnerability in Trusty and Xenial
** Information type changed from Private Security to Public Security
** Also affects: postgis (Ubuntu Xenial) Importance: Undecided Status: New
** Also affects: postgis (Ubuntu Trusty) Importance: Undecided Status: New
** Changed in: postgis (Ubuntu) Status: New => Fix Released
** Changed in: postgis (Ubuntu Trusty) Status: New => Confirmed
** Changed in: postgis (Ubuntu Xenial) Status: New => Confirmed

https://bugs.launchpad.net/bugs/1815624

Title: PostGIS DoS vulnerability in Trusty and Xenial

Status in postgis package in Ubuntu: Fix Released
Status in postgis source package in Trusty: Confirmed
Status in postgis source package in Xenial: Confirmed

Bug description:
PostGIS < 2.3.3 is vulnerable. In Ubuntu Trusty and Xenial Postgres can be DoSed via PostGIS. Please upgrade packages.

[Group.of.nepali.translators] [Bug 1772919] Re: pam-gnome-keyring.so reveals user’s password credential as a plaintext form
** Also affects: gnome-keyring (Ubuntu Xenial) Importance: Undecided Status: New
** Also affects: gnome-keyring (Ubuntu Trusty) Importance: Undecided Status: New
** Changed in: gnome-keyring (Ubuntu) Status: New => Fix Released
** Changed in: gnome-keyring (Ubuntu Trusty) Status: New => Confirmed
** Changed in: gnome-keyring (Ubuntu Xenial) Status: New => Confirmed

https://bugs.launchpad.net/bugs/1772919

Title: pam-gnome-keyring.so reveals user’s password credential as a plaintext form

Status in gnome-keyring package in Ubuntu: Fix Released
Status in gnome-keyring source package in Trusty: Confirmed
Status in gnome-keyring source package in Xenial: Confirmed

Bug description:
When I perform a memory dump of the session-child process, the user’s login credential, including user accounts and their password, is revealed in plaintext form.

In the ‘pam_sm_authenticate’ function, the user’s password is stored in the heap memory of ‘pam_handle->data’ to unlock the keyring later. After unlocking the keyring, the pam module does not free/overwrite the memory area though the password is no longer used. We thus could find the user’s login credentials.

This raises concerns over the credential being misused for illegal behavior, such as acquiring the user’s session key.

It would be better to clean the heap memory.

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: gnome-keyring 3.18.3-0ubuntu2
ProcVersionSignature: Ubuntu 4.13.0-36.40~16.04.1-generic 4.13.13
Uname: Linux 4.13.0-36-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.15
Architecture: amd64
CurrentDesktop: Unity
Date: Wed May 23 22:53:12 2018
InstallationDate: Installed on 2018-04-20 (32 days ago)
InstallationMedia: Ubuntu 16.04.4 LTS "Xenial Xerus" - Release amd64 (20180228)
SourcePackage: gnome-keyring
UpgradeStatus: No upgrade log present (probably fresh install)
upstart.gnome-keyring-ssh.log: grep: /home/sungjungk/.config/autostart/gnome-keyring-ssh.desktop: No such file or directory

[Group.of.nepali.translators] [Bug 1812353] Re: content injection in http method (CVE-2019-3462)
** Changed in: apt (Ubuntu Precise) Status: New => Fix Released

https://bugs.launchpad.net/bugs/1812353

Title: content injection in http method (CVE-2019-3462)

Status in apt package in Ubuntu: In Progress
Status in apt source package in Precise: Fix Released
Status in apt source package in Trusty: Fix Released
Status in apt source package in Xenial: Fix Released
Status in apt source package in Bionic: Fix Released
Status in apt source package in Cosmic: Fix Released
Status in apt source package in Disco: In Progress

Bug description:
apt, starting with version 0.8.15, decodes target URLs of redirects, but does not check them for newlines, allowing MiTM attackers (or repository mirrors) to inject arbitrary headers into the result returned to the main process.

If the URL embeds hashes of the supposed file, it can thus be used to disable any validation of the downloaded file, as the fake hashes will be prepended in front of the right hashes.

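Added example, not part of the bug report and not apt's code: a simplified model of the missing check described above, in which a fetch worker percent-decodes a redirect target and reports it to its parent process in a line-oriented "Key: value" message. The message layout, the "103 Redirect" status line, the host names and the `Injected-Field` name are constructed for this sketch.

```python
"""Simplified model (an assumption of this example, not apt's wire format):
a worker reports to its parent with blank-line-terminated "Key: value" messages."""
from urllib.parse import unquote


class UnsafeRedirect(ValueError):
    """Raised when a decoded redirect target contains control characters."""


def serialize(status, fields):
    """Render one message: status line, 'Key: value' lines, blank terminator."""
    return "\n".join([status] + [f"{k}: {v}" for k, v in fields]) + "\n\n"


def parse_messages(stream):
    """Parent side: split the stream into (status, fields) messages."""
    messages = []
    for block in stream.split("\n\n"):
        lines = [line for line in block.split("\n") if line]
        if not lines:
            continue
        fields = {}
        for line in lines[1:]:
            key, sep, value = line.partition(": ")
            if sep:
                fields[key] = value
        messages.append((lines[0], fields))
    return messages


def redirect_unchecked(uri, location):
    """'Before' form: the Location value is decoded and written out as is."""
    return serialize("103 Redirect",
                     [("URI", uri), ("New-URI", unquote(location))])


def redirect_checked(uri, location):
    """Hardened form: refuse a decoded target containing any control character."""
    new_uri = unquote(location)
    bad = sorted({repr(c) for c in new_uri if ord(c) < 0x20 or ord(c) == 0x7F})
    if bad:
        raise UnsafeRedirect("control characters in redirect target: "
                             + ", ".join(bad))
    return serialize("103 Redirect", [("URI", uri), ("New-URI", new_uri)])


# Constructed sample values.
REQUESTED = "http://archive.example/pool/pkg_1.0_all.deb"
BENIGN = "http://mirror.example/pool/pkg_1.0_all.deb"
CRAFTED = BENIGN + "%0AInjected-Field: chosen-by-remote-peer"


def fields_seen_by_parent(builder, location):
    """Return the field names the parent parses from one redirect notice."""
    messages = parse_messages(builder(REQUESTED, location))
    return sorted(messages[0][1])


if __name__ == "__main__":
    print(fields_seen_by_parent(redirect_unchecked, BENIGN))
    print(fields_seen_by_parent(redirect_unchecked, CRAFTED))
    try:
        redirect_checked(REQUESTED, CRAFTED)
    except UnsafeRedirect as exc:
        print("rejected:", exc)
```

The check runs on the decoded value, because the newline only exists after percent-decoding.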
[Group.of.nepali.translators] [Bug 1805348] Re: Recent security update broke server-side keyboard-interactive authentication
Thanks for reporting this pitti, I'll prepare a regression fix! ** Changed in: libssh (Ubuntu Xenial) Assignee: (unassigned) => Marc Deslauriers (mdeslaur) ** Changed in: libssh (Ubuntu Bionic) Assignee: (unassigned) => Marc Deslauriers (mdeslaur) ** Changed in: libssh (Ubuntu Cosmic) Assignee: (unassigned) => Marc Deslauriers (mdeslaur) ** Also affects: libssh (Ubuntu Trusty) Importance: Undecided Status: New ** Changed in: libssh (Ubuntu Trusty) Status: New => Triaged ** Changed in: libssh (Ubuntu Trusty) Assignee: (unassigned) => Marc Deslauriers (mdeslaur) ** Changed in: libssh (Ubuntu Trusty) Importance: Undecided => High ** Information type changed from Public to Public Security -- You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial. Matching subscriptions: Ubuntu 16.04 Bugs https://bugs.launchpad.net/bugs/1805348 Title: Recent security update broke server-side keyboard-interactive authentication Status in libssh package in Ubuntu: Fix Released Status in libssh source package in Trusty: Triaged Status in libssh source package in Xenial: Triaged Status in libssh source package in Bionic: Triaged Status in libssh source package in Cosmic: Triaged Status in libssh package in Debian: New Bug description: 0.8.4 and the backported fixes for CVE-2018-10933 cause server-side keyboard-interactive authentication to completely break. See https://bugs.libssh.org/T117 for details and a reproducer. This was fixed upstream as part of the 0.8.5 release, so disco is fine. 
For 16.04/18.04/18.10, please backport the fix: https://git.libssh.org/projects/libssh.git/commit/?id=4ea46eecce9f4
[Group.of.nepali.translators] [Bug 1794629] Re: CVE-2018-15473 - User enumeration vulnerability
** Changed in: openssh (Ubuntu Cosmic) Status: In Progress => Fix Released ** Changed in: openssh (Ubuntu) Status: In Progress => Fix Released -- You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial. Matching subscriptions: Ubuntu 16.04 Bugs https://bugs.launchpad.net/bugs/1794629 Title: CVE-2018-15473 - User enumeration vulnerability Status in openssh package in Ubuntu: Fix Released Status in openssh source package in Trusty: Fix Released Status in openssh source package in Xenial: Fix Released Status in openssh source package in Bionic: Fix Released Status in openssh source package in Cosmic: Fix Released Bug description: https://nvd.nist.gov/vuln/detail/CVE-2018-15473 OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c. Fixed in Debian: https://www.debian.org/security/2018/dsa-4280 Currently pending triage? https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15473.html
[Group.of.nepali.translators] [Bug 1796863] Re: Upgrade to version 3.4.2 for Bionic
** Also affects: spamassassin (Ubuntu Bionic) Importance: Undecided Status: New ** Also affects: spamassassin (Ubuntu Trusty) Importance: Undecided Status: New ** Also affects: spamassassin (Ubuntu Cosmic) Importance: Medium Status: Triaged ** Also affects: spamassassin (Ubuntu Xenial) Importance: Undecided Status: New ** Changed in: spamassassin (Ubuntu Trusty) Status: New => Confirmed ** Changed in: spamassassin (Ubuntu Trusty) Assignee: (unassigned) => Marc Deslauriers (mdeslaur) ** Changed in: spamassassin (Ubuntu Xenial) Status: New => Confirmed ** Changed in: spamassassin (Ubuntu Xenial) Assignee: (unassigned) => Marc Deslauriers (mdeslaur) ** Changed in: spamassassin (Ubuntu Bionic) Status: New => Confirmed ** Changed in: spamassassin (Ubuntu Bionic) Assignee: (unassigned) => Marc Deslauriers (mdeslaur) ** Changed in: spamassassin (Ubuntu Cosmic) Status: Triaged => Fix Released -- You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial. Matching subscriptions: Ubuntu 16.04 Bugs https://bugs.launchpad.net/bugs/1796863 Title: Upgrade to version 3.4.2 for Bionic Status in spamassassin package in Ubuntu: Fix Released Status in spamassassin source package in Trusty: Confirmed Status in spamassassin source package in Xenial: Confirmed Status in spamassassin source package in Bionic: Confirmed Status in spamassassin source package in Cosmic: Fix Released Bug description: lsb_release -rd Description: Ubuntu 18.04.1 LTS Release: 18.04 apt-cache policy spamassassin spamassassin: Installed: 3.4.1-8build1 Candidate: 3.4.1-8build1 According to the release notes for Spamassassin 3.4.2 there have been significant bug fixes and changes made in the newer package. Some are noted below. Suggest that a 3.4.2 version of Spamassassin be released for 18.04LTS. "There is one specific pressing reason to upgrade. Specifically, we will stop producing SHA-1 signatures for rule updates. 
This means that while we produce rule updates with the focus on them working for any release from v3.3.2 forward, they will start failing SHA-1 validation for sa-update. *** If you do not update to 3.4.2, you will be stuck at the last ruleset with SHA-1 signatures in the near future. ***" "Four CVE security bug fixes are included in this release for PDFInfo.pm and the SA core: CVE-2017-15705, CVE-2016-1238, CVE-2018-11780 & CVE-2018-11781" CVE-2017-15705 - "A denial of service vulnerability was identified that exists in Apache SpamAssassin before 3.4.2. The vulnerability arises with certain unclosed tags in emails that cause markup to be handled incorrectly leading to scan timeouts." https://launchpad.net/bugs/cve/CVE-2017-15705 CVE-2016-1238 - https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1238.html According to the link above it appears that Bionic is not affected by this. CVE-2018-11780 - "A potential Remote Code Execution bug exists with the PDFInfo plugin in Apache SpamAssassin before 3.4.2." https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-11780.html CVE-2018-11781 - "Apache SpamAssassin 3.4.2 fixes a local user code injection in the meta rule syntax." https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-11781.html
[Group.of.nepali.translators] [Bug 1793742] Re: xdvi stops showing emedded figures after updating ghostscript
I have released ghostscript 9.25 to all stable releases. That should fix this issue. Thanks! ** Changed in: ghostscript (Ubuntu Trusty) Status: In Progress => Fix Released ** Changed in: ghostscript (Ubuntu Xenial) Status: In Progress => Fix Released ** Changed in: ghostscript (Ubuntu Bionic) Status: In Progress => Fix Released -- You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial. Matching subscriptions: Ubuntu 16.04 Bugs https://bugs.launchpad.net/bugs/1793742 Title: xdvi stops showing emedded figures after updating ghostscript Status in ghostscript package in Ubuntu: Fix Released Status in ghostscript source package in Trusty: Fix Released Status in ghostscript source package in Xenial: Fix Released Status in ghostscript source package in Bionic: Fix Released Status in ghostscript source package in Cosmic: Fix Released Bug description: I like to report a problem with using xdvi after upgrading ghostscript (and libgs9) in Trusty Tahr from version 9.10~dfsg-0ubuntu10.12 to version 9.10~dfsg-0ubuntu10.13. The error message after invoking xdvi looks as below. 
$ xdvi scaling.dvi gs: Error: /undefined in flushpage gs: Operand stack: gs: gs: Execution stack: gs:%interp_exit .runexec2 --nostringval-- --nostringval-- --nostringval-- gs:2 %stopped_push --nostringval-- --nostringval-- --nostringval-- fals gs: e 1 %stopped_push 1916 1 3 %oparray_pop 1915 1 3 %oparray_pop gs:1899 1 3 %oparray_pop 1787 1 3 %oparray_pop --nostringval-- gs: %errorexec_pop .runexec2 --nostringval-- --nostringval-- --nostringval-- gs: 2 %stopped_push --nostringval-- --nostringval-- %loop_continue --nost gs: ringval-- gs: Dictionary stack: gs:--dict:957/1684(ro)(G)-- --dict:0/20(G)-- --dict:81/200(L)-- gs: Current allocation mode is local gs: Last OS error: No such file or directory gs: GPL Ghostscript 9.10: Unrecoverable error, exit code 1 xdvi.bin: Warning: Read_from_gs returned 0 bytes For the (unlikely) possibility that this error could be due to the update of some other package I also include the full list of the packages that were installed at the same time. Setting up libglib2.0-data (2.40.2-0ubuntu1.1) ... Setting up libglib2.0-0:amd64 (2.40.2-0ubuntu1.1) ... Setting up libglib2.0-bin (2.40.2-0ubuntu1.1) ... Setting up libglib2.0-dev (2.40.2-0ubuntu1.1) ... Setting up liblcms2-2:amd64 (2.5-0ubuntu4.2) ... Setting up libopencv-core2.4:amd64 (2.4.8+dfsg1-2ubuntu1.2) ... Setting up libopencv-flann2.4:amd64 (2.4.8+dfsg1-2ubuntu1.2) ... Setting up libopencv-imgproc2.4:amd64 (2.4.8+dfsg1-2ubuntu1.2) ... Setting up libopencv-features2d2.4:amd64 (2.4.8+dfsg1-2ubuntu1.2) ... Setting up libopencv-calib3d2.4:amd64 (2.4.8+dfsg1-2ubuntu1.2) ... Setting up libopencv-highgui2.4:amd64 (2.4.8+dfsg1-2ubuntu1.2) ... Setting up libopencv-ml2.4:amd64 (2.4.8+dfsg1-2ubuntu1.2) ... Setting up libopencv-video2.4:amd64 (2.4.8+dfsg1-2ubuntu1.2) ... Setting up libopencv-legacy2.4:amd64 (2.4.8+dfsg1-2ubuntu1.2) ... Setting up libopencv-objdetect2.4:amd64 (2.4.8+dfsg1-2ubuntu1.2) ... Setting up libopencv-contrib2.4:amd64 (2.4.8+dfsg1-2ubuntu1.2) ... 
Setting up libisc95 (1:9.9.5.dfsg-3ubuntu0.18) ... Setting up libdns100 (1:9.9.5.dfsg-3ubuntu0.18) ... Setting up libisccc90 (1:9.9.5.dfsg-3ubuntu0.18) ... Setting up libisccfg90 (1:9.9.5.dfsg-3ubuntu0.18) ... Setting up libbind9-90 (1:9.9.5.dfsg-3ubuntu0.18) ... Setting up liblwres90 (1:9.9.5.dfsg-3ubuntu0.18) ... Setting up bind9-host (1:9.9.5.dfsg-3ubuntu0.18) ... Setting up dnsutils (1:9.9.5.dfsg-3ubuntu0.18) ... Setting up libgs9-common (9.10~dfsg-0ubuntu10.13) ... Setting up libgs9 (9.10~dfsg-0ubuntu10.13) ... Setting up ghostscript (9.10~dfsg-0ubuntu10.13) ... Setting up ghostscript-x (9.10~dfsg-0ubuntu10.13) ... Description:Ubuntu 14.04.5 LTS Release:14.04
[Group.of.nepali.translators] [Bug 1793485] Re: segfault in png to gif conversion
Thanks for reporting this issue. Looks like we're possibly missing a couple of commits: https://github.com/ImageMagick/ImageMagick6/commit/e5e87c087ed48db886be0ff3aff4041d38218192 https://github.com/ImageMagick/ImageMagick6/commit/f5d04fc678f67984a1f8c1008dc8eac8ee7e3629 I'll prepare a regression fix. ** Also affects: imagemagick (Ubuntu Bionic) Importance: Undecided Status: New ** Also affects: imagemagick (Ubuntu Trusty) Importance: Undecided Status: New ** Also affects: imagemagick (Ubuntu Xenial) Importance: Undecided Status: New ** Changed in: imagemagick (Ubuntu Bionic) Status: New => Fix Released ** Changed in: imagemagick (Ubuntu) Status: New => Fix Released ** Changed in: imagemagick (Ubuntu Trusty) Status: New => In Progress ** Changed in: imagemagick (Ubuntu Xenial) Status: New => In Progress ** Changed in: imagemagick (Ubuntu Trusty) Assignee: (unassigned) => Marc Deslauriers (mdeslaur) ** Changed in: imagemagick (Ubuntu Xenial) Assignee: (unassigned) => Marc Deslauriers (mdeslaur) ** Changed in: imagemagick (Ubuntu Bionic) Assignee: (unassigned) => Marc Deslauriers (mdeslaur) ** Information type changed from Public to Public Security -- You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial. Matching subscriptions: Ubuntu 16.04 Bugs https://bugs.launchpad.net/bugs/1793485 Title: segfault in png to gif conversion Status in imagemagick package in Ubuntu: Fix Released Status in imagemagick source package in Trusty: In Progress Status in imagemagick source package in Xenial: In Progress Status in imagemagick source package in Bionic: Fix Released Bug description: Regression between 8:6.8.9.9-7ubuntu5.9 and 8:6.8.9.9-7ubuntu5.12. Test case: 1. Download the attached pngs. 2. Run: /usr/bin/convert -limit memory 512MiB -limit map 0MiB -limit file 10 -delay 16 -loop 0 -coalesce -deconstruct ./*.png ./output.gif Expected result: Process finishes with resulting output.gif. 
Actual result: Process is aborted with SIGSEGV: Other information: In my tests looks like it has been introduced in 8:6.8.9.9-7ubuntu5.11 and does not occur on Bionic. Stack trace: #0 EncodeImage (image_info=0x645c40, data_size=, image=0x636890) at ../../coders/gif.c:676 #1 WriteGIFImage (image_info=0x640700, image=0x636890) at ../../coders/gif.c:1905 #2 0x779a5f0f in WriteImage (image_info=image_info@entry=0x618680, image=image@entry=0x62cb30) at ../../magick/constitute.c:1184 #3 0x779a684f in WriteImages (image_info=image_info@entry=0x60fcd0, images=, images@entry=0x62cb30, filename=, exception=exception@entry=0x602ea0) at ../../magick/constitute.c:1335 #4 0x7763e84e in ConvertImageCommand (image_info=0x60fcd0, argc=19, argv=0x6143b0, metadata=0x0, exception=0x602ea0) at ../../wand/convert.c:3215 #5 0x776ab527 in MagickCommandGenesis ( image_info=image_info@entry=0x60aab0, command=0x4007f0 , argc=argc@entry=19, argv=argv@entry=0x7fffdc68, metadata=metadata@entry=0x0, exception=exception@entry=0x602ea0) at ../../wand/mogrify.c:168 #6 0x00400877 in ConvertMain (argv=0x7fffdc68, argc=19) at ../../utilities/convert.c:81 #7 main (argc=19, argv=0x7fffdc68) at ../../utilities/convert.c:92
[Group.of.nepali.translators] [Bug 1793742] Re: xdvi stops showing emedded figures after updating ghostscript
Thanks for reporting this issue. It looks like upstream reverted a change in later releases. http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=19ebb5f1f497b6f2d50fe13d17d3e627dfb6c868 I'll prepare a regression fix soon. ** Also affects: ghostscript (Ubuntu Trusty) Importance: Undecided Status: New ** Also affects: ghostscript (Ubuntu Bionic) Importance: Undecided Status: New ** Also affects: ghostscript (Ubuntu Cosmic) Importance: Undecided Status: New ** Also affects: ghostscript (Ubuntu Xenial) Importance: Undecided Status: New ** Changed in: ghostscript (Ubuntu Cosmic) Status: New => Fix Released ** Changed in: ghostscript (Ubuntu Trusty) Assignee: (unassigned) => Marc Deslauriers (mdeslaur) ** Changed in: ghostscript (Ubuntu Xenial) Assignee: (unassigned) => Marc Deslauriers (mdeslaur) ** Changed in: ghostscript (Ubuntu Bionic) Assignee: (unassigned) => Marc Deslauriers (mdeslaur) ** Changed in: ghostscript (Ubuntu Trusty) Status: New => Confirmed ** Changed in: ghostscript (Ubuntu Xenial) Status: New => Confirmed ** Changed in: ghostscript (Ubuntu Trusty) Status: Confirmed => In Progress ** Changed in: ghostscript (Ubuntu Xenial) Status: Confirmed => In Progress ** Changed in: ghostscript (Ubuntu Bionic) Status: New => In Progress -- You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial. 
Matching subscriptions: Ubuntu 16.04 Bugs https://bugs.launchpad.net/bugs/1793742 Title: xdvi stops showing emedded figures after updating ghostscript Status in ghostscript package in Ubuntu: Fix Released Status in ghostscript source package in Trusty: In Progress Status in ghostscript source package in Xenial: In Progress Status in ghostscript source package in Bionic: In Progress Status in ghostscript source package in Cosmic: Fix Released
[Group.of.nepali.translators] [Bug 1782031] Re: [SRU][xenial] Enable SCE option and systemd probe in libopenscap8
** Also affects: openscap (Ubuntu Bionic) Importance: Undecided Status: New ** Also affects: openscap (Ubuntu Xenial) Importance: Undecided Status: New ** Changed in: openscap (Ubuntu Bionic) Status: New => Fix Released ** Changed in: openscap (Ubuntu) Status: Confirmed => Fix Released ** Changed in: openscap (Ubuntu Xenial) Status: New => Confirmed -- You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial. Matching subscriptions: Ubuntu 16.04 Bugs https://bugs.launchpad.net/bugs/1782031 Title: [SRU][xenial] Enable SCE option and systemd probe in libopenscap8 Status in openscap package in Ubuntu: Fix Released Status in openscap source package in Xenial: Confirmed Status in openscap source package in Bionic: Fix Released Status in openscap package in Debian: Fix Released Bug description: [Impact] Canonical security certification team is automating Ubuntu specific security hardening guides using Security Content Automation Protocol (SCAP). SCAP requires Open Vulnerability and Assessment Language (xccdf and xml) to implement SCAP content. The openSCAP implementation processes SCAP content, but has been extended to also process python and bash scripts via a Script Check Engine (SCE). This ability to process bash and python scripts is needed because OVAL is somewhat limited in what it can do. We have had to write a few python and bash scripts. SCE is not enabled by default, and will require the addition of the "--enable-sce" option in the "debian/rules" file to turn it on. There are security hardening rules for systemd. There is also OVAL schema implemented as "probes" in openSCAP. The systemd probe to be enabled requires libdbus-1-dev during build. This would be set in the debian/control file. The attached patch has all the necessary code change. These 2 changes were made in more current versions of libopenscap8 in Debian as indicated above.
As a result, Artful, Bionic and Cosmic also have these changes. The automation we are working on is required for Xenial though. [Test Case] 1. run the command "oscap --v", and should see following with SCE option enabled, Capabilities added by auto-loaded plugins SCE Version: 1.0 (from libopenscap_sce.so.8) without the SCE option enabled, the list of plugins is empty. Also, should see under " Supported OVAL objects and associated OpenSCAP probes " systemdunitproperty probe_systemdunitproperty systemdunitdependency probe_systemdunitdependency 2. The second testcase requires running our SCAP content and verifying that those rules using scripts are run and those rules using systemd probes are run. [Regression Potential] The regression potential should be small. The changes proposed enable new functionality that is already included in the source package, and do not change the behavior of existing functionality.
[Group.of.nepali.translators] [Bug 1721129] Re: Version 2017072601 is needed as it include the upcoming root KSK
** Also affects: dns-root-data (Ubuntu Artful) Importance: Undecided Status: New ** Also affects: dns-root-data (Ubuntu Xenial) Importance: Undecided Status: New ** Also affects: dns-root-data (Ubuntu Cosmic) Importance: Undecided Status: Confirmed ** Also affects: dns-root-data (Ubuntu Bionic) Importance: Undecided Status: New ** Changed in: dns-root-data (Ubuntu Cosmic) Status: Confirmed => Fix Released ** Changed in: dns-root-data (Ubuntu Bionic) Status: New => Fix Committed ** Changed in: dns-root-data (Ubuntu Bionic) Status: Fix Committed => Fix Released ** Changed in: dns-root-data (Ubuntu Artful) Status: New => Fix Released ** Changed in: dns-root-data (Ubuntu Xenial) Status: New => Confirmed ** Changed in: dns-root-data (Ubuntu Xenial) Assignee: (unassigned) => Marc Deslauriers (mdeslaur) -- You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial. Matching subscriptions: Ubuntu 16.04 Bugs https://bugs.launchpad.net/bugs/1721129 Title: Version 2017072601 is needed as it include the upcoming root KSK Status in dns-root-data package in Ubuntu: Fix Released Status in dns-root-data source package in Xenial: Confirmed Status in dns-root-data source package in Artful: Fix Released Status in dns-root-data source package in Bionic: Fix Released Status in dns-root-data source package in Cosmic: Fix Released Bug description: Version 2017072601 should be SRU'ed from Artful to Xenial and Zesty. This will bring the upcoming root KSK (in VALID state) which is required for new installs of other packages (like Unbound) that happen after September 11. See https://unbound.net/root-11sep-11oct.html for details. 
[Group.of.nepali.translators] [Bug 1663281] Re: opendir("ssh2.sftp://..") fails after upgrade to 7.0.13 from xenial-updates
For php5 code: http://git.php.net/?p=pecl/networking/ssh2.git;a=commit;h=093906ec1c065e86ad1cd4dabbc89b1ccae11938 For php7 code: http://git.php.net/?p=pecl/networking/ssh2.git;a=commit;h=17680cf039f0cfac53b5a2531fdb715b95e9cc42 http://git.php.net/?p=pecl/networking/ssh2.git;a=commit;h=756e2f1369f2d5ff006222d978806f4fd91659e1 ** Also affects: php-ssh2 (Ubuntu Precise) Importance: Undecided Status: New ** Also affects: php-ssh2 (Ubuntu Xenial) Importance: Undecided Status: New ** Also affects: php-ssh2 (Ubuntu Trusty) Importance: Undecided Status: New ** Also affects: php-ssh2 (Ubuntu Bionic) Importance: Undecided Status: Confirmed ** Also affects: php-ssh2 (Ubuntu Artful) Importance: Undecided Status: New ** Changed in: php-ssh2 (Ubuntu Precise) Status: New => Confirmed ** Changed in: php-ssh2 (Ubuntu Trusty) Status: New => Confirmed ** Changed in: php-ssh2 (Ubuntu Xenial) Status: New => Confirmed ** Changed in: php-ssh2 (Ubuntu Artful) Status: New => Fix Released ** Changed in: php-ssh2 (Ubuntu Bionic) Status: Confirmed => Fix Released ** Changed in: php-ssh2 (Ubuntu Precise) Assignee: (unassigned) => Leonidas S. Barbosa (leosilvab) ** Changed in: php-ssh2 (Ubuntu Trusty) Assignee: (unassigned) => Leonidas S. Barbosa (leosilvab) ** Changed in: php-ssh2 (Ubuntu Xenial) Assignee: (unassigned) => Leonidas S. Barbosa (leosilvab) -- You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial. 
Matching subscriptions: Ubuntu 16.04 Bugs https://bugs.launchpad.net/bugs/1663281 Title: opendir("ssh2.sftp://..") fails after upgrade to 7.0.13 from xenial-updates Status in php-ssh2 package in Ubuntu: Fix Released Status in php-ssh2 source package in Precise: Confirmed Status in php-ssh2 source package in Trusty: Confirmed Status in php-ssh2 source package in Xenial: Confirmed Status in php-ssh2 source package in Artful: Fix Released Status in php-ssh2 source package in Bionic: Fix Released Bug description: opendir() for a "ssh2.sftp://.."-style url fails after upgrade to php 7.0.13 from xenial-updates. This is a known bug fixed upstream in php-ssh2, commit 17680cf039f0cfac53b5a2531fdb715b95e9cc42. I've rebuilt the package locally using the attached patch.
[Group.of.nepali.translators] [Bug 1697785] Re: Update to 2.8.14 in Xenial
ACK on the debdiff in comment #3. Package is being released now. Thanks! ** Also affects: ffmpeg (Ubuntu Xenial) Importance: Undecided Status: New ** Changed in: ffmpeg (Ubuntu) Status: Confirmed => Invalid ** Changed in: ffmpeg (Ubuntu Xenial) Status: New => Fix Committed -- You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial. Matching subscriptions: Ubuntu 16.04 Bugs https://bugs.launchpad.net/bugs/1697785 Title: Update to 2.8.14 in Xenial Status in ffmpeg package in Ubuntu: Invalid Status in ffmpeg source package in Xenial: Fix Released Bug description: https://git.ffmpeg.org/gitweb/ffmpeg.git/blob/refs/heads/release/2.8:/Changelog version 2.8.13: - avformat/mxfdec: Fix Sign error in mxf_read_primer_pack() - avformat/mxfdec: Fix DoS issues in mxf_read_index_entry_array() - avformat/nsvdec: Fix DoS due to lack of eof check in nsvs_file_offset loop. - avcodec/snowdec: Fix integer overflow in decode_subband_slice_buffered() - avcodec/hevc_ps: Fix undefined shift in pcm code - avcodec/sbrdsp_fixed: Fix undefined overflows in autocorrelate() - avformat/mvdec: Fix DoS due to lack of eof check - avformat/rl2: Fix DoS due to lack of eof check - avformat/cinedec: Fix DoS due to lack of eof check - avformat/asfdec: Fix DoS due to lack of eof check - avformat/hls: Fix DoS due to infinite loop - ffprobe: Fix NULL pointer handling in color parameter printing - ffprobe: Fix null pointer dereference with color primaries - avcodec/hevc_ps: Check delta_pocs in ff_hevc_decode_short_term_rps() - avformat/aviobuf: Fix signed integer overflow in avio_seek() - avformat/mov: Fix signed integer overflows with total_size - avcodec/aacdec_template: Fix running cleanup in decode_ics_info() - avcodec/me_cmp: Fix crashes on ARM due to misalignment - avcodec/fic: Fixes signed integer overflow - avcodec/snowdec: Fix off by 1 error - avcodec/diracdec: Check perspective_exp and zrs_exp. 
- avcodec/mpeg4videodec: Clear mcsel before decoding an image - avcodec/dirac_dwt: Fixes integer overflows in COMPOSE_DAUB97* - avcodec/aacdec_fixed: fix invalid shift in predict() - avcodec/h264_slice: Fix overflow in slice offset - avformat/utils: fix memory leak in avformat_free_context - avcodec/dirac_dwt: Fix multiple integer overflows in COMPOSE_DD97iH0() - avcodec/diracdec: Fix integer overflow in divide3() - avcodec/takdec: Fix integer overflow in decode_subframe() - avformat/rtmppkt: Convert ff_amf_get_field_value() to bytestream2 - avformat/rtmppkt: Convert ff_amf_tag_size() to bytestream2 - avcodec/hevc_ps: fix integer overflow in log2_parallel_merge_level_minus2 - avformat/oggparsecelt: Do not re-allocate os->private - avcodec/aacps: Fix multiple integer overflow in map_val_34_to_20() - avcodec/aacdec_fixed: fix: left shift of negative value -1 - doc/filters: typo in frei0r - avcodec/aacdec_template (fixed point): Check gain in decode_cce() to avoid undefined shifts later - avcodec/mjpegdec: Clip DC also on the negative side. 
- avcodec/aacps (fixed point): Fix multiple signed integer overflows - avcodec/sbrdsp_fixed: Fix integer overflow in sbr_hf_apply_noise() - avcodec/wavpack: Fix invalid shift - avcodec/hevc_ps: Fix integer overflow with beta/tc offsets - avcodec/vb: Check vertical GMC component before multiply - avcodec/jpeg2000dwt: Fix integer overflow in dwt_decode97_int() - avcodec/apedec: Fix integer overflow - avcodec/wavpack: Fix integer overflow in wv_unpack_stereo() - avcodec/mpeg4videodec: Fix GMC with videos of dimension 1 - avcodec/wavpack: Fix integer overflow - avcodec/takdec: Fix integer overflow - avcodec/tiff: Update pointer only when the result is used - avcodec/hevc_filter: Fix invalid shift - avcodec/mpeg4videodec: Fix overflow in virtual_ref computation - avcodec/wavpack: Fix undefined integer negation - avcodec/aacdec_fixed: Check s for being too small - avcodec/h264: Fix mix of lossless and lossy MBs decoding - avcodec/h264_mb: Fix 8x8dct in lossless for new versions of x264 - avcodec/h264_cabac: Fix CABAC+8x8dct in 4:4:4 - avcodec/takdec: Fixes: integer overflow in AV_SAMPLE_FMT_U8P output - avcodec/jpeg2000dsp: Reorder operations in ict_int() to avoid 2 integer overflows - avcodec/hevcpred_template: Fix left shift of negative value - avcodec/hevcdec: Fix signed integer overflow in decode_lt_rps() - avcodec/jpeg2000dec: Check nonzerobits more completely - avcodec/shorten: Sanity check maxnlpc - avcodec/jpeg2000: Fixes integer overflow in ff_jpeg2000_ceildivpow2() - avcodec/hevcdec: Check nb_sps - avcodec/hevc_refs: Check nb_refs in add_candidate_ref() - avcodec/mpeg4videodec: Check sprite delta upshift against overflowing. - avcodec/mpeg4videodec: Fix integer overflow in num_sprite_warping_points=2 case - avcodec/aacsbr_fixed: Check shift in sbr_hf_assemble()
[Group.of.nepali.translators] [Bug 1761289] [NEW] WSA-2018-0003 security update
*** This bug is a security vulnerability *** Public security bug reported: https://webkitgtk.org/security/WSA-2018-0003.html We need to update webkit2gtk to 2.20. ** Affects: webkit2gtk (Ubuntu) Importance: Undecided Status: Fix Released ** Affects: webkit2gtk (Ubuntu Xenial) Importance: Medium Status: Confirmed ** Affects: webkit2gtk (Ubuntu Artful) Importance: Medium Status: Confirmed ** Affects: webkit2gtk (Ubuntu Bionic) Importance: Undecided Status: Fix Released ** Also affects: webkit2gtk (Ubuntu Xenial) Importance: Undecided Status: New ** Also affects: webkit2gtk (Ubuntu Bionic) Importance: Undecided Status: New ** Also affects: webkit2gtk (Ubuntu Artful) Importance: Undecided Status: New ** Changed in: webkit2gtk (Ubuntu Bionic) Status: New => Fix Released ** Changed in: webkit2gtk (Ubuntu Artful) Status: New => Confirmed ** Changed in: webkit2gtk (Ubuntu Xenial) Status: New => Confirmed ** Changed in: webkit2gtk (Ubuntu Xenial) Importance: Undecided => Medium ** Changed in: webkit2gtk (Ubuntu Artful) Importance: Undecided => Medium -- You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial. Matching subscriptions: Ubuntu 16.04 Bugs https://bugs.launchpad.net/bugs/1761289 Title: WSA-2018-0003 security update Status in webkit2gtk package in Ubuntu: Fix Released Status in webkit2gtk source package in Xenial: Confirmed Status in webkit2gtk source package in Artful: Confirmed Status in webkit2gtk source package in Bionic: Fix Released Bug description: https://webkitgtk.org/security/WSA-2018-0003.html We need to update webkit2gtk to 2.20. 
[Group.of.nepali.translators] [Bug 1752591] Re: CVE-2017-7651 and CVE-2017-7652
ACK on the debdiffs in comments #2 and #3. I added the bug number to the changelog and adjusted the artful versioning. Packages are building now and will be released as security updates today. Thanks! ** Also affects: mosquitto (Ubuntu Bionic) Importance: Undecided Status: Confirmed ** Also affects: mosquitto (Ubuntu Xenial) Importance: Undecided Status: New ** Also affects: mosquitto (Ubuntu Artful) Importance: Undecided Status: New ** Changed in: mosquitto (Ubuntu Bionic) Status: Confirmed => Fix Released ** Changed in: mosquitto (Ubuntu Xenial) Status: New => Fix Committed ** Changed in: mosquitto (Ubuntu Artful) Status: New => Fix Committed -- You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial. Matching subscriptions: Ubuntu 16.04 Bugs https://bugs.launchpad.net/bugs/1752591 Title: CVE-2017-7651 and CVE-2017-7652 Status in mosquitto package in Ubuntu: Fix Released Status in mosquitto source package in Xenial: Fix Committed Status in mosquitto source package in Artful: Fix Committed Status in mosquitto source package in Bionic: Fix Released Bug description: The current available version of mosquitto packaged in ubuntu (for all versions) is vulnerable to 2 cve's announced recently, including one for a potential DOS attack from unauthorized users. More details on this can be found at: https://mosquitto.org/blog/2018/02/security-advisory-cve-2017-7651-cve-2017-7652/ which includes links to patches for the CVEs. Or we can just update to 1.4.15 which should be backwards compatible.
[Group.of.nepali.translators] [Bug 1752761] Re: Regression in vga handling ubuntu10.21 to ubuntu10.22
** Also affects: qemu (Ubuntu Xenial) Importance: Undecided Status: New ** Also affects: qemu (Ubuntu Trusty) Importance: Undecided Status: New ** Changed in: qemu (Ubuntu Trusty) Status: New => In Progress ** Changed in: qemu (Ubuntu Xenial) Status: New => In Progress ** Changed in: qemu (Ubuntu Trusty) Assignee: (unassigned) => Marc Deslauriers (mdeslaur) ** Changed in: qemu (Ubuntu Xenial) Assignee: (unassigned) => Marc Deslauriers (mdeslaur) ** Changed in: qemu (Ubuntu) Status: New => Invalid ** Changed in: qemu (Ubuntu Trusty) Importance: Undecided => High ** Changed in: qemu (Ubuntu Xenial) Importance: Undecided => High -- You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial. Matching subscriptions: Ubuntu 16.04 Bugs https://bugs.launchpad.net/bugs/1752761 Title: Regression in vga handling ubuntu10.21 to ubuntu10.22 Status in qemu package in Ubuntu: Invalid Status in qemu source package in Trusty: In Progress Status in qemu source package in Xenial: In Progress Bug description: Hi, Corporate environment, Windows XenU platforms, using QEMU HVM (qemu-system-x86) on multiple Ubuntu Xen0 platforms. Established stable production environment (for > 1-5 years), Ubuntu and Windows nodes getting latest patches etc. Dell R6XX series server hardware. After updates from mainline: 1:2.5+dfsg-5ubuntu10 to 1:2.5+dfsg-5ubuntu10.22 a reboot of XenU VMs very slow and repeated BlueScreening. Windows Server 2012, does come up after 4+ minutes booting. Windows Server 2008R8, Windows 7 Pro, Windows 10 Pro VMs fail to boot with blue screen "framebuf" STOP. (PNG available). Boot to safe mode (very slow ~ 4mins to login screen) and remove video drivers, reboot succeeds, windows drivers auto updated, reboot fails.
Testing completed on Windows Server 2008R8 images including migration of VM Disk devices to other Dell rack servers:
o Xenial Xen0 server - Same issues
o Trusty Xen0 server - Same issues
o Precise Xen0 server - Fast boot / no issues
On Xenial systems, downgrading qemu-system-x86 to version 1:2.5+dfsg-5ubuntu10 reverts to previous performance / stability (~25 secs to loginscreen) = all good. Tested PPA versions of qemu-system-x86 with local dpkg installs, version ubuntu10.21 works fine, ubuntu10.22 fails. Proposed ubuntu10.23 also fails.
QEMU Command line used (unchanged between good and bad observations):
/usr/bin/qemu-system-i386 -xen-domid 9 -chardev socket,id=libxl-cmd,path=/var/run/xen/qmp-libxl-9,server,nowait -no-shutdown -mon chardev=libxl-cmd,mode=control -chardev socket,id=libxenstat-cmd,path=/var/run/xen/qmp-libxenstat-9,server,nowait -mon chardev=libxenstat-cmd,mode=control -nodefaults -name HOSTNAME -vnc :,to=99 -display none -serial pty -device cirrus-vga,vgamem_mb=8 -boot order=c -usb -usbdevice tablet -smp 2,maxcpus=2 -device rtl8139,id=nic0,netdev=net0,mac=XX:XX:XX:XX:XX:XX -netdev type=tap,id=net0,ifname=vif9.0-emu,script=no,downscript=no -machine xenfv -m 6992 -drive file=/dev/VG-xen/HOSTNAME-disk,if=ide,index=0,media=disk,format=raw,cache=writeback
Xen CFG:
name = ''
builder = 'hvm'
memory = 7000
vcpus=2
shadow_memory = 8
acpi=1
vif = ['type=ioemu, bridge=xenbr0']
disk = [ 'phy:/dev/VG-xen/HOSTNMAE-disk,hda,w']
boot='c'
usbdevice='tablet'
vnc=1
vncdisplay=
vnclisten=''
vncconsole=1
serial='pty'
on_poweroff = 'destroy'
on_reboot = 'restart'
on_crash= 'restart'
Xen GPL gplpv_Vista2008x64_0.11.0.373.msi drivers being used ( https://wiki.univention.de/index.php/Installing-signed-GPLPV-drivers )
[Group.of.nepali.translators] [Bug 1745635] Re: Security release 0.99.3 available (CVE-2017-12374 CVE-2017-12375 CVE-2017-12376 CVE-2017-12377 CVE-2017-12378 CVE-2017-12379 CVE-2017-12380)
** Changed in: clamav (Ubuntu Precise) Status: Confirmed => Fix Released ** Changed in: clamav (Ubuntu Bionic) Status: Confirmed => Fix Released -- You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial. Matching subscriptions: Ubuntu 16.04 Bugs https://bugs.launchpad.net/bugs/1745635 Title: Security release 0.99.3 available (CVE-2017-12374 CVE-2017-12375 CVE-2017-12376 CVE-2017-12377 CVE-2017-12378 CVE-2017-12379 CVE-2017-12380) Status in clamav package in Ubuntu: Fix Released Status in clamav source package in Precise: Fix Released Status in clamav source package in Trusty: Fix Released Status in clamav source package in Xenial: Fix Released Status in clamav source package in Artful: Fix Released Status in clamav source package in Bionic: Fix Released Status in clamav package in Debian: Fix Released Status in clamav package in Fedora: Fix Committed Status in clamav package in Suse: Fix Released Bug description: Please upgrade clamav to 0.99.3 in Ubuntu LTS to fix critical security vulnerabilities http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html CVE-2017-12374 1. ClamAV UAF (use-after-free) Vulnerabilities The ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to a lack of input validation checking mechanisms during certain mail parsing operations. If successfully exploited, the ClamAV software could allow a variable pointing to the mail body which could cause a used after being free (use-after-free) instance which may lead to a disruption of services on an affected device to include a denial of service condition. CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H https://bugzilla.clamav.net/show_bug.cgi?id=11939 CVE-2017-12375 2. 
ClamAV Buffer Overflow Vulnerability The ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to a lack of input validation checking mechanisms during certain mail parsing functions. An unauthenticated, remote attacker could exploit this vulnerability by sending a crafted email to the affected device. This action could cause a buffer overflow condition when ClamAV scans the malicious email, allowing the attacker to potentially cause a DoS condition on an affected device. CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N /A:L https://bugzilla.clamav.net/show_bug.cgi?id=11940 CVE-2017-12376 3. ClamAV Buffer Overflow in handle_pdfname Vulnerability ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or potentially execute arbitrary code on an affected device. The vulnerability is due to improper input validation checking mechanisms when handling Portable Document Format (.pdf) files sent to an affected device. An unauthenticated, remote attacker could exploit this vulnerability by sending a crafted .pdf file to an affected device. This action could cause a buffer overflow when ClamAV scans the malicious file, allowing the attacker to cause a DoS condition or potentially execute arbitrary code. https://bugzilla.clamav.net/show_bug.cgi?id=11942 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2017-12377 4. ClamAV Mew Packet Heap Overflow Vulnerability ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or potentially execute arbitrary code on an affected device. 
The vulnerability is due to improper input validation checking mechanisms in mew packet files sent to an affected device. A successful exploit could cause a heap overflow condition when ClamAV scans the malicious file, allowing the attacker to cause a DoS condition or potentially execute arbitrary code on the affected device. https://bugzilla.clamav.net/show_bug.cgi?id=11943 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L /A:L CVE-2017-12378 5. ClamAV Buffer Over Read Vulnerability ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to improper input validation checking mechanisms of .tar (Tape Archive) files sent to an affected device. A successful exploit could cause a buffer over-read condition when ClamAV scans the malicious .tar file, potentially allowing the attacker to cause a DoS condition on the affected device. https
[Group.of.nepali.translators] [Bug 1748310] Re: [SRU][xenial]boot stalls looking for entropy in FIPS mode
** Also affects: libgcrypt20 (Ubuntu Xenial) Importance: Undecided Status: New -- You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial. Matching subscriptions: Ubuntu 16.04 Bugs https://bugs.launchpad.net/bugs/1748310 Title: [SRU][xenial]boot stalls looking for entropy in FIPS mode Status in libgcrypt20 package in Ubuntu: New Status in libgcrypt20 source package in Xenial: New Bug description: [IMPACT] libgcrypt20 is not a FIPS certified library. On a machine running FIPS enabled kernel, the library by default goes into FIPS mode if /proc/sys/crypto/fips_enabled=1. FIPS mode is not a configurable compile option currently in the library. Hence FIPS code paths are always executed on a FIPS enabled machine. In FIPS mode, it runs self tests and integrity checks and it looks for quality entropy from /dev/random. On encrypted installations, cryptsetup uses libgcrypt20. During boot on an encrypted machine running in FIPS mode, cryptsetup invokes libgcrypt and it stalls looking for quality entropy from /dev/random. This results in significant delays during startup. The issue was reported by a FIPS customer. This issue impacts xenial's version of libgcrypt. In later version of libgcrypt in Bionic, the entropy device is a global configurable option via /etc/gcrypt/random.conf config file. The config setting "only-urandom" can be used to set the entropy device to /dev/urandom globally in libgcrypt. lsb_release -rd Description: Ubuntu 16.04.3 LTS Release: 16.04 version - 1.6.5-2ubuntu0.3 [FIX] Get entropy from /dev/urandom device in FIPS mode. This does not block. [TEST] Tested on a VM installed with xenial desktop iso and one with xenial server iso. Enabled full disk encryption during install. Tested with and without FIPS. No delays were observed during boot after the fix patch was applied. 
With FIPS enabled on encrypted install, without the patch fix, the boot stalls before and after prompting for decryption password. [REGRESSION POTENTIAL] The regression potential for this is small. This patch does not take away current functionality. It changes the entropy device in FIPS mode to /dev/urandom to get faster entropy.
[Group.of.nepali.translators] [Bug 1743762] Re: Security bug in XMLTooling-C before 1.6.3 [CVE-2018-0486]
I am unsubscribing ubuntu-security-sponsors for now since there is no artful debdiff to review. Please subscribe ubuntu-security-sponsors again once an appropriate debdiff is available. Thanks! ** Changed in: xmltooling (Ubuntu Bionic) Status: Triaged => Fix Released -- You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial. Matching subscriptions: Ubuntu 16.04 Bugs https://bugs.launchpad.net/bugs/1743762 Title: Security bug in XMLTooling-C before 1.6.3 [CVE-2018-0486] Status in xmltooling package in Ubuntu: Fix Released Status in xmltooling source package in Trusty: Fix Released Status in xmltooling source package in Xenial: Fix Released Status in xmltooling source package in Artful: Triaged Status in xmltooling source package in Bionic: Fix Released Bug description: From the Debian bug report at https://www.debian.org/security/2018/dsa-4085: Philip Huppert discovered the Shibboleth service provider is vulnerable to impersonation attacks and information disclosure due to mishandling of DTDs in the XMLTooling XML parsing library. For additional details please refer to the upstream advisory at https://shibboleth.net/community/advisories/secadv_20180112.txt For the oldstable distribution (jessie), this problem has been fixed in version 1.5.3-2+deb8u2. The stable distribution (stretch) is not affected. We recommend that you upgrade your xmltooling packages. For the detailed security status of xmltooling please refer to its security tracker page at: https://security-tracker.debian.org/tracker/xmltooling This bug is fixed upstream in Debian.
[Group.of.nepali.translators] [Bug 1737364] Re: 16.04: Fix CVE-2016-1968 and CVE-2016-1624 for brotli
ACK on the debdiff in comment #1. Package is building now and will be released as a security update. Thanks! ** Also affects: brotli (Ubuntu Xenial) Importance: Undecided Status: New ** Changed in: brotli (Ubuntu) Status: New => Fix Released ** Changed in: brotli (Ubuntu Xenial) Status: New => Fix Committed -- You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial. Matching subscriptions: Ubuntu 16.04 Bugs https://bugs.launchpad.net/bugs/1737364 Title: 16.04: Fix CVE-2016-1968 and CVE-2016-1624 for brotli Status in brotli package in Ubuntu: Fix Released Status in brotli source package in Xenial: Fix Committed Bug description: Impact -- Integer underflow could be targeted as a buffer overflow https://security-tracker.debian.org/tracker/source-package/brotli Debdiff attached. Because brotli is embedded in web browsers for WOFF2 support (to be somewhat fixed by the proposed brotli MIR), this issue was already mentioned in https://usn.ubuntu.com/usn/USN-2917-1/ (Firefox) Luke Li discovered a buffer overflow during Brotli decompression in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2016-1968) https://usn.ubuntu.com/usn/USN-2895-1/ (Oxide) An integer underflow was discovered in Brotli. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking the program. (CVE-2016-1624) Regression Potential This update was published in Debian unstable/testing as 0.3.0+dfsg-3 from late March to mid June 2016 when it was superseded by a newer version. The Ubuntu security sync tool wasn't able to retrieve this version now. 
brotli has no reverse dependencies in Ubuntu and is in universe. Testing Done Only a simple build test. There is a build test to ensure basic functionality of brotli with both python2 and python3. Other Info -- The main purpose of this security update is to clear up the security history section of MIR LP: #1737053. It is mentioned in the MIR bug that it is intended for brotli 1.0.2 to be backported to Ubuntu 16.04 and 17.10 as a security update (and promoted to main there), after 17.04 reaches End of Life.
[Group.of.nepali.translators] [Bug 1745635] Re: Security release 0.99.3 available (CVE-2017-12374 CVE-2017-12375 CVE-2017-12376 CVE-2017-12377 CVE-2017-12378 CVE-2017-12379 CVE-2017-12380)
These are now published: https://usn.ubuntu.com/usn/usn-3550-1/ ** Changed in: clamav (Ubuntu Trusty) Status: Confirmed => Fix Released ** Changed in: clamav (Ubuntu Xenial) Status: Confirmed => Fix Released ** Changed in: clamav (Ubuntu Artful) Status: Confirmed => Fix Released -- You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial. Matching subscriptions: Ubuntu 16.04 Bugs https://bugs.launchpad.net/bugs/1745635 Title: Security release 0.99.3 available (CVE-2017-12374 CVE-2017-12375 CVE-2017-12376 CVE-2017-12377 CVE-2017-12378 CVE-2017-12379 CVE-2017-12380) Status in clamav package in Ubuntu: Confirmed Status in clamav source package in Precise: Confirmed Status in clamav source package in Trusty: Fix Released Status in clamav source package in Xenial: Fix Released Status in clamav source package in Artful: Fix Released Status in clamav source package in Bionic: Confirmed Status in clamav package in Debian: Fix Released Status in clamav package in Fedora: Fix Released Status in clamav package in Suse: Fix Released Bug description: Please upgrade clamav to 0.99.3 in Ubuntu LTS to fix critical security vulnerabilities http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html CVE-2017-12374 1. ClamAV UAF (use-after-free) Vulnerabilities The ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to a lack of input validation checking mechanisms during certain mail parsing operations. If successfully exploited, the ClamAV software could allow a variable pointing to the mail body which could cause a used after being free (use-after-free) instance which may lead to a disruption of services on an affected device to include a denial of service condition. 
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H https://bugzilla.clamav.net/show_bug.cgi?id=11939 CVE-2017-12375 2. ClamAV Buffer Overflow Vulnerability The ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to a lack of input validation checking mechanisms during certain mail parsing functions. An unauthenticated, remote attacker could exploit this vulnerability by sending a crafted email to the affected device. This action could cause a buffer overflow condition when ClamAV scans the malicious email, allowing the attacker to potentially cause a DoS condition on an affected device. CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N /A:L https://bugzilla.clamav.net/show_bug.cgi?id=11940 CVE-2017-12376 3. ClamAV Buffer Overflow in handle_pdfname Vulnerability ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or potentially execute arbitrary code on an affected device. The vulnerability is due to improper input validation checking mechanisms when handling Portable Document Format (.pdf) files sent to an affected device. An unauthenticated, remote attacker could exploit this vulnerability by sending a crafted .pdf file to an affected device. This action could cause a buffer overflow when ClamAV scans the malicious file, allowing the attacker to cause a DoS condition or potentially execute arbitrary code. https://bugzilla.clamav.net/show_bug.cgi?id=11942 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2017-12377 4. ClamAV Mew Packet Heap Overflow Vulnerability ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or potentially execute arbitrary code on an affected device. 
The vulnerability is due to improper input validation checking mechanisms in mew packet files sent to an affected device. A successful exploit could cause a heap overflow condition when ClamAV scans the malicious file, allowing the attacker to cause a DoS condition or potentially execute arbitrary code on the affected device. https://bugzilla.clamav.net/show_bug.cgi?id=11943 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L /A:L CVE-2017-12378 5. ClamAV Buffer Over Read Vulnerability ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to improper input validation checking mechanisms of .tar (Tape Archive) files sent to an affected device. A successful exploit could cause a buffer over-read condition whe
[Group.of.nepali.translators] [Bug 1740323] Re: Enigmail should be updated to version 1.9.9 following Cure53 audit
I just published updates for this. Thanks. ** Changed in: enigmail (Ubuntu Trusty) Status: Confirmed => Fix Released ** Changed in: enigmail (Ubuntu Xenial) Status: Confirmed => Fix Released ** Changed in: enigmail (Ubuntu Artful) Status: Confirmed => Fix Released -- You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial. Matching subscriptions: Ubuntu 16.04 Bugs https://bugs.launchpad.net/bugs/1740323 Title: Enigmail should be updated to version 1.9.9 following Cure53 audit Status in enigmail package in Ubuntu: Fix Released Status in enigmail source package in Trusty: Fix Released Status in enigmail source package in Xenial: Fix Released Status in enigmail source package in Artful: Fix Released Status in enigmail source package in Bionic: Fix Released Bug description: Enigmail was recently audited by the security firm Cure53. According to the Enigmail changelog at https://www.enigmail.net/index.php/en/download/changelog regarding version 1.9.9, "This release addresses security vulnerabilities discovered by Cure53." The "enigmail" package in all supported versions of Ubuntu should be updated to version 1.9.9.
[Group.of.nepali.translators] [Bug 1742933] Re: Regression in 2018-01-08 updates
** Changed in: intel-microcode (Ubuntu Zesty) Status: Confirmed => Won't Fix -- You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial. Matching subscriptions: Ubuntu 16.04 Bugs https://bugs.launchpad.net/bugs/1742933 Title: Regression in 2018-01-08 updates Status in intel-microcode package in Ubuntu: Confirmed Status in intel-microcode source package in Trusty: Fix Released Status in intel-microcode source package in Xenial: Fix Released Status in intel-microcode source package in Zesty: Won't Fix Status in intel-microcode source package in Artful: Fix Released Status in intel-microcode source package in Bionic: Confirmed Status in intel-microcode package in Debian: New Bug description: There is a regression in the Intel 20180108 microcode updates that is causing issues for some devices: https://newsroom.intel.com/news/intel-security-issue-update-addressing-reboot-issues/
[Group.of.nepali.translators] [Bug 1740323] Re: Enigmail should be updated to version 1.9.9 following Cure53 audit
** Also affects: enigmail (Ubuntu Artful) Importance: Undecided Status: New ** Also affects: enigmail (Ubuntu Bionic) Importance: Undecided Status: Incomplete ** Also affects: enigmail (Ubuntu Trusty) Importance: Undecided Status: New ** Also affects: enigmail (Ubuntu Xenial) Importance: Undecided Status: New ** Changed in: enigmail (Ubuntu Bionic) Status: Incomplete => Fix Released ** Changed in: enigmail (Ubuntu Trusty) Status: New => Confirmed ** Changed in: enigmail (Ubuntu Xenial) Status: New => Confirmed ** Changed in: enigmail (Ubuntu Artful) Status: New => Confirmed ** Changed in: enigmail (Ubuntu Trusty) Importance: Undecided => High ** Changed in: enigmail (Ubuntu Xenial) Importance: Undecided => High ** Changed in: enigmail (Ubuntu Artful) Importance: Undecided => High -- You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial. Matching subscriptions: Ubuntu 16.04 Bugs https://bugs.launchpad.net/bugs/1740323 Title: Enigmail should be updated to version 1.9.9 following Cure53 audit Status in enigmail package in Ubuntu: Fix Released Status in enigmail source package in Trusty: Confirmed Status in enigmail source package in Xenial: Confirmed Status in enigmail source package in Artful: Confirmed Status in enigmail source package in Bionic: Fix Released Bug description: Enigmail was recently audited by the security firm Cure53. According to the Enigmail changelog at https://www.enigmail.net/index.php/en/download/changelog regarding version 1.9.9, "This release addresses security vulnerabilities discovered by Cure53." The "enigmail" package in all supported versions of Ubuntu should be updated to version 1.9.9. 
[Group.of.nepali.translators] [Bug 1742364] Re: Updated microcode for Spectre fix
Updates have been released: https://usn.ubuntu.com/usn/usn-3531-1

** Changed in: intel-microcode (Ubuntu Trusty) Status: Confirmed => Fix Released
** Changed in: intel-microcode (Ubuntu Xenial) Status: Confirmed => Fix Released
** Changed in: intel-microcode (Ubuntu Zesty) Status: Confirmed => Fix Released
** Changed in: intel-microcode (Ubuntu Artful) Status: Confirmed => Fix Released
** Changed in: intel-microcode (Ubuntu Bionic) Status: Triaged => Fix Released

https://bugs.launchpad.net/bugs/1742364

Title: Updated microcode for Spectre fix

Status in intel: New
Status in intel-microcode package in Ubuntu: Fix Released
Status in intel-microcode source package in Trusty: Fix Released
Status in intel-microcode source package in Xenial: Fix Released
Status in intel-microcode source package in Zesty: Fix Released
Status in intel-microcode source package in Artful: Fix Released
Status in intel-microcode source package in Bionic: Fix Released

Bug description:
Intel have finally released the updated microcode for the Spectre bug.

See https://downloadcenter.intel.com/download/27431/Linux-Processor-Microcode-Data-File?v=t

From the release note:

Intel Processor Microcode Package for Linux 20180108 Release

-- Updates upon 20171117 release --
IVT C0 (06-3e-04:ed) 428->42a
SKL-U/Y D0 (06-4e-03:c0) ba->c2
BDW-U/Y E/F (06-3d-04:c0) 25->28
HSW-ULT Cx/Dx (06-45-01:72) 20->21
Crystalwell Cx (06-46-01:32) 17->18
BDW-H E/G (06-47-01:22) 17->1b
HSX-EX E0 (06-3f-04:80) 0f->10
SKL-H/S R0 (06-5e-03:36) ba->c2
HSW Cx/Dx (06-3c-03:32) 22->23
HSX C0 (06-3f-02:6f) 3a->3b
BDX-DE V0/V1 (06-56-02:10) 0f->14
BDX-DE V2 (06-56-03:10) 70d->711
KBL-U/Y H0 (06-8e-09:c0) 62->80
KBL Y0 / CFL D0 (06-8e-0a:c0) 70->80
KBL-H/S B0 (06-9e-09:2a) 5e->80
CFL U0 (06-9e-0a:22) 70->80
CFL B0 (06-9e-0b:02) 72->80
SKX H0 (06-55-04:b7) 235->23c
GLK B0 (06-7a-01:01) 1e->22

These should be released ASAP since they will be needed for the upcoming Spectre fixes in the Kernel.

[Group.of.nepali.translators] [Bug 1717981] Re: Regression in CVE-2017-3142
Oh, yeah, that's the same regression. Sorry, I forgot I had opened this bug. Closing now. Thanks!

** Changed in: bind9 (Ubuntu Trusty) Status: New => Fix Released
** Changed in: bind9 (Ubuntu Xenial) Status: New => Fix Released
** Changed in: bind9 (Ubuntu Zesty) Status: New => Fix Released
** Changed in: bind9 (Ubuntu Artful) Status: Fix Committed => Fix Released
** Changed in: bind9 (Ubuntu) Status: Fix Committed => Fix Released

https://bugs.launchpad.net/bugs/1717981

Title: Regression in CVE-2017-3142

Status in bind9 package in Ubuntu: Fix Released
Status in bind9 source package in Trusty: Fix Released
Status in bind9 source package in Xenial: Fix Released
Status in bind9 source package in Zesty: Fix Released
Status in bind9 source package in Artful: Fix Released
Status in bind9 package in Debian: Fix Released

Bug description:
The CVE-2017-3142 patch included in USN-3346-1 contained a regression.

See: https://lists.isc.org/pipermail/bind-announce/2017-July/001054.html

[Group.of.nepali.translators] [Bug 1617617] Re: Firewall configuration can be modified by any logged in user
@Lucas: you marked the bug as "Fix Released", so it's not appearing on any lists. I'll set it back to Confirmed.

** Changed in: firewalld (Ubuntu Xenial) Status: Fix Released => Confirmed

https://bugs.launchpad.net/bugs/1617617

Title: Firewall configuration can be modified by any logged in user

Status in firewalld package in Ubuntu: Fix Released
Status in firewalld source package in Xenial: Confirmed
Status in firewalld package in Debian: Fix Released

Bug description:
Copying from the Debian bug:

---
The following vulnerability was published for firewalld.

CVE-2016-5410[0]: Firewall configuration can be modified by any logged in user

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-5410
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1360135
[2] http://seclists.org/oss-sec/2016/q3/291
[3] https://github.com/t-woerner/firewalld/commit/0371995a58ec4c777960007b7dbee93933f760cb
---

This only affects firewalld >= 0.3.12 & < 0.4.3.3 (so trusty is not affected).

[Group.of.nepali.translators] [Bug 1721219] Re: CVE-2017-6266 CVE-2017-6267 CVE-2017-6272
This has been published. Thanks!

https://usn.ubuntu.com/usn/usn-3461-1/

** Changed in: nvidia-graphics-drivers-375 (Ubuntu) Status: In Progress => Fix Released
** Changed in: nvidia-graphics-drivers-375 (Ubuntu Trusty) Status: In Progress => Fix Released
** Changed in: nvidia-graphics-drivers-375 (Ubuntu Xenial) Status: In Progress => Fix Released
** Changed in: nvidia-graphics-drivers-375 (Ubuntu Zesty) Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1721219

Title: CVE-2017-6266 CVE-2017-6267 CVE-2017-6272

Status in nvidia-graphics-drivers-375 package in Ubuntu: Fix Released
Status in nvidia-graphics-drivers-375 source package in Trusty: Fix Released
Status in nvidia-graphics-drivers-375 source package in Xenial: Fix Released
Status in nvidia-graphics-drivers-375 source package in Zesty: Fix Released

Bug description:
CVE-2017-6266 CVE-2017-6267 CVE-2017-6272: https://nvidia.custhelp.com/app/answers/detail/a_id/4544

The packages are available for testing in the following PPA: https://launchpad.net/~albertomilone/+archive/ubuntu/nvidia-security-1

[Group.of.nepali.translators] [Bug 1719851] Re: ca-certificates isn't updated in LTS 16.04
The ca-certificates package has been updated for all releases:

https://usn.ubuntu.com/usn/usn-3432-1/

Marking bug as Fix Released. Thanks!

** Changed in: ca-certificates (Ubuntu Trusty) Status: New => Fix Released
** Changed in: ca-certificates (Ubuntu Xenial) Status: New => Fix Released
** Changed in: ca-certificates (Ubuntu Zesty) Status: New => Fix Released

https://bugs.launchpad.net/bugs/1719851

Title: ca-certificates isn't updated in LTS 16.04

Status in ca-certificates package in Ubuntu: Fix Released
Status in ca-certificates source package in Trusty: Fix Released
Status in ca-certificates source package in Xenial: Fix Released
Status in ca-certificates source package in Zesty: Fix Released
Status in ca-certificates source package in Artful: Fix Released

Bug description:
ca-certificates should contain root certificates for new CA from Amazon
They are added in version 20170717, The Artful Aardvark (pre-release freeze)
But that isn't reflected neither in zesty, nor backports or security

We recently got a letter from Amazon to update our SSL certs till October 25. Would be extremely great if ca-certificates will be updated via unattended upgrades in-time.

Marking as security, because several CAs were removed (compromised?).

Or maybe there is a reason, why root cert list isn't updated on LTS releases?

ProblemType: Bug
DistroRelease: Ubuntu 17.04
Package: ca-certificates 20161130
ProcVersionSignature: User Name 4.10.0-21.23-generic 4.10.11
Uname: Linux 4.10.0-21-generic x86_64
ApportVersion: 2.20.4-0ubuntu4.5
Architecture: amd64
Date: Wed Sep 27 11:10:01 2017
Ec2AMI: ami-6edd3078
Ec2AMIManifest: (unknown)
Ec2AvailabilityZone: us-east-1d
Ec2InstanceType: m3.medium
Ec2Kernel: unavailable
Ec2Ramdisk: unavailable
PackageArchitecture: all
SourcePackage: ca-certificates
UpgradeStatus: Upgraded to zesty on 2017-05-19 (131 days ago)

[Group.of.nepali.translators] [Bug 1719740] Re: [DSA 3984-1] Git cvsserver OS Command Injection
** Also affects: git (Ubuntu Artful) Importance: Undecided Status: New
** Also affects: git (Ubuntu Trusty) Importance: Undecided Status: New
** Also affects: git (Ubuntu Xenial) Importance: Undecided Status: New
** Also affects: git (Ubuntu Zesty) Importance: Undecided Status: New

https://bugs.launchpad.net/bugs/1719740

Title: [DSA 3984-1] Git cvsserver OS Command Injection

Status in git package in Ubuntu: In Progress
Status in git source package in Trusty: In Progress
Status in git source package in Xenial: In Progress
Status in git source package in Zesty: In Progress
Status in git source package in Artful: In Progress

Bug description:
From oss-security[1]:

[ Authors ]
joernchen
Phenoelit Group (http://www.phenoelit.de)

[ Affected Products ]
Git before 2.14.2, 2.13.6, 2.12.5, 2.11.4 and 2.10.5 (git-cvsserver)
https://git-scm.com

[ Vendor communication ]
2017-09-08 Sent vulnerability details to the git-security list
2017-09-09 Acknowledgement of the issue, git maintainers ask if a patch could be provided
2017-09-10 Patch is provided
2017-09-11 Further backtick operations are patched by the git maintainers, corrections on the provided patch
2017-09-11 Revised patch is sent out
2017-09-11 Jeff King proposes to drop `git-cvsserver`'s default invocation from `git-shell`
2017-09-22 Draft release for git 2.14.2 is created including the fixes
2017-09-26 Release of this advisory, release of fixed git versions

[ Description ]
The `git` subcommand `cvsserver` is a Perl script which makes excessive use of the backtick operator to invoke `git`. Unfortunately user input is used within some of those invocations.

It should be noted, that `git-cvsserver` will be invoked by `git-shell` by default without further configuration.

[ Example ]
Below a example of a OS Command Injection within `git-cvsserver` triggered via `git-shell`:

=8<=
[git@...t ~]$ cat .ssh/authorized_keys
command="git-shell -c \"$SSH_ORIGINAL_COMMAND\"" ssh-rsa B3NzaC
[joernchen@...t ~]$ ssh git@...alhost cvs server
Root /tmp
E /tmp/ does not seem to be a valid GIT repository
E
error 1 /tmp/ is not a valid repository
Directory .
`id>foo`
add
fatal: Not a git repository: '/tmp/'
Invalid module '`id>foo`' at /usr/lib/git-core/git-cvsserver line 3807, line 4.
[joernchen@...t ~]$
[git@...t ~]$ cat foo
uid=619(git) gid=618(git) groups=618(git)
[git@...t ~]$
=>8=

[ Solution ]
Upgrade to one of the following git versions:
* 2.14.2
* 2.13.6
* 2.12.5
* 2.11.4
* 2.10.5

[ end of file ]

---

No CVE has been assigned yet, but a fix has been released upstream and as seen above, the fixes are already in Debian.

[1] http://www.openwall.com/lists/oss-security/2017/09/26/9

[Group.of.nepali.translators] [Bug 1718222] Re: CVE-2017-9375 fix cause qemu crash
** Also affects: qemu (Ubuntu Trusty) Importance: Undecided Status: New
** Also affects: qemu (Ubuntu Artful) Importance: Undecided Status: New
** Also affects: qemu (Ubuntu Xenial) Importance: Undecided Status: New
** Also affects: qemu (Ubuntu Zesty) Importance: Undecided Status: New
** Changed in: qemu (Ubuntu Artful) Status: New => Fix Released
** Changed in: qemu (Ubuntu Trusty) Status: New => Confirmed
** Changed in: qemu (Ubuntu Xenial) Status: New => In Progress
** Changed in: qemu (Ubuntu Trusty) Status: Confirmed => In Progress
** Changed in: qemu (Ubuntu Zesty) Status: New => In Progress
** Changed in: qemu (Ubuntu Trusty) Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Changed in: qemu (Ubuntu Xenial) Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Changed in: qemu (Ubuntu Zesty) Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Changed in: qemu (Ubuntu Trusty) Importance: Undecided => High
** Changed in: qemu (Ubuntu Xenial) Importance: Undecided => High
** Changed in: qemu (Ubuntu Zesty) Importance: Undecided => High

https://bugs.launchpad.net/bugs/1718222

Title: CVE-2017-9375 fix cause qemu crash

Status in qemu package in Ubuntu: Fix Released
Status in qemu source package in Trusty: In Progress
Status in qemu source package in Xenial: In Progress
Status in qemu source package in Zesty: In Progress
Status in qemu source package in Artful: Fix Released
Status in qemu package in Debian: Fix Released

Bug description:
CVE-2017-9375 fix cause qemu crash on Ubuntu 17.04 if USB 3 controller is selected in virtual machine properties.

To reproduce this issue:
1. Install Ubuntu 17.04
2. Install package ubuntu-virt
3. Create virtual machine with USB 3 controller
4. Try to start this virtual machine

Error message from libvirt log:
qemu-system-x86_64: /build/qemu-g5EXBU/qemu-2.8+dfsg/hw/usb/hcd-xhci.c:2169: xhci_kick_epctx: Assertion `!epctx->kick_active' failed.

Workaround:
Switch controller type to USB 2, but AFAIK this is not applicable if user need to passthrough many USB devices to guest, or if user actually need USB 3 speed.

[Group.of.nepali.translators] [Bug 1698689] Re: USN-3269-1: partially applies to MariaDB too
** Changed in: mariadb-10.1 (Ubuntu Artful) Status: New => Fix Released

https://bugs.launchpad.net/bugs/1698689

Title: USN-3269-1: partially applies to MariaDB too

Status in mariadb-10.0 package in Ubuntu: Invalid
Status in mariadb-10.1 package in Ubuntu: Fix Released
Status in mariadb-5.5 package in Ubuntu: Invalid
Status in mariadb-5.5 source package in Trusty: Fix Released
Status in mariadb-10.0 source package in Xenial: Fix Released
Status in mariadb-10.0 source package in Yakkety: Won't Fix
Status in mariadb-10.1 source package in Zesty: Fix Released
Status in mariadb-10.1 source package in Artful: Fix Released

Bug description:
https://www.ubuntu.com/usn/usn-3269-1/

The security notice above also affect MariaDB and the latest release includes fixes.

I will produce a security release soon and attach more information to this bug report for:
- mariadb.5.5 in Trusty
- mariadb-10.0 in Xenial and Yakkety
- mariadb-10.1 in Zesty

(Artful can sync from Debian)

[Group.of.nepali.translators] [Bug 1709193] Re: Unable to use TLSv1.1 or 1.2 with OpenSSL compat layer
** Also affects: ssmtp (Ubuntu Artful) Importance: Undecided Status: Invalid
** Also affects: gnutls26 (Ubuntu Artful) Importance: Undecided Status: New
** Also affects: gnutls28 (Ubuntu Artful) Importance: Undecided Status: New
** Also affects: ssmtp (Ubuntu Trusty) Importance: Undecided Status: New
** Also affects: gnutls26 (Ubuntu Trusty) Importance: Undecided Status: New
** Also affects: gnutls28 (Ubuntu Trusty) Importance: Undecided Status: New
** Also affects: ssmtp (Ubuntu Xenial) Importance: Undecided Status: New
** Also affects: gnutls26 (Ubuntu Xenial) Importance: Undecided Status: New
** Also affects: gnutls28 (Ubuntu Xenial) Importance: Undecided Status: New
** Also affects: ssmtp (Ubuntu Zesty) Importance: Undecided Status: New
** Also affects: gnutls26 (Ubuntu Zesty) Importance: Undecided Status: New
** Also affects: gnutls28 (Ubuntu Zesty) Importance: Undecided Status: New
** Changed in: gnutls26 (Ubuntu Trusty) Status: New => Confirmed
** Changed in: gnutls26 (Ubuntu Xenial) Status: New => Invalid
** Changed in: gnutls26 (Ubuntu Zesty) Status: New => Invalid
** Changed in: gnutls26 (Ubuntu Artful) Status: New => Invalid
** Changed in: ssmtp (Ubuntu Trusty) Status: New => Invalid
** Changed in: ssmtp (Ubuntu Xenial) Status: New => Invalid
** No longer affects: ssmtp (Ubuntu)
** Changed in: ssmtp (Ubuntu Zesty) Status: New => Invalid
** Changed in: gnutls28 (Ubuntu Trusty) Status: New => Won't Fix
** Changed in: gnutls28 (Ubuntu Xenial) Status: New => Confirmed
** Changed in: gnutls28 (Ubuntu Zesty) Status: New => Confirmed
** Changed in: gnutls28 (Ubuntu Artful) Status: New => Confirmed

https://bugs.launchpad.net/bugs/1709193

Title: Unable to use TLSv1.1 or 1.2 with OpenSSL compat layer

Status in gnutls26 package in Ubuntu: Invalid
Status in gnutls28 package in Ubuntu: Confirmed
Status in gnutls26 source package in Trusty: Confirmed
Status in gnutls28 source package in Trusty: Won't Fix
Status in ssmtp source package in Trusty: Invalid
Status in gnutls26 source package in Xenial: Invalid
Status in gnutls28 source package in Xenial: Confirmed
Status in ssmtp source package in Xenial: Invalid
Status in gnutls26 source package in Zesty: Invalid
Status in gnutls28 source package in Zesty: Confirmed
Status in ssmtp source package in Zesty: Invalid
Status in gnutls26 source package in Artful: Invalid
Status in gnutls28 source package in Artful: Confirmed
Status in ssmtp source package in Artful: Invalid
Status in gnutls28 package in Debian: Fix Released

Bug description:
sSMTP is limited to using TLSv1.0 and the "old" ciphers that come with it. Here's a packet capture when ssmtp connects to smtp.sdeziel.info:587 that offers TLSv1.0 and higher:

$ tshark -ta -Vr submission.pcap | sed -n '/^Frame 14:/,/^Frame 15:/ p' | grep -E '^[[:space:]]+(Version|Cipher|Handshake Protocol)'
Version: TLS 1.0 (0x0301)
Handshake Protocol: Client Hello
Version: TLS 1.0 (0x0301)
Cipher Suites Length: 30
Cipher Suites (15 suites)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)
Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045)
Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)
Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0044)
Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0087)
Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)

I would expect ssmtp to use TLSv1.2 and a recent cipher like the openssl s_client is able to do:

$ echo | openssl s_client -connect smtp.sdeziel.info:587 -starttls smtp 2>/dev/null | grep -E '^[[:space:]]+(Protocol|Cipher)'
Protocol : TLSv1.2
Cipher: ECDHE-RSA-AES128-GCM-SHA256

Additional information:

$ lsb_release -rd
Description: Ubuntu 16.04.3 LTS
Release: 1

[Group.of.nepali.translators] [Bug 1707015] Re: image composite functions not working in php
Removing the patch was just a temporary fix until a proper solution is found. Re-opening bug.

** Changed in: imagemagick (Ubuntu Trusty) Status: Fix Released => Triaged
** Changed in: imagemagick (Ubuntu Xenial) Status: Fix Released => Triaged
** Information type changed from Public to Public Security

https://bugs.launchpad.net/bugs/1707015

Title: image composite functions not working in php

Status in imagemagick package in Ubuntu: Invalid
Status in imagemagick source package in Trusty: Triaged
Status in imagemagick source package in Xenial: Triaged
Status in imagemagick package in Debian: Unknown

Bug description:
We use php-imagick to make image compositions on our servers. On July 25 we got an upgrade of imagemagick, from 6.8.9.9-7ubuntu5.7 to 8:6.8.9.9-7ubuntu5.8. After that upgrade our webservers, using the php imagick bindings, stopped making composites. The composite images just have the background layer showing, with no overlay layer composited on top.

In PHP there are no errors or exceptions, and other imagick functions work fine. Reading images, scaling, making new images, rendering to bytes, all work fine. It is only the composite functions, in php bindings, that are not working.

I downgraded our webservers to imagemagick 6.8.9.9-7ubuntu5, which is still available in the ubuntu archives, and the php composite functions started working again. 6.8.9.9-7ubuntu5.7 is no longer available in the archives (http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/).

A test script to reproduce the bug is attached to this ticket. On version 6.8.9.9-7ubuntu5 this will show the ubuntu logo over a gray background. On the latest version, 6.8.9.9-7ubuntu5.8, this will show garbled fragments of the ubuntu logo over gray background, or perhaps just an empty gray background.

This bug was identified on Ubuntu 16.04.2 LTS as a result of an automatic upgrade from ubuntu security.

[Group.of.nepali.translators] [Bug 1707015] Re: image composite functions not working in php
** Bug watch added: Debian Bug tracker #870273 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870273
** Also affects: imagemagick (Debian) via https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870273 Importance: Unknown Status: Unknown

https://bugs.launchpad.net/bugs/1707015

Title: image composite functions not working in php

Status in imagemagick package in Ubuntu: Invalid
Status in imagemagick source package in Trusty: In Progress
Status in imagemagick source package in Xenial: In Progress
Status in imagemagick package in Debian: Unknown

[Group.of.nepali.translators] [Bug 1707015] Re: image composite functions not working in php
Thanks for reporting this issue, I can reproduce it on Ubuntu 14.04 LTS and Ubuntu 16.04. I will investigate the regression and will publish an update to correct this shortly.

** Also affects: imagemagick (Ubuntu Xenial) Importance: Undecided Status: New
** Also affects: imagemagick (Ubuntu Trusty) Importance: Undecided Status: New
** Changed in: imagemagick (Ubuntu) Status: New => Invalid
** Changed in: imagemagick (Ubuntu Trusty) Status: New => Confirmed
** Changed in: imagemagick (Ubuntu Xenial) Status: New => In Progress
** Changed in: imagemagick (Ubuntu Trusty) Status: Confirmed => In Progress
** Changed in: imagemagick (Ubuntu Trusty) Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Changed in: imagemagick (Ubuntu Xenial) Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Changed in: imagemagick (Ubuntu Trusty) Importance: Undecided => High
** Changed in: imagemagick (Ubuntu Xenial) Importance: Undecided => High

https://bugs.launchpad.net/bugs/1707015

Title: image composite functions not working in php

Status in imagemagick package in Ubuntu: Invalid
Status in imagemagick source package in Trusty: In Progress
Status in imagemagick source package in Xenial: In Progress

[Group.of.nepali.translators] [Bug 1706900] Re: CVE-2016-9877 RabbitMQ authentication vulnerability
** Also affects: rabbitmq-server (Ubuntu Trusty) Importance: Undecided Status: New
** Also affects: rabbitmq-server (Ubuntu Xenial) Importance: Undecided Status: New
** Changed in: rabbitmq-server (Ubuntu) Status: Triaged => Fix Released
** Changed in: rabbitmq-server (Ubuntu Trusty) Status: New => Confirmed
** Changed in: rabbitmq-server (Ubuntu Xenial) Status: New => Confirmed
** Changed in: rabbitmq-server (Ubuntu Trusty) Importance: Undecided => High
** Changed in: rabbitmq-server (Ubuntu Xenial) Importance: Undecided => High
** Changed in: rabbitmq-server (Ubuntu Trusty) Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Changed in: rabbitmq-server (Ubuntu Xenial) Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

https://bugs.launchpad.net/bugs/1706900

Title: CVE-2016-9877 RabbitMQ authentication vulnerability

Status in RabbitMQ: Fix Released
Status in rabbitmq-server package in Ubuntu: Fix Released
Status in rabbitmq-server source package in Trusty: Confirmed
Status in rabbitmq-server source package in Xenial: Confirmed

Bug description:
https://pivotal.io/security/cve-2016-9877

"MQTT (MQ Telemetry Transport) connection authentication with a username/password pair succeeds if an existing username is provided but the password is omitted from the connection request. Connections that use TLS with a client-provided certificate are not affected."

Affects RabbitMQ "3.x versions prior to 3.5.8"

Ubuntu's Xenial repos are currently offering 3.5.7-1ubuntu0.16.04.1, and according to its changelog, Pivotal's fix for CVE-2016-9877 has not been included.

[Group.of.nepali.translators] [Bug 1693893] Re: Possible remote code execution related to subtitles
** Also affects: vlc (Ubuntu Artful) Importance: Undecided Assignee: Simon Quigley (tsimonq2) Status: In Progress

https://bugs.launchpad.net/bugs/1693893

Title: Possible remote code execution related to subtitles

Status in vlc package in Ubuntu: In Progress
Status in vlc source package in Xenial: In Progress
Status in vlc source package in Zesty: In Progress
Status in vlc source package in Artful: In Progress

Bug description:
VLC 2.2.5.1 fixes buffer overflow and out of bound read bugs related to subtitle decoding. A company called "Check Point" appears to have reported them, but they did not release any details. [1]

At least the following 5 commits relate to these bugs: [2]

Presumably all currently supported Ubuntu releases are affected by at least one bug fixed by the patches.

By the way, there seem to be other security related commits in VLC that might need backporting, e.g. [3] [4]

[1]: http://blog.checkpoint.com/2017/05/23/hacked-in-translation/
[2]: https://github.com/videolan/vlc/search?q=checkpoint&type=Commits&utf8=%E2%9C%93
[3]: https://github.com/videolan/vlc/search?o=desc&p=1&q=overflow&s=committer-date&type=Commits&utf8=%E2%9C%93
[4]: https://github.com/videolan/vlc/search?o=desc&q=out+of+bound&s=committer-date&type=Commits&utf8=%E2%9C%93

[Group.of.nepali.translators] [Bug 1397091] Re: [Security] Update Wireshark in Precise, Trusty, and Utopic to include relevant security patches.
** Changed in: wireshark (Ubuntu) Status: Confirmed => Fix Released

https://bugs.launchpad.net/bugs/1397091

Title: [Security] Update Wireshark in Precise, Trusty, and Utopic to include relevant security patches.

Status in wireshark package in Ubuntu: Fix Released
Status in wireshark source package in Precise: Won't Fix
Status in wireshark source package in Trusty: Fix Released
Status in wireshark source package in Utopic: Fix Released
Status in wireshark source package in Xenial: Fix Released
Status in wireshark source package in Yakkety: Fix Released
Status in wireshark source package in Zesty: Fix Released

Bug description:
In further discussion with the security team and others, it's probably easier (and more acceptable all over at this time) to backport all the fixes for the bugs into the various affected Wireshark versions already present in the repositories.

The original description for the bug is below, and is kept for historical reasons. Additional changes and actions on the bug will be in the comments.

==

[Original Description]

In discussion with the Security team yesterday (November 26, 2014) in #ubuntu-hardened on IRC, I began digging through the list of Wireshark CVEs, attempting to correct the tracker and get the CVE statuses updated to reflect what actually does affect the versions in Trusty and later, rather than sit there with a ton of yellow and orange on the tracker.

During the discussion while I was making the revisions in my own branch of the CVE tracker, it was proposed by Marc Deslauriers that we look into a full version bump in the Wireshark package for all stable releases. Further discussion with Seth Arnold after that with me settled on targeting this for Precise, Trusty, and Utopic.

Unfortunately, security handling of this package is... tricky. There are so many CVEs that it becomes unwieldy to try and patch each individual CVE. Further discussion today (November 27, 2014) and input from Marc supports that conclusion. Therefore, it was suggested that we investigate updating the software to as close to latest as we can.

Vivid already has the patches that are included in the upstream version 1.12.2, and therefore has CVE fixes for the ones which were fixed in 1.12.2.

To that end, I propose that we do a security update for Wireshark and apply the package from Vivid (with changes as necessary for releases) to earlier releases in order to fix the numerous security updates that are pending for the package.

--

The attached debdiffs are based off of the Vivid package. The package in Vivid contains all the security fixes in 1.12.2. The update would bring the Precise, Trusty, and Utopic into relative sync with the Vivid package.

The following is the details of the changes to the package that would need to be done for each release (and this will be outlined in debdiffs later) in order to build:

Precise:
* debian/control:
  - libgnutls28-dev has a version specified in it. To build, this dependency needs its version specification to be adjusted to an earlier version number, with respect to what is in Precise
  - Remove qt build deps, to prevent the Qt builds from being done/attempted.
  - Remove the wireshark-qt package.
* debian/rules: There is a reference in the rules to the qtshark compiled executable. It needs to be removed in order for the builds to continue.
* debian/wireshark-qt.*: Remove the wireshark-qt package

Trusty:
* debian/control: program
  - libgnutls28-dev has a version specified in it. To build, this dependency needs its version specification to be adjusted to an earlier version number, with respect to what is in Trusty
  - Remove qt build deps, to prevent the Qt builds from being done/attempted.
  - Remove the wireshark-qt package.
* debian/rules: There is a reference in the rules to the qtshark compiled executable. It needs to be removed in order for the builds to continue.
* debian/wireshark-qt.*: Remove the wireshark-qt package

Utopic:
No changes need to be made to the package other than a new changelog entry targeting utopic-security. The Qt Wireshark package already exists in Utopic, therefore it did not need to be removed.

--

There should not be any major regressions by doing the version bump. There may be some UI changes, however the functionality of Wireshark will be improved, with most (if not all) of the current CVEs against the package being fixed.

--

Test builds for the attached debdiffs (targeted for the release specifically instead of the security pocket, because of it being in a PPA) can be found here: https://launchpad.net/~teward/+archive/ubu
[Group.of.nepali.translators] [Bug 1686768] Re: Restricted contacts can see servers that do not belong to them
** Changed in: nagios3 (Ubuntu Zesty) Status: Fix Committed => Fix Released

https://bugs.launchpad.net/bugs/1686768

Title: Restricted contacts can see servers that do not belong to them

Status in nagios3 package in Ubuntu: Fix Released
Status in nagios3 source package in Trusty: Fix Released
Status in nagios3 source package in Xenial: Fix Released
Status in nagios3 source package in Yakkety: Fix Released
Status in nagios3 source package in Zesty: Fix Released

Bug description:

[Impact]
* It is possible for users to see information about servers that they have not been given permission to see
* A fix should be backported because this is a security problem and causes Nagios to leak data
* The patch introduces the proper checks on hostgroup permissions as per Nagios 4.2.2

[Test Case]
* Configure Nagios to monitor multiple servers
* Create a second contact called "jbloggs" (in /etc/nagios/conf.d/contacts_nagios2.cfg)
* Create a second contact group called "oneserver" containing the second contact (in /etc/nagios/conf.d/contacts_nagios2.cfg)
* Set the contact_groups property for one of the servers to be "admins,oneserver"
* Add an entry to /etc/nagios3/htpasswd.users for the "jbloggs" user
* Login to Nagios as "jbloggs"
* On the left hand nav, visit "Hostgroups", "Hostgroups -> Summary", and "Hostgroups -> Grid", and observe that the "jbloggs" user can view information about servers they don't have permission to see (full details including screenshots can be found on the Nagios forum link below)

[Regression Potential]
* It's possible that this may create other issues when viewing hostgroups in the Nagios web interface although I have not seen any such issues, and this fix was deemed to be acceptable by the Nagios core team in Nagios 4.2.2 (tracker link below) so I think the chances of any issues are very low.

[Other Info]
* This fix is the same fix that was applied upstream in Nagios 4.2.2, although as Ubuntu doesn't ship that version the fix never made it in
* This problem didn't exist under Precise as that ran Nagios 3.2.x so this was an upstream regression that happened after that version

[Original Description]
There is a problem with the hostgroups reports that allows restricted contacts to see servers that do not belong to them provided they are in the same hostgroup.

This issue was reported to the Nagios project in 2013 here (with screenshots, sample configs, etc): https://support.nagios.com/forum/viewtopic.php?f=7&t=21794

It was fixed in Nagios 4.2.2 here: https://github.com/NagiosEnterprises/nagioscore/commit/d1b3a07ff72ece0d296b153d4d5c8c4543ed96c1#diff-b89a219dd5a0ac3e4e07f1dfd721dd78

This problem exists in Nagios 3.5.x that did not exist under 3.2.x, however it seems likely that the fix in 4.2.2 could be backported to Nagios 3.5.x.

lsb_release -rd output:
  Description: Ubuntu 16.04.2 LTS
  Release: 16.04

apt-cache policy nagios3 nagios3-cgi output:
  nagios3:
    Installed: 3.5.1.dfsg-2.1ubuntu1.1
    Candidate: 3.5.1.dfsg-2.1ubuntu1.1
    Version table:
   *** 3.5.1.dfsg-2.1ubuntu1.1 500
          500 http://gb.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
          500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
          100 /var/lib/dpkg/status
       3.5.1.dfsg-2.1ubuntu1 500
          500 http://gb.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
  nagios3-cgi:
    Installed: 3.5.1.dfsg-2.1ubuntu1.1
    Candidate: 3.5.1.dfsg-2.1ubuntu1.1
    Version table:
   *** 3.5.1.dfsg-2.1ubuntu1.1 500
          500 http://gb.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
          500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
          100 /var/lib/dpkg/status
       3.5.1.dfsg-2.1ubuntu1 500
          500 http://gb.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
[Group.of.nepali.translators] [Bug 1690380] Re: "Cannot open log file '/var/log/nagios3/nagios.log' for reading" error from nagios web UI when view alert history etc.
** Also affects: nagios3 (Ubuntu Artful) Importance: Undecided Status: Triaged
** Also affects: nagios3 (Ubuntu Trusty) Importance: Undecided Status: New
** Also affects: nagios3 (Ubuntu Zesty) Importance: Undecided Status: New
** Changed in: nagios3 (Ubuntu Trusty) Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Changed in: nagios3 (Ubuntu Xenial) Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Changed in: nagios3 (Ubuntu Yakkety) Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Changed in: nagios3 (Ubuntu Zesty) Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Changed in: nagios3 (Ubuntu Artful) Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Changed in: nagios3 (Ubuntu Trusty) Status: New => In Progress
** Changed in: nagios3 (Ubuntu Xenial) Status: New => In Progress
** Changed in: nagios3 (Ubuntu Yakkety) Status: New => In Progress
** Changed in: nagios3 (Ubuntu Zesty) Status: New => In Progress
** Changed in: nagios3 (Ubuntu Artful) Status: Triaged => In Progress
** Changed in: nagios3 (Ubuntu Trusty) Importance: Undecided => High
** Changed in: nagios3 (Ubuntu Xenial) Importance: Undecided => High
** Changed in: nagios3 (Ubuntu Yakkety) Importance: Undecided => High
** Changed in: nagios3 (Ubuntu Zesty) Importance: Undecided => High
** Changed in: nagios3 (Ubuntu Artful) Importance: Undecided => High

https://bugs.launchpad.net/bugs/1690380

Title: "Cannot open log file '/var/log/nagios3/nagios.log' for reading" error from nagios web UI when view alert history etc.

Status in nagios3 package in Ubuntu: In Progress
Status in nagios3 source package in Trusty: In Progress
Status in nagios3 source package in Xenial: In Progress
Status in nagios3 source package in Yakkety: In Progress
Status in nagios3 source package in Zesty: In Progress
Status in nagios3 source package in Artful: In Progress

Bug description:
Ubuntu 16.04.2 LTS
nagios3 and nagios3-cgi 3.5.1.dfsg-2.1ubuntu1.1

If install nagios3 package and then view Alert History, Notification History or Events pages (and maybe others), e.g.:

http://localhost/cgi-bin/nagios3/history.cgi?host=localhost

Then get the following error in place of the information that should be there:

Error: Cannot open log file '/var/log/nagios3/nagios.log' for reading!

This issue:
https://github.com/NagiosEnterprises/nagioscore/issues/303
...suggests that this is caused by the fix for CVE-2016-9566:
https://github.com/NagiosEnterprises/nagioscore/commit/ff22fd0de4938781edcbd48512d2494ca3c9c41a
...which has been back ported to 3.5.1.dfsg-2.1ubuntu1.1 according to:
https://launchpad.net/ubuntu/xenial/+source/nagios3/+changelog

The permissions and ownership of nagios.log are:

  $ ls -l /var/log/nagios3/nagios.log
  -rw--- 1 nagios adm 189 May 12 13:45 /var/log/nagios3/nagios.log
[Group.of.nepali.translators] [Bug 1670036] Re: Misapplied patches in 4.0.6-2ubuntu0.1 break reading and writing JPEG compressed files
Thanks for reporting this issue and for the updated patch. I'll prepare security regression updates and will publish them this week, likely tomorrow. Thanks!

** Also affects: tiff (Ubuntu Yakkety) Importance: Undecided Status: New
** Also affects: tiff (Ubuntu Xenial) Importance: Undecided Status: New
** Also affects: tiff (Ubuntu Trusty) Importance: Undecided Status: New
** Changed in: tiff (Ubuntu Trusty) Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Changed in: tiff (Ubuntu Xenial) Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Changed in: tiff (Ubuntu Trusty) Status: New => Confirmed
** Changed in: tiff (Ubuntu Xenial) Status: New => Confirmed
** Changed in: tiff (Ubuntu Yakkety) Status: New => Confirmed
** Changed in: tiff (Ubuntu Yakkety) Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Changed in: tiff (Ubuntu) Status: Confirmed => Invalid

https://bugs.launchpad.net/bugs/1670036

Title: Misapplied patches in 4.0.6-2ubuntu0.1 break reading and writing JPEG compressed files

Status in LibTIFF: New
Status in tiff package in Ubuntu: Invalid
Status in tiff source package in Trusty: Confirmed
Status in tiff source package in Xenial: Confirmed
Status in tiff source package in Yakkety: Confirmed

Bug description:
The patches applied to libtiff 4.0.6 in 4.0.6-2ubuntu01 seem to break JPEG tiff read and write.

To reproduce:

  $ tiffcp -c jpeg k2a.tif x.tif

(where k2a.tif is a simple uncompressed RGB strip tiff) appears to work. However, x.tif, the output, will now not read without warnings:

  $ tiffcp x.tif y.tif
  TIFFFetchNormalTag: Warning, ASCII value for tag "JPEGTables" does not end in null byte. Forcing it to be null.
  JPEGLib: Warning, Premature end of JPEG file.

This was working fine until a couple of days ago, so I guess it's one of the most recent patches.

Some packages using libtiff seem to be broken too. For example, openslide, which uses libtiff to load jp2k-compressed slide images, is no longer working:

  $ openslide-write-png CMU-1-Small-Region.svs 0 0 0 100 100 x.png
  TIFFFetchNormalTag: Warning, ASCII value for tag "JPEGTables" does not end in null byte. Forcing it to be null.
  TIFFFetchNormalTag: Warning, ASCII value for tag "JPEGTables" does not end in null byte. Forcing it
  ... repeats 8 more times
  openslide-write-png: Premature end of JPEG file

and x.png is not a valid PNG image.

The test .svs image may be downloaded here: http://openslide.cs.cmu.edu/download/openslide-testdata/Aperio/
[Group.of.nepali.translators] [Bug 1689759] Re: CVE 2017-8422 - kauth: Local privilege escalation
** Changed in: kde4libs (Ubuntu Trusty) Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1689759

Title: CVE 2017-8422 - kauth: Local privilege escalation

Status in kauth package in Ubuntu: Fix Released
Status in kde4libs package in Ubuntu: Fix Released
Status in kauth source package in Trusty: Invalid
Status in kde4libs source package in Trusty: Fix Released
Status in kauth source package in Xenial: In Progress
Status in kde4libs source package in Xenial: Fix Released
Status in kauth source package in Yakkety: Confirmed
Status in kde4libs source package in Yakkety: Fix Released
Status in kauth source package in Zesty: Fix Released
Status in kde4libs source package in Zesty: Fix Released
Status in kauth source package in Artful: Fix Released
Status in kde4libs source package in Artful: Fix Released

Bug description:
KDE Project Security Advisory

Title: kauth: Local privilege escalation
Risk Rating: High
CVE: CVE-2017-8422
Versions: kauth < 5.34, kdelibs < 4.14.32
Date: 10 May 2017

Overview
KAuth contains a logic flaw in which the service invoking dbus is not properly checked. This allows spoofing the identity of the caller and with some carefully crafted calls can lead to gaining root from an unprivileged account.

Solution
Update to kauth >= 5.34 and kdelibs >= 4.14.32 (when released)

Or apply the following patches:
kauth: https://commits.kde.org/kauth/df875f725293af53399f5146362eb158b4f9216a
kdelibs: https://commits.kde.org/kdelibs/264e97625abe2e0334f97de17f6ffb52582888ab

Credits
Thanks to Sebastian Krahmer from SUSE for the report and to Albert Astals Cid from KDE for the fix.
[Group.of.nepali.translators] [Bug 1689759] Re: CVE 2017-8422 - kauth: Local privilege escalation
ACK on the debdiffs in comments #1 and #2. I have uploaded them for releasing as a security update, with a few minor changes, such as targeting the security pocket, some whitespace changes in the changelog, and adding the new patch to the end of the series file rather than at the beginning. Thanks!

** Also affects: kde4libs (Ubuntu Xenial) Importance: Undecided Status: New
** Also affects: kauth (Ubuntu Xenial) Importance: Undecided Status: New
** Also affects: kde4libs (Ubuntu Artful) Importance: Undecided Status: Confirmed
** Also affects: kauth (Ubuntu Artful) Importance: Undecided Status: Confirmed
** Also affects: kde4libs (Ubuntu Trusty) Importance: Undecided Status: New
** Also affects: kauth (Ubuntu Trusty) Importance: Undecided Status: New
** Also affects: kde4libs (Ubuntu Yakkety) Importance: Undecided Status: New
** Also affects: kauth (Ubuntu Yakkety) Importance: Undecided Status: New
** Also affects: kde4libs (Ubuntu Zesty) Importance: Undecided Status: New
** Also affects: kauth (Ubuntu Zesty) Importance: Undecided Status: New
** Changed in: kde4libs (Ubuntu Trusty) Importance: Undecided => High
** Changed in: kde4libs (Ubuntu Trusty) Status: New => Confirmed
** Changed in: kde4libs (Ubuntu Trusty) Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Changed in: kde4libs (Ubuntu Xenial) Importance: Undecided => High
** Changed in: kde4libs (Ubuntu Xenial) Status: New => Confirmed
** Changed in: kde4libs (Ubuntu Yakkety) Importance: Undecided => High
** Changed in: kde4libs (Ubuntu Yakkety) Status: New => Confirmed
** Changed in: kde4libs (Ubuntu Zesty) Importance: Undecided => High
** Changed in: kde4libs (Ubuntu Zesty) Status: New => Confirmed
** Changed in: kde4libs (Ubuntu Zesty) Status: Confirmed => In Progress
** Changed in: kauth (Ubuntu Trusty) Status: New => Invalid
** Changed in: kauth (Ubuntu Xenial) Importance: Undecided => High
** Changed in: kauth (Ubuntu Xenial) Status: New => Confirmed
** Changed in: kauth (Ubuntu Yakkety) Importance: Undecided => High
** Changed in: kauth (Ubuntu Yakkety) Status: New => Confirmed
** Changed in: kauth (Ubuntu Zesty) Importance: Undecided => High
** Changed in: kauth (Ubuntu Zesty) Status: New => Confirmed
** Changed in: kauth (Ubuntu Zesty) Status: Confirmed => In Progress
** Changed in: kauth (Ubuntu Artful) Importance: Undecided => High
** Changed in: kde4libs (Ubuntu Artful) Importance: Undecided => High
** Changed in: kde4libs (Ubuntu Trusty) Status: Confirmed => In Progress

https://bugs.launchpad.net/bugs/1689759

Title: CVE 2017-8422 - kauth: Local privilege escalation

Status in kauth package in Ubuntu: Confirmed
Status in kde4libs package in Ubuntu: Confirmed
Status in kauth source package in Trusty: Invalid
Status in kde4libs source package in Trusty: In Progress
Status in kauth source package in Xenial: Confirmed
Status in kde4libs source package in Xenial: Confirmed
Status in kauth source package in Yakkety: Confirmed
Status in kde4libs source package in Yakkety: Confirmed
Status in kauth source package in Zesty: In Progress
Status in kde4libs source package in Zesty: In Progress
Status in kauth source package in Artful: Confirmed
Status in kde4libs source package in Artful: Confirmed

Bug description:
KDE Project Security Advisory

Title: kauth: Local privilege escalation
Risk Rating: High
CVE: CVE-2017-8422
Versions: kauth < 5.34, kdelibs < 4.14.32
Date: 10 May 2017

Overview
KAuth contains a logic flaw in which the service invoking dbus is not properly checked. This allows spoofing the identity of the caller and with some carefully crafted calls can lead to gaining root from an unprivileged account.

Solution
Update to kauth >= 5.34 and kdelibs >= 4.14.32 (when released)

Or apply the following patches:
kauth: https://commits.kde.org/kauth/df875f725293af53399f5146362eb158b4f9216a
kdelibs: https://commits.kde.org/kdelibs/264e97625abe2e0334f97de17f6ffb52582888ab

Credits
Thanks to Sebastian Krahmer from SUSE for the report and to Albert Astals Cid from KDE for the fix.
[Group.of.nepali.translators] [Bug 1529276] Re: Local keyboard layout is selected only after entering full system encryption key
** Also affects: ubiquity (Ubuntu Xenial) Importance: Undecided Status: New
** Also affects: ubiquity (Ubuntu Zesty) Importance: Undecided Status: Confirmed
** Also affects: ubiquity (Ubuntu Yakkety) Importance: Undecided Status: New
** Changed in: ubiquity (Ubuntu Xenial) Status: New => Confirmed
** Changed in: ubiquity (Ubuntu Yakkety) Status: New => Confirmed
** Changed in: ubiquity (Ubuntu Xenial) Importance: Undecided => High
** Changed in: ubiquity (Ubuntu Yakkety) Importance: Undecided => High
** Changed in: ubiquity (Ubuntu Zesty) Importance: Undecided => High
** Changed in: ubiquity (Ubuntu Xenial) Assignee: (unassigned) => Dimitri John Ledkov (xnox)
** Changed in: ubiquity (Ubuntu Yakkety) Assignee: (unassigned) => Dimitri John Ledkov (xnox)
** Changed in: ubiquity (Ubuntu Zesty) Assignee: (unassigned) => Dimitri John Ledkov (xnox)
** Information type changed from Public to Public Security

https://bugs.launchpad.net/bugs/1529276

Title: Local keyboard layout is selected only after entering full system encryption key

Status in ubiquity package in Ubuntu: Confirmed
Status in ubiquity source package in Xenial: Confirmed
Status in ubiquity source package in Yakkety: Confirmed
Status in ubiquity source package in Zesty: Confirmed

Bug description:
When choosing to do a full system encryption while installing Ubuntu, the user is asked to set the encryption key *before* they have the opportunity to select the correct keymap.

E.g. I use a german keyboard but when I enter my desired encryption key the keymap is still in "US" mode, so some letters and symbols are on different positions on the keyboard. This is confusing because the user has to enter the desired key in "US" mode and has to find out where the right symbols are located in order to get the "correct" encryption key afterwards. Not using these keys is not a great solution, because not being able to use most symbols sacrifices the ability to enter a strong encryption key.

ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: ubiquity (not installed)
ProcVersionSignature: Ubuntu 4.2.0-16.19-generic 4.2.3
Uname: Linux 4.2.0-16-generic x86_64
ApportVersion: 2.19.1-0ubuntu3
Architecture: amd64
CurrentDesktop: MATE
Date: Fri Dec 25 18:38:02 2015
InstallationDate: Installed on 2015-12-25 (0 days ago)
InstallationMedia: Ubuntu-MATE 15.10 "Wily Werewolf" - Release amd64 (20151021)
SourcePackage: ubiquity
UpgradeStatus: No upgrade log present (probably fresh install)
[Group.of.nepali.translators] [Bug 1672686] Re: CVE-2017-2784 - Freeing of memory allocated on stack when validating a public key with a secp224k1 curve
Since there is nothing left to sponsor, I am unsubscribing ubuntu-security-sponsors. Please re-subscribe the group when attaching another debdiff. Thanks!

** Also affects: polarssl (Ubuntu Xenial) Importance: Undecided Status: New
** Also affects: mbedtls (Ubuntu Xenial) Importance: Undecided Status: New
** Also affects: polarssl (Ubuntu Yakkety) Importance: Undecided Status: New
** Also affects: mbedtls (Ubuntu Yakkety) Importance: Undecided Status: New
** Changed in: mbedtls (Ubuntu Xenial) Status: New => Fix Released
** Changed in: mbedtls (Ubuntu Yakkety) Status: New => Fix Committed
** Changed in: mbedtls (Ubuntu Yakkety) Status: Fix Committed => Fix Released
** Changed in: polarssl (Ubuntu Xenial) Status: New => Confirmed
** Changed in: polarssl (Ubuntu Yakkety) Status: New => Confirmed

https://bugs.launchpad.net/bugs/1672686

Title: CVE-2017-2784 - Freeing of memory allocated on stack when validating a public key with a secp224k1 curve

Status in mbedtls package in Ubuntu: Fix Released
Status in polarssl package in Ubuntu: Incomplete
Status in mbedtls source package in Xenial: Fix Released
Status in polarssl source package in Xenial: Confirmed
Status in mbedtls source package in Yakkety: Fix Released
Status in polarssl source package in Yakkety: Confirmed
Status in mbedtls package in Debian: Fix Released
Status in polarssl package in Debian: Confirmed

Bug description:
The following security bug was published for mbedtls:

Freeing of memory allocated on stack when validating a public key with a secp224k1 curve

[Vulnerability]
If a malicious peer supplies a certificate with a specially crafted secp224k1 public key, then an attacker can cause the server or client to attempt to free block of memory held on stack.

[Impact]
Depending on the platform, this could result in a Denial of Service (client crash) or potentially could be exploited to allow remote code execution with the same privileges as the host application.

[Resolution]
Affected users should upgrade to mbed TLS 1.3.19, mbed TLS 2.1.7 or mbed TLS 2.4.2.

https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2017-01
[Group.of.nepali.translators] [Bug 1669764] Re: security update spams log file
** Changed in: munin (Ubuntu) Status: Fix Committed => Fix Released

https://bugs.launchpad.net/bugs/1669764

Title: security update spams log file

Status in munin package in Ubuntu: Fix Released
Status in munin source package in Trusty: Fix Released
Status in munin source package in Xenial: Fix Released
Status in munin source package in Yakkety: Fix Released
Status in munin package in Debian: Fix Released

Bug description:
The munin security update caused a regression that is spamming the log file with:

  2017/03/02 06:53:56 [PERL WARNING] Use of uninitialized value $size_x in string eq at /usr/lib/munin/cgi/munin-cgi-graph line 453.
[Group.of.nepali.translators] [Bug 1675698] Re: Cannot access anything under a subdirectory if symlinks are disallowed
** Changed in: samba (Ubuntu Zesty) Status: Confirmed => Invalid

https://bugs.launchpad.net/bugs/1675698

Title: Cannot access anything under a subdirectory if symlinks are disallowed

Status in samba: Unknown
Status in samba package in Ubuntu: Invalid
Status in samba source package in Precise: Fix Released
Status in samba source package in Trusty: Fix Released
Status in samba source package in Xenial: Fix Released
Status in samba source package in Yakkety: Fix Released
Status in samba source package in Zesty: Invalid
Status in samba package in Debian: Confirmed

Bug description:
After upgrading to 4.3.11+dfsg-0ubuntu0.14.04.6, some of my shares broke in a curious way. The affected shares have `follow symlinks = no`; the ones with `follow symlinks = yes` aren't affected AFAICT. Allowing symlinks on one of the affected shares mitigates the issue for that share.

The issue is that access to anything under a direct subdirectory of the share doesn't work. I can create a directory in `\\srv\share`, e.g. `\\srv\share\foo`, but I can't create any files or directories inside it, e.g. creating `\\srv\share\foo\bar` ends up with error 50 (The request is not supported). Attempts to access existing files or directories at this level produce error 59 (An unexpected network error occured).

The log at level 2 says:

```
../source3/smbd/vfs.c:1298(check_reduced_name) check_reduced_name: Bad access attempt: branches is a symlink to foo/bar
```

... or:

```
../source3/smbd/vfs.c:1298(check_reduced_name) check_reduced_name: Bad access attempt: . is a symlink to foo
```
[Group.of.nepali.translators] [Bug 1674005] Re: audiofile: Multiple security issues from March 2017
** Changed in: audiofile (Ubuntu) Status: New => Fix Released -- You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial. Matching subscriptions: Ubuntu 16.04 Bugs https://bugs.launchpad.net/bugs/1674005 Title: audiofile: Multiple security issues from March 2017 Status in audiofile package in Ubuntu: Fix Released Status in audiofile source package in Precise: Fix Released Status in audiofile source package in Trusty: Fix Released Status in audiofile source package in Xenial: Fix Released Status in audiofile source package in Yakkety: Fix Released Bug description: https://security-tracker.debian.org/tracker/source-package/audiofile http://openwall.com/lists/oss-security/2017/02/26/ https://github.com/mpruett/audiofile/issues/32 https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-msadpcminitializecoefficients-msadpcm-cpp https://github.com/mpruett/audiofile/commit/c48e4c6503 Fixed in Debian unstable 0.3.6-4 and synced to zesty. debdiffs attached for 14.04 LTS and up. For 12.04 LTS, audiofile was in main so someone should probably try to apply the patches there too. I've done no testing of these packages.
[Group.of.nepali.translators] [Bug 1674005] Re: audiofile: Multiple security issues from March 2017
ACK on the debdiffs in comments 1, 2 and 3. I'm building them now with a slight change to add a missing CVE. I'll publish them once I've finished backporting to precise and have tested precise and trusty. Thanks! ** Also affects: audiofile (Ubuntu Trusty) Importance: Undecided Status: New ** Also affects: audiofile (Ubuntu Precise) Importance: Undecided Status: New -- You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial. Matching subscriptions: Ubuntu 16.04 Bugs https://bugs.launchpad.net/bugs/1674005 Title: audiofile: Multiple security issues from March 2017 Status in audiofile package in Ubuntu: New Status in audiofile source package in Precise: New Status in audiofile source package in Trusty: New Status in audiofile source package in Xenial: New Status in audiofile source package in Yakkety: New Bug description: https://security-tracker.debian.org/tracker/source-package/audiofile http://openwall.com/lists/oss-security/2017/02/26/ https://github.com/mpruett/audiofile/issues/32 https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-msadpcminitializecoefficients-msadpcm-cpp https://github.com/mpruett/audiofile/commit/c48e4c6503 Fixed in Debian unstable 0.3.6-4 and synced to zesty. debdiffs attached for 14.04 LTS and up. For 12.04 LTS, audiofile was in main so someone should probably try to apply the patches there too. I've done no testing of these packages.
[Group.of.nepali.translators] [Bug 1669764] Re: security update spams log file
https://github.com/munin-monitoring/munin/issues/804 ** Also affects: munin (Ubuntu Xenial) Importance: Undecided Status: New ** Also affects: munin (Ubuntu Yakkety) Importance: Undecided Status: New ** Also affects: munin (Ubuntu Trusty) Importance: Undecided Status: New ** Changed in: munin (Ubuntu Trusty) Assignee: (unassigned) => Marc Deslauriers (mdeslaur) ** Changed in: munin (Ubuntu Xenial) Assignee: (unassigned) => Marc Deslauriers (mdeslaur) ** Changed in: munin (Ubuntu Yakkety) Assignee: (unassigned) => Marc Deslauriers (mdeslaur) -- You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial. Matching subscriptions: Ubuntu 16.04 Bugs https://bugs.launchpad.net/bugs/1669764 Title: security update spams log file Status in munin package in Ubuntu: New Status in munin source package in Trusty: New Status in munin source package in Xenial: New Status in munin source package in Yakkety: New Status in munin package in Debian: Unknown Bug description: The munin security update caused a regression that is spamming the log file with: 2017/03/02 06:53:56 [PERL WARNING] Use of uninitialized value $size_x in string eq at /usr/lib/munin/cgi/munin-cgi-graph line 453.
[Group.of.nepali.translators] [Bug 1666358] Re: iio-sensor-proxy: Insecure configuration of dbus service
** Changed in: iio-sensor-proxy (Ubuntu) Status: Confirmed => Fix Released -- You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial. Matching subscriptions: Ubuntu 16.04 Bugs https://bugs.launchpad.net/bugs/1666358 Title: iio-sensor-proxy: Insecure configuration of dbus service Status in IIO Sensor Proxy: Fix Released Status in iio-sensor-proxy package in Ubuntu: Fix Released Status in iio-sensor-proxy source package in Xenial: Fix Released Status in iio-sensor-proxy source package in Yakkety: Fix Released Status in iio-sensor-proxy package in Debian: Fix Released

Bug description: The dbus configuration for iio-sensor-proxy allowed any process on the system bus to send an org.freedesktop.DBus.Properties.Set() call to any other process on the system bus, even if the destination process expected to be only accessible by root. https://github.com/hadess/iio-sensor-proxy/commit/e2d81f2 This was fixed in the upstream version 2.1 and in Debian's 2.0-4 (which was autosynced to zesty).

Test Case

```
dbus-send --system --dest=org.freedesktop.nm_dispatcher --type=method_call \
    --print-reply / org.freedesktop.DBus.Properties.Set string:Foo variant:string:bar
```

Bad response:

```
Error org.freedesktop.DBus.Error.UnknownMethod: No such interface 'org.freedesktop.DBus.Properties' on object at path /
```

Good response:

```
Error org.freedesktop.DBus.Error.AccessDenied: Rejected send message, 2 matched rules; type="method_call", sender=":1.5523" (uid=1000 pid=13527 comm="dbus-send --system --dest=org.freedesktop.nm_dispa") interface="org.freedesktop.DBus.Properties" member="Set" error name="(unset)" requested_reply="0" destination="org.freedesktop.nm_dispatcher" (uid=0 pid=13528 comm="/usr/lib/NetworkManager/nm-dispatcher ")
```

Testing Done

I built the packages in my PPA and installed to Ubuntu GNOME 16.04.2 and 16.10. The test cases completed successfully after install; no log out required.
[Group.of.nepali.translators] [Bug 1648998] Re: Fix CVE-2016-9839 & CVE-2017-5522
** Also affects: mapserver (Ubuntu Precise) Importance: Undecided Status: New ** Also affects: mapserver (Ubuntu Xenial) Importance: Undecided Status: New ** Also affects: mapserver (Ubuntu Trusty) Importance: Undecided Status: New ** Also affects: mapserver (Ubuntu Zesty) Importance: Medium Status: Triaged ** Also affects: mapserver (Ubuntu Yakkety) Importance: Undecided Status: New ** Changed in: mapserver (Ubuntu Zesty) Status: Triaged => Fix Released -- You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial. Matching subscriptions: Ubuntu 16.04 Bugs https://bugs.launchpad.net/bugs/1648998 Title: Fix CVE-2016-9839 & CVE-2017-5522 Status in mapserver package in Ubuntu: Fix Released Status in mapserver source package in Precise: Fix Released Status in mapserver source package in Trusty: Fix Released Status in mapserver source package in Xenial: Fix Released Status in mapserver source package in Yakkety: Fix Released Status in mapserver source package in Zesty: Fix Released Bug description: In MapServer before 7.0.3, OGR driver error messages are too verbose and may leak sensitive information if data connection fails. https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9839.html Packages for Debian have been updated - we should apply the same in Ubuntu.
[Group.of.nepali.translators] [Bug 1638125] Re: USN-3109-1: MySQL vulnerabilities partially applies to MariaDB too
** Changed in: mariadb-10.0 (Ubuntu Zesty) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial. Matching subscriptions: Ubuntu 16.04 Bugs https://bugs.launchpad.net/bugs/1638125 Title: USN-3109-1: MySQL vulnerabilities partially applies to MariaDB too Status in mariadb-10.0 package in Ubuntu: Fix Released Status in mariadb-5.5 source package in Trusty: Fix Released Status in mariadb-10.0 source package in Xenial: Fix Released Status in mariadb-10.0 source package in Yakkety: Fix Released Status in mariadb-10.0 source package in Zesty: Fix Released Bug description: The mentioned security notice also affects MariaDB and the latest release includes fixes. I will produce a security release soon and attach more information to this bug report for: - mariadb.5.5 in Trusty - mariadb-10.0 in Xenial and Yakkety (zesty can sync from Debian)
[Group.of.nepali.translators] [Bug 1629085] Re: CVE-2016-5180: out-of-bounds write in ares_create_query and ares_mkquery
** Changed in: c-ares (Ubuntu) Status: Confirmed => Fix Released -- You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial. Matching subscriptions: Ubuntu 16.04 Bugs https://bugs.launchpad.net/bugs/1629085 Title: CVE-2016-5180: out-of-bounds write in ares_create_query and ares_mkquery Status in c-ares package in Ubuntu: Fix Released Status in c-ares source package in Precise: Fix Released Status in c-ares source package in Trusty: Fix Released Status in c-ares source package in Xenial: Fix Released Status in c-ares source package in Yakkety: Fix Released Status in c-ares package in Debian: Fix Released

Bug description: A new upstream version of c-ares has been released which addresses a security vulnerability.

From: Daniel Stenberg
Date: Thu, 29 Sep 2016 16:02:10 +0200 (CEST)

`ares_create_query` single byte out of buffer write

Project c-ares Security Advisory, September 29, 2016 - [Permalink](https://c-ares.haxx.se/adv_20160929.html)

VULNERABILITY

When a string is passed in to `ares_create_query` or `ares_mkquery` and uses an escaped trailing dot, like "hello\.", c-ares calculates the string length wrong and subsequently writes outside of the allocated buffer with one byte. The wrongly written byte is the least significant byte of the 'dnsclass' argument; most commonly 1. We have seen proof of concept code showing how this can be exploited in a real-world system, but we are not aware of any such instances having actually happened in the wild.

INFO

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2016-5180 to this issue.

AFFECTED VERSIONS

This flaw exists in the following c-ares versions.

- Affected versions: libcurl 1.0.0 to and including 1.11.0
- Not affected versions: c-ares >= 1.12.0
[Group.of.nepali.translators] [Bug 1643901] Re: flxdec security update tracking bug
** Changed in: gst-plugins-good0.10 (Ubuntu Precise) Status: In Progress => Fix Released ** Changed in: gst-plugins-good0.10 (Ubuntu Trusty) Status: In Progress => Fix Released ** Changed in: gst-plugins-good0.10 (Ubuntu Xenial) Status: In Progress => Fix Released ** Changed in: gst-plugins-good1.0 (Ubuntu Trusty) Status: In Progress => Fix Released ** Changed in: gst-plugins-good1.0 (Ubuntu Xenial) Status: In Progress => Fix Released ** Changed in: gst-plugins-good1.0 (Ubuntu Yakkety) Status: In Progress => Fix Released -- You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial. Matching subscriptions: Ubuntu 16.04 Bugs https://bugs.launchpad.net/bugs/1643901 Title: flxdec security update tracking bug Status in gst-plugins-good0.10 package in Ubuntu: Invalid Status in gst-plugins-good1.0 package in Ubuntu: Confirmed Status in gst-plugins-good0.10 source package in Precise: Fix Released Status in gst-plugins-good1.0 source package in Precise: Invalid Status in gst-plugins-good0.10 source package in Trusty: Fix Released Status in gst-plugins-good1.0 source package in Trusty: Fix Released Status in gst-plugins-good0.10 source package in Xenial: Fix Released Status in gst-plugins-good1.0 source package in Xenial: Fix Released Status in gst-plugins-good0.10 source package in Yakkety: Invalid Status in gst-plugins-good1.0 source package in Yakkety: Fix Released Status in gst-plugins-good0.10 source package in Zesty: Invalid Status in gst-plugins-good1.0 source package in Zesty: Confirmed Bug description: This bug is to track the security update to fix the flxdec out-of-bounds write.
[Group.of.nepali.translators] [Bug 1643901] [NEW] flxdec security update tracking bug
*** This bug is a security vulnerability *** Public security bug reported: This bug is to track the security update to fix the flxdec out-of-bounds write. ** Affects: gst-plugins-good0.10 (Ubuntu) Importance: Undecided Status: Invalid ** Affects: gst-plugins-good1.0 (Ubuntu) Importance: Undecided Status: Confirmed ** Affects: gst-plugins-good0.10 (Ubuntu Precise) Importance: Medium Assignee: Marc Deslauriers (mdeslaur) Status: In Progress ** Affects: gst-plugins-good1.0 (Ubuntu Precise) Importance: Undecided Status: Invalid ** Affects: gst-plugins-good0.10 (Ubuntu Trusty) Importance: Medium Assignee: Marc Deslauriers (mdeslaur) Status: In Progress ** Affects: gst-plugins-good1.0 (Ubuntu Trusty) Importance: Medium Assignee: Marc Deslauriers (mdeslaur) Status: In Progress ** Affects: gst-plugins-good0.10 (Ubuntu Xenial) Importance: Medium Assignee: Marc Deslauriers (mdeslaur) Status: In Progress ** Affects: gst-plugins-good1.0 (Ubuntu Xenial) Importance: Medium Assignee: Marc Deslauriers (mdeslaur) Status: In Progress ** Affects: gst-plugins-good0.10 (Ubuntu Yakkety) Importance: Undecided Status: Invalid ** Affects: gst-plugins-good1.0 (Ubuntu Yakkety) Importance: Medium Assignee: Marc Deslauriers (mdeslaur) Status: In Progress ** Affects: gst-plugins-good0.10 (Ubuntu Zesty) Importance: Undecided Status: Invalid ** Affects: gst-plugins-good1.0 (Ubuntu Zesty) Importance: Undecided Status: Confirmed ** Also affects: gst-plugins-good1.0 (Ubuntu Trusty) Importance: Undecided Status: New ** Also affects: gst-plugins-good1.0 (Ubuntu Zesty) Importance: Undecided Status: New ** Also affects: gst-plugins-good1.0 (Ubuntu Precise) Importance: Undecided Status: New ** Also affects: gst-plugins-good1.0 (Ubuntu Xenial) Importance: Undecided Status: New ** Also affects: gst-plugins-good1.0 (Ubuntu Yakkety) Importance: Undecided Status: New ** Also affects: gst-plugins-good0.10 (Ubuntu) Importance: Undecided Status: New ** Changed in: gst-plugins-good1.0 (Ubuntu Precise) Status: New 
=> Invalid ** Changed in: gst-plugins-good0.10 (Ubuntu Yakkety) Status: New => Invalid ** Changed in: gst-plugins-good0.10 (Ubuntu Zesty) Status: New => Invalid ** Changed in: gst-plugins-good0.10 (Ubuntu Precise) Importance: Undecided => Medium ** Changed in: gst-plugins-good0.10 (Ubuntu Precise) Status: New => In Progress ** Changed in: gst-plugins-good0.10 (Ubuntu Precise) Assignee: (unassigned) => Marc Deslauriers (mdeslaur) ** Changed in: gst-plugins-good0.10 (Ubuntu Trusty) Importance: Undecided => Medium ** Changed in: gst-plugins-good0.10 (Ubuntu Trusty) Status: New => In Progress ** Changed in: gst-plugins-good0.10 (Ubuntu Trusty) Assignee: (unassigned) => Marc Deslauriers (mdeslaur) ** Changed in: gst-plugins-good0.10 (Ubuntu Xenial) Importance: Undecided => Medium ** Changed in: gst-plugins-good0.10 (Ubuntu Xenial) Status: New => In Progress ** Changed in: gst-plugins-good0.10 (Ubuntu Xenial) Assignee: (unassigned) => Marc Deslauriers (mdeslaur) ** Changed in: gst-plugins-good1.0 (Ubuntu Trusty) Importance: Undecided => Medium ** Changed in: gst-plugins-good1.0 (Ubuntu Trusty) Status: New => In Progress ** Changed in: gst-plugins-good1.0 (Ubuntu Trusty) Assignee: (unassigned) => Marc Deslauriers (mdeslaur) ** Changed in: gst-plugins-good1.0 (Ubuntu Xenial) Importance: Undecided => Medium ** Changed in: gst-plugins-good1.0 (Ubuntu Xenial) Status: New => In Progress ** Changed in: gst-plugins-good1.0 (Ubuntu Xenial) Assignee: (unassigned) => Marc Deslauriers (mdeslaur) ** Changed in: gst-plugins-good1.0 (Ubuntu Yakkety) Importance: Undecided => Medium ** Changed in: gst-plugins-good1.0 (Ubuntu Yakkety) Status: New => In Progress ** Changed in: gst-plugins-good1.0 (Ubuntu Yakkety) Assignee: (unassigned) => Marc Deslauriers (mdeslaur) ** Changed in: gst-plugins-good1.0 (Ubuntu Zesty) Status: New => Confirmed -- You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial. 
Matching subscriptions: Ubuntu 16.04 Bugs https://bugs.launchpad.net/bugs/1643901 Title: flxdec security update tracking bug Status in gst-plugins-good0.10 package in Ubuntu: Invalid Status in gst-plugins-good1.0 package in Ubuntu: Confirmed Status in gst-plugins-good0.10 source package in Precise: In Progress Status in gst-plugins-good1.0 source package in Precise: Invalid Status in gst-plugins-good0.10 source package in Trusty: In Progress Status in gst-plugins-good1.0 source package in Trusty: In Progress Stat
[Group.of.nepali.translators] [Bug 1639372] Re: CVE-2016-9082: DOS attack in converting SVG to PNG
Thanks for the debdiffs! While they look good, there is some discussion in the upstream bug, and the fix hasn't been committed yet. I'll wait until the fix is committed before releasing updates for the stable releases. ** Also affects: cairo (Ubuntu Precise) Importance: Undecided Status: New ** Also affects: cairo (Ubuntu Trusty) Importance: Undecided Status: New ** Also affects: cairo (Ubuntu Xenial) Importance: Undecided Status: New ** Also affects: cairo (Ubuntu Yakkety) Importance: Undecided Status: New ** Changed in: cairo (Ubuntu Precise) Status: New => Confirmed ** Changed in: cairo (Ubuntu Trusty) Status: New => Confirmed ** Changed in: cairo (Ubuntu Xenial) Status: New => Confirmed ** Changed in: cairo (Ubuntu Yakkety) Status: New => Confirmed ** Changed in: cairo (Ubuntu) Status: Confirmed => Fix Released ** Changed in: cairo (Ubuntu Precise) Importance: Undecided => Medium ** Changed in: cairo (Ubuntu Trusty) Importance: Undecided => Medium ** Changed in: cairo (Ubuntu Xenial) Importance: Undecided => Medium ** Changed in: cairo (Ubuntu Yakkety) Importance: Undecided => Medium -- You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial. Matching subscriptions: Ubuntu 16.04 Bugs https://bugs.launchpad.net/bugs/1639372 Title: CVE-2016-9082: DOS attack in converting SVG to PNG Status in cairo: Unknown Status in cairo package in Ubuntu: Fix Released Status in cairo source package in Precise: Confirmed Status in cairo source package in Trusty: Confirmed Status in cairo source package in Xenial: Confirmed Status in cairo source package in Yakkety: Confirmed Status in cairo package in Debian: Fix Released Bug description: I'm attaching debdiffs for trusty, xenial and yakkety. Zesty is already fixed by syncing cairo 1.14.6-1.1 from Debian. Maybe someone else can work on the precise update. 
Proof of Concept at http://seclists.org/oss-sec/2016/q4/44 I didn't get gdb to work, but when I tried to convert the file, I got a crash report named /var/crash/_usr_bin_rsvg-convert.1000.crash . After the update, no crash happened. I reproduced the crash and verified that the new package doesn't crash on yakkety. In xenial I wasn't able to reproduce the crash. I did not test on trusty.
[Group.of.nepali.translators] [Bug 1596486] Re: libmuse_core.so: cannot open shared object file
** Also affects: muse (Ubuntu Zesty) Importance: High Status: Fix Released ** Also affects: muse (Ubuntu Yakkety) Importance: Undecided Status: New ** Changed in: muse (Ubuntu Xenial) Status: Triaged => In Progress ** Changed in: muse (Ubuntu Yakkety) Status: New => In Progress ** Changed in: muse (Ubuntu Yakkety) Importance: Undecided => High -- You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial. Matching subscriptions: Ubuntu 16.04 Bugs https://bugs.launchpad.net/bugs/1596486 Title: libmuse_core.so: cannot open shared object file Status in muse package in Ubuntu: Fix Released Status in muse source package in Xenial: In Progress Status in muse source package in Yakkety: In Progress Status in muse source package in Zesty: Fix Released

Bug description:

[Impact]
Since Ubuntu 15.10, muse does not start and gives the following error:

$ muse
muse: error while loading shared libraries: libmuse_core.so: cannot open shared object file: No such file or directory

The fix for this should be backported to Xenial since muse is currently useless "as is".

[Technical Details]
Force muse modules to be installed under /usr/lib/muse

Ubuntu CMake contains the script 'MultiArchCross.cmake' which is invoked for all Make packages and sets CMAKE_INSTALL_LIBDIR to include the multiarch path without the install prefix (ie something like "lib/x86_64-linux-gnu"). This variable is not defined when building on Debian. Muse constructs a LIB_INSTALL_DIR variable (when it's not defined) using CMAKE_INSTALL_LIBDIR or an alternate fallback. Unfortunately later on in the script when handling the RPATH settings, Muse assumes that LIB_INSTALL_DIR is an absolute path. This is true on Debian, but not on Ubuntu. This causes a bogus RPATH to be inserted into the main Muse executable which prevents Muse from finding any of its modules and immediately crashes on startup. The simple fix is to force LIB_INSTALL_DIR=/usr/lib. Although an Ubuntu specific problem, it does no harm to do this on Debian as well.

[Test Case]
From within a terminal window, run "muse". The following error is printed:

muse: error while loading shared libraries: libmuse_core.so: cannot open shared object file: No such file or directory

When working normally, the muse arranger window should appear. If an error appears about Jack not running, you can ignore it.

[Regression Potential]
Muse is a totally independent application with no reverse dependencies in the archive. Therefore it is unlikely there will be any regressions in other packages. Since Muse is completely non-functional in Xenial, it's difficult for it to regress any further. :)

[Other Info]
A workaround for this bug is to set the linker path manually when running muse. For example:

LD_LIBRARY_PATH=/usr/lib/x86_64-linux-gnu/muse/modules muse
[Group.of.nepali.translators] [Bug 1617505] Re: gcin didnt work in gnome-terminal after updating ubuntu
** Also affects: gcin (Ubuntu Zesty) Importance: Medium Status: Confirmed ** Also affects: gcin (Ubuntu Xenial) Importance: Undecided Status: New ** Also affects: gcin (Ubuntu Yakkety) Importance: Undecided Status: New ** Changed in: gcin (Ubuntu Xenial) Status: New => Confirmed ** Changed in: gcin (Ubuntu Xenial) Importance: Undecided => Medium ** Changed in: gcin (Ubuntu Yakkety) Status: New => Confirmed ** Changed in: gcin (Ubuntu Yakkety) Importance: Undecided => Medium ** Changed in: gcin (Ubuntu Zesty) Status: Confirmed => Fix Committed ** Changed in: gcin (Ubuntu Zesty) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial. Matching subscriptions: Ubuntu 16.04 Bugs https://bugs.launchpad.net/bugs/1617505 Title: gcin didnt work in gnome-terminal after updating ubuntu Status in gcin package in Ubuntu: Fix Released Status in gcin source package in Xenial: Confirmed Status in gcin source package in Yakkety: Confirmed Status in gcin source package in Zesty: Fix Released Bug description: After updating Ubuntu to 16.04.1, gcin didn't work in gnome-terminal, and sent out the message. > /usr/bin/gnome-terminal Error creating terminal: Message recipient disconnected from message bus without replying
[Group.of.nepali.translators] [Bug 1610878] Re: pmp-check-unix-memory stopped working because of new output from free
** Also affects: nagios-plugins-contrib (Ubuntu Xenial) Importance: Undecided Status: New ** Also affects: nagios-plugins-contrib (Ubuntu Zesty) Importance: Medium Status: Confirmed ** Also affects: nagios-plugins-contrib (Ubuntu Yakkety) Importance: Undecided Status: New ** Changed in: nagios-plugins-contrib (Ubuntu Xenial) Status: New => Confirmed ** Changed in: nagios-plugins-contrib (Ubuntu Yakkety) Status: New => Confirmed -- You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial. Matching subscriptions: Ubuntu 16.04 Bugs https://bugs.launchpad.net/bugs/1610878 Title: pmp-check-unix-memory stopped working because of new output from free Status in nagios-plugins-contrib package in Ubuntu: Fix Committed Status in nagios-plugins-contrib source package in Xenial: Confirmed Status in nagios-plugins-contrib source package in Yakkety: Confirmed Status in nagios-plugins-contrib source package in Zesty: Fix Committed Bug description: Hello, Current pmp-check-unix-memory in package nagios-plugins-contrib does not work anymore, from Ubuntu Xenial. It can't fetch free memory and therefore presents it incorrectly. E.g: $ ./pmp-check-unix-memory OK Memory % used | memory_used=0;90;95;0;100 As of version 3.3.10 of package procps, the command "free" uses a different output. See: http://upstream.rosalinux.ru/changelogs/procps-ng/3.3.10/changelog.html How free memory is calculated was changed in kernel here: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=34e431b0ae398fc54ea69ff85ec700722c9da773 This problem has been fixed in the percona-monitoring-plugins repo on GitHub: https://github.com/percona/percona-monitoring-plugins/commit/b4636c49f0188d2af1235293d01396abeddacf7f I have ported and tested the fix and it is working, both on a computer with older procps and on a computer running Ubuntu Xenial. Will submit a debdiff with proposed patch shortly. Best regards, Christian Biamont
[Group.of.nepali.translators] [Bug 1627055] Re: CVE-2016-7382, 2016-7389
** Changed in: nvidia-graphics-drivers-304 (Ubuntu) Status: Triaged => Fix Released ** Changed in: nvidia-graphics-drivers-340 (Ubuntu) Status: Triaged => Fix Released ** Changed in: nvidia-graphics-drivers-367 (Ubuntu) Status: Triaged => Fix Released ** Changed in: nvidia-graphics-drivers-367 (Ubuntu Precise) Status: New => Invalid -- You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial. Matching subscriptions: Ubuntu 16.04 Bugs https://bugs.launchpad.net/bugs/1627055 Title: CVE-2016-7382, 2016-7389 Status in nvidia-graphics-drivers-304 package in Ubuntu: Fix Released Status in nvidia-graphics-drivers-340 package in Ubuntu: Fix Released Status in nvidia-graphics-drivers-367 package in Ubuntu: Fix Released Status in nvidia-graphics-drivers-304 source package in Precise: Fix Released Status in nvidia-graphics-drivers-340 source package in Precise: Fix Released Status in nvidia-graphics-drivers-367 source package in Precise: Invalid Status in nvidia-graphics-drivers-304 source package in Trusty: Fix Released Status in nvidia-graphics-drivers-340 source package in Trusty: Fix Released Status in nvidia-graphics-drivers-367 source package in Trusty: Fix Released Status in nvidia-graphics-drivers-304 source package in Xenial: Fix Released Status in nvidia-graphics-drivers-340 source package in Xenial: Fix Released Status in nvidia-graphics-drivers-367 source package in Xenial: Fix Released Bug description: The NVIDIA drivers are affected by a couple of vulnerabilities (CVE-2016-7382, 2016-7389), which NVIDIA are going to disclose on 10/19. All the NVIDIA drivers in all the supported Ubuntu releases (12.04, 14.04, 16.04) are affected. I am going to take care of the packaging and of the migrations to the new driver packages. 
To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nvidia-graphics-drivers-304/+bug/1627055/+subscriptions
[Group.of.nepali.translators] [Bug 1632244] Re: CVE-2016-6893 in Mailman
This was released: https://www.ubuntu.com/usn/usn-3118-1/

** Changed in: mailman (Ubuntu)
   Status: In Progress => Fix Released

** Changed in: mailman (Ubuntu Precise)
   Status: In Progress => Fix Released

** Changed in: mailman (Ubuntu Trusty)
   Status: In Progress => Fix Released

** Changed in: mailman (Ubuntu Xenial)
   Status: In Progress => Fix Released

** Changed in: mailman (Ubuntu Yakkety)
   Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1632244

Title: CVE-2016-6893 in Mailman

Status in mailman package in Ubuntu: Fix Released
Status in mailman source package in Precise: Fix Released
Status in mailman source package in Trusty: Fix Released
Status in mailman source package in Xenial: Fix Released
Status in mailman source package in Yakkety: Fix Released

Bug description:
Hi, when do you plan to solve CVE-2016-6893 in Mailman for Ubuntu? See https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6893.html

Best regards

To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/mailman/+bug/1632244/+subscriptions
[Group.of.nepali.translators] [Bug 1630702] Re: Fix for CVE-2016-8332 and CVE-2016-7163
** Also affects: openjpeg2 (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: openjpeg2 (Ubuntu Yakkety)
   Importance: Medium
   Assignee: Nikita Yerenkov-Scott (yerenkov-scott)
   Status: Confirmed

** Changed in: openjpeg2 (Ubuntu Xenial)
   Status: New => Confirmed

** Changed in: openjpeg2 (Ubuntu Xenial)
   Importance: Undecided => Medium

https://bugs.launchpad.net/bugs/1630702

Title: Fix for CVE-2016-8332 and CVE-2016-7163

Status in openjpeg2 package in Ubuntu: Confirmed
Status in openjpeg2 source package in Xenial: Confirmed
Status in openjpeg2 source package in Yakkety: Confirmed

Bug description:

* Impact
- CVE-2016-8332: Out-of-bound heap write possible resulting in heap corruption and arbitrary code execution
- CVE-2016-7163: Integer overflow possible resulting in arbitrary code execution via a crafted JP2 file, triggering out-of-bound read or write

* Test case
- CVE-2016-8332: Information on exploit: http://www.talosintelligence.com/reports/TALOS-2016-0193/
- CVE-2016-7163: I haven't been able to find information on the exploit for this except for the information given here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7163

* Regression potential
These patches have not been tested as I currently do not have the resources to do so.

-- Original report:

A security vulnerability was recently disclosed in OpenJPEG and assigned the CVE number of CVE-2016-8332. The vulnerability is described here (http://www.zdnet.com/article/openjpeg-zero-day-flaw-leads-to-remote-code-execution/):

"
Cisco Talos researchers have uncovered a severe zero-day flaw in the OpenJPEG JPEG 2000 codec which could lead to remote code execution on compromised systems.

On Friday, researchers from Cisco revealed the existence of the zero-day flaw in the JPEG 2000 image file format parser implemented in OpenJPEG library. The out-of-bounds vulnerability, assigned as CVE-2016-8332, could allow an out-of-bound heap write to occur resulting in heap corruption and arbitrary code execution.

OpenJPEG is an open-source JPEG 2000 codec. Written in C, the software was created to promote JPEG 2000, an image compression standard which is in popular use and is often used for tasks including embedding images within PDF documents through software including Poppler, MuPDF and Pdfium.

The bug, assigned a CVSS score of 7.5, was caused by errors in parsing mcc records in the jpeg2000 file, resulting in "an erroneous read and write of adjacent heap area memory." If manipulated, these errors can lead to heap metadata process memory corruption.

In a security advisory, the team said the security vulnerability can be exploited by attackers if victims open specifically crafted, malicious JPEG 2000 images. For example, if this content was within a phishing email or hosted on legitimate services such as Google Drive or Dropbox, once downloaded to their system, the path is created for attackers to execute code remotely.

The vulnerability was discovered by Aleksander Nikolic from the Cisco Talos security team in OpenJpeg openjp2 version 2.1.1.

Cisco Talos disclosed the vulnerability to affected vendors on 26 July, granting them time to prepare patches to fix the problem before public release.
"

I am filing this report as a fix for the issue doesn't seem to have yet been backported in and given the importance of the issue and the ease in exploiting it, it would be good if this is done soon.

This is the fix on GitHub: https://github.com/uclouvain/openjpeg/pull/820/files

To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openjpeg2/+bug/1630702/+subscriptions
[Group.of.nepali.translators] [Bug 1630700] Re: CVE - KMail - HTML injection in plain text viewer
Unsubscribing ubuntu-security-sponsors for now since there is nothing to sponsor. Once a debdiff is attached, please re-subscribe the group. Thanks!

** Changed in: kcoreaddons (Ubuntu Trusty)
   Status: New => Fix Released

** Changed in: kcoreaddons (Ubuntu Precise)
   Status: In Progress => Invalid

** Changed in: kcoreaddons (Ubuntu Trusty)
   Status: Fix Released => Invalid

** Changed in: kcoreaddons (Ubuntu Xenial)
   Status: New => Confirmed

https://bugs.launchpad.net/bugs/1630700

Title: CVE - KMail - HTML injection in plain text viewer

Status in kcoreaddons package in Ubuntu: Fix Released
Status in kcoreaddons source package in Precise: Invalid
Status in kcoreaddons source package in Trusty: Invalid
Status in kcoreaddons source package in Xenial: Confirmed
Status in kcoreaddons source package in Yakkety: Fix Released

Bug description:

KDE Project Security Advisory
=============================

Title: KMail: HTML injection
Risk Rating: Important
CVE: #TODO
Platforms: All
Versions: kmail >= 4.4.0
Author: #TODO
Date: #TODO

Overview
========

Through a malicious URL that contained a quote character it was possible to inject HTML code in KMail's plain text viewer. Due to the parser used on the URL it was not possible to include the equal sign (=) or a space into the injected HTML, which greatly reduces the available HTML functionality. Although it is possible to include an HTML comment indicator to hide content.

Impact
======

An unauthenticated attacker can send out mails with malicious content that breaks KMail's plain text HTML escape logic. Due to the limitations of the provided HTML in itself it might not be serious. But as a way to break out of KMail's restricted Plain text mode this might open the way to the exploitation of other vulnerabilities in the HTML viewer code, which is disabled by default.

Workaround
==========

None.

Solution
========

For KDE Frameworks based releases of KMail apply the following patch to kcoreaddons:
https://quickgit.kde.org/?p=kcoreaddons.git&a=commitdiff&h=96e562d9138c100498da38e4c5b4091a226dde12

For KDE 4 apply the following patch:
https://quickgit.kde.org/?p=kdepimlibs.git&a=commitdiff&h=176fee25ca79145ab5c8e2275d248f1a46a8d8cf

Credits
=======

Thanks to Roland Tapken for reporting this issue, Andre Heinecke from Intevation GmbH for analysing the problems and Laurent Montel for fixing this issue.

To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kcoreaddons/+bug/1630700/+subscriptions