[ubuntu/trusty-security] mariadb-5.5 5.5.64-1ubuntu0.14.04.1 (Accepted)
mariadb-5.5 (5.5.64-1ubuntu0.14.04.1) trusty-security; urgency=high

  * SECURITY UPDATE: New upstream release 5.5.64. Includes fixes for the following security vulnerabilities (LP: #1825572):
    - CVE-2019-2627
    - CVE-2019-2614

Date: 2019-05-16 16:19:14.904515+00:00
Signed-By: Eduardo dos Santos Barretto
https://launchpad.net/ubuntu/+source/mariadb-5.5/5.5.64-1ubuntu0.14.04.1

Sorry, changesfile not available.

-- 
Trusty-changes mailing list
Trusty-changes@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/trusty-changes
[ubuntu/trusty-security] xmltooling 1.5.3-2+deb8u3ubuntu0.1 (Accepted)
xmltooling (1.5.3-2+deb8u3ubuntu0.1) trusty-security; urgency=high

  * SECURITY UPDATE: uncaught exception on malformed XML declaration
    Invalid data in the XML declaration causes an exception of a type that was not handled properly in the parser class and propagates an unexpected exception type. This generally manifests as a crash in the calling code, which in the Service Provider software's case is usually the shibd daemon process, but can be Apache in some cases. Note that the crash occurs prior to evaluation of a message's authenticity, so can be exploited by an untrusted attacker.
    - debian/patches/CVE-2019-9628.patch
    - CVE-2019-9628
    - https://shibboleth.net/community/advisories/secadv_20190311.txt
    - LP: #1819912

Date: 2019-03-21 17:39:32.483869+00:00
Changed-By: Etienne Dysli Metref
Signed-By: Eduardo dos Santos Barretto
https://launchpad.net/ubuntu/+source/xmltooling/1.5.3-2+deb8u3ubuntu0.1
[ubuntu/trusty-security] xml-security-c 1.7.2-2ubuntu0.1 (Accepted)
xml-security-c (1.7.2-2ubuntu0.1) trusty-security; urgency=medium

  * debian/patches/99-xsecsafebuffer.patch: Fix undefined behavior in XSECSafeBuffer that affects ECDSA signature generation. This fix was introduced in series 2.x, but it was not backported to series 1.7.x.

Date: 2019-03-11 12:29:13.307510+00:00
Changed-By: Alejandro Claro
Signed-By: Eduardo dos Santos Barretto
https://launchpad.net/ubuntu/+source/xml-security-c/1.7.2-2ubuntu0.1
[ubuntu/trusty-security] sendmail 8.14.4-4.1ubuntu1.1 (Accepted)
sendmail (8.14.4-4.1ubuntu1.1) trusty-security; urgency=medium

  * SECURITY UPDATE: Local users can access unintended high-numbered file descriptors via a custom mail-delivery program.
    - debian/patches/8.14/8.14.4/close_on_exec.patch: Properly set the close-on-exec flag for file descriptors before executing mailers.
    - CVE-2014-3956

Date: 2019-02-05 18:40:12.963880+00:00
Changed-By: Eduardo dos Santos Barretto
https://launchpad.net/ubuntu/+source/sendmail/8.14.4-4.1ubuntu1.1
[ubuntu/trusty-security] torque 2.4.16+dfsg-1.3ubuntu1.1 (Accepted)
torque (2.4.16+dfsg-1.3ubuntu1.1) trusty-security; urgency=medium

  * SECURITY UPDATE: Buffer overflow vulnerability allows remote attackers to execute arbitrary code via a large count value.
    - debian/patches/CVE-2014-0749.patch: Fix stack-based buffer overflow in disrsi_.c
    - CVE-2014-0749
  * SECURITY UPDATE: Lack of validation on process owner allows remote authenticated users to kill arbitrary processes via a crafted executable.
    - debian/patches/CVE-2014-3684.patch: Limit tm_adopt to only adopt a session id that is owned by the calling user.
    - CVE-2014-3684

Date: 2019-02-04 18:14:17.229663+00:00
Changed-By: Eduardo dos Santos Barretto
https://launchpad.net/ubuntu/+source/torque/2.4.16+dfsg-1.3ubuntu1.1
[ubuntu/trusty-security] jetty 6.1.26-1ubuntu1.2 (Accepted)
jetty (6.1.26-1ubuntu1.2) trusty-security; urgency=medium

  * SECURITY UPDATE: Possible Timing Attack.
    - debian/patches/CVE-2017-9735.patch: A timing channel in Password.java.
    - CVE-2017-9735

Date: 2019-01-30 18:13:12.285648+00:00
Changed-By: Eduardo dos Santos Barretto
https://launchpad.net/ubuntu/+source/jetty/6.1.26-1ubuntu1.2
[ubuntu/trusty-security] virtualbox 4.3.36-dfsg-1+deb8u1ubuntu1.14.04.2 (Accepted)
virtualbox (4.3.36-dfsg-1+deb8u1ubuntu1.14.04.2) trusty-security; urgency=medium

  * debian/patches/fix-for-guest-to-host-escape-vulnerability.patch:
    - Apply patch for guest-to-host escape vulnerability (LP: #1809156)
    - CVE-2018-3294

Date: 2019-01-21 15:57:13.400224+00:00
Changed-By: Martin Konrad
Signed-By: Eduardo dos Santos Barretto
https://launchpad.net/ubuntu/+source/virtualbox/4.3.36-dfsg-1+deb8u1ubuntu1.14.04.2
[ubuntu/trusty-security] krb5 1.12+dfsg-2ubuntu5.4 (Accepted)
krb5 (1.12+dfsg-2ubuntu5.4) trusty-security; urgency=medium

  * SECURITY UPDATE: DoS (out-of-bounds read) via a crafted string
    - debian/patches/CVE-2015-8629.patch: Verify decoded kadmin C strings
    - CVE-2015-8629
  * SECURITY UPDATE: DoS (NULL pointer dereference) by specifying KADM5_POLICY with a NULL policy name
    - debian/patches/CVE-2015-8630.patch: Check for null kadm5 policy name
    - CVE-2015-8630
  * SECURITY UPDATE: DoS (memory consumption) via a request specifying a NULL principal name
    - debian/patches/CVE-2015-8631.patch: Fix leaks in kadmin server stubs
    - CVE-2015-8631
  * SECURITY UPDATE: DoS (NULL pointer dereference) via a crafted request to modify a principal
    - debian/patches/CVE-2016-3119.patch: Fix LDAP null dereference on empty arg
    - CVE-2016-3119
  * SECURITY UPDATE: DoS (NULL pointer dereference) via an S4U2Self request
    - debian/patches/CVE-2016-3120.patch: Fix S4U2Self KDC crash when anon is restricted
    - CVE-2016-3120
  * SECURITY UPDATE: KDC assertion failure
    - debian/patches/CVE-2017-11368-1.patch: Prevent KDC unset status assertion failures
    - debian/patches/CVE-2017-11368-2.patch: Simplify KDC status assignment
    - CVE-2017-11368
  * SECURITY UPDATE: Double free vulnerability
    - debian/patches/CVE-2017-11462.patch: Preserve GSS context on init/accept failure
    - CVE-2017-11462
  * SECURITY UPDATE: Authenticated kadmin with permission to add principals to an LDAP Kerberos can DoS or bypass DN container check.
    - debian/patches/CVE-2018-5729-CVE-2018-5730.patch: Fix flaws in LDAP DN checking
    - CVE-2018-5729
    - CVE-2018-5730

krb5 (1.12+dfsg-2ubuntu5.3) trusty; urgency=medium

  * d/p/upstream/0001-Add-SPNEGO-special-case-for-NTLMSSP-MechListMIC.patch: Cherry-pick from upstream to add SPNEGO special case for NTLMSSP+MechListMIC. LP: #1643708.

Date: 2019-01-10 18:06:12.384461+00:00
Changed-By: Eduardo dos Santos Barretto
https://launchpad.net/ubuntu/+source/krb5/1.12+dfsg-2ubuntu5.4
[ubuntu/trusty-security] chrony 1.29-1ubuntu0.1 (Accepted)
chrony (1.29-1ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: Heap-based buffer overflow
    - debian/patches/CVE-2015-1821.patch: Fix access configuration with subnet size indivisible by 4.
    - CVE-2015-1821
  * SECURITY UPDATE: DoS (uninitialized pointer dereference and daemon crash) or possibly execute arbitrary code via a large number of command requests.
    - debian/patches/CVE-2015-1822.patch: Fix initialization of allocated reply slots.
    - CVE-2015-1822
  * SECURITY UPDATE: Authentication doesn't protect symmetric associations against DoS attacks
    - debian/patches/CVE-2015-1853.patch: Protect authenticated symmetric associations against DoS attacks.
    - CVE-2015-1853
  * SECURITY UPDATE: Remote attackers can conduct impersonation attacks via an arbitrary trusted key, aka a "skeleton key".
    - debian/patches/CVE-2016-1567.patch: restrict authentication of server/peer to specified key.
    - CVE-2016-1567

Date: 2018-12-06 16:37:11.800383+00:00
Changed-By: Eduardo dos Santos Barretto
https://launchpad.net/ubuntu/+source/chrony/1.29-1ubuntu0.1
[ubuntu/trusty-security] tor 0.2.4.27-1ubuntu0.1 (Accepted)
tor (0.2.4.27-1ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: DoS (client crash) via a crafted hidden service descriptor.
    - debian/patches/CVE-2016-1254.patch: Fix parsing bug with unrecognized token at EOS.
    - CVE-2016-1254
  * SECURITY UPDATE: DoS (crash) via crafted data.
    - debian/patches/CVE-2016-8860.patch: Protect against NUL-terminated inputs.
    - CVE-2016-8860
  * SECURITY UPDATE: DoS (assertion failure and daemon exit) via a BEGIN_DIR rendezvous circuit.
    - debian/patches/CVE-2017-0376.patch: Fix assertion failure.
    - CVE-2017-0376
  * SECURITY UPDATE: Replay-cache protection mechanism is ineffective for v2 onion services.
    - debian/patches/CVE-2017-8819.patch: Fix length of replaycache-checked data.
    - CVE-2017-8819
  * SECURITY UPDATE: DoS (application hang) via a crafted PEM input.
    - debian/patches/CVE-2017-8821.patch: Avoid asking for passphrase on junky PEM input.
    - CVE-2017-8821
  * SECURITY UPDATE: Relays that have incompletely downloaded descriptors can pick themselves in a circuit path, leading to a degradation of anonymity.
    - debian/patches/CVE-2017-8822.patch: Use local descriptor object to exclude self in path selection.
    - CVE-2017-8822

Date: 2018-11-26 16:04:17.183114+00:00
Changed-By: Eduardo dos Santos Barretto
https://launchpad.net/ubuntu/+source/tor/0.2.4.27-1ubuntu0.1
[ubuntu/trusty-security] mercurial 2.8.2-1ubuntu1.4 (Accepted)
mercurial (2.8.2-1ubuntu1.4) trusty-security; urgency=medium

  * SECURITY UPDATE: Remote attackers can execute arbitrary code via a crafted git ext:: URL when cloning a subrepository.
    - debian/patches/CVE-2016-3068.patch: set GIT_ALLOW_PROTOCOL to limit git clone protocols.
    - CVE-2016-3068
  * SECURITY UPDATE: Remote attackers can execute arbitrary code via a crafted name when converting a Git repository.
    - debian/patches/CVE-2016-3069_part1.patch: add new, non-clowny interface for shelling out to git.
    - debian/patches/CVE-2016-3069_part2.patch: rewrite calls to Git to use the new shelling mechanism.
    - debian/patches/CVE-2016-3069_part3.patch: dead code removal - old git calling functions
    - debian/patches/CVE-2016-3069_part4.patch: test for shell injection in git calls
    - CVE-2016-3069
  * SECURITY UPDATE: The convert extension might allow attackers to execute arbitrary code via a crafted git repository name.
    - debian/patches/CVE-2016-3105.patch: Pass absolute paths to git.
    - CVE-2016-3105
  * SECURITY UPDATE: Remote attackers can execute arbitrary code via a clone, push or pull command because of a list sizing rounding error and short records.
    - debian/patches/CVE-2016-3630_part1.patch: fix list sizing rounding error.
    - debian/patches/CVE-2016-3630_part2.patch: detect short records
    - CVE-2016-3630
  * SECURITY UPDATE: hg server --stdio allows remote authenticated users to launch the Python debugger and execute arbitrary code.
    - debian/patches/CVE-2017-9462.patch: Protect against malicious hg serve --stdio invocations.
    - CVE-2017-9462
  * SECURITY UPDATE: A specially malformed repository can cause GIT subrepositories to run arbitrary code.
    - debian/patches/CVE-2017-17458_part1.patch: add test-audit-subrepo.t testcase.
    - debian/patches/CVE-2017-17458_part2.patch: disallow symlink traversal across subrepo mount point.
    - CVE-2017-17458
  * SECURITY UPDATE: Missing symlink check could be abused to write to files outside the repository.
    - debian/patches/CVE-2017-1000115.patch: Fix symlink traversal.
    - CVE-2017-1000115
  * SECURITY UPDATE: Possible shell-injection attack from not adequately sanitizing hostnames passed to ssh.
    - debian/patches/CVE-2017-1000116.patch: Sanitize hostnames passed to ssh.
    - CVE-2017-1000116
  * SECURITY UPDATE: Integer underflow and overflow.
    - debian/patches/CVE-2018-13347.patch: Protect against underflow.
    - debian/patches/CVE-2018-13347-extras.patch: Protect against overflow.
    - CVE-2018-13347
  * SECURITY UPDATE: Able to start fragment past the end of original data.
    - debian/patches/CVE-2018-13346.patch: Ensure fragment start is not past the end of orig.
    - CVE-2018-13346
  * SECURITY UPDATE: Data mishandling in certain situations.
    - debian/patches/CVE-2018-13348.patch: Be more careful about parsing binary patch data.
    - CVE-2018-13348
  * SECURITY UPDATE: Vulnerability in Protocol server can result in unauthorized data access.
    - debian/patches/CVE-2018-1000132.patch: Always perform permissions checks on protocol commands.
    - CVE-2018-1000132

Date: 2018-11-22 18:19:46.418758+00:00
Changed-By: Eduardo dos Santos Barretto
https://launchpad.net/ubuntu/+source/mercurial/2.8.2-1ubuntu1.4
[ubuntu/trusty-security] graphicsmagick 1.3.18-1ubuntu3.1 (Accepted)
  * SECURITY UPDATE: DoS (crash) via large dimensions in a jpeg image.
    - debian/patches/CVE-2016-9830.patch: enforce spec requirement that the dimensions of the JPEG embedded in a JDAT chunk must match the JHDR dimensions.
    - CVE-2016-9830

Date: 2018-10-30 20:05:12.971655+00:00
Changed-By: Eduardo dos Santos Barretto
https://launchpad.net/ubuntu/+source/graphicsmagick/1.3.18-1ubuntu3.1
[ubuntu/trusty-security] tomcat6 6.0.39-1ubuntu0.1 (Accepted)
tomcat6 (6.0.39-1ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: Integer overflow
    - debian/patches/CVE-2014-0075.patch: Fix integer overflow in the parseChunkHeader function in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java
    - CVE-2014-0075
  * SECURITY UPDATE: Bypass security-manager restrictions and read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference.
    - debian/patches/CVE-2014-0096.patch: Properly restrict XSLT stylesheets
    - CVE-2014-0096
  * SECURITY UPDATE: Fix integer overflow.
    - debian/patches/CVE-2014-0099.patch: Fix in java/org/apache/tomcat/util/buf/Ascii.java
    - CVE-2014-0099
  * SECURITY UPDATE: Read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference.
    - debian/patches/CVE-2014-0119-1.patch: fix in SecurityClassLoad.java and DefaultServlet.java
    - debian/patches/CVE-2014-0119-2.patch: fix in TldConfig.java
    - debian/patches/CVE-2014-0119-3.patch: fix in multiple files
    - CVE-2014-0119
  * SECURITY UPDATE: Add error flag to allow subsequent attempts at reading after an error to fail fast.
    - debian/patches/CVE-2014-0227.patch: fix in ChunkedInputFilter.java
    - CVE-2014-0227
  * SECURITY UPDATE: DoS (thread consumption) via a series of aborted upload attempts.
    - debian/patches/CVE-2014-0230.patch: add support for maxSwallowSize
    - CVE-2014-0230
  * SECURITY UPDATE: Bypass a SecurityManager protection mechanism via a web application that leverages use of incorrect privileges during EL evaluation.
    - debian/patches/CVE-2014-7810-1.patch: fix in BeanELResolver.java
    - debian/patches/CVE-2014-7810-2.patch: fix in PageContextImpl.java and SecurityClassLoad.java
    - CVE-2014-7810
  * SECURITY UPDATE: Directory traversal vulnerability in RequestUtil.java
    - debian/patches/CVE-2015-5174.patch: fix in RequestUtil.java
    - CVE-2015-5174
  * SECURITY UPDATE: Remote attackers can determine the existence of a directory via a URL that lacks a trailing slash character.
    - debian/patches/CVE-2015-5345-1.patch: fix in multiple files
    - debian/patches/CVE-2015-5345-2.patch: fix in multiple files
    - CVE-2015-5345
  * SECURITY UPDATE: Bypass CSRF protection mechanism by using a token.
    - debian/patches/CVE-2015-5351-1.patch: fix in manager application
    - debian/patches/CVE-2015-5351-2.patch: fix in host-manager application
    - CVE-2015-5351
  * SECURITY UPDATE: Bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.
    - debian/patches/CVE-2016-0706.patch: fix in RestrictedServlets.properties
    - CVE-2016-0706
  * SECURITY UPDATE: Bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session.
    - debian/patches/CVE-2016-0714-1.patch: fix in multiple files.
    - debian/patches/CVE-2016-0714-2.patch: fix in multiple files.
    - CVE-2016-0714
  * SECURITY UPDATE: Possible to determine valid user names.
    - debian/patches/CVE-2016-0762.patch: fix in MemoryRealm.java and RealmBase.java
    - CVE-2016-0762
  * SECURITY UPDATE: Bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context.
    - debian/patches/CVE-2016-0763.patch: fix in ResourceLinkFactory.java
    - CVE-2016-0763
  * SECURITY UPDATE: Access to the tomcat account to gain root privileges via a symlink attack on the Catalina log file.
    - debian/tomcat6.init: don't follow symlinks when handling the catalina.out file.
    - CVE-2016-1240

Date: 2018-10-17 12:21:13.810032+00:00
Changed-By: Eduardo dos Santos Barretto
https://launchpad.net/ubuntu/+source/tomcat6/6.0.39-1ubuntu0.1
[ubuntu/trusty-security] opencv 2.4.8+dfsg1-2ubuntu1.2 (Accepted)
opencv (2.4.8+dfsg1-2ubuntu1.2) trusty-security; urgency=medium

  * Set -DENABLE_PRECOMPILED_HEADERS on arm64.

Date: 2018-09-19 08:18:15.622030+00:00
Changed-By: Eduardo dos Santos Barretto
Maintainer: Kubuntu Members
https://launchpad.net/ubuntu/+source/opencv/2.4.8+dfsg1-2ubuntu1.2
[ubuntu/trusty-security] mpg123 1.16.0-1ubuntu1.1 (Accepted)
mpg123 (1.16.0-1ubuntu1.1) trusty-security; urgency=medium

  * SECURITY UPDATE: Buffer overflow
    - debian/patches/CVE-2014-9497.patch: Regression fix: Ensure decoder reinitialization on combination of seek and resync (buffer overflow) and add check for bad bit allocation value in layer I decoder.
    - CVE-2014-9497
  * SECURITY UPDATE: Memory overread
    - debian/patches/CVE-2016-1000247.patch: fix DoS with crafted ID3v2 tags.
    - CVE-2016-1000247
  * SECURITY UPDATE: Memory overread
    - debian/patches/CVE-2017-10683.patch: fix in id3.c
    - CVE-2017-10683

Date: 2018-09-05 18:37:13.502478+00:00
Changed-By: Eduardo dos Santos Barretto
https://launchpad.net/ubuntu/+source/mpg123/1.16.0-1ubuntu1.1
[ubuntu/trusty-security] mosquitto 0.15-2+deb7u3ubuntu0.1 (Accepted)
mosquitto (0.15-2+deb7u3ubuntu0.1) trusty-security; urgency=medium

  * Merge from Debian. Remaining changes:
    - Install apparmor profile.
    - Replace init script with upstart script.

mosquitto (0.15-2+deb7u3) wheezy-security; urgency=high

  * Non-maintainer upload by the Wheezy LTS Team.
  * CVE-2017-7651 fix to avoid extraordinary memory consumption by crafted CONNECT packet from unauthenticated client
  * CVE-2017-7652 in case all sockets/file descriptors are exhausted, this is a fix to avoid default config values after reloading configuration by SIGHUP signal

mosquitto (0.15-2+deb7u2) wheezy-security; urgency=high

  * SECURITY UPDATE: Persistence file is world readable, which may expose sensitive data.
    - debian/patches/mosquitto-0.15_cve-2017-9868.patch: Set umask to restrict persistence file read access to owner.
    - CVE-2017-9868

mosquitto (0.15-2+deb7u1) wheezy-security; urgency=high

  * SECURITY UPDATE: Pattern ACL can be bypassed by using a username/client id set to '+' or '#'.
    - debian/patches/mosquitto-1.3.4_cve-2017-7650.patch: Reject send/receive of messages to/from clients with a '+', '#' or '/' in their username/client id.
    - CVE-2017-7650

Date: 2018-09-05 15:11:24.589193+00:00
Changed-By: Eduardo dos Santos Barretto
https://launchpad.net/ubuntu/+source/mosquitto/0.15-2+deb7u3ubuntu0.1
[ubuntu/trusty-security] hdf5 1.8.11-5ubuntu7.1 (Accepted)
hdf5 (1.8.11-5ubuntu7.1) trusty-security; urgency=medium

  * SECURITY UPDATE: Heap-based buffer overflow, potentially leading to arbitrary code execution.
    - debian/patches/CVE-2016-4330.patch: fix in src/H5Odtype.c
    - debian/patches/CVE-2016-4331-1.patch: fix in src/H5Znbit.c
    - debian/patches/CVE-2016-4331-2.patch: fix in src/H5Znbit.c
    - debian/patches/CVE-2016-4332.patch: fix in src/H5Ocache.c and src/H5Opkg.h
    - debian/patches/CVE-2016-4333.patch: fix in src/H5Odtype.c
    - CVE-2016-4330
    - CVE-2016-4331
    - CVE-2016-4332
    - CVE-2016-4333

Date: 2018-08-28 18:21:12.850746+00:00
Changed-By: Eduardo dos Santos Barretto
https://launchpad.net/ubuntu/+source/hdf5/1.8.11-5ubuntu7.1
[ubuntu/trusty-security] httpcomponents-client 4.3.3-1ubuntu0.1 (Accepted)
httpcomponents-client (4.3.3-1ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: It was found that the fix for CVE-2012-5783 and CVE-2012-6153 was incomplete. The code added to check that the server hostname matches the domain name in the subject's CN field was flawed. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can spoof a valid certificate using a specially crafted subject.
    - debian/patches/CVE-2014-3577.patch: fix in AbstractVerifier.java
    - CVE-2014-3577

Date: 2018-08-13 20:52:11.981641+00:00
Changed-By: Eduardo dos Santos Barretto
https://launchpad.net/ubuntu/+source/httpcomponents-client/4.3.3-1ubuntu0.1
[ubuntu/trusty-security] monit 1:5.6-2ubuntu0.1 (Accepted)
monit (1:5.6-2ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: CSRF vulnerability
    - debian/patches/CVE-2016-7067.patch: The following http services are no longer implemented for GET method and require CSRF protected POST: _doaction, _viewlog
    - CVE-2016-7067

Date: 2018-08-10 18:46:25.340683+00:00
Changed-By: Eduardo dos Santos Barretto
https://launchpad.net/ubuntu/+source/monit/1:5.6-2ubuntu0.1
[ubuntu/trusty-security] zeromq3 4.0.4+dfsg-2ubuntu0.1 (Accepted)
zeromq3 (4.0.4+dfsg-2ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: Man-in-the-middle attackers can conduct downgrade attacks via a crafted connection request.
    - debian/patches/CVE-2014-7202.patch: Solution: accept only the mechanism defined by the socket options.
    - CVE-2014-7202
  * SECURITY UPDATE: Man-in-the-middle attackers can conduct replay attacks via unspecified vectors.
    - debian/patches/CVE-2014-7203.patch: Solution: ensure message short nonces are strictly increasing and validate them.
    - CVE-2014-7203
  * SECURITY UPDATE: Remote attackers can conduct downgrade attacks and bypass ZMTP v3 protocol security mechanisms via a ZMTP v2 or earlier header.
    - debian/patches/CVE-2014-9721.patch: Solution: if security is defined on a socket, reject all V2 and earlier connections, unconditionally.
    - CVE-2014-9721

Date: 2018-08-07 16:00:21.071418+00:00
Changed-By: Eduardo dos Santos Barretto
https://launchpad.net/ubuntu/+source/zeromq3/4.0.4+dfsg-2ubuntu0.1
[ubuntu/trusty-security] libtomcrypt 1.17-5ubuntu0.1 (Accepted)
libtomcrypt (1.17-5ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: Fix possible Bleichenbacher signature attack.
    - debian/patches/CVE-2016-6129.patch: fix in src/pk/rsa/rsa_verify_hash.c
    - CVE-2016-6129
  * SECURITY UPDATE: Memory side-channel attack on ECDSA signatures.
    - debian/patches/CVE-2018-12437.patch: fix in src/pk/ecc/ecc_sign_hash.c
    - CVE-2018-12437

Date: 2018-08-06 18:16:12.025656+00:00
Changed-By: Eduardo dos Santos Barretto
https://launchpad.net/ubuntu/+source/libtomcrypt/1.17-5ubuntu0.1
[ubuntu/trusty-security] jansson 2.5-2ubuntu0.2 (Accepted)
jansson (2.5-2ubuntu0.2) trusty-security; urgency=medium

  * REGRESSION UPDATE: The backport of CVE-2013-6401 brought a regression.
    - debian/patches/Fix-regression-in-CVE-2013-6401-backport.patch: Fix in src/hashtable.c and test/suites/api/test_objec.t

Date: 2018-08-02 16:12:19.770980+00:00
Changed-By: Eduardo dos Santos Barretto
https://launchpad.net/ubuntu/+source/jansson/2.5-2ubuntu0.2
[ubuntu/trusty-security] jansson 2.5-2ubuntu0.1 (Accepted)
jansson (2.5-2ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: Hash collision issue
    - debian/patches/CVE-2013-6401.patch: Fix hash function so that it is not susceptible to predictable hash collisions
    - CVE-2013-6401
  * SECURITY UPDATE: Stack exhaustion parsing a JSON file
    - debian/patches/CVE-2016-4425.patch: Fix in src/load.c and src/jansson_config.h.in
    - CVE-2016-4425

Date: 2018-08-01 15:17:21.427884+00:00
Changed-By: Eduardo dos Santos Barretto
https://launchpad.net/ubuntu/+source/jansson/2.5-2ubuntu0.1
[ubuntu/trusty-security] capnproto 0.4.0-1ubuntu2.1 (Accepted)
capnproto (0.4.0-1ubuntu2.1) trusty-security; urgency=medium

  * SECURITY UPDATE: Integer overflow in pointer validation.
    - debian/patches/CVE-2015-2310.patch: fix in src/capnp/layout.c++
    - CVE-2015-2310
  * SECURITY UPDATE: Integer underflow in pointer validation.
    - debian/patches/CVE-2015-2311.patch: fix in src/capnp/layout.c++
    - CVE-2015-2311
  * SECURITY UPDATE: CPU usage amplification attack.
    - debian/patches/CVE-2015-2312.patch: fix in src/capnp/arena.h, src/capnp/encoding-test.c++ and src/capnp/layout.c++
    - CVE-2015-2312
  * SECURITY UPDATE: Additional CPU amplification case.
    - debian/patches/CVE-2015-2313.patch: fix in src/capnp/layout.c++ and src/capnp/encoding-test.c++
    - CVE-2015-2313
  * SECURITY UPDATE: Prevent compiler from eliding bounds checks.
    - debian/patches/CVE-2017-7892.patch: fix in src/capnp/arena.h
    - CVE-2017-7892

Date: 2018-07-31 12:57:18.048380+00:00
Changed-By: Eduardo dos Santos Barretto
https://launchpad.net/ubuntu/+source/capnproto/0.4.0-1ubuntu2.1
[ubuntu/trusty-security] libonig 5.9.1-1ubuntu1.1 (Accepted)
libonig (5.9.1-1ubuntu1.1) trusty-security; urgency=medium

  * SECURITY UPDATE: Fix multiple invalid pointer dereferences, out-of-bounds write memory corruption and stack buffer overflow.
    - debian/patches/CVE-2017-9224-and-CVE-2017-9226-to-9229.patch: fixes in regexec.c and regparse.c
    - CVE-2017-9224
    - CVE-2017-9926
    - CVE-2017-9927
    - CVE-2017-9228
    - CVE-2017-9229

Date: 2018-07-27 18:43:12.151852+00:00
Changed-By: Eduardo dos Santos Barretto
https://launchpad.net/ubuntu/+source/libonig/5.9.1-1ubuntu1.1