[ubuntu/xenial-security] openvpn 2.3.10-1ubuntu2.1 (Accepted)
openvpn (2.3.10-1ubuntu2.1) xenial-security; urgency=medium

  * SECURITY UPDATE: birthday attack when using 64-bit block cipher
    - debian/patches/CVE-2016-6329.patch: print warning if 64-bit cipher is selected in src/openvpn/crypto.c, src/openvpn/crypto_openssl.c, src/openvpn/crypto_polarssl.c, tests/t_lpback.sh.
    - CVE-2016-6329
  * SECURITY UPDATE: DoS due to Exhaustion of Packet-ID counter
    - debian/patches/CVE-2017-7479-pre.patch: merge packet_id_alloc_outgoing() into packet_id_write() in src/openvpn/crypto.c, src/openvpn/packet_id.c, src/openvpn/packet_id.h.
    - debian/patches/CVE-2017-7479.patch: drop packets instead of assert out if packet id rolls over in src/openvpn/crypto.c, src/openvpn/packet_id.c, src/openvpn/packet_id.h.
    - CVE-2017-7479
  * SECURITY UPDATE: Remotely-triggerable ASSERT() on malformed IPv6 packet
    - debian/patches/CVE-2017-7508.patch: remove assert in src/openvpn/mss.c.
    - CVE-2017-7508
  * SECURITY UPDATE: Remote-triggerable memory leaks
    - debian/patches/CVE-2017-7512.patch: fix leaks in src/openvpn/ssl_verify_openssl.c.
    - CVE-2017-7512
  * SECURITY UPDATE: Pre-authentication remote crash/information disclosure for clients
    - debian/patches/CVE-2017-7520.patch: prevent two kinds of stack buffer OOB reads and a crash for invalid input data in src/openvpn/ntlm.c.
    - CVE-2017-7520
  * SECURITY UPDATE: Potential double-free in --x509-alt-username and memory leaks
    - debian/patches/CVE-2017-7521.patch: fix double-free in src/openvpn/ssl_verify_openssl.c.
    - CVE-2017-7521
  * SECURITY UPDATE: DoS in establish_http_proxy_passthru()
    - debian/patches/establish_http_proxy_passthru_dos.patch: fix null-pointer dereference in src/openvpn/proxy.c.
    - No CVE number

Date: 2017-06-22 15:18:13.989450+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/openvpn/2.3.10-1ubuntu2.1
Sorry, changesfile not available.
-- 
Xenial-changes mailing list
Xenial-changes@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/xenial-changes
[ubuntu/xenial-security] valgrind 1:3.11.0-1ubuntu4.2 (Accepted)
valgrind (1:3.11.0-1ubuntu4.2) xenial-security; urgency=medium

  * SECURITY UPDATE: integer overflow in string_appends
    - debian/patches/CVE-2016-2226.patch: check for overflow in coregrind/m_demangle/cplus-dem.c, add xmalloc_failed and xmemdup to coregrind/m_demangle/vg_libciface.h.
    - CVE-2016-2226
  * SECURITY UPDATE: use-after-free vulnerabilities
    - debian/patches/CVE-2016-4487_4488.patch: set bsize and ksize in coregrind/m_demangle/cplus-dem.c.
    - CVE-2016-4487
    - CVE-2016-4488
  * SECURITY UPDATE: integer overflow in gnu_special
    - debian/patches/CVE-2016-4489.patch: handle case where consume_count returns -1 in coregrind/m_demangle/cplus-dem.c.
    - CVE-2016-4489
  * SECURITY UPDATE: integer overflow after sanity checks
    - debian/patches/CVE-2016-4490.patch: parse numbers as integer instead of long in coregrind/m_demangle/cp-demangle.c.
    - CVE-2016-4490
  * SECURITY UPDATE: denial of service via infinite recursion
    - debian/patches/CVE-2016-4491.patch: limit recursion in coregrind/m_demangle/cp-demangle.c, coregrind/m_demangle/demangle.h.
    - CVE-2016-4491
  * SECURITY UPDATE: buffer overflow in do_type
    - debian/patches/CVE-2016-4492_4493.patch: properly handle large values and overflow in coregrind/m_demangle/cplus-dem.c.
    - CVE-2016-4492
    - CVE-2016-4493
  * SECURITY UPDATE: denial of service via infinite recursion
    - debian/patches/CVE-2016-6131.patch: prevent infinite recursion in coregrind/m_demangle/cplus-dem.c, add XDUPVEC to coregrind/m_demangle/vg_libciface.h.
    - CVE-2016-6131

Date: 2017-06-07 20:23:15.256146+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/valgrind/1:3.11.0-1ubuntu4.2
[ubuntu/xenial-security] nss 2:3.28.4-0ubuntu0.16.04.2 (Accepted)
nss (2:3.28.4-0ubuntu0.16.04.2) xenial-security; urgency=medium

  * SECURITY UPDATE: DoS via empty SSLv2 messages
    - debian/patches/CVE-2017-7502.patch: reject broken v2 records in nss/lib/ssl/ssl3gthr.c, nss/lib/ssl/ssldef.c, nss/lib/ssl/sslimpl.h, added tests to nss/gtests/ssl_gtest/ssl_gather_unittest.cc, nss/gtests/ssl_gtest/ssl_gtest.gyp, nss/gtests/ssl_gtest/manifest.mn, nss/gtests/ssl_gtest/ssl_v2_client_hello_unittest.cc.
    - CVE-2017-7502

Date: 2017-06-16 13:18:14.224637+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/nss/2:3.28.4-0ubuntu0.16.04.2
[ubuntu/xenial-security] glibc 2.23-0ubuntu9 (Accepted)
glibc (2.23-0ubuntu9) xenial-security; urgency=medium

  * SECURITY UPDATE: LD_LIBRARY_PATH stack corruption
    - debian/patches/any/CVE-2017-1000366.patch: Completely ignore LD_LIBRARY_PATH for AT_SECURE=1 programs
    - CVE-2017-1000366
  * SECURITY UPDATE: LD_PRELOAD stack corruption
    - debian/patches/any/upstream-harden-rtld-Reject-overly-long-LD_PRELOAD.patch: Reject overly long names or names containing directories in LD_PRELOAD for AT_SECURE=1 programs.
  * debian/patches/any/cvs-harden-glibc-malloc-metadata.patch: add additional consistency check for 1-byte overflows
  * debian/patches/any/cvs-harden-ignore-LD_HWCAP_MASK.patch: ignore LD_HWCAP_MASK for AT_SECURE=1 programs

Date: 2017-06-16 19:21:13.761522+00:00
Changed-By: Steve Beattie <sbeat...@ubuntu.com>
Signed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/glibc/2.23-0ubuntu9
[ubuntu/xenial-security] exim4 4.86.2-2ubuntu2.2 (Accepted)
exim4 (4.86.2-2ubuntu2.2) xenial-security; urgency=medium

  * SECURITY UPDATE: memory leak
    - debian/patches/93_CVE-2017-1000368.patch: free -p argument if allocation was required.
    - CVE-2017-1000368

Date: 2017-06-03 05:52:13.988060+00:00
Changed-By: Steve Beattie <sbeat...@ubuntu.com>
Signed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/exim4/4.86.2-2ubuntu2.2
[ubuntu/xenial-security] zziplib 0.13.62-3ubuntu0.16.04.1 (Accepted)
zziplib (0.13.62-3ubuntu0.16.04.1) xenial-security; urgency=medium

  * SECURITY UPDATE: multiple security issues
    - debian/patches/*: synchronize security fixes with Debian's 0.13.62-3.1 release. Thanks to Josef Moellers of SuSE and Moritz Muehlenhoff of Debian!
    - CVE-2017-5974, CVE-2017-5975, CVE-2017-5976, CVE-2017-5978, CVE-2017-5979, CVE-2017-5980, CVE-2017-5981

Date: 2017-06-13 14:41:17.670605+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/zziplib/0.13.62-3ubuntu0.16.04.1
[ubuntu/xenial-security] libmwaw 0.3.7-1ubuntu2.1 (Accepted)
libmwaw (0.3.7-1ubuntu2.1) xenial-security; urgency=medium

  * SECURITY UPDATE: DoS and possible code exec via out-of-bounds write
    - debian/patches/CVE-2017-9433.patch: resize vector correctly in src/lib/MsWrd1Parser.cxx.
    - CVE-2017-9433

Date: 2017-06-13 19:38:13.900642+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/libmwaw/0.3.7-1ubuntu2.1
[ubuntu/xenial-security] libosip2 4.1.0-2+deb8u1build0.16.04.1 (Accepted)
libosip2 (4.1.0-2+deb8u1build0.16.04.1) xenial-security; urgency=medium

  * fake sync from Debian

libosip2 (4.1.0-2+deb8u1) jessie-security; urgency=medium

  * CVE-2016-10324 CVE-2016-10325 CVE-2016-10326 CVE-2017-7853

Date: 2017-06-14 15:51:16.196856+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
Maintainer: Debian VoIP Team <pkg-voip-maintain...@lists.alioth.debian.org>
https://launchpad.net/ubuntu/+source/libosip2/4.1.0-2+deb8u1build0.16.04.1
[ubuntu/xenial-security] libosip2 4.1.0-2build0.16.04.1 (Accepted)
libosip2 (4.1.0-2build0.16.04.1) xenial-security; urgency=medium

  * fake sync from Debian

Date: 2017-06-14 14:02:28.190315+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
Maintainer: Debian VoIP Team <pkg-voip-maintain...@lists.alioth.debian.org>
https://launchpad.net/ubuntu/+source/libosip2/4.1.0-2build0.16.04.1
[ubuntu/xenial-security] irssi 0.8.19-1ubuntu1.4 (Accepted)
irssi (0.8.19-1ubuntu1.4) xenial-security; urgency=medium

  * SECURITY UPDATE: DoS via DCC message without source nick/host
    - debian/patches/CVE-2017-9468.patch: check addr in src/irc/dcc/dcc-get.c.
    - CVE-2017-9468
  * SECURITY UPDATE: DoS via incorrectly quoted DCC files
    - debian/patches/CVE-2017-9469.patch: Fix oob read of one byte in src/irc/dcc/dcc-get.c, src/irc/dcc/dcc-resume.c.
    - CVE-2017-9469

Date: 2017-06-08 19:45:16.499742+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/irssi/0.8.19-1ubuntu1.4
[ubuntu/xenial-security] nagios3 3.5.1.dfsg-2.1ubuntu1.3 (Accepted)
nagios3 (3.5.1.dfsg-2.1ubuntu1.3) xenial-security; urgency=medium

  * SECURITY REGRESSION: event log cannot open log file (LP: #1690380)
    - debian/patches/CVE-2016-9566-regression.patch: relax permissions on log files in base/logging.c.
    - debian/nagios3-common.postinst: fix permissions on existing log file.

nagios3 (3.5.1.dfsg-2.1ubuntu1.2) xenial; urgency=medium

  * debian/patches/fix_permissions_for_hostgroups_reports.patch: Fix permissions for hostgroups reports. Thanks to John C. Frickson <jfrick...@nagios.com>. Closes LP: #1686768.

Date: 2017-06-06 13:37:20.521113+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/nagios3/3.5.1.dfsg-2.1ubuntu1.3
[ubuntu/xenial-security] libnl3 3.2.27-1ubuntu0.16.04.1 (Accepted)
libnl3 (3.2.27-1ubuntu0.16.04.1) xenial-security; urgency=medium

  * SECURITY UPDATE: integer-overflow in nlmsg_reserve()
    - debian/patches/CVE-2017-0553.patch: check len in lib/msg.c.
    - CVE-2017-0553

Date: 2017-06-02 13:58:14.389104+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/libnl3/3.2.27-1ubuntu0.16.04.1
[ubuntu/xenial-security] lintian 2.5.43ubuntu0.1 (Accepted)
lintian (2.5.43ubuntu0.1) xenial-security; urgency=medium

  * SECURITY UPDATE: code execution via YAML parsing
    - checks/upstream-metadata.pm: disable YAML parser.
    - t/tests/upstream-metadata-invalid-yml/skip: skip test.
    - 0a2f38ecbc70d34a4b77c93a030555b310bd34ff
    - CVE-2017-8829

Date: 2017-06-05 20:58:16.265846+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/lintian/2.5.43ubuntu0.1
[ubuntu/xenial-security] libtasn1-6 4.7-3ubuntu0.16.04.2 (Accepted)
libtasn1-6 (4.7-3ubuntu0.16.04.2) xenial-security; urgency=medium

  * SECURITY UPDATE: buffer overflow via specially crafted assignments file
    - debian/patches/CVE-2017-6891.patch: add checks to lib/parser_aux.c.
    - CVE-2017-6891

Date: 2017-06-01 17:50:29.590882+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/libtasn1-6/4.7-3ubuntu0.16.04.2
[ubuntu/xenial-security] openldap 2.4.42+dfsg-2ubuntu3.2 (Accepted)
openldap (2.4.42+dfsg-2ubuntu3.2) xenial-security; urgency=medium

  * SECURITY UPDATE: denial of service via search with page size of 0
    - debian/patches/CVE-2017-9287.patch: fix double-free in servers/slapd/back-mdb/search.c.
    - CVE-2017-9287

Date: 2017-05-31 18:37:14.580133+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/openldap/2.4.42+dfsg-2ubuntu3.2
[ubuntu/xenial-security] tiff 4.0.6-1ubuntu0.2 (Accepted)
tiff (4.0.6-1ubuntu0.2) xenial-security; urgency=medium

  * SECURITY REGRESSION: JPEG tiff read and write issue due to misapplied patches (LP: #1670036)
    - debian/patches/CVE-2016-9297_and_CVE-2016-9448_correct.patch: replace two previous patches with one that applies fix to correct location.
    - Thanks to John Cupitt and Even Rouault

Date: 2017-05-29 12:21:17.322967+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/tiff/4.0.6-1ubuntu0.2
[ubuntu/xenial-security] webkit2gtk 2.16.3-0ubuntu0.16.04.1 (Accepted)
webkit2gtk (2.16.3-0ubuntu0.16.04.1) xenial-security; urgency=medium

  * Updated to 2.16.3 to fix multiple security issues.
    - CVE-2017-2496
    - CVE-2017-2510
    - CVE-2017-2539

webkit2gtk (2.16.2-0ubuntu0.16.04.1) xenial; urgency=medium

  * New upstream release (LP: #1690536)
  * Drop patches applied in new release
    - fix-google-login.patch
    - fix-new-youtube.patch

webkit2gtk (2.16.1-0ubuntu0.16.04.2) xenial; urgency=medium

  * Add fix-google-login.patch:
    - Backport from 2.16.2 to fix Google login in Epiphany, GNOME Online Accounts, etc. (LP: #1687019)
  * Add fix-new-youtube.patch:
    - Backport from 2.16.2 to fix the new (May 2017 opt-in) YouTube

Date: 2017-05-26 10:56:13.494626+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/webkit2gtk/2.16.3-0ubuntu0.16.04.1
[ubuntu/xenial-security] imagemagick 8:6.8.9.9-7ubuntu5.7 (Accepted)
imagemagick (8:6.8.9.9-7ubuntu5.7) xenial-security; urgency=medium

  * SECURITY UPDATE: multiple security issues
    - debian/patches/*: synchronize security fixes with Debian's 8:6.8.9.9-5+deb8u9 release. Once again, thanks to Bastien Roucariès for the excellent work this update is based on!
    - CVE-2017-7606, CVE-2017-7619, CVE-2017-7941, CVE-2017-7943, CVE-2017-8343, CVE-2017-8344, CVE-2017-8345, CVE-2017-8346, CVE-2017-8347, CVE-2017-8348, CVE-2017-8349, CVE-2017-8350, CVE-2017-8351, CVE-2017-8352, CVE-2017-8353, CVE-2017-8354, CVE-2017-8355, CVE-2017-8356, CVE-2017-8357, CVE-2017-8765, CVE-2017-8830, CVE-2017-9098, CVE-2017-9141, CVE-2017-9142, CVE-2017-9143, CVE-2017-9144

Date: 2017-05-26 13:33:23.018156+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/imagemagick/8:6.8.9.9-7ubuntu5.7
[ubuntu/xenial-security] strongswan 5.3.5-1ubuntu3.3 (Accepted)
strongswan (5.3.5-1ubuntu3.3) xenial-security; urgency=medium

  * SECURITY UPDATE: Insufficient Input Validation in gmp Plugin
    - debian/patches/CVE-2017-9022.patch: make sure the modulus is odd and the exponent not zero in src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c.
    - CVE-2017-9022
  * SECURITY UPDATE: Incorrect Handling of CHOICE types in ASN.1 parser and x509 plugin
    - debian/patches/CVE-2017-9023.patch: fix CHOICE parsing in src/libstrongswan/asn1/asn1_parser.*, src/libstrongswan/plugins/x509/x509_cert.c.
    - CVE-2017-9023

Date: 2017-05-24 20:15:14.289365+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/strongswan/5.3.5-1ubuntu3.3
[ubuntu/xenial-security] miniupnpc 1.9.20140610-2ubuntu2.16.04.1 (Accepted)
miniupnpc (1.9.20140610-2ubuntu2.16.04.1) xenial-security; urgency=medium

  * SECURITY UPDATE: integer signedness error
    - debian/patches/CVE-2017-8798_integer_signedness_error.patch: fix comparisons in miniwget.c.
    - CVE-2017-8798
  * SECURITY UPDATE: buffer overflow in simpleUPnPcommand2
    - debian/patches/More_accurate_checking_*.patch: perform better checking while writing buffer in miniupnpc.c.
    - No CVE number

Date: 2017-05-19 15:43:14.373871+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/miniupnpc/1.9.20140610-2ubuntu2.16.04.1
[ubuntu/xenial-security] jbig2dec 0.12+20150918-1ubuntu0.1 (Accepted)
jbig2dec (0.12+20150918-1ubuntu0.1) xenial-security; urgency=medium

  * SECURITY UPDATE: integer overflow in jbig2_image_new
    - debian/patches/CVE-2016-9601-pre.patch: prevent checking too early in jbig2.c.
    - debian/patches/CVE-2016-9601-1.patch: fix signed/unsigned warnings in jbig2.c, jbig2.h, jbig2_generic.c, jbig2_halftone.c, jbig2_huffman.c, jbig2_huffman.h, jbig2_image.c, jbig2_mmr.c, jbig2_page.c, jbig2_priv.h, jbig2_segment.c, jbig2_symbol_dict.c, jbig2_symbol_dict.h, jbig2_text.c, jbig2_text.h.
    - debian/patches/CVE-2016-9601-2.patch: fix warnings in jbig2_image.c, jbig2_mmr.c, jbig2_symbol_dict.c.
    - CVE-2016-9601
  * SECURITY UPDATE: integer overflow in jbig2_decode_symbol_dict
    - debian/patches/CVE-2017-7885.patch: add extra check to jbig2_symbol_dict.c.
    - CVE-2017-7885
  * SECURITY UPDATE: integer overflow in jbig2_build_huffman_table
    - debian/patches/CVE-2017-7975.patch: use uint32_t in jbig2_huffman.c.
    - CVE-2017-7975
  * SECURITY UPDATE: integer overflow in jbig2_image_compose
    - debian/patches/CVE-2017-7976.patch: add bounds check to jbig2_image.c.
    - CVE-2017-7976

Date: 2017-05-19 14:00:37.082174+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/jbig2dec/0.12+20150918-1ubuntu0.1
[ubuntu/xenial-security] samba 2:4.3.11+dfsg-0ubuntu0.16.04.7 (Accepted)
samba (2:4.3.11+dfsg-0ubuntu0.16.04.7) xenial-security; urgency=medium

  * SECURITY UPDATE: remote code execution from a writable share
    - debian/patches/CVE-2017-7494.patch: refuse to open pipe names with a slash inside in source3/rpc_server/srv_pipe.c.
    - CVE-2017-7494

Date: 2017-05-20 17:30:14.345542+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/samba/2:4.3.11+dfsg-0ubuntu0.16.04.7
[ubuntu/xenial-security] jasper 1.900.1-debian1-2.4ubuntu1.1 (Accepted)
jasper (1.900.1-debian1-2.4ubuntu1.1) xenial-security; urgency=medium

  * SECURITY UPDATE: multiple security issues
    - debian/patches/*: synchronize security fixes with Debian's 1.900.1-debian1-2.4+deb8u3 release. Thanks!
    - CVE-2016-1867, CVE-2016-2089, CVE-2016-8654, CVE-2016-8691, CVE-2016-8692, CVE-2016-8693, CVE-2016-8882, CVE-2016-9560, CVE-2016-9591, CVE-2016-10249, CVE-2016-10251

Date: 2017-05-18 15:11:13.668803+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/jasper/1.900.1-debian1-2.4ubuntu1.1
[ubuntu/xenial-security] bash 4.3-14ubuntu1.2 (Accepted)
bash (4.3-14ubuntu1.2) xenial-security; urgency=medium

  * SECURITY UPDATE: word expansions on the prompt strings (LP: #1507025)
    - debian/patches/bash43-047.diff: add quoting to parse.y, y.tab.c.
    - CVE-2016-0634
  * SECURITY UPDATE: code execution via crafted SHELLOPTS and PS4 (LP: #1689304)
    - debian/patches/bash43-048.diff: check for root in variables.c.
    - CVE-2016-7543
  * SECURITY UPDATE: restricted shell bypass via use-after-free
    - debian/patches/bash44-006.diff: check for negative offsets in builtins/pushd.def.
    - CVE-2016-9401

Date: 2017-05-16 12:41:25.708711+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/bash/4.3-14ubuntu1.2
[ubuntu/xenial-security] git 1:2.7.4-0ubuntu1.1 (Accepted)
git (1:2.7.4-0ubuntu1.1) xenial-security; urgency=medium

  * SECURITY UPDATE: git shell restriction bypass
    - debian/patches/CVE-2017-8386.patch: disallow repo names beginning with dash in shell.c.
    - CVE-2017-8386

Date: 2017-05-12 15:19:59.981263+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/git/1:2.7.4-0ubuntu1.1
[ubuntu/xenial-security] kde4libs 4:4.14.16-0ubuntu3.2 (Accepted)
kde4libs (4:4.14.16-0ubuntu3.2) xenial-security; urgency=medium

  * SECURITY UPDATE: Local privilege escalation (LP: #1689759)
    - debian/patches/kauth-local-privilege-esc-CVE-2017-8422.patch
    - Thanks to Sebastian Krahmer for reporting this issue, Albert Astals Cid for fixing this issue.
    - CVE-2017-8422

Date: 2017-05-15 12:02:25.818085+00:00
Changed-By: Rik Mills <rik.mill...@gmail.com>
Signed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/kde4libs/4:4.14.16-0ubuntu3.2
[ubuntu/xenial-security] xen 4.6.5-0ubuntu1.1 (Accepted)
-2016-4963 / XSA-178 - Unsanitised driver domain input in libxl device handling
  * CVE-2016-5242 / XSA-181 - arm: Host crash caused by VMID exhaustion
  * CVE-2016-6258 / XSA-182 - x86: Privilege escalation in PV guests
  * CVE-2016-6259 / XSA-183 - x86: Missing SMAP whitelisting in 32-bit exception / event delivery
  * CVE-2016-7092 / XSA-185 - x86: Disallow L3 recursive pagetable for 32-bit PV guests
  * CVE-2016-7094 / XSA-187 - x86 HVM: Overflow of sh_ctxt->seg_reg[]
  * CVE-2016- / XSA-190 - CR0.TS and CR0.EM not always honored for x86 HVM guests
  * CVE-2016-9386 / XSA-191 - x86 null segments not always treated as unusable
  * CVE-2016-9382 / XSA-192 - x86 task switch to VM86 mode mis-handled
  * CVE-2016-9385 / XSA-193 - x86 segment base write emulation lacking canonical address checks
  * CVE-2016-9383 / XSA-195 - x86 64-bit bit test instruction emulation broken
  * CVE-2016-9377, CVE-2016-9378 / XSA-196 - x86 software interrupt injection mis-handled
  * CVE-2016-9379, CVE-2016-9380 / XSA-198 - delimiter injection vulnerabilities in pygrub
  * CVE-2016-9932 / XSA-200 - x86 CMPXCHG8B emulation fails to ignore operand size override
  * CVE-2016-9815, CVE-2016-9816, CVE-2016-9817, CVE-2016-9818 / XSA-201 - ARM guests may induce host asynchronous abort
  * CVE-2016-10024 / XSA-202 - x86 PV guests may be able to mask interrupts
  * CVE-2016-10025 / XSA-203 - x86: missing NULL pointer check in VMFUNC emulation
  * CVE-2016-10013 / XSA-204 - x86: Mishandling of SYSCALL singlestep during emulation

Date: 2017-05-12 11:57:33.983289+00:00
Changed-By: Stefan Bader <stefan.ba...@canonical.com>
Signed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/xen/4.6.5-0ubuntu1.1
[ubuntu/xenial-security] rtmpdump 2.4+20151223.gitfa8646d-1ubuntu0.1 (Accepted)
rtmpdump (2.4+20151223.gitfa8646d-1ubuntu0.1) xenial-security; urgency=medium

  * SECURITY UPDATE: denial of service in AMF3ReadString function
    - debian/patches/CVE-2015-8270.patch: init str on unsupported references in librtmp/amf.c.
    - CVE-2015-8270
  * SECURITY UPDATE: arbitrary code execution in AMF3CD_AddProp function
    - debian/patches/CVE-2015-8271-1.patch: check for input buffer underrun in librtmp/amf.c.
    - debian/patches/CVE-2015-8271-2.patch: more input buffer checks in librtmp/amf.c.
    - CVE-2015-8271
  * SECURITY UPDATE: denial of service via null pointer dereference
    - debian/patches/CVE-2015-8272.patch: ignore requests without playpath in rtmpsrv.c.
    - CVE-2015-8272

Date: 2017-05-05 13:54:19.503807+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/rtmpdump/2.4+20151223.gitfa8646d-1ubuntu0.1
[ubuntu/xenial-security] freetype 2.6.1-0.1ubuntu2.3 (Accepted)
freetype (2.6.1-0.1ubuntu2.3) xenial-security; urgency=medium

  * SECURITY UPDATE: out-of-bounds write in t1_decoder_parse_charstrings
    - debian/patches-freetype/CVE-2017-8105.patch: add a check to src/psaux/t1decode.c.
    - CVE-2017-8105
  * SECURITY UPDATE: out-of-bounds write in t1_builder_close_contour
    - debian/patches-freetype/CVE-2017-8287.patch: add a check to src/psaux/psobjs.c.
    - CVE-2017-8287

Date: 2017-05-04 17:03:22.225536+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/freetype/2.6.1-0.1ubuntu2.3
[ubuntu/xenial-security] apache2 2.4.18-2ubuntu3.2 (Accepted)
apache2 (2.4.18-2ubuntu3.2) xenial-security; urgency=medium

  * SECURITY UPDATE: mod_sessioncrypto padding oracle attack issue
    - debian/patches/CVE-2016-0736.patch: authenticate the session data/cookie with a MAC in modules/session/mod_session_crypto.c.
    - CVE-2016-0736
  * SECURITY UPDATE: denial of service via malicious mod_auth_digest input
    - debian/patches/CVE-2016-2161.patch: improve memory handling in modules/aaa/mod_auth_digest.c.
    - CVE-2016-2161
  * SECURITY UPDATE: response splitting and cache pollution issue via incomplete RFC7230 HTTP request grammar enforcing
    - debian/patches/CVE-2016-8743.patch: enforce stricter parsing in include/http_core.h, include/http_protocol.h, include/httpd.h, modules/http/http_filters.c, server/core.c, server/gen_test_char.c, server/protocol.c, server/util.c, server/vhost.c.
    - debian/patches/hostnames_with_underscores.diff: relax hostname restrictions in server/vhost.c.
    - CVE-2016-8743
  * WARNING: The fix for CVE-2016-8743 introduces a behavioural change and may introduce compatibility issues with clients that do not strictly follow specifications. A new configuration directive, "HttpProtocolOptions Unsafe" can be used to re-enable some of the less strict parsing restrictions, at the expense of security.

Date: 2017-05-05 21:02:40.238212+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/apache2/2.4.18-2ubuntu3.2
[ubuntu/xenial-security] icu 55.1-7ubuntu0.2 (Accepted)
icu (55.1-7ubuntu0.2) xenial-security; urgency=medium

  * SECURITY UPDATE: out-of-bounds write in common/utext.cpp (LP: #1684298)
    - debian/patches/CVE-2017-786x.patch: properly handle chunk size in source/common/utext.cpp, added test to source/test/intltest/utxttest.cpp, source/test/intltest/utxttest.h.
    - CVE-2017-7867
    - CVE-2017-7868

Date: 2017-05-02 13:42:26.986023+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/icu/55.1-7ubuntu0.2
[ubuntu/xenial-security] libreoffice 1:5.1.6~rc2-0ubuntu1~xenial2 (Accepted)
libreoffice (1:5.1.6~rc2-0ubuntu1~xenial2) xenial-security; urgency=medium

  * SECURITY UPDATE: out-of-bounds write in ReadEnhWMF function
    - debian/patches/CVE-2016-10327.patch: add check to vcl/source/filter/wmf/enhwmf.cxx.
    - CVE-2016-10327
  * SECURITY UPDATE: out-of-bounds write in tools::Polygon::Insert function
    - debian/patches/CVE-2017-7870.patch: check if ImplSplit succeeded in tools/inc/poly.h, tools/source/generic/poly.cxx.
    - CVE-2017-7870

Date: 2017-04-28 14:46:14.076465+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/libreoffice/1:5.1.6~rc2-0ubuntu1~xenial2
[ubuntu/xenial-security] nspr 2:4.13.1-0ubuntu0.16.04.1 (Accepted)
nspr (2:4.13.1-0ubuntu0.16.04.1) xenial-security; urgency=medium

  * Update to 4.13.1 to support nss security update.

Date: 2017-04-26 15:08:16.622901+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/nspr/2:4.13.1-0ubuntu0.16.04.1
[ubuntu/xenial-security] mysql-5.7 5.7.18-0ubuntu0.16.04.1 (Accepted)
mysql-5.7 (5.7.18-0ubuntu0.16.04.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Update to 5.7.18 to fix security issues
    - CVE-2017-3308, CVE-2017-3309, CVE-2017-3329, CVE-2017-3331, CVE-2017-3450, CVE-2017-3453, CVE-2017-3454, CVE-2017-3455, CVE-2017-3456, CVE-2017-3457, CVE-2017-3458, CVE-2017-3459, CVE-2017-3460, CVE-2017-3461, CVE-2017-3462, CVE-2017-3463, CVE-2017-3464, CVE-2017-3465, CVE-2017-3467, CVE-2017-3468, CVE-2017-3599, CVE-2017-3600
  * Removed patches included in new version:
    - debian/patches/fix_test_events_2.patch
  * debian/mysql-server-5.7.install: added connection_control.so
  * debian/server-core.install: removed my-default.cnf

mysql-5.7 (5.7.17-0ubuntu0.16.04.2) xenial; urgency=medium

  * Add libjson-perl dependency for test suite (LP: #1631338)
    The last two python tests in the mtr suite were rewritten in perl, and require this package. Added for mysql-testsuite and as a build-dep.
  * Build with DWITH_LZ4=system (LP: #1631339)
    Package was previously built with bundled liblz4, though it was specified as a build-dep.
  * Add support for custom datadir to systemd service (LP: #1574782)
    The service was reporting an error if no database could be found in /var/lib/mysql. It now checks the location specified in the config. Note that user must still handle apparmor access for custom datadir.
  * Fix copy of soft-link datadir to /var/lib/mysql-upgrade (LP: #1474212)
    Upgrade would sometimes fail if mysql-upgrade already contained a link copy from a previous upgrade.
  * Escape special characters in password (LP: #1598992)
    Special characters in the root password would cause syntax errors and postinst failures.
  * Failing tests on platforms supported by upstream fail build (LP: #1646488)
    A passing test suite is now enforced on i386 and amd64 platforms at build-time.
  * d/copyright: Updated with information about new source files
  * Unstable test main.xa_prepared_binlog_off disabled pending upstream fix.
    Upstream bug report: http://bugs.mysql.com/bug.php?id=83340
  * d/lintian-overrides: Updated line numbers

Date: 2017-04-27 00:00:33.418485+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/mysql-5.7/5.7.18-0ubuntu0.16.04.1
[ubuntu/xenial-security] qemu 1:2.5+dfsg-5ubuntu10.11 (Accepted)
      hw/display/virtio-gpu.c.
    - CVE-2017-5578
  * SECURITY UPDATE: DoS via memory leak in 16550A UART emulation
    - debian/patches/CVE-2017-5579.patch: properly free resources in
      hw/char/serial.c.
    - CVE-2017-5579
  * SECURITY UPDATE: code execution via SDHCI device emulation
    - debian/patches/CVE-2017-5667.patch: check data length in hw/sd/sdhci.c.
    - CVE-2017-5667
  * SECURITY UPDATE: DoS via memory leak in MegaRAID SAS device
    - debian/patches/CVE-2017-5856.patch: properly handle memory in
      hw/scsi/megasas.c.
    - CVE-2017-5856
  * SECURITY UPDATE: DoS via memory leak in virtio GPU device
    - debian/patches/CVE-2017-5857.patch: properly clean up in
      hw/display/virtio-gpu-3d.c.
    - CVE-2017-5857
  * SECURITY UPDATE: DoS in CCID Card device
    - debian/patches/CVE-2017-5898.patch: check ccid apdu length in
      hw/usb/dev-smartcard-reader.c.
    - CVE-2017-5898
  * SECURITY UPDATE: DoS via infinite loop in USB xHCI controller emulator
    - debian/patches/CVE-2017-5973.patch: apply limits to loops in
      hw/usb/hcd-xhci.c, trace-events.
    - CVE-2017-5973
  * SECURITY UPDATE: DoS via infinite loop in SDHCI device emulation
    - debian/patches/CVE-2017-5987-*.patch: fix transfer mode register
      handling in hw/sd/sdhci.c.
    - CVE-2017-5987
  * SECURITY UPDATE: DoS via infinite loop in USB OHCI emulation
    - debian/patches/CVE-2017-6505.patch: limit the number of link eds in
      hw/usb/hcd-ohci.c.
    - CVE-2017-6505
  * A work-around to fix live migrations (LP: #1647389)
    - debian/patches/CVE-2016-5403-5.patch: fix vq->inuse recalc after
      migration in hw/virtio/virtio.c.
    - debian/patches/CVE-2016-5403-6.patch: make sure vdev->vq[i].inuse never
      goes below 0 in hw/virtio/virtio.c.

qemu (1:2.5+dfsg-5ubuntu10.10) xenial; urgency=medium

  [ Nishanth Aravamudan ]
  * debian/patches/ubuntu/add_force_size_option.patch: block/vpc: fix VHD
    size calculation. (LP: #1490611)

qemu (1:2.5+dfsg-5ubuntu10.9) xenial; urgency=medium

  * fix ambiguous machine trusty and utopic machine types (LP: #1641532)
    - d/p/ubuntu/define-ubuntu-machine-types.patch update type definitions
    - d/qemu-system-x86.NEWS to describe the issue

qemu (1:2.5+dfsg-5ubuntu10.8) xenial; urgency=medium

  [ Dmitrii Shcherbakov ]
  * d/p/ubuntu/net-fix-qemu_announce_self-not-emitting-packets.patch:
    Cherrypick upstream patch: net: fix qemu_announce_self not emitting
    packets (LP: #1656480)

qemu (1:2.5+dfsg-5ubuntu10.7) xenial; urgency=medium

  [ Rafael David Tinoco ]
  * Fixed wrong migration blocker when vhost is used (LP: #1626972)
    - d/p/vhost_migration-blocker-only-if-shared-log-is-used.patch

Date: 2017-04-05 14:58:25.077978+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/qemu/1:2.5+dfsg-5ubuntu10.11
[ubuntu/xenial-security] webkit2gtk 2.16.1-0ubuntu0.16.04.1 (Accepted)
webkit2gtk (2.16.1-0ubuntu0.16.04.1) xenial-security; urgency=medium

  * Updated to 2.16.1 to fix multiple security issues.
    - debian/patches/*: refreshed.
    - debian/control: add libgcrypt20-dev to BuildDepends, removed
      libgnutls28-dev.
    - libwebkit2gtk-4.0-37.symbols: updated for new version.

Date: 2017-04-08 01:27:13.459849+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/webkit2gtk/2.16.1-0ubuntu0.16.04.1
[ubuntu/xenial-security] python-django 1.8.7-1ubuntu5.5 (Accepted)
python-django (1.8.7-1ubuntu5.5) xenial-security; urgency=medium

  * SECURITY UPDATE: Open redirect and possible XSS attack via user-supplied
    numeric redirect URLs
    - debian/patches/CVE-2017-7233.patch: fix is_safe_url() with numeric URLs
      in django/utils/http.py, added tests to tests/utils_tests/test_http.py.
    - CVE-2017-7233
  * SECURITY UPDATE: Open redirect vulnerability in django.views.static.serve()
    - debian/patches/CVE-2017-7234.patch: remove redirect from
      django/views/static.py.
    - CVE-2017-7234

Date: 2017-03-29 13:24:14.014529+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/python-django/1.8.7-1ubuntu5.5
[ubuntu/xenial-security] nagios3 3.5.1.dfsg-2.1ubuntu1.1 (Accepted)
nagios3 (3.5.1.dfsg-2.1ubuntu1.1) xenial-security; urgency=medium

  * SECURITY UPDATE: off-by-one errors leading to DoS or info disclosure
    - debian/patches/CVE-2013-7xxx.patch: fix off-by-ones and check length in
      cgi/avail.c, cgi/cmd.c, cgi/config.c, cgi/extinfo.c, cgi/histogram.c,
      cgi/notifications.c, cgi/outages.c, cgi/status.c, cgi/statusmap.c,
      cgi/statuswml.c, cgi/summary.c, cgi/trends.c, contrib/daemonchk.c.
    - CVE-2013-7108
    - CVE-2013-7205
  * SECURITY UPDATE: DoS via long message to cmd.cgi
    - debian/patches/CVE-2014-1878.patch: check len in cgi/cmd.c.
    - CVE-2014-1878
  * SECURITY UPDATE: symlink attack on log file
    - debian/patches/CVE-2016-9566.patch: safely handle log file in
      base/logging.c.
    - CVE-2016-9566

Date: 2017-03-31 20:06:13.426678+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/nagios3/3.5.1.dfsg-2.1ubuntu1.1
[ubuntu/xenial-security] samba 2:4.3.11+dfsg-0ubuntu0.16.04.6 (Accepted)
samba (2:4.3.11+dfsg-0ubuntu0.16.04.6) xenial-security; urgency=medium

  * SECURITY REGRESSION: follow symlinks issue (LP: #1675698)
    - debian/patches/CVE-2017-2619/bug12721-*.patch: add fixes from Samba
      bug #12721.
  * Add missing prerequisite for previous update
    - debian/patches/CVE-2017-2619/bug12172.patch: handle non-existent files
      and wildcards in source3/modules/vfs_shadow_copy2.c.

Date: 2017-03-28 15:04:13.936156+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/samba/2:4.3.11+dfsg-0ubuntu0.16.04.6
[ubuntu/xenial-security] gst-plugins-good1.0 1.8.3-1ubuntu0.4 (Accepted)
gst-plugins-good1.0 (1.8.3-1ubuntu0.4) xenial-security; urgency=medium

  * SECURITY UPDATE: DoS in gst_aac_parse_sink_setcaps
    - debian/patches/CVE-2016-10198.patch: make sure there's enough data in
      gst/audioparsers/gstaacparse.c.
    - CVE-2016-10198
  * SECURITY UPDATE: DoS in qtdemux_tag_add_str_full
    - debian/patches/CVE-2016-10199.patch: fix out of bounds read in
      gst/isomp4/qtdemux.c.
    - CVE-2016-10199
  * SECURITY UPDATE: DoS in qtdemux_parse_samples
    - debian/patches/CVE-2017-5840.patch: properly increment stts index in
      gst/isomp4/qtdemux.c.
    - CVE-2017-5840
  * SECURITY UPDATE: DoS in gst_avi_demux_parse_ncdt
    - debian/patches/CVE-2017-5841.patch: fix out of bounds reads in
      gst/avi/gstavidemux.c.
    - CVE-2017-5841
  * SECURITY UPDATE: DoS in gst_avi_demux_parse_ncdt
    - debian/patches/CVE-2017-5845.patch: check size in gst/avi/gstavidemux.c.
    - CVE-2017-5845

gst-plugins-good1.0 (1.8.3-1ubuntu0.3) xenial; urgency=medium

  * Rebase on top of security update again.

gst-plugins-good1.0 (1.8.3-1ubuntu0.2) xenial; urgency=medium

  * Rebase on top of security update.

gst-plugins-good1.0 (1.8.3-1ubuntu0.1) xenial; urgency=medium

  * No-change backport from yakkety to 16.04 (LP: #1619600)

gst-plugins-good1.0 (1.8.3-1ubuntu1) yakkety; urgency=medium

  * Merge with Debian unstable; remaining changes:
    + Import plugins from -bad that are needed for main applications.
      - jpegformat
      - camerabin2 (+ basecamerabinsrc + photography)
    + Break and Replace -bad versions which contained these plugins.
    + Add a library package containing the shared library and a -dev package
      for compiling against it. Add Breaks and Replaces against the plugins
      packages which formerly contained files shipped here.
    + Add 'pluginsdir' variable to our added pcfile for compatibility with
      some external software
    + debian/control{,.in}: Update Vcs-* for Ubuntu

gst-plugins-good1.0 (1.8.3-1) unstable; urgency=medium

  * New upstream bugfix release.

Date: 2017-03-24 13:45:22.195185+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/gst-plugins-good1.0/1.8.3-1ubuntu0.4
[ubuntu/xenial-security] gst-plugins-base1.0 1.8.3-1ubuntu0.2 (Accepted)
gst-plugins-base1.0 (1.8.3-1ubuntu0.2) xenial-security; urgency=medium

  * SECURITY UPDATE: DoS in windows_icon_typefind
    - debian/patches/CVE-2016-9811.patch: add bounds check in
      gst/typefind/gsttypefindfunctions.c.
    - CVE-2016-9811
  * SECURITY UPDATE: DoS in gst_riff_create_audio_caps
    - debian/patches/CVE-2017-5837.patch: check for valid channels/rate in
      gst-libs/gst/riff/riff-media.c.
    - CVE-2017-5837
  * SECURITY UPDATE: DoS in gst_riff_create_audio_caps
    - debian/patches/CVE-2017-5839.patch: fix infinite recursion in
      gst-libs/gst/riff/riff-media.c.
    - CVE-2017-5839
  * SECURITY UPDATE: DoS in html_context_handle_element
    - debian/patches/CVE-2017-5842.patch: check for non-zero length in
      gst/subparse/samiparse.c.
    - CVE-2017-5842
  * SECURITY UPDATE: DoS in gst_riff_create_audio_caps
    - debian/patches/CVE-2017-5844.patch: fix divide by zero in
      gst-libs/gst/riff/riff-media.c.
    - CVE-2017-5844

gst-plugins-base1.0 (1.8.3-1ubuntu0.1) xenial; urgency=medium

  * No-change backport from yakkety to 16.04 (LP: #1619600)

gst-plugins-base1.0 (1.8.3-1ubuntu1) yakkety; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    + 0001-riff-Add-input-buffer-size-to-GstCaps.patch: Take patch from
      Alfonso Sanchez-Beato on upstream bug #737599 to add a field in the
      GstCaps containing the suggested buffer size for this stream.
    + Update Vcs-* for Ubuntu

gst-plugins-base1.0 (1.8.3-1) unstable; urgency=medium

  * New upstream bugfix release.

Date: 2017-03-24 13:41:24.877755+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/gst-plugins-base1.0/1.8.3-1ubuntu0.2
[ubuntu/xenial-security] gst-plugins-base0.10 0.10.36-2ubuntu0.1 (Accepted)
gst-plugins-base0.10 (0.10.36-2ubuntu0.1) xenial-security; urgency=medium

  * SECURITY UPDATE: DoS in windows_icon_typefind
    - debian/patches/CVE-2016-9811.patch: add bounds check in
      gst/typefind/gsttypefindfunctions.c.
    - CVE-2016-9811
  * SECURITY UPDATE: DoS in gst_riff_create_audio_caps
    - debian/patches/CVE-2017-5837.patch: check for valid channels/rate in
      gst-libs/gst/riff/riff-media.c.
    - CVE-2017-5837
  * SECURITY UPDATE: DoS in gst_riff_create_audio_caps
    - debian/patches/CVE-2017-5844.patch: fix divide by zero in
      gst-libs/gst/riff/riff-media.c.
    - CVE-2017-5844
  * debian/patches/docs_ftbfs.patch: fix FTBFS.

Date: 2017-03-24 13:43:17.272582+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/gst-plugins-base0.10/0.10.36-2ubuntu0.1
[ubuntu/xenial-security] gst-plugins-good0.10 0.10.31-3+nmu4ubuntu2.16.04.3 (Accepted)
gst-plugins-good0.10 (0.10.31-3+nmu4ubuntu2.16.04.3) xenial-security; urgency=medium

  * SECURITY UPDATE: DoS in gst_aac_parse_sink_setcaps
    - debian/patches/CVE-2016-10198.patch: make sure there's enough data in
      gst/audioparsers/gstaacparse.c.
    - CVE-2016-10198
  * SECURITY UPDATE: DoS in qtdemux_tag_add_str_full
    - debian/patches/CVE-2016-10199.patch: fix out of bounds read in
      gst/isomp4/qtdemux.c.
    - CVE-2016-10199
  * SECURITY UPDATE: DoS in qtdemux_parse_samples
    - debian/patches/CVE-2017-5840.patch: properly increment stts index in
      gst/isomp4/qtdemux.c.
    - CVE-2017-5840

Date: 2017-03-24 13:48:13.896161+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
Maintainer: Ubuntu Desktop <ubuntu-desk...@lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/gst-plugins-good0.10/0.10.31-3+nmu4ubuntu2.16.04.3
[ubuntu/xenial-security] samba 2:4.3.11+dfsg-0ubuntu0.16.04.5 (Accepted)
samba (2:4.3.11+dfsg-0ubuntu0.16.04.5) xenial-security; urgency=medium

  * SECURITY UPDATE: Symlink race allows access outside share definition
    - debian/patches/CVE-2017-2619/*.patch: backport security fix and
      prerequisite patches from upstream.
    - CVE-2017-2619

Date: 2017-03-20 18:48:45.064900+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/samba/2:4.3.11+dfsg-0ubuntu0.16.04.5
[ubuntu/xenial-security] audiofile 0.3.6-2ubuntu0.16.04.1 (Accepted)
audiofile (0.3.6-2ubuntu0.16.04.1) xenial-security; urgency=high

  * SECURITY UPDATE: multiple vulnerabilities (LP: #1674005)
    - Apply patches from Debian 0.3.6-4:
      + 04_clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch
      + 05_Always-check-the-number-of-coefficients.patch
      + 06_Check-for-multiplication-overflow-in-MSADPCM-decodeSam.patch
      + 07_Check-for-multiplication-overflow-in-sfconvert.patch
      + 08_Fix-signature-of-multiplyCheckOverflow.-It-returns-a-b.patch
      + 09_Actually-fail-when-error-occurs-in-parseFormat.patch
      + 10_Check-for-division-by-zero-in-BlockCodec-runPull.patch
    - CVE-2017-6827, CVE-2017-6828, CVE-2017-6829, CVE-2017-6830,
      CVE-2017-6831, CVE-2017-6832, CVE-2017-6833, CVE-2017-6834,
      CVE-2017-6835, CVE-2017-6836, CVE-2017-6837, CVE-2017-6838,
      CVE-2017-6839

Date: 2017-03-21 17:58:39.672991+00:00
Changed-By: Jeremy Bicha <jer...@bicha.net>
Signed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/audiofile/0.3.6-2ubuntu0.16.04.1
[ubuntu/xenial-security] freetype 2.6.1-0.1ubuntu2.1 (Accepted)
freetype (2.6.1-0.1ubuntu2.1) xenial-security; urgency=medium

  * SECURITY UPDATE: DoS and possible code execution via missing glyph name
    - debian/patches/CVE-2016-10244.patch: add check to src/type1/t1load.c.
    - CVE-2016-10244

Date: 2017-03-16 18:04:13.970868+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/freetype/2.6.1-0.1ubuntu2.1
[ubuntu/xenial-security] libxml2 2.9.3+dfsg1-1ubuntu0.2 (Accepted)
libxml2 (2.9.3+dfsg1-1ubuntu0.2) xenial-security; urgency=medium

  * SECURITY UPDATE: format string vulnerabilities
    - debian/patches/CVE-2016-4448-1.patch: fix format string warnings in
      HTMLparser.c, SAX2.c, catalog.c, configure.ac, debugXML.c, encoding.c,
      entities.c, error.c, include/libxml/parserInternals.h,
      include/libxml/xmlerror.h, include/libxml/xmlstring.h, libxml.h,
      parser.c, parserInternals.c, relaxng.c, schematron.c, testModule.c,
      valid.c, xinclude.c, xmlIO.c, xmllint.c, xmlreader.c, xmlschemas.c,
      xmlstring.c, xmlwriter.c, xpath.c, xpointer.c.
    - debian/patches/CVE-2016-4448-2.patch: fix format string warnings in
      libxml.h, relaxng.c, xmlschemas.c, xmlstring.c.
    - debian/libxml2.symbols: added new symbol.
    - CVE-2016-4448
  * SECURITY UPDATE: use-after-free via namespace nodes in XPointer ranges
    - debian/patches/CVE-2016-4658.patch: disallow namespace nodes in
      XPointer ranges in xpointer.c.
    - CVE-2016-4658
  * SECURITY UPDATE: use-after-free in XPointer range-to function
    - debian/patches/CVE-2016-5131-1.patch: fix XPointer paths beginning
      with range-to in xpath.c, xpointer.c.
    - debian/patches/CVE-2016-5131-2.patch: fix comparison with root node in
      xmlXPathCmpNodes in xpath.c.
    - CVE-2016-5131
  * debian/patches/lp1652325.patch: XML push parser fails with bogus UTF-8
    encoding error when multi-byte character in large CDATA section is split
    across buffer (LP: #1652325)

Date: 2017-03-15 14:58:28.406219+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/libxml2/2.9.3+dfsg1-1ubuntu0.2
[ubuntu/xenial-security] imagemagick 8:6.8.9.9-7ubuntu5.6 (Accepted)
imagemagick (8:6.8.9.9-7ubuntu5.6) xenial-security; urgency=medium

  * SECURITY UPDATE: multiple security issues
    - debian/patches/*: synchronize security fixes with Debian's
      8:6.8.9.9-5+deb8u8 release. Once again, thanks to Bastien Roucariès
      for the excellent work this update is based on!
    - CVE-2017-6498, CVE-2017-6499, CVE-2017-6500

Date: 2017-03-14 15:06:22.490501+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/imagemagick/8:6.8.9.9-7ubuntu5.6
[ubuntu/xenial-security] pidgin 1:2.10.12-0ubuntu5.2 (Accepted)
pidgin (1:2.10.12-0ubuntu5.2) xenial-security; urgency=medium

  * SECURITY UPDATE: Out-of-bounds write when stripping xml
    - debian/patches/CVE-2017-2640.patch: improve entity processing in
      libpurple/util.c.
    - CVE-2017-2640

Date: 2017-03-13 19:43:14.421542+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/pidgin/1:2.10.12-0ubuntu5.2
[ubuntu/xenial-security] pillow 3.1.2-0ubuntu1.1 (Accepted)
pillow (3.1.2-0ubuntu1.1) xenial-security; urgency=medium

  * SECURITY UPDATE: information disclosure via crafted image
    - debian/patches/CVE-2016-9189.patch: add overflow checks to map.c.
    - CVE-2016-9189
  * SECURITY UPDATE: code execution via crafted image
    - debian/patches/CVE-2016-9190.patch: add size check to
      libImaging/Storage.c, add test to Tests/images/negative_size.ppm,
      Tests/test_file_ppm.py.
    - CVE-2016-9190

Date: 2017-03-10 14:03:24.257962+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/pillow/3.1.2-0ubuntu1.1
[ubuntu/xenial-security] icu 55.1-7ubuntu0.1 (Accepted)
icu (55.1-7ubuntu0.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Multiple security issues. Synchronize security fixes
    with Debian's 52.1-8+deb8u4 release. Thanks to Laszlo Boszormenyi for
    the work this update is based on.
    - debian/patches/CVE-2015-4844.patch
    - debian/patches/CVE-2016-0494.patch
    - debian/patches/CVE-2016-6293.patch
    - debian/patches/CVE-2016-7415.patch
    - CVE-2015-4844
    - CVE-2016-0494
    - CVE-2016-6293
    - CVE-2016-7415

Date: 2017-03-10 17:47:14.709511+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/icu/55.1-7ubuntu0.1
[ubuntu/xenial-security] libarchive 3.1.2-11ubuntu0.16.04.3 (Accepted)
libarchive (3.1.2-11ubuntu0.16.04.3) xenial-security; urgency=medium

  * SECURITY UPDATE: arbitrary file write via hardlink entries
    - debian/patches/CVE-2016-5418-1.patch: enforce sandbox with very long
      pathnames in libarchive/archive_write_disk_posix.c.
    - debian/patches/CVE-2016-5418-2.patch: fix path handling in
      libarchive/archive_write_disk_posix.c.
    - debian/patches/CVE-2016-5418-3.patch: add test cases to Makefile.am,
      libarchive/test/CMakeLists.txt, libarchive/test/main.c,
      libarchive/test/test.h, libarchive/test/test_write_disk_secure744.c,
      libarchive/test/test_write_disk_secure745.c,
      libarchive/test/test_write_disk_secure746.c.
    - debian/patches/CVE-2016-5418-4.patch: fix testcases in
      libarchive/test/test_write_disk_secure745.c,
      libarchive/test/test_write_disk_secure746.c.
    - debian/patches/CVE-2016-5418-5.patch: correct PATH_MAX usage in
      libarchive/archive_write_disk_posix.c.
    - CVE-2016-5418
  * SECURITY UPDATE: denial of service and possible code execution when
    writing an ISO9660 archive
    - debian/patches/CVE-2016-6250.patch: check for overflow in
      libarchive/archive_write_set_format_iso9660.c.
    - CVE-2016-6250
  * SECURITY UPDATE: denial of service via recursive decompression
    - debian/patches/CVE-2016-7166.patch: limit number of filters in
      libarchive/archive_read.c, added test to Makefile.am,
      libarchive/test/CMakeLists.txt,
      libarchive/test/test_read_too_many_filters.c,
      libarchive/test/test_read_too_many_filters.gz.uu.
    - CVE-2016-7166
  * SECURITY UPDATE: denial of service via non-printable multibyte character
    in a filename
    - debian/patches/CVE-2016-8687.patch: expand buffer size in tar/util.c.
    - CVE-2016-8687
  * SECURITY UPDATE: denial of service via multiple long lines
    - debian/patches/CVE-2016-8688.patch: fix bounds in
      libarchive/archive_read_support_format_mtree.c, added test to
      Makefile.am, libarchive/test/CMakeLists.txt,
      libarchive/test/test_read_format_mtree_crash747.c,
      libarchive/test/test_read_format_mtree_crash747.mtree.bz2.uu.
    - CVE-2016-8688
  * SECURITY UPDATE: denial of service via multiple EmptyStream attributes
    - debian/patches/CVE-2016-8689.patch: reject files with multiple markers
      in libarchive/archive_read_support_format_7zip.c.
    - CVE-2016-8689
  * SECURITY UPDATE: denial of service via invalid compressed file size
    - debian/patches/CVE-2017-5601.patch: add check to
      libarchive/archive_read_support_format_lha.c.
    - CVE-2017-5601

Date: 2017-03-09 16:42:32.714236+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/libarchive/3.1.2-11ubuntu0.16.04.3
[ubuntu/xenial-security] imagemagick 8:6.8.9.9-7ubuntu5.5 (Accepted)
imagemagick (8:6.8.9.9-7ubuntu5.5) xenial-security; urgency=medium

  * SECURITY UPDATE: multiple security issues
    - debian/patches/*: synchronize security fixes with Debian's
      8:6.8.9.9-5+deb8u7 release. Once again, thanks to Bastien Roucariès
      for the excellent work this update is based on!
    - CVE-2016-8707, CVE-2016-10062, CVE-2016-10144, CVE-2016-10145,
      CVE-2016-10146, CVE-2017-5506, CVE-2017-5507, CVE-2017-5508,
      CVE-2017-5510, CVE-2017-5511

Date: 2017-03-02 21:23:19.274636+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/imagemagick/8:6.8.9.9-7ubuntu5.5
[ubuntu/xenial-security] network-manager 1.2.2-0ubuntu0.16.04.4 (Accepted)
network-manager (1.2.2-0ubuntu0.16.04.4) xenial-security; urgency=medium

  * No change rebuild in the -security pocket.

Date: 2017-03-06 18:04:41.216645+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/network-manager/1.2.2-0ubuntu0.16.04.4
[ubuntu/xenial-security] munin 2.0.25-2ubuntu0.16.04.3 (Accepted)
munin (2.0.25-2ubuntu0.16.04.3) xenial-security; urgency=medium

  * SECURITY REGRESSION: log spamming issue (LP: #1669764)
    - debian/patches/CVE-2017-6188-3.patch: use looks_like_number in
      master/_bin/munin-cgi-graph.in.

Date: 2017-03-03 12:45:21.059822+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/munin/2.0.25-2ubuntu0.16.04.3
[ubuntu/xenial-security] kio 5.18.0-0ubuntu1.1 (Accepted)
kio (5.18.0-0ubuntu1.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Information Leak when accessing https when using a
    malicious PAC file
    - debian/patches/kio-sanitize-url-to-FindProxyForURL.patch
    - Thanks to Safebreach Labs researchers Itzik Kotler, Yonatan Fridburg
      and Amit Klein for reporting this issue, Albert Astals Cid for fixing
      this issue.
    - No CVE number.
    - fixes (LP: #1668871)

Date: 2017-03-02 17:45:14.500331+00:00
Changed-By: vishnunaini <vis...@vishnunaini.com>
Signed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/kio/5.18.0-0ubuntu1.1
[ubuntu/xenial-security] kde4libs 4:4.14.16-0ubuntu3.1 (Accepted)
kde4libs (4:4.14.16-0ubuntu3.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Information Leak when accessing https when using a
    malicious PAC file
    - debian/patches/kio-sanitize-url-to-FindProxyForURL.patch
    - Thanks to Safebreach Labs researchers Itzik Kotler, Yonatan Fridburg
      and Amit Klein for reporting this issue, Albert Astals Cid for fixing
      this issue.
    - No CVE number.
    - fixes (LP: #1668871)

Date: 2017-03-02 17:53:13.85+00:00
Changed-By: vishnunaini <vis...@vishnunaini.com>
Signed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/kde4libs/4:4.14.16-0ubuntu3.1
[ubuntu/xenial-security] munin 2.0.25-2ubuntu0.16.04.2 (Accepted)
munin (2.0.25-2ubuntu0.16.04.2) xenial-security; urgency=medium

  * SECURITY UPDATE: local file write vulnerability
    - debian/patches/CVE-2017-6188.patch: avoid expansion in list context in
      master/_bin/munin-cgi-graph.in.
    - debian/patches/CVE-2017-6188-2.patch: handle empty strings in
      master/_bin/munin-cgi-graph.in.
    - CVE-2017-6188

Date: 2017-03-02 12:49:17.552929+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/munin/2.0.25-2ubuntu0.16.04.2
[ubuntu/xenial-security] w3m 0.5.3-26ubuntu0.1 (Accepted)
w3m (0.5.3-26ubuntu0.1) xenial-security; urgency=medium

  * SECURITY UPDATE: multiple security issues
    - debian/patches/*: backport large quantity of security fixes from
      Debian's 0.5.3-19+deb8u1 release. Thanks to Tatsuya Kinoshita.
    - CVE-2016-9422, CVE-2016-9423, CVE-2016-9424, CVE-2016-9425,
      CVE-2016-9426, CVE-2016-9428, CVE-2016-9429, CVE-2016-9430,
      CVE-2016-9431, CVE-2016-9432, CVE-2016-9433, CVE-2016-9434,
      CVE-2016-9435, CVE-2016-9436, CVE-2016-9437, CVE-2016-9438,
      CVE-2016-9439, CVE-2016-9440, CVE-2016-9441, CVE-2016-9442,
      CVE-2016-9443, CVE-2016-9622, CVE-2016-9623, CVE-2016-9624,
      CVE-2016-9625, CVE-2016-9626, CVE-2016-9627, CVE-2016-9628,
      CVE-2016-9629, CVE-2016-9630, CVE-2016-9631, CVE-2016-9632,
      CVE-2016-9633

Date: 2017-03-01 19:24:14.426959+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/w3m/0.5.3-26ubuntu0.1
[ubuntu/xenial-security] php7.0 7.0.15-0ubuntu0.16.04.4 (Accepted)
php7.0 (7.0.15-0ubuntu0.16.04.4) xenial-security; urgency=medium

  * SECURITY REGRESSION: large mysql requests broken (LP: #1668017)
    - debian/patches/fix_74021.patch: fix fetch_array with more than
      MEDIUMBLOB in ext/mysqlnd/mysqlnd_wireprotocol.c, added tests to
      ext/mysqli/tests/bug73800.phpt, ext/mysqli/tests/bug74021.phpt.

Date: 2017-03-02 12:19:13.320843+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/php7.0/7.0.15-0ubuntu0.16.04.4
[ubuntu/xenial-security] iio-sensor-proxy 1.1-1ubuntu1 (Accepted)
iio-sensor-proxy (1.1-1ubuntu1) xenial-security; urgency=medium

  [ Jeremy Bicha ]
  * SECURITY UPDATE: insecure dbus configuration (LP: #1666358)
    - debian/patches/iio-dbus-policy-security.patch: Patch from Debian,
      applied upstream. Restrict send_destination to
      "net.hadess.SensorProxy" in net.hadess.SensorProxy.conf

  [ Marc Deslauriers ]
  * debian/control: added udev to Build-Depends.

Date: 2017-02-28 13:03:13.550925+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/iio-sensor-proxy/1.1-1ubuntu1
[ubuntu/xenial-security] tiff 4.0.6-1ubuntu0.1 (Accepted)
      in tools/tiffcrop.c.
    - CVE-2016-9539
  * SECURITY UPDATE: out-of-bounds write via odd tile width versus image width
    - debian/patches/CVE-2016-9540.patch: check bounds in tools/tiffcp.c.
    - CVE-2016-9540
  * SECURITY UPDATE: DoS or code execution via crafted BitsPerSample value
    - debian/patches/CVE-2017-5225.patch: check bps in tools/tiffcp.c.
    - CVE-2017-5225

Date: 2017-02-24 18:28:29.236094+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/tiff/4.0.6-1ubuntu0.1
[ubuntu/xenial-security] php7.0 7.0.15-0ubuntu0.16.04.2 (Accepted)
      6-7130 [ Fixed in 7.0.10 ]
    - SECURITY UPDATE: denial of service and possible code execution via
      malformed wddxPacket XML document
      + debian/patches/CVE-2016-7131.patch: added checks to ext/wddx/wddx.c,
        added tests to ext/wddx/tests/bug72790.phpt,
        ext/wddx/tests/bug72799.phpt.
      + CVE-2016-7131
      + CVE-2016-7132 [ Fixed in 7.0.10 ]
    - SECURITY UPDATE: denial of service and possible code execution via long
      pathname
      + debian/patches/CVE-2016-7133.patch: fix memory allocator in
        Zend/zend_alloc.c.
      + CVE-2016-7133 [ Fixed in 7.0.10 ]
    - SECURITY UPDATE: denial of service and possible code execution via long
      string and curl_escape call
      + debian/patches/CVE-2016-7134.patch: check both curl_escape and
        curl_unescape in ext/curl/interface.c.
      + CVE-2016-7134 [ Fixed in 7.0.10 ]
    - SECURITY UPDATE: denial of service and possible code execution via
      crafted field metadata in MySQL driver
      + debian/patches/CVE-2016-7412.patch: validate field length in
        ext/mysqlnd/mysqlnd_wireprotocol.c.
      + CVE-2016-7412 [ Fixed in 7.0.11 ]
    - SECURITY UPDATE: denial of service and possible code execution via
      malformed wddxPacket XML document
      + debian/patches/CVE-2016-7413.patch: fixed use-after-free in
        ext/wddx/wddx.c, added test to ext/wddx/tests/bug72860.phpt.
      + CVE-2016-7413 [ Fixed in 7.0.11 ]
    - SECURITY UPDATE: denial of service and possible code execution via
      crafted PHAR archive
      + debian/patches/CVE-2016-7414.patch: validate signatures in
        ext/phar/util.c, ext/phar/zip.c.
      + CVE-2016-7414 [ Fixed in 7.0.11 ]
    - SECURITY UPDATE: denial of service and possible code execution via
      MessageFormatter::formatMessage call with a long first argument
      + debian/patches/CVE-2016-7416.patch: added locale length check to
        ext/intl/msgformat/msgformat_format.c.
      + CVE-2016-7416 [ Fixed in 7.0.11 ]
    - SECURITY UPDATE: denial of service or code execution via crafted
      serialized data
      + debian/patches/CVE-2016-7417.patch: added type check to
        ext/spl/spl_array.c, added test to ext/spl/tests/bug73029.phpt, fix
        test in ext/spl/tests/bug70068.phpt.
      + CVE-2016-7417 [ Fixed in 7.0.11 ]
    - SECURITY UPDATE: denial of service and possible code execution via
      malformed wddxPacket XML document
      + debian/patches/CVE-2016-7418.patch: fix out-of-bounds read in
        ext/wddx/wddx.c, added test to ext/wddx/tests/bug73065.phpt.
      + CVE-2016-7418 [ Fixed in 7.0.11 ]

Date: 2017-02-23 13:57:21.947572+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/php7.0/7.0.15-0ubuntu0.16.04.2
[ubuntu/xenial-security] imagemagick 8:6.8.9.9-7ubuntu5.4 (Accepted)
imagemagick (8:6.8.9.9-7ubuntu5.4) xenial-security; urgency=medium
  * SECURITY REGRESSION: text coder issue (LP: #1589580)
    - debian/patches/fix_text_coder.patch: add extra check to coders/mvg.c, fix logic in coders/txt.c.
Date: 2017-02-22 18:25:28.721297+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/imagemagick/8:6.8.9.9-7ubuntu5.4
[ubuntu/xenial-security] tcpdump 4.9.0-1ubuntu1~ubuntu16.04.1 (Accepted)
tcpdump (4.9.0-1ubuntu1~ubuntu16.04.1) xenial-security; urgency=medium
  * Backport to xenial to fix CVEs (LP: #1662177).
  * Reset libpcap dependency to xenial version
  * Enable crypto support, dropped in zesty because of openssl.
  * Disable some tests failing with older pcap versions
Date: 2017-02-21 15:48:16.621075+00:00
Changed-By: LocutusOfBorg <costamagnagianfra...@yahoo.it>
Signed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/tcpdump/4.9.0-1ubuntu1~ubuntu16.04.1
[ubuntu/xenial-security] spice 0.12.6-4ubuntu0.2 (Accepted)
spice (0.12.6-4ubuntu0.2) xenial-security; urgency=medium
  * SECURITY UPDATE: overflow when reading large messages
    - debian/patches/CVE-2016-9577.patch: check size in server/main_channel.c.
    - CVE-2016-9577
  * SECURITY UPDATE: DoS via crafted message
    - debian/patches/CVE-2016-9578-1.patch: limit size in server/reds.c.
    - debian/patches/CVE-2016-9578-2.patch: limit caps in server/reds.c.
    - CVE-2016-9578
Date: 2017-02-15 19:27:19.179806+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/spice/0.12.6-4ubuntu0.2
[ubuntu/xenial-security] gtk-vnc 0.5.3-1.3ubuntu2.1 (Accepted)
gtk-vnc (0.5.3-1.3ubuntu2.1) xenial-security; urgency=medium
  * SECURITY UPDATE: insufficient bounds checking
    - debian/patches/CVE-2017-5884.patch: add checks to src/vncconnection.c.
    - CVE-2017-5884
  * SECURITY UPDATE: integer overflow when processing SetColorMapEntries
    - debian/patches/CVE-2017-5885-1.patch: don't accept color map entries for true-color pixel format in src/vncconnection.c.
    - debian/patches/CVE-2017-5885-2.patch: correctly validate color map range indexes in src/vnccolormap.c, src/vncconnection.c.
    - CVE-2017-5885
Date: 2017-02-17 19:52:14.724464+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/gtk-vnc/0.5.3-1.3ubuntu2.1
[ubuntu/xenial-security] bind9 1:9.10.3.dfsg.P4-8ubuntu1.5 (Accepted)
bind9 (1:9.10.3.dfsg.P4-8ubuntu1.5) xenial-security; urgency=medium
  * SECURITY UPDATE: Combining dns64 and rpz can result in dereferencing a NULL pointer
    - debian/patches/CVE-2017-3135.patch: properly handle dns64 and rpz combination in bin/named/query.c, lib/dns/message.c, lib/dns/rdataset.c.
    - CVE-2017-3135
  * SECURITY UPDATE: regression in CVE-2016-8864
    - debian/patches/rt44318.patch: synthesised CNAME before matching DNAME was still being cached when it should have been in lib/dns/resolver.c, added tests to bin/tests/system/dname/ans3/ans.pl, bin/tests/system/dname/ns1/root.db, bin/tests/system/dname/tests.sh.
    - No CVE number
Date: 2017-02-15 16:46:44.156316+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/bind9/1:9.10.3.dfsg.P4-8ubuntu1.5
[ubuntu/xenial-security] webkit2gtk 2.14.5-0ubuntu0.16.04.1 (Accepted)
webkit2gtk (2.14.5-0ubuntu0.16.04.1) xenial-security; urgency=medium
  * Updated to 2.14.5 to fix multiple security issues.
Date: 2017-02-15 12:50:23.064630+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/webkit2gtk/2.14.5-0ubuntu0.16.04.1
[ubuntu/xenial-security] nettle 3.2-1ubuntu0.16.04.1 (Accepted)
nettle (3.2-1ubuntu0.16.04.1) xenial-security; urgency=medium
  * SECURITY UPDATE: RSA cache timing side-channel attack
    - debian/patches/CVE-2016-6489.patch: use mpz_powm_sec and check for invalid keys in bignum.h, configure.ac, dsa-sign.c, rsa-blind.c, rsa-sign-tr.c, rsa-sign.c, rsa.c, testsuite/rsa-test.c.
    - CVE-2016-6489
Date: 2017-02-03 14:25:05.980168+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/nettle/3.2-1ubuntu0.16.04.1
[ubuntu/xenial-security] squid3 3.5.12-1ubuntu7.3 (Accepted)
squid3 (3.5.12-1ubuntu7.3) xenial-security; urgency=medium
  * SECURITY UPDATE: cookie data leak via If-Not-Modified HTTP conditional
    - debian/patches/CVE-2016-10002.patch: properly handle combination of If-Match and a Cache Hit in src/LogTags.h, src/client_side.cc, src/client_side_reply.cc, src/client_side_reply.h.
    - CVE-2016-10002
  * SECURITY UPDATE: incorrect HTTP Request header comparison
    - debian/patches/CVE-2016-10003.patch: don't share private responses with collapsed client in src/client_side_reply.cc.
    - CVE-2016-10003
Date: 2017-02-04 01:51:25.474213+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/squid3/3.5.12-1ubuntu7.3
[ubuntu/xenial-security] webkit2gtk 2.14.3-0ubuntu0.16.04.1 (Accepted)
webkit2gtk (2.14.3-0ubuntu0.16.04.1) xenial-security; urgency=medium
  * Updated to 2.14.3 to fix multiple security issues.
Date: 2017-02-03 12:22:16.775606+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/webkit2gtk/2.14.3-0ubuntu0.16.04.1
[ubuntu/xenial-security] iucode-tool 1.5.1-1ubuntu0.1 (Accepted)
iucode-tool (1.5.1-1ubuntu0.1) xenial-security; urgency=medium
  * SECURITY UPDATE: heap buffer overflow on -tr loader
    - debian/patches/CVE-2017-0357.patch: check al in intel_microcode.c.
    - CVE-2017-0357
Date: 2017-01-25 19:16:13.932432+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/iucode-tool/1.5.1-1ubuntu0.1
[ubuntu/xenial-security] libxpm 1:3.5.11-1ubuntu0.16.04.1 (Accepted)
libxpm (1:3.5.11-1ubuntu0.16.04.1) xenial-security; urgency=medium
  * SECURITY UPDATE: OOB write when handling malicious XPM files
    - debian/patches/CVE-2016-10164.patch: add bounds checks to src/CrDatFrI.c.
    - CVE-2016-10164
Date: 2017-01-25 21:03:14.423946+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/libxpm/1:3.5.11-1ubuntu0.16.04.1
[ubuntu/xenial-security] gnutls28 3.4.10-4ubuntu1.2 (Accepted)
gnutls28 (3.4.10-4ubuntu1.2) xenial-security; urgency=medium
  * SECURITY UPDATE: OCSP validation issue
    - debian/patches/CVE-2016-7444.patch: correctly verify the serial length in lib/x509/ocsp.c.
    - CVE-2016-7444
  * SECURITY UPDATE: denial of service via warning alerts
    - debian/patches/CVE-2016-8610.patch: set a maximum number of warning messages in lib/gnutls_int.h, lib/gnutls_handshake.c, lib/gnutls_state.c.
    - CVE-2016-8610
  * SECURITY UPDATE: double-free when reading proxy language
    - debian/patches/CVE-2017-5334.patch: fix double-free in lib/x509/x509_ext.c.
    - CVE-2017-5334
  * SECURITY UPDATE: out of memory error in stream reading functions
    - debian/patches/CVE-2017-5335.patch: add error checking to lib/opencdk/read-packet.c.
    - CVE-2017-5335
  * SECURITY UPDATE: stack overflow in cdk_pk_get_keyid
    - debian/patches/CVE-2017-5336.patch: check return code in lib/opencdk/pubkey.c.
    - CVE-2017-5336
  * SECURITY UPDATE: heap read overflow when reading streams
    - debian/patches/CVE-2017-5337.patch: add more precise checks to lib/opencdk/read-packet.c.
    - CVE-2017-5337
  * debian/patches/fix_expired_certs.patch: use datefudge to fix test with expired certs.
Date: 2017-01-26 19:18:21.817877+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/gnutls28/3.4.10-4ubuntu1.2
[ubuntu/xenial-security] openssl 1.0.2g-1ubuntu4.6 (Accepted)
openssl (1.0.2g-1ubuntu4.6) xenial-security; urgency=medium
  * SECURITY UPDATE: Montgomery multiplication may produce incorrect results
    - debian/patches/CVE-2016-7055.patch: fix logic in crypto/bn/asm/x86_64-mont.pl.
    - CVE-2016-7055
  * SECURITY UPDATE: DoS via warning alerts
    - debian/patches/CVE-2016-8610.patch: don't allow too many consecutive warning alerts in ssl/d1_pkt.c, ssl/s3_pkt.c, ssl/ssl.h, ssl/ssl_locl.h.
    - debian/patches/CVE-2016-8610-2.patch: fail if an unrecognised record type is received in ssl/s3_pkt.c.
    - CVE-2016-8610
  * SECURITY UPDATE: Truncated packet could crash via OOB read
    - debian/patches/CVE-2017-3731.patch: harden RC4_MD5 cipher in crypto/evp/e_rc4_hmac_md5.c.
    - CVE-2017-3731
  * SECURITY UPDATE: BN_mod_exp may produce incorrect results on x86_64
    - debian/patches/CVE-2017-3732.patch: fix carry bug in bn_sqr8x_internal in crypto/bn/asm/x86_64-mont5.pl.
    - CVE-2017-3732
Date: 2017-01-30 16:00:18.440188+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/openssl/1.0.2g-1ubuntu4.6
[ubuntu/xenial-security] mariadb-10.0 10.0.29-0ubuntu0.16.04.1 (Accepted)
mariadb-10.0 (10.0.29-0ubuntu0.16.04.1) xenial-security; urgency=high
  * SECURITY UPDATE: New upstream release 10.0.29. Includes fixes for the following security vulnerabilities (LP: #1657594):
    - CVE-2017-3318
    - CVE-2017-3317
    - CVE-2017-3312
    - CVE-2017-3291
    - CVE-2017-3265
    - CVE-2017-3258
    - CVE-2017-3257
    - CVE-2017-3244
    - CVE-2017-3243
    - CVE-2017-3238
    - CVE-2016-6664
Date: 2017-01-24 18:44:37.433619+00:00
Signed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/mariadb-10.0/10.0.29-0ubuntu0.16.04.1
[ubuntu/xenial-security] firejail 0.9.38-1ubuntu0.1 (Accepted)
firejail (0.9.38-1ubuntu0.1) xenial-security; urgency=low
  * SECURITY UPDATE: sandbox escape via TIOCSTI ioctl (LP: #1655136)
    - debian/patches/CVE-2016-9016.patch: cherry-picked from upstream 0.9.38-LTS branch (commit 19302eb)
    - CVE-2016-9016
  * SECURITY UPDATE: truncate /etc/resolv.conf as non-root user (LP: #1655136)
    - debian/patches/CVE-2016-10118.patch: cherry-picked from upstream 0.9.38-LTS branch (commit 4f4e59c)
    - CVE-2016-10118
  * SECURITY UPDATE: local privilege escalation to root (LP: #1655136)
    - debian/patches/CVE-2017-5180.patch: cherry-picked from upstream 0.9.38-LTS branch (commit ad97545)
    - CVE-2017-5180
Date: 2017-01-23 20:58:23.093163+00:00
Changed-By: Reiner Herrmann <rei...@reiner-h.de>
Signed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/firejail/0.9.38-1ubuntu0.1
[ubuntu/xenial-security] tomcat8 8.0.32-1ubuntu1.3 (Accepted)
tomcat8 (8.0.32-1ubuntu1.3) xenial-security; urgency=medium
  * SECURITY UPDATE: timing attack in realm implementations
    - debian/patches/CVE-2016-0762.patch: add time delays to java/org/apache/catalina/realm/DataSourceRealm.java, java/org/apache/catalina/realm/JDBCRealm.java, java/org/apache/catalina/realm/MemoryRealm.java, java/org/apache/catalina/realm/RealmBase.java.
    - CVE-2016-0762
  * SECURITY UPDATE: SecurityManager bypass via a Tomcat utility method
    - debian/patches/CVE-2016-5018.patch: remove unnecessary code in java/org/apache/jasper/runtime/JspRuntimeLibrary.java, java/org/apache/jasper/security/SecurityClassLoad.java, java/org/apache/jasper/servlet/JasperInitializer.java.
    - CVE-2016-5018
  * SECURITY UPDATE: mitigation for httpoxy issue
    - debian/patches/CVE-2016-5388.patch: add envHttpHeaders initialization parameter to conf/web.xml, webapps/docs/cgi-howto.xml, java/org/apache/catalina/servlets/CGIServlet.java.
    - CVE-2016-5388
  * SECURITY UPDATE: system properties read SecurityManager bypass
    - debian/patches/CVE-2016-6794.patch: extend SecurityManager protection to the system property replacement feature of the digester in java/org/apache/catalina/loader/WebappClassLoaderBase.java, java/org/apache/tomcat/util/digester/Digester.java, java/org/apache/tomcat/util/security/PermissionCheck.java.
    - CVE-2016-6794
  * SECURITY UPDATE: SecurityManager bypass via JSP Servlet configuration parameters
    - debian/patches/CVE-2016-6796.patch: ignore some JSP options when running under a SecurityManager in conf/web.xml, java/org/apache/jasper/EmbeddedServletOptions.java, java/org/apache/jasper/resources/LocalStrings.properties, java/org/apache/jasper/servlet/JspServlet.java, webapps/docs/jasper-howto.xml.
    - CVE-2016-6796
  * SECURITY UPDATE: web application global JNDI resource access
    - debian/patches/CVE-2016-6797.patch: ensure that the global resource is only visible via the ResourceLinkFactory when it is meant to be in java/org/apache/catalina/core/NamingContextListener.java, java/org/apache/naming/factory/ResourceLinkFactory.java, test/org/apache/naming/TestNamingContext.java.
    - CVE-2016-6797
  * SECURITY UPDATE: HTTP response injection via invalid characters
    - debian/patches/CVE-2016-6816.patch: add additional checks for valid characters in java/org/apache/coyote/http11/AbstractInputBuffer.java, java/org/apache/coyote/http11/AbstractNioInputBuffer.java, java/org/apache/coyote/http11/InternalAprInputBuffer.java, java/org/apache/coyote/http11/InternalInputBuffer.java, java/org/apache/coyote/http11/LocalStrings.properties, java/org/apache/tomcat/util/http/parser/HttpParser.java.
    - CVE-2016-6816
  * SECURITY UPDATE: remote code execution via JmxRemoteLifecycleListener
    - debian/patches/CVE-2016-8735.patch: explicitly configure allowed credential types in java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java.
    - CVE-2016-8735
  * SECURITY UPDATE: information leakage between requests
    - debian/patches/CVE-2016-8745.patch: properly handle cache when unable to complete sendfile request in java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2016-8745
  * SECURITY UPDATE: privilege escalation during package upgrade
    - debian/rules, debian/tomcat8.postinst: properly set permissions on /etc/tomcat8/Catalina/localhost.
    - CVE-2016-9774
  * SECURITY UPDATE: privilege escalation during package removal
    - debian/tomcat8.postrm.in: don't reset permissions before removing user.
    - CVE-2016-9775
  * debian/tomcat8.init: further hardening.
Date: 2017-01-18 13:32:09.679525+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/tomcat8/8.0.32-1ubuntu1.3
[ubuntu/xenial-security] pcsc-lite 1.8.14-1ubuntu1.16.04.1 (Accepted)
pcsc-lite (1.8.14-1ubuntu1.16.04.1) xenial-security; urgency=medium
  * SECURITY UPDATE: denial of service and possible code execution via cardsList use-after-free
    - debian/patches/CVE-2016-10109-1.patch: prevent use-after-free of cardsList in src/winscard_svc.c.
    - debian/patches/CVE-2016-10109-2.patch: check for a valid hContext handles in src/winscard_svc.c.
    - CVE-2016-10109
Date: 2017-01-06 15:41:13.693101+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/pcsc-lite/1.8.14-1ubuntu1.16.04.1
[ubuntu/xenial-security] pinba-engine-mysql 1.1.0-1ubuntu1.5 (Accepted)
pinba-engine-mysql (1.1.0-1ubuntu1.5) xenial-security; urgency=medium
  * Rebuild against mysql 5.7.17.
Date: 2017-01-19 00:01:29.314601+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/pinba-engine-mysql/1.1.0-1ubuntu1.5
[ubuntu/xenial-security] mysql-5.7 5.7.17-0ubuntu0.16.04.1 (Accepted)
mysql-5.7 (5.7.17-0ubuntu0.16.04.1) xenial-security; urgency=medium
  * SECURITY UPDATE: Update to 5.7.17 to fix security issues
    - CVE-2016-8318
    - CVE-2016-8327
    - CVE-2017-3238
    - CVE-2017-3244
    - CVE-2017-3251
    - CVE-2017-3256
    - CVE-2017-3258
    - CVE-2017-3265
    - CVE-2017-3273
    - CVE-2017-3291
    - CVE-2017-3312
    - CVE-2017-3313
    - CVE-2017-3317
    - CVE-2017-3318
    - CVE-2017-3319
    - CVE-2017-3320
  * debian/patches/fix_failing_test.patch: fix test failure that uses env from rapid plugins.
  * debian/patches/fix_test_events_2.patch: fix date in test.
  * debian/control: replace python with libjson-perl in mysql-testsuite-5.7 Depends.
  * debian/mysql-testsuite-5.7.install: add test_udf_services.so.
Date: 2017-01-18 21:21:12.857760+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/mysql-5.7/5.7.17-0ubuntu0.16.04.1
[ubuntu/xenial-security] xen 4.6.0-1ubuntu4.3 (Accepted)
xen (4.6.0-1ubuntu4.3) xenial-security; urgency=low
  * Applying Xen Security Advisories:
    - CVE-2016-9386 / XSA-191
      * x86/hvm: Fix the handling of non-present segments
    - CVE-2016-9382 / XSA-192
      * x86/HVM: don't load LDTR with VM86 mode attrs during task switch
    - CVE-2016-9385 / XSA-193
      * x86/PV: writes of %fs and %gs base MSRs require canonical addresses
    - CVE-2016-9383 / XSA-195
      * x86emul: fix huge bit offset handling
    - CVE-2016-9377, CVE-2016-9378 / XSA-196
      * x86/emul: Correct the IDT entry calculation in inject_swint()
      * x86/svm: Fix injection of software interrupts
    - CVE-2016-9379, CVE-2016-9380 / XSA-198
      * pygrub: Properly quote results, when returning them to the caller
    - CVE-2016-9932 / XSA-200
      * x86emul: CMPXCHG8B ignores operand size prefix
    - CVE-2016-9815, CVE-2016-9816, CVE-2016-9817, CVE-2016-9818 / XSA-201
      * arm64: handle guest-generated EL1 asynchronous abort
      * arm64: handle async aborts delivered while at EL2
      * arm: crash the guest when it traps on external abort
      * arm32: handle async aborts delivered while at HYP
    - CVE-2016-10024 / XSA-202
      * x86: force EFLAGS.IF on when exiting to PV guests
    - CVE-2016-10025 / XSA-203
      * x86/HVM: add missing NULL check before using VMFUNC hook
    - CVE-2016-10013 / XSA-204
      * x86/emul: Correct the handling of eflags with SYSCALL
Date: 2017-01-12 14:48:21.136446+00:00
Changed-By: Stefan Bader <stefan.ba...@canonical.com>
Signed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/xen/4.6.0-1ubuntu4.3
[ubuntu/xenial-security] bind9 1:9.10.3.dfsg.P4-8ubuntu1.4 (Accepted)
bind9 (1:9.10.3.dfsg.P4-8ubuntu1.4) xenial-security; urgency=medium
  * SECURITY UPDATE: assertion failure via class mismatch
    - debian/patches/CVE-2016-9131.patch: properly handle certain TKEY records in lib/dns/resolver.c.
    - CVE-2016-9131
  * SECURITY UPDATE: assertion failure via inconsistent DNSSEC information
    - debian/patches/CVE-2016-9147.patch: fix logic when records are returned without the requested data in lib/dns/resolver.c.
    - CVE-2016-9147
  * SECURITY UPDATE: assertion failure via unusually-formed DS record
    - debian/patches/CVE-2016-9444.patch: handle missing RRSIGs in lib/dns/message.c, lib/dns/resolver.c.
    - CVE-2016-9444
  * SECURITY UPDATE: regression in CVE-2016-8864
    - debian/patches/rt43779.patch: properly handle CNAME -> DNAME in responses in lib/dns/resolver.c, added tests to bin/tests/system/dname/ns2/example.db, bin/tests/system/dname/tests.sh.
    - No CVE number

bind9 (1:9.10.3.dfsg.P4-8ubuntu1.3) xenial; urgency=medium
  * Add RemainAfterExit to bind9-resolvconf unit configuration file (LP: #1536181).
Date: 2017-01-09 15:17:13.778911+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/bind9/1:9.10.3.dfsg.P4-8ubuntu1.4
[ubuntu/xenial-security] libvncserver 0.9.10+dfsg-3ubuntu0.16.04.1 (Accepted)
libvncserver (0.9.10+dfsg-3ubuntu0.16.04.1) xenial-security; urgency=medium
  * SECURITY UPDATE: heap overflows in rectangle fill functions
    - debian/patches/CVE-2016-9941.patch: add bounds checking to libvncclient/rfbproto.c.
    - CVE-2016-9941
  * SECURITY UPDATE: heap overflow in Ultra type tile decoder
    - debian/patches/CVE-2016-9942.patch: use _safe variant in libvncclient/ultra.c.
    - CVE-2016-9942
Date: 2017-01-06 13:30:23.182650+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/libvncserver/0.9.10+dfsg-3ubuntu0.16.04.1
[ubuntu/xenial-security] epiphany-browser 3.18.5-0ubuntu1.1 (Accepted)
epiphany-browser (3.18.5-0ubuntu1.1) xenial-security; urgency=medium
  * debian/patches/new_webkit_abi.patch: fix compatibility with newer WebKitGTK+.
  * debian/control*: bump libwebkit2gtk-4.0-dev to (>= 2.13.2).
Date: 2017-01-10 14:52:17.610553+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/epiphany-browser/3.18.5-0ubuntu1.1
[ubuntu/xenial-security] webkit2gtk 2.14.2-0ubuntu0.16.04.1 (Accepted)
webkit2gtk (2.14.2-0ubuntu0.16.04.1) xenial-security; urgency=medium
  * Updated to 2.14.2 to fix multiple security issues.
    - debian/patches/install-minibrowser.patch: removed, no longer needed.
    - debian/rules: set -DENABLE_MINIBROWSER=ON.
    - debian/patches/fix-ftbfs-m68k.patch: removed, not needed in Ubuntu.
    - debian/patches/fix-ftbfs-armel.patch: fix FTBFS.
    - debian/libjavascriptcoregtk-4.0-bin.install: install the jsc executable in /usr/bin.
    - debian/libwebkit2gtk-4.0-37.symbols: updated for new version.
Date: 2017-01-07 14:43:14.247055+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/webkit2gtk/2.14.2-0ubuntu0.16.04.1
[ubuntu/xenial-security] exim4 4.86.2-2ubuntu2.1 (Accepted)
exim4 (4.86.2-2ubuntu2.1) xenial-security; urgency=medium
  * SECURITY UPDATE: DKIM information leakage
    - debian/patches/CVE-2016-9963.patch: fix information leakage in src/dkim.c, src/transports/smtp.c.
    - CVE-2016-9963
Date: 2017-01-05 14:45:26.802035+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/exim4/4.86.2-2ubuntu2.1
[ubuntu/xenial-security] python-bottle 0.12.7-1+deb8u1build0.16.04.1 (Accepted)
python-bottle (0.12.7-1+deb8u1build0.16.04.1) xenial-security; urgency=medium
  * fake sync from Debian
Date: 2017-01-05 12:43:14.497932+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
Maintainer: David Paleino <da...@debian.org>
https://launchpad.net/ubuntu/+source/python-bottle/0.12.7-1+deb8u1build0.16.04.1
[ubuntu/xenial-security] nss 2:3.26.2-0ubuntu0.16.04.2 (Accepted)
nss (2:3.26.2-0ubuntu0.16.04.2) xenial-security; urgency=medium
  * Updated to upstream 3.26.2 to fix security issues and get a new CA certificate bundle.
  * SECURITY UPDATE: denial of service via invalid DH keys
    - CVE-2016-5285
  * SECURITY UPDATE: small subgroup confinement attack
    - CVE-2016-8635
  * SECURITY UPDATE: insufficient mitigation of timing side-channel attack
    - CVE-2016-9074
  * debian/rules: added libfreeblpriv3.so.
  * debian/libnss3.symbols: updated for new version, added SSL_GetCipherSuiteInfo and SSL_GetChannelInfo as they are not backwards compatible.
  * debian/patches/*.patch: refreshed for new version.
  * debian/rules: When building with -O3, build with -Wno-error=maybe-uninitialized to fix FTBFS on ppc64el and powerpc.
Date: 2016-12-05 13:04:22.172113+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/nss/2:3.26.2-0ubuntu0.16.04.2
[ubuntu/xenial-security] game-music-emu 0.6.0-3ubuntu0.16.04.1 (Accepted)
game-music-emu (0.6.0-3ubuntu0.16.04.1) xenial-security; urgency=medium
  * SECURITY UPDATE: code execution via missing register value clamps
    - debian/patches/missing_register_value_clamp.patch: clamp values to uint8_t in gme/Spc_Cpu.h.
    - No CVE number
Date: 2016-12-13 17:04:15.035908+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/game-music-emu/0.6.0-3ubuntu0.16.04.1
[ubuntu/xenial-security] c-ares 1.10.0-3ubuntu0.1 (Accepted)
c-ares (1.10.0-3ubuntu0.1) xenial-security; urgency=medium
  * SECURITY UPDATE: denial of service and possible execution via hostname with an escaped trailing dot (LP: #1629085)
    - debian/patches/CVE-2016-5180.patch: properly handle escaped dot in ares_create_query.c.
    - CVE-2016-5180
Date: 2016-10-06 14:35:14.763260+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/c-ares/1.10.0-3ubuntu0.1
[ubuntu/xenial-security] imagemagick 8:6.8.9.9-7ubuntu5.3 (Accepted)
imagemagick (8:6.8.9.9-7ubuntu5.3) xenial-security; urgency=medium
  * SECURITY UPDATE: multiple security issues
    - debian/patches/*: synchronize security fixes with Debian's 8:6.8.9.9-5+deb8u6 release. Once again, thanks to Bastien Roucariès for the excellent work this update is based on!
    - CVE-2016-7799, CVE-2016-7906, CVE-2016-8677, CVE-2016-8862, CVE-2016-9556
  * debian/patches/0070-Fix-PixelColor-off-by-one-on-i386.patch: add back changes from 8:6.8.9.9-7ubuntu1 lost during the previous update.
Date: 2016-11-29 17:50:14.416643+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/imagemagick/8:6.8.9.9-7ubuntu5.3
[ubuntu/xenial-security] python-cryptography 1.2.3-1ubuntu0.1 (Accepted)
python-cryptography (1.2.3-1ubuntu0.1) xenial-security; urgency=medium
  * SECURITY UPDATE: HKDF might return an empty byte-string
    - debian/patches/CVE-2016-9243.patch: fix short length handling in src/cryptography/hazmat/primitives/kdf/hkdf.py, added test to tests/hazmat/primitives/test_hkdf.py.
    - CVE-2016-9243
Date: 2016-11-17 15:47:14.840328+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/python-cryptography/1.2.3-1ubuntu0.1
[ubuntu/xenial-security] gst-plugins-good1.0 1.8.2-1ubuntu0.3 (Accepted)
gst-plugins-good1.0 (1.8.2-1ubuntu0.3) xenial-security; urgency=medium
  * SECURITY UPDATE: incomplete fix for flx decoder
    - debian/patches/flxdec-bounds3.patch: don't unref() parent in the chain function in gst/flx/gstflxdec.c.
    - debian/patches/flxdec-bounds4.patch: rewrite logic based on GstByteReader/Writer in gst/flx/flx_color.c, gst/flx/flx_fmt.h, gst/flx/gstflxdec.c, gst/flx/gstflxdec.h.
    - No CVE number
Date: 2016-11-25 14:33:15.609343+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/gst-plugins-good1.0/1.8.2-1ubuntu0.3
[ubuntu/xenial-security] moin 1.9.8-1ubuntu1.16.04.1 (Accepted)
moin (1.9.8-1ubuntu1.16.04.1) xenial-security; urgency=medium

  * SECURITY UPDATE: XSS in attachment dialogue
    - debian/patches/CVE-2016-7146.patch: properly escape page_name in
      MoinMoin/action/fckdialog.py.
    - CVE-2016-7146
  * SECURITY UPDATE: XSS in AttachFile view
    - debian/patches/CVE-2016-7148.patch: properly escape pagename in
      MoinMoin/action/AttachFile.py.
    - CVE-2016-7148
  * SECURITY UPDATE: XSS in link dialogue
    - debian/patches/CVE-2016-9119.patch: properly escape strings in
      MoinMoin/action/fckdialog.py.
    - CVE-2016-9119

Date: 2016-11-22 13:59:30.792749+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/moin/1.9.8-1ubuntu1.16.04.1
[ubuntu/xenial-security] gst-plugins-good0.10 0.10.31-3+nmu4ubuntu2.16.04.1 (Accepted)
gst-plugins-good0.10 (0.10.31-3+nmu4ubuntu2.16.04.1) xenial-security; urgency=medium

  * SECURITY UPDATE: code execution via out-of-bounds write in flx decoder
    - debian/patches/flxdec-bounds1.patch: add bounds checking to
      gst/flx/gstflxdec.c.
    - debian/patches/flxdec-bounds2.patch: fix compiler warnings in
      gst/flx/gstflxdec.c.
    - No CVE number
  * debian/patches/docs_ftbfs.patch: fix FTBFS.

Date: 2016-11-22 17:08:13.421759+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
Maintainer: Ubuntu Desktop <ubuntu-desk...@lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/gst-plugins-good0.10/0.10.31-3+nmu4ubuntu2.16.04.1
[ubuntu/xenial-security] gst-plugins-good1.0 1.8.2-1ubuntu0.2 (Accepted)
gst-plugins-good1.0 (1.8.2-1ubuntu0.2) xenial-security; urgency=medium

  * SECURITY UPDATE: code execution via out-of-bounds write in flx decoder
    - debian/patches/flxdec-bounds1.patch: add bounds checking to
      gst/flx/gstflxdec.c.
    - debian/patches/flxdec-bounds2.patch: fix compiler warnings in
      gst/flx/gstflxdec.c.
    - No CVE number

Date: 2016-11-22 16:22:17.941166+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/gst-plugins-good1.0/1.8.2-1ubuntu0.2
[ubuntu/xenial-security] gst-plugins-base1.0 1.8.2-1ubuntu0.2 (Accepted)
gst-plugins-base1.0 (1.8.2-1ubuntu0.2) xenial-security; urgency=medium

  * No-change rebuild in security pocket.

Date: 2016-11-22 15:33:25.037982+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/gst-plugins-base1.0/1.8.2-1ubuntu0.2
[ubuntu/xenial-security] tar 1.28-2.1ubuntu0.1 (Accepted)
tar (1.28-2.1ubuntu0.1) xenial-security; urgency=medium

  * SECURITY UPDATE: extract pathname bypass
    - debian/patches/CVE-2016-6321.patch: skip members whose names contain
      ".." in src/extract.c.
    - CVE-2016-6321

Date: 2016-11-17 16:26:39.585121+00:00
Changed-By: Marc Deslauriers <marc.deslauri...@canonical.com>
https://launchpad.net/ubuntu/+source/tar/1.28-2.1ubuntu0.1
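The tar entry above describes the check in one line: members whose names contain ".." are skipped at extraction time. The following is an added example of that kind of member filter, written in Python over the standard library for this page; it is not GNU tar's src/extract.c or the CVE-2016-6321 patch, and it goes slightly beyond the one-line description by also rejecting absolute names and symlink/hardlink targets that point outside the destination. The archive it builds is constructed in memory for the demonstration and is not a real-world file.

```python
import io
import os
import tarfile
import tempfile

# Added example: an extraction-time member filter of the kind the tar patch
# above describes. Standard-library Python, not GNU tar's src/extract.c.


def is_unsafe_path(name: str) -> bool:
    """Reject absolute names and any '..' path component. Backslashes are
    treated as separators too, since archives written on Windows may use them."""
    normalized = name.replace("\\", "/")
    return normalized.startswith("/") or any(part == ".." for part in normalized.split("/"))


def is_unsafe_member(member: tarfile.TarInfo) -> bool:
    """A member is unsafe if its own name escapes the destination, or if it is
    a symlink/hardlink whose target escapes (a later member could be written
    through the link)."""
    if is_unsafe_path(member.name):
        return True
    if member.issym() or member.islnk():
        return is_unsafe_path(member.linkname)
    return False


def build_sample_archive() -> bytes:
    """Constructed in-memory archive: one benign member plus several
    traversal attempts. Not a real-world file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        files = [
            ("docs/readme.txt", b"hello\n"),
            ("../../etc/cron.d/evil", b"* * * * * root id\n"),
            ("/etc/passwd", b"root::0:0::/:/bin/sh\n"),
            ("docs/../../escape.txt", b"x\n"),
        ]
        for name, data in files:
            info = tarfile.TarInfo(name)      # addfile() stores the name verbatim
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("docs/link")   # symlink pointing outside the tree
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"
        tar.addfile(link)
    return buf.getvalue()


def partition_members(archive: bytes):
    """Return (safe_names, unsafe_names) in archive order."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        members = tar.getmembers()
    safe = [m.name for m in members if not is_unsafe_member(m)]
    unsafe = [m.name for m in members if is_unsafe_member(m)]
    return safe, unsafe


def safe_extract(archive: bytes, dest: str) -> list:
    """Extract only the safe members into dest; return the skipped names.
    On Python 3.12+ the stdlib 'data' filter is applied as a second layer."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        members = tar.getmembers()
        keep = [m for m in members if not is_unsafe_member(m)]
        skipped = [m.name for m in members if is_unsafe_member(m)]
        if hasattr(tarfile, "data_filter"):
            tar.extractall(dest, members=keep, filter="data")
        else:
            tar.extractall(dest, members=keep)
    return skipped


def extract_sample_to_tempdir():
    """Run safe_extract on the sample archive into a fresh temp directory;
    return (skipped names, relative paths of files actually written)."""
    dest = tempfile.mkdtemp(prefix="safe-tar-")
    skipped = safe_extract(build_sample_archive(), dest)
    written = []
    for root, _dirs, files in os.walk(dest):
        for f in files:
            rel = os.path.relpath(os.path.join(root, f), dest)
            written.append(rel.replace(os.sep, "/"))
    return skipped, sorted(written)


if __name__ == "__main__":
    safe, unsafe = partition_members(build_sample_archive())
    print("safe:  ", safe)
    print("unsafe:", unsafe)
    print("extracted:", extract_sample_to_tempdir())
```

Note that "docs/../../escape.txt" is rejected even though its first component is harmless: the check looks at every component, not just the prefix, which is the difference between a name-based filter and the prefix stripping that "extract pathname bypass" refers to. Python 3.12 added extraction filters that reject the same cases; on older interpreters this member filter is the only layer.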