[Group.of.nepali.translators] [Bug 2028863] [NEW] Denial of service via gvar table loading

2023-07-27 Thread Marc Deslauriers
*** This bug is a security vulnerability ***

Public security bug reported:

focal and earlier need this commit to prevent a DoS:

https://gitlab.freedesktop.org/freetype/freetype/-/commit/216e077600a58346bb022d8409fd82e9d914a10a

** Affects: freetype (Ubuntu)
 Importance: Undecided
 Status: Fix Released

** Affects: freetype (Ubuntu Trusty)
 Importance: Undecided
 Status: New

** Affects: freetype (Ubuntu Xenial)
 Importance: Undecided
 Status: New

** Affects: freetype (Ubuntu Bionic)
 Importance: Undecided
 Status: New

** Affects: freetype (Ubuntu Focal)
 Importance: Low
 Status: Confirmed

** Also affects: freetype (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Also affects: freetype (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: freetype (Ubuntu Focal)
   Importance: Undecided
   Status: New

** Also affects: freetype (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Changed in: freetype (Ubuntu)
   Status: New => Fix Released

** Changed in: freetype (Ubuntu Focal)
   Status: New => Confirmed

** Changed in: freetype (Ubuntu Focal)
   Importance: Undecided => Low

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/2028863

Title:
  Denial of service via gvar table loading

Status in freetype package in Ubuntu:
  Fix Released
Status in freetype source package in Trusty:
  New
Status in freetype source package in Xenial:
  New
Status in freetype source package in Bionic:
  New
Status in freetype source package in Focal:
  Confirmed

Bug description:
  focal and earlier need this commit to prevent a DoS:

  https://gitlab.freedesktop.org/freetype/freetype/-/commit/216e077600a58346bb022d8409fd82e9d914a10a

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freetype/+bug/2028863/+subscriptions


___
Mailing list: https://launchpad.net/~group.of.nepali.translators
Post to : group.of.nepali.translators@lists.launchpad.net
Unsubscribe : https://launchpad.net/~group.of.nepali.translators
More help   : https://help.launchpad.net/ListHelp


[Group.of.nepali.translators] [Bug 1885633] Re: [ZDI-CAN-11233]: apport Unnecessary Privileges Information Disclosure Vulnerability

2022-05-10 Thread Marc Deslauriers
** Changed in: apport (Ubuntu Eoan)
   Status: Confirmed => Won't Fix

-- 
https://bugs.launchpad.net/bugs/1885633

Title:
  [ZDI-CAN-11233]: apport Unnecessary Privileges Information Disclosure
  Vulnerability

Status in apport package in Ubuntu:
  Fix Released
Status in apport source package in Xenial:
  Fix Released
Status in apport source package in Bionic:
  Fix Released
Status in apport source package in Eoan:
  Won't Fix
Status in apport source package in Focal:
  Fix Released

Bug description:
  -- VULNERABILITY DETAILS

  * Version tested: 18.04.4 LTS amd64 server
  * Installer file: ubuntu-18.04.4-live-server-amd64.iso
  * Platform tested: -

  ---

  ### Analysis

  Apport, which is the crash reporter in Ubuntu, will execute gdbus to check
  if the pid is in a closing user session. Before executing the binary, it
  drops privileges to the crashed process's uid. But it doesn't drop the
  group id, so it can be used to leak a file which is owned by the root group.

  This allows anyone to read a file which can only be read by the root
  group, but the file size must be 16 bytes.

  Steps to reproduce:

  ```
  ubuntu@ubuntu:/tmp$ echo -ne "SECURESECRETHERE" > securefile
  ubuntu@ubuntu:/tmp$ sudo chown root:root securefile
  ubuntu@ubuntu:/tmp$ sudo chmod 440 securefile
  ubuntu@ubuntu:/tmp$ su - zdi
  Password:
  zdi@ubuntu:~$ id
  uid=1001(zdi) gid=1001(zdi) groups=1001(zdi)
  zdi@ubuntu:~$ cd /tmp/
  zdi@ubuntu:/tmp$ ls -al securefile
  -r--r----- 1 root root 16 Jun 16 04:33 securefile
  zdi@ubuntu:/tmp$ cat securefile
  cat: securefile: Permission denied
  ```
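The partial drop described in the analysis above (uid changed, group id left as root) can be detected from a process's `/proc/<pid>/status` and avoided by dropping groups before the uid. This is an added example, not apport's code and not part of the original report; the function names are hypothetical and the two status samples are constructed.

```python
import os

# Constructed samples in /proc/<pid>/status format (fields are tab separated).
# PARTIAL_DROP models the state the report describes: uid dropped, gid still 0.
PARTIAL_DROP = "Name:\tgdbus\nUid:\t1001\t1001\t1001\t1001\nGid:\t0\t0\t0\t0\nGroups:\t0 \n"
FULL_DROP = "Name:\tgdbus\nUid:\t1001\t1001\t1001\t1001\nGid:\t1001\t1001\t1001\t1001\nGroups:\t1001 \n"


def parse_status(status_text):
    """Extract the Uid, Gid and Groups lines as lists of integers."""
    creds = {}
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key in ("Uid", "Gid", "Groups"):
            creds[key] = [int(tok) for tok in value.split()]
    # Fail closed: a status block without credentials cannot be judged safe.
    for required in ("Uid", "Gid"):
        if len(creds.get(required, [])) != 4:
            raise ValueError("missing or malformed %s line" % required)
    return creds


def leftover_privileges(status_text, target_uid, target_gid):
    """Return a list of credentials that were not dropped to the target user.

    Strict check: every real/effective/saved/filesystem id must match, and
    any supplementary group other than the target gid is reported.
    """
    creds = parse_status(status_text)
    labels = ("real", "effective", "saved", "filesystem")
    findings = []
    for key, target in (("Uid", target_uid), ("Gid", target_gid)):
        for label, value in zip(labels, creds[key]):
            if value != target:
                findings.append("%s %s is %d, expected %d"
                                % (label, key.lower(), value, target))
    extra = sorted(set(creds.get("Groups", [])) - {target_gid})
    if extra:
        findings.append("supplementary groups still held: %s" % extra)
    return findings


def drop_privileges(uid, gid):
    """Permanently drop from root to uid/gid before executing a helper.

    Order matters: groups must be changed while the process is still root,
    because after the uid change the process may no longer alter them.
    """
    if os.geteuid() != 0:
        raise PermissionError("must start as root to change credentials")
    os.setgroups([gid])            # supplementary groups first
    os.setresgid(gid, gid, gid)    # real, effective and saved gid
    os.setresuid(uid, uid, uid)    # uid last
    # Verify instead of assuming the calls had the intended effect.
    if os.getresuid() != (uid, uid, uid) or os.getresgid() != (gid, gid, gid):
        raise RuntimeError("privilege drop incomplete")


if __name__ == "__main__":
    for name, sample in (("partial", PARTIAL_DROP), ("full", FULL_DROP)):
        print(name, leftover_privileges(sample, 1001, 1001))
```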

[Group.of.nepali.translators] [Bug 1944481] Re: Distrust "DST Root CA X3"

2021-09-23 Thread Marc Deslauriers
** Changed in: ca-certificates (Ubuntu Impish)
   Status: New => Fix Committed

** Changed in: ca-certificates (Ubuntu Trusty)
   Status: New => Fix Released

** Changed in: ca-certificates (Ubuntu Xenial)
   Status: New => Fix Released

-- 
https://bugs.launchpad.net/bugs/1944481

Title:
  Distrust "DST Root CA X3"

Status in ca-certificates package in Ubuntu:
  Fix Committed
Status in ca-certificates source package in Trusty:
  Fix Released
Status in ca-certificates source package in Xenial:
  Fix Released
Status in ca-certificates source package in Bionic:
  Fix Released
Status in ca-certificates source package in Focal:
  Fix Released
Status in ca-certificates source package in Hirsute:
  Fix Released
Status in ca-certificates source package in Impish:
  Fix Committed

Bug description:
  [Impact]

   * ca-certificates trusts the letsencrypt CA certificate "ISRG Root X1"
   * ca-certificates also trusts the CA certificate "DST Root CA X3" which
     cross-signs letsencrypt CA
   * "DST Root CA X3" is about to expire, however it has issued an updated
     cross-signature to letsencrypt beyond its own expiry
   * This causes issues with older implementations of openssl & gnutls that
     reject such chains when offered to clients by servers.
   * We have provided fixes for openssl in xenial and gnutls in bionic/xenial,
     however trusty systems remain affected. Also any self built old copies of
     openssl/gnutls remain susceptible to this expiry.
   * One solution is to blacklist the "DST Root CA X3" from the ca-certificates
     package as described at
     https://blog.devgenius.io/rhel-centos-7-fix-for-lets-encrypt-change-8af2de587fe4
     - connectivity to sites chained to "DST Root CA X3" will be unaffected, and
     servers that chain to both "ISRG Root X1" and "DST Root CA X3" should start
     to work unmodified.
   * This is similar to how this was handled for AddTrust before

  "* mozilla/blacklist.txt: blacklist expired AddTrust External Root
  CA."

  [Test Plan]

   * Install old/current ca-certificates faketime wget curl
  libcurl3-gnutls

  # faketime 2021-10-01 wget https://pskov.surgut.co.uk
  --2021-10-01 00:00:00--  https://pskov.surgut.co.uk/
  Resolving pskov.surgut.co.uk (pskov.surgut.co.uk)... 2a01:4f8:c17:3dd8::1, 49.12.37.5
  Connecting to pskov.surgut.co.uk (pskov.surgut.co.uk)|2a01:4f8:c17:3dd8::1|:443... connected.
  ERROR: cannot verify pskov.surgut.co.uk's certificate, issued by '/C=US/O=Let\'s Encrypt/CN=R3':
    Issued certificate has expired.
  To connect to pskov.surgut.co.uk insecurely, use `--no-check-certificate'.

  # LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libcurl-gnutls.so.4 faketime 2021-10-01 curl https://pskov.surgut.co.uk >/dev/null
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
    0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  curl: (60) SSL certificate problem: certificate has expired

   * Install new ca-certificates package

  # faketime 2021-10-01 wget https://pskov.surgut.co.uk
  --2021-10-01 00:00:00--  https://pskov.surgut.co.uk/
  Resolving pskov.surgut.co.uk (pskov.surgut.co.uk)... 2a01:4f8:c17:3dd8::1, 49.12.37.5
  Connecting to pskov.surgut.co.uk (pskov.surgut.co.uk)|2a01:4f8:c17:3dd8::1|:443... connected.
  HTTP request sent, awaiting response... 200 OK
  Length: 612 [text/html]
  Saving to: 'index.html.3'

  100%[>] 612  --.-K/s   in 0s

  2021-10-01 00:00:00 (71.7 MB/s) - 'index.html.3' saved [612/612]

   LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libcurl-gnutls.so.4 faketime 2021-10-01 curl https://pskov.surgut.co.uk >/dev/null
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
  100   612  100   612    0     0   5794      0 --:--:-- --:--:-- --:--:--  5828

  Download is successful.

  [Where problems could occur]

   * Connectivity to "DST Root CA X3" websites only, even under faketime
  set to dates prior to 30th of September 2021, will not work, as the "DST
  Root CA X3" certificate is no longer installed. Users should locally
  install and enable that CA certificate, or allow dangerous unverified
  connectivity to websites using expired CA certs.

  [Other Info]

   * Related openssl and gnutls28 bugs are
  https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1928989 and
  https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1928648

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1944481/+subscriptions



[Group.of.nepali.translators] [Bug 1926300] Re: clamdscan - MULTISCAN parameter causes Segmentation fault error

2021-05-17 Thread Marc Deslauriers
Please stop changing the status on this bug.

Since Xenial is now in Extended Security Maintenance, the fix was pushed
to the ESM repository for Xenial. The "Fix Released" status on this bug
is accurate.

See the following for more information on Extended Security Maintenance:
https://lists.ubuntu.com/archives/ubuntu-security-announce/2021-March/005930.html


** Changed in: clamav (Ubuntu Xenial)
   Status: Triaged => Fix Released

** Changed in: clamav (Ubuntu)
   Status: Triaged => Fix Released

-- 
https://bugs.launchpad.net/bugs/1926300

Title:
  clamdscan - MULTISCAN  parameter causes Segmentation fault error

Status in ClamAV:
  Unknown
Status in clamav package in Ubuntu:
  Fix Released
Status in clamav source package in Xenial:
  Fix Released
Status in clamav source package in Bionic:
  Fix Released
Status in clamav source package in Focal:
  Fix Released
Status in clamav source package in Groovy:
  Fix Released
Status in clamav source package in Hirsute:
  Fix Released

Bug description:
  While running clamdscan with the --multiscan parameter we get the
  following error: Segmentation fault (core dumped)

  The scan starts without '--multiscan' but it causes performance issues
  The issue is present on Ubuntu 16.04.7 LTS, Ubuntu 18.04.5 LTS, Ubuntu 20.04.2 LTS

  from dmesg log:
  [Wed Apr 21 13:45:30 2021] clamdscan[5805]: segfault at 0 ip 7f42b5128bf5 sp 7fff89b76088 error 4 in libc-2.27.so[7f42b5072000+1e7000]
  [Wed Apr 21 13:45:30 2021] Code: bc d1 f3 0f 7f 27 f3 0f 7f 6f 10 f3 0f 7f 77 20 f3 0f 7f 7f 30 49 83 c0 0f 49 29 d0 48 8d 7c 17 31 e9 8f 0b 00 00 66 0f ef c0  0f 6f 0e f3 0f 6f 56 10 66 0f 74 c1 66 0f d7 d0 49 83 f8 11 0f

  ClamAV 0.103.2/26152/Mon Apr 26 11:04:28 2021

  clamav            0.103.2+dfsg-0ubuntu0.16.04.1  amd64
  clamav-base       0.103.2+dfsg-0ubuntu0.16.04.1  all
  clamav-daemon     0.103.2+dfsg-0ubuntu0.16.04.1  amd64
  clamav-docs       0.103.2+dfsg-0ubuntu0.16.04.1  all
  clamav-freshclam  0.103.2+dfsg-0ubuntu0.16.04.1  amd64
  clamdscan         0.103.2+dfsg-0ubuntu0.16.04.1  amd64

To manage notifications about this bug go to:
https://bugs.launchpad.net/clamav/+bug/1926300/+subscriptions



[Group.of.nepali.translators] [Bug 1917812] Re: extracting archives from within nautilus omits subfolders

2021-03-08 Thread Marc Deslauriers
** Also affects: gnome-autoar (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Also affects: gnome-autoar (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: gnome-autoar (Ubuntu Focal)
   Importance: Undecided
   Status: New

** Also affects: gnome-autoar (Ubuntu Hirsute)
   Importance: High
   Status: Fix Released

** Also affects: gnome-autoar (Ubuntu Groovy)
   Importance: Undecided
   Status: New

** Changed in: gnome-autoar (Ubuntu Xenial)
   Status: New => In Progress

** Changed in: gnome-autoar (Ubuntu Bionic)
   Status: New => In Progress

** Changed in: gnome-autoar (Ubuntu Xenial)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: gnome-autoar (Ubuntu Bionic)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: gnome-autoar (Ubuntu Focal)
   Status: New => In Progress

** Changed in: gnome-autoar (Ubuntu Focal)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: gnome-autoar (Ubuntu Groovy)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: gnome-autoar (Ubuntu Groovy)
   Status: New => In Progress

** No longer affects: gnome-autoar (Ubuntu Xenial)

-- 
https://bugs.launchpad.net/bugs/1917812

Title:
  extracting archives from within nautilus omits subfolders

Status in gnome-autoar package in Ubuntu:
  Fix Released
Status in gnome-autoar source package in Bionic:
  In Progress
Status in gnome-autoar source package in Focal:
  In Progress
Status in gnome-autoar source package in Groovy:
  In Progress
Status in gnome-autoar source package in Hirsute:
  Fix Released

Bug description:
  When extracting ZIP archives from within nautilus (e.g. right-click ->
  "Extract Here") the extracted file structure is missing subfolders.

  Reproduce:
  1. download a ZIP archive that includes files and folders in the root (e.g.
     https://github.com/electron/electron/releases/download/v12.0.0/electron-v12.0.0-linux-x64.zip)
  2. within nautilus right-click on the archive and select "Extract Here"
  3. check the extracted folder, you will see that only the files have been
     extracted, the folders are missing

  This is an issue that was recently introduced, as this used to work a
  while ago on Ubuntu 20.04.

  ProblemType: Bug
  DistroRelease: Ubuntu 20.04
  Package: nautilus 1:3.36.3-0ubuntu1
  ProcVersionSignature: Ubuntu 5.8.0-44.50~20.04.1-generic 5.8.18
  Uname: Linux 5.8.0-44-generic x86_64
  ApportVersion: 2.20.11-0ubuntu27.16
  Architecture: amd64
  CasperMD5CheckResult: skip
  CurrentDesktop: ubuntu:GNOME
  Date: Thu Mar  4 22:09:52 2021
  SourcePackage: nautilus
  UpgradeStatus: No upgrade log present (probably fresh install)
  usr_lib_nautilus:

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnome-autoar/+bug/1917812/+subscriptions



[Group.of.nepali.translators] [Bug 1905741] Re: poppler 0.62.0-2ubuntu2.11 and 0.41.0-0ubuntu1.15 security updates break Splash output

2020-11-26 Thread Marc Deslauriers
Thanks for reporting this, I'll back out the fix and will release
updates shortly.

** Also affects: poppler (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: poppler (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Changed in: poppler (Ubuntu)
   Status: New => Invalid

** Changed in: poppler (Ubuntu Xenial)
   Status: New => In Progress

** Changed in: poppler (Ubuntu Bionic)
   Status: New => In Progress

** Changed in: poppler (Ubuntu Xenial)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: poppler (Ubuntu Bionic)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

-- 
https://bugs.launchpad.net/bugs/1905741

Title:
  poppler 0.62.0-2ubuntu2.11 and 0.41.0-0ubuntu1.15 security updates
  break Splash output

Status in poppler package in Ubuntu:
  Invalid
Status in poppler source package in Xenial:
  In Progress
Status in poppler source package in Bionic:
  In Progress

Bug description:
  The security updates 0.62.0-2ubuntu2.11 and 0.41.0-0ubuntu1.15 break
  the Splash output rendering, for example if using the xpdf utility
  that relies on Poppler splash output, or as used by the GDAL library
  (the issue was detected due to breakage in GDAL continuous integration
  tests)

  I've traced the root cause to those security updates enabling in
  'rules' CMYK (--enable-cmyk for 0.41.0-0ubuntu1.15 and
  -DSPLASH_CMYK=ON for 0.62.0-2ubuntu2.11)

  Building without CMYK restores poppler to a working state. It should be
  noted that even on the upstream 0.41.0 version, enabling CMYK results
  in a non-functional build, so it is not related to the patches applied
  on top of it, but really to enabling CMYK

  The issue can be verified with "xpdf test_ogc_bp.pdf" with the
  attached test_ogc_bp.pdf file. With the new packages, xpdf crashes,
  whereas with older ones it displays a 20x20 greyscale image.

  Or with "gdal_translate test_ogc_bp.pdf out.png -of PNG" when
  installing the "gdal-bin" package, that currently errors out with a
  message like "ERROR 1: Bitmap decoded size (18623872x0) doesn't match
  raster size (20x20)"

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/poppler/+bug/1905741/+subscriptions



[Group.of.nepali.translators] [Bug 1895294] Re: Fix Raccoon vulnerability (CVE-2020-1968)

2020-09-16 Thread Marc Deslauriers
This has now been fixed:

https://ubuntu.com/security/notices/USN-4504-1

** Changed in: openssl (Ubuntu Xenial)
   Status: Confirmed => Fix Released

-- 
https://bugs.launchpad.net/bugs/1895294

Title:
  Fix Raccoon vulnerability (CVE-2020-1968)

Status in openssl package in Ubuntu:
  Fix Released
Status in openssl source package in Xenial:
  Fix Released

Bug description:
  Xenial's current OpenSSL (1.0.2g-1ubuntu4.16) seems to not have been
  patched yet against the Raccoon Attack (CVE-2020-1968):

  - https://www.openssl.org/news/secadv/20200909.txt
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1968
  - https://raccoon-attack.com/

  Ubuntu's CVE tracker still lists this as NEEDED for Xenial:

  - https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1968.html
  - https://people.canonical.com/~ubuntu-security/cve/pkg/openssl.html

  Other supported Ubuntu releases use versions of OpenSSL that are not
  affected.

  Indeed:

    $ apt-cache policy openssl
    openssl:
      Installed: 1.0.2g-1ubuntu4.16

    $ apt-get changelog openssl | grep CVE-2020-1968 || echo "Not patched"
    Not patched

  What is the status?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1895294/+subscriptions



[Group.of.nepali.translators] [Bug 1890265] Re: BUG: Version 3.5.27-1ubuntu1.7 breaks config using icap

2020-08-27 Thread Marc Deslauriers
** Changed in: squid3 (Ubuntu)
   Status: Triaged => Fix Released

-- 
https://bugs.launchpad.net/bugs/1890265

Title:
  BUG: Version 3.5.27-1ubuntu1.7 breaks config using icap

Status in squid3 package in Ubuntu:
  Fix Released
Status in squid3 source package in Xenial:
  Fix Released
Status in squid3 source package in Bionic:
  Fix Released
Status in squid3 package in Debian:
  New

Bug description:
  Using ubuntu 18.04

  I had a squid config using c-icap to scan requests/responses using
  ClamAV.

  It had been working OK for a long time.

  Today, squid has (security) updated to 3.5.27-1ubuntu1.7 and now,
  connection to icap is broken.

  This is the error in squid-cache.log

  2020/08/04 09:44:08 kid1| essential ICAP service is down after an
  options fetch failure: icap://127.0.0.1:1344/virus_scan [down,!opt]

  
  After downgrading to 3.5.27-1ubuntu1.6 it starts working again.

  The icap service is working fine, tested with `c-icap-client -i
  127.0.0.1 -p 1344 -s virus_scan`

  Thanks.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/squid3/+bug/1890265/+subscriptions



[Group.of.nepali.translators] [Bug 1890265] Re: BUG: Version 3.5.27-1ubuntu1.7 breaks config using icap

2020-08-06 Thread Marc Deslauriers
** Also affects: squid3 (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965012
   Importance: Unknown
   Status: Unknown

** Also affects: squid3 (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Changed in: squid3 (Ubuntu Xenial)
   Status: New => Confirmed

** Changed in: squid3 (Ubuntu Xenial)
   Importance: Undecided => High

** Changed in: squid3 (Ubuntu Xenial)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: squid3 (Ubuntu Bionic)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

-- 
https://bugs.launchpad.net/bugs/1890265

Title:
  BUG: Version 3.5.27-1ubuntu1.7 breaks config using icap

Status in squid3 package in Ubuntu:
  Triaged
Status in squid3 source package in Xenial:
  Confirmed
Status in squid3 source package in Bionic:
  Confirmed
Status in squid3 package in Debian:
  Unknown

Bug description:
  Using ubuntu 18.04

  I had a squid config using c-icap to scan requests/responses using
  ClamAV.

  It had been working OK for a long time.

  Today, squid has (security) updated to 3.5.27-1ubuntu1.7 and now,
  connection to icap is broken.

  This is the error in squid-cache.log

  2020/08/04 09:44:08 kid1| essential ICAP service is down after an
  options fetch failure: icap://127.0.0.1:1344/virus_scan [down,!opt]

  
  After downgrading to 3.5.27-1ubuntu1.6 it starts working again.

  The icap service is working fine, tested with `c-icap-client -i
  127.0.0.1 -p 1344 -s virus_scan`

  Thanks.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/squid3/+bug/1890265/+subscriptions



[Group.of.nepali.translators] [Bug 1888160] Re: ClamAV needs updated to reflect security fixes

2020-07-29 Thread Marc Deslauriers
https://ubuntu.com/security/notices/USN-4435-1

** Changed in: clamav (Ubuntu)
   Status: Triaged => Fix Released

** Changed in: clamav (Ubuntu Xenial)
   Status: New => Fix Released

** Changed in: clamav (Ubuntu Bionic)
   Status: New => Fix Released

** Changed in: clamav (Ubuntu Eoan)
   Status: New => Fix Released

** Changed in: clamav (Ubuntu Focal)
   Status: New => Fix Released

-- 
https://bugs.launchpad.net/bugs/1888160

Title:
  ClamAV needs updated to reflect security fixes

Status in clamav package in Ubuntu:
  Fix Released
Status in clamav source package in Xenial:
  Fix Released
Status in clamav source package in Bionic:
  Fix Released
Status in clamav source package in Eoan:
  Fix Released
Status in clamav source package in Focal:
  Fix Released

Bug description:
  Description: Ubuntu 18.04.4 LTS
  Release: 18.04

  apt-cache policy clamav
  clamav:
    Installed: 0.102.3+dfsg-0ubuntu0.18.04.1
    Candidate: 0.102.3+dfsg-0ubuntu0.18.04.1

  The current version of ClamAV for 18.04.4 LTS is
  0.102.3+dfsg-0ubuntu0.18.04.1. The current stable version of ClamAV is
  0.102.4. There have been patches released that fix security related bugs
  as shown below:

  ClamAV 0.102.4 is a bug patch release to address the following issues:

  CVE-2020-3350
  Fixed a vulnerability a malicious user could exploit to replace a scan
  target's directory with a symlink to another path to trick clamscan,
  clamdscan, or clamonacc into removing or moving a different file (such as
  a critical system file). The issue would affect users that use the --move
  or --remove options for clamscan, clamdscan and clamonacc.

  CVE-2020-3327
  Fixed a vulnerability in the ARJ archive-parsing module in ClamAV 0.102.3
  that could cause a denial-of-service (DoS) condition. Improper bounds
  checking resulted in an out-of-bounds read that could cause a crash. The
  previous fix for this CVE in version 0.102.3 was incomplete. This fix
  correctly resolves the issue.

  CVE-2020-3481
  Fixed a vulnerability in the EGG archive module in ClamAV 0.102.0 - 0.102.3
  that could cause a denial-of-service (DoS) condition. Improper error
  handling could cause a crash due to a NULL pointer dereference. This
  vulnerability is mitigated for those using the official ClamAV signature
  databases because the file type signatures in daily.cvd will not enable
  the EGG archive parser in affected versions.

  Request that ClamAV be updated to the latest version 0.102.4

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/1888160/+subscriptions



[Group.of.nepali.translators] [Bug 1889206] Re: Regression in USN-4436-1

2020-07-29 Thread Marc Deslauriers
** Changed in: librsvg (Ubuntu)
   Status: Confirmed => Invalid

-- 
https://bugs.launchpad.net/bugs/1889206

Title:
  Regression in USN-4436-1

Status in librsvg:
  Unknown
Status in librsvg package in Ubuntu:
  Invalid
Status in librsvg source package in Xenial:
  Fix Released
Status in librsvg source package in Bionic:
  Fix Released

Bug description:
  The security fix for librsvg introduced a regression in aisleriot.

  Steps to reproduce:

  1- install gnome-cards-data
  2- run "sol" to start Aisleriot
  3- Switch card layout to "Anglo"
  4- Notice some cards are missing graphics

To manage notifications about this bug go to:
https://bugs.launchpad.net/librsvg/+bug/1889206/+subscriptions



[Group.of.nepali.translators] [Bug 1889206] Re: Regression in USN-4436-1

2020-07-28 Thread Marc Deslauriers
** Attachment added: "eog displaying issue rendering anglo cardset"
   https://bugs.launchpad.net/ubuntu/+source/librsvg/+bug/1889206/+attachment/5396555/+files/anglo-issue.png

** Bug watch added: gitlab.gnome.org/GNOME/librsvg/-/issues #612
   https://gitlab.gnome.org/GNOME/librsvg/-/issues/612

** Also affects: librsvg via
   https://gitlab.gnome.org/GNOME/librsvg/-/issues/612
   Importance: Unknown
   Status: Unknown

-- 
https://bugs.launchpad.net/bugs/1889206

Title:
  Regression in USN-4436-1

Status in librsvg:
  Unknown
Status in librsvg package in Ubuntu:
  Confirmed
Status in librsvg source package in Xenial:
  Confirmed
Status in librsvg source package in Bionic:
  Confirmed

Bug description:
  The security fix for librsvg introduced a regression in aisleriot.

  Steps to reproduce:

  1- install gnome-cards-data
  2- run "sol" to start Aisleriot
  3- Switch card layout to "Anglo"
  4- Notice some cards are missing graphics

To manage notifications about this bug go to:
https://bugs.launchpad.net/librsvg/+bug/1889206/+subscriptions



[Group.of.nepali.translators] [Bug 1889206] [NEW] Regression in USN-4436-1

2020-07-28 Thread Marc Deslauriers
*** This bug is a security vulnerability ***

Public security bug reported:

The security fix for librsvg introduced a regression in aisleriot.

Steps to reproduce:

1- install gnome-cards-data
2- run "sol" to start Aisleriot
3- Switch card layout to "Anglo"
4- Notice some cards are missing graphics

** Affects: librsvg (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: librsvg (Ubuntu Xenial)
 Importance: Undecided
 Assignee: Marc Deslauriers (mdeslaur)
 Status: Confirmed

** Affects: librsvg (Ubuntu Bionic)
 Importance: Undecided
 Assignee: Marc Deslauriers (mdeslaur)
 Status: Confirmed

** Also affects: librsvg (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: librsvg (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Changed in: librsvg (Ubuntu Xenial)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: librsvg (Ubuntu Bionic)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: librsvg (Ubuntu Xenial)
   Status: New => Confirmed

** Changed in: librsvg (Ubuntu Bionic)
   Status: New => Confirmed

-- 
https://bugs.launchpad.net/bugs/1889206

Title:
  Regression in USN-4436-1

Status in librsvg package in Ubuntu:
  New
Status in librsvg source package in Xenial:
  Confirmed
Status in librsvg source package in Bionic:
  Confirmed

Bug description:
  The security fix for librsvg introduced a regression in aisleriot.

  Steps to reproduce:

  1- install gnome-cards-data
  2- run "sol" to start Aislerot
  3- Switch card layout to "Anglo"
  4- Notice some cards are missing graphics

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/librsvg/+bug/1889206/+subscriptions



[Group.of.nepali.translators] [Bug 1882244] Re: GnuTLS Session Ticket Key Vulnerability

2020-06-05 Thread Marc Deslauriers
This issue doesn't affect Ubuntu 16.04 LTS or Ubuntu 18.04 LTS.

** Information type changed from Private Security to Public Security

** Also affects: gnutls28 (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: gnutls28 (Ubuntu Eoan)
   Importance: Undecided
   Status: New

** Also affects: gnutls28 (Ubuntu Groovy)
   Importance: Undecided
   Status: New

** Also affects: gnutls28 (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Also affects: gnutls28 (Ubuntu Focal)
   Importance: Undecided
   Status: New

** Changed in: gnutls28 (Ubuntu Xenial)
   Status: New => Invalid

** Changed in: gnutls28 (Ubuntu Bionic)
   Status: New => Invalid

** Changed in: gnutls28 (Ubuntu Eoan)
   Status: New => In Progress

** Changed in: gnutls28 (Ubuntu Focal)
   Status: New => In Progress

** Changed in: gnutls28 (Ubuntu Groovy)
   Status: New => In Progress

** Changed in: gnutls28 (Ubuntu Eoan)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: gnutls28 (Ubuntu Focal)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: gnutls28 (Ubuntu Groovy)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: gnutls28 (Ubuntu Eoan)
   Importance: Undecided => High

** Changed in: gnutls28 (Ubuntu Focal)
   Importance: Undecided => High

** Changed in: gnutls28 (Ubuntu Groovy)
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1882244

Title:
  GnuTLS Session Ticket Key Vulnerability

Status in gnutls28 package in Ubuntu:
  In Progress
Status in gnutls28 source package in Xenial:
  Invalid
Status in gnutls28 source package in Bionic:
  Invalid
Status in gnutls28 source package in Eoan:
  In Progress
Status in gnutls28 source package in Focal:
  In Progress
Status in gnutls28 source package in Groovy:
  In Progress

Bug description:
  Dear Launchpad Team,

  A security vulnerability affects versions 3.x of GnuTLS:

  https://gnutls.org/security-new.html#GNUTLS-SA-2020-06-03

  I noticed this problem on Ubuntu 16 and Ubuntu 18 operating systems.
  In particular, on Ubuntu 16 last version of libgnutls30 is 3.4.10,
  whereas on Ubuntu 18 it is 3.5.18.

  Please provide an update.

  I thank you in advance.

  Kind regards,

  it0001



[Group.of.nepali.translators] [Bug 1881533] Re: Remove expired AddTrust_External_Root.crt because it breaks software

2020-06-05 Thread Marc Deslauriers
** Changed in: ca-certificates (Ubuntu Groovy)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1881533

Title:
  Remove expired AddTrust_External_Root.crt because it breaks software

Status in ca-certificates package in Ubuntu:
  Fix Released
Status in ca-certificates source package in Xenial:
  Fix Released
Status in ca-certificates source package in Bionic:
  Fix Released
Status in ca-certificates source package in Eoan:
  Fix Released
Status in ca-certificates source package in Focal:
  Fix Released
Status in ca-certificates source package in Groovy:
  Fix Released

Bug description:
  The AddTrust_External_Root.crt certificate has expired:

  Data:
  Version: 3 (0x2)
  Serial Number: 1 (0x1)
  Signature Algorithm: sha1WithRSAEncryption
  Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
  Validity
  Not Before: May 30 10:48:38 2000 GMT
  Not After : May 30 10:48:38 2020 GMT
  Subject: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
  Subject Public Key Info:
  Public Key Algorithm: rsaEncryption
  Public-Key: (2048 bit)
  Modulus:

  
  This causes various client-side errors on Ubuntu 16.04 machines, about
  SSL certificate expiration, using (lib)curl for instance. Ubuntu 18.04
  and up seem OK.

  Removing 'mozilla/AddTrust_External_Root.crt' from
  /etc/ca-certificates.conf and running 'update-ca-certificates -f -v' helps.
  I'm not sure if removing it is universally the best solution, but I
  can't find any other bug reports about this on Launchpad, and this
  seems the quickest way to fix all clients.



[Group.of.nepali.translators] [Bug 1881533] Re: Remove expired AddTrust_External_Root.crt because it breaks software

2020-06-01 Thread Marc Deslauriers
Updates for this issue have now been published:

https://usn.ubuntu.com/4377-1/

** Changed in: ca-certificates (Ubuntu Xenial)
   Status: In Progress => Fix Released

** Changed in: ca-certificates (Ubuntu Bionic)
   Status: In Progress => Fix Released

** Changed in: ca-certificates (Ubuntu Eoan)
   Status: In Progress => Fix Released

** Changed in: ca-certificates (Ubuntu Focal)
   Status: In Progress => Fix Released

** Changed in: ca-certificates (Ubuntu Groovy)
   Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1881533

Title:
  Remove expired AddTrust_External_Root.crt because it breaks software

Status in ca-certificates package in Ubuntu:
  Fix Committed
Status in ca-certificates source package in Xenial:
  Fix Released
Status in ca-certificates source package in Bionic:
  Fix Released
Status in ca-certificates source package in Eoan:
  Fix Released
Status in ca-certificates source package in Focal:
  Fix Released
Status in ca-certificates source package in Groovy:
  Fix Committed



[Group.of.nepali.translators] [Bug 1881533] Re: Remove expired AddTrust_External_Root.crt because it breaks software

2020-06-01 Thread Marc Deslauriers
** Also affects: ca-certificates (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: ca-certificates (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Also affects: ca-certificates (Ubuntu Groovy)
   Importance: Undecided
   Status: Confirmed

** Also affects: ca-certificates (Ubuntu Eoan)
   Importance: Undecided
   Status: New

** Also affects: ca-certificates (Ubuntu Focal)
   Importance: Undecided
   Status: New

** Changed in: ca-certificates (Ubuntu Xenial)
   Importance: Undecided => Critical

** Changed in: ca-certificates (Ubuntu Bionic)
   Importance: Undecided => Critical

** Changed in: ca-certificates (Ubuntu Eoan)
   Importance: Undecided => Critical

** Changed in: ca-certificates (Ubuntu Focal)
   Importance: Undecided => Critical

** Changed in: ca-certificates (Ubuntu Groovy)
   Importance: Undecided => Critical

** Changed in: ca-certificates (Ubuntu Xenial)
   Status: New => In Progress

** Changed in: ca-certificates (Ubuntu Bionic)
   Status: New => In Progress

** Changed in: ca-certificates (Ubuntu Eoan)
   Status: New => In Progress

** Changed in: ca-certificates (Ubuntu Focal)
   Status: New => In Progress

** Changed in: ca-certificates (Ubuntu Groovy)
   Status: Confirmed => In Progress

** Changed in: ca-certificates (Ubuntu Xenial)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: ca-certificates (Ubuntu Bionic)
     Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: ca-certificates (Ubuntu Eoan)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: ca-certificates (Ubuntu Focal)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: ca-certificates (Ubuntu Groovy)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1881533

Title:
  Remove expired AddTrust_External_Root.crt because it breaks software

Status in ca-certificates package in Ubuntu:
  In Progress
Status in ca-certificates source package in Xenial:
  In Progress
Status in ca-certificates source package in Bionic:
  In Progress
Status in ca-certificates source package in Eoan:
  In Progress
Status in ca-certificates source package in Focal:
  In Progress
Status in ca-certificates source package in Groovy:
  In Progress



[Group.of.nepali.translators] [Bug 1835596] Re: incorrect argument to file_printable in [PATCH] PR/62

2020-05-12 Thread Marc Deslauriers
** Also affects: file (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Also affects: file (Ubuntu Focal)
   Importance: Undecided
   Status: New

** Also affects: file (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: file (Ubuntu Groovy)
   Importance: Undecided
 Assignee: Marc Deslauriers (mdeslaur)
   Status: Confirmed

** Also affects: file (Ubuntu Eoan)
   Importance: Undecided
   Status: New

** Changed in: file (Ubuntu Eoan)
   Status: New => Fix Released

** Changed in: file (Ubuntu Focal)
   Status: New => Fix Released

** Changed in: file (Ubuntu Groovy)
   Status: Confirmed => Fix Released

** Changed in: file (Ubuntu Xenial)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: file (Ubuntu Bionic)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: file (Ubuntu Xenial)
   Status: New => In Progress

** Changed in: file (Ubuntu Bionic)
   Status: New => In Progress

** Changed in: file (Ubuntu Xenial)
   Importance: Undecided => Medium

** Changed in: file (Ubuntu Bionic)
   Importance: Undecided => Medium

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1835596

Title:
  incorrect argument to file_printable in [PATCH] PR/62

Status in file package in Ubuntu:
  Fix Released
Status in file source package in Xenial:
  In Progress
Status in file source package in Bionic:
  In Progress
Status in file source package in Eoan:
  Fix Released
Status in file source package in Focal:
  Fix Released
Status in file source package in Groovy:
  Fix Released

Bug description:
  In last patch below

  +From d65781527c8134a1202b2649695d48d5701ac60b Mon Sep 17 00:00:00 2001
  +From: Christos Zoulas 
  +Date: Mon, 18 Feb 2019 17:46:56 +
  +Subject: [PATCH] PR/62: spinpx: limit size of file_printable.

  +===
  +--- file-5.32.orig/src/readelf.c 2019-03-13 12:38:58.854781641 -0400
   file-5.32/src/readelf.c  2019-03-13 12:39:43.450945506 -0400
  +@@ -725,7 +725,7 @@ do_core_note(struct magic_set *ms, unsig
  + if (file_printf(ms, ", from '%.31s', pid=%u, uid=%u, "
  + "gid=%u, nlwps=%u, lwp=%u (signal %u/code %u)",
  + file_printable(sbuf, sizeof(sbuf),
  +-CAST(char *, pi.cpi_name)),
  ++RCAST(char *, pi.cpi_name), sizeof(pi.cpi_name)),
  + elf_getu32(swap, pi.cpi_pid),
  + elf_getu32(swap, pi.cpi_euid),
  + elf_getu32(swap, pi.cpi_egid),
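
Review bot: the new slen argument sizeof(pi.cpi_name) in the do_core_note call is the field's byte count only if cpi_name is declared as an array, and the struct definition is outside this hunk, so the declaration should be checked before relying on it. The same line also switches the cast from CAST to RCAST, which the commit subject does not mention; a short note on why would help.
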
  +@@ -1564,7 +1564,8 @@ dophn_exec(struct magic_set *ms, int cla
  + return -1;
  + if (interp[0])
  + if (file_printf(ms, ", interpreter %s",
  +-file_printable(ibuf, sizeof(ibuf), interp)) == -1)
  ++file_printable(ibuf, sizeof(ibuf), interp, sizeof(interp)))
  ++== -1)
  + return -1;
  + return 0;
  + }
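
Review bot: sizeof(interp) in the added file_printable call in dophn_exec is the size of a pointer, not of the string, if interp is a char * at this point (its declaration is outside the hunk), which would cap the printed interpreter at 8 bytes on 64-bit builds. Pass the length of the buffer that interp points to, or declare interp as an array so that sizeof yields the buffer size.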

  sizeof(interp) is passed to file_printable as the `slen' parameter. Since
  interp is of type `char *', sizeof(interp) will be 8 or 4 const value for
  different pointer types; this makes the `interpreter' extraction for elf
  file limited to 8 bytes under x64.

  An example for this, under ubuntu 18.04:
  $ file /bin/dash
  /bin/dash: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 3.2.0, BuildID[sha1]=a783260e3a5fe0afdae77417eea7fbf8d645219e, stripped

  Notice that the interpreter portion is `/lib64/l', which is 8 bytes long
  and only a part of the actual interpreter path.

  The `slen' parameter here should be something like `sizeof(char) *
  length_of_buffer' instead of sizeof(char *).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/file/+bug/1835596/+subscriptions

___
Mailing list: https://launchpad.net/~group.of.nepali.translators
Post to : group.of.nepali.translators@lists.launchpad.net
Unsubscribe : https://launchpad.net/~group.of.nepali.translators
More help   : https://help.launchpad.net/ListHelp
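
The sizeof pitfall described in the bug report above, as an added C example (not code from the file project or from the report). printable_copy is a hypothetical, simplified stand-in for file_printable, and the sample interpreter path is constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: a typical x86-64 ELF interpreter path. */
static const char SAMPLE_INTERP[] = "/lib64/ld-linux-x86-64.so.2";

/*
 * Hypothetical, simplified stand-in for file_printable(buf, bufsiz, str, slen).
 * Copies at most slen bytes of str into buf (stopping at NUL), writes
 * non-printable bytes as \ooo octal escapes, and NUL-terminates buf.
 */
static char *printable_copy(char *buf, size_t bufsiz, const char *str, size_t slen)
{
    const unsigned char *s = (const unsigned char *)str;
    const unsigned char *send = s + slen;
    char *p = buf;
    char *end;

    if (bufsiz == 0)
        return buf;
    end = buf + bufsiz - 1;                 /* keep one byte for the NUL */

    for (; s < send && *s != '\0' && p < end; s++) {
        if (isprint(*s)) {
            *p++ = (char)*s;
            continue;
        }
        if (end - p < 4)                    /* no room for a full escape */
            break;
        *p++ = '\\';
        *p++ = (char)('0' + ((*s >> 6) & 7));
        *p++ = (char)('0' + ((*s >> 3) & 7));
        *p++ = (char)('0' + (*s & 7));
    }
    *p = '\0';
    return buf;
}

/* Pattern from the report: interp is a pointer, so sizeof(interp) is the
 * pointer size (8 on x86-64), not the size of the buffer behind it. */
static size_t pointer_sizeof(char *out, size_t outsz)
{
    char storage[64];
    char *interp = storage;

    strcpy(storage, SAMPLE_INTERP);
    printable_copy(out, outsz, interp, sizeof(interp));
    return strlen(out);
}

/* Same call with an array: sizeof(interp) is now the 64-byte buffer size. */
static size_t array_sizeof(char *out, size_t outsz)
{
    char interp[64];

    strcpy(interp, SAMPLE_INTERP);
    printable_copy(out, outsz, interp, sizeof(interp));
    return strlen(out);
}

/* Pointer again, but the buffer length travels with it explicitly. */
static size_t pointer_with_length(char *out, size_t outsz)
{
    char storage[64];
    char *interp = storage;
    size_t interp_size = sizeof(storage);

    strcpy(storage, SAMPLE_INTERP);
    printable_copy(out, outsz, interp, interp_size);
    return strlen(out);
}

int main(void)
{
    char out[128];

    pointer_sizeof(out, sizeof(out));
    printf("sizeof(char *) as slen : interpreter %s\n", out);
    array_sizeof(out, sizeof(out));
    printf("sizeof(array) as slen  : interpreter %s\n", out);
    pointer_with_length(out, sizeof(out));
    printf("explicit buffer length : interpreter %s\n", out);
    return 0;
}
```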


[Group.of.nepali.translators] [Bug 1875798] Re: Samba 2:4.3.11+dfsg-0ubuntu0.16.04.26: LDAP request size (81) exceeds (0)

2020-04-29 Thread Marc Deslauriers
I have now published the regression fix:

https://usn.ubuntu.com/4341-3/

Please let me know if you still experience issues after installing the
new package. Thanks.

** Changed in: samba (Ubuntu)
   Status: Confirmed => Invalid

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1875798

Title:
  Samba 2:4.3.11+dfsg-0ubuntu0.16.04.26: LDAP request size (81) exceeds
  (0)

Status in samba package in Ubuntu:
  Invalid
Status in samba source package in Xenial:
  Fix Released

Bug description:
  Latest security update breaks LDAP auth

  LDAP request size (81) exceeds (0)

  Samba works but LDAP auth for external applications is not working
  anymore with the error above

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: samba 2:4.3.11+dfsg-0ubuntu0.16.04.26
  ProcVersionSignature: Ubuntu 4.4.0-177.207-generic 4.4.214
  Uname: Linux 4.4.0-177-generic x86_64
  ApportVersion: 2.20.1-0ubuntu2.23
  Architecture: amd64
  BothFailedConnect: Yes
  Date: Wed Apr 29 08:50:49 2020
  InstallationDate: Installed on 2018-12-13 (502 days ago)
  InstallationMedia: Ubuntu-Server 16.04.5 LTS "Xenial Xerus" - Release amd64 (20180731)
  ProcEnviron:
   TERM=screen
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=it_IT.UTF-8
   SHELL=/bin/bash
  SambaServerRegression: Yes
  SmbConfIncluded: No
  SourcePackage: samba
  UpgradeStatus: No upgrade log present (probably fresh install)
  modified.conffile..etc.logrotate.d.samba: [modified]
  mtime.conffile..etc.logrotate.d.samba: 2019-05-20T15:58:46.634276
  upstart.nmbd.override: manual
  upstart.smbd.override: manual



[Group.of.nepali.translators] [Bug 1875798] Re: Samba 2:4.3.11+dfsg-0ubuntu0.16.04.26: LDAP request size (81) exceeds (0)

2020-04-29 Thread Marc Deslauriers
** Changed in: samba (Ubuntu)
   Importance: Undecided => Critical

** Also affects: samba (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Changed in: samba (Ubuntu Xenial)
   Status: New => Confirmed

** Changed in: samba (Ubuntu Xenial)
   Importance: Undecided => Critical

** Changed in: samba (Ubuntu Xenial)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1875798

Title:
  Samba 2:4.3.11+dfsg-0ubuntu0.16.04.26: LDAP request size (81) exceeds
  (0)

Status in samba package in Ubuntu:
  Confirmed
Status in samba source package in Xenial:
  Confirmed



[Group.of.nepali.translators] [Bug 1861534] Re: Spamassassin needs updated to 3.4.4 to reflect security fixes

2020-02-05 Thread Marc Deslauriers
Security updates were already released for these two CVEs here:

https://usn.ubuntu.com/4265-1/

** Changed in: spamassassin (Ubuntu Xenial)
   Status: New => Fix Released

** Changed in: spamassassin (Ubuntu Bionic)
   Status: New => Fix Released

** Changed in: spamassassin (Ubuntu Disco)
   Status: New => Invalid

** Changed in: spamassassin (Ubuntu Disco)
   Status: Invalid => Won't Fix

** Changed in: spamassassin (Ubuntu Eoan)
   Status: New => Fix Released

** Changed in: spamassassin (Ubuntu Trusty)
   Status: New => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1861534

Title:
  Spamassassin needs updated to 3.4.4 to reflect security fixes

Status in spamassassin package in Ubuntu:
  Triaged
Status in spamassassin source package in Trusty:
  Fix Released
Status in spamassassin source package in Xenial:
  Fix Released
Status in spamassassin source package in Bionic:
  Fix Released
Status in spamassassin source package in Disco:
  Won't Fix
Status in spamassassin source package in Eoan:
  Fix Released
Status in spamassassin source package in Focal:
  Triaged

Bug description:
  lsb_release -rd
  Description:  Ubuntu 18.04.4 LTS
  Release:  18.04

  apt-cache policy spamassassin
  spamassassin:
    Installed: 3.4.2-0ubuntu0.18.04.2
    Candidate: 3.4.2-0ubuntu0.18.04.2

  The current version of Spamassassin is 3.4.2, the newest version,
  3.4.4 fixes two security issues:

  CVE-2020-1930
  A command execution issue was found in Apache SpamAssassin prior to
  3.4.3. Carefully crafted nefarious rule configuration (.cf) files can
  be configured to run system commands similar to CVE-2018-11805. With
  this bug unpatched, exploits can be injected in a number of scenarios
  including the same privileges as spamd is run which may be elevated
  though doing so remotely is difficult. In addition to upgrading to SA
  3.4.4, we again recommend that users should only use update channels
  or 3rd party .cf files from trusted places. If you cannot upgrade, do
  not use 3rd party rulesets, do not use sa-compile and do not run spamd
  as an account with elevated privileges.

  CVE-2020-1931
  A command execution issue was found in Apache SpamAssassin prior to
  3.4.3. Carefully crafted nefarious Configuration (.cf) files can be
  configured to run system commands similar to CVE-2018-11805. This
  issue is less stealthy and attempts to exploit the issue will throw
  warnings. Thanks to Damian Lukowski at credativ for reporting the
  issue ethically. With this bug unpatched, exploits can be injected in
  a number of scenarios though doing so remotely is difficult. In
  addition to upgrading to SA 3.4.4, we again recommend that users
  should only use update channels or 3rd party .cf files from trusted
  places.

  Request that Spamassassin be updated to the latest version, 3.4.4, as
  soon as possible.



[Group.of.nepali.translators] [Bug 1860656] Re: SHA1 security update regression prohibits connectivity

2020-01-23 Thread Marc Deslauriers
** Changed in: gnutls28 (Ubuntu)
   Status: New => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1860656

Title:
  SHA1 security update regression prohibits connectivity

Status in gnutls28 package in Ubuntu:
  Fix Released
Status in gnutls28 source package in Xenial:
  Confirmed
Status in gnutls28 source package in Bionic:
  Confirmed

Bug description:
  more details to follow

  SHA1 security update regression prohibits connectivity



[Group.of.nepali.translators] [Bug 1860606] Re: TypeError: _fetch_archives() missing 1 required positional argument: 'allow_unauthenticated'

2020-01-22 Thread Marc Deslauriers
** Changed in: ubuntu-release-upgrader (Ubuntu Xenial)
   Status: Confirmed => Invalid

** Changed in: ubuntu-release-upgrader (Ubuntu Bionic)
   Status: Confirmed => Invalid

** Changed in: ubuntu-release-upgrader (Ubuntu Disco)
   Status: Confirmed => Invalid

** Changed in: ubuntu-release-upgrader (Ubuntu Eoan)
   Status: Confirmed => Invalid

** Changed in: ubuntu-release-upgrader (Ubuntu Focal)
   Status: Confirmed => Invalid

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1860606

Title:
  TypeError: _fetch_archives() missing 1 required positional argument:
  'allow_unauthenticated'

Status in python-apt package in Ubuntu:
  Confirmed
Status in ubuntu-release-upgrader package in Ubuntu:
  Invalid
Status in python-apt source package in Xenial:
  Fix Released
Status in ubuntu-release-upgrader source package in Xenial:
  Invalid
Status in python-apt source package in Bionic:
  Fix Released
Status in ubuntu-release-upgrader source package in Bionic:
  Invalid
Status in python-apt source package in Disco:
  Fix Released
Status in ubuntu-release-upgrader source package in Disco:
  Invalid
Status in python-apt source package in Eoan:
  Fix Released
Status in ubuntu-release-upgrader source package in Eoan:
  Invalid
Status in python-apt source package in Focal:
  Confirmed
Status in ubuntu-release-upgrader source package in Focal:
  Invalid

Bug description:
  I was upgrading my workstation from 19.04 to 19.10 and following that
  to 20.04. In each case I used do-release-upgrade (without and with -d
  respectively). The 20.04 upgrade failed as the tool crashed on invalid
  function signature:

  Original exception was:
  Traceback (most recent call last):
    File "/tmp/ubuntu-release-upgrader-f_816ncr/focal", line 8, in
      sys.exit(main())
    File "/tmp/ubuntu-release-upgrader-f_816ncr/DistUpgrade/DistUpgradeMain.py", line 238, in main
      if app.run():
    File "/tmp/ubuntu-release-upgrader-f_816ncr/DistUpgrade/DistUpgradeController.py", line 2082, in run
      return self.fullUpgrade()
    File "/tmp/ubuntu-release-upgrader-f_816ncr/DistUpgrade/DistUpgradeController.py", line 1998, in fullUpgrade
      if not self.doDistUpgradeFetching():
    File "/tmp/ubuntu-release-upgrader-f_816ncr/DistUpgrade/DistUpgradeController.py", line 1233, in doDistUpgradeFetching
      self.cache._fetch_archives(self.fetcher, pm)
  TypeError: _fetch_archives() missing 1 required positional argument: 'allow_unauthenticated'



[Group.of.nepali.translators] [Bug 1860606] Re: TypeError: _fetch_archives() missing 1 required positional argument: 'allow_unauthenticated'

2020-01-22 Thread Marc Deslauriers
** Also affects: python-apt (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: python-apt (Ubuntu Xenial)
   Importance: Undecided => High

** Changed in: python-apt (Ubuntu Xenial)
   Status: New => Confirmed

** Changed in: python-apt (Ubuntu Xenial)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: python-apt (Ubuntu Bionic)
   Importance: Undecided => High

** Changed in: python-apt (Ubuntu Bionic)
   Status: New => Confirmed

** Changed in: python-apt (Ubuntu Bionic)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: python-apt (Ubuntu Disco)
   Importance: Undecided => High

** Changed in: python-apt (Ubuntu Disco)
   Status: New => Confirmed

** Changed in: python-apt (Ubuntu Disco)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: python-apt (Ubuntu Eoan)
   Importance: Undecided => High

** Changed in: python-apt (Ubuntu Eoan)
   Status: New => Confirmed

** Changed in: python-apt (Ubuntu Eoan)
     Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: python-apt (Ubuntu Focal)
   Importance: Undecided => High

** Changed in: python-apt (Ubuntu Focal)
   Status: New => Confirmed

** Changed in: python-apt (Ubuntu Focal)
 Assignee: (unassigned) => Julian Andres Klode (juliank)

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1860606

Title:
  TypeError: _fetch_archives() missing 1 required positional argument:
  'allow_unauthenticated'

Status in python-apt package in Ubuntu:
  Confirmed
Status in ubuntu-release-upgrader package in Ubuntu:
  Confirmed
Status in python-apt source package in Xenial:
  Confirmed
Status in ubuntu-release-upgrader source package in Xenial:
  Confirmed
Status in python-apt source package in Bionic:
  Confirmed
Status in ubuntu-release-upgrader source package in Bionic:
  Confirmed
Status in python-apt source package in Disco:
  Confirmed
Status in ubuntu-release-upgrader source package in Disco:
  Confirmed
Status in python-apt source package in Eoan:
  Confirmed
Status in ubuntu-release-upgrader source package in Eoan:
  Confirmed
Status in python-apt source package in Focal:
  Confirmed
Status in ubuntu-release-upgrader source package in Focal:
  Confirmed

Bug description:
  I was upgrading my workstation from 19.04 to 19.10 and following that
  to 20.04. In each case I used do-release-upgrade (without and with -d
  respectively). The 20.04 upgrade failed as the tool crashed on invalid
  function signature:

  Original exception was:
  Traceback (most recent call last):
    File "/tmp/ubuntu-release-upgrader-f_816ncr/focal", line 8, in
      sys.exit(main())
    File "/tmp/ubuntu-release-upgrader-f_816ncr/DistUpgrade/DistUpgradeMain.py", line 238, in main
      if app.run():
    File "/tmp/ubuntu-release-upgrader-f_816ncr/DistUpgrade/DistUpgradeController.py", line 2082, in run
      return self.fullUpgrade()
    File "/tmp/ubuntu-release-upgrader-f_816ncr/DistUpgrade/DistUpgradeController.py", line 1998, in fullUpgrade
      if not self.doDistUpgradeFetching():
    File "/tmp/ubuntu-release-upgrader-f_816ncr/DistUpgrade/DistUpgradeController.py", line 1233, in doDistUpgradeFetching
      self.cache._fetch_archives(self.fetcher, pm)
  TypeError: _fetch_archives() missing 1 required positional argument: 'allow_unauthenticated'



[Group.of.nepali.translators] [Bug 1858691] Re: Warning about using older GnuTLS versions for bionic

2020-01-09 Thread Marc Deslauriers
https://usn.ubuntu.com/4233-1/

** Changed in: gnutls28 (Ubuntu Xenial)
   Status: Confirmed => Fix Released

** Changed in: gnutls28 (Ubuntu Bionic)
   Status: Confirmed => Fix Released

-- 
https://bugs.launchpad.net/bugs/1858691

Title:
  Warning about using older GnuTLS versions for bionic

Status in gnutls28 package in Ubuntu:
  Fix Released
Status in gnutls28 source package in Xenial:
  Fix Released
Status in gnutls28 source package in Bionic:
  Fix Released

Bug description:
  It seems that the current GnuTLS version in bionic is vulnerable to
  this https://mail.gnome.org/archives/distributor-list/2020-January/msg0.html



[Group.of.nepali.translators] [Bug 1858691] Re: Warning about using older GnuTLS versions for bionic

2020-01-09 Thread Marc Deslauriers
** Also affects: gnutls28 (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Also affects: gnutls28 (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Information type changed from Private Security to Public Security

** Changed in: gnutls28 (Ubuntu Xenial)
   Status: New => Confirmed

** Changed in: gnutls28 (Ubuntu Bionic)
   Status: New => Confirmed

** Changed in: gnutls28 (Ubuntu Xenial)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: gnutls28 (Ubuntu Bionic)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: gnutls28 (Ubuntu)
   Status: New => Fix Released

-- 
https://bugs.launchpad.net/bugs/1858691

Title:
  Warning about using older GnuTLS versions for bionic

Status in gnutls28 package in Ubuntu:
  Fix Released
Status in gnutls28 source package in Xenial:
  Confirmed
Status in gnutls28 source package in Bionic:
  Confirmed



[Group.of.nepali.translators] [Bug 1845216] Re: OpenSCAP Error: Unable to open file: '/usr/share/openscap/cpe/openscap-cpe-dict.xml' [../../../src/source/oscap_source.c:284]

2019-10-04 Thread Marc Deslauriers
** Changed in: openscap (Ubuntu Disco)
   Status: New => Fix Released

** Changed in: openscap (Ubuntu Eoan)
   Status: New => Fix Released

-- 
https://bugs.launchpad.net/bugs/1845216

Title:
  OpenSCAP Error: Unable to open file: '/usr/share/openscap/cpe/openscap-cpe-dict.xml' [../../../src/source/oscap_source.c:284]

Status in openscap package in Ubuntu:
  Fix Released
Status in openscap source package in Xenial:
  Confirmed
Status in openscap source package in Bionic:
  Confirmed
Status in openscap source package in Disco:
  Fix Released
Status in openscap source package in Eoan:
  Fix Released

Bug description:
  /usr/share/openscap/cpe/openscap-cpe-dict.xml is included in later versions such as 1.2.16-2:
  https://packages.debian.org/buster/amd64/libopenscap8/filelist

  How to reproduce with Ubuntu 18.04 LTS:

  $ sudo apt install libopenscap8 ssg-debderived

  $ oscap info /usr/share/scap-security-guide/ssg-ubuntu1604-ds.xml
  Document type: Source Data Stream
  Imported: 2017-08-11T09:18:08

  ...
  Dictionaries:
  Ref-Id: scap_org.open-scap_cref_output--ssg-ubuntu1604-cpe-dictionary.xml
  OpenSCAP Error: Unable to open file: '/usr/share/openscap/cpe/openscap-cpe-dict.xml' [../../../src/source/oscap_source.c:284]
  Failed to add default CPE to newly created CPE Session. [../../../src/CPE/cpe_session.c:58]

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: libopenscap8 1.2.15-1build1
  ProcVersionSignature: User Name 4.15.0-58.64-generic 4.15.18
  Uname: Linux 4.15.0-58-generic x86_64
  ApportVersion: 2.20.9-0ubuntu7.7
  Architecture: amd64
  Date: Tue Sep 24 14:13:09 2019
  ProcEnviron:
   TERM=screen-256color
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=C.UTF-8
   SHELL=/bin/bash
  SourcePackage: openscap
  UpgradeStatus: No upgrade log present (probably fresh install)



[Group.of.nepali.translators] [Bug 1845216] Re: OpenSCAP Error: Unable to open file: '/usr/share/openscap/cpe/openscap-cpe-dict.xml' [../../../src/source/oscap_source.c:284]

2019-10-04 Thread Marc Deslauriers
** Also affects: openscap (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: openscap (Ubuntu Disco)
   Importance: Undecided
   Status: New

** Also affects: openscap (Ubuntu Eoan)
   Importance: Undecided
   Status: New

** Also affects: openscap (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Changed in: openscap (Ubuntu Xenial)
   Status: New => Confirmed

** Changed in: openscap (Ubuntu Bionic)
   Status: New => Confirmed

-- 
https://bugs.launchpad.net/bugs/1845216

Title:
  OpenSCAP Error: Unable to open file: '/usr/share/openscap/cpe/openscap-cpe-dict.xml' [../../../src/source/oscap_source.c:284]

Status in openscap package in Ubuntu:
  New
Status in openscap source package in Xenial:
  Confirmed
Status in openscap source package in Bionic:
  Confirmed
Status in openscap source package in Disco:
  New
Status in openscap source package in Eoan:
  New



[Group.of.nepali.translators] [Bug 1738259] Re: need to ensure microcode updates are available to all bare-metal installs of Ubuntu

2019-09-17 Thread Marc Deslauriers
** Changed in: linux-meta (Ubuntu Precise)
   Status: New => Won't Fix

** Changed in: linux-meta-hwe (Ubuntu)
   Status: New => Fix Released

** Changed in: linux-meta-hwe-edge (Ubuntu)
   Status: New => Fix Released

** Changed in: linux-meta-lts-xenial (Ubuntu Xenial)
   Status: Fix Committed => Fix Released

-- 
https://bugs.launchpad.net/bugs/1738259

Title:
  need to ensure microcode updates are available to all bare-metal
  installs of Ubuntu

Status in linux-meta package in Ubuntu:
  Fix Released
Status in linux-meta-hwe package in Ubuntu:
  Fix Released
Status in linux-meta-hwe-edge package in Ubuntu:
  Fix Released
Status in linux-meta-lts-xenial package in Ubuntu:
  Fix Released
Status in linux-meta-oem package in Ubuntu:
  Fix Released
Status in linux-meta source package in Precise:
  Won't Fix
Status in linux-meta source package in Trusty:
  Fix Released
Status in linux-meta source package in Xenial:
  Fix Released
Status in linux-meta-hwe source package in Xenial:
  Fix Released
Status in linux-meta-hwe-edge source package in Xenial:
  Fix Released
Status in linux-meta-lts-xenial source package in Xenial:
  Fix Released
Status in linux-meta-oem source package in Xenial:
  Fix Released
Status in linux-meta source package in Zesty:
  Invalid
Status in linux-meta source package in Artful:
  Fix Released
Status in linux-meta source package in Bionic:
  Fix Released

Bug description:
  From time to time, CPU vendors release updates to microcode that can
  be loaded into the CPU from the OS.  For x86, we have these updates
  available in the archive as amd64-microcode and intel-microcode.

  Sometimes, these microcode updates have addressed security issues with
  the CPU.  They almost certainly will again in the future.

  We should ensure that all users of Ubuntu on baremetal x86 receive
  these security updates, and have them applied to the CPU in early boot
  where at all feasible.

  Because these are hardware-dependent packages which we don't want to
  install except on baremetal (so: not in VMs or containers), the
  logical place to pull them into the system is via the kernel, so that
  only the kernel baremetal flavors pull them in.  This is analogous to
  linux-firmware, which is already a dependency of the
  linux-image-{lowlatency,generic} metapackages, and whose contents are
  applied to the hardware by the kernel similar to microcode.

  So, please update the linux-image-{lowlatency,generic} metapackages to
  add a dependency on amd64-microcode [amd64], intel-microcode [amd64],
  and the corresponding hwe metapackages also.

  Please time this change to coincide with the next updates of the
  microcode packages in the archive.

  I believe we will also need to promote the *-microcode packages to
  main from restricted as part of this (again, by analogy with
  linux-firmware).



[Group.of.nepali.translators] [Bug 1835135] Re: FIPS OpenSSL crashes Python2 hashlib

2019-07-10 Thread Marc Deslauriers
** Also affects: python2.7 (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Also affects: python2.7 (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: python2.7 (Ubuntu Cosmic)
   Importance: Undecided
   Status: New

** Also affects: python2.7 (Ubuntu Eoan)
   Importance: High
   Status: Triaged

** Also affects: python2.7 (Ubuntu Disco)
   Importance: Undecided
   Status: New

** Also affects: python3.5 (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: python3.5 (Ubuntu Bionic)
   Status: New => Invalid

** Changed in: python3.5 (Ubuntu Cosmic)
   Status: New => Invalid

** Changed in: python3.5 (Ubuntu Disco)
   Status: New => Invalid

** Changed in: python3.5 (Ubuntu Eoan)
   Status: New => Invalid

** Changed in: python3.5 (Ubuntu Xenial)
   Importance: Undecided => Medium

** Changed in: python3.5 (Ubuntu Xenial)
   Status: New => In Progress

** Changed in: python3.5 (Ubuntu Xenial)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: python2.7 (Ubuntu Xenial)
   Importance: Undecided => Medium

** Changed in: python2.7 (Ubuntu Xenial)
   Status: New => In Progress

** Changed in: python2.7 (Ubuntu Xenial)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: python2.7 (Ubuntu Bionic)
   Importance: Undecided => Medium

** Changed in: python2.7 (Ubuntu Bionic)
   Status: New => In Progress

** Changed in: python2.7 (Ubuntu Bionic)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: python2.7 (Ubuntu Cosmic)
   Status: New => Won't Fix

** Changed in: python2.7 (Ubuntu Disco)
   Importance: Undecided => Medium

** Changed in: python2.7 (Ubuntu Disco)
   Status: New => In Progress

** Changed in: python2.7 (Ubuntu Disco)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

-- 
https://bugs.launchpad.net/bugs/1835135

Title:
  FIPS OpenSSL crashes Python2 hashlib

Status in python2.7 package in Ubuntu:
  Triaged
Status in python3.5 package in Ubuntu:
  Invalid
Status in python2.7 source package in Xenial:
  In Progress
Status in python3.5 source package in Xenial:
  In Progress
Status in python2.7 source package in Bionic:
  In Progress
Status in python3.5 source package in Bionic:
  Invalid
Status in python2.7 source package in Cosmic:
  Won't Fix
Status in python3.5 source package in Cosmic:
  Invalid
Status in python2.7 source package in Disco:
  In Progress
Status in python3.5 source package in Disco:
  Invalid
Status in python2.7 source package in Eoan:
  Triaged
Status in python3.5 source package in Eoan:
  Invalid

Bug description:
  If Ubuntu/Canonical's FIPS-compliant OpenSSL is initialized with
  SSL_library_init, then Python2's hashlib bindings for MD5 can trigger
  a SIGSEGV via a NULL pointer dereference (if calling the .update
  method) or a SIGABRT (if passing input to the constructor or passing
  no input and invoking the .final method). This happens if, for
  example, PyOpenSSL is imported before hashlib.

  Canonical's FIPS patches for OpenSSL introduce some odd behavior that
  arguably should be revisited, but the (TL;DR) core bug is that Python2
  hashlib doesn't properly check the return value of EVP_DigestInit,
  preventing hashlib from falling back to its internal MD5
  implementation and instead setting things up for use of the MD5
  context to trigger SIGSEGV or SIGABRT.

  Python3 correctly checks the return value, so the fix is to backport
  the relevant code into Python2 (see
  python2.7-2.7.12/Modules/_hashopenssl.c).

  See attached good.py and bad.py files which exhibit the import order-
  dependent crashing issue. See attached fips-md5-python-init-bug.c
  which shows the FIPS OpenSSL behaviors that conditionally tickle the
  Python2 bug. The C file also contains a much more detailed description
  of the Python2 bug and other behavior which I'd rather not repeat
  here.

  I discovered this bug investigating an issue with the third-party
  apt-boto-s3 package. See https://github.com/boto/boto3/issues/2021

  Note that this bug affects Splunk, Inc, which has a corporate Ubuntu
  Advantage license. My login account is attached to a different,
  single-seat license.



[Group.of.nepali.translators] [Bug 1832257] Re: regression: sudo returns exit code 0 if child is killed with SIGTERM

2019-06-10 Thread Marc Deslauriers
Oh wow, I'm not sure how that happened. I'll release an update for this.

** Changed in: sudo (Ubuntu)
   Status: New => Confirmed

** Changed in: sudo (Ubuntu)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Also affects: sudo (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Changed in: sudo (Ubuntu)
   Status: Confirmed => Fix Released

** Changed in: sudo (Ubuntu Xenial)
   Status: New => Confirmed

** Changed in: sudo (Ubuntu Xenial)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: sudo (Ubuntu Xenial)
   Importance: Undecided => High

-- 
https://bugs.launchpad.net/bugs/1832257

Title:
  regression:  sudo returns exit code 0 if child is killed with SIGTERM

Status in sudo package in Ubuntu:
  Fix Released
Status in sudo source package in Xenial:
  Confirmed

Bug description:
  hey there- it looks like we accidentally removed the patch that fixed
  this problem when releasing sudo 1.8.16-0ubuntu1.6 -

  https://git.launchpad.net/ubuntu/+source/sudo/commit/?h=ubuntu/xenial-updates=15345b19b82f587498573b38554e24ec0ab816cb

  note that `terminate-with-commands-signal.patch` is removed from
  debian/patches/series in that commit

  and the behavior described in the original bug (LP 1686803) has
  returned in xenial.

  can we get this back into the current sudo package? the fix still
  exists upstream so it feels like this was an accidental reversion.



[Group.of.nepali.translators] [Bug 1827924] Re: Panic or segfault in Samba

2019-05-27 Thread Marc Deslauriers
** Changed in: samba (Ubuntu)
   Status: Confirmed => Fix Released

-- 
https://bugs.launchpad.net/bugs/1827924

Title:
  Panic or segfault in Samba

Status in samba:
  Unknown
Status in samba package in Ubuntu:
  Fix Released
Status in samba source package in Xenial:
  Fix Released
Status in samba source package in Bionic:
  Fix Released

Bug description:
  The Samba 'panic action' script, /usr/share/samba/panic-action,
  was called for PID 8336 (/usr/sbin/smbd).

  This means there was a problem with the program, such as a segfault.
  Below is a backtrace for this process generated with gdb, which shows
  the state of the program at the time the error occurred.  The Samba log
  files may contain additional information about the problem.

  If the problem persists, you are encouraged to first install the
  samba-dbg package, which contains the debugging symbols for the Samba
  binaries.  Then submit the provided information as a bug report to
  Ubuntu by visiting this link:
  https://launchpad.net/ubuntu/+source/samba/+filebug

  [Thread debugging using libthread_db enabled]
  Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
  0x7f892084507a in __GI___waitpid (pid=8341, stat_loc=stat_loc@entry=0x7ffcd9196290, options=options@entry=0) at ../sysdeps/unix/sysv/linux/waitpid.c:29
  #0  0x7f892084507a in __GI___waitpid (pid=8341, stat_loc=stat_loc@entry=0x7ffcd9196290, options=options@entry=0) at ../sysdeps/unix/sysv/linux/waitpid.c:29
  #1  0x7f89207bdfbb in do_system (line=) at ../sysdeps/posix/system.c:148
  #2  0x7f89232698d1 in smb_panic_s3 () from /usr/lib/x86_64-linux-gnu/samba/libsmbregistry.so.0
  #3  0x7f8923fdcf1f in smb_panic () from /usr/lib/x86_64-linux-gnu/libsamba-util.so.0
  #4  0x7f8923fdd136 in ?? () from /usr/lib/x86_64-linux-gnu/libsamba-util.so.0
  #5
  #6  0x7f8923bd5c6f in smbXsrv_session_create () from /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0
  #7  0x7f8923b6e643 in reply_sesssetup_and_X () from /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0
  #8  0x7f8923baae67 in ?? () from /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0
  #9  0x7f8923bacbb3 in ?? () from /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0
  #10 0x7f8923bae21c in ?? () from /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0
  #11 0x7f8921efc917 in run_events_poll () from /usr/lib/x86_64-linux-gnu/libsmbconf.so.0
  #12 0x7f8921efcb77 in ?? () from /usr/lib/x86_64-linux-gnu/libsmbconf.so.0
  #13 0x7f8920b46d3d in _tevent_loop_once () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
  #14 0x7f8920b46edb in tevent_common_loop_wait () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
  #15 0x7f8923baf578 in smbd_process () from /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0
  #16 0x5585ef73fe12 in ?? ()
  #17 0x7f8921efc917 in run_events_poll () from /usr/lib/x86_64-linux-gnu/libsmbconf.so.0
  #18 0x7f8921efcb77 in ?? () from /usr/lib/x86_64-linux-gnu/libsmbconf.so.0
  #19 0x7f8920b46d3d in _tevent_loop_once () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
  #20 0x7f8920b46edb in tevent_common_loop_wait () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
  #21 0x5585ef73e099 in main ()
  A debugging session is active.

  Inferior 1 [process 8336] will be detached.



[Group.of.nepali.translators] [Bug 1827924] Re: Panic or segfault in Samba

2019-05-23 Thread Marc Deslauriers
** Also affects: samba via
   https://bugzilla.samba.org/show_bug.cgi?id=13315
   Importance: Unknown
   Status: Unknown

-- 
https://bugs.launchpad.net/bugs/1827924

Title:
  Panic or segfault in Samba

Status in samba:
  Unknown
Status in samba package in Ubuntu:
  Confirmed
Status in samba source package in Xenial:
  Confirmed
Status in samba source package in Bionic:
  Confirmed



[Group.of.nepali.translators] [Bug 1828401] Re: 9.26~dfsg+0-0ubuntu0.18.04.9 breaks cups printing of pdf

2019-05-09 Thread Marc Deslauriers
I will release updates for this regression today.

** Also affects: cups-filters (Ubuntu Cosmic)
   Importance: Undecided
   Status: New

** Changed in: cups-filters (Ubuntu Cosmic)
   Status: New => In Progress

** Changed in: cups-filters (Ubuntu Bionic)
   Status: Triaged => In Progress

** Changed in: cups-filters (Ubuntu Cosmic)
   Importance: Undecided => High

** Changed in: cups-filters (Ubuntu Bionic)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: cups-filters (Ubuntu Cosmic)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Also affects: cups-filters (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Changed in: cups-filters (Ubuntu Xenial)
   Status: New => In Progress

** Changed in: cups-filters (Ubuntu Xenial)
   Importance: Undecided => High

** Changed in: cups-filters (Ubuntu Xenial)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

-- 
https://bugs.launchpad.net/bugs/1828401

Title:
  9.26~dfsg+0-0ubuntu0.18.04.9 breaks cups printing of pdf

Status in cups-filters package in Ubuntu:
  Fix Released
Status in cups-filters source package in Xenial:
  In Progress
Status in cups-filters source package in Bionic:
  In Progress
Status in cups-filters source package in Cosmic:
  In Progress

Bug description:
  Distributor ID:   Ubuntu
  Description:  Ubuntu 18.04.2 LTS
  Release:  18.04
  Codename: bionic

  
  PROBLEM:
  9.26~dfsg+0-0ubuntu0.18.04.9 breaks printing pdf on cups

  error in cups logs:

  ...
  D [09/May/2019:13:44:33 +0200] [Job 68] GPL Ghostscript 9.26: Unrecoverable error, exit code 1
  D [09/May/2019:13:44:33 +0200] [Job 68] Process is dying with \"Unable to determine number of pages, page count: -1
  D [09/May/2019:13:44:33 +0200] [Job 68] \", exit stat 3
  ...

  details of this bug here: https://bugs.archlinux.org/task/62251

  POSSIBLE SOLUTION:
  release an update of cups-filters to 1.22.5

  WORKAROUND: 
  downgrade ghostscript to 9.22~dfsg+1-0ubuntu1

  sudo apt install ghostscript=9.22~dfsg+1-0ubuntu1 libgs9=9.22~dfsg+1-0ubuntu1 libgs9-common=9.22~dfsg+1-0ubuntu1 ghostscript-x=9.22~dfsg+1-0ubuntu1



[Group.of.nepali.translators] [Bug 1815339] Re: Printer stopped printing paper size 4"x6" after update ghostscript to 9.26

2019-03-22 Thread Marc Deslauriers
** Changed in: ghostscript (Ubuntu Disco)
   Status: Triaged => Fix Released

-- 
https://bugs.launchpad.net/bugs/1815339

Title:
  Printer stopped printing paper size 4"x6" after update ghostscript to
  9.26

Status in GS-GPL:
  Fix Released
Status in ghostscript package in Ubuntu:
  Fix Released
Status in ghostscript source package in Trusty:
  Fix Released
Status in ghostscript source package in Xenial:
  Fix Released
Status in ghostscript source package in Bionic:
  Fix Released
Status in ghostscript source package in Cosmic:
  Fix Released
Status in ghostscript source package in Disco:
  Fix Released

Bug description:
  
  I have an issue with Ghostscript and printing.
  I use Gutenprint for my Canon MG5440, and I cannot print a photo 4"x6" (or 6"x4"), it does not print anything, however I am still able to print A4 paper size.
  I use Ubuntu 18.04 and Gutenprint 5.3.1.

  The printing fails with message:
  
  [Job 143] Start rendering...
  [Job 143] Processing page 1...
  [Job 143]  Unable to open the initial device, quitting.
  [Job 143] Rendering completed
  ...
  [Job 143] PID 24869 (/usr/lib/cups/filter/gstoraster) stopped with status 1.
  ...
  [Job 143] printer-state-message="Filter failed"
  [Job 143] printer-state-reasons=none

  The message "Unable to open the initial device, quitting" comes from
  Ghostscript.

  
  When I downgrade Ghostscript to 9.22, 
  I am again able to print 4"x6" paper size.

  To downgrade: apt install ghostscript=9.22~dfsg+1-0ubuntu1
  libgs9=9.22~dfsg+1-0ubuntu1 libgs9-common=9.22~dfsg+1-0ubuntu1

  I found a similar issue for an HP printer at Debian:
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=908205

  
  System info:
  Description:  Ubuntu 18.04.1 LTS
  Release:  18.04

  ghostscript:
    Installed: 9.26~dfsg+0-0ubuntu0.18.04.4
    Candidate: 9.26~dfsg+0-0ubuntu0.18.04.4
    Versions:
   *** 9.26~dfsg+0-0ubuntu0.18.04.4 500
          500 http://ua.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
          500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
          100 /var/lib/dpkg/status
       9.22~dfsg+1-0ubuntu1 500
          500 http://ua.archive.ubuntu.com/ubuntu bionic/main amd64 Packages

  cups:
    Installed: 2.2.7-1ubuntu2.3
    Candidate: 2.2.7-1ubuntu2.3
    Versions:
   *** 2.2.7-1ubuntu2.3 500
          500 http://ua.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
          100 /var/lib/dpkg/status
       2.2.7-1ubuntu2.2 500
          500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
       2.2.7-1ubuntu2 500
          500 http://ua.archive.ubuntu.com/ubuntu bionic/main amd64 Packages

To manage notifications about this bug go to:
https://bugs.launchpad.net/gs-gpl/+bug/1815339/+subscriptions



[Group.of.nepali.translators] [Bug 1815624] Re: PostGIS DoS vulnerability in Trusty and Xenial

2019-03-07 Thread Marc Deslauriers
** Information type changed from Private Security to Public Security

** Also affects: postgis (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: postgis (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Changed in: postgis (Ubuntu)
   Status: New => Fix Released

** Changed in: postgis (Ubuntu Trusty)
   Status: New => Confirmed

** Changed in: postgis (Ubuntu Xenial)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1815624

Title:
  PostGIS DoS vulnerability in Trusty and Xenial

Status in postgis package in Ubuntu:
  Fix Released
Status in postgis source package in Trusty:
  Confirmed
Status in postgis source package in Xenial:
  Confirmed

Bug description:
  PostGIS < 2.3.3 is vulnerable. In Ubuntu Trusty and Xenial, Postgres
  can be DoSed via PostGIS. Please upgrade packages.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/postgis/+bug/1815624/+subscriptions



[Group.of.nepali.translators] [Bug 1772919] Re: pam-gnome-keyring.so reveals user’s password credential as a plaintext form

2019-02-14 Thread Marc Deslauriers
** Also affects: gnome-keyring (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: gnome-keyring (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Changed in: gnome-keyring (Ubuntu)
   Status: New => Fix Released

** Changed in: gnome-keyring (Ubuntu Trusty)
   Status: New => Confirmed

** Changed in: gnome-keyring (Ubuntu Xenial)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1772919

Title:
  pam-gnome-keyring.so reveals user’s password credential as a plaintext
  form

Status in gnome-keyring package in Ubuntu:
  Fix Released
Status in gnome-keyring source package in Trusty:
  Confirmed
Status in gnome-keyring source package in Xenial:
  Confirmed

Bug description:
  When I perform a memory dump of the session-child process, the user’s
  login credentials, including user accounts and their passwords, are
  revealed in plaintext form.

  In the ‘pam_sm_authenticate’ function, the user’s password is stored in
  the heap memory of ‘pam_handle->data’ in order to unlock the keyring
  later.

  After unlocking the keyring, the pam module does not free/overwrite
  the memory area though the password is no longer used.

  We thus could find user’s login credentials.

  This raises concerns over the credential being misused for illegal
  behavior, such as acquiring user’s session key.

  It would be better to clean the heap memory.

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: gnome-keyring 3.18.3-0ubuntu2
  ProcVersionSignature: Ubuntu 4.13.0-36.40~16.04.1-generic 4.13.13
  Uname: Linux 4.13.0-36-generic x86_64
  ApportVersion: 2.20.1-0ubuntu2.15
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Wed May 23 22:53:12 2018
  InstallationDate: Installed on 2018-04-20 (32 days ago)
  InstallationMedia: Ubuntu 16.04.4 LTS "Xenial Xerus" - Release amd64 (20180228)
  SourcePackage: gnome-keyring
  UpgradeStatus: No upgrade log present (probably fresh install)
  upstart.gnome-keyring-ssh.log: grep: /home/sungjungk/.config/autostart/gnome-keyring-ssh.desktop: No such file or directory

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnome-keyring/+bug/1772919/+subscriptions
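
The residue described in this report, as an added example that is not part of the report or of gnome-keyring's code: a constructed arena stands in for the process heap, so the bytes of a released block can be scanned the way a memory dump would scan them. All names (`arena`, `cleanup_plain`, `cleanup_wiped`, `session_leaks_password`) and the sample password are hypothetical.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the heap: a real dump reads process memory,
 * here we can legally read a block's bytes after it has been released. */
#define ARENA_SIZE 256
static unsigned char arena[ARENA_SIZE];
static size_t arena_used;

/* Same role as the cleanup callback attached to per-handle PAM data. */
typedef void (*cleanup_fn)(void *data, size_t len);

/* Bump allocator; returns NULL when the request does not fit. */
static void *arena_alloc(size_t n)
{
    if (n > ARENA_SIZE - arena_used)
        return NULL;
    void *p = arena + arena_used;
    arena_used += n;
    return p;
}

/* Behaviour the report describes: the block is released, bytes untouched. */
static void cleanup_plain(void *data, size_t len)
{
    (void)data;
    (void)len;
}

/* Hardened form: overwrite before release. The volatile pointer keeps the
 * compiler from dropping the stores as dead writes to a dying buffer. */
static void cleanup_wiped(void *data, size_t len)
{
    volatile unsigned char *p = data;
    while (len--)
        *p++ = 0;
}

/* What a memory dump would show: 1 if the needle's bytes occur in the arena. */
static int dump_contains(const char *needle)
{
    size_t n = strlen(needle);
    if (n == 0 || n > ARENA_SIZE)
        return 0;
    for (size_t i = 0; i + n <= ARENA_SIZE; i++)
        if (memcmp(arena + i, needle, n) == 0)
            return 1;
    return 0;
}

/* One login: store the password, use it, clean up, release, then dump.
 * Returns 1 if the password is still readable, 0 if not, -1 on alloc failure. */
int session_leaks_password(const char *password, cleanup_fn cleanup)
{
    memset(arena, 0, sizeof arena);
    arena_used = 0;

    size_t len = strlen(password) + 1;
    char *stored = arena_alloc(len);
    if (stored == NULL)
        return -1;
    memcpy(stored, password, len);

    /* ... the keyring is unlocked with `stored`; it is not needed after ... */

    cleanup(stored, len);
    arena_used = 0;               /* block handed back to the allocator */
    return dump_contains(password);
}

int main(void)
{
    const char *pw = "constructed-passw0rd";   /* constructed sample value */
    printf("release only:      leaked=%d\n",
           session_leaks_password(pw, cleanup_plain));
    printf("wipe then release: leaked=%d\n",
           session_leaks_password(pw, cleanup_wiped));
    return 0;
}
```

In production code the wipe would normally be `explicit_bzero()` or `memset_s()` where the platform provides them, called before the buffer is freed.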



[Group.of.nepali.translators] [Bug 1812353] Re: content injection in http method (CVE-2019-3462)

2019-01-22 Thread Marc Deslauriers
** Changed in: apt (Ubuntu Precise)
   Status: New => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1812353

Title:
  content injection in http method (CVE-2019-3462)

Status in apt package in Ubuntu:
  In Progress
Status in apt source package in Precise:
  Fix Released
Status in apt source package in Trusty:
  Fix Released
Status in apt source package in Xenial:
  Fix Released
Status in apt source package in Bionic:
  Fix Released
Status in apt source package in Cosmic:
  Fix Released
Status in apt source package in Disco:
  In Progress

Bug description:
  apt, starting with version 0.8.15, decodes target URLs of redirects,
  but does not check them for newlines, allowing MiTM attackers (or
  repository mirrors) to inject arbitrary headers into the result
  returned to the main process.

  If the URL embeds hashes of the supposed file, it can thus be used to
  disable any validation of the downloaded file, as the fake hashes will
  be prepended in front of the right hashes.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1812353/+subscriptions
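
The missing check described above, as an added example that is not apt's code: a redirect target is percent-decoded and then written into a line-based "Key: value" message, once without and once with a control-character check. The message layout, field names, function names and sample URLs are simplified assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed sample: %0A decodes to a newline inside the redirect target. */
static const char SAMPLE_INJECTED[] =
    "http://mirror.example/pool/a.deb%0AInjected-Field: constructed";

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Percent-decode `in` into `out`. Returns the decoded length, or -1 on a
 * malformed escape or when the result does not fit. */
int percent_decode(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    if (outsz == 0)
        return -1;
    while (*in) {
        int c = (unsigned char)*in++;
        if (c == '%') {
            int hi = hexval((unsigned char)in[0]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)in[1]);
            if (lo < 0)
                return -1;
            c = hi * 16 + lo;
            in += 2;
        }
        if (n + 1 >= outsz)
            return -1;
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return (int)n;
}

/* The check: after decoding, the target must contain no control bytes
 * (CR, LF, NUL, ...), so it cannot end its own line in the message. */
int target_is_single_line(const char *s, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c < 0x20 || c == 0x7f)
            return 0;
    }
    return len > 0;
}

/* Number of field lines the receiving process would parse
 * (non-empty lines after the first, which is the message type). */
int count_fields(const char *msg)
{
    int lines = 0;
    while (*msg) {
        size_t len = strcspn(msg, "\n");
        if (len > 0)
            lines++;
        msg += len;
        if (*msg == '\n')
            msg++;
    }
    return lines > 0 ? lines - 1 : 0;
}

/* Build the message for a redirect. Returns the number of fields the
 * receiver will see, or -1 if the target was rejected or did not fit. */
int build_redirect_message(const char *uri, const char *location,
                           int validate, char *msg, size_t msgsz)
{
    char target[512];
    int len = percent_decode(location, target, sizeof target);
    if (len < 0)
        return -1;
    if (validate && !target_is_single_line(target, (size_t)len))
        return -1;
    int w = snprintf(msg, msgsz, "Redirect\nURI: %s\nNew-URI: %s\n\n",
                     uri, target);
    if (w < 0 || (size_t)w >= msgsz)
        return -1;
    return count_fields(msg);
}

int main(void)
{
    char msg[1024];
    const char *uri = "http://archive.example/pool/a.deb";
    printf("unchecked: %d fields\n",
           build_redirect_message(uri, SAMPLE_INJECTED, 0, msg, sizeof msg));
    printf("checked:   %d (rejected)\n",
           build_redirect_message(uri, SAMPLE_INJECTED, 1, msg, sizeof msg));
    return 0;
}
```

Without the check the receiver sees three fields where the sender intended two; with it the redirect is refused before any message is written.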



[Group.of.nepali.translators] [Bug 1805348] Re: Recent security update broke server-side keyboard-interactive authentication

2018-11-27 Thread Marc Deslauriers
Thanks for reporting this pitti, I'll prepare a regression fix!

** Changed in: libssh (Ubuntu Xenial)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: libssh (Ubuntu Bionic)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: libssh (Ubuntu Cosmic)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Also affects: libssh (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Changed in: libssh (Ubuntu Trusty)
   Status: New => Triaged

** Changed in: libssh (Ubuntu Trusty)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: libssh (Ubuntu Trusty)
   Importance: Undecided => High

** Information type changed from Public to Public Security

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1805348

Title:
  Recent security update broke server-side keyboard-interactive
  authentication

Status in libssh package in Ubuntu:
  Fix Released
Status in libssh source package in Trusty:
  Triaged
Status in libssh source package in Xenial:
  Triaged
Status in libssh source package in Bionic:
  Triaged
Status in libssh source package in Cosmic:
  Triaged
Status in libssh package in Debian:
  New

Bug description:
  0.8.4 and the backported fixes for CVE-2018-10933 cause server-side
  keyboard-interactive authentication to completely break. See
  https://bugs.libssh.org/T117 for details and a reproducer.

  This was fixed upstream as part of the 0.8.5 release, so disco is
  fine. For 16.04/18.04/18.10, please backport the fix:

https://git.libssh.org/projects/libssh.git/commit/?id=4ea46eecce9f4

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libssh/+bug/1805348/+subscriptions



[Group.of.nepali.translators] [Bug 1794629] Re: CVE-2018-15473 - User enumeration vulnerability

2018-11-08 Thread Marc Deslauriers
** Changed in: openssh (Ubuntu Cosmic)
   Status: In Progress => Fix Released

** Changed in: openssh (Ubuntu)
   Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1794629

Title:
  CVE-2018-15473 - User enumeration vulnerability

Status in openssh package in Ubuntu:
  Fix Released
Status in openssh source package in Trusty:
  Fix Released
Status in openssh source package in Xenial:
  Fix Released
Status in openssh source package in Bionic:
  Fix Released
Status in openssh source package in Cosmic:
  Fix Released

Bug description:
  https://nvd.nist.gov/vuln/detail/CVE-2018-15473

  OpenSSH through 7.7 is prone to a user enumeration vulnerability due
  to not delaying bailout for an invalid authenticating user until after
  the packet containing the request has been fully parsed, related to
  auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.

  Fixed in Debian: https://www.debian.org/security/2018/dsa-4280

  Currently pending triage?
  https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15473.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1794629/+subscriptions



[Group.of.nepali.translators] [Bug 1796863] Re: Upgrade to version 3.4.2 for Bionic

2018-10-25 Thread Marc Deslauriers
** Also affects: spamassassin (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Also affects: spamassassin (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Also affects: spamassassin (Ubuntu Cosmic)
   Importance: Medium
   Status: Triaged

** Also affects: spamassassin (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Changed in: spamassassin (Ubuntu Trusty)
   Status: New => Confirmed

** Changed in: spamassassin (Ubuntu Trusty)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: spamassassin (Ubuntu Xenial)
   Status: New => Confirmed

** Changed in: spamassassin (Ubuntu Xenial)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: spamassassin (Ubuntu Bionic)
   Status: New => Confirmed

** Changed in: spamassassin (Ubuntu Bionic)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: spamassassin (Ubuntu Cosmic)
   Status: Triaged => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1796863

Title:
  Upgrade to version 3.4.2 for Bionic

Status in spamassassin package in Ubuntu:
  Fix Released
Status in spamassassin source package in Trusty:
  Confirmed
Status in spamassassin source package in Xenial:
  Confirmed
Status in spamassassin source package in Bionic:
  Confirmed
Status in spamassassin source package in Cosmic:
  Fix Released

Bug description:
  lsb_release -rd
  Description:  Ubuntu 18.04.1 LTS
  Release:  18.04

  apt-cache policy spamassassin
  spamassassin:
    Installed: 3.4.1-8build1
    Candidate: 3.4.1-8build1

  According to the release notes for Spamassassin 3.4.2 there have been
  significant bug fixes and changes made in the newer package. Some are
  noted below. Suggest that a 3.4.2 version of Spamassassin be released
  for 18.04LTS.

  "There is one specific pressing reason to upgrade.
  Specifically, we will stop producing SHA-1 signatures for rule updates.  This means that
  while we produce rule updates with the focus on them working for any release from
  v3.3.2 forward, they will start failing SHA-1 validation for sa-update.

  *** If you do not update to 3.4.2, you will be stuck at the last ruleset
  with SHA-1 signatures in the near future. ***"

  "Four CVE security bug fixes are included in this release for PDFInfo.pm and
  the SA core:
   CVE-2017-15705, CVE-2016-1238, CVE-2018-11780 & CVE-2018-11781"

  CVE-2017-15705 -
  "A denial of service vulnerability was identified that exists in Apache SpamAssassin before 3.4.2. The vulnerability arises with certain unclosed tags in emails that cause markup to be handled incorrectly leading to scan timeouts."
  https://launchpad.net/bugs/cve/CVE-2017-15705

  CVE-2016-1238 -
  https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1238.html
  According to the link above it appears that Bionic is not affected by this.

  CVE-2018-11780 -
  "A potential Remote Code Execution bug exists with the PDFInfo plugin in
  Apache SpamAssassin before 3.4.2."
  https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-11780.html

  CVE-2018-11781 -
  "Apache SpamAssassin 3.4.2 fixes a local user code injection in the meta
  rule syntax."
  https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-11781.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/spamassassin/+bug/1796863/+subscriptions



[Group.of.nepali.translators] [Bug 1793742] Re: xdvi stops showing emedded figures after updating ghostscript

2018-10-02 Thread Marc Deslauriers
I have released ghostscript 9.25 to all stable releases. That should fix
this issue. Thanks!

** Changed in: ghostscript (Ubuntu Trusty)
   Status: In Progress => Fix Released

** Changed in: ghostscript (Ubuntu Xenial)
   Status: In Progress => Fix Released

** Changed in: ghostscript (Ubuntu Bionic)
   Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1793742

Title:
  xdvi stops showing emedded figures after updating ghostscript

Status in ghostscript package in Ubuntu:
  Fix Released
Status in ghostscript source package in Trusty:
  Fix Released
Status in ghostscript source package in Xenial:
  Fix Released
Status in ghostscript source package in Bionic:
  Fix Released
Status in ghostscript source package in Cosmic:
  Fix Released

Bug description:
  I would like to report a problem with using xdvi after upgrading ghostscript
  (and libgs9) in Trusty Tahr from version 9.10~dfsg-0ubuntu10.12 to
  version 9.10~dfsg-0ubuntu10.13.

  The error message after invoking xdvi looks as below.

  
  $ xdvi scaling.dvi
  gs: Error: /undefined in flushpage
  gs: Operand stack:
  gs:
  gs: Execution stack:
  gs:%interp_exit   .runexec2   --nostringval--   --nostringval--   --nostringval--
  gs:2   %stopped_push   --nostringval--   --nostringval--   --nostringval--   fals
  gs: e   1   %stopped_push   1916   1   3   %oparray_pop   1915   1   3   %oparray_pop
  gs:1899   1   3   %oparray_pop   1787   1   3   %oparray_pop   --nostringval--
  gs: %errorexec_pop   .runexec2   --nostringval--   --nostringval--   --nostringval--
  gs:   2   %stopped_push   --nostringval--   --nostringval--   %loop_continue   --nost
  gs: ringval--
  gs: Dictionary stack:
  gs:--dict:957/1684(ro)(G)--   --dict:0/20(G)--   --dict:81/200(L)--
  gs: Current allocation mode is local
  gs: Last OS error: No such file or directory
  gs: GPL Ghostscript 9.10: Unrecoverable error, exit code 1
  xdvi.bin: Warning: Read_from_gs returned 0 bytes

  
  For the (unlikely) possibility that this error could be due to the update of some other package I also include the full list of the packages that were installed at the same time.

  Setting up libglib2.0-data (2.40.2-0ubuntu1.1) ...
  Setting up libglib2.0-0:amd64 (2.40.2-0ubuntu1.1) ...
  Setting up libglib2.0-bin (2.40.2-0ubuntu1.1) ...
  Setting up libglib2.0-dev (2.40.2-0ubuntu1.1) ...
  Setting up liblcms2-2:amd64 (2.5-0ubuntu4.2) ...
  Setting up libopencv-core2.4:amd64 (2.4.8+dfsg1-2ubuntu1.2) ...
  Setting up libopencv-flann2.4:amd64 (2.4.8+dfsg1-2ubuntu1.2) ...
  Setting up libopencv-imgproc2.4:amd64 (2.4.8+dfsg1-2ubuntu1.2) ...
  Setting up libopencv-features2d2.4:amd64 (2.4.8+dfsg1-2ubuntu1.2) ...
  Setting up libopencv-calib3d2.4:amd64 (2.4.8+dfsg1-2ubuntu1.2) ...
  Setting up libopencv-highgui2.4:amd64 (2.4.8+dfsg1-2ubuntu1.2) ...
  Setting up libopencv-ml2.4:amd64 (2.4.8+dfsg1-2ubuntu1.2) ...
  Setting up libopencv-video2.4:amd64 (2.4.8+dfsg1-2ubuntu1.2) ...
  Setting up libopencv-legacy2.4:amd64 (2.4.8+dfsg1-2ubuntu1.2) ...
  Setting up libopencv-objdetect2.4:amd64 (2.4.8+dfsg1-2ubuntu1.2) ...
  Setting up libopencv-contrib2.4:amd64 (2.4.8+dfsg1-2ubuntu1.2) ...
  Setting up libisc95 (1:9.9.5.dfsg-3ubuntu0.18) ...
  Setting up libdns100 (1:9.9.5.dfsg-3ubuntu0.18) ...
  Setting up libisccc90 (1:9.9.5.dfsg-3ubuntu0.18) ...
  Setting up libisccfg90 (1:9.9.5.dfsg-3ubuntu0.18) ...
  Setting up libbind9-90 (1:9.9.5.dfsg-3ubuntu0.18) ...
  Setting up liblwres90 (1:9.9.5.dfsg-3ubuntu0.18) ...
  Setting up bind9-host (1:9.9.5.dfsg-3ubuntu0.18) ...
  Setting up dnsutils (1:9.9.5.dfsg-3ubuntu0.18) ...
  Setting up libgs9-common (9.10~dfsg-0ubuntu10.13) ...
  Setting up libgs9 (9.10~dfsg-0ubuntu10.13) ...
  Setting up ghostscript (9.10~dfsg-0ubuntu10.13) ...
  Setting up ghostscript-x (9.10~dfsg-0ubuntu10.13) ... 

  
  Description:  Ubuntu 14.04.5 LTS
  Release:  14.04

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ghostscript/+bug/1793742/+subscriptions



[Group.of.nepali.translators] [Bug 1793485] Re: segfault in png to gif conversion

2018-09-21 Thread Marc Deslauriers
Thanks for reporting this issue. Looks like we're possibly missing a
couple of commits:

https://github.com/ImageMagick/ImageMagick6/commit/e5e87c087ed48db886be0ff3aff4041d38218192
https://github.com/ImageMagick/ImageMagick6/commit/f5d04fc678f67984a1f8c1008dc8eac8ee7e3629

I'll prepare a regression fix.


** Also affects: imagemagick (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Also affects: imagemagick (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Also affects: imagemagick (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Changed in: imagemagick (Ubuntu Bionic)
   Status: New => Fix Released

** Changed in: imagemagick (Ubuntu)
   Status: New => Fix Released

** Changed in: imagemagick (Ubuntu Trusty)
   Status: New => In Progress

** Changed in: imagemagick (Ubuntu Xenial)
   Status: New => In Progress

** Changed in: imagemagick (Ubuntu Trusty)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: imagemagick (Ubuntu Xenial)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: imagemagick (Ubuntu Bionic)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Information type changed from Public to Public Security

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1793485

Title:
  segfault in png to gif conversion

Status in imagemagick package in Ubuntu:
  Fix Released
Status in imagemagick source package in Trusty:
  In Progress
Status in imagemagick source package in Xenial:
  In Progress
Status in imagemagick source package in Bionic:
  Fix Released

Bug description:
  Regression between 8:6.8.9.9-7ubuntu5.9 and 8:6.8.9.9-7ubuntu5.12.

  Test case:
  1. Download the attached pngs.
  2. Run:
  /usr/bin/convert -limit memory 512MiB -limit map 0MiB -limit file 10 -delay 16 -loop 0 -coalesce -deconstruct ./*.png ./output.gif

  Expected result:
  Process finishes with resulting output.gif.

  Actual result:
  Process is aborted with SIGSEGV:

  Other information:
  In my tests, it looks like it has been introduced in 8:6.8.9.9-7ubuntu5.11 and does not occur on Bionic.

  Stack trace:
  #0  EncodeImage (image_info=0x645c40, data_size=, 
  image=0x636890) at ../../coders/gif.c:676
  #1  WriteGIFImage (image_info=0x640700, image=0x636890)
  at ../../coders/gif.c:1905
  #2  0x779a5f0f in WriteImage (image_info=image_info@entry=0x618680, 
  image=image@entry=0x62cb30) at ../../magick/constitute.c:1184
  #3  0x779a684f in WriteImages (image_info=image_info@entry=0x60fcd0, 
  images=, images@entry=0x62cb30, filename=, 
  exception=exception@entry=0x602ea0) at ../../magick/constitute.c:1335
  #4  0x7763e84e in ConvertImageCommand (image_info=0x60fcd0, argc=19, 
  argv=0x6143b0, metadata=0x0, exception=0x602ea0)
  at ../../wand/convert.c:3215
  #5  0x776ab527 in MagickCommandGenesis (
  image_info=image_info@entry=0x60aab0, 
  command=0x4007f0 , argc=argc@entry=19, 
  argv=argv@entry=0x7fffdc68, metadata=metadata@entry=0x0, 
  exception=exception@entry=0x602ea0) at ../../wand/mogrify.c:168
  #6  0x00400877 in ConvertMain (argv=0x7fffdc68, argc=19)
  at ../../utilities/convert.c:81
  #7  main (argc=19, argv=0x7fffdc68) at ../../utilities/convert.c:92

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1793485/+subscriptions



[Group.of.nepali.translators] [Bug 1793742] Re: xdvi stops showing emedded figures after updating ghostscript

2018-09-21 Thread Marc Deslauriers
Thanks for reporting this issue. It looks like upstream reverted a
change in later releases.

http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=19ebb5f1f497b6f2d50fe13d17d3e627dfb6c868

I'll prepare a regression fix soon.

** Also affects: ghostscript (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Also affects: ghostscript (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Also affects: ghostscript (Ubuntu Cosmic)
   Importance: Undecided
   Status: New

** Also affects: ghostscript (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Changed in: ghostscript (Ubuntu Cosmic)
   Status: New => Fix Released

** Changed in: ghostscript (Ubuntu Trusty)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: ghostscript (Ubuntu Xenial)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: ghostscript (Ubuntu Bionic)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: ghostscript (Ubuntu Trusty)
   Status: New => Confirmed

** Changed in: ghostscript (Ubuntu Xenial)
   Status: New => Confirmed

** Changed in: ghostscript (Ubuntu Trusty)
   Status: Confirmed => In Progress

** Changed in: ghostscript (Ubuntu Xenial)
   Status: Confirmed => In Progress

** Changed in: ghostscript (Ubuntu Bionic)
   Status: New => In Progress

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1793742

Title:
  xdvi stops showing emedded figures after updating ghostscript

Status in ghostscript package in Ubuntu:
  Fix Released
Status in ghostscript source package in Trusty:
  In Progress
Status in ghostscript source package in Xenial:
  In Progress
Status in ghostscript source package in Bionic:
  In Progress
Status in ghostscript source package in Cosmic:
  Fix Released


[Group.of.nepali.translators] [Bug 1782031] Re: [SRU][xenial] Enable SCE option and systemd probe in libopenscap8

2018-08-21 Thread Marc Deslauriers
** Also affects: openscap (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Also affects: openscap (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Changed in: openscap (Ubuntu Bionic)
   Status: New => Fix Released

** Changed in: openscap (Ubuntu)
   Status: Confirmed => Fix Released

** Changed in: openscap (Ubuntu Xenial)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1782031

Title:
  [SRU][xenial] Enable SCE option and systemd probe in libopenscap8

Status in openscap package in Ubuntu:
  Fix Released
Status in openscap source package in Xenial:
  Confirmed
Status in openscap source package in Bionic:
  Fix Released
Status in openscap package in Debian:
  Fix Released

Bug description:
  [Impact]

  Canonical security certification team is automating Ubuntu specific
  security hardening guides using Security Content Automation Protocol
  (SCAP). SCAP requires Open Vulnerability and Assessment Language
  (xccdf and xml) to implement SCAP content.

  The openSCAP implementation processes SCAP content, but has been
  extended to also process python and bash scripts via a Script Check
  Engine (SCE). This ability to process bash and python scripts is
  needed because OVAL is somewhat limited in what it can do. We have had
  to write a few python and bash scripts.

  SCE is not enabled by default, and will require the addition of the
  "--enable-sce" option in the "debian/rules" file to turn it on.

  There are security hardening rules for systemd. There is also OVAL
  schema implemented as "probes" in openSCAP. The systemd probe to be
  enabled requires libdbus-1-dev during build. This would be set in the
  debian/control file.

  The attached patch has all the necessary code change.

  These 2 changes were made in more current versions of libopenscap8 in
  Debian as indicated above. As a result, Artful, Bionic and Cosmic also
  have these changes. The automation we are working on is required for
  Xenial though.

  [Test Case]

  1. Run the command "oscap --v"; you should see the following with the SCE
  option enabled:

  Capabilities added by auto-loaded plugins 
 SCE Version: 1.0 (from libopenscap_sce.so.8)

  without the SCE option enabled, the list of plugins is empty.

  Also, you should see under "Supported OVAL objects and associated
  OpenSCAP probes":

  systemdunitproperty      probe_systemdunitproperty
  systemdunitdependency    probe_systemdunitdependency

  
  2. The second test case requires running our SCAP content and verifying that those rules using scripts are run and those rules using systemd probes are run.

  
  [Regression Potential]

  The regression potential should be small. The changes proposed enables
  new functionality that is already included in the source package, and
  does not change the behavior of existing functionality.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openscap/+bug/1782031/+subscriptions



[Group.of.nepali.translators] [Bug 1721129] Re: Version 2017072601 is needed as it include the upcoming root KSK

2018-07-05 Thread Marc Deslauriers
** Also affects: dns-root-data (Ubuntu Artful)
   Importance: Undecided
   Status: New

** Also affects: dns-root-data (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: dns-root-data (Ubuntu Cosmic)
   Importance: Undecided
   Status: Confirmed

** Also affects: dns-root-data (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Changed in: dns-root-data (Ubuntu Cosmic)
   Status: Confirmed => Fix Released

** Changed in: dns-root-data (Ubuntu Bionic)
   Status: New => Fix Committed

** Changed in: dns-root-data (Ubuntu Bionic)
   Status: Fix Committed => Fix Released

** Changed in: dns-root-data (Ubuntu Artful)
   Status: New => Fix Released

** Changed in: dns-root-data (Ubuntu Xenial)
   Status: New => Confirmed

** Changed in: dns-root-data (Ubuntu Xenial)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

https://bugs.launchpad.net/bugs/1721129

Title:
  Version 2017072601 is needed as it include the upcoming root KSK

Status in dns-root-data package in Ubuntu:
  Fix Released
Status in dns-root-data source package in Xenial:
  Confirmed
Status in dns-root-data source package in Artful:
  Fix Released
Status in dns-root-data source package in Bionic:
  Fix Released
Status in dns-root-data source package in Cosmic:
  Fix Released

Bug description:
  Version 2017072601 should be SRU'ed from Artful to Xenial and Zesty.
  This will bring the upcoming root KSK (in VALID state) which is
  required for new installs of other packages (like Unbound) that happen
  after September 11.

  See https://unbound.net/root-11sep-11oct.html for details.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dns-root-data/+bug/1721129/+subscriptions



[Group.of.nepali.translators] [Bug 1663281] Re: opendir("ssh2.sftp://..") fails after upgrade to 7.0.13 from xenial-updates

2018-04-27 Thread Marc Deslauriers
For php5 code:
http://git.php.net/?p=pecl/networking/ssh2.git;a=commit;h=093906ec1c065e86ad1cd4dabbc89b1ccae11938

For php7 code:
http://git.php.net/?p=pecl/networking/ssh2.git;a=commit;h=17680cf039f0cfac53b5a2531fdb715b95e9cc42
http://git.php.net/?p=pecl/networking/ssh2.git;a=commit;h=756e2f1369f2d5ff006222d978806f4fd91659e1


** Also affects: php-ssh2 (Ubuntu Precise)
   Importance: Undecided
   Status: New

** Also affects: php-ssh2 (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: php-ssh2 (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Also affects: php-ssh2 (Ubuntu Bionic)
   Importance: Undecided
   Status: Confirmed

** Also affects: php-ssh2 (Ubuntu Artful)
   Importance: Undecided
   Status: New

** Changed in: php-ssh2 (Ubuntu Precise)
   Status: New => Confirmed

** Changed in: php-ssh2 (Ubuntu Trusty)
   Status: New => Confirmed

** Changed in: php-ssh2 (Ubuntu Xenial)
   Status: New => Confirmed

** Changed in: php-ssh2 (Ubuntu Artful)
   Status: New => Fix Released

** Changed in: php-ssh2 (Ubuntu Bionic)
   Status: Confirmed => Fix Released

** Changed in: php-ssh2 (Ubuntu Precise)
 Assignee: (unassigned) => Leonidas S. Barbosa (leosilvab)

** Changed in: php-ssh2 (Ubuntu Trusty)
 Assignee: (unassigned) => Leonidas S. Barbosa (leosilvab)

** Changed in: php-ssh2 (Ubuntu Xenial)
 Assignee: (unassigned) => Leonidas S. Barbosa (leosilvab)

https://bugs.launchpad.net/bugs/1663281

Title:
  opendir("ssh2.sftp://..") fails after upgrade to 7.0.13 from
  xenial-updates

Status in php-ssh2 package in Ubuntu:
  Fix Released
Status in php-ssh2 source package in Precise:
  Confirmed
Status in php-ssh2 source package in Trusty:
  Confirmed
Status in php-ssh2 source package in Xenial:
  Confirmed
Status in php-ssh2 source package in Artful:
  Fix Released
Status in php-ssh2 source package in Bionic:
  Fix Released

Bug description:
  opendir() for a "ssh2.sftp://.."-style url fails after upgrade to php
  7.0.13 from xenial-updates.

  This is a known bug fixed upstream in php-ssh2, commit
  17680cf039f0cfac53b5a2531fdb715b95e9cc42.

  I've rebuilt the package locally using the attached patch.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/php-ssh2/+bug/1663281/+subscriptions



[Group.of.nepali.translators] [Bug 1697785] Re: Update to 2.8.14 in Xenial

2018-04-12 Thread Marc Deslauriers
ACK on the debdiff in comment #3. Package is being released now.

Thanks!

** Also affects: ffmpeg (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Changed in: ffmpeg (Ubuntu)
   Status: Confirmed => Invalid

** Changed in: ffmpeg (Ubuntu Xenial)
   Status: New => Fix Committed

https://bugs.launchpad.net/bugs/1697785

Title:
  Update to 2.8.14 in Xenial

Status in ffmpeg package in Ubuntu:
  Invalid
Status in ffmpeg source package in Xenial:
  Fix Released

Bug description:
  
https://git.ffmpeg.org/gitweb/ffmpeg.git/blob/refs/heads/release/2.8:/Changelog

  version 2.8.13:
  - avformat/mxfdec: Fix Sign error in mxf_read_primer_pack()
  - avformat/mxfdec: Fix DoS issues in mxf_read_index_entry_array()
  - avformat/nsvdec: Fix DoS due to lack of eof check in nsvs_file_offset loop.
  - avcodec/snowdec: Fix integer overflow in decode_subband_slice_buffered()
  - avcodec/hevc_ps: Fix undefined shift in pcm code
  - avcodec/sbrdsp_fixed: Fix undefined overflows in autocorrelate()
  - avformat/mvdec: Fix DoS due to lack of eof check
  - avformat/rl2: Fix DoS due to lack of eof check
  - avformat/cinedec: Fix DoS due to lack of eof check
  - avformat/asfdec: Fix DoS due to lack of eof check
  - avformat/hls: Fix DoS due to infinite loop
  - ffprobe: Fix NULL pointer handling in color parameter printing
  - ffprobe: Fix null pointer dereference with color primaries
  - avcodec/hevc_ps: Check delta_pocs in ff_hevc_decode_short_term_rps()
  - avformat/aviobuf: Fix signed integer overflow in avio_seek()
  - avformat/mov: Fix signed integer overflows with total_size
  - avcodec/aacdec_template: Fix running cleanup in decode_ics_info()
  - avcodec/me_cmp: Fix crashes on ARM due to misalignment
  - avcodec/fic: Fixes signed integer overflow
  - avcodec/snowdec: Fix off by 1 error
  - avcodec/diracdec: Check perspective_exp and zrs_exp.
  - avcodec/mpeg4videodec: Clear mcsel before decoding an image
  - avcodec/dirac_dwt: Fixes integer overflows in COMPOSE_DAUB97*
  - avcodec/aacdec_fixed: fix invalid shift in predict()
  - avcodec/h264_slice: Fix overflow in slice offset
  - avformat/utils: fix memory leak in avformat_free_context
  - avcodec/dirac_dwt: Fix multiple integer overflows in COMPOSE_DD97iH0()
  - avcodec/diracdec: Fix integer overflow in divide3()
  - avcodec/takdec: Fix integer overflow in decode_subframe()
  - avformat/rtmppkt: Convert ff_amf_get_field_value() to bytestream2
  - avformat/rtmppkt: Convert ff_amf_tag_size() to bytestream2
  - avcodec/hevc_ps: fix integer overflow in log2_parallel_merge_level_minus2
  - avformat/oggparsecelt: Do not re-allocate os->private
  - avcodec/aacps: Fix multiple integer overflow in map_val_34_to_20()
  - avcodec/aacdec_fixed: fix: left shift of negative value -1
  - doc/filters: typo in frei0r
  - avcodec/aacdec_template (fixed point): Check gain in decode_cce() to avoid undefined shifts later
  - avcodec/mjpegdec: Clip DC also on the negative side.
  - avcodec/aacps (fixed point): Fix multiple signed integer overflows
  - avcodec/sbrdsp_fixed: Fix integer overflow in sbr_hf_apply_noise()
  - avcodec/wavpack: Fix invalid shift
  - avcodec/hevc_ps: Fix integer overflow with beta/tc offsets
  - avcodec/vb: Check vertical GMC component before multiply
  - avcodec/jpeg2000dwt: Fix integer overflow in dwt_decode97_int()
  - avcodec/apedec: Fix integer overflow
  - avcodec/wavpack: Fix integer overflow in wv_unpack_stereo()
  - avcodec/mpeg4videodec: Fix GMC with videos of dimension 1
  - avcodec/wavpack: Fix integer overflow
  - avcodec/takdec: Fix integer overflow
  - avcodec/tiff: Update pointer only when the result is used
  - avcodec/hevc_filter: Fix invalid shift
  - avcodec/mpeg4videodec: Fix overflow in virtual_ref computation
  - avcodec/wavpack: Fix undefined integer negation
  - avcodec/aacdec_fixed: Check s for being too small
  - avcodec/h264: Fix mix of lossless and lossy MBs decoding
  - avcodec/h264_mb: Fix 8x8dct in lossless for new versions of x264
  - avcodec/h264_cabac: Fix CABAC+8x8dct in 4:4:4
  - avcodec/takdec: Fixes: integer overflow in AV_SAMPLE_FMT_U8P output
  - avcodec/jpeg2000dsp: Reorder operations in ict_int() to avoid 2 integer overflows
  - avcodec/hevcpred_template: Fix left shift of negative value
  - avcodec/hevcdec: Fix signed integer overflow in decode_lt_rps()
  - avcodec/jpeg2000dec: Check nonzerobits more completely
  - avcodec/shorten: Sanity check maxnlpc
  - avcodec/jpeg2000: Fixes integer overflow in ff_jpeg2000_ceildivpow2()
  - avcodec/hevcdec: Check nb_sps
  - avcodec/hevc_refs: Check nb_refs in add_candidate_ref()
  - avcodec/mpeg4videodec: Check sprite delta upshift against overflowing.
  - avcodec/mpeg4videodec: Fix integer overflow in num_sprite_warping_points=2 case
  - avcodec/aacsbr_fixed: Check shift in sbr_hf_assemble()
 

[Group.of.nepali.translators] [Bug 1761289] [NEW] WSA-2018-0003 security update

2018-04-04 Thread Marc Deslauriers
*** This bug is a security vulnerability ***

Public security bug reported:

https://webkitgtk.org/security/WSA-2018-0003.html

We need to update webkit2gtk to 2.20.

** Affects: webkit2gtk (Ubuntu)
 Importance: Undecided
 Status: Fix Released

** Affects: webkit2gtk (Ubuntu Xenial)
 Importance: Medium
 Status: Confirmed

** Affects: webkit2gtk (Ubuntu Artful)
 Importance: Medium
 Status: Confirmed

** Affects: webkit2gtk (Ubuntu Bionic)
 Importance: Undecided
 Status: Fix Released

** Also affects: webkit2gtk (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: webkit2gtk (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Also affects: webkit2gtk (Ubuntu Artful)
   Importance: Undecided
   Status: New

** Changed in: webkit2gtk (Ubuntu Bionic)
   Status: New => Fix Released

** Changed in: webkit2gtk (Ubuntu Artful)
   Status: New => Confirmed

** Changed in: webkit2gtk (Ubuntu Xenial)
   Status: New => Confirmed

** Changed in: webkit2gtk (Ubuntu Xenial)
   Importance: Undecided => Medium

** Changed in: webkit2gtk (Ubuntu Artful)
   Importance: Undecided => Medium

https://bugs.launchpad.net/bugs/1761289

Title:
  WSA-2018-0003 security update

Status in webkit2gtk package in Ubuntu:
  Fix Released
Status in webkit2gtk source package in Xenial:
  Confirmed
Status in webkit2gtk source package in Artful:
  Confirmed
Status in webkit2gtk source package in Bionic:
  Fix Released

Bug description:
  https://webkitgtk.org/security/WSA-2018-0003.html

  We need to update webkit2gtk to 2.20.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/webkit2gtk/+bug/1761289/+subscriptions



[Group.of.nepali.translators] [Bug 1752591] Re: CVE-2017-7651 and CVE-2017-7652

2018-03-16 Thread Marc Deslauriers
ACK on the debdiffs in comments #2 and #3. I added the bug number to the
changelog and adjusted the artful versioning.

Packages are building now and will be released as security updates
today.

Thanks!

** Also affects: mosquitto (Ubuntu Bionic)
   Importance: Undecided
   Status: Confirmed

** Also affects: mosquitto (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: mosquitto (Ubuntu Artful)
   Importance: Undecided
   Status: New

** Changed in: mosquitto (Ubuntu Bionic)
   Status: Confirmed => Fix Released

** Changed in: mosquitto (Ubuntu Xenial)
   Status: New => Fix Committed

** Changed in: mosquitto (Ubuntu Artful)
   Status: New => Fix Committed

https://bugs.launchpad.net/bugs/1752591

Title:
  CVE-2017-7651 and CVE-2017-7652

Status in mosquitto package in Ubuntu:
  Fix Released
Status in mosquitto source package in Xenial:
  Fix Committed
Status in mosquitto source package in Artful:
  Fix Committed
Status in mosquitto source package in Bionic:
  Fix Released

Bug description:
  The current available version of mosquitto packaged in Ubuntu (for all
  versions) is vulnerable to 2 CVEs announced recently, including one
  for a potential DoS attack from unauthorized users. More details on
  this can be found at:
  https://mosquitto.org/blog/2018/02/security-advisory-cve-2017-7651-cve-2017-7652/
  which includes links to patches for the CVEs. Or we can just update
  to 1.4.15 which should be backwards compatible.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mosquitto/+bug/1752591/+subscriptions



[Group.of.nepali.translators] [Bug 1752761] Re: Regression in vga handling ubuntu10.21 to ubuntu10.22

2018-03-04 Thread Marc Deslauriers
** Also affects: qemu (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: qemu (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Changed in: qemu (Ubuntu Trusty)
   Status: New => In Progress

** Changed in: qemu (Ubuntu Xenial)
   Status: New => In Progress

** Changed in: qemu (Ubuntu Trusty)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: qemu (Ubuntu Xenial)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: qemu (Ubuntu)
   Status: New => Invalid

** Changed in: qemu (Ubuntu Trusty)
   Importance: Undecided => High

** Changed in: qemu (Ubuntu Xenial)
   Importance: Undecided => High

https://bugs.launchpad.net/bugs/1752761

Title:
  Regression in vga handling ubuntu10.21 to ubuntu10.22

Status in qemu package in Ubuntu:
  Invalid
Status in qemu source package in Trusty:
  In Progress
Status in qemu source package in Xenial:
  In Progress

Bug description:
  Hi,

  Corporate environment, Windows XenU platforms, using QEMU HVM
  (qemu-system-x86) on multiple Ubuntu Xen0 platforms.  Established stable
  production environment (for > 1-5 years), Ubuntu and Windows nodes
  getting latest patches etc.  Dell R6XX series server hardware.

  After updates from mainline: 1:2.5+dfsg-5ubuntu10 to
  1:2.5+dfsg-5ubuntu10.22 a reboot of XenU VMs is very slow, with
  repeated BlueScreening.

  Windows Server 2012, does come up after 4+ minutes booting.

  
  Windows Server 2008R8, Windows 7 Pro, Windows 10 Pro VMs fail to boot
  with blue screen "framebuf" STOP.  (PNG available).

  Boot to safe mode (very slow ~ 4mins to login screen) and remove video
  drivers, reboot succeeds, windows drivers auto updated, reboot fails.

  
  Testing completed on Windows Server 2008R8 images including migration of
  VM Disk devices to other Dell rack servers:

  o Xenial Xen0 server - Same issues
  o Trusty Xen0 server - Same issues
  o Precise Xen0 server - Fast boot / no issues

  On Xenial systems, downgrading qemu-system-x86 to version
  1:2.5+dfsg-5ubuntu10 reverts to previous performance / stability
  (~25 secs to loginscreen) = all good.

  Tested PPA versions of qemu-system-x86 with local dpkg installs,
  version ubuntu10.21 works fine,  ubuntu10.22 fails. Proposed
  ubuntu10.23 also fails.

  
  QEMU Command line used (unchanged between good and bad observations):

  /usr/bin/qemu-system-i386 
  -xen-domid 9 
  -chardev socket,id=libxl-cmd,path=/var/run/xen/qmp-libxl-9,server,nowait 
  -no-shutdown 
  -mon chardev=libxl-cmd,mode=control 
  -chardev socket,id=libxenstat-cmd,path=/var/run/xen/qmp-libxenstat-9,server,nowait 
  -mon chardev=libxenstat-cmd,mode=control 
  -nodefaults 
  -name HOSTNAME 
  -vnc :,to=99 
  -display none 
  -serial pty 
  -device cirrus-vga,vgamem_mb=8 
  -boot order=c 
  -usb 
  -usbdevice tablet 
  -smp 2,maxcpus=2 
  -device rtl8139,id=nic0,netdev=net0,mac=XX:XX:XX:XX:XX:XX
  -netdev type=tap,id=net0,ifname=vif9.0-emu,script=no,downscript=no 
  -machine xenfv 
  -m 6992 
  -drive file=/dev/VG-xen/HOSTNAME-disk,if=ide,index=0,media=disk,format=raw,cache=writeback

  
  Xen CFG:
  name = ''
  builder = 'hvm'
  memory = 7000
  vcpus=2
  shadow_memory = 8
  acpi=1
  vif = ['type=ioemu, bridge=xenbr0']
  disk = [ 'phy:/dev/VG-xen/HOSTNMAE-disk,hda,w']
  boot='c'
  usbdevice='tablet'
  vnc=1
  vncdisplay=
  vnclisten=''
  vncconsole=1
  serial='pty'
  on_poweroff = 'destroy'
  on_reboot   = 'restart'
  on_crash= 'restart'

  
  Xen GPL gplpv_Vista2008x64_0.11.0.373.msi drivers being used
  (https://wiki.univention.de/index.php/Installing-signed-GPLPV-drivers)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/qemu/+bug/1752761/+subscriptions



[Group.of.nepali.translators] [Bug 1745635] Re: Security release 0.99.3 available (CVE-2017-12374 CVE-2017-12375 CVE-2017-12376 CVE-2017-12377 CVE-2017-12378 CVE-2017-12379 CVE-2017-12380)

2018-02-16 Thread Marc Deslauriers
** Changed in: clamav (Ubuntu Precise)
   Status: Confirmed => Fix Released

** Changed in: clamav (Ubuntu Bionic)
   Status: Confirmed => Fix Released

https://bugs.launchpad.net/bugs/1745635

Title:
  Security release 0.99.3 available (CVE-2017-12374 CVE-2017-12375
  CVE-2017-12376 CVE-2017-12377 CVE-2017-12378 CVE-2017-12379
  CVE-2017-12380)

Status in clamav package in Ubuntu:
  Fix Released
Status in clamav source package in Precise:
  Fix Released
Status in clamav source package in Trusty:
  Fix Released
Status in clamav source package in Xenial:
  Fix Released
Status in clamav source package in Artful:
  Fix Released
Status in clamav source package in Bionic:
  Fix Released
Status in clamav package in Debian:
  Fix Released
Status in clamav package in Fedora:
  Fix Committed
Status in clamav package in Suse:
  Fix Released

Bug description:
  Please upgrade clamav to 0.99.3 in Ubuntu LTS to fix critical security
  vulnerabilities
  http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html

  CVE-2017-12374
  1. ClamAV UAF (use-after-free) Vulnerabilities

  The ClamAV AntiVirus software versions 0.99.2 and prior contain a
  vulnerability that could allow an unauthenticated, remote attacker to
  cause a denial of service (DoS) condition on an affected device.

  The vulnerability is due to a lack of input validation checking
  mechanisms during certain mail parsing operations. If successfully
  exploited, the ClamAV software could allow a variable pointing to the
  mail body which could cause a used after being free (use-after-free)
  instance which may lead to a disruption of services on an affected
  device to include a denial of service condition.

  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  https://bugzilla.clamav.net/show_bug.cgi?id=11939

  CVE-2017-12375
  2. ClamAV Buffer Overflow Vulnerability

  The ClamAV AntiVirus software versions 0.99.2 and prior contain a
  vulnerability that could allow an unauthenticated, remote attacker to
  cause a denial of service (DoS) condition on an affected device.

  The vulnerability is due to a lack of input validation checking
  mechanisms during certain mail parsing functions. An unauthenticated,
  remote attacker could exploit this vulnerability by sending a crafted
  email to the affected device. This action could cause a buffer
  overflow condition when ClamAV scans the malicious email, allowing the
  attacker to potentially cause a DoS condition on an affected device.

  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  https://bugzilla.clamav.net/show_bug.cgi?id=11940

  CVE-2017-12376
  3. ClamAV Buffer Overflow in handle_pdfname Vulnerability

  ClamAV AntiVirus software versions 0.99.2 and prior contain a
  vulnerability that could allow an unauthenticated, remote attacker to
  cause a denial of service (DoS) condition or potentially execute
  arbitrary code on an affected device.

  The vulnerability is due to improper input validation checking
  mechanisms when handling Portable Document Format (.pdf) files sent to
  an affected device. An unauthenticated, remote attacker could exploit
  this vulnerability by sending a crafted .pdf file to an affected
  device. This action could cause a buffer overflow when ClamAV scans
  the malicious file, allowing the attacker to cause a DoS condition or
  potentially execute arbitrary code.

  https://bugzilla.clamav.net/show_bug.cgi?id=11942
  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

  CVE-2017-12377
  4. ClamAV Mew Packet Heap Overflow Vulnerability

  ClamAV AntiVirus software versions 0.99.2 and prior contain a
  vulnerability that could allow an unauthenticated, remote attacker to
  cause a denial of service (DoS) condition or potentially execute
  arbitrary code on an affected device.

  The vulnerability is due to improper input validation checking
  mechanisms in mew packet files sent to an affected device. A
  successful exploit could cause a heap overflow condition when ClamAV
  scans the malicious file, allowing the attacker to cause a DoS
  condition or potentially execute arbitrary code on the affected
  device.

  https://bugzilla.clamav.net/show_bug.cgi?id=11943
  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

  CVE-2017-12378
  5. ClamAV Buffer Over Read Vulnerability

  ClamAV AntiVirus software versions 0.99.2 and prior contain a
  vulnerability that could allow an unauthenticated, remote attacker to
  cause a denial of service (DoS) condition on an affected device.

  The vulnerability is due to improper input validation checking
  mechanisms of .tar (Tape Archive) files sent to an affected device. A
  successful exploit could cause a buffer over-read condition when
  ClamAV scans the malicious .tar file, potentially allowing the
  attacker to cause a DoS condition on the affected device.

  

[Group.of.nepali.translators] [Bug 1748310] Re: [SRU][xenial]boot stalls looking for entropy in FIPS mode

2018-02-13 Thread Marc Deslauriers
** Also affects: libgcrypt20 (Ubuntu Xenial)
   Importance: Undecided
   Status: New

https://bugs.launchpad.net/bugs/1748310

Title:
  [SRU][xenial]boot stalls looking for entropy in FIPS mode

Status in libgcrypt20 package in Ubuntu:
  New
Status in libgcrypt20 source package in Xenial:
  New

Bug description:
  [IMPACT]
  libgcrypt20 is not a FIPS certified library. On a machine running FIPS
  enabled kernel, the library by default goes into FIPS mode if
  /proc/sys/crypto/fips_enabled=1. FIPS mode is not a configurable compile
  option currently in the library. Hence FIPS code paths are always executed
  on a FIPS enabled machine. In FIPS mode, it runs self tests and integrity
  checks and it looks for quality entropy from /dev/random.

  On encrypted installations, cryptsetup uses libgcrypt20. During boot
  on an encrypted machine running in FIPS mode, cryptsetup invokes
  libgcrypt and it stalls looking for quality entropy from /dev/random.
  This results in significant delays during startup. The issue was
  reported by a FIPS customer.

  This issue impacts xenial's version of libgcrypt. In later version of
  libgcrypt in Bionic, the entropy device is a global configurable
  option via /etc/gcrypt/random.conf config file. The config setting
  "only-urandom" can be used to set the entropy device to /dev/urandom
  globally in libgcrypt.

  lsb_release -rd
  Description:  Ubuntu 16.04.3 LTS
  Release:  16.04

  version - 1.6.5-2ubuntu0.3

  [FIX]
  Get entropy from /dev/urandom device in FIPS mode. This does not block.

  [TEST]
  Tested on a VM installed with xenial desktop iso and one with xenial server
  iso. Enabled full disk encryption during install. Tested with and without
  FIPS. No delays were observed during boot after the fix patch was applied.

  With FIPS enabled on encrypted install, without the patch fix, the
  boot stalls before and after prompting for decryption password.

  [REGRESSION POTENTIAL]
  The regression potential for this is small. This patch does not take away
  current functionality. It changes the entropy device in FIPS mode to
  /dev/urandom to get faster entropy.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libgcrypt20/+bug/1748310/+subscriptions



[Group.of.nepali.translators] [Bug 1743762] Re: Security bug in XMLTooling-C before 1.6.3 [CVE-2018-0486]

2018-02-05 Thread Marc Deslauriers
I am unsubscribing ubuntu-security-sponsors for now since there is no
artful debdiff to review. Please subscribe ubuntu-security-sponsors
again once an appropriate debdiff is available. Thanks!

** Changed in: xmltooling (Ubuntu Bionic)
   Status: Triaged => Fix Released

https://bugs.launchpad.net/bugs/1743762

Title:
  Security bug in XMLTooling-C before 1.6.3 [CVE-2018-0486]

Status in xmltooling package in Ubuntu:
  Fix Released
Status in xmltooling source package in Trusty:
  Fix Released
Status in xmltooling source package in Xenial:
  Fix Released
Status in xmltooling source package in Artful:
  Triaged
Status in xmltooling source package in Bionic:
  Fix Released

Bug description:
  From the Debian bug report at
  https://www.debian.org/security/2018/dsa-4085:

  Philip Huppert discovered the Shibboleth service provider is
  vulnerable to impersonation attacks and information disclosure due to
  mishandling of DTDs in the XMLTooling XML parsing library. For
  additional details please refer to the upstream advisory at
  https://shibboleth.net/community/advisories/secadv_20180112.txt

  For the oldstable distribution (jessie), this problem has been
  fixed in version 1.5.3-2+deb8u2.

  The stable distribution (stretch) is not affected.

  We recommend that you upgrade your xmltooling packages.

  For the detailed security status of xmltooling please refer to its
  security tracker page at:
  https://security-tracker.debian.org/tracker/xmltooling

  
  This bug is fixed upstream in Debian.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/xmltooling/+bug/1743762/+subscriptions



[Group.of.nepali.translators] [Bug 1737364] Re: 16.04: Fix CVE-2016-1968 and CVE-2016-1624 for brotli

2018-02-05 Thread Marc Deslauriers
ACK on the debdiff in comment #1. Package is building now and will be
released as a security update. Thanks!

** Also affects: brotli (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Changed in: brotli (Ubuntu)
   Status: New => Fix Released

** Changed in: brotli (Ubuntu Xenial)
   Status: New => Fix Committed

https://bugs.launchpad.net/bugs/1737364

Title:
  16.04: Fix CVE-2016-1968 and CVE-2016-1624 for brotli

Status in brotli package in Ubuntu:
  Fix Released
Status in brotli source package in Xenial:
  Fix Committed

Bug description:
  Impact
  --
  Integer underflow could be targeted as a buffer overflow
  https://security-tracker.debian.org/tracker/source-package/brotli

  Debdiff attached.

  Because brotli is embedded in web browsers for WOFF2 support (to be
  somewhat fixed by the proposed brotli MIR), this issue was already
  mentioned in

  https://usn.ubuntu.com/usn/USN-2917-1/ (Firefox)
  Luke Li discovered a buffer overflow during Brotli decompression in some
  circumstances. If a user were tricked in to opening a specially crafted
  website, an attacker could potentially exploit this to cause a denial of
  service via application crash, or execute arbitrary code with the
  privileges of the user invoking Firefox. (CVE-2016-1968)

  https://usn.ubuntu.com/usn/USN-2895-1/ (Oxide)
  An integer underflow was discovered in Brotli. If a user were tricked in
  to opening a specially crafted website, an attacker could potentially
  exploit this to cause a denial of service via application crash, or
  execute arbitrary code with the privileges of the user invoking the
  program. (CVE-2016-1624)

  Regression Potential
  
  This update was published in Debian unstable/testing as 0.3.0+dfsg-3 from
  late March to mid June 2016 when it was superseded by a newer version. The
  Ubuntu security sync tool wasn't able to retrieve this version now.

  brotli has no reverse dependencies in Ubuntu and is in universe.

  Testing Done
  
  Only a simple build test.

  There is a build test to ensure basic functionality of brotli with
  both python2 and python3.

  Other Info
  --
  The main purpose of this security update is to clear up the security
  history section of MIR LP: #1737053.

  It is mentioned in the MIR bug that it is intended for brotli 1.0.2 to
  be backported to Ubuntu 16.04 and 17.10 as a security update (and
  promoted to main there), after 17.04 reaches End of Life.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/brotli/+bug/1737364/+subscriptions



[Group.of.nepali.translators] [Bug 1745635] Re: Security release 0.99.3 available (CVE-2017-12374 CVE-2017-12375 CVE-2017-12376 CVE-2017-12377 CVE-2017-12378 CVE-2017-12379 CVE-2017-12380)

2018-01-30 Thread Marc Deslauriers
These are now published:

https://usn.ubuntu.com/usn/usn-3550-1/

** Changed in: clamav (Ubuntu Trusty)
   Status: Confirmed => Fix Released

** Changed in: clamav (Ubuntu Xenial)
   Status: Confirmed => Fix Released

** Changed in: clamav (Ubuntu Artful)
   Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1745635

Title:
  Security release 0.99.3 available (CVE-2017-12374 CVE-2017-12375
  CVE-2017-12376 CVE-2017-12377 CVE-2017-12378 CVE-2017-12379
  CVE-2017-12380)

Status in clamav package in Ubuntu:
  Confirmed
Status in clamav source package in Precise:
  Confirmed
Status in clamav source package in Trusty:
  Fix Released
Status in clamav source package in Xenial:
  Fix Released
Status in clamav source package in Artful:
  Fix Released
Status in clamav source package in Bionic:
  Confirmed
Status in clamav package in Debian:
  Fix Released
Status in clamav package in Fedora:
  Fix Released
Status in clamav package in Suse:
  Fix Released

Bug description:
  Please upgrade clamav to 0.99.3 in Ubuntu LTS to fix critical security
  vulnerabilities
  http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html

  CVE-2017-12374
  1. ClamAV UAF (use-after-free) Vulnerabilities

  The ClamAV AntiVirus software versions 0.99.2 and prior contain a
  vulnerability that could allow an unauthenticated, remote attacker to
  cause a denial of service (DoS) condition on an affected device.

  The vulnerability is due to a lack of input validation checking
  mechanisms during certain mail parsing operations. If successfully
  exploited, the ClamAV software could allow a variable pointing to the
  mail body which could cause a used after being free (use-after-free)
  instance which may lead to a disruption of services on an affected
  device to include a denial of service condition.

  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  https://bugzilla.clamav.net/show_bug.cgi?id=11939

  CVE-2017-12375
  2. ClamAV Buffer Overflow Vulnerability

  The ClamAV AntiVirus software versions 0.99.2 and prior contain a
  vulnerability that could allow an unauthenticated, remote attacker to
  cause a denial of service (DoS) condition on an affected device.

  The vulnerability is due to a lack of input validation checking
  mechanisms during certain mail parsing functions. An unauthenticated,
  remote attacker could exploit this vulnerability by sending a crafted
  email to the affected device. This action could cause a buffer
  overflow condition when ClamAV scans the malicious email, allowing the
  attacker to potentially cause a DoS condition on an affected device.

  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  https://bugzilla.clamav.net/show_bug.cgi?id=11940

  CVE-2017-12376
  3. ClamAV Buffer Overflow in handle_pdfname Vulnerability

  ClamAV AntiVirus software versions 0.99.2 and prior contain a
  vulnerability that could allow an unauthenticated, remote attacker to
  cause a denial of service (DoS) condition or potentially execute
  arbitrary code on an affected device.

  The vulnerability is due to improper input validation checking
  mechanisms when handling Portable Document Format (.pdf) files sent to
  an affected device. An unauthenticated, remote attacker could exploit
  this vulnerability by sending a crafted .pdf file to an affected
  device. This action could cause a buffer overflow when ClamAV scans
  the malicious file, allowing the attacker to cause a DoS condition or
  potentially execute arbitrary code.

  https://bugzilla.clamav.net/show_bug.cgi?id=11942
  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

  CVE-2017-12377
  4. ClamAV Mew Packet Heap Overflow Vulnerability

  ClamAV AntiVirus software versions 0.99.2 and prior contain a
  vulnerability that could allow an unauthenticated, remote attacker to
  cause a denial of service (DoS) condition or potentially execute
  arbitrary code on an affected device.

  The vulnerability is due to improper input validation checking
  mechanisms in mew packet files sent to an affected device. A
  successful exploit could cause a heap overflow condition when ClamAV
  scans the malicious file, allowing the attacker to cause a DoS
  condition or potentially execute arbitrary code on the affected
  device.

  https://bugzilla.clamav.net/show_bug.cgi?id=11943
  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

  CVE-2017-12378
  5. ClamAV Buffer Over Read Vulnerability

  ClamAV AntiVirus software versions 0.99.2 and prior contain a
  vulnerability that could allow an unauthenticated, remote attacker to
  cause a denial of service (DoS) condition on an affected device.

  The vulnerability is due to improper input validation checking
  mechanisms of .tar (Tape Archive) files sent to an affected device. A
  successful exploit could cause a buffer over-read condition 

[Group.of.nepali.translators] [Bug 1740323] Re: Enigmail should be updated to version 1.9.9 following Cure53 audit

2018-01-22 Thread Marc Deslauriers
I just published updates for this. Thanks.

** Changed in: enigmail (Ubuntu Trusty)
   Status: Confirmed => Fix Released

** Changed in: enigmail (Ubuntu Xenial)
   Status: Confirmed => Fix Released

** Changed in: enigmail (Ubuntu Artful)
   Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1740323

Title:
  Enigmail should be updated to version 1.9.9 following Cure53 audit

Status in enigmail package in Ubuntu:
  Fix Released
Status in enigmail source package in Trusty:
  Fix Released
Status in enigmail source package in Xenial:
  Fix Released
Status in enigmail source package in Artful:
  Fix Released
Status in enigmail source package in Bionic:
  Fix Released

Bug description:
  Enigmail was recently audited by the security firm Cure53. According
  to the Enigmail changelog at
  https://www.enigmail.net/index.php/en/download/changelog regarding
  version 1.9.9, "This release addresses security vulnerabilities
  discovered by Cure53."

  The "enigmail" package in all supported versions of Ubuntu should be
  updated to version 1.9.9.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/enigmail/+bug/1740323/+subscriptions



[Group.of.nepali.translators] [Bug 1742933] Re: Regression in 2018-01-08 updates

2018-01-22 Thread Marc Deslauriers
** Changed in: intel-microcode (Ubuntu Zesty)
   Status: Confirmed => Won't Fix

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1742933

Title:
  Regression in 2018-01-08 updates

Status in intel-microcode package in Ubuntu:
  Confirmed
Status in intel-microcode source package in Trusty:
  Fix Released
Status in intel-microcode source package in Xenial:
  Fix Released
Status in intel-microcode source package in Zesty:
  Won't Fix
Status in intel-microcode source package in Artful:
  Fix Released
Status in intel-microcode source package in Bionic:
  Confirmed
Status in intel-microcode package in Debian:
  New

Bug description:
  There is a regression in the Intel 20180108 microcode updates that is
  causing issues for some devices:

  https://newsroom.intel.com/news/intel-security-issue-update-addressing-reboot-issues/

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/intel-microcode/+bug/1742933/+subscriptions



[Group.of.nepali.translators] [Bug 1740323] Re: Enigmail should be updated to version 1.9.9 following Cure53 audit

2018-01-19 Thread Marc Deslauriers
** Also affects: enigmail (Ubuntu Artful)
   Importance: Undecided
   Status: New

** Also affects: enigmail (Ubuntu Bionic)
   Importance: Undecided
   Status: Incomplete

** Also affects: enigmail (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Also affects: enigmail (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Changed in: enigmail (Ubuntu Bionic)
   Status: Incomplete => Fix Released

** Changed in: enigmail (Ubuntu Trusty)
   Status: New => Confirmed

** Changed in: enigmail (Ubuntu Xenial)
   Status: New => Confirmed

** Changed in: enigmail (Ubuntu Artful)
   Status: New => Confirmed

** Changed in: enigmail (Ubuntu Trusty)
   Importance: Undecided => High

** Changed in: enigmail (Ubuntu Xenial)
   Importance: Undecided => High

** Changed in: enigmail (Ubuntu Artful)
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1740323

Title:
  Enigmail should be updated to version 1.9.9 following Cure53 audit

Status in enigmail package in Ubuntu:
  Fix Released
Status in enigmail source package in Trusty:
  Confirmed
Status in enigmail source package in Xenial:
  Confirmed
Status in enigmail source package in Artful:
  Confirmed
Status in enigmail source package in Bionic:
  Fix Released

Bug description:
  Enigmail was recently audited by the security firm Cure53. According
  to the Enigmail changelog at
  https://www.enigmail.net/index.php/en/download/changelog regarding
  version 1.9.9, "This release addresses security vulnerabilities
  discovered by Cure53."

  The "enigmail" package in all supported versions of Ubuntu should be
  updated to version 1.9.9.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/enigmail/+bug/1740323/+subscriptions



[Group.of.nepali.translators] [Bug 1742364] Re: Updated microcode for Spectre fix

2018-01-11 Thread Marc Deslauriers
Updates have been released:
https://usn.ubuntu.com/usn/usn-3531-1


** Changed in: intel-microcode (Ubuntu Trusty)
   Status: Confirmed => Fix Released

** Changed in: intel-microcode (Ubuntu Xenial)
   Status: Confirmed => Fix Released

** Changed in: intel-microcode (Ubuntu Zesty)
   Status: Confirmed => Fix Released

** Changed in: intel-microcode (Ubuntu Artful)
   Status: Confirmed => Fix Released

** Changed in: intel-microcode (Ubuntu Bionic)
   Status: Triaged => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1742364

Title:
  Updated microcode for Spectre fix

Status in intel:
  New
Status in intel-microcode package in Ubuntu:
  Fix Released
Status in intel-microcode source package in Trusty:
  Fix Released
Status in intel-microcode source package in Xenial:
  Fix Released
Status in intel-microcode source package in Zesty:
  Fix Released
Status in intel-microcode source package in Artful:
  Fix Released
Status in intel-microcode source package in Bionic:
  Fix Released

Bug description:
  Intel have finally released the updated microcode for the Spectre bug.

  See https://downloadcenter.intel.com/download/27431/Linux-Processor-Microcode-Data-File?v=t

  From the release note:
  Intel Processor Microcode Package for Linux
  20180108 Release

  -- Updates upon 20171117 release --
  IVT C0            (06-3e-04:ed) 428->42a
  SKL-U/Y D0        (06-4e-03:c0) ba->c2
  BDW-U/Y E/F       (06-3d-04:c0) 25->28
  HSW-ULT Cx/Dx     (06-45-01:72) 20->21
  Crystalwell Cx    (06-46-01:32) 17->18
  BDW-H E/G         (06-47-01:22) 17->1b
  HSX-EX E0         (06-3f-04:80) 0f->10
  SKL-H/S R0        (06-5e-03:36) ba->c2
  HSW Cx/Dx         (06-3c-03:32) 22->23
  HSX C0            (06-3f-02:6f) 3a->3b
  BDX-DE V0/V1      (06-56-02:10) 0f->14
  BDX-DE V2         (06-56-03:10) 70d->711
  KBL-U/Y H0        (06-8e-09:c0) 62->80
  KBL Y0 / CFL D0   (06-8e-0a:c0) 70->80
  KBL-H/S B0        (06-9e-09:2a) 5e->80
  CFL U0            (06-9e-0a:22) 70->80
  CFL B0            (06-9e-0b:02) 72->80
  SKX H0            (06-55-04:b7) 235->23c
  GLK B0            (06-7a-01:01) 1e->22

  These should be released ASAP since they will be needed for the
  upcoming Spectre fixes in the Kernel.

To manage notifications about this bug go to:
https://bugs.launchpad.net/intel/+bug/1742364/+subscriptions



[Group.of.nepali.translators] [Bug 1717981] Re: Regression in CVE-2017-3142

2017-12-14 Thread Marc Deslauriers
Oh, yeah, that's the same regression. Sorry, I forgot I had opened this
bug. Closing now. Thanks!

** Changed in: bind9 (Ubuntu Trusty)
   Status: New => Fix Released

** Changed in: bind9 (Ubuntu Xenial)
   Status: New => Fix Released

** Changed in: bind9 (Ubuntu Zesty)
   Status: New => Fix Released

** Changed in: bind9 (Ubuntu Artful)
   Status: Fix Committed => Fix Released

** Changed in: bind9 (Ubuntu)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1717981

Title:
  Regression in CVE-2017-3142

Status in bind9 package in Ubuntu:
  Fix Released
Status in bind9 source package in Trusty:
  Fix Released
Status in bind9 source package in Xenial:
  Fix Released
Status in bind9 source package in Zesty:
  Fix Released
Status in bind9 source package in Artful:
  Fix Released
Status in bind9 package in Debian:
  Fix Released

Bug description:
  The CVE-2017-3142 patch included in USN-3346-1 contained a regression.

  See:
  https://lists.isc.org/pipermail/bind-announce/2017-July/001054.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1717981/+subscriptions



[Group.of.nepali.translators] [Bug 1617617] Re: Firewall configuration can be modified by any logged in user

2017-11-02 Thread Marc Deslauriers
@Lucas: you marked the bug as "Fix Released", so it's not appearing on
any lists.

I'll set it back to Confirmed.

** Changed in: firewalld (Ubuntu Xenial)
   Status: Fix Released => Confirmed

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1617617

Title:
  Firewall configuration can be modified by any logged in user

Status in firewalld package in Ubuntu:
  Fix Released
Status in firewalld source package in Xenial:
  Confirmed
Status in firewalld package in Debian:
  Fix Released

Bug description:
  Copying from the Debian bug:

  ---
  The following vulnerability was published for firewalld.

  CVE-2016-5410[0]:
  Firewall configuration can be modified by any logged in user

  If you fix the vulnerability please also make sure to include the
  CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

  For further information see:

  [0] https://security-tracker.debian.org/tracker/CVE-2016-5410
  [1] https://bugzilla.redhat.com/show_bug.cgi?id=1360135
  [2] http://seclists.org/oss-sec/2016/q3/291
  [3] https://github.com/t-woerner/firewalld/commit/0371995a58ec4c777960007b7dbee93933f760cb
  ---

  This only affects firewalld >= 0.3.12 & < 0.4.3.3 (so trusty is not
  affected).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/firewalld/+bug/1617617/+subscriptions



[Group.of.nepali.translators] [Bug 1719851] Re: ca-certificates isn't updated in LTS 16.04

2017-10-02 Thread Marc Deslauriers
The ca-certificates package has been updated for all releases:

https://usn.ubuntu.com/usn/usn-3432-1/

Marking bug as Fix Released. Thanks!

** Changed in: ca-certificates (Ubuntu Trusty)
   Status: New => Fix Released

** Changed in: ca-certificates (Ubuntu Xenial)
   Status: New => Fix Released

** Changed in: ca-certificates (Ubuntu Zesty)
   Status: New => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1719851

Title:
  ca-certificates isn't updated in LTS 16.04

Status in ca-certificates package in Ubuntu:
  Fix Released
Status in ca-certificates source package in Trusty:
  Fix Released
Status in ca-certificates source package in Xenial:
  Fix Released
Status in ca-certificates source package in Zesty:
  Fix Released
Status in ca-certificates source package in Artful:
  Fix Released

Bug description:
  ca-certificates should contain root certificates for new CA from
  Amazon

  They are added in version 20170717, The Artful Aardvark (pre-release freeze).
  But that isn't reflected in zesty, backports or security.

  We recently got a letter from Amazon to update our SSL certs till
  October 25. Would be extremely great if ca-certificates will be
  updated via unattended upgrades in-time.

  Marking as security, because several CAs were removed (compromised?).
  Or maybe there is a reason, why root cert list isn't updated on LTS releases?

  ProblemType: Bug
  DistroRelease: Ubuntu 17.04
  Package: ca-certificates 20161130
  ProcVersionSignature: User Name 4.10.0-21.23-generic 4.10.11
  Uname: Linux 4.10.0-21-generic x86_64
  ApportVersion: 2.20.4-0ubuntu4.5
  Architecture: amd64
  Date: Wed Sep 27 11:10:01 2017
  Ec2AMI: ami-6edd3078
  Ec2AMIManifest: (unknown)
  Ec2AvailabilityZone: us-east-1d
  Ec2InstanceType: m3.medium
  Ec2Kernel: unavailable
  Ec2Ramdisk: unavailable
  PackageArchitecture: all
  SourcePackage: ca-certificates
  UpgradeStatus: Upgraded to zesty on 2017-05-19 (131 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1719851/+subscriptions



[Group.of.nepali.translators] [Bug 1719740] Re: [DSA 3984-1] Git cvsserver OS Command Injection

2017-09-26 Thread Marc Deslauriers
** Also affects: git (Ubuntu Artful)
   Importance: Undecided
   Status: New

** Also affects: git (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Also affects: git (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: git (Ubuntu Zesty)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1719740

Title:
  [DSA 3984-1] Git cvsserver OS Command Injection

Status in git package in Ubuntu:
  In Progress
Status in git source package in Trusty:
  In Progress
Status in git source package in Xenial:
  In Progress
Status in git source package in Zesty:
  In Progress
Status in git source package in Artful:
  In Progress

Bug description:
  From oss-security[1]:

  [ Authors ]
  joernchen   

  Phenoelit Group (http://www.phenoelit.de)

  [ Affected Products ]
  Git before 2.14.2, 2.13.6, 2.12.5, 2.11.4 and 2.10.5 (git-cvsserver)
  https://git-scm.com

  [ Vendor communication ]
  2017-09-08 Sent vulnerability details to the git-security list
  2017-09-09 Acknowledgement of the issue, git maintainers ask if
             a patch could be provided
  2017-09-10 Patch is provided
  2017-09-11 Further backtick operations are patched by the git
             maintainers, corrections on the provided patch
  2017-09-11 Revised patch is sent out
  2017-09-11 Jeff King proposes to drop `git-cvsserver`'s default
             invocation from `git-shell`
  2017-09-22 Draft release for git 2.14.2 is created including the
             fixes
  2017-09-26 Release of this advisory, release of fixed git versions

  [ Description ]
  The `git` subcommand `cvsserver` is a Perl script which makes excessive
  use of the backtick operator to invoke `git`. Unfortunately user input
  is used within some of those invocations.

  It should be noted that `git-cvsserver` will be invoked by `git-shell`
  by default without further configuration.

  [ Example ]
  Below is an example of an OS Command Injection within `git-cvsserver`
  triggered via `git-shell`:

  =8<=
  [git@...t ~]$ cat .ssh/authorized_keys
  command="git-shell -c \"$SSH_ORIGINAL_COMMAND\"" ssh-rsa B3NzaC 

  [joernchen@...t ~]$ ssh git@...alhost cvs server
  Root /tmp
  E /tmp/ does not seem to be a valid GIT repository
  E
  error 1 /tmp/ is not a valid repository
  Directory .
  `id>foo`
  add
  fatal: Not a git repository: '/tmp/'
  Invalid module '`id>foo`' at /usr/lib/git-core/git-cvsserver line 3807, 
 line 4.
  [joernchen@...t ~]$

  [git@...t ~]$ cat foo
  uid=619(git) gid=618(git) groups=618(git)
  [git@...t ~]$
  =>8=

  [ Solution ]
  Upgrade to one of the following git versions:
  * 2.14.2
  * 2.13.6
  * 2.12.5
  * 2.11.4
  * 2.10.5

  [ end of file ]

  ---

  No CVE has been assigned yet, but a fix has been released upstream and
  as seen above, the fixes are already in Debian.

  [1] http://www.openwall.com/lists/oss-security/2017/09/26/9

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/git/+bug/1719740/+subscriptions



[Group.of.nepali.translators] [Bug 1718222] Re: CVE-2017-9375 fix cause qemu crash

2017-09-20 Thread Marc Deslauriers
** Also affects: qemu (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Also affects: qemu (Ubuntu Artful)
   Importance: Undecided
   Status: New

** Also affects: qemu (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: qemu (Ubuntu Zesty)
   Importance: Undecided
   Status: New

** Changed in: qemu (Ubuntu Artful)
   Status: New => Fix Released

** Changed in: qemu (Ubuntu Trusty)
   Status: New => Confirmed

** Changed in: qemu (Ubuntu Xenial)
   Status: New => In Progress

** Changed in: qemu (Ubuntu Trusty)
   Status: Confirmed => In Progress

** Changed in: qemu (Ubuntu Zesty)
   Status: New => In Progress

** Changed in: qemu (Ubuntu Trusty)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: qemu (Ubuntu Xenial)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: qemu (Ubuntu Zesty)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: qemu (Ubuntu Trusty)
   Importance: Undecided => High

** Changed in: qemu (Ubuntu Xenial)
   Importance: Undecided => High

** Changed in: qemu (Ubuntu Zesty)
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1718222

Title:
  CVE-2017-9375 fix cause qemu crash

Status in qemu package in Ubuntu:
  Fix Released
Status in qemu source package in Trusty:
  In Progress
Status in qemu source package in Xenial:
  In Progress
Status in qemu source package in Zesty:
  In Progress
Status in qemu source package in Artful:
  Fix Released
Status in qemu package in Debian:
  Fix Released

Bug description:
  The CVE-2017-9375 fix causes qemu to crash on Ubuntu 17.04 if a USB 3
  controller is selected in virtual machine properties.

  To reproduce this issue:
  1. Install Ubuntu 17.04
  2. Install package ubuntu-virt
  3. Create virtual machine with USB 3 controller
  4. Try to start this virtual machine

  Error message from libvirt log:
  qemu-system-x86_64: /build/qemu-g5EXBU/qemu-2.8+dfsg/hw/usb/hcd-xhci.c:2169: xhci_kick_epctx: Assertion `!epctx->kick_active' failed.

  Workaround:
  Switch controller type to USB 2, but AFAIK this is not applicable if the
  user needs to pass through many USB devices to the guest, or if the user
  actually needs USB 3 speed.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/qemu/+bug/1718222/+subscriptions



[Group.of.nepali.translators] [Bug 1698689] Re: USN-3269-1: partially applies to MariaDB too

2017-08-18 Thread Marc Deslauriers
** Changed in: mariadb-10.1 (Ubuntu Artful)
   Status: New => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1698689

Title:
  USN-3269-1: partially applies to MariaDB too

Status in mariadb-10.0 package in Ubuntu:
  Invalid
Status in mariadb-10.1 package in Ubuntu:
  Fix Released
Status in mariadb-5.5 package in Ubuntu:
  Invalid
Status in mariadb-5.5 source package in Trusty:
  Fix Released
Status in mariadb-10.0 source package in Xenial:
  Fix Released
Status in mariadb-10.0 source package in Yakkety:
  Won't Fix
Status in mariadb-10.1 source package in Zesty:
  Fix Released
Status in mariadb-10.1 source package in Artful:
  Fix Released

Bug description:
  https://www.ubuntu.com/usn/usn-3269-1/

  The security notice above also affects MariaDB and the latest release
  includes fixes.

  I will produce a security release soon and attach more information to this
  bug report for:
   - mariadb-5.5 in Trusty
   - mariadb-10.0 in Xenial and Yakkety
   - mariadb-10.1 in Zesty (Artful can sync from Debian)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mariadb-10.0/+bug/1698689/+subscriptions



[Group.of.nepali.translators] [Bug 1709193] Re: Unable to use TLSv1.1 or 1.2 with OpenSSL compat layer

2017-08-11 Thread Marc Deslauriers
** Also affects: ssmtp (Ubuntu Artful)
   Importance: Undecided
   Status: Invalid

** Also affects: gnutls26 (Ubuntu Artful)
   Importance: Undecided
   Status: New

** Also affects: gnutls28 (Ubuntu Artful)
   Importance: Undecided
   Status: New

** Also affects: ssmtp (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Also affects: gnutls26 (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Also affects: gnutls28 (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Also affects: ssmtp (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: gnutls26 (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: gnutls28 (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: ssmtp (Ubuntu Zesty)
   Importance: Undecided
   Status: New

** Also affects: gnutls26 (Ubuntu Zesty)
   Importance: Undecided
   Status: New

** Also affects: gnutls28 (Ubuntu Zesty)
   Importance: Undecided
   Status: New

** Changed in: gnutls26 (Ubuntu Trusty)
   Status: New => Confirmed

** Changed in: gnutls26 (Ubuntu Xenial)
   Status: New => Invalid

** Changed in: gnutls26 (Ubuntu Zesty)
   Status: New => Invalid

** Changed in: gnutls26 (Ubuntu Artful)
   Status: New => Invalid

** Changed in: ssmtp (Ubuntu Trusty)
   Status: New => Invalid

** Changed in: ssmtp (Ubuntu Xenial)
   Status: New => Invalid

** No longer affects: ssmtp (Ubuntu)

** Changed in: ssmtp (Ubuntu Zesty)
   Status: New => Invalid

** Changed in: gnutls28 (Ubuntu Trusty)
   Status: New => Won't Fix

** Changed in: gnutls28 (Ubuntu Xenial)
   Status: New => Confirmed

** Changed in: gnutls28 (Ubuntu Zesty)
   Status: New => Confirmed

** Changed in: gnutls28 (Ubuntu Artful)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1709193

Title:
  Unable to use TLSv1.1 or 1.2 with OpenSSL compat layer

Status in gnutls26 package in Ubuntu:
  Invalid
Status in gnutls28 package in Ubuntu:
  Confirmed
Status in gnutls26 source package in Trusty:
  Confirmed
Status in gnutls28 source package in Trusty:
  Won't Fix
Status in ssmtp source package in Trusty:
  Invalid
Status in gnutls26 source package in Xenial:
  Invalid
Status in gnutls28 source package in Xenial:
  Confirmed
Status in ssmtp source package in Xenial:
  Invalid
Status in gnutls26 source package in Zesty:
  Invalid
Status in gnutls28 source package in Zesty:
  Confirmed
Status in ssmtp source package in Zesty:
  Invalid
Status in gnutls26 source package in Artful:
  Invalid
Status in gnutls28 source package in Artful:
  Confirmed
Status in ssmtp source package in Artful:
  Invalid
Status in gnutls28 package in Debian:
  Fix Released

Bug description:
  sSMTP is limited to using TLSv1.0 and the "old" ciphers that come with
  it. Here's a packet capture when ssmtp connects to
  smtp.sdeziel.info:587 that offers TLSv1.0 and higher:

  $ tshark -ta -Vr submission.pcap | sed -n '/^Frame 14:/,/^Frame 15:/ p' | grep -E '^[[:space:]]+(Version|Cipher|Handshake Protocol)'
  Version: TLS 1.0 (0x0301)
  Handshake Protocol: Client Hello
  Version: TLS 1.0 (0x0301)
  Cipher Suites Length: 30
  Cipher Suites (15 suites)
  Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
  Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
  Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)
  Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)
  Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
  Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
  Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
  Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045)
  Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)
  Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
  Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
  Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
  Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0044)
  Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0087)
  Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)

  I would expect ssmtp to use TLSv1.2 and a recent cipher like the
  openssl s_client is able to do:

  $ echo | openssl s_client -connect smtp.sdeziel.info:587 -starttls smtp 2>/dev/null | grep -E '^[[:space:]]+(Protocol|Cipher)'
  Protocol  : TLSv1.2
  Cipher: ECDHE-RSA-AES128-GCM-SHA256

  
  Additional information:

  $ lsb_release -rd
  Description:  Ubuntu 16.04.3 LTS
  Release:  

[Group.of.nepali.translators] [Bug 1707015] Re: image composite functions not working in php

2017-08-01 Thread Marc Deslauriers
Removing the patch was just a temporary fix until a proper solution is
found. Re-opening bug.

** Changed in: imagemagick (Ubuntu Trusty)
   Status: Fix Released => Triaged

** Changed in: imagemagick (Ubuntu Xenial)
   Status: Fix Released => Triaged

** Information type changed from Public to Public Security

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1707015

Title:
  image composite functions not working in php

Status in imagemagick package in Ubuntu:
  Invalid
Status in imagemagick source package in Trusty:
  Triaged
Status in imagemagick source package in Xenial:
  Triaged
Status in imagemagick package in Debian:
  Unknown

Bug description:
  We use php-imagick to make image compositions on our servers.  On July
  25 we got an upgrade of imagemagick, from 6.8.9.9-7ubuntu5.7 to
  8:6.8.9.9-7ubuntu5.8.  After that upgrade our webservers, using the
  php imagick bindings, stopped making composites.  The composite images
  just have the background layer showing, with no overlay layer
  composited on top.

  In PHP there are no errors or exceptions, and other imagick functions
  work fine.  Reading images, scaling, making new images, rendering to
  bytes, all work fine.  It is only the composite functions, in php
  bindings, that are not working.

  I downgraded our webservers to imagemagick 6.8.9.9-7ubuntu5, which is
  still available in the ubuntu archives, and the php composite
  functions started working again.  6.8.9.9-7ubuntu5.7 is no longer
  available in the archives
  (http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/).

  A test script to reproduce the bug is attached to this ticket.  On
  version 6.8.9.9-7ubuntu5 this will show the ubuntu logo over a gray
  background.  On the latest version, 6.8.9.9-7ubuntu5.8, this will show
  garbled fragments of the ubuntu logo over gray background, or perhaps
  just an empty gray background.

  This bug was identified on Ubuntu 16.04.2 LTS as a result of an
  automatic upgrade from ubuntu security.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1707015/+subscriptions



[Group.of.nepali.translators] [Bug 1707015] Re: image composite functions not working in php

2017-07-31 Thread Marc Deslauriers
** Bug watch added: Debian Bug tracker #870273
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870273

** Also affects: imagemagick (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870273
   Importance: Unknown
   Status: Unknown

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1707015

Title:
  image composite functions not working in php

Status in imagemagick package in Ubuntu:
  Invalid
Status in imagemagick source package in Trusty:
  In Progress
Status in imagemagick source package in Xenial:
  In Progress
Status in imagemagick package in Debian:
  Unknown


To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1707015/+subscriptions



[Group.of.nepali.translators] [Bug 1707015] Re: image composite functions not working in php

2017-07-28 Thread Marc Deslauriers
Thanks for reporting this issue, I can reproduce it on Ubuntu 14.04 LTS
and Ubuntu 16.04.

I will investigate the regression and will publish an update to correct
this shortly.

** Also affects: imagemagick (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: imagemagick (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Changed in: imagemagick (Ubuntu)
   Status: New => Invalid

** Changed in: imagemagick (Ubuntu Trusty)
   Status: New => Confirmed

** Changed in: imagemagick (Ubuntu Xenial)
   Status: New => In Progress

** Changed in: imagemagick (Ubuntu Trusty)
   Status: Confirmed => In Progress

** Changed in: imagemagick (Ubuntu Trusty)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: imagemagick (Ubuntu Xenial)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: imagemagick (Ubuntu Trusty)
   Importance: Undecided => High

** Changed in: imagemagick (Ubuntu Xenial)
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1707015

Title:
  image composite functions not working in php

Status in imagemagick package in Ubuntu:
  Invalid
Status in imagemagick source package in Trusty:
  In Progress
Status in imagemagick source package in Xenial:
  In Progress


To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1707015/+subscriptions



[Group.of.nepali.translators] [Bug 1706900] Re: CVE-2016-9877 RabbitMQ authentication vulnerability

2017-07-27 Thread Marc Deslauriers
** Also affects: rabbitmq-server (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Also affects: rabbitmq-server (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Changed in: rabbitmq-server (Ubuntu)
   Status: Triaged => Fix Released

** Changed in: rabbitmq-server (Ubuntu Trusty)
   Status: New => Confirmed

** Changed in: rabbitmq-server (Ubuntu Xenial)
   Status: New => Confirmed

** Changed in: rabbitmq-server (Ubuntu Trusty)
   Importance: Undecided => High

** Changed in: rabbitmq-server (Ubuntu Xenial)
   Importance: Undecided => High

** Changed in: rabbitmq-server (Ubuntu Trusty)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: rabbitmq-server (Ubuntu Xenial)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1706900

Title:
  CVE-2016-9877 RabbitMQ authentication vulnerability

Status in RabbitMQ:
  Fix Released
Status in rabbitmq-server package in Ubuntu:
  Fix Released
Status in rabbitmq-server source package in Trusty:
  Confirmed
Status in rabbitmq-server source package in Xenial:
  Confirmed

Bug description:
  https://pivotal.io/security/cve-2016-9877

  "MQTT (MQ Telemetry Transport) connection authentication with a
  username/password pair succeeds if an existing username is provided
  but the password is omitted from the connection request. Connections
  that use TLS with a client-provided certificate are not affected."

  Affects RabbitMQ "3.x versions prior to 3.5.8"

  Ubuntu's Xenial repos are currently offering 3.5.7-1ubuntu0.16.04.1,
  and according to its changelog, Pivotal's fix for CVE-2016-9877 has
  not been included.

To manage notifications about this bug go to:
https://bugs.launchpad.net/rabbitmq/+bug/1706900/+subscriptions

___
Mailing list: https://launchpad.net/~group.of.nepali.translators
Post to : group.of.nepali.translators@lists.launchpad.net
Unsubscribe : https://launchpad.net/~group.of.nepali.translators
More help   : https://help.launchpad.net/ListHelp
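
The condition quoted in the CVE-2016-9877 report above (an MQTT connection request that names a user but carries no password) can be recognised from the CONNECT packet's flag byte. The following is an added example, not part of the bug report and not RabbitMQ code: it assumes the MQTT 3.1/3.1.1 CONNECT layout, and the function names and sample packets are constructed for illustration.

```python
import struct

# MQTT CONNECT flag bits (MQTT 3.1 / 3.1.1 wire format).
FLAG_USERNAME = 0x80
FLAG_PASSWORD = 0x40
FLAG_WILL = 0x04


class MalformedPacket(ValueError):
    """Raised when the bytes cannot be a well-formed CONNECT packet."""


def _read_remaining_length(buf, pos):
    """Decode the variable-length 'remaining length' (1 to 4 bytes)."""
    value, shift = 0, 0
    for _ in range(4):
        if pos >= len(buf):
            raise MalformedPacket("truncated remaining length")
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7
    raise MalformedPacket("remaining length longer than 4 bytes")


def _read_field(buf, pos):
    """Read one field prefixed by a 2-byte big-endian length."""
    if pos + 2 > len(buf):
        raise MalformedPacket("truncated field length")
    (size,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    if pos + size > len(buf):
        raise MalformedPacket("field runs past end of packet")
    return buf[pos:pos + size], pos + size


def parse_connect(packet):
    """Parse a CONNECT packet and return its flags and credential fields."""
    if not packet or packet[0] >> 4 != 1:
        raise MalformedPacket("not a CONNECT packet")
    remaining, pos = _read_remaining_length(packet, 1)
    body = packet[pos:pos + remaining]
    if len(body) != remaining:
        raise MalformedPacket("packet shorter than its remaining length")

    protocol, p = _read_field(body, 0)
    if p + 4 > len(body):
        raise MalformedPacket("truncated variable header")
    level, flags, _keepalive = struct.unpack_from(">BBH", body, p)
    p += 4
    if flags & FLAG_PASSWORD and not flags & FLAG_USERNAME:
        # MQTT 3.1.1 forbids a password without a username.
        raise MalformedPacket("password flag set without username flag")

    client_id, p = _read_field(body, p)
    if flags & FLAG_WILL:
        _topic, p = _read_field(body, p)    # will topic
        _message, p = _read_field(body, p)  # will message
    username = password = None
    if flags & FLAG_USERNAME:
        username, p = _read_field(body, p)
    if flags & FLAG_PASSWORD:
        password, p = _read_field(body, p)
    return {"protocol": protocol, "level": level, "flags": flags,
            "client_id": client_id, "username": username,
            "password": password}


def classify_connect(packet):
    """Label a CONNECT packet by the credentials it presents."""
    info = parse_connect(packet)
    if info["username"] is None:
        return "anonymous"
    if info["password"] is None:
        # The case the advisory describes: username given, password omitted.
        return "username-without-password"
    return "credentials-present"


# Constructed sample packets (client id "c1", keep-alive 60 seconds).
_HEADER = b"\x00\x04MQTT" + b"\x04"
WITH_PASSWORD = (b"\x10\x1d" + _HEADER + b"\xc2\x00\x3c" + b"\x00\x02c1"
                 + b"\x00\x05alice" + b"\x00\x06s3cret")
USERNAME_ONLY = (b"\x10\x15" + _HEADER + b"\x82\x00\x3c" + b"\x00\x02c1"
                 + b"\x00\x05alice")
ANONYMOUS = b"\x10\x0e" + _HEADER + b"\x02\x00\x3c" + b"\x00\x02c1"

if __name__ == "__main__":
    for name, pkt in (("with password", WITH_PASSWORD),
                      ("username only", USERNAME_ONLY),
                      ("anonymous", ANONYMOUS)):
        print(name, "->", classify_connect(pkt))
```

A broker-side log or proxy check built on `classify_connect` can count `username-without-password` connections on hosts still running a version the report lists as affected.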


[Group.of.nepali.translators] [Bug 1693893] Re: Possible remote code execution related to subtitles

2017-07-07 Thread Marc Deslauriers
** Also affects: vlc (Ubuntu Artful)
   Importance: Undecided
 Assignee: Simon Quigley (tsimonq2)
   Status: In Progress

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1693893

Title:
  Possible remote code execution related to subtitles

Status in vlc package in Ubuntu:
  In Progress
Status in vlc source package in Xenial:
  In Progress
Status in vlc source package in Zesty:
  In Progress
Status in vlc source package in Artful:
  In Progress

Bug description:
  VLC 2.2.5.1 fixes buffer overflow and out of bound read bugs related to
  subtitle decoding. A company called "Check Point" appears to have reported
  them, but they did not release any details. [1]
  At least the following 5 commits relate to these bugs: [2]

  Presumably all currently supported Ubuntu releases are affected by at
  least one bug fixed by the patches.

  By the way, there seem to be other security related commits in VLC
  that might need backporting, e.g. [3] [4]

  [1]: http://blog.checkpoint.com/2017/05/23/hacked-in-translation/
  [2]: https://github.com/videolan/vlc/search?q=checkpoint=Commits=%E2%9C%93
  [3]: https://github.com/videolan/vlc/search?o=desc=1=overflow=committer-date=Commits=%E2%9C%93
  [4]: https://github.com/videolan/vlc/search?o=desc=out+of+bound=committer-date=Commits=%E2%9C%93

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/vlc/+bug/1693893/+subscriptions



[Group.of.nepali.translators] [Bug 1397091] Re: [Security] Update Wireshark in Precise, Trusty, and Utopic to include relevant security patches.

2017-06-13 Thread Marc Deslauriers
** Changed in: wireshark (Ubuntu)
   Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1397091

Title:
  [Security] Update Wireshark in Precise, Trusty, and Utopic to include
  relevant security patches.

Status in wireshark package in Ubuntu:
  Fix Released
Status in wireshark source package in Precise:
  Won't Fix
Status in wireshark source package in Trusty:
  Fix Released
Status in wireshark source package in Utopic:
  Fix Released
Status in wireshark source package in Xenial:
  Fix Released
Status in wireshark source package in Yakkety:
  Fix Released
Status in wireshark source package in Zesty:
  Fix Released

Bug description:
  In further discussion with the security team and others, it's probably
  easier (and more acceptable all over at this time) to backport all the
  fixes for the bugs into the various affected Wireshark versions
  already present in the repositories.

  The original description for the bug is below, and is kept for
  historical reasons.  Additional changes and actions on the bug will be
  in the comments.

  ==

  [Original Description]

  In discussion with the Security team yesterday (November 26, 2014) in
  #ubuntu-hardened on IRC, I began digging through the list of Wireshark
  CVEs, attempting to correct the tracker and get the CVE statuses
  updated to reflect what actually does affect the versions in Trusty
  and later, rather than sit there with a ton of yellow and orange on
  the tracker.

  During the discussion while I was making the revisions in my own
  branch of the CVE tracker, it was proposed by Marc Deslauriers that we
  look into a full version bump in the Wireshark package for all stable
  releases.  Further discussion with Seth Arnold after that with me
  settled on targeting this for Precise, Trusty, and Utopic.

  Unfortunately, security handling of this package is... tricky.  There
  are so many CVEs that it becomes unwieldy to try and patch each
  individual CVE.  Further discussion today (November 27, 2014) and
  input from Marc supports that conclusion.  Therefore, it was suggested
  that we investigate updating the software to as close to latest as we
  can.

  Vivid already has the patches that are included in the upstream
  version 1.12.2, and therefore has CVE fixes for the ones which were
  fixed in 1.12.2.  To that end, I propose that we do a security update
  for Wireshark and apply the package from Vivid (with changes as
  necessary for releases) to earlier releases in order to fix the
  numerous security updates that are pending for the package.

  --

  The attached debdiffs are based off of the Vivid package.  The package
  in Vivid contains all the security fixes in 1.12.2.  The update would
  bring the Precise, Trusty, and Utopic into relative sync with the
  Vivid package.

  The following is the details of the changes to the package that would
  need to be done for each release (and this will be outlined in
  debdiffs later) in order to build:

  Precise:
  * debian/control:
    - libgnutls28-dev has a version specified in it.  To build, this dependency
      needs its version specification to be adjusted to an earlier version number,
      with respect to what is in Precise
    - Remove qt build deps, to prevent the Qt builds from being done/attempted.
    - Remove the wireshark-qt package.
  * debian/rules: There is a reference in the rules to the qtshark compiled
    executable.  It needs to be removed in order for the builds to continue.
  * debian/wireshark-qt.*: Remove the wireshark-qt package

  Trusty:
  * debian/control:  program
    - libgnutls28-dev has a version specified in it.  To build, this dependency
      needs its version specification to be adjusted to an earlier version number,
      with respect to what is in Trusty
    - Remove qt build deps, to prevent the Qt builds from being done/attempted.
    - Remove the wireshark-qt package.
  * debian/rules: There is a reference in the rules to the qtshark compiled
    executable.  It needs to be removed in order for the builds to continue.
  * debian/wireshark-qt.*: Remove the wireshark-qt package

  Utopic:
  No changes need to be made to the package other than a new changelog entry
  targeting utopic-security.  The Qt Wireshark package already exists in Utopic,
  therefore it did not need to be removed.

  --

  There should not be any major regressions by doing the version bump.
  There may be some UI changes, however the functionality of Wireshark
  will be improved, with most (if not all) of the current CVEs against
  the package being fixed.

  --

  Test builds for the attached debdiffs (targeted for the release
  specifically instead of the security pocket, because of it being in a
  PPA) can be found here:

  https://launchpad.net/~teward/+archive/ubuntu/wiresh

[Group.of.nepali.translators] [Bug 1686768] Re: Restricted contacts can see servers that do not belong to them

2017-06-08 Thread Marc Deslauriers
** Changed in: nagios3 (Ubuntu Zesty)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1686768

Title:
  Restricted contacts can see servers that do not belong to them

Status in nagios3 package in Ubuntu:
  Fix Released
Status in nagios3 source package in Trusty:
  Fix Released
Status in nagios3 source package in Xenial:
  Fix Released
Status in nagios3 source package in Yakkety:
  Fix Released
Status in nagios3 source package in Zesty:
  Fix Released

Bug description:
  [Impact]

   * It is possible for users to see information about servers that they
  have not been given permission to see

   * A fix should be backported because this is a security problem and
  causes Nagios to leak data

   * The patch introduces the proper checks on hostgroup permissions as
  per Nagios 4.2.2

  [Test Case]

   * Configure Nagios to monitor multiple servers
   * Create a second contact called "jbloggs" (in /etc/nagios/conf.d/contacts_nagios2.cfg)
   * Create a second contact group called "oneserver" containing the second
     contact (in /etc/nagios/conf.d/contacts_nagios2.cfg)
   * Set the contact_groups property for one of the servers to be "admins,oneserver"
   * Add an entry to /etc/nagios3/htpasswd.users for the "jbloggs" user
   * Login to Nagios as "jbloggs"
   * On the left hand nav, visit "Hostgroups", "Hostgroups -> Summary", and
     "Hostgroups -> Grid", and observe that the "jbloggs" user can view information
     about servers they don't have permission to see (full details including
     screenshots can be found on the Nagios forum link below)

  [Regression Potential]

   * It's possible that this may create other issues when viewing
  hostgroups in the Nagios web interface although I have not seen any
  such issues, and this fix was deemed to be acceptable by the Nagios
  core team in Nagios 4.2.2 (tracker link below) so I think the chances
  of any issues are very low.

  [Other Info]
   
   * This fix is the same fix that was applied upstream in Nagios 4.2.2,
     although as Ubuntu doesn't ship that version the fix never made it in
   * This problem didn't exist under Precise as that ran Nagios 3.2.x so this
     was an upstream regression that happened after that version

  [Original Description]

  There is a problem with the hostgroups reports that allows restricted
  contacts to see servers that do not belong to them provided they are
  in the same hostgroup.

  This issue was reported to the Nagios project in 2013 here (with
  screenshots, sample configs, etc):
  https://support.nagios.com/forum/viewtopic.php?f=7=21794

  It was fixed in Nagios 4.2.2 here:
  https://github.com/NagiosEnterprises/nagioscore/commit/d1b3a07ff72ece0d296b153d4d5c8c4543ed96c1#diff-b89a219dd5a0ac3e4e07f1dfd721dd78

  This problem exists in Nagios 3.5.x that did not exist under 3.2.x,
  however it seems likely that the fix in 4.2.2 could be backported to
  Nagios 3.5.x.

  lsb_release -rd output:
  Description:  Ubuntu 16.04.2 LTS
  Release:  16.04

  apt-cache policy nagios3 nagios3-cgi output:
  nagios3:
    Installed: 3.5.1.dfsg-2.1ubuntu1.1
    Candidate: 3.5.1.dfsg-2.1ubuntu1.1
    Version table:
   *** 3.5.1.dfsg-2.1ubuntu1.1 500
          500 http://gb.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
          500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
          100 /var/lib/dpkg/status
       3.5.1.dfsg-2.1ubuntu1 500
          500 http://gb.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
  nagios3-cgi:
    Installed: 3.5.1.dfsg-2.1ubuntu1.1
    Candidate: 3.5.1.dfsg-2.1ubuntu1.1
    Version table:
   *** 3.5.1.dfsg-2.1ubuntu1.1 500
          500 http://gb.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
          500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
          100 /var/lib/dpkg/status
       3.5.1.dfsg-2.1ubuntu1 500
          500 http://gb.archive.ubuntu.com/ubuntu xenial/main amd64 Packages

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nagios3/+bug/1686768/+subscriptions



[Group.of.nepali.translators] [Bug 1690380] Re: "Cannot open log file '/var/log/nagios3/nagios.log' for reading" error from nagios web UI when view alert history etc.

2017-06-06 Thread Marc Deslauriers
** Also affects: nagios3 (Ubuntu Artful)
   Importance: Undecided
   Status: Triaged

** Also affects: nagios3 (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Also affects: nagios3 (Ubuntu Zesty)
   Importance: Undecided
   Status: New

** Changed in: nagios3 (Ubuntu Trusty)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: nagios3 (Ubuntu Xenial)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: nagios3 (Ubuntu Yakkety)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: nagios3 (Ubuntu Zesty)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: nagios3 (Ubuntu Artful)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: nagios3 (Ubuntu Trusty)
   Status: New => In Progress

** Changed in: nagios3 (Ubuntu Xenial)
   Status: New => In Progress

** Changed in: nagios3 (Ubuntu Yakkety)
   Status: New => In Progress

** Changed in: nagios3 (Ubuntu Zesty)
   Status: New => In Progress

** Changed in: nagios3 (Ubuntu Artful)
   Status: Triaged => In Progress

** Changed in: nagios3 (Ubuntu Trusty)
   Importance: Undecided => High

** Changed in: nagios3 (Ubuntu Xenial)
   Importance: Undecided => High

** Changed in: nagios3 (Ubuntu Yakkety)
   Importance: Undecided => High

** Changed in: nagios3 (Ubuntu Zesty)
   Importance: Undecided => High

** Changed in: nagios3 (Ubuntu Artful)
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1690380

Title:
  "Cannot open log file '/var/log/nagios3/nagios.log' for reading" error
  from nagios web UI when view alert history etc.

Status in nagios3 package in Ubuntu:
  In Progress
Status in nagios3 source package in Trusty:
  In Progress
Status in nagios3 source package in Xenial:
  In Progress
Status in nagios3 source package in Yakkety:
  In Progress
Status in nagios3 source package in Zesty:
  In Progress
Status in nagios3 source package in Artful:
  In Progress

Bug description:
  Ubuntu 16.04.2 LTS
  nagios3 and nagios3-cgi 3.5.1.dfsg-2.1ubuntu1.1

  If you install the nagios3 package and then view the Alert History,
  Notification History or Events pages (and maybe others), e.g.:

  http://localhost/cgi-bin/nagios3/history.cgi?host=localhost

  then you get the following error in place of the information that
  should be there:

  Error: Cannot open log file '/var/log/nagios3/nagios.log' for reading!

  This issue:

  https://github.com/NagiosEnterprises/nagioscore/issues/303

  ...suggests that this is caused by the fix for CVE-2016-9566:

  https://github.com/NagiosEnterprises/nagioscore/commit/ff22fd0de4938781edcbd48512d2494ca3c9c41a

  ...which has been back ported to 3.5.1.dfsg-2.1ubuntu1.1 according to:

  https://launchpad.net/ubuntu/xenial/+source/nagios3/+changelog

  The permissions and ownership of nagios.log are:

  $ ls -l /var/log/nagios3/nagios.log
  -rw------- 1 nagios adm 189 May 12 13:45 /var/log/nagios3/nagios.log

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nagios3/+bug/1690380/+subscriptions



[Group.of.nepali.translators] [Bug 1670036] Re: Misapplied patches in 4.0.6-2ubuntu0.1 break reading and writing JPEG compressed files

2017-05-29 Thread Marc Deslauriers
Thanks for reporting this issue and for the updated patch. I'll prepare
security regression updates and will publish them this week, likely
tomorrow.

Thanks!

** Also affects: tiff (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Also affects: tiff (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: tiff (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Changed in: tiff (Ubuntu Trusty)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: tiff (Ubuntu Xenial)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: tiff (Ubuntu Trusty)
   Status: New => Confirmed

** Changed in: tiff (Ubuntu Xenial)
   Status: New => Confirmed

** Changed in: tiff (Ubuntu Yakkety)
   Status: New => Confirmed

** Changed in: tiff (Ubuntu Yakkety)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: tiff (Ubuntu)
   Status: Confirmed => Invalid

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1670036

Title:
  Misapplied patches in 4.0.6-2ubuntu0.1 break reading and writing JPEG
  compressed files

Status in LibTIFF:
  New
Status in tiff package in Ubuntu:
  Invalid
Status in tiff source package in Trusty:
  Confirmed
Status in tiff source package in Xenial:
  Confirmed
Status in tiff source package in Yakkety:
  Confirmed

Bug description:
  The patches applied to libtiff 4.0.6 in 4.0.6-2ubuntu01 seem to break
  JPEG tiff read and write.

  To reproduce:

  $ tiffcp -c jpeg k2a.tif x.tif

  (where k2a.tif is a simple uncompressed RGB strip tiff) appears to
  work. However, x.tif, the output, will now not read without warnings:

  $ tiffcp x.tif y.tif
  TIFFFetchNormalTag: Warning, ASCII value for tag "JPEGTables" does not end in null byte. Forcing it to be null.
  JPEGLib: Warning, Premature end of JPEG file.

  This was working fine until a couple of days ago, so I guess it's one
  of the most recent patches.

  Some packages using libtiff seem to be broken too. For example,
  openslide, which uses libtiff to load jp2k-compressed slide images, is
  no longer working:

  $ openslide-write-png CMU-1-Small-Region.svs 0 0 0 100 100 x.png
  TIFFFetchNormalTag: Warning, ASCII value for tag "JPEGTables" does not end in null byte. Forcing it to be null.
  TIFFFetchNormalTag: Warning, ASCII value for tag "JPEGTables" does not end in null byte. Forcing it ... repeats 8 more times
  openslide-write-png: Premature end of JPEG file

  and x.png is not a valid PNG image.  The test .svs image may be
  downloaded here:

  http://openslide.cs.cmu.edu/download/openslide-testdata/Aperio/

To manage notifications about this bug go to:
https://bugs.launchpad.net/libtiff/+bug/1670036/+subscriptions



[Group.of.nepali.translators] [Bug 1689759] Re: CVE 2017-8422 - kauth: Local privilege escalation

2017-05-15 Thread Marc Deslauriers
** Changed in: kde4libs (Ubuntu Trusty)
   Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1689759

Title:
  CVE 2017-8422 - kauth: Local privilege escalation

Status in kauth package in Ubuntu:
  Fix Released
Status in kde4libs package in Ubuntu:
  Fix Released
Status in kauth source package in Trusty:
  Invalid
Status in kde4libs source package in Trusty:
  Fix Released
Status in kauth source package in Xenial:
  In Progress
Status in kde4libs source package in Xenial:
  Fix Released
Status in kauth source package in Yakkety:
  Confirmed
Status in kde4libs source package in Yakkety:
  Fix Released
Status in kauth source package in Zesty:
  Fix Released
Status in kde4libs source package in Zesty:
  Fix Released
Status in kauth source package in Artful:
  Fix Released
Status in kde4libs source package in Artful:
  Fix Released

Bug description:
  KDE Project Security Advisory
  =============================

  Title:          kauth: Local privilege escalation
  Risk Rating:    High
  CVE:            CVE-2017-8422
  Versions:       kauth < 5.34, kdelibs < 4.14.32
  Date:           10 May 2017

  Overview
  ========
  KAuth contains a logic flaw in which the service invoking dbus
  is not properly checked.

  This allows spoofing the identity of the caller and with some
  carefully crafted calls can lead to gaining root from an
  unprivileged account.

  Solution
  ========
  Update to kauth >= 5.34 and kdelibs >= 4.14.32 (when released)

  Or apply the following patches:
    kauth: https://commits.kde.org/kauth/df875f725293af53399f5146362eb158b4f9216a
    kdelibs: https://commits.kde.org/kdelibs/264e97625abe2e0334f97de17f6ffb52582888ab

  Credits
  =======
  Thanks to Sebastian Krahmer from SUSE for the report and
  to Albert Astals Cid from KDE for the fix.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/kauth/+bug/1689759/+subscriptions



[Group.of.nepali.translators] [Bug 1689759] Re: CVE 2017-8422 - kauth: Local privilege escalation

2017-05-11 Thread Marc Deslauriers
ACK on the debdiffs in comments #1 and #2. I have uploaded them for
releasing as a security update, with a few minor changes, such as
targeting the security pocket, some whitespace changes in the changelog,
and adding the new patch to the end of the series file rather than at
the beginning.

Thanks!

** Also affects: kde4libs (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: kauth (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: kde4libs (Ubuntu Artful)
   Importance: Undecided
   Status: Confirmed

** Also affects: kauth (Ubuntu Artful)
   Importance: Undecided
   Status: Confirmed

** Also affects: kde4libs (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Also affects: kauth (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Also affects: kde4libs (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Also affects: kauth (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Also affects: kde4libs (Ubuntu Zesty)
   Importance: Undecided
   Status: New

** Also affects: kauth (Ubuntu Zesty)
   Importance: Undecided
   Status: New

** Changed in: kde4libs (Ubuntu Trusty)
   Importance: Undecided => High

** Changed in: kde4libs (Ubuntu Trusty)
   Status: New => Confirmed

** Changed in: kde4libs (Ubuntu Trusty)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: kde4libs (Ubuntu Xenial)
   Importance: Undecided => High

** Changed in: kde4libs (Ubuntu Xenial)
   Status: New => Confirmed

** Changed in: kde4libs (Ubuntu Yakkety)
   Importance: Undecided => High

** Changed in: kde4libs (Ubuntu Yakkety)
   Status: New => Confirmed

** Changed in: kde4libs (Ubuntu Zesty)
   Importance: Undecided => High

** Changed in: kde4libs (Ubuntu Zesty)
   Status: New => Confirmed

** Changed in: kde4libs (Ubuntu Zesty)
   Status: Confirmed => In Progress

** Changed in: kauth (Ubuntu Trusty)
   Status: New => Invalid

** Changed in: kauth (Ubuntu Xenial)
   Importance: Undecided => High

** Changed in: kauth (Ubuntu Xenial)
   Status: New => Confirmed

** Changed in: kauth (Ubuntu Yakkety)
   Importance: Undecided => High

** Changed in: kauth (Ubuntu Yakkety)
   Status: New => Confirmed

** Changed in: kauth (Ubuntu Zesty)
   Importance: Undecided => High

** Changed in: kauth (Ubuntu Zesty)
   Status: New => Confirmed

** Changed in: kauth (Ubuntu Zesty)
   Status: Confirmed => In Progress

** Changed in: kauth (Ubuntu Artful)
   Importance: Undecided => High

** Changed in: kde4libs (Ubuntu Artful)
   Importance: Undecided => High

** Changed in: kde4libs (Ubuntu Trusty)
   Status: Confirmed => In Progress

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1689759

Title:
  CVE 2017-8422 - kauth: Local privilege escalation

Status in kauth package in Ubuntu:
  Confirmed
Status in kde4libs package in Ubuntu:
  Confirmed
Status in kauth source package in Trusty:
  Invalid
Status in kde4libs source package in Trusty:
  In Progress
Status in kauth source package in Xenial:
  Confirmed
Status in kde4libs source package in Xenial:
  Confirmed
Status in kauth source package in Yakkety:
  Confirmed
Status in kde4libs source package in Yakkety:
  Confirmed
Status in kauth source package in Zesty:
  In Progress
Status in kde4libs source package in Zesty:
  In Progress
Status in kauth source package in Artful:
  Confirmed
Status in kde4libs source package in Artful:
  Confirmed

Bug description:
  KDE Project Security Advisory
  =============================

  Title:          kauth: Local privilege escalation
  Risk Rating:    High
  CVE:            CVE-2017-8422
  Versions:       kauth < 5.34, kdelibs < 4.14.32
  Date:           10 May 2017

  Overview
  ========
  KAuth contains a logic flaw in which the service invoking dbus
  is not properly checked.

  This allows spoofing the identity of the caller and with some
  carefully crafted calls can lead to gaining root from an
  unprivileged account.

  Solution
  ========
  Update to kauth >= 5.34 and kdelibs >= 4.14.32 (when released)

  Or apply the following patches:
    kauth: https://commits.kde.org/kauth/df875f725293af53399f5146362eb158b4f9216a
    kdelibs: https://commits.kde.org/kdelibs/264e97625abe2e0334f97de17f6ffb52582888ab

  Credits
  =======
  Thanks to Sebastian Krahmer from SUSE for the report and
  to Albert Astals Cid from KDE for the fix.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/kauth/+bug/1689759/+subscriptions


[Group.of.nepali.translators] [Bug 1672686] Re: CVE-2017-2784 - Freeing of memory allocated on stack when validating a public key with a secp224k1 curve

2017-04-06 Thread Marc Deslauriers
Since there is nothing left to sponsor, I am unsubscribing
ubuntu-security-sponsors. Please re-subscribe the group when attaching
another debdiff. Thanks!

** Also affects: polarssl (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: mbedtls (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: polarssl (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Also affects: mbedtls (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Changed in: mbedtls (Ubuntu Xenial)
   Status: New => Fix Released

** Changed in: mbedtls (Ubuntu Yakkety)
   Status: New => Fix Committed

** Changed in: mbedtls (Ubuntu Yakkety)
   Status: Fix Committed => Fix Released

** Changed in: polarssl (Ubuntu Xenial)
   Status: New => Confirmed

** Changed in: polarssl (Ubuntu Yakkety)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1672686

Title:
  CVE-2017-2784 - Freeing of memory allocated on stack when validating a
  public key with a secp224k1 curve

Status in mbedtls package in Ubuntu:
  Fix Released
Status in polarssl package in Ubuntu:
  Incomplete
Status in mbedtls source package in Xenial:
  Fix Released
Status in polarssl source package in Xenial:
  Confirmed
Status in mbedtls source package in Yakkety:
  Fix Released
Status in polarssl source package in Yakkety:
  Confirmed
Status in mbedtls package in Debian:
  Fix Released
Status in polarssl package in Debian:
  Confirmed

Bug description:
  The following security bug was published for mbedtls:

  Freeing of memory allocated on stack when validating a public key with
  a secp224k1 curve

  [Vulnerability]
  If a malicious peer supplies a certificate with a specially crafted
  secp224k1 public key, then an attacker can cause the server or client
  to attempt to free block of memory held on stack.

  [Impact]
  Depending on the platform, this could result in a Denial of Service
  (client crash) or potentially could be exploited to allow remote code
  execution with the same privileges as the host application.

  [Resolution]
  Affected users should upgrade to mbed TLS 1.3.19, mbed TLS 2.1.7 or
  mbed TLS 2.4.2.

  https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2017-01

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mbedtls/+bug/1672686/+subscriptions



[Group.of.nepali.translators] [Bug 1669764] Re: security update spams log file

2017-04-05 Thread Marc Deslauriers
** Changed in: munin (Ubuntu)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1669764

Title:
  security update spams log file

Status in munin package in Ubuntu:
  Fix Released
Status in munin source package in Trusty:
  Fix Released
Status in munin source package in Xenial:
  Fix Released
Status in munin source package in Yakkety:
  Fix Released
Status in munin package in Debian:
  Fix Released

Bug description:
  The munin security update caused a regression that is spamming the log
  file with:

  2017/03/02 06:53:56 [PERL WARNING] Use of uninitialized value $size_x
  in string eq at /usr/lib/munin/cgi/munin-cgi-graph line 453.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/munin/+bug/1669764/+subscriptions



[Group.of.nepali.translators] [Bug 1675698] Re: Cannot access anything under a subdirectory if symlinks are disallowed

2017-03-31 Thread Marc Deslauriers
** Changed in: samba (Ubuntu Zesty)
   Status: Confirmed => Invalid

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1675698

Title:
  Cannot access anything under a subdirectory if symlinks are disallowed

Status in samba:
  Unknown
Status in samba package in Ubuntu:
  Invalid
Status in samba source package in Precise:
  Fix Released
Status in samba source package in Trusty:
  Fix Released
Status in samba source package in Xenial:
  Fix Released
Status in samba source package in Yakkety:
  Fix Released
Status in samba source package in Zesty:
  Invalid
Status in samba package in Debian:
  Confirmed

Bug description:
  After upgrading to 4.3.11+dfsg-0ubuntu0.14.04.6, some of my shares
  broke in a curious way. The affected shares have `follow symlinks =
  no`; the ones with `follow symlinks = yes` aren't affected AFAICT.
  Allowing symlinks on one of the affected shares mitigates the issue
  for that share.

  The issue is that access to anything under a direct subdirectory of
  the share doesn't work. I can create a directory in `\\srv\share`,
  e.g. `\\srv\share\foo`, but I can't create any files or directories
  inside it, e.g. creating `\\srv\share\foo\bar` ends up with error 50
  (The request is not supported). Attempts to access existing files or
  directories at this level produce error 59 (An unexpected network
  error occurred).

  The log at level 2 says:

  ```
  ../source3/smbd/vfs.c:1298(check_reduced_name)
    check_reduced_name: Bad access attempt: branches is a symlink to foo/bar
  ```

  ... or:

  ```
  ../source3/smbd/vfs.c:1298(check_reduced_name)
    check_reduced_name: Bad access attempt: . is a symlink to foo
  ```

To manage notifications about this bug go to:
https://bugs.launchpad.net/samba/+bug/1675698/+subscriptions



[Group.of.nepali.translators] [Bug 1674005] Re: audiofile: Multiple security issues from March 2017

2017-03-22 Thread Marc Deslauriers
** Changed in: audiofile (Ubuntu)
   Status: New => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1674005

Title:
  audiofile: Multiple security issues from March 2017

Status in audiofile package in Ubuntu:
  Fix Released
Status in audiofile source package in Precise:
  Fix Released
Status in audiofile source package in Trusty:
  Fix Released
Status in audiofile source package in Xenial:
  Fix Released
Status in audiofile source package in Yakkety:
  Fix Released

Bug description:
  https://security-tracker.debian.org/tracker/source-package/audiofile
  http://openwall.com/lists/oss-security/2017/02/26/
  https://github.com/mpruett/audiofile/issues/32
  https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-msadpcminitializecoefficients-msadpcm-cpp
  https://github.com/mpruett/audiofile/commit/c48e4c6503

  
  Fixed in Debian unstable 0.3.6-4 and synced to zesty.

  debdiffs attached for 14.04 LTS and up. For 12.04 LTS, audiofile was
  in main so someone should probably try to apply the patches there too.

  I've done no testing of these packages.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/audiofile/+bug/1674005/+subscriptions



[Group.of.nepali.translators] [Bug 1674005] Re: audiofile: Multiple security issues from March 2017

2017-03-21 Thread Marc Deslauriers
ACK on the debdiffs in comments 1, 2 and 3. I'm building them now with a
slight change to add a missing CVE. I'll publish them once I've finished
backporting to precise and have tested precise and trusty.

Thanks!


** Also affects: audiofile (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Also affects: audiofile (Ubuntu Precise)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1674005

Title:
  audiofile: Multiple security issues from March 2017

Status in audiofile package in Ubuntu:
  New
Status in audiofile source package in Precise:
  New
Status in audiofile source package in Trusty:
  New
Status in audiofile source package in Xenial:
  New
Status in audiofile source package in Yakkety:
  New

Bug description:
  https://security-tracker.debian.org/tracker/source-package/audiofile
  http://openwall.com/lists/oss-security/2017/02/26/
  https://github.com/mpruett/audiofile/issues/32
  https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-msadpcminitializecoefficients-msadpcm-cpp
  https://github.com/mpruett/audiofile/commit/c48e4c6503

  
  Fixed in Debian unstable 0.3.6-4 and synced to zesty.

  debdiffs attached for 14.04 LTS and up. For 12.04 LTS, audiofile was
  in main so someone should probably try to apply the patches there too.

  I've done no testing of these packages.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/audiofile/+bug/1674005/+subscriptions



[Group.of.nepali.translators] [Bug 1669764] Re: security update spams log file

2017-03-03 Thread Marc Deslauriers
https://github.com/munin-monitoring/munin/issues/804


** Also affects: munin (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: munin (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Also affects: munin (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Changed in: munin (Ubuntu Trusty)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: munin (Ubuntu Xenial)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: munin (Ubuntu Yakkety)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1669764

Title:
  security update spams log file

Status in munin package in Ubuntu:
  New
Status in munin source package in Trusty:
  New
Status in munin source package in Xenial:
  New
Status in munin source package in Yakkety:
  New
Status in munin package in Debian:
  Unknown

Bug description:
  The munin security update caused a regression that is spamming the log
  file with:

  2017/03/02 06:53:56 [PERL WARNING] Use of uninitialized value $size_x
  in string eq at /usr/lib/munin/cgi/munin-cgi-graph line 453.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/munin/+bug/1669764/+subscriptions



[Group.of.nepali.translators] [Bug 1666358] Re: iio-sensor-proxy: Insecure configuration of dbus service

2017-02-28 Thread Marc Deslauriers
** Changed in: iio-sensor-proxy (Ubuntu)
   Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1666358

Title:
  iio-sensor-proxy: Insecure configuration of dbus service

Status in IIO Sensor Proxy:
  Fix Released
Status in iio-sensor-proxy package in Ubuntu:
  Fix Released
Status in iio-sensor-proxy source package in Xenial:
  Fix Released
Status in iio-sensor-proxy source package in Yakkety:
  Fix Released
Status in iio-sensor-proxy package in Debian:
  Fix Released

Bug description:
  The dbus configuration for iio-sensor-proxy allowed any process on the
  system bus to send an org.freedesktop.DBus.Properties.Set() call to
  any other process on the system bus, even if the destination process
  expected to be only accessible by root.

  https://github.com/hadess/iio-sensor-proxy/commit/e2d81f2

  This was fixed in the upstream version 2.1
  and in Debian's 2.0-4 (which was autosynced to zesty).

  Test Case
  =========
  dbus-send --system --dest=org.freedesktop.nm_dispatcher --type=method_call \
  --print-reply / org.freedesktop.DBus.Properties.Set string:Foo variant:string:bar

  Bad response:
  Error org.freedesktop.DBus.Error.UnknownMethod: No such interface
   'org.freedesktop.DBus.Properties' on object at path /

  Good response:
  Error org.freedesktop.DBus.Error.AccessDenied: Rejected send message,
   2 matched rules; type="method_call", sender=":1.5523" (uid=1000 pid=13527
   comm="dbus-send --system --dest=org.freedesktop.nm_dispa")
   interface="org.freedesktop.DBus.Properties" member="Set" error
   name="(unset)" requested_reply="0"
   destination="org.freedesktop.nm_dispatcher" (uid=0 pid=13528
   comm="/usr/lib/NetworkManager/nm-dispatcher ")

  Testing Done
  ============
  I built the packages in my PPA and installed to Ubuntu GNOME 16.04.2
  and 16.10. The test cases completed successfully after install; no log
  out required.

To manage notifications about this bug go to:
https://bugs.launchpad.net/iio-sensor-proxy/+bug/1666358/+subscriptions



[Group.of.nepali.translators] [Bug 1648998] Re: Fix CVE-2016-9839 & CVE-2017-5522

2017-01-24 Thread Marc Deslauriers
** Also affects: mapserver (Ubuntu Precise)
   Importance: Undecided
   Status: New

** Also affects: mapserver (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: mapserver (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Also affects: mapserver (Ubuntu Zesty)
   Importance: Medium
   Status: Triaged

** Also affects: mapserver (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Changed in: mapserver (Ubuntu Zesty)
   Status: Triaged => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1648998

Title:
  Fix CVE-2016-9839 & CVE-2017-5522

Status in mapserver package in Ubuntu:
  Fix Released
Status in mapserver source package in Precise:
  Fix Released
Status in mapserver source package in Trusty:
  Fix Released
Status in mapserver source package in Xenial:
  Fix Released
Status in mapserver source package in Yakkety:
  Fix Released
Status in mapserver source package in Zesty:
  Fix Released

Bug description:
  In MapServer before 7.0.3, OGR driver error messages are too verbose
  and may leak sensitive information if data connection fails.

  https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9839.html

  Packages for Debian have been updated - we should apply the same in
  Ubuntu.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mapserver/+bug/1648998/+subscriptions



[Group.of.nepali.translators] [Bug 1638125] Re: USN-3109-1: MySQL vulnerabilities partially applies to MariaDB too

2017-01-03 Thread Marc Deslauriers
** Changed in: mariadb-10.0 (Ubuntu Zesty)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1638125

Title:
  USN-3109-1: MySQL vulnerabilities partially applies to MariaDB too

Status in mariadb-10.0 package in Ubuntu:
  Fix Released
Status in mariadb-5.5 source package in Trusty:
  Fix Released
Status in mariadb-10.0 source package in Xenial:
  Fix Released
Status in mariadb-10.0 source package in Yakkety:
  Fix Released
Status in mariadb-10.0 source package in Zesty:
  Fix Released

Bug description:
  The mentioned security notice also affects MariaDB and the latest
  release includes fixes.

  I will produce a security release soon and attach more information to
  this bug report for:
   - mariadb-5.5 in Trusty
   - mariadb-10.0 in Xenial and Yakkety (zesty can sync from Debian)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mariadb-10.0/+bug/1638125/+subscriptions



[Group.of.nepali.translators] [Bug 1629085] Re: CVE-2016-5180: out-of-bounds write in ares_create_query and ares_mkquery

2016-11-30 Thread Marc Deslauriers
** Changed in: c-ares (Ubuntu)
   Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1629085

Title:
  CVE-2016-5180: out-of-bounds write in ares_create_query and
  ares_mkquery

Status in c-ares package in Ubuntu:
  Fix Released
Status in c-ares source package in Precise:
  Fix Released
Status in c-ares source package in Trusty:
  Fix Released
Status in c-ares source package in Xenial:
  Fix Released
Status in c-ares source package in Yakkety:
  Fix Released
Status in c-ares package in Debian:
  Fix Released

Bug description:
  A new upstream version of c-ares has been released which addresses a
  security vulnerability.

  From: Daniel Stenberg 
  Date: Thu, 29 Sep 2016 16:02:10 +0200 (CEST)

  `ares_create_query` single byte out of buffer write
  ===================================================

  Project c-ares Security Advisory, September 29, 2016 -
  [Permalink](https://c-ares.haxx.se/adv_20160929.html)

  VULNERABILITY
  -------------

  When a string is passed in to `ares_create_query` or `ares_mkquery` and uses
  an escaped trailing dot, like "hello\.", c-ares calculates the string length
  wrong and subsequently writes outside of the allocated buffer with one
  byte. The wrongly written byte is the least significant byte of the 'dnsclass'
  argument; most commonly 1.

  We have seen proof of concept code showing how this can be exploited in a
  real-world system, but we are not aware of any such instances having actually
  happened in the wild.

  INFO
  ----

  The Common Vulnerabilities and Exposures (CVE) project has assigned the name
  CVE-2016-5180 to this issue.

  AFFECTED VERSIONS
  -----------------

  This flaw exists in the following c-ares versions.

  - Affected versions: libcurl 1.0.0 to and including 1.11.0
  - Not affected versions: c-ares >= 1.12.0

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/c-ares/+bug/1629085/+subscriptions



[Group.of.nepali.translators] [Bug 1643901] [NEW] flxdec security update tracking bug

2016-11-22 Thread Marc Deslauriers
*** This bug is a security vulnerability ***

Public security bug reported:

This bug is to track the security update to fix the flxdec out-of-bounds
write.

** Affects: gst-plugins-good0.10 (Ubuntu)
 Importance: Undecided
 Status: Invalid

** Affects: gst-plugins-good1.0 (Ubuntu)
 Importance: Undecided
 Status: Confirmed

** Affects: gst-plugins-good0.10 (Ubuntu Precise)
 Importance: Medium
 Assignee: Marc Deslauriers (mdeslaur)
 Status: In Progress

** Affects: gst-plugins-good1.0 (Ubuntu Precise)
 Importance: Undecided
 Status: Invalid

** Affects: gst-plugins-good0.10 (Ubuntu Trusty)
 Importance: Medium
 Assignee: Marc Deslauriers (mdeslaur)
 Status: In Progress

** Affects: gst-plugins-good1.0 (Ubuntu Trusty)
 Importance: Medium
 Assignee: Marc Deslauriers (mdeslaur)
 Status: In Progress

** Affects: gst-plugins-good0.10 (Ubuntu Xenial)
 Importance: Medium
 Assignee: Marc Deslauriers (mdeslaur)
 Status: In Progress

** Affects: gst-plugins-good1.0 (Ubuntu Xenial)
 Importance: Medium
 Assignee: Marc Deslauriers (mdeslaur)
 Status: In Progress

** Affects: gst-plugins-good0.10 (Ubuntu Yakkety)
 Importance: Undecided
 Status: Invalid

** Affects: gst-plugins-good1.0 (Ubuntu Yakkety)
 Importance: Medium
 Assignee: Marc Deslauriers (mdeslaur)
 Status: In Progress

** Affects: gst-plugins-good0.10 (Ubuntu Zesty)
 Importance: Undecided
 Status: Invalid

** Affects: gst-plugins-good1.0 (Ubuntu Zesty)
 Importance: Undecided
 Status: Confirmed

** Also affects: gst-plugins-good1.0 (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Also affects: gst-plugins-good1.0 (Ubuntu Zesty)
   Importance: Undecided
   Status: New

** Also affects: gst-plugins-good1.0 (Ubuntu Precise)
   Importance: Undecided
   Status: New

** Also affects: gst-plugins-good1.0 (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: gst-plugins-good1.0 (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Also affects: gst-plugins-good0.10 (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: gst-plugins-good1.0 (Ubuntu Precise)
   Status: New => Invalid

** Changed in: gst-plugins-good0.10 (Ubuntu Yakkety)
   Status: New => Invalid

** Changed in: gst-plugins-good0.10 (Ubuntu Zesty)
   Status: New => Invalid

** Changed in: gst-plugins-good0.10 (Ubuntu Precise)
   Importance: Undecided => Medium

** Changed in: gst-plugins-good0.10 (Ubuntu Precise)
   Status: New => In Progress

** Changed in: gst-plugins-good0.10 (Ubuntu Precise)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: gst-plugins-good0.10 (Ubuntu Trusty)
   Importance: Undecided => Medium

** Changed in: gst-plugins-good0.10 (Ubuntu Trusty)
   Status: New => In Progress

** Changed in: gst-plugins-good0.10 (Ubuntu Trusty)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: gst-plugins-good0.10 (Ubuntu Xenial)
   Importance: Undecided => Medium

** Changed in: gst-plugins-good0.10 (Ubuntu Xenial)
   Status: New => In Progress

** Changed in: gst-plugins-good0.10 (Ubuntu Xenial)
     Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: gst-plugins-good1.0 (Ubuntu Trusty)
   Importance: Undecided => Medium

** Changed in: gst-plugins-good1.0 (Ubuntu Trusty)
   Status: New => In Progress

** Changed in: gst-plugins-good1.0 (Ubuntu Trusty)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: gst-plugins-good1.0 (Ubuntu Xenial)
   Importance: Undecided => Medium

** Changed in: gst-plugins-good1.0 (Ubuntu Xenial)
   Status: New => In Progress

** Changed in: gst-plugins-good1.0 (Ubuntu Xenial)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: gst-plugins-good1.0 (Ubuntu Yakkety)
   Importance: Undecided => Medium

** Changed in: gst-plugins-good1.0 (Ubuntu Yakkety)
   Status: New => In Progress

** Changed in: gst-plugins-good1.0 (Ubuntu Yakkety)
 Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: gst-plugins-good1.0 (Ubuntu Zesty)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1643901

Title:
  flxdec security update tracking bug

Status in gst-plugins-good0.10 package in Ubuntu:
  Invalid
Status in gst-plugins-good1.0 package in Ubuntu:
  Confirmed
Status in gst-plugins-good0.10 source package in Precise:
  In Progress
Status in gst-plugins-good1.0 source package in Precise:
  Invalid
Status in gst-plugins-good0.10 source package in Trusty:
  In Progress
Status in gst-plugins-good1.0 source package in Trusty:
  In Progress
Stat

[Group.of.nepali.translators] [Bug 1639372] Re: CVE-2016-9082: DOS attack in converting SVG to PNG

2016-11-21 Thread Marc Deslauriers
Thanks for the debdiffs!

While they look good, there is some discussion in the upstream bug, and
the fix hasn't been committed yet. I'll wait until the fix is committed
before releasing updates for the stable releases.

** Also affects: cairo (Ubuntu Precise)
   Importance: Undecided
   Status: New

** Also affects: cairo (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Also affects: cairo (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: cairo (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Changed in: cairo (Ubuntu Precise)
   Status: New => Confirmed

** Changed in: cairo (Ubuntu Trusty)
   Status: New => Confirmed

** Changed in: cairo (Ubuntu Xenial)
   Status: New => Confirmed

** Changed in: cairo (Ubuntu Yakkety)
   Status: New => Confirmed

** Changed in: cairo (Ubuntu)
   Status: Confirmed => Fix Released

** Changed in: cairo (Ubuntu Precise)
   Importance: Undecided => Medium

** Changed in: cairo (Ubuntu Trusty)
   Importance: Undecided => Medium

** Changed in: cairo (Ubuntu Xenial)
   Importance: Undecided => Medium

** Changed in: cairo (Ubuntu Yakkety)
   Importance: Undecided => Medium

-- 
https://bugs.launchpad.net/bugs/1639372

Title:
  CVE-2016-9082: DOS attack in converting SVG to PNG

Status in cairo:
  Unknown
Status in cairo package in Ubuntu:
  Fix Released
Status in cairo source package in Precise:
  Confirmed
Status in cairo source package in Trusty:
  Confirmed
Status in cairo source package in Xenial:
  Confirmed
Status in cairo source package in Yakkety:
  Confirmed
Status in cairo package in Debian:
  Fix Released

Bug description:
  I'm attaching debdiffs for trusty, xenial and yakkety. Zesty is
  already fixed by syncing cairo 1.14.6-1.1 from Debian. Maybe someone
  else can work on the precise update.

  Proof of Concept at
  http://seclists.org/oss-sec/2016/q4/44

  I didn't get gdb to work, but when I tried to convert the file, I got
  a crash report named /var/crash/_usr_bin_rsvg-convert.1000.crash .
  After the update, no crash happened.

  I reproduced the crash and verified that the new package doesn't crash
  on yakkety. In xenial I wasn't able to reproduce the crash. I did not
  test on trusty.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cairo/+bug/1639372/+subscriptions



[Group.of.nepali.translators] [Bug 1596486] Re: libmuse_core.so: cannot open shared object file

2016-11-15 Thread Marc Deslauriers
** Also affects: muse (Ubuntu Zesty)
   Importance: High
   Status: Fix Released

** Also affects: muse (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Changed in: muse (Ubuntu Xenial)
   Status: Triaged => In Progress

** Changed in: muse (Ubuntu Yakkety)
   Status: New => In Progress

** Changed in: muse (Ubuntu Yakkety)
   Importance: Undecided => High

-- 
https://bugs.launchpad.net/bugs/1596486

Title:
  libmuse_core.so: cannot open shared object file

Status in muse package in Ubuntu:
  Fix Released
Status in muse source package in Xenial:
  In Progress
Status in muse source package in Yakkety:
  In Progress
Status in muse source package in Zesty:
  Fix Released

Bug description:
  [Impact]

  Since Ubuntu 15.10, muse does not start and gives the following error:

  $ muse
  muse: error while loading shared libraries: libmuse_core.so: cannot open shared object file: No such file or directory

  The fix for this should be backported to Xenial since muse is
  currently useless "as is".

  [Technical Details]

  Force muse modules to be installed under /usr/lib/muse

  Ubuntu CMake contains the script 'MultiArchCross.cmake' which is invoked for
  all Make packages and sets CMAKE_INSTALL_LIBDIR to include the multiarch path
  without the install prefix (i.e. something like "lib/x86_64-linux-gnu"). This
  variable is not defined when building on Debian.

  Muse constructs a LIB_INSTALL_DIR variable (when it's not defined) using
  CMAKE_INSTALL_LIBDIR or an alternate fallback. Unfortunately later on in the
  script when handling the RPATH settings, Muse assumes that LIB_INSTALL_DIR is
  an absolute path. This is true on Debian, but not on Ubuntu. This causes a
  bogus RPATH to be inserted into the main Muse executable which prevents Muse
  from finding any of its modules and immediately crashes on startup.

  The simple fix is to force LIB_INSTALL_DIR=/usr/lib. Although an
  Ubuntu specific problem, it does no harm to do this on Debian as well.

  [Test Case]

  From within a terminal window, run "muse". The following error is printed:
  muse: error while loading shared libraries: libmuse_core.so: cannot open shared object file: No such file or directory

  When working normally, the muse arranger window should appear. If an error
  appears about Jack not running, you can ignore it.

  [Regression Potential]

  Muse is a totally independent application with no reverse dependencies
  in the archive. Therefore it is unlikely there will be any regressions
  in other packages.

  Since Muse is completely non-functional in Xenial, it's difficult for
  it to regress any further. :)

  [Other Info]

  A workaround for this bug is to set the linker path manually when
  running muse. For example:

  LD_LIBRARY_PATH=/usr/lib/x86_64-linux-gnu/muse/modules muse

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/muse/+bug/1596486/+subscriptions



[Group.of.nepali.translators] [Bug 1617505] Re: gcin didnt work in gnome-terminal after updating ubuntu

2016-11-15 Thread Marc Deslauriers
** Also affects: gcin (Ubuntu Zesty)
   Importance: Medium
   Status: Confirmed

** Also affects: gcin (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: gcin (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Changed in: gcin (Ubuntu Xenial)
   Status: New => Confirmed

** Changed in: gcin (Ubuntu Xenial)
   Importance: Undecided => Medium

** Changed in: gcin (Ubuntu Yakkety)
   Status: New => Confirmed

** Changed in: gcin (Ubuntu Yakkety)
   Importance: Undecided => Medium

** Changed in: gcin (Ubuntu Zesty)
   Status: Confirmed => Fix Committed

** Changed in: gcin (Ubuntu Zesty)
   Status: Fix Committed => Fix Released

-- 
https://bugs.launchpad.net/bugs/1617505

Title:
  gcin didnt work in gnome-terminal after updating ubuntu

Status in gcin package in Ubuntu:
  Fix Released
Status in gcin source package in Xenial:
  Confirmed
Status in gcin source package in Yakkety:
  Confirmed
Status in gcin source package in Zesty:
  Fix Released

Bug description:
  After updating Ubuntu to 16.04.1 gcin didn't work in gnome-terminal, and
  sent out the message.

  > /usr/bin/gnome-terminal
  Error creating terminal: Message recipient disconnected from message bus without replying

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gcin/+bug/1617505/+subscriptions



[Group.of.nepali.translators] [Bug 1610878] Re: pmp-check-unix-memory stopped working because of new output from free

2016-11-15 Thread Marc Deslauriers
** Also affects: nagios-plugins-contrib (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: nagios-plugins-contrib (Ubuntu Zesty)
   Importance: Medium
   Status: Confirmed

** Also affects: nagios-plugins-contrib (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Changed in: nagios-plugins-contrib (Ubuntu Xenial)
   Status: New => Confirmed

** Changed in: nagios-plugins-contrib (Ubuntu Yakkety)
   Status: New => Confirmed

-- 
https://bugs.launchpad.net/bugs/1610878

Title:
  pmp-check-unix-memory stopped working because of new output from free

Status in nagios-plugins-contrib package in Ubuntu:
  Fix Committed
Status in nagios-plugins-contrib source package in Xenial:
  Confirmed
Status in nagios-plugins-contrib source package in Yakkety:
  Confirmed
Status in nagios-plugins-contrib source package in Zesty:
  Fix Committed

Bug description:
  Hello,

  Current pmp-check-unix-memory in package nagios-plugins-contrib does
  not work anymore, from Ubuntu Xenial. It can't fetch free memory and
  therefore presents it incorrectly.

  E.g:

  $ ./pmp-check-unix-memory 
  OK Memory % used | memory_used=0;90;95;0;100

  As of version 3.3.10 of package procps, the command "free" uses a
  different output.

  See:
  http://upstream.rosalinux.ru/changelogs/procps-ng/3.3.10/changelog.html

  How free memory is calculated was changed in kernel here:
  
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=34e431b0ae398fc54ea69ff85ec700722c9da773

  This problem has been fixed in the percona-monitoring-plugins repo on
  GitHub:

  https://github.com/percona/percona-monitoring-plugins/commit/b4636c49f0188d2af1235293d01396abeddacf7f

  I have ported and tested the fix and it is working, both on a computer
  with older procps and on a computer running Ubuntu Xenial.

  Will submit a debdiff with proposed patch shortly.

  Best regards,
  Christian Biamont

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nagios-plugins-contrib/+bug/1610878/+subscriptions



[Group.of.nepali.translators] [Bug 1632244] Re: CVE-2016-6893 in Mailman

2016-11-02 Thread Marc Deslauriers
This was released: https://www.ubuntu.com/usn/usn-3118-1/

** Changed in: mailman (Ubuntu)
   Status: In Progress => Fix Released

** Changed in: mailman (Ubuntu Precise)
   Status: In Progress => Fix Released

** Changed in: mailman (Ubuntu Trusty)
   Status: In Progress => Fix Released

** Changed in: mailman (Ubuntu Xenial)
   Status: In Progress => Fix Released

** Changed in: mailman (Ubuntu Yakkety)
   Status: In Progress => Fix Released

-- 
https://bugs.launchpad.net/bugs/1632244

Title:
  CVE-2016-6893 in Mailman

Status in mailman package in Ubuntu:
  Fix Released
Status in mailman source package in Precise:
  Fix Released
Status in mailman source package in Trusty:
  Fix Released
Status in mailman source package in Xenial:
  Fix Released
Status in mailman source package in Yakkety:
  Fix Released

Bug description:
  Hi,

  When do you plan to solve CVE-2016-6893 in Mailman for Ubuntu?

  See
  https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6893.html

  Best regards

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mailman/+bug/1632244/+subscriptions



[Group.of.nepali.translators] [Bug 1630700] Re: CVE - KMail - HTML injection in plain text viewer

2016-10-12 Thread Marc Deslauriers
Unsubscribing ubuntu-security-sponsors for now since there is nothing to
sponsor. Once a debdiff is attached, please re-subscribe the group.
Thanks!

** Changed in: kcoreaddons (Ubuntu Trusty)
   Status: New => Fix Released

** Changed in: kcoreaddons (Ubuntu Precise)
   Status: In Progress => Invalid

** Changed in: kcoreaddons (Ubuntu Trusty)
   Status: Fix Released => Invalid

** Changed in: kcoreaddons (Ubuntu Xenial)
   Status: New => Confirmed

-- 
https://bugs.launchpad.net/bugs/1630700

Title:
  CVE - KMail - HTML injection in plain text viewer

Status in kcoreaddons package in Ubuntu:
  Fix Released
Status in kcoreaddons source package in Precise:
  Invalid
Status in kcoreaddons source package in Trusty:
  Invalid
Status in kcoreaddons source package in Xenial:
  Confirmed
Status in kcoreaddons source package in Yakkety:
  Fix Released

Bug description:
  KDE Project Security Advisory
  =============================

  Title: KMail: HTML injection
  Risk Rating:  Important
  CVE:  #TODO
  Platforms:  All
  Versions:   kmail >= 4.4.0
  Author: #TODO
  Date:#TODO

  Overview
  ========

  Through a malicious URL that contained a quote character it
  was possible to inject HTML code in KMail's plain text viewer.
  Due to the parser used on the URL it was not possible to include
  the equal sign (=) or a space into the injected HTML, which greatly
  reduces the available HTML functionality, although it is possible
  to include an HTML comment indicator to hide content.

  Impact
  ======

  An unauthenticated attacker can send out mails with malicious content
  that breaks KMail's plain text HTML escape logic. Due to the limitations
  of the provided HTML in itself it might not be serious. But as a way
  to break out of KMail's restricted Plain text mode this might open
  the way to the exploitation of other vulnerabilities in the HTML viewer
  code, which is disabled by default.

  Workaround
  ==========

  None.

  Solution
  ========

  For KDE Frameworks based releases of KMail apply the following patch to
  kcoreaddons:

  https://quickgit.kde.org/?
  p=kcoreaddons.git=commitdiff=96e562d9138c100498da38e4c5b4091a226dde12

  For KDE 4 apply the following patch:
  https://quickgit.kde.org/?
  p=kdepimlibs.git=commitdiff=176fee25ca79145ab5c8e2275d248f1a46a8d8cf

  Credits
  =======

  Thanks to Roland Tapken for reporting this issue, Andre Heinecke from
  Intevation GmbH for analysing the problems and Laurent Montel for
  fixing this issue.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/kcoreaddons/+bug/1630700/+subscriptions
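
The advisory quoted in the message above describes a quote character in a URL breaking out of the link markup produced by a plain-text viewer. The sketch below is an added example, not KMail or kcoreaddons code and not the referenced patch: `escape_html`, `linkify` and `UrlPolicy` are hypothetical names, the input is constructed, and URL detection is simplified to "http(s):// up to the next whitespace". It shows the flawed pattern next to two mitigations (escaping the URL as an attribute value, or refusing to linkify a URL that contains markup characters).

```cpp
// Added illustration, not KMail/kcoreaddons code. All names are hypothetical.
#include <cctype>
#include <cstddef>
#include <iostream>
#include <string>

// Escape characters that are significant in HTML text and in quoted
// attribute values, so data can never terminate the attribute or open a tag.
std::string escape_html(const std::string &in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
        case '&':  out += "&amp;";  break;
        case '<':  out += "&lt;";   break;
        case '>':  out += "&gt;";   break;
        case '"':  out += "&quot;"; break;
        case '\'': out += "&#39;";  break;
        default:   out += c;        break;
        }
    }
    return out;
}

enum class UrlPolicy {
    Raw,     // flawed: URL copied into href unescaped
    Escape,  // URL escaped like any other attribute value
    Reject   // URL containing ", ', < or > is not turned into a link
};

// Simplified URL detection (assumption): scheme prefix up to next whitespace.
static bool starts_url(const std::string &s, std::size_t i) {
    return s.compare(i, 7, "http://") == 0 || s.compare(i, 8, "https://") == 0;
}

static std::size_t url_end(const std::string &s, std::size_t i) {
    while (i < s.size() && !std::isspace(static_cast<unsigned char>(s[i]))) ++i;
    return i;
}

// Convert plain text to HTML, wrapping URLs in <a href="...">.
std::string linkify(const std::string &text, UrlPolicy policy) {
    std::string html;
    std::size_t i = 0;
    while (i < text.size()) {
        if (!starts_url(text, i)) {
            // Ordinary body text is always escaped.
            html += escape_html(std::string(1, text[i]));
            ++i;
            continue;
        }
        const std::size_t end = url_end(text, i);
        const std::string url = text.substr(i, end - i);
        i = end;
        if (policy == UrlPolicy::Raw) {
            // The quote inside the URL closes href early.
            html += "<a href=\"" + url + "\">" + url + "</a>";
        } else if (policy == UrlPolicy::Reject &&
                   url.find_first_of("\"'<>") != std::string::npos) {
            html += escape_html(url);  // shown as inert text, no link
        } else {
            const std::string safe = escape_html(url);
            html += "<a href=\"" + safe + "\">" + safe + "</a>";
        }
    }
    return html;
}

int main() {
    // Constructed input: no '=' and no space inside the URL.
    const std::string mail = "See http://example.test/\"><i>x</i> now";
    std::cout << linkify(mail, UrlPolicy::Raw) << "\n"
              << linkify(mail, UrlPolicy::Escape) << "\n"
              << linkify(mail, UrlPolicy::Reject) << "\n";
    return 0;
}
```

With `UrlPolicy::Raw` the constructed URL yields a live `<i>` element in the output; with the other two policies the same bytes appear only as escaped text.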



[Group.of.nepali.translators] [Bug 1388743] Re: iOS 8.1 - Could not start com.apple.mobile.installation_proxy!

2016-10-06 Thread Marc Deslauriers
libusbmuxd was updated: http://www.ubuntu.com/usn/usn-3026-2/

** Changed in: libusbmuxd (Ubuntu)
   Status: New => Fix Released

-- 
https://bugs.launchpad.net/bugs/1388743

Title:
  iOS 8.1 - Could not start com.apple.mobile.installation_proxy!

Status in libimobiledevice package in Ubuntu:
  Fix Released
Status in libusbmuxd package in Ubuntu:
  Fix Released
Status in libimobiledevice source package in Xenial:
  Fix Released

Bug description:
  * Impact
  When running ideviceinstaller -l, I get the following error:
  Could not start com.apple.mobile.installation_proxy!

  * Test case
  connect an iOS >8 device and try to use ideviceinstaller

  * Regression potential
  It's fixing code that was not working before, should create any new issue

  
  

  
  Pairing works and I can mount the phone using iFuse. iPhone 4S, iOS 8.1
  libimobiledevice is probably outdated.

  ProblemType: Bug
  DistroRelease: Ubuntu 14.10
  Package: ideviceinstaller 1.0.1-0.2build1
  ProcVersionSignature: Ubuntu 3.16.0-24.32-generic 3.16.4
  Uname: Linux 3.16.0-24-generic x86_64
  ApportVersion: 2.14.7-0ubuntu8
  Architecture: amd64
  CurrentDesktop: KDE
  Date: Mon Nov  3 09:33:21 2014
  InstallationDate: Installed on 2014-11-02 (0 days ago)
  InstallationMedia: Kubuntu 14.10 "Utopic Unicorn" - Release amd64 (20141022.1)
  SourcePackage: ideviceinstaller
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libimobiledevice/+bug/1388743/+subscriptions



[Group.of.nepali.translators] [Bug 1626883] Re: libssl 1.0.2g-1ubuntu4.4 and 1.0.1f-1ubuntu2.20 cause PHP SSL cert validation to segfault

2016-09-23 Thread Marc Deslauriers
** Changed in: openssl (Ubuntu Yakkety)
   Status: Confirmed => Invalid

-- 
https://bugs.launchpad.net/bugs/1626883

Title:
  libssl 1.0.2g-1ubuntu4.4 and 1.0.1f-1ubuntu2.20 cause PHP SSL cert
  validation to segfault

Status in openssl package in Ubuntu:
  Invalid
Status in openssl source package in Precise:
  Fix Released
Status in openssl source package in Trusty:
  Fix Released
Status in openssl source package in Xenial:
  Fix Released
Status in openssl source package in Yakkety:
  Invalid

Bug description:
  Last night unattended-upgrades upgraded the openssl packages
  (libssl1.0.0, libssl-dev, openssl) from version 1.0.2g-1ubuntu4.1 to
  version 1.0.2g-1ubuntu4.4 on a CI build server. Then everything that
  used PHP to connect to a HTTPS site started crashing when verifying
  the server cert.

  Like this:

  ```
  
  jenkins@ubuntutemplate:/var/lib/jenkins/workspace/imt-erp-e2e-flaky/webshop/vagrant/wordpress$ DATABASE_DATABASE=wordpressmastere2e catchsegv wp plugin install --force --activate wp-cfm
  Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; WP_Import has a deprecated constructor in /var/lib/jenkins/workspace/imt-erp-e2e-flaky/webshop/vagrant/wordpress/wp-content/plugins/wordpress-importer/wordpress-importer.php on line 38
  Notice: Undefined offset: 4 in phar:///usr/local/bin/wp/php/WP_CLI/DocParser.php on line 124
  Segmentation fault (core dumped)
  *** Segmentation fault
  Backtrace:
  /lib/x86_64-linux-gnu/libc.so.6(strlen+0x26)[0x7fdb3bf77d16]
  php(add_assoc_string_ex+0x32)[0x556650677b12]
  php(zif_openssl_x509_parse+0x17c)[0x5566505312ec]
  php(dtrace_execute_internal+0x2a)[0x556650664b3a]
  php(+0x2e37e0)[0x5566506f97e0]
  php(execute_ex+0x1b)[0x5566506b4e2b]
  php(dtrace_execute_ex+0xb1)[0x5566506649d1]
  php(+0x2e391d)[0x5566506f991d]
  php(execute_ex+0x1b)[0x5566506b4e2b]
  php(dtrace_execute_ex+0xb1)[0x5566506649d1]
  php(+0x2e391d)[0x5566506f991d]
  php(execute_ex+0x1b)[0x5566506b4e2b]
  php(dtrace_execute_ex+0xb1)[0x5566506649d1]
  php(+0x2e391d)[0x5566506f991d]
  php(execute_ex+0x1b)[0x5566506b4e2b]
  php(dtrace_execute_ex+0xb1)[0x5566506649d1]
  php(+0x2e391d)[0x5566506f991d]
  php(execute_ex+0x1b)[0x5566506b4e2b]
  php(dtrace_execute_ex+0xb1)[0x5566506649d1]
  php(+0x2e391d)[0x5566506f991d]
  php(execute_ex+0x1b)[0x5566506b4e2b]
  php(dtrace_execute_ex+0xb1)[0x5566506649d1]
  php(+0x2e391d)[0x5566506f991d]
  php(execute_ex+0x1b)[0x5566506b4e2b]
  php(dtrace_execute_ex+0xb1)[0x5566506649d1]
  php(+0x2e391d)[0x5566506f991d]
  php(execute_ex+0x1b)[0x5566506b4e2b]
  php(dtrace_execute_ex+0xb1)[0x5566506649d1]
  php(+0x2e391d)[0x5566506f991d]
  php(execute_ex+0x1b)[0x5566506b4e2b]
  php(dtrace_execute_ex+0xb1)[0x5566506649d1]
  php(+0x2e391d)[0x5566506f991d]
  php(execute_ex+0x1b)[0x5566506b4e2b]
  php(dtrace_execute_ex+0xb1)[0x5566506649d1]
  php(zend_call_function+0x749)[0x55665039]
  php(zif_call_user_func+0xb5)[0x5566505b39d5]
  php(dtrace_execute_internal+0x2a)[0x556650664b3a]
  php(+0x2e37e0)[0x5566506f97e0]
  php(execute_ex+0x1b)[0x5566506b4e2b]
  php(dtrace_execute_ex+0xb1)[0x5566506649d1]
  php(zend_call_function+0x749)[0x55665039]
  

[Group.of.nepali.translators] [Bug 1610704] Re: php-xml dependency missing in 16.04

2016-09-20 Thread Marc Deslauriers
** Also affects: davical (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Also affects: davical (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Changed in: davical (Ubuntu Yakkety)
   Status: New => Fix Released

** Description changed:

+ [Impact]
+ 
  As indicated here: http://wiki.davical.org/index.php/DAViCal_Dependencies ,
  the package davical is missing the dependency php-xml and thus some HTTP 
requests fail with error 500.
+ 
+ [Test case]
+ 
+ curl --request PROPFIND --user ds:xxx --header "Content-Type: text/xml"
+ --header "Brief:t" --data ""
+ http://localhost/davical/caldav.php/ds/addresses/
+ 
+ Should not result in 'Call to undefined function xml_parser_create_ns()'
+ 
+ See https://gitlab.com/davical-project/davical/issues/91
+ 
+ [Regression Potential]
+ 
+ It's just an added dependency. At worst, it would install a useless
+ package.

-- 
https://bugs.launchpad.net/bugs/1610704

Title:
  php-xml dependency missing in 16.04

Status in davical package in Ubuntu:
  Fix Released
Status in davical source package in Xenial:
  In Progress
Status in davical source package in Yakkety:
  Fix Released

Bug description:
  [Impact]

  As indicated here: http://wiki.davical.org/index.php/DAViCal_Dependencies ,
  the package davical is missing the dependency php-xml and thus some HTTP
  requests fail with error 500.

  [Test case]

  curl --request PROPFIND --user ds:xxx --header "Content-Type:
  text/xml" --header "Brief:t" --data ""
  http://localhost/davical/caldav.php/ds/addresses/

  Should not result in 'Call to undefined function
  xml_parser_create_ns()'

  See https://gitlab.com/davical-project/davical/issues/91

  [Regression Potential]

  It's just an added dependency. At worst, it would install a useless
  package.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/davical/+bug/1610704/+subscriptions



[Group.of.nepali.translators] [Bug 1621269] Re: not possible to build yakkety packages because of gpg changes

2016-09-16 Thread Marc Deslauriers
** Also affects: sbuild (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Changed in: sbuild (Ubuntu Trusty)
   Status: New => Triaged

** Changed in: sbuild (Ubuntu Trusty)
   Importance: Undecided => High

-- 
https://bugs.launchpad.net/bugs/1621269

Title:
  not possible to build yakkety packages because of gpg changes

Status in sbuild package in Ubuntu:
  Invalid
Status in sbuild source package in Trusty:
  Triaged
Status in sbuild source package in Xenial:
  Triaged
Status in sbuild package in Debian:
  Fix Released

Bug description:
  I was trying to build update-manager in a yakkety sbuild chroot from a
  xenial system and encountered the following error:

  Local sources
  -

  update-manager_16.10.5.dsc exists in .; copying to chroot

  Check architectures
  ---

  
  Check dependencies
  --

  Merged Build-Depends: build-essential, fakeroot
  Filtered Build-Depends: build-essential, fakeroot
  dpkg-deb: building package 'sbuild-build-depends-core-dummy' in 
'/<>/resolver-9lYerC/apt_archive/sbuild-build-depends-core-dummy.deb'.
  gpg: /<>/resolver-9lYerC/gpg/trustdb.gpg: trustdb created
  gpg: Warning: not using 'Sbuild Signer' as default key: No secret key
  gpg: all values passed to '--default-key' ignored
  gpg: no default secret key: No secret key
  gpg: signing failed: No secret key
  Failed to sign dummy archive Release file.

  I worked around the issue by installing the yakkety version of sbuild
  on my xenial system, but the fix should be backported.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sbuild/+bug/1621269/+subscriptions



[Group.of.nepali.translators] [Bug 1614210] Re: Remove incomplete fips in openssl in xenial.

2016-08-22 Thread Marc Deslauriers
Uploaded package to xenial-proposed for processing by the SRU team.

** Changed in: openssl (Ubuntu Yakkety)
   Status: Fix Committed => Fix Released

** Changed in: openssl (Ubuntu Xenial)
   Status: Confirmed => In Progress

-- 
https://bugs.launchpad.net/bugs/1614210

Title:
  Remove incomplete fips in openssl in xenial.

Status in openssl package in Ubuntu:
  Fix Released
Status in openssl source package in Xenial:
  In Progress
Status in openssl source package in Yakkety:
  Fix Released

Bug description:
  Package: openssl-1.0.2g-1ubuntu4.1
  Distro: xenial

  The openssl contains incomplete fips patches. In light that the fips
  is incomplete and will not be completed in the main archive and they
  are impacting customers, they should be withdrawn. See lp bugs
  1593953, 1591797, 1594748, 1588524, 1613658. Removal of these fips
  patches will remove these fips-related issues.

  [Test case]
  1. Problem in 1594748
  Note: this problem was reported in upstream openssl and testcase posted there
  also.
  https://rt.openssl.org/Ticket/Display.html?id=4559

  CRYPTO_set_mem_functions() always returns 0 because library
  initialization within fips code already calls CRYPTO_malloc() and
  disables it.

  This testcase should cause openssl to abort, but instead it returns a
  context.

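  #include <stdio.h>
  #include <stdlib.h>
  #include <openssl/ssl.h>

  /* Allocator hooks that abort as soon as OpenSSL calls any of them. */
  void * my_alloc(size_t n) { abort(); }
  void my_free(void *p) { abort(); }
  void * my_realloc(void *p, size_t n) { abort(); }

  int main(int argc, const char **argv)
  {
    const SSL_METHOD *method;
    SSL_CTX *ctx;
    /* Install the hooks before OpenSSL allocates anything. */
    CRYPTO_set_mem_functions(my_alloc, my_realloc, my_free);
    SSL_library_init();
    method = SSLv23_client_method();
    ctx = SSL_CTX_new(method);
    /* Reaching this line means the hooks were not installed. */
    printf("Got ctx %p\n", (void *)ctx);
    return 0;
  }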

  2. Problem in 1593953
  EC key generation allows user to generate keys using EC curves that the EC
  sign and verify do not support when OPENSSL_FIPS is defined.
  Testcase taken from lp #1593953

  openssl ecparam -genkey -name Oakley-EC2N-4

  will fail when OPENSSL_FIPS is defined since it causes a fips key-pair
  consistency check to be done.
  Otherwise, without OPENSSL_FIPS defined, the check is not done.

  3. Problem reported in 1588524
  Error code being skipped...

  Testcase taken from lp #1588524

  #include <stdio.h>
  #include <openssl/ssl.h>
  #include <openssl/err.h>

  int main() {
    int rc;
    unsigned long fips_err;
    SSL_library_init();
    SSL_load_error_strings();
    ERR_load_crypto_strings();
    OpenSSL_add_all_algorithms();
    rc = FIPS_mode_set(1);
    fips_err = ERR_peek_last_error();

    // FIPS_mode_set will return 0 on failure, which is expected if
    // the FIPS module is not compiled. In this case, we should then
    // be able to get the error code
    // CRYPTO_R_FIPS_MODE_NOT_SUPPORTED (0xf06d065)
    // https://wiki.openssl.org/index.php/FIPS_mode_set%28%29
    printf("%d %lu\n", rc, fips_err);
    ERR_print_errors_fp(stdout);

    ERR_free_strings();
    return 0;
  }

  Should report an error message.

  [ Regression potential ]
  Removing the fips patches should decrease regression potential of openssl in
  the main archive.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1614210/+subscriptions


