[ubuntu/trusty-security] openafs 1.6.7-1ubuntu1.1 (Accepted)

2015-11-10 Thread Marc Deslauriers
openafs (1.6.7-1ubuntu1.1) trusty-security; urgency=low

  * SECURITY UPDATES (LP: #1513461):
- CVE-2015-3282: Clear nvldbentry before sending on the wire
- CVE-2015-3283: Use crypt for commands where spoofing could be a risk
- CVE-2015-3284: Clear pioctl data interchange buffer before use
- CVE-2015-3285: Use correct output buffer for FSCmd pioctl
- CVE-2015-6587: Disable regex volume name processing in ListAttributesN2
- CVE-2015-7762: Apply OPENAFS-SA-2015-007 "Tattletale" patch
- CVE-2015-7763: Apply OPENAFS-SA-2015-007 "Tattletale" patch
- OPENAFS-SA-2015-007.patch: Rx ACK packets leak plaintext of previous 
packets

Date: 2015-11-10 14:30:13.718480+00:00
Changed-By: Klas Mattsson 
Signed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/openafs/1.6.7-1ubuntu1.1
Sorry, changesfile not available.
--
Trusty-changes mailing list
Trusty-changes@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/trusty-changes


[ubuntu/trusty-security] wpa 2.1-0ubuntu1.4 (Accepted)

2015-11-10 Thread Marc Deslauriers
wpa (2.1-0ubuntu1.4) trusty-security; urgency=medium

  * SECURITY UPDATE: unauthorized WNM Sleep Mode GTK control
- debian/patches/CVE-2015-5310.patch: Ignore Key Data in WNM Sleep Mode
  Response frame if no PMF in use in wpa_supplicant/wnm_sta.c.
- CVE-2015-5310
  * SECURITY UPDATE: EAP-pwd missing last fragment length validation
- debian/patches/CVE-2015-5315-1.patch: Fix last fragment length
  validation in src/eap_peer/eap_pwd.c.
- debian/patches/CVE-2015-5315-2.patch: Fix last fragment length
  validation in src/eap_server/eap_server_pwd.c.
- CVE-2015-5315

Date: 2015-11-09 13:43:14.156280+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/wpa/2.1-0ubuntu1.4


[ubuntu/trusty-security] krb5 1.12+dfsg-2ubuntu5.2 (Accepted)

2015-11-12 Thread Marc Deslauriers
krb5 (1.12+dfsg-2ubuntu5.2) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service via incorrect null bytes
- d/p/0030-Fix-krb5_read_message-handling-CVE-2014-5355.patch:
  properly handle null bytes in src/appl/user_user/server.c,
  src/lib/krb5/krb/recvauth.c.
- CVE-2015-5355
  * SECURITY UPDATE: preauthentication requirement bypass in kdcpreauth
- d/p/0031-Prevent-requires_preauth-bypass-CVE-2015-2694.patch:
  improve logic in src/plugins/preauth/otp/main.c,
  src/plugins/preauth/pkinit/pkinit_srv.c.
- CVE-2015-2694
  * SECURITY UPDATE: SPNEGO context aliasing bugs
- d/p/0031-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch:
  improve logic in src/lib/gssapi/spnego/gssapiP_spnego.h,
  src/lib/gssapi/spnego/spnego_mech.c.
- d/p/0036-Fix-SPNEGO-context-import.patch: fix SPNEGO context import
  in src/lib/gssapi/spnego/spnego_mech.c.
- CVE-2015-2695
  * SECURITY UPDATE: IAKERB context aliasing bugs
- d/p/0032-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch:
  improve logic in src/lib/gssapi/krb5/gssapiP_krb5.h,
  src/lib/gssapi/krb5/gssapi_krb5.c, src/lib/gssapi/krb5/iakerb.c.
- d/p/0034-Fix-two-IAKERB-comments.patch: fix comments in
  src/lib/gssapi/krb5/iakerb.c.
- CVE-2015-2696
  * SECURITY UPDATE: KDC crash via invalid string processing
- d/p/0033-Fix-build_principal-memory-bug-CVE-2015-2697.patch:
  use k5memdup0() instead of strdup() in src/lib/krb5/krb/bld_princ.c.
- CVE-2015-2697
  * SECURITY UPDATE: memory corruption in IAKERB context export/import
- d/p/0035-Fix-IAKERB-context-export-import-CVE-2015-2698.patch:
  dereferencing the context_handle pointer before casting it in
  and implement an IAKERB gss_import_sec_context() function
  in src/lib/gssapi/krb5/gssapiP_krb5.h,
  src/lib/gssapi/krb5/gssapi_krb5.c, src/lib/gssapi/krb5/iakerb.c.
- CVE-2015-2698

Date: 2015-11-11 15:21:24.146725+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/krb5/1.12+dfsg-2ubuntu5.2


[ubuntu/trusty-security] strongswan 5.1.2-0ubuntu2.4 (Accepted)

2015-11-16 Thread Marc Deslauriers
strongswan (5.1.2-0ubuntu2.4) trusty-security; urgency=medium

  * SECURITY UPDATE: authentication bypass in eap-mschapv2 plugin
- debian/patches/CVE-2015-8023.patch: only succeed authentication if
  MSK was established in
  src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c.
- CVE-2015-8023

Date: 2015-11-16 13:38:15.031165+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/strongswan/5.1.2-0ubuntu2.4


[ubuntu/trusty-security] libxml2 2.9.1+dfsg1-3ubuntu4.5 (Accepted)

2015-11-16 Thread Marc Deslauriers
libxml2 (2.9.1+dfsg1-3ubuntu4.5) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service via XEE attack
- debian/patches/CVE-2015-1819.patch: enforce the reader to run in
  constant memory in buf.c, include/libxml/tree.h, xmlreader.c.
- CVE-2015-1819
  * SECURITY UPDATE: denial of service via out-of-bounds read
- debian/patches/CVE-2015-7941.patch: stop parsing on entities
  boundaries errors in parser.c.
- CVE-2015-7941
  * SECURITY UPDATE: overflow in conditional sections
- debian/patches/CVE-2015-7942.patch: properly check input in parser.c.
- CVE-2015-7942
  * SECURITY UPDATE: denial of service via crafted document with xz
- debian/patches/CVE-2015-8035.patch: check for error in xzlib.c.
- CVE-2015-8035

Date: 2015-11-13 14:36:17.702380+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/libxml2/2.9.1+dfsg1-3ubuntu4.5


[ubuntu/trusty-security] nvidia-graphics-drivers-340-updates 340.96-0ubuntu0.14.04.1 (Accepted)

2015-11-18 Thread Marc Deslauriers
nvidia-graphics-drivers-340-updates (340.96-0ubuntu0.14.04.1) trusty-security; urgency=medium

  * debian/templates/dkms_nvidia.conf.in:
- Drop all the patches.
  * debian/substvars:
- Add support for X ABI 20.
  * SECURITY UPDATE:
- CVE-2015-7869 (LP: #1512414).
  * New upstream release:
- Fixed a bug that could cause texture corruption in some OpenGL
  applications when video memory is exhausted by a combination
  of simultaneously running graphical and compute workloads.
- Added support for X.Org xserver ABI 20 (xorg-server 1.18).

Date: 2015-11-16 19:56:18.130069+00:00
Changed-By: Alberto Milone 
Signed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/nvidia-graphics-drivers-340-updates/340.96-0ubuntu0.14.04.1


[ubuntu/trusty-security] nvidia-graphics-drivers-304-updates 304.131-0ubuntu0.14.04.1 (Accepted)

2015-11-18 Thread Marc Deslauriers
nvidia-graphics-drivers-304-updates (304.131-0ubuntu0.14.04.1) trusty-security; urgency=medium

  * debian/substvars:
- Add support for X ABI 20.
  * SECURITY UPDATE:
- CVE-2015-7869 (LP: #1512414).
  * New upstream release:
- Fixed a bug that could cause texture corruption in some OpenGL
  applications when video memory is exhausted by a combination
  of simultaneously running graphical and compute workloads.
- Added support for X.Org xserver ABI 20 (xorg-server 1.18).

Date: 2015-11-16 20:21:13.413581+00:00
Changed-By: Alberto Milone 
Signed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/nvidia-graphics-drivers-304-updates/304.131-0ubuntu0.14.04.1


[ubuntu/trusty-security] nvidia-graphics-drivers-352-updates 352.63-0ubuntu0.14.04.1 (Accepted)

2015-11-18 Thread Marc Deslauriers
nvidia-graphics-drivers-352-updates (352.63-0ubuntu0.14.04.1) trusty-security; urgency=medium

  * Initial release.
  * SECURITY UPDATE:
- CVE-2015-7869 (LP: #1512414).

Date: 2015-11-16 19:45:14.653442+00:00
Changed-By: Alberto Milone 
Signed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/nvidia-graphics-drivers-352-updates/352.63-0ubuntu0.14.04.1


[ubuntu/trusty-security] nvidia-graphics-drivers-352 352.63-0ubuntu0.14.04.1 (Accepted)

2015-11-18 Thread Marc Deslauriers
nvidia-graphics-drivers-352 (352.63-0ubuntu0.14.04.1) trusty-security; urgency=medium

  * Initial release.
  * SECURITY UPDATE:
- CVE-2015-7869 (LP: #1512414).

Date: 2015-11-16 19:43:13.079433+00:00
Changed-By: Alberto Milone 
Signed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/nvidia-graphics-drivers-352/352.63-0ubuntu0.14.04.1


[ubuntu/trusty-security] nvidia-graphics-drivers-340 340.96-0ubuntu0.14.04.1 (Accepted)

2015-11-18 Thread Marc Deslauriers
nvidia-graphics-drivers-340 (340.96-0ubuntu0.14.04.1) trusty-security; urgency=medium

  * debian/templates/dkms_nvidia.conf.in:
- Drop all the patches.
  * debian/substvars:
- Add support for X ABI 20.
  * SECURITY UPDATE:
- CVE-2015-7869 (LP: #1512414).
  * New upstream release:
- Fixed a bug that could cause texture corruption in some OpenGL
  applications when video memory is exhausted by a combination
  of simultaneously running graphical and compute workloads.
- Added support for X.Org xserver ABI 20 (xorg-server 1.18).

Date: 2015-11-16 19:55:13.152191+00:00
Changed-By: Alberto Milone 
Signed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/nvidia-graphics-drivers-340/340.96-0ubuntu0.14.04.1


[ubuntu/trusty-security] nvidia-graphics-drivers-304 304.131-0ubuntu0.14.04.1 (Accepted)

2015-11-18 Thread Marc Deslauriers
nvidia-graphics-drivers-304 (304.131-0ubuntu0.14.04.1) trusty-security; urgency=medium

  * debian/substvars:
- Add support for X ABI 20.
  * SECURITY UPDATE:
- CVE-2015-7869 (LP: #1512414).
  * New upstream release:
- Fixed a bug that could cause texture corruption in some OpenGL
  applications when video memory is exhausted by a combination
  of simultaneously running graphical and compute workloads.
- Added support for X.Org xserver ABI 20 (xorg-server 1.18).

Date: 2015-11-16 20:20:13.901723+00:00
Changed-By: Alberto Milone 
Signed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/nvidia-graphics-drivers-304/304.131-0ubuntu0.14.04.1


[ubuntu/trusty-security] libpng 1.2.50-1ubuntu2.14.04.1 (Accepted)

2015-11-19 Thread Marc Deslauriers
libpng (1.2.50-1ubuntu2.14.04.1) trusty-security; urgency=medium

  [ Andrew Starr-Bochicchio ]
  * SECURITY UPDATE: Multiple buffer overflows in the (1) png_set_PLTE
and (2) png_get_PLTE (LP: #1516592).
- debian/patches/CVE-2015-8126.diff: Prevent writing over-length
  PLTE chunk and silently truncate over-length PLTE chunk while reading.
  Backported from upstream patch.
- CVE-2015-8126

  [ Marc Deslauriers ]
  * SECURITY UPDATE: out of bounds read in png_set_tIME
- debian/patches/CVE-2015-7981.patch: check bounds in png.c and
  pngset.c.
- CVE-2015-7981

Date: 2015-11-19 13:51:19.106571+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/libpng/1.2.50-1ubuntu2.14.04.1


[ubuntu/trusty-security] python-django 1.6.1-2ubuntu0.11 (Accepted)

2015-11-24 Thread Marc Deslauriers
python-django (1.6.1-2ubuntu0.11) trusty-security; urgency=medium

  * SECURITY UPDATE: Settings leak possibility in date template filter
- debian/patches/CVE-2015-8213.patch: check format type in
  django/utils/formats.py, added test to tests/i18n/tests.py.
- CVE-2015-8213

Date: 2015-11-18 20:47:18.325065+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/python-django/1.6.1-2ubuntu0.11


[ubuntu/trusty-security] icedtea-web 1.5.3-0ubuntu0.14.04.1 (Accepted)

2015-11-24 Thread Marc Deslauriers
icedtea-web (1.5.3-0ubuntu0.14.04.1) trusty-security; urgency=medium

  * Updated to upstream version 1.5.3 to fix two security issues:
- CVE-2015-5234: applet URL sanitization issue
- CVE-2015-5235: unsigned applet origin issue

Date: 2015-11-20 19:47:15.629585+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/icedtea-web/1.5.3-0ubuntu0.14.04.1


[ubuntu/trusty-security] dpkg 1.17.5ubuntu5.5 (Accepted)

2015-11-26 Thread Marc Deslauriers
dpkg (1.17.5ubuntu5.5) trusty-security; urgency=medium

  * SECURITY UPDATE: multiple security issues
- dpkg-deb/extract.c: Fix off-by-one write access on versionbuf
  variable.
- dpkg-deb/extract.c: Fix off-by-one write access on ctrllenbuf
  variable. (CVE-2015-0860)
- lib/dpkg/ar.c: Fix an off-by-one read access in ar member name
  variable.
- Thanks to Guillem Jover and Hanno Böck for the patches!

Date: 2015-11-26 13:17:19.679496+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/dpkg/1.17.5ubuntu5.5


[ubuntu/trusty-security] gnutls26 2.12.23-12ubuntu2.3 (Accepted)

2015-11-30 Thread Marc Deslauriers
gnutls26 (2.12.23-12ubuntu2.3) trusty-security; urgency=medium

  * SECURITY UPDATE: Poodle TLS issue
- debian/patches/fix_tls_poodle.patch: fixes off by one 
  issue in padding check.
  Patch created by Hanno Boeck (https://hboeck.de/)
(LP: #1510163)

Date: 2015-11-26 17:08:13.350251+00:00
Changed-By: Bryan Quigley 
Signed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/gnutls26/2.12.23-12ubuntu2.3


[ubuntu/trusty-security] qemu 2.0.0+dfsg-2ubuntu1.21 (Accepted)

2015-12-03 Thread Marc Deslauriers
qemu (2.0.0+dfsg-2ubuntu1.21) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service via jumbo frame flood in virtio
- debian/patches/CVE-2015-7295.patch: drop truncated packets in
  hw/net/virtio-net.c, hw/virtio/virtio.c, include/hw/virtio/virtio.h.
- CVE-2015-7295
  * SECURITY UPDATE: loopback mode heap overflow vulnerability in pcnet
- debian/patches/CVE-2015-7504.patch: leave room for CRC code in
  hw/net/pcnet.c.
- CVE-2015-7504
  * SECURITY UPDATE: non-loopback mode buffer overflow in pcnet
- debian/patches/CVE-2015-7512.patch: check packet length in
  hw/net/pcnet.c.
- CVE-2015-7512
  * SECURITY UPDATE: infinite loop in eepro100
- debian/patches/CVE-2015-8345.patch: prevent endless loop in
  hw/net/eepro100.c.
- CVE-2015-8345

qemu (2.0.0+dfsg-2ubuntu1.20) trusty; urgency=low

  * debian/patches/upstream-fix-irq-route-entries.patch
Fix "kvm_irqchip_commit_routes: Assertion 'ret == 0' failed"
(LP: #1465935)

Date: 2015-12-02 12:27:28.070317+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/qemu/2.0.0+dfsg-2ubuntu1.21


[ubuntu/trusty-security] openssl 1.0.1f-1ubuntu2.16 (Accepted)

2015-12-07 Thread Marc Deslauriers
openssl (1.0.1f-1ubuntu2.16) trusty-security; urgency=medium

  * SECURITY UPDATE: Certificate verify crash with missing PSS parameter
- debian/patches/CVE-2015-3194.patch: add PSS parameter check to
  crypto/rsa/rsa_ameth.c.
- CVE-2015-3194
  * SECURITY UPDATE: X509_ATTRIBUTE memory leak
- debian/patches/CVE-2015-3195.patch: fix leak in
  crypto/asn1/tasn_dec.c.
- CVE-2015-3195
  * SECURITY UPDATE: Race condition handling PSK identify hint
- debian/patches/CVE-2015-3196.patch: fix PSK handling in
  ssl/s3_clnt.c, ssl/s3_srvr.c.
- CVE-2015-3196

Date: 2015-12-04 13:50:13.354848+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/openssl/1.0.1f-1ubuntu2.16


[ubuntu/trusty-security] cups-filters 1.0.52-0ubuntu1.6 (Accepted)

2015-12-07 Thread Marc Deslauriers
cups-filters (1.0.52-0ubuntu1.6) trusty-security; urgency=medium

  * SECURITY UPDATE: code execution via improper escaping in foomatic-rip
- debian/patches/CVE-2015-8327.patch: add backtick to list of shell
  escape characters in filter/foomatic-rip/util.c.
- CVE-2015-8327

Date: 2015-12-03 14:33:58.691107+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/cups-filters/1.0.52-0ubuntu1.6


[ubuntu/trusty-security] libsndfile 1.0.25-7ubuntu2.1 (Accepted)

2015-12-07 Thread Marc Deslauriers
libsndfile (1.0.25-7ubuntu2.1) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service via out-of-bounds read
- debian/patches/CVE-2014-9496.patch: check map offset and rsrc marker
  in src/sd2.c.
- CVE-2014-9496
  * SECURITY UPDATE: denial of service via division-by-zero
- debian/patches/CVE-2014-9756.patch: check bytes and items in
  src/file_io.c.
- CVE-2014-9756
  * SECURITY UPDATE: heap overflow via AIFF file headindex value
- debian/patches/CVE-2015-7805.patch: use headend in src/common.c.
- CVE-2015-7805

Date: 2015-12-07 15:18:12.671527+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/libsndfile/1.0.25-7ubuntu2.1


[ubuntu/trusty-security] libxml2 2.9.1+dfsg1-3ubuntu4.6 (Accepted)

2015-12-14 Thread Marc Deslauriers
libxml2 (2.9.1+dfsg1-3ubuntu4.6) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service via entity expansion issue
- debian/patches/CVE-2015-5312.patch: properly exit when entity
  expansion is detected in parser.c.
- CVE-2015-5312
  * SECURITY UPDATE: heap buffer overflow in xmlDictComputeFastQKey
- debian/patches/CVE-2015-7497.patch: check offset in dict.c.
- CVE-2015-7497
  * SECURITY UPDATE: denial of service via encoding conversion failures
- debian/patches/CVE-2015-7498.patch: avoid processing entities after
  encoding conversion failures in parser.c.
- CVE-2015-7498
  * SECURITY UPDATE: out of bounds read in xmlGROW
- debian/patches/CVE-2015-7499-1.patch: add xmlHaltParser() to stop the
  parser in parser.c.
- debian/patches/CVE-2015-7499-2.patch: check input in parser.c.
- CVE-2015-7499
  * SECURITY UPDATE: out of bounds read in xmlParseMisc
- debian/patches/CVE-2015-7500.patch: check entity boundaries in
  parser.c.
- CVE-2015-7500
  * SECURITY UPDATE: denial of service via extra processing of MarkupDecl
- debian/patches/CVE-2015-8241.patch: add extra EOF check in parser.c.
- CVE-2015-8241
  * SECURITY UPDATE: buffer overread with HTML parser in push mode
- debian/patches/CVE-2015-8242.patch: use pointer in the input in
  HTMLparser.c.
- CVE-2015-8242
  * SECURITY UPDATE: denial of service via encoding failures
- debian/patches/CVE-2015-8317-1.patch: do not process encoding values
  if the declaration is broken in parser.c.
- debian/patches/CVE-2015-8317-2.patch: fail parsing if the encoding
  conversion failed in parser.c.
- CVE-2015-8317

Date: 2015-12-09 17:53:24.648039+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/libxml2/2.9.1+dfsg1-3ubuntu4.6


[ubuntu/trusty-security] git 1:1.9.1-1ubuntu0.2 (Accepted)

2015-12-15 Thread Marc Deslauriers
git (1:1.9.1-1ubuntu0.2) trusty-security; urgency=medium

  * SECURITY UPDATE: arbitrary code execution issues via URLs
- debian/diff/0011-CVE-2015-7545-1.patch: add a protocol-whitelist
  environment variable.
- debian/diff/0012-CVE-2015-7545-2.patch: allow only certain protocols
  for submodule fetches.
- debian/diff/0013-CVE-2015-7545-3.patch: refactor protocol whitelist
  code.
- debian/diff/0014-CVE-2015-7545-4.patch: limit redirection to
  protocol-whitelist.
- debian/diff/0015-CVE-2015-7545-5.patch: limit redirection depth.
- debian/rules: make new tests executable.
- CVE-2015-7545

Date: 2015-12-11 20:11:17.683513+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/git/1:1.9.1-1ubuntu0.2


[ubuntu/trusty-security] grub2 2.02~beta2-9ubuntu1.6 (Accepted)

2015-12-15 Thread Marc Deslauriers
grub2 (2.02~beta2-9ubuntu1.6) trusty-security; urgency=medium

  * SECURITY UPDATE: password bypass via backspace key buffer overflow
- debian/patches/CVE-2015-8370.patch: check length before accepting a
  backspace character in grub-core/lib/crypto.c,
  grub-core/normal/auth.c.
- CVE-2015-8370

Date: 2015-12-15 15:50:15.015104+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/grub2/2.02~beta2-9ubuntu1.6


[ubuntu/trusty-proposed] grub2_2.02~beta2-9ubuntu1.6_amd64.tar.gz - (Accepted)

2015-12-15 Thread Marc Deslauriers
grub2 (2.02~beta2-9ubuntu1.6) trusty-security; urgency=medium

  * SECURITY UPDATE: password bypass via backspace key buffer overflow
- debian/patches/CVE-2015-8370.patch: check length before accepting a
  backspace character in grub-core/lib/crypto.c,
  grub-core/normal/auth.c.
- CVE-2015-8370

Date: Tue, 15 Dec 2015 09:11:24 -0500
Changed-By: Marc Deslauriers 
Maintainer: Launchpad Build Daemon 

Format: 1.8
Date: Tue, 15 Dec 2015 09:11:24 -0500
Source: grub2
Binary: grub2 grub-linuxbios grub-efi grub-common grub2-common grub-emu 
grub-emu-dbg grub-pc-bin grub-pc-dbg grub-pc grub-rescue-pc grub-coreboot-bin 
grub-coreboot-dbg grub-coreboot grub-efi-ia32-bin grub-efi-ia32-dbg 
grub-efi-ia32 grub-efi-amd64-bin grub-efi-amd64-dbg grub-efi-amd64 
grub-efi-ia64-bin grub-efi-ia64-dbg grub-efi-ia64 grub-efi-arm-bin 
grub-efi-arm-dbg grub-efi-arm grub-efi-arm64-bin grub-efi-arm64-dbg 
grub-efi-arm64 grub-ieee1275-bin grub-ieee1275-dbg grub-ieee1275 
grub-firmware-qemu grub-uboot-bin grub-uboot-dbg grub-uboot grub-xen-bin 
grub-xen-dbg grub-xen grub-yeeloong-bin grub-yeeloong-dbg grub-yeeloong 
grub-theme-starfield grub-mount-udeb
Architecture: amd64 amd64_translations
Version: 2.02~beta2-9ubuntu1.6
Distribution: trusty
Urgency: medium
Maintainer: Launchpad Build Daemon 
Changed-By: Marc Deslauriers 
Description: 
 grub-common - GRand Unified Bootloader (common files)
 grub-coreboot - GRand Unified Bootloader, version 2 (Coreboot version)
 grub-coreboot-bin - GRand Unified Bootloader, version 2 (Coreboot binaries)
 grub-coreboot-dbg - GRand Unified Bootloader, version 2 (Coreboot debug files)
 grub-efi   - GRand Unified Bootloader, version 2 (dummy package)
 grub-efi-amd64 - GRand Unified Bootloader, version 2 (EFI-AMD64 version)
 grub-efi-amd64-bin - GRand Unified Bootloader, version 2 (EFI-AMD64 binaries)
 grub-efi-amd64-dbg - GRand Unified Bootloader, version 2 (EFI-AMD64 debug 
files)
 grub-efi-arm - GRand Unified Bootloader, version 2 (ARM UEFI version)
 grub-efi-arm-bin - GRand Unified Bootloader, version 2 (ARM UEFI binaries)
 grub-efi-arm-dbg - GRand Unified Bootloader, version 2 (ARM UEFI debug files)
 grub-efi-arm64 - GRand Unified Bootloader, version 2 (ARM64 UEFI version)
 grub-efi-arm64-bin - GRand Unified Bootloader, version 2 (ARM64 UEFI binaries)
 grub-efi-arm64-dbg - GRand Unified Bootloader, version 2 (ARM64 UEFI debug 
files)
 grub-efi-ia32 - GRand Unified Bootloader, version 2 (EFI-IA32 version)
 grub-efi-ia32-bin - GRand Unified Bootloader, version 2 (EFI-IA32 binaries)
 grub-efi-ia32-dbg - GRand Unified Bootloader, version 2 (EFI-IA32 debug files)
 grub-efi-ia64 - GRand Unified Bootloader, version 2 (IA64 version)
 grub-efi-ia64-bin - GRand Unified Bootloader, version 2 (IA64 binaries)
 grub-efi-ia64-dbg - GRand Unified Bootloader, version 2 (IA64 debug files)
 grub-emu   - GRand Unified Bootloader, version 2 (emulated version)
 grub-emu-dbg - GRand Unified Bootloader, version 2 (emulated debug files)
 grub-firmware-qemu - GRUB firmware image for QEMU
 grub-ieee1275 - GRand Unified Bootloader, version 2 (Open Firmware version)
 grub-ieee1275-bin - GRand Unified Bootloader, version 2 (Open Firmware 
binaries)
 grub-ieee1275-dbg - GRand Unified Bootloader, version 2 (Open Firmware debug 
files)
 grub-linuxbios - GRand Unified Bootloader, version 2 (dummy package)
 grub-mount-udeb - export GRUB filesystems using FUSE (udeb)
 grub-pc - GRand Unified Bootloader, version 2 (PC/BIOS version)
 grub-pc-bin - GRand Unified Bootloader, version 2 (PC/BIOS binaries)
 grub-pc-dbg - GRand Unified Bootloader, version 2 (PC/BIOS debug files)
 grub-rescue-pc - GRUB bootable rescue images, version 2 (PC/BIOS version)
 grub-theme-starfield - GRand Unified Bootloader, version 2 (starfield theme)
 grub-uboot - GRand Unified Bootloader, version 2 (ARM U-Boot version)
 grub-uboot-bin - GRand Unified Bootloader, version 2 (ARM U-Boot binaries)
 grub-uboot-dbg - GRand Unified Bootloader, version 2 (ARM U-Boot debug files)
 grub-xen   - GRand Unified Bootloader, version 2 (Xen version)
 grub-xen-bin - GRand Unified Bootloader, version 2 (Xen binaries)
 grub-xen-dbg - GRand Unified Bootloader, version 2 (Xen debug files)
 grub-yeeloong - GRand Unified Bootloader, version 2 (Yeeloong version)
 grub-yeeloong-bin - GRand Unified Bootloader, version 2 (Yeeloong binaries)
 grub-yeeloong-dbg - GRand Unified Bootloader, version 2 (Yeeloong debug files)
 grub2  - GRand Unified Bootloader, version 2 (dummy package)
 grub2-common - GRand Unified Bootloader (common files for version 2)
Changes: 
 grub2 (2.02~beta2-9ubuntu1.6) trusty-security; urgency=medium
 .
   * SECURITY UPDATE: password bypass via backspace key buffer overflow
 - debian/patches/CVE-2015-8370.patch: check length before accepting a
   backspace character in grub-core/lib/crypto.c,
   grub-core/normal/auth.c.
 - CVE-2015-8370
Checksums-Sha1: 
 f664a8889075770b1293b2111f8732af9543a48a 2554 
grub2_2.02~beta2-9ubuntu1.6_amd64

[ubuntu/trusty-updates] grub2_2.02~beta2-9ubuntu1.6_amd64.tar.gz - (Accepted)

2015-12-15 Thread Marc Deslauriers
grub2 (2.02~beta2-9ubuntu1.6) trusty-security; urgency=medium

  * SECURITY UPDATE: password bypass via backspace key buffer overflow
- debian/patches/CVE-2015-8370.patch: check length before accepting a
  backspace character in grub-core/lib/crypto.c,
  grub-core/normal/auth.c.
- CVE-2015-8370

Date: Tue, 15 Dec 2015 09:11:24 -0500
Changed-By: Marc Deslauriers 
Maintainer: Launchpad Build Daemon 

Format: 1.8
Date: Tue, 15 Dec 2015 09:11:24 -0500
Source: grub2
Binary: grub2 grub-linuxbios grub-efi grub-common grub2-common grub-emu 
grub-emu-dbg grub-pc-bin grub-pc-dbg grub-pc grub-rescue-pc grub-coreboot-bin 
grub-coreboot-dbg grub-coreboot grub-efi-ia32-bin grub-efi-ia32-dbg 
grub-efi-ia32 grub-efi-amd64-bin grub-efi-amd64-dbg grub-efi-amd64 
grub-efi-ia64-bin grub-efi-ia64-dbg grub-efi-ia64 grub-efi-arm-bin 
grub-efi-arm-dbg grub-efi-arm grub-efi-arm64-bin grub-efi-arm64-dbg 
grub-efi-arm64 grub-ieee1275-bin grub-ieee1275-dbg grub-ieee1275 
grub-firmware-qemu grub-uboot-bin grub-uboot-dbg grub-uboot grub-xen-bin 
grub-xen-dbg grub-xen grub-yeeloong-bin grub-yeeloong-dbg grub-yeeloong 
grub-theme-starfield grub-mount-udeb
Architecture: amd64 amd64_translations
Version: 2.02~beta2-9ubuntu1.6
Distribution: trusty
Urgency: medium
Maintainer: Launchpad Build Daemon 
Changed-By: Marc Deslauriers 
Description: 
 grub-common - GRand Unified Bootloader (common files)
 grub-coreboot - GRand Unified Bootloader, version 2 (Coreboot version)
 grub-coreboot-bin - GRand Unified Bootloader, version 2 (Coreboot binaries)
 grub-coreboot-dbg - GRand Unified Bootloader, version 2 (Coreboot debug files)
 grub-efi   - GRand Unified Bootloader, version 2 (dummy package)
 grub-efi-amd64 - GRand Unified Bootloader, version 2 (EFI-AMD64 version)
 grub-efi-amd64-bin - GRand Unified Bootloader, version 2 (EFI-AMD64 binaries)
 grub-efi-amd64-dbg - GRand Unified Bootloader, version 2 (EFI-AMD64 debug 
files)
 grub-efi-arm - GRand Unified Bootloader, version 2 (ARM UEFI version)
 grub-efi-arm-bin - GRand Unified Bootloader, version 2 (ARM UEFI binaries)
 grub-efi-arm-dbg - GRand Unified Bootloader, version 2 (ARM UEFI debug files)
 grub-efi-arm64 - GRand Unified Bootloader, version 2 (ARM64 UEFI version)
 grub-efi-arm64-bin - GRand Unified Bootloader, version 2 (ARM64 UEFI binaries)
 grub-efi-arm64-dbg - GRand Unified Bootloader, version 2 (ARM64 UEFI debug 
files)
 grub-efi-ia32 - GRand Unified Bootloader, version 2 (EFI-IA32 version)
 grub-efi-ia32-bin - GRand Unified Bootloader, version 2 (EFI-IA32 binaries)
 grub-efi-ia32-dbg - GRand Unified Bootloader, version 2 (EFI-IA32 debug files)
 grub-efi-ia64 - GRand Unified Bootloader, version 2 (IA64 version)
 grub-efi-ia64-bin - GRand Unified Bootloader, version 2 (IA64 binaries)
 grub-efi-ia64-dbg - GRand Unified Bootloader, version 2 (IA64 debug files)
 grub-emu   - GRand Unified Bootloader, version 2 (emulated version)
 grub-emu-dbg - GRand Unified Bootloader, version 2 (emulated debug files)
 grub-firmware-qemu - GRUB firmware image for QEMU
 grub-ieee1275 - GRand Unified Bootloader, version 2 (Open Firmware version)
 grub-ieee1275-bin - GRand Unified Bootloader, version 2 (Open Firmware 
binaries)
 grub-ieee1275-dbg - GRand Unified Bootloader, version 2 (Open Firmware debug 
files)
 grub-linuxbios - GRand Unified Bootloader, version 2 (dummy package)
 grub-mount-udeb - export GRUB filesystems using FUSE (udeb)
 grub-pc- GRand Unified Bootloader, version 2 (PC/BIOS version)
 grub-pc-bin - GRand Unified Bootloader, version 2 (PC/BIOS binaries)
 grub-pc-dbg - GRand Unified Bootloader, version 2 (PC/BIOS debug files)
 grub-rescue-pc - GRUB bootable rescue images, version 2 (PC/BIOS version)
 grub-theme-starfield - GRand Unified Bootloader, version 2 (starfield theme)
 grub-uboot - GRand Unified Bootloader, version 2 (ARM U-Boot version)
 grub-uboot-bin - GRand Unified Bootloader, version 2 (ARM U-Boot binaries)
 grub-uboot-dbg - GRand Unified Bootloader, version 2 (ARM U-Boot debug files)
 grub-xen   - GRand Unified Bootloader, version 2 (Xen version)
 grub-xen-bin - GRand Unified Bootloader, version 2 (Xen binaries)
 grub-xen-dbg - GRand Unified Bootloader, version 2 (Xen debug files)
 grub-yeeloong - GRand Unified Bootloader, version 2 (Yeeloong version)
 grub-yeeloong-bin - GRand Unified Bootloader, version 2 (Yeeloong binaries)
 grub-yeeloong-dbg - GRand Unified Bootloader, version 2 (Yeeloong debug files)
 grub2  - GRand Unified Bootloader, version 2 (dummy package)
 grub2-common - GRand Unified Bootloader (common files for version 2)
Changes: 
 grub2 (2.02~beta2-9ubuntu1.6) trusty-security; urgency=medium
 .
   * SECURITY UPDATE: password bypass via backspace key buffer overflow
 - debian/patches/CVE-2015-8370.patch: check length before accepting a
   backspace character in grub-core/lib/crypto.c,
   grub-core/normal/auth.c.
 - CVE-2015-8370
Checksums-Sha1: 
 f664a8889075770b1293b2111f8732af9543a48a 2554 grub2_2.02~beta2-9ubuntu1.6_amd64

[ubuntu/trusty-security] bind9 1:9.9.5.dfsg-3ubuntu0.6 (Accepted)

2015-12-15 Thread Marc Deslauriers
bind9 (1:9.9.5.dfsg-3ubuntu0.6) trusty-security; urgency=medium

  * SECURITY UPDATE: REQUIRE failure via incorrect class
- properly handle class in lib/dns/include/dns/message.h,
  lib/dns/message.c, lib/dns/resolver.c, lib/dns/xfrin.c.
- CVE-2015-8000

Date: 2015-12-14 19:17:13.850565+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/bind9/1:9.9.5.dfsg-3ubuntu0.6


[ubuntu/trusty-security] cups-filters 1.0.52-0ubuntu1.7 (Accepted)

2015-12-16 Thread Marc Deslauriers
cups-filters (1.0.52-0ubuntu1.7) trusty-security; urgency=medium

  * SECURITY UPDATE: code execution via improper escaping in foomatic-rip
- debian/patches/CVE-2015-8560.patch: add semicolon to list of shell
  escape characters in filter/foomatic-rip/util.c.
- CVE-2015-8560

Date: 2015-12-16 13:37:18.618970+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/cups-filters/1.0.52-0ubuntu1.7


[ubuntu/trusty-security] cups 1.7.2-0ubuntu1.7 (Accepted)

2015-12-16 Thread Marc Deslauriers
cups (1.7.2-0ubuntu1.7) trusty-security; urgency=medium

  * Disable SSLv3 with option to turn back on.
- debian/patches/disable-sslv3.patch: AllowSSL3 turns SSLv3
  back on and AllowRC4 turns on just the RC4 ciphers. (LP: #1505328)

Date: 2015-12-11 19:00:22.024359+00:00
Changed-By: Bryan Quigley 
Signed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/cups/1.7.2-0ubuntu1.7


[ubuntu/trusty-security] xen 4.4.2-0ubuntu0.14.04.4 (Accepted)

2015-12-17 Thread Marc Deslauriers
xen (4.4.2-0ubuntu0.14.04.4) trusty-security; urgency=low

  * Applying Xen Security Advisories:
- CVE-2015-8550 / XSA-155
  * blkif: Avoid double access to src->nr_segments
  * xenfb: avoid reading twice the same fields from the shared page
  * xen: Add RING_COPY_REQUEST()
  * blktap2: Use RING_COPY_REQUEST
  * libvchan: Read prod/cons only once.
- CVE-2015-8338 / XSA-158
  * memory: split and tighten maximum order permitted in memops
- CVE-2015-8339, CVE-2015-8340 / XSA-159
  * memory: fix XENMEM_exchange error handling
- CVE-2015-8341 / XSA-160
  * libxl: Fix bootloader-related virtual memory leak on pv
build failure
- CVE-2015-7504 / XSA-162
  * net: pcnet: add check to validate receive data size
- CVE-2015-8554 / XSA-164
  * MSI-X: avoid array overrun upon MSI-X table writes
- CVE-2015-8555 / XSA-165
  * x86: don't leak ST(n)/XMMn values to domains first using them
- CVE-2015- / XSA-166
  * x86/HVM: avoid reading ioreq state more than once

Date: 2015-12-16 19:16:18.616878+00:00
Changed-By: Stefan Bader 
Signed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/xen/4.4.2-0ubuntu0.14.04.4


[ubuntu/trusty-security] samba 2:4.1.6+dfsg-1ubuntu2.14.04.11 (Accepted)

2016-01-05 Thread Marc Deslauriers
samba (2:4.1.6+dfsg-1ubuntu2.14.04.11) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service in ldb_wildcard_compare function
- debian/patches/CVE-2015-3223.patch: handle empty strings and
  embedded zeros in lib/ldb/common/ldb_match.c.
- CVE-2015-3223
  * SECURITY UPDATE: file-access restrictions bypass via symlink
- debian/patches/CVE-2015-5252.patch: validate matching component in
  source3/smbd/vfs.c.
- CVE-2015-5252
  * SECURITY UPDATE: man-in-the-middle attack via encrypted-to-unencrypted
downgrade
- debian/patches/CVE-2015-5296.patch: force signing in
  libcli/smb/smbXcli_base.c, source3/libsmb/clidfs.c,
  source3/libsmb/libsmb_server.c.
- CVE-2015-5296
  * SECURITY UPDATE: snapshot access via shadow copy directory
- debian/patches/CVE-2015-5299.patch: fix missing access checks in
  source3/modules/vfs_shadow_copy2.c.
- CVE-2015-5299
  * SECURITY UPDATE: information leak via incorrect string length handling
- debian/patches/CVE-2015-5330.patch: fix string length handling in
  lib/ldb/common/ldb_dn.c, lib/util/charset/charset.h,
  lib/util/charset/codepoints.c, lib/util/charset/util_str.c,
  lib/util/charset/util_unistr.c.
- CVE-2015-5330
  * SECURITY UPDATE: LDAP server denial of service
- debian/patches/CVE-2015-7540.patch: check returns in lib/util/asn1.c,
  libcli/ldap/ldap_message.c, libcli/ldap/ldap_message.h,
  source4/libcli/ldap/ldap_controls.c.
- CVE-2015-7540
  * SECURITY UPDATE: access restrictions bypass in machine account creation
- debian/patches/CVE-2015-8467.patch: restrict swapping between account
  types in source4/dsdb/samdb/ldb_modules/samldb.c.
- CVE-2015-8467
  * debian/control: bump libldb-dev Build-Depends to security update
version.
  * This update does _not_ contain the changes from samba
2:4.1.6+dfsg-1ubuntu2.14.04.10 in trusty-proposed.

samba (2:4.1.6+dfsg-1ubuntu2.14.04.9) trusty; urgency=medium

  * debian/patches/0001-byteorder-do-not-assume-PowerPC-is-big-endian.patch:
deal with the fact that POWER8 can be little-endian, so don't use special
instructions to write in little-endian in that case. (LP: #1472584)

samba (2:4.1.6+dfsg-1ubuntu2.14.04.8) trusty; urgency=medium

  * Fix for "no talloc stackframe at" warning messages (LP: #1257186)

Date: 2016-01-04 17:38:14.334200+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/samba/2:4.1.6+dfsg-1ubuntu2.14.04.11


[ubuntu/trusty-security] ldb 1:1.1.16-1ubuntu0.1 (Accepted)

2016-01-05 Thread Marc Deslauriers
ldb (1:1.1.16-1ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service in ldb_wildcard_compare function
- debian/patches/CVE-2015-3223.patch: handle empty strings and
  embedded zeros in lib/ldb/common/ldb_match.c.
- CVE-2015-3223
  * SECURITY UPDATE: information leak via incorrect string length handling
- debian/patches/CVE-2015-5330.patch: fix string length handling in
  lib/ldb/common/ldb_dn.c.
- CVE-2015-5330

Date: 2016-01-04 15:33:14.050502+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/ldb/1:1.1.16-1ubuntu0.1


[ubuntu/trusty-security] libpng 1.2.50-1ubuntu2.14.04.2 (Accepted)

2016-01-06 Thread Marc Deslauriers
libpng (1.2.50-1ubuntu2.14.04.2) trusty-security; urgency=medium

  * SECURITY UPDATE: overflows in png_handle_zTXt(), png_handle_sPLT(),
png_handle_pCAL(), and png_set_PLTE()
- debian/patches/CVE-2015-8472.patch: check lengths in pngrutil.c,
  properly use info_ptr in pngset.c.
- CVE-2015-8472
  * SECURITY UPDATE: out-of-range read in png_check_keyword()
- debian/patches/CVE-2015-8540.patch: check key_len in pngwutil.c.
- CVE-2015-8540

Date: 2015-12-18 15:15:16.028049+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/libpng/1.2.50-1ubuntu2.14.04.2


[ubuntu/trusty-security] nss 2:3.19.2.1-0ubuntu0.14.04.2 (Accepted)

2016-01-07 Thread Marc Deslauriers
nss (2:3.19.2.1-0ubuntu0.14.04.2) trusty-security; urgency=medium

  * SECURITY UPDATE: incorrect MD5 support with TLS 1.2
- debian/patches/CVE-2015-7575.patch: remove MD5 in
  nss/lib/ssl/ssl3con.c.
- CVE-2015-7575

Date: 2016-01-07 18:45:26.277872+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/nss/2:3.19.2.1-0ubuntu0.14.04.2


[ubuntu/trusty-security] gnutls26 2.12.23-12ubuntu2.4 (Accepted)

2016-01-08 Thread Marc Deslauriers
gnutls26 (2.12.23-12ubuntu2.4) trusty-security; urgency=medium

  * SECURITY UPDATE: incorrect RSA+MD5 support with TLS 1.2
- debian/patches/CVE-2015-7575.patch: do not consider any values from
  the extension data to decide acceptable algorithms in
  lib/ext_signature.c.
- CVE-2015-7575

Date: 2016-01-07 16:39:17.209783+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/gnutls26/2.12.23-12ubuntu2.4


[ubuntu/trusty-security] libvirt 1.2.2-0ubuntu13.1.16 (Accepted)

2016-01-12 Thread Marc Deslauriers
libvirt (1.2.2-0ubuntu13.1.16) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service via incorrect ACL check handling
- debian/patches/CVE-2014-8136.patch: properly unlock vm on failed ACL
  check in src/qemu/qemu_driver.c.
- CVE-2014-8136
  * SECURITY UPDATE: VNC password leak via snapshots and save images
- debian/patches/CVE-2015-0236.patch: check ACLs when dumping security
  info in src/qemu/qemu_driver.c, src/remote/remote_protocol.x.
- CVE-2015-0236
  * SECURITY UPDATE: ACL bypass using storage pool directory traversal
- debian/patches/CVE-2015-5313.patch: filter filesystem volume names in
  src/storage/storage_backend_fs.c.
- CVE-2015-5313
  * This package does _not_ contain the changes from 1.2.2-0ubuntu13.1.15
in trusty-proposed.

libvirt (1.2.2-0ubuntu13.1.14) trusty; urgency=medium

  [ Seyeong Kim ]
  * d/p/fix_libvirtd_killed_by_sigsegv.patch: fix incorrect backport
(LP: #1464175)

libvirt (1.2.2-0ubuntu13.1.13) trusty; urgency=medium

  [ Seyeong Kim ]
  * virObjectUnref() libvirtd killed by SIGSEGV (LP: #1464175)
- upstream, util: identity: Harden virIdentitySetCurrent()
- upstream, daemon: Clear fake domain def object that is used to check 
  ACL prior to use
- upstream, rpc: Don't unref identity object while callbacks still can 
  be executed

  [ Edward Hope-Morley ]
  * Add post-start to upstart (/etc/init/libvirt-bin.conf) and
sysv (/etc/init.d/libvirt-bin) to ensure libvirt-sock
created before up (LP: #1455608)

  * Re-enable Support-incoming-migration-from-13.10-hosts.patch. (LP: #1425619)

libvirt (1.2.2-0ubuntu13.1.12) trusty-proposed; urgency=medium

  * Drop Support-incoming-migration-from-13.10-hosts.patch as it failed
verification.

libvirt (1.2.2-0ubuntu13.1.11) trusty-proposed; urgency=medium

  * Support-incoming-migration-from-13.10-hosts.patch (LP: #1425619)
  * qemu-filterref-crash.patch: fix crash when removing filterref from
interfaces (LP: #1448205)
  * storage_backend_rbd-correct-arg-order-to-rbd_create3: fix reversed
arguments to rbd_create3.  (LP: #1447030)

libvirt (1.2.2-0ubuntu13.1.10) trusty-proposed; urgency=medium

  * 9035-qemu-snapshot-save-persistent-domain-config: upstream fix for a
regression where persistent domain config was not saved after an external
snapshot.  (LP: #1403841)
  * 9036-dont-fail-without-cpu-model.patch: fix virsh safe with cpu mode =
host-passthrough (LP: #1262641)

libvirt (1.2.2-0ubuntu13.1.9) trusty-proposed; urgency=medium

  * apparmor libvirt-qemu template: allow reading charm-specific ceph config
and allow reading under /tmp and /var/tmp (for SRU only)  (LP: #1403648)
  * numa-cgroups-fix-cpuset-mems-init.patch - cherrypicked, refreshed patch
(by Richard Laager) to fix failure to start on numa node 1 (LP: #1404388)
  * libvirt-qemu: add r to sgabios.bin (LP: #1393548)

libvirt (1.2.2-0ubuntu13.1.8) trusty-proposed; urgency=medium

  * complete the 9p support: (LP: #1378434)
- libvirt-qemu: add fowner and fsetid
- virt-aa-helper: add 'l' to 9p file options
  * libvirt-qemu apparmor template: add /sys/firmware/devicetree/** r
(LP: #1374554)
  * add missing apparmor permissions for slof (LP: #1374554)

Date: 2016-01-08 16:00:26.017856+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/libvirt/1.2.2-0ubuntu13.1.16


[ubuntu/trusty-security] isc-dhcp 4.2.4-7ubuntu12.4 (Accepted)

2016-01-13 Thread Marc Deslauriers
isc-dhcp (4.2.4-7ubuntu12.4) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service via incorrect UDP payload length
- debian/patches/CVE-2015-8605.patch: properly check payload length in
  common/packet.c.
- CVE-2015-8605

Date: 2016-01-11 13:13:20.193804+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/isc-dhcp/4.2.4-7ubuntu12.4


[ubuntu/trusty-security] openssh 1:6.6p1-2ubuntu2.4 (Accepted)

2016-01-14 Thread Marc Deslauriers
openssh (1:6.6p1-2ubuntu2.4) trusty-security; urgency=medium

  * SECURITY UPDATE: information leak and overflow in roaming support
- debian/patches/CVE-2016-077x.patch: completely disable roaming option
  in readconf.c.
- CVE-2016-0777
- CVE-2016-0778

Date: 2016-01-13 16:26:14.891062+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/openssh/1:6.6p1-2ubuntu2.4


[ubuntu/trusty-security] bind9 1:9.9.5.dfsg-3ubuntu0.7 (Accepted)

2016-01-19 Thread Marc Deslauriers
bind9 (1:9.9.5.dfsg-3ubuntu0.7) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service via string formatting operations
- lib/dns/rdata/in_1/apl_42.c: use correct length.
- CVE-2015-8704

Date: 2016-01-18 13:36:14.975007+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/bind9/1:9.9.5.dfsg-3ubuntu0.7


[ubuntu/trusty-security] libxml2 2.9.1+dfsg1-3ubuntu4.7 (Accepted)

2016-01-19 Thread Marc Deslauriers
libxml2 (2.9.1+dfsg1-3ubuntu4.7) trusty-security; urgency=medium

  * SECURITY UPDATE: incomplete fix for out of bounds read in xmlGROW
(LP: #1525996)
- add extra commits to this previously-fixed CVE
- debian/patches/CVE-2015-7499-3.patch: reuse xmlHaltParser() where it
  makes sense in parser.c.
- debian/patches/CVE-2015-7499-4.patch: do not print error context when
  there is none in error.c.
- CVE-2015-7499
  * SECURITY UPDATE: out of bounds memory access via unclosed html comment
- debian/patches/CVE-2015-8710.patch: fix parsing short unclosed
  comment uninitialized access in HTMLparser.c.
- CVE-2015-8710

Date: 2016-01-14 18:54:12.478932+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/libxml2/2.9.1+dfsg1-3ubuntu4.7


[ubuntu/trusty-security] rsync 3.1.0-2ubuntu0.2 (Accepted)

2016-01-21 Thread Marc Deslauriers
rsync (3.1.0-2ubuntu0.2) trusty-security; urgency=medium

  * SECURITY UPDATE: rsync path spoofing attack
- debian/patches/CVE-2014-9512-0.patch: reject invalid filenames in
  filelist in flist.c, rsync.h, util.c.
- debian/patches/CVE-2014-9512-1.patch: complain if an inc-recursive
  path is not right for its dir in flist.c, io.c, main.c, rsync.c.
- debian/patches/CVE-2014-9512-2.patch: add parent-dir validation for
  --no-inc-recurse too in flist.c, generator.c.
- CVE-2014-9512

Date: 2016-01-20 13:07:23.092434+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/rsync/3.1.0-2ubuntu0.2


[ubuntu/trusty-security] mysql-5.6 5.6.28-0ubuntu0.14.04.1 (Accepted)

2016-01-26 Thread Marc Deslauriers
mysql-5.6 (5.6.28-0ubuntu0.14.04.1) trusty-security; urgency=medium

  * SECURITY UPDATE: Update to 5.6.27 to fix security issues (LP: #1537750)
- http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
- CVE-2016-0503
- CVE-2016-0504
- CVE-2016-0505
- CVE-2016-0546
- CVE-2016-0595
- CVE-2016-0596
- CVE-2016-0597
- CVE-2016-0598
- CVE-2016-0600
- CVE-2016-0606
- CVE-2016-0607
- CVE-2016-0608
- CVE-2016-0609
- CVE-2016-0610
- CVE-2016-0611
  * debian/patches/fix_testsuite_date.patch: removed, upstream.

Date: 2016-01-25 17:59:13.416209+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/mysql-5.6/5.6.28-0ubuntu0.14.04.1


[ubuntu/trusty-security] mysql-5.5 5.5.47-0ubuntu0.14.04.1 (Accepted)

2016-01-26 Thread Marc Deslauriers
mysql-5.5 (5.5.47-0ubuntu0.14.04.1) trusty-security; urgency=medium

  * SECURITY UPDATE: Update to 5.5.47 to fix security issues (LP: #1537750)
- http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
- CVE-2016-0505
- CVE-2016-0546
- CVE-2016-0596
- CVE-2016-0597
- CVE-2016-0598
- CVE-2016-0600
- CVE-2016-0606
- CVE-2016-0608
- CVE-2016-0609
- CVE-2016-0616
  * debian/patches/fix_testsuite_date.patch: removed, upstream.

Date: 2016-01-25 18:06:13.986087+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/mysql-5.5/5.5.47-0ubuntu0.14.04.1


[ubuntu/trusty-security] pinba-engine-mysql 1.0.0-4ubuntu0.14.04.1 (Accepted)

2016-01-26 Thread Marc Deslauriers
pinba-engine-mysql (1.0.0-4ubuntu0.14.04.1) trusty-security; urgency=medium

  * Rebuild against mysql 5.5.47.

Date: 2016-01-26 12:39:25.917549+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/pinba-engine-mysql/1.0.0-4ubuntu0.14.04.1


[ubuntu/trusty-security] curl 7.35.0-1ubuntu2.6 (Accepted)

2016-01-27 Thread Marc Deslauriers
curl (7.35.0-1ubuntu2.6) trusty-security; urgency=medium

  * SECURITY UPDATE: NTLM credentials not-checked for proxy connection
re-use
- debian/patches/CVE-2016-0755.patch: fix ConnectionExists to compare
  Proxy credentials in lib/url.c.
- CVE-2016-0755

Date: 2016-01-26 19:29:16.598052+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/curl/7.35.0-1ubuntu2.6


[ubuntu/trusty-security] qemu 2.0.0+dfsg-2ubuntu1.22 (Accepted)

2016-02-03 Thread Marc Deslauriers
qemu (2.0.0+dfsg-2ubuntu1.22) trusty-security; urgency=medium

  * SECURITY UPDATE: msi-x null pointer dereference
- debian/patches/CVE-2015-7549.patch: implement pba write in
  hw/pci/msix.c.
- CVE-2015-7549
  * SECURITY UPDATE: vnc floating point exception
- debian/patches/CVE-2015-8504.patch: handle zero values in ui/vnc.c.
- CVE-2015-8504
  * SECURITY UPDATE: paravirtualized drivers incautious about shared memory
contents
- debian/patches/CVE-2015-8550-1.patch: avoid double access in
  hw/block/xen_blkif.h.
- debian/patches/CVE-2015-8550-2.patch: avoid reading twice in
  hw/display/xenfb.c.
- CVE-2015-8550
  * SECURITY UPDATE: infinite loop in ehci_advance_state
- debian/patches/CVE-2015-8558.patch: make idt processing more robust
  in hw/usb/hcd-ehci.c.
- CVE-2015-8558
  * SECURITY UPDATE: host memory leakage in vmxnet3
- debian/patches/CVE-2015-856x.patch: avoid memory leakage in
  hw/net/vmxnet3.c.
- CVE-2015-8567
- CVE-2015-8568
  * SECURITY UPDATE: buffer overflow in megasas_ctrl_get_info
- debian/patches/CVE-2015-8613.patch: initialise info object with
  appropriate size in hw/scsi/megasas.c.
- CVE-2015-8613
  * SECURITY UPDATE: DoS via Human Monitor Interface
- debian/patches/CVE-2015-8619.patch: fix sendkey out of bounds write
  in hmp.c, include/ui/console.h, ui/input-legacy.c.
- CVE-2015-8619
  * SECURITY UPDATE: buffer overrun during VM migration
- debian/patches/CVE-2015-8666.patch: handle full length bytes in
  hw/acpi/core.c.
- CVE-2015-8666
  * SECURITY UPDATE: ne2000 OOB r/w in ioport operations
- debian/patches/CVE-2015-8743.patch: fix bounds check in ioport
  operations in hw/net/ne2000.c.
- CVE-2015-8743
  * SECURITY UPDATE: incorrect l2 header validation in vmxnet3
- debian/patches/CVE-2015-8744.patch: properly validate header in
  hw/net/vmxnet3.c, hw/net/vmxnet_tx_pkt.c.
- CVE-2015-8744
  * SECURITY UPDATE: crash via reading IMR registers in vmxnet3
- debian/patches/CVE-2015-8745.patch: support reading IMR registers in
  hw/net/vmxnet3.c.
- CVE-2015-8745
  * SECURITY UPDATE: ahci use-after-free vulnerability in aio port commands
- debian/patches/CVE-2016-1568.patch: reset ncq object to unused on
  error in hw/ide/ahci.c.
- CVE-2016-1568
  * SECURITY UPDATE: firmware configuration device OOB rw access
- debian/patches/CVE-2016-1714.patch: avoid calculating invalid current
  entry pointer in hw/nvram/fw_cfg.c.
- CVE-2016-1714
  * SECURITY UPDATE: DoS via null pointer dereference in vapic_write()
- debian/patches/CVE-2016-1922.patch: avoid null pointer dereference in
  hw/i386/kvmvapic.c.
- CVE-2016-1922
  * SECURITY UPDATE: e1000 infinite loop
- debian/patches/CVE-2016-1981.patch: eliminate infinite loops on
  out-of-bounds transfer start in hw/net/e1000.c
- CVE-2016-1981
  * SECURITY UPDATE: ehci null pointer dereference in ehci_caps_write
- debian/patches/CVE-2016-2198.patch: add capability mmio write
  function in hw/usb/hcd-ehci.c.
- CVE-2016-2198

Date: 2016-02-02 14:19:15.129970+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/qemu/2.0.0+dfsg-2ubuntu1.22


[ubuntu/trusty-security] nginx 1.4.6-1ubuntu3.4 (Accepted)

2016-02-09 Thread Marc Deslauriers
nginx (1.4.6-1ubuntu3.4) trusty-security; urgency=medium

  * SECURITY UPDATE: multiple resolver security issues (LP: #1538165)
- debian/patches/CVE-2016-074x-1.patch: fix possible segmentation fault
  on DNS format error.
- debian/patches/CVE-2016-074x-2.patch: fix crashes in timeout handler.
- debian/patches/CVE-2016-074x-3.patch: fixed CNAME processing for
  several requests.
- debian/patches/CVE-2016-074x-4.patch: change the
  ngx_resolver_create_*_query() arguments.
- debian/patches/CVE-2016-074x-5.patch: fix use-after-free memory
  accesses with CNAME.
- debian/patches/CVE-2016-074x-6.patch: limited CNAME recursion.
- CVE-2016-0742
- CVE-2016-0743
- CVE-2016-0744

nginx (1.4.6-1ubuntu3.3) trusty-proposed; urgency=medium

  * debian/nginx-common.nginx.init: Fix pidfile extraction, due to multiple
failure cases, using Debian's solution. (LP: #1314740)

nginx (1.4.6-1ubuntu3.2) trusty-proposed; urgency=medium

  * d/modules/nginx-http-push: Apply upstream bugfix. (LP: #1216817)
* src/ngx_http_push_module_setup.c: Modify push module code with
  upstream changes to fix an issue with initialization when using
  `fastcgi_cache` or `proxy_cache`.
* tests/nginx-cachemanager.conf: (new file) Include upstream change
  of adding an nginx-cachemanager.conf file to the tests.

Date: 2016-02-03 16:22:14.144174+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/nginx/1.4.6-1ubuntu3.4


[ubuntu/trusty-security] postgresql-9.1 9.1.20-0ubuntu0.14.04 (Accepted)

2016-02-11 Thread Marc Deslauriers
postgresql-9.1 (9.1.20-0ubuntu0.14.04) trusty-security; urgency=medium

  * New upstream release (LP: #1544576). No effective changes for PL/Perl, the
version must just be higher than the one in precise, to not break
upgrades.

Date: 2016-02-11 15:54:13.334579+00:00
Changed-By: Martin Pitt 
Signed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/postgresql-9.1/9.1.20-0ubuntu0.14.04


[ubuntu/trusty-security] postgresql-9.3 9.3.11-0ubuntu0.14.04 (Accepted)

2016-02-11 Thread Marc Deslauriers
postgresql-9.3 (9.3.11-0ubuntu0.14.04) trusty-security; urgency=medium

  * New upstream security/bug fix release: (LP: #1544576)
- Fix infinite loops and buffer-overrun problems in regular expressions.
  Very large character ranges in bracket expressions could cause infinite
  loops in some cases, and memory overwrites in other cases.
  (CVE-2016-0773)
- Prevent certain PL/Java parameters from being set by non-superusers.
  This change mitigates a PL/Java security bug (CVE-2016-0766), which was
  fixed in PL/Java by marking these parameters as superuser-only. To fix
  the security hazard for sites that update PostgreSQL more frequently
  than PL/Java, make the core code aware of them also.
- See release notes for details about other fixes.

Date: 2016-02-11 15:51:13.839297+00:00
Changed-By: Martin Pitt 
Signed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/postgresql-9.3/9.3.11-0ubuntu0.14.04


[ubuntu/trusty-security] libgcrypt11 1.5.3-2ubuntu4.3 (Accepted)

2016-02-15 Thread Marc Deslauriers
libgcrypt11 (1.5.3-2ubuntu4.3) trusty-security; urgency=medium

  * SECURITY UPDATE: side-channel attack on ECDH
- debian/patches/CVE-2015-7511.patch: perform input validation in
  cipher/ecc.c, src/mpi.h, use constant-time multiplication in
  mpi/ec.c.
- CVE-2015-7511

Date: 2016-02-10 16:28:12.887781+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/libgcrypt11/1.5.3-2ubuntu4.3


[ubuntu/trusty-security] nettle 2.7.1-1ubuntu0.1 (Accepted)

2016-02-15 Thread Marc Deslauriers
nettle (2.7.1-1ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: miscomputation bugs in secp-256r1 modulo functions
- debian/patches/CVE-2015-8803_8805.patch: fix carry propagation bugs
  in ecc-256.c.
- CVE-2015-8803
- CVE-2015-8805
  * SECURITY UPDATE: carry folding bug in x86_64 ecc_384_modp
- debian/patches/CVE-2015-8804.patch: fix carry propagation bug in
  x86_64/ecc-384-modp.asm.
- CVE-2015-8804

Date: 2016-02-10 19:15:25.784520+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/nettle/2.7.1-1ubuntu0.1


[ubuntu/trusty-security] gtk+2.0 2.24.23-0ubuntu1.4 (Accepted)

2016-02-15 Thread Marc Deslauriers
gtk+2.0 (2.24.23-0ubuntu1.4) trusty-security; urgency=medium

  * gdkcairo-Avoid-integer-overflow.patch: new patch. Cherry-pick upstream
commit from GTK+3 to avoid integer overflow when allocating a large block
of memory in gdk_cairo_set_source_pixbuf. (LP: #1540811)
- CVE-2013-7447

Date: 2016-02-12 15:58:18.863910+00:00
Changed-By: Monsta 
Maintainer: Ubuntu Desktop 
Signed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/gtk+2.0/2.24.23-0ubuntu1.4


[ubuntu/trusty-security] eog 3.10.2-0ubuntu5.1 (Accepted)

2016-02-15 Thread Marc Deslauriers
eog (3.10.2-0ubuntu5.1) trusty-security; urgency=medium

  * SECURITY UPDATE: integer overflow via large sized image
- debian/patches/CVE-2013-7447.patch: use g_malloc_n in
  create_surface_from_pixbuf in src/eog-print-preview.c.
- CVE-2013-7447

Date: 2016-02-12 19:08:35.751810+00:00
Changed-By: Marc Deslauriers 
Maintainer: Ubuntu Desktop 
https://launchpad.net/ubuntu/+source/eog/3.10.2-0ubuntu5.1


[ubuntu/trusty-security] samba 2:4.1.6+dfsg-1ubuntu2.14.04.12 (Accepted)

2016-02-16 Thread Marc Deslauriers
samba (2:4.1.6+dfsg-1ubuntu2.14.04.12) trusty-security; urgency=medium

  * Fixes regression introduced by debian/patches/CVE-2015-5252.patch.
(LP: #1545750)

Date: 2016-02-15 17:47:25.612202+00:00
Changed-By: Dariusz Gadomski 
Signed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/samba/2:4.1.6+dfsg-1ubuntu2.14.04.12


[ubuntu/trusty-security] libreoffice 1:4.2.8-0ubuntu4 (Accepted)

2016-02-16 Thread Marc Deslauriers
libreoffice (1:4.2.8-0ubuntu4) trusty-security; urgency=medium

  * various lwp fixes

Date: 2016-02-13 00:44:13.825474+00:00
Changed-By: Björn Michaelsen 
Signed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/libreoffice/1:4.2.8-0ubuntu4


[ubuntu/trusty-security] eglibc 2.19-0ubuntu6.7 (Accepted)

2016-02-16 Thread Marc Deslauriers
eglibc (2.19-0ubuntu6.7) trusty-security; urgency=medium

  * SECURITY UPDATE: glibc getaddrinfo stack-based buffer overflow
- debian/patches/any/CVE-2015-7547-pre1.diff: fix memory leak in
  resolv/nss_dns/dns-host.c.
- debian/patches/any/CVE-2015-7547-pre2.diff: fix memory leak in
  include/resolv.h, resolv/gethnamaddr.c, resolv/nss_dns/dns-canon.c,
  resolv/nss_dns/dns-host.c, resolv/nss_dns/dns-network.c,
  resolv/res_query.c, resolv/res_send.c.
- debian/patches/any/CVE-2015-7547.diff: fix buffer handling in
  resolv/nss_dns/dns-host.c, resolv/res_query.c, resolv/res_send.c.
- CVE-2015-7547

Date: 2016-02-16 18:04:26.122263+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/eglibc/2.19-0ubuntu6.7


[ubuntu/trusty-security] xdelta3 3.0.7-dfsg-2ubuntu0.2 (Accepted)

2016-02-17 Thread Marc Deslauriers
xdelta3 (3.0.7-dfsg-2ubuntu0.2) trusty-security; urgency=medium

  * SECURITY UPDATE: buffer overflow in main_get_appheader
- debian/patches/CVE-2014-9765.patch: add check to xdelta3-main.h, add
  test to xdelta3-test.h.
- CVE-2014-9765
  * debian/patches/fix_lzma_test.patch: fix lzma test so we can run the
builtin tests.

Date: 2016-02-17 13:29:13.502868+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/xdelta3/3.0.7-dfsg-2ubuntu0.2


[ubuntu/trusty-security] graphite2 1.2.4-1ubuntu1.1 (Accepted)

2016-02-17 Thread Marc Deslauriers
graphite2 (1.2.4-1ubuntu1.1) trusty-security; urgency=medium

  * SECURITY UPDATE: multiple security issues
- debian/patches/CVE-2016-152x-1.patch: fix out of bounds access in
  src/Bidi.cpp.
- debian/patches/CVE-2016-152x-2.patch: handle fonts with 0 features in
  src/FeatureMap.cpp, src/inc/FeatureMap.h.
- debian/patches/CVE-2016-152x-3.patch: check size in src/TtfUtil.cpp.
- debian/patches/CVE-2016-152x-4.patch: check for cntxtItem
  misalignment in src/Code.cpp.
- debian/patches/CVE-2016-152x-5.patch: disallow nested cntxt_item in
  src/Code.cpp.
- CVE-2016-1521
- CVE-2016-1522
- CVE-2016-1523
- CVE-2016-1526
  * debian/patches/no-icons.diff: run a2x without --icons to avoid FTBFS.

Date: 2016-02-11 16:20:13.229461+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/graphite2/1.2.4-1ubuntu1.1


[ubuntu/trusty-security] nss 2:3.21-0ubuntu0.14.04.1 (Accepted)

2016-02-17 Thread Marc Deslauriers
nss (2:3.21-0ubuntu0.14.04.1) trusty-security; urgency=medium

  * Updated to upstream 3.21 to fix a security issue and get a new CA
certificate bundle.
  * SECURITY UPDATE: improper division in mp_div and mp_exptmod
- CVE-2016-1938
  * debian/libnss3.symbols: updated for new version.
  * debian/patches/95_add_spi+cacert_ca_certs.patch: dropped, no longer
want the SPI cert
  * debian/patches/97_SSL_RENEGOTIATE_TRANSITIONAL.patch: dropped, no
longer needed
  * debian/patches/CVE-2015-7575.patch: dropped, upstream
  * debian/patches/ftbfs_ppc64el.patch: don't enable -Werror on ppc64el,
there are too many uninitialized variable false positives.

Date: 2016-02-04 18:18:16.516004+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/nss/2:3.21-0ubuntu0.14.04.1


[ubuntu/trusty-security] cpio 2.11+dfsg-1ubuntu1.2 (Accepted)

2016-02-22 Thread Marc Deslauriers
cpio (2.11+dfsg-1ubuntu1.2) trusty-security; urgency=medium

  * SECURITY UPDATE: file overwrite via symlink attack
- debian/patches/CVE-2015-1197.patch: don't write files over symlinks
  unless --extract-over-symlinks is used in doc/cpio.1, src/copyin.c,
  src/extern.h, src/global.c, src/main.c.
- CVE-2015-1197
  * SECURITY UPDATE: out-of-bounds write
- debian/patches/CVE-2016-2037.patch: make sure there is at least two
  bytes available in src/copyin.c, added comment to src/util.c.
- CVE-2016-2037
  * debian/patches/fix-symlink-test.patch: fix date-sensitive test.

Date: 2016-02-18 16:07:28.373378+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/cpio/2.11+dfsg-1ubuntu1.2


[ubuntu/trusty-security] libssh 0.6.1-0ubuntu3.3 (Accepted)

2016-02-23 Thread Marc Deslauriers
libssh (0.6.1-0ubuntu3.3) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service via incorrect SSH_MSG_NEWKEYS and
KEXDH_REPLY packet handling
- debian/patches/CVE-2015-3146.patch: fix state validation in
  src/packet_cb.c, src/server.c, src/buffer.c.
- CVE-2015-3146
  * SECURITY UPDATE: weakness in diffie-hellman secret key generation
- debian/patches/CVE-2016-0739.patch: fix bits/bytes confusion bug in
  src/dh.c.
- CVE-2016-0739

Date: 2016-02-23 12:50:21.301376+00:00
Changed-By: Marc Deslauriers 
Maintainer: Kubuntu Members 
https://launchpad.net/ubuntu/+source/libssh/0.6.1-0ubuntu3.3


[ubuntu/trusty-security] ca-certificates 20160104ubuntu0.14.04.1 (Accepted)

2016-02-24 Thread Marc Deslauriers
ca-certificates (20160104ubuntu0.14.04.1) trusty-security; urgency=medium

  * Update ca-certificates database to 20160104:
- backport changes from the Ubuntu 16.04 LTS 20160104 package

Date: 2016-02-08 15:40:21.271375+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/ca-certificates/20160104ubuntu0.14.04.1


[ubuntu/trusty-security] gnutls26 2.12.23-12ubuntu2.5 (Accepted)

2016-02-24 Thread Marc Deslauriers
gnutls26 (2.12.23-12ubuntu2.5) trusty-security; urgency=medium

  * debian/patches/compare_ca_name_and_key.patch: when comparing a CA
certificate with the trusted list compare the name and key. This will
allow the future removal of 1024-bit RSA keys from the ca-certificates
package.

Date: 2016-02-08 15:09:13.726752+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/gnutls26/2.12.23-12ubuntu2.5


[ubuntu/trusty-security] openssl 1.0.1f-1ubuntu2.17 (Accepted)

2016-02-24 Thread Marc Deslauriers
openssl (1.0.1f-1ubuntu2.17) trusty-security; urgency=medium

  * debian/patches/alt-cert-chains-*.patch: backport series of upstream
commits to add alternate chains support. This will allow the future
removal of 1024-bit RSA keys from the ca-certificates package.

Date: 2016-02-08 15:07:16.031593+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/openssl/1.0.1f-1ubuntu2.17


[ubuntu/trusty-security] glib-networking 2.40.0-1ubuntu0.1 (Accepted)

2016-02-24 Thread Marc Deslauriers
glib-networking (2.40.0-1ubuntu0.1) trusty-security; urgency=medium

  * debian/patches/alt-cert-chains.patch: backport upstream fix to add
alternate chains support. This will allow the future removal of
1024-bit RSA keys from the ca-certificates package.

Date: 2016-02-08 15:03:16.614654+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/glib-networking/2.40.0-1ubuntu0.1


[ubuntu/trusty-security] xen 4.4.2-0ubuntu0.14.04.5 (Accepted)

2016-02-25 Thread Marc Deslauriers
xen (4.4.2-0ubuntu0.14.04.5) trusty-security; urgency=low

  * Applying Xen Security Advisories:
- CVE-2016-2270 / XSA-154
  * x86: enforce consistent cachability of MMIO mappings
- CVE-2016-1570 / XSA-167
  * x86/mm: PV superpage handling lacks sanity checks
- CVE-2016-1571 / XSA-168
  * x86/VMX: prevent INVVPID failure due to non-canonical guest address
- CVE-2015-8615 / XSA-169
  * x86: make debug output consistent in hvm_set_callback_via
- CVE-2016-2271 / XSA-170
  * x86/VMX: sanitize rIP before re-entering guest

Date: 2016-02-24 20:37:15.419799+00:00
Changed-By: Stefan Bader 
Signed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/xen/4.4.2-0ubuntu0.14.04.5


[ubuntu/trusty-security] openssl 1.0.1f-1ubuntu2.18 (Accepted)

2016-03-01 Thread Marc Deslauriers
openssl (1.0.1f-1ubuntu2.18) trusty-security; urgency=medium

  * SECURITY UPDATE: side channel attack on modular exponentiation
- debian/patches/CVE-2016-0702.patch: use constant-time calculations in
  crypto/bn/asm/x86_64-mont5.pl, crypto/bn/bn_exp.c,
  crypto/perlasm/x86_64-xlate.pl, crypto/constant_time_locl.h.
- CVE-2016-0702
  * SECURITY UPDATE: double-free in DSA code
- debian/patches/CVE-2016-0705.patch: fix double-free in
  crypto/dsa/dsa_ameth.c.
- CVE-2016-0705
  * SECURITY UPDATE: BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
- debian/patches/CVE-2016-0797.patch: prevent overflow in
  crypto/bn/bn_print.c, crypto/bn/bn.h.
- CVE-2016-0797
  * SECURITY UPDATE: memory leak in SRP database lookups
- debian/patches/CVE-2016-0798.patch: disable SRP fake user seed and
  introduce new SRP_VBASE_get1_by_user function that handles seed
  properly in apps/s_server.c, crypto/srp/srp.h, crypto/srp/srp_vfy.c,
  util/libeay.num, openssl.ld.
- CVE-2016-0798
  * SECURITY UPDATE: memory issues in BIO_*printf functions
- debian/patches/CVE-2016-0799.patch: prevent overflow in
  crypto/bio/b_print.c.
- CVE-2016-0799
  * debian/patches/preserve_digests_for_sni.patch: preserve negotiated
digests for SNI when SSL_set_SSL_CTX is called in ssl/ssl_lib.c.
(LP: #1550643)

Date: 2016-02-29 18:05:14.757801+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/openssl/1.0.1f-1ubuntu2.18


[ubuntu/trusty-security] python-django 1.6.1-2ubuntu0.12 (Accepted)

2016-03-01 Thread Marc Deslauriers
python-django (1.6.1-2ubuntu0.12) trusty-security; urgency=medium

  * SECURITY UPDATE: malicious redirect and possible XSS attack via
user-supplied redirect URLs containing basic auth
- debian/patches/CVE-2016-2512.patch: prevent spoofing in
  django/utils/http.py, added test to tests/utils_tests/test_http.py.
- CVE-2016-2512
  * SECURITY UPDATE: user enumeration through timing difference on password
hasher work factor upgrade
- debian/patches/CVE-2016-2513.patch: fix timing in
  django/contrib/auth/hashers.py, added note to
  docs/topics/auth/passwords.txt, added tests to
  django/contrib/auth/tests/test_hashers.py.
- debian/control: added python-mock to Build-Depends
- CVE-2016-2513

Date: 2016-02-26 13:00:17.042881+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/python-django/1.6.1-2ubuntu0.12


[ubuntu/trusty-security] perl 5.18.2-2ubuntu1.1 (Accepted)

2016-03-02 Thread Marc Deslauriers
perl (5.18.2-2ubuntu1.1) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service via regular expression invalid
backreference
- debian/patches/fixes/CVE-2013-7422.patch: properly handle big
  backreferences in regcomp.c.
- CVE-2013-7422
  * SECURITY UPDATE: denial of service in Data::Dumper
- debian/patches/fixes/CVE-2014-4330.patch: limit recursion in
  MANIFEST, dist/Data-Dumper/Dumper.pm, dist/Data-Dumper/Dumper.xs,
  dist/Data-Dumper/t/recurse.t.
- CVE-2014-4330
  * SECURITY UPDATE: environment variable confusion issue
- debian/patches/fixes/CVE-2016-2381.patch: remove duplicate
  environment variables from environ in perl.c.
- CVE-2016-2381

Date: 2016-03-01 16:45:15.971473+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/perl/5.18.2-2ubuntu1.1


[ubuntu/trusty-security] pixman 0.30.2-2ubuntu1.1 (Accepted)

2016-03-03 Thread Marc Deslauriers
pixman (0.30.2-2ubuntu1.1) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service and possible code execution via
overflow in create_bits
- debian/patches/CVE-2014-9766.patch: cast to size_t in
  pixman/pixman-bits-image.c.
- CVE-2014-9766

Date: 2016-03-02 21:22:14.367591+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/pixman/0.30.2-2ubuntu1.1


[ubuntu/trusty-security] python-django 1.6.1-2ubuntu0.13 (Accepted)

2016-03-07 Thread Marc Deslauriers
python-django (1.6.1-2ubuntu0.13) trusty-security; urgency=medium

  * SECURITY REGRESSION: is_safe_url() with non-unicode url (LP: #1553251)
- debian/patches/CVE-2016-2512-regression.patch: force url to unicode
  in django/utils/http.py, added test to
  tests/utils_tests/test_http.py.
- CVE-2016-2512

Date: 2016-03-04 16:51:15.140705+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/python-django/1.6.1-2ubuntu0.13


[ubuntu/trusty-security] squid3 3.3.8-1ubuntu6.6 (Accepted)

2016-03-07 Thread Marc Deslauriers
squid3 (3.3.8-1ubuntu6.6) trusty-security; urgency=medium

  [ Scott Moser ]
  * debian/patches/increase-default-forward-max-tries.patch:
change the default setting of 'forward_max_tries' from 10
to 25. (LP: #1547640)

  [ Marc Deslauriers ]
  * SECURITY UPDATE: denial of service via crafted UDP SNMP request
- debian/patches/CVE-2014-6270.patch: fix off-by-one in
  src/snmp_core.cc.
- CVE-2014-6270
  * SECURITY UPDATE: error handling vulnerability
- debian/patches/CVE-2016-2571.patch: better handling of huge response
  headers in src/http.cc.
- CVE-2016-2571
  * Fix security issues that only apply when package is rebuilt with the
enable-ssl flag, which is not the case in the Ubuntu archive.
- debian/patches/CVE-2014-0128.patch: denial of service via a crafted
  range request.
- debian/patches/CVE-2015-3455.patch: incorrect X509 server certificate
  domain matching.

squid3 (3.3.8-1ubuntu6.4) trusty-proposed; urgency=low

  * d/squid3.upstart: Use SIGINT to terminate squid and wait at most 40
seconds for it to finish. (LP: #1073478)

squid3 (3.3.8-1ubuntu6.3) trusty-proposed; urgency=low

  * d/patches/fix-caching-vary-header.patch: Added upstream patch
for the bug which prevented squid from caching responses with
Vary header. (LP: #1336742) Based on work by Oleg Strikov.

Date: 2016-03-04 20:42:14.254911+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/squid3/3.3.8-1ubuntu6.6


[ubuntu/trusty-security] python-django 1.6.1-2ubuntu0.14 (Accepted)

2016-03-07 Thread Marc Deslauriers
python-django (1.6.1-2ubuntu0.14) trusty-security; urgency=medium

  * SECURITY REGRESSION: is_safe_url() with non-unicode url (LP: #1553251)
- debian/patches/CVE-2016-2512-regression.patch: updated to final
  upstream fix.
- CVE-2016-2512

Date: 2016-03-07 14:11:13.874841+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/python-django/1.6.1-2ubuntu0.14
Sorry, changesfile not available.-- 
Trusty-changes mailing list
Trusty-changes@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/trusty-changes


[ubuntu/trusty-security] samba 2:4.1.6+dfsg-1ubuntu2.14.04.13 (Accepted)

2016-03-08 Thread Marc Deslauriers
samba (2:4.1.6+dfsg-1ubuntu2.14.04.13) trusty-security; urgency=medium

  * SECURITY UPDATE: incorrect ACL get/set allowed on symlink path
- debian/patches/CVE-2015-7560-pre1.patch: add vfs_stat_smb_basename()
  to source3/smbd/proto.h, source3/smbd/vfs.c.
- debian/patches/CVE-2015-7560.patch: properly handle symlinks in
  source3/client/client.c, source3/libsmb/clifile.c,
  source3/libsmb/proto.h, source3/smbd/nttrans.c,
  source3/smbd/trans2.c, added tests to selftest/knownfail,
  source3/selftest/tests.py, source3/torture/torture.c.
- CVE-2015-7560
  * SECURITY UPDATE: out-of-bounds read in internal DNS server
- debian/patches/CVE-2016-0771.patch: fix dns handling in
  librpc/idl/dns.idl, librpc/idl/dnsp.idl, librpc/idl/dnsserver.idl,
  librpc/ndr/ndr_dns.c, librpc/ndr/ndr_dnsp.c, librpc/ndr/ndr_dnsp.h,
  librpc/wscript_build, source4/dns_server/dns_query.c,
  source4/dns_server/dns_update.c, source4/librpc/wscript_build,
  added tests to python/samba/tests/dns.py,
  python/samba/tests/get_opt.py, selftest/tests.py,
  source4/selftest/tests.py.
- CVE-2016-0771

Date: 2016-03-03 17:49:14.180112+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/samba/2:4.1.6+dfsg-1ubuntu2.14.04.13


[ubuntu/trusty-security] bsh 2.0b4-15ubuntu0.14.04.1 (Accepted)

2016-03-08 Thread Marc Deslauriers
bsh (2.0b4-15ubuntu0.14.04.1) trusty-security; urgency=medium

  * SECURITY UPDATE: remote code execution vulnerability via
deserialization
- debian/patches/CVE-2016-2510.patch: prevent deserialization of
  Handler in src/bsh/XThis.java.
- CVE-2016-2510

Date: 2016-03-03 19:21:16.891614+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/bsh/2.0b4-15ubuntu0.14.04.1


[ubuntu/trusty-security] nss 2:3.21-0ubuntu0.14.04.2 (Accepted)

2016-03-09 Thread Marc Deslauriers
nss (2:3.21-0ubuntu0.14.04.2) trusty-security; urgency=medium

  * SECURITY UPDATE: buffer overflow during ASN.1 decoding
- debian/patches/CVE-2016-1950.patch: check lengths in
  nss/lib/util/secasn1d.c.
- CVE-2016-1950

Date: 2016-03-09 13:23:18.357327+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/nss/2:3.21-0ubuntu0.14.04.2


[ubuntu/trusty-security] bind9 1:9.9.5.dfsg-3ubuntu0.8 (Accepted)

2016-03-09 Thread Marc Deslauriers
bind9 (1:9.9.5.dfsg-3ubuntu0.8) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service via rndc control channel input
parsing error
- properly check data in bin/named/control.c, bin/named/controlconf.c,
  bin/rndc/rndc.c, lib/isccc/cc.c.
- CVE-2016-1285
  * SECURITY UPDATE: denial of service via resource record signatures
parsing issue
- fix improper DNAME handling in lib/dns/resolver.c.
- CVE-2016-1286

Date: 2016-03-08 14:47:14.937219+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/bind9/1:9.9.5.dfsg-3ubuntu0.8


[ubuntu/trusty-security] libotr 4.0.0-2.2ubuntu1.1 (Accepted)

2016-03-10 Thread Marc Deslauriers
libotr (4.0.0-2.2ubuntu1.1) trusty-security; urgency=medium

  * SECURITY UPDATE: memory corruption vulnerability
- debian/patches/CVE-2016-2851.patch: prevent integer overflow in
  src/proto.c.
- CVE-2016-2851

Date: 2016-03-10 13:51:14.191327+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/libotr/4.0.0-2.2ubuntu1.1


[ubuntu/trusty-security] graphite2 1.3.6-1ubuntu0.14.04.1 (Accepted)

2016-03-14 Thread Marc Deslauriers
graphite2 (1.3.6-1ubuntu0.14.04.1) trusty-security; urgency=medium

  * Updated to new upstream release 1.3.6 to fix multiple security issues.
- CVE-2016-1977, CVE-2016-2790, CVE-2016-2791, CVE-2016-2792,
  CVE-2016-2793, CVE-2016-2794, CVE-2016-2795, CVE-2016-2796,
  CVE-2016-2797, CVE-2016-2798, CVE-2016-2799, CVE-2016-2800,
  CVE-2016-2801, CVE-2016-2802
  * Dropped upstreamed patches:
- include-and-libraries.diff, no-specific-nunit-version.diff,
  soname.diff, CVE-2016-152x-1.patch, CVE-2016-152x-2.patch,
  CVE-2016-152x-3.patch, CVE-2016-152x-4.patch, CVE-2016-152x-5.patch
  * Updated patches for 1.3.6:
- no-icons.diff
  * debian/patches/disable_tests.diff: disable tests that require the
fonttools package from universe.

Date: 2016-03-10 19:26:14.652278+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/graphite2/1.3.6-1ubuntu0.14.04.1


[ubuntu/trusty-security] exim4 4.82-3ubuntu2.1 (Accepted)

2016-03-15 Thread Marc Deslauriers
exim4 (4.82-3ubuntu2.1) trusty-security; urgency=medium

  * SECURITY UPDATE: privilege escalation via crafted lookup value
- debian/patches/CVE-2014-2972.patch: only expand integers for integer
  math once.
- CVE-2014-2972
  * SECURITY UPDATE: privilege escalation when used with perl_startup
- debian/patches/CVE-2016-1531.patch: add new add_environment and
  keep_environment configuration options. 
- debian/patches/CVE-2016-1531-2.patch: don't issue env warning if env
  is empty.
- debian/patches/CVE-2016-1531-3.patch: store the initial working
  directory, expand $initial_cwd.
- debian/patches/CVE-2016-1531-4.patch: delay chdir(/) until we opened
  the main config.
- Add macros MAIN_KEEP_ENVIRONMENT and MAIN_ADD_ENVIRONMENT to set the
  new options. Set "keep_environment =" by default to avoid a runtime
  warning.
- Bump exim4-config Breaks to exim4-daemon-* (<< 4.82-3ubuntu2.1).
- debian/exim4-config.NEWS: Add entry to warn of potential breakage.
- CVE-2016-1531
  * WARNING: This update may break existing installations.

Date: 2016-03-14 18:16:13.701473+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/exim4/4.82-3ubuntu2.1


[ubuntu/trusty-security] pam 1.1.8-1ubuntu2.2 (Accepted)

2016-03-18 Thread Marc Deslauriers
pam (1.1.8-1ubuntu2.2) trusty-security; urgency=medium

  * SECURITY REGRESSION: multiarch update issue (LP: #1558114)
- debian/patches-applied/cve-2015-3238.patch: removed manpage changes
  so they don't get regenerated during build.
- CVE-2015-3238

Date: 2016-03-16 17:43:38.832052+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/pam/1.1.8-1ubuntu2.2


[ubuntu/trusty-security] pam 1.1.8-1ubuntu2.1 (Accepted)

2016-03-19 Thread Marc Deslauriers
pam (1.1.8-1ubuntu2.1) trusty-security; urgency=medium

  * SECURITY UPDATE: pam_userdb case-insensitive search issue
- debian/patches-applied/cve-2013-7041.patch: fix password hash
  comparison in modules/pam_userdb/pam_userdb.c.
- CVE-2013-7041
  * SECURITY UPDATE: directory traversal issue in pam_timestamp
- debian/patches-applied/cve-2014-2583.patch: fix potential directory
  traversal issue in modules/pam_timestamp/pam_timestamp.c.
- CVE-2014-2583
  * SECURITY UPDATE: username enumeration via large passwords
- debian/patches-applied/cve-2015-3238.patch: limit password size to
  prevent a helper function hang in modules/pam_exec/pam_exec.8.xml,
  modules/pam_exec/pam_exec.c, modules/pam_unix/pam_unix.8.xml,
  modules/pam_unix/pam_unix_passwd.c, modules/pam_unix/passverify.c,
  modules/pam_unix/passverify.h, modules/pam_unix/support.c.
- CVE-2015-3238

Date: 2016-03-15 19:38:18.507791+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/pam/1.1.8-1ubuntu2.1


[ubuntu/trusty-security] webkitgtk 2.4.10-0ubuntu0.14.04.1 (Accepted)

2016-03-21 Thread Marc Deslauriers
webkitgtk (2.4.10-0ubuntu0.14.04.1) trusty-security; urgency=medium

  * SECURITY UPDATE: Updated to 2.4.10 to fix multiple security issues
(LP: #1556964)
- CVE-2015-1120, CVE-2015-1076, CVE-2015-1071, CVE-2015-1081,
  CVE-2015-1122, CVE-2015-1155, CVE-2014-1748, CVE-2015-3752,
  CVE-2015-5809, CVE-2015-5928, CVE-2015-3749, CVE-2015-3659,
  CVE-2015-3748, CVE-2015-3743, CVE-2015-3731, CVE-2015-3745,
  CVE-2015-5822, CVE-2015-3658, CVE-2015-3741, CVE-2015-3727,
  CVE-2015-5801, CVE-2015-5788, CVE-2015-3747, CVE-2015-5794,
  CVE-2015-1127, CVE-2015-1153, CVE-2015-1083
  * Dropped upstreamed patches:
- fix-gtkdoc-error.patch, atomic_build_fix.patch,
  fix-textrel-x86.patch, ppc64-align.patch, render-text-control.patch,
  nullptr-frameprogresstracker.patch,
  nullptr-accessibilitymenulistoption.patch, ax-focus-events.patch,
  fix-ftbfs-pluginpackage.patch.

Date: 2016-03-16 12:21:14.468738+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/webkitgtk/2.4.10-0ubuntu0.14.04.1


[ubuntu/trusty-security] tiff 4.0.3-7ubuntu0.4 (Accepted)

2016-03-23 Thread Marc Deslauriers
tiff (4.0.3-7ubuntu0.4) trusty-security; urgency=medium

  * SECURITY UPDATE: out-of-bounds reads in TIFFRGBAImage
- debian/patches/CVE-2015-8665-8683.patch: fix out-of-bounds reads in
  libtiff/tif_getimage.c.
- CVE-2015-8665
- CVE-2015-8683
  * SECURITY UPDATE: out-of-bounds writes in decode function
- debian/patches/CVE-2015-8781-8782-8783.patch: fix out-of-bounds
  writes and an out-of-bounds read in libtiff/tif_luv.c.
- CVE-2015-8781
- CVE-2015-8782
- CVE-2015-8783
  * SECURITY UPDATE: out-of-bounds write in NeXTDecode()
- debian/patches/CVE-2015-8784.patch: fix out-of-bounds write in
  libtiff/tif_next.c.
- CVE-2015-8784

Date: 2016-03-23 15:11:13.465242+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/tiff/4.0.3-7ubuntu0.4


[ubuntu/trusty-security] activemq 5.6.0+dfsg-1+deb7u2build0.14.04.1 (Accepted)

2016-03-23 Thread Marc Deslauriers
activemq (5.6.0+dfsg-1+deb7u2build0.14.04.1) trusty-security; urgency=medium

  * fake sync from Debian

activemq (5.6.0+dfsg-1+deb7u2) wheezy-security; urgency=high

  * Team upload.
  * Fix CVE-2015-5254:
Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that can be
serialized in the broker, which allows remote attackers to execute
arbitrary code via a crafted serialized Java Message Service (JMS)
ObjectMessage object.

Date: 2016-03-23 11:37:23.429589+00:00
Changed-By: Marc Deslauriers 
Maintainer: Debian Java Maintainers 

https://launchpad.net/ubuntu/+source/activemq/5.6.0+dfsg-1+deb7u2build0.14.04.1


[ubuntu/trusty-security] quagga 0.99.22.4-3ubuntu1.1 (Accepted)

2016-03-24 Thread Marc Deslauriers
quagga (0.99.22.4-3ubuntu1.1) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service or arbitrary code execution via
Labeled-VPN SAFI and crafted packet
- debian/patches/CVE-2016-2342.patch: sanity check lengths in
  bgpd/bgp_mplsvpn.c.
- CVE-2016-2342

Date: 2016-03-23 13:02:19.386546+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/quagga/0.99.22.4-3ubuntu1.1


[ubuntu/trusty-security] pcre3 1:8.31-2ubuntu2.2 (Accepted)

2016-03-29 Thread Marc Deslauriers
pcre3 (1:8.31-2ubuntu2.2) trusty-security; urgency=medium

  * SECURITY UPDATE: fix multiple security issues by applying patches
from Debian jessie package:
- 0001-Fix-overflow-when-ovector-has-size-1.patch
- 794589-information-disclosure.patch
- 0001-Fix-buffer-overflow-for-lookbehind-within-mutually-r.patch
- 0001-Add-integer-overflow-check-to-n-code.patch
- 0001-Fix-bug-for-classes-containing-sequences.patch
- 0001-Fix-run-for-ever-bug-for-deeply-nested-sequences.patch
- 0001-Make-pcregrep-q-override-l-and-c-for-compatibility-w.patch
- 0001-Add-missing-integer-overflow-checks.patch
- 0001-Fix-compile-time-loop-for-recursive-reference-within.patch
- 0001-Fix-named-forward-reference-to-duplicate-group-numbe.patch
- CVE-2015-2328, CVE-2015-8380, CVE-2015-8382, CVE-2015-8385,
  CVE-2015-8386, CVE-2015-8387, CVE-2015-8390, CVE-2015-8391,
  CVE-2015-8393, CVE-2015-8394
  * SECURITY UPDATE: denial of service via pattern containing (*ACCEPT)
substring with nested parentheses
- debian/patches/apply-upstream-revision-1631-closes-8159: fix
  workspace overflow for (*ACCEPT) with deeply nested parentheses in
  pcreposix.c, pcre_compile.c, pcre_internal.h, add tests to
  testdata/testoutput11-8, testdata/testoutput11-16,
  testdata/testinput11.
- CVE-2016-3191
  * debian/rules: set make check to verbose.

Date: 2016-03-25 15:01:18.399588+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/pcre3/1:8.31-2ubuntu2.2


[ubuntu/trusty-security] hexchat 2.9.6.1-2ubuntu0.1 (Accepted)

2016-04-04 Thread Marc Deslauriers
hexchat (2.9.6.1-2ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: no ssl hostname verification (LP: #1565000)
- debian/patches/validate_ssl_hostnames.patch: properly validate
  hostnames in src/common/server.c, src/common/ssl.c, src/common/ssl.h.
- CVE number pending
  * SECURITY UPDATE: missing ssl certificate handled incorrectly
- debian/patches/handle_missing_ssl_cert.patch: fail connection if
  certificate isn't found in src/common/server.c.
- No CVE number

Date: 2016-04-02 00:10:12.609765+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/hexchat/2.9.6.1-2ubuntu0.1


[ubuntu/trusty-security] xchat-gnome 1:0.30.0~git20131003.d20b8d+really20110821-0.2ubuntu12.2 (Accepted)

2016-04-04 Thread Marc Deslauriers
xchat-gnome (1:0.30.0~git20131003.d20b8d+really20110821-0.2ubuntu12.2) trusty-security; urgency=medium

  * SECURITY UPDATE: no ssl hostname verification (LP: #1565000)
- debian/patches/validate_ssl_hostnames.patch: properly validate
  hostnames in src/common/server.c, src/common/ssl.c, src/common/ssl.h.
- CVE number pending
  * SECURITY UPDATE: missing ssl certificate handled incorrectly
- debian/patches/handle_missing_ssl_cert.patch: fail connection if
  certificate isn't found in src/common/server.c.
- No CVE number

Date: 2016-04-01 18:09:19.170868+00:00
Changed-By: Marc Deslauriers 
Maintainer: Ubuntu Desktop 
https://launchpad.net/ubuntu/+source/xchat-gnome/1:0.30.0~git20131003.d20b8d+really20110821-0.2ubuntu12.2


[ubuntu/trusty-security] libebml 1.3.0-2+deb8u1build0.14.04.1 (Accepted)

2016-04-14 Thread Marc Deslauriers
libebml (1.3.0-2+deb8u1build0.14.04.1) trusty-security; urgency=medium

  * fake sync from Debian

Date: 2016-04-14 18:18:12.531999+00:00
Changed-By: Marc Deslauriers 
Maintainer: Debian Multimedia Maintainers 

https://launchpad.net/ubuntu/+source/libebml/1.3.0-2+deb8u1build0.14.04.1


[ubuntu/trusty-security] talloc 2.1.5-0ubuntu0.14.04.1 (Accepted)

2016-04-18 Thread Marc Deslauriers
talloc (2.1.5-0ubuntu0.14.04.1) trusty-security; urgency=medium

  * Updated to upstream 2.1.5 as required by Samba security update.
- debian/rules: adjusted location of files to be cleaned.
- debian/*.symbols: updated for new version.

Date: 2016-04-06 18:01:17.355419+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/talloc/2.1.5-0ubuntu0.14.04.1


[ubuntu/trusty-security] tevent 0.9.26-0ubuntu0.14.04.1 (Accepted)

2016-04-18 Thread Marc Deslauriers
tevent (0.9.26-0ubuntu0.14.04.1) trusty-security; urgency=medium

  * Updated to upstream 0.9.26 as required by Samba security update.
- debian/patches/01_fix_ld_library_path: set LD_LIBRARY_PATH during
  tests to fix FTBFS.
- debian/rules: adjusted location of files to be cleaned.
- debian/libtevent0.symbols: updated for new version.

Date: 2016-04-07 13:33:15.377955+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/tevent/0.9.26-0ubuntu0.14.04.1


[ubuntu/trusty-security] ldb 1:1.1.24-0ubuntu0.14.04.1 (Accepted)

2016-04-18 Thread Marc Deslauriers
ldb (1:1.1.24-0ubuntu0.14.04.1) trusty-security; urgency=medium

  * Updated to upstream 1.1.24 as required by Samba security update.
- debian/patches/01_exclude_symbols: removed, upstream.
- debian/patches/CVE-2015-3223.patch: removed, upstream.
- debian/patches/CVE-2015-5330.patch: removed, upstream.
- debian/rules: adjusted location of files to be cleaned.
- debian/*.symbols: updated for new version.
- debian/control: bump tdb Build-Depends.

Date: 2016-04-07 15:44:26.328758+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/ldb/1:1.1.24-0ubuntu0.14.04.1


[ubuntu/trusty-security] tdb 1.3.8-0ubuntu0.14.04.1 (Accepted)

2016-04-18 Thread Marc Deslauriers
tdb (1.3.8-0ubuntu0.14.04.1) trusty-security; urgency=medium

  * Updated to upstream 1.3.8 as required by Samba security update.
- debian/rules: adjusted location of files to be cleaned.
- debian/libtdb1.symbols: updated for new version.

Date: 2016-04-07 14:39:23.252740+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/tdb/1.3.8-0ubuntu0.14.04.1


[ubuntu/trusty-security] samba 2:4.3.8+dfsg-0ubuntu0.14.04.2 (Accepted)

2016-04-18 Thread Marc Deslauriers
samba (2:4.3.8+dfsg-0ubuntu0.14.04.2) trusty-security; urgency=medium

  * SECURITY UPDATE: Updated to 4.3.8 to fix multiple security issues
- CVE-2015-5370: Multiple errors in DCE-RPC code
- CVE-2016-2110: Man in the middle attacks possible with NTLMSSP
- CVE-2016-2111: NETLOGON Spoofing Vulnerability
- CVE-2016-2112: The LDAP client and server don't enforce integrity
  protection
- CVE-2016-2113: Missing TLS certificate validation allows man in the
  middle attacks
- CVE-2016-2114: "server signing = mandatory" not enforced
- CVE-2016-2115: SMB client connections for IPC traffic are not
  integrity protected
- CVE-2016-2118: SAMR and LSA man in the middle attacks possible
  * Backported most packaging changes from (2:4.3.6+dfsg-1ubuntu1) in
Ubuntu 16.04 LTS, except for the following:
- Don't remove samba-doc package
- Don't remove libpam-smbpass package
- Don't remove libsmbsharemodes0 and libsmbsharemodes-dev packages
- Don't build with dh-systemd
- Don't build ctdb and cluster support
- Restore recommends for the separate libnss-winbind and libpam-winbind
- Use correct epoch for ldb
- Don't remove samba init script in postinst
  * debian/patches/fix_pam_smbpass.patch: fix double free in pam_smbpass.
  * debian/patches/winbind_trusted_domains.patch: make sure domain members
can talk to trusted domains DCs.

Date: 2016-04-12 12:17:14.143790+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/samba/2:4.3.8+dfsg-0ubuntu0.14.04.2


[ubuntu/trusty-security] optipng 0.6.4-1ubuntu0.14.04.1 (Accepted)

2016-04-18 Thread Marc Deslauriers
optipng (0.6.4-1ubuntu0.14.04.1) trusty-security; urgency=medium

  * SECURITY UPDATE: out of bounds read/writes via malformed image
- debian/patches/CVE-2016-2191.patch: properly check bounds in
  src/pngxtern/pngxrbmp.c.
- CVE-2016-2191
  * SECURITY UPDATE: denial of service via use-after-free
- debian/patches/CVE-2015-7801.patch: fix free in src/opngoptim.c.
- CVE-2015-7801
  * SECURITY UPDATE: harmless out-of-bounds read
- debian/patches/CVE-2015-7802.patch: properly set last_byte in
  src/gifread/gifread.c.
- CVE-2015-7802

Date: 2016-04-13 18:16:14.102080+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/optipng/0.6.4-1ubuntu0.14.04.1


[ubuntu/trusty-security] php5 5.5.9+dfsg-1ubuntu4.16 (Accepted)

2016-04-21 Thread Marc Deslauriers
php5 (5.5.9+dfsg-1ubuntu4.16) trusty-security; urgency=medium

  * SECURITY UPDATE: directory traversal in ZipArchive::extractTo
- debian/patches/CVE-2014-9767.patch: use proper path in
  ext/zip/php_zip.c, added test to ext/zip/tests/bug70350.phpt.
- CVE-2014-9767
  * SECURITY UPDATE: type confusion issue in SoapClient
- debian/patches/CVE-2015-8835.patch: check types in
  ext/soap/php_http.c.
- CVE-2015-8835
- CVE-2016-3185
  * SECURITY UPDATE: mysqlnd is vulnerable to BACKRONYM
- debian/patches/CVE-2015-8838.patch: fix ssl handling in
  ext/mysqlnd/mysqlnd.c.
- CVE-2015-8838
  * SECURITY UPDATE: denial of service or memory disclosure in gd via large
bgd_color argument to imagerotate
- debian/patches/CVE-2016-1903.patch: check bgcolor in
  ext/gd/libgd/gd_interpolation.c, added test to
  ext/gd/tests/bug70976.phpt.
- CVE-2016-1903
  * SECURITY UPDATE: stack overflow when decompressing tar archives
- debian/patches/CVE-2016-2554.patch: handle non-terminated linknames
  in ext/phar/tar.c.
- CVE-2016-2554
  * SECURITY UPDATE: use-after-free in WDDX
- debian/patches/CVE-2016-3141.patch: fix stack in ext/wddx/wddx.c,
  added test to ext/wddx/tests/bug71587.phpt.
- CVE-2016-3141
  * SECURITY UPDATE: out-of-Bound Read in phar_parse_zipfile()
- debian/patches/CVE-2016-3142.patch: check bounds in ext/phar/zip.c.
- CVE-2016-3142
  * SECURITY UPDATE: libxml_disable_entity_loader setting is shared between
threads
- debian/patches/bug64938.patch: enable entity loader in
  ext/libxml/libxml.c.
- No CVE number
  * SECURITY UPDATE: openssl_random_pseudo_bytes() is not cryptographically
secure
- debian/patches/bug70014.patch: use RAND_bytes instead of deprecated
  RAND_pseudo_bytes in ext/openssl/openssl.c.
- No CVE number
  * SECURITY UPDATE: buffer over-write in finfo_open with malformed magic
file
- debian/patches/bug71527.patch: properly calculate length in
  ext/fileinfo/libmagic/funcs.c, added test to
  ext/fileinfo/tests/bug71527.magic.
- CVE number pending
  * SECURITY UPDATE: php_snmp_error() format string Vulnerability
- debian/patches/bug71704.patch: use format string in ext/snmp/snmp.c.
- CVE number pending
  * SECURITY UPDATE: integer overflow in php_raw_url_encode
- debian/patches/bug71798.patch: use size_t in ext/standard/url.c.
- CVE number pending
  * SECURITY UPDATE: invalid memory write in phar on filename containing
NULL
- debian/patches/bug71860.patch: require valid paths in
  ext/phar/phar.c, ext/phar/phar_object.c, fix tests in
  ext/phar/tests/badparameters.phpt,
  ext/phar/tests/create_path_error.phpt,
  ext/phar/tests/phar_extract.phpt,
  ext/phar/tests/phar_isvalidpharfilename.phpt,
  ext/phar/tests/phar_unlinkarchive.phpt,
  ext/phar/tests/pharfileinfo_construct.phpt.
- CVE number pending
  * SECURITY UPDATE: invalid negative size in mbfl_strcut
- debian/patches/bug71906.patch: fix length checks in
  ext/mbstring/libmbfl/mbfl/mbfilter.c.
- CVE number pending
  * This package does _NOT_ contain the changes from php5
(5.5.9+dfsg-1ubuntu4.15) in trusty-proposed.

Date: 2016-04-20 14:08:14.071566+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/php5/5.5.9+dfsg-1ubuntu4.16


[ubuntu/trusty-security] mysql-5.5 5.5.49-0ubuntu0.14.04.1 (Accepted)

2016-04-21 Thread Marc Deslauriers
mysql-5.5 (5.5.49-0ubuntu0.14.04.1) trusty-security; urgency=medium

  * SECURITY UPDATE: Update to 5.5.49 to fix security issues (LP: #1572559)
- http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
- CVE-2016-0640
- CVE-2016-0641
- CVE-2016-0642
- CVE-2016-0643
- CVE-2016-0644
- CVE-2016-0646
- CVE-2016-0647
- CVE-2016-0648
- CVE-2016-0649
- CVE-2016-0650
- CVE-2016-0666
- CVE-2016-2047

Date: 2016-04-20 15:50:12.593270+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/mysql-5.5/5.5.49-0ubuntu0.14.04.1


[ubuntu/trusty-security] pinba-engine-mysql 1.0.0-4ubuntu0.14.04.2 (Accepted)

2016-04-21 Thread Marc Deslauriers
pinba-engine-mysql (1.0.0-4ubuntu0.14.04.2) trusty-security; urgency=medium

  * Rebuild against mysql 5.5.49.

Date: 2016-04-20 21:01:12.838646+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/pinba-engine-mysql/1.0.0-4ubuntu0.14.04.2


[ubuntu/trusty-security] mysql-5.6 5.6.30-0ubuntu0.14.04.1 (Accepted)

2016-04-22 Thread Marc Deslauriers
mysql-5.6 (5.6.30-0ubuntu0.14.04.1) trusty-security; urgency=medium

  * SECURITY UPDATE: Update to 5.6.30 to fix security issues (LP: #1572559)
- http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
- CVE-2016-0639
- CVE-2016-0640
- CVE-2016-0641
- CVE-2016-0642
- CVE-2016-0643
- CVE-2016-0644
- CVE-2016-0646
- CVE-2016-0647
- CVE-2016-0648
- CVE-2016-0649
- CVE-2016-0650
- CVE-2016-0655
- CVE-2016-0661
- CVE-2016-0665
- CVE-2016-0666
- CVE-2016-0668
- CVE-2016-2047

Date: 2016-04-21 17:44:14.382447+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/mysql-5.6/5.6.30-0ubuntu0.14.04.1


[ubuntu/trusty-security] libsoup2.4 2.44.2-1ubuntu2.1 (Accepted)

2016-04-27 Thread Marc Deslauriers
libsoup2.4 (2.44.2-1ubuntu2.1) trusty-security; urgency=medium

  * debian/patches/new_samba_compat.patch: fix regression in NTLM
authentication caused by Samba security update (LP: #1573494)

Date: 2016-04-22 14:51:19.085297+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/libsoup2.4/2.44.2-1ubuntu2.1

