[ubuntu/trusty-security] mariadb-5.5 5.5.64-1ubuntu0.14.04.1 (Accepted)

2019-05-23 Thread Eduardo dos Santos Barretto
mariadb-5.5 (5.5.64-1ubuntu0.14.04.1) trusty-security; urgency=high

  * SECURITY UPDATE: New upstream release 5.5.64. Includes fixes for
the following security vulnerabilities (LP: #1825572):
- CVE-2019-2627
- CVE-2019-2614

Date: 2019-05-16 16:19:14.904515+00:00
Signed-By: Eduardo dos Santos Barretto 
https://launchpad.net/ubuntu/+source/mariadb-5.5/5.5.64-1ubuntu0.14.04.1
Sorry, changesfile not available.
-- 
Trusty-changes mailing list
Trusty-changes@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/trusty-changes


[ubuntu/trusty-security] xmltooling 1.5.3-2+deb8u3ubuntu0.1 (Accepted)

2019-03-26 Thread Eduardo dos Santos Barretto
xmltooling (1.5.3-2+deb8u3ubuntu0.1) trusty-security; urgency=high

  * SECURITY UPDATE: uncaught exception on malformed XML declaration
Invalid data in the XML declaration causes an exception of a type that
was not handled properly in the parser class and propagates an
unexpected exception type.
This generally manifests as a crash in the calling code, which in the
Service Provider software's case is usually the shibd daemon process,
but can be Apache in some cases. Note that the crash occurs prior to
evaluation of a message's authenticity, so can be exploited by an
untrusted attacker.
- debian/patches/CVE-2019-9628.patch
- CVE-2019-9628
- https://shibboleth.net/community/advisories/secadv_20190311.txt
- LP: #1819912

Date: 2019-03-21 17:39:32.483869+00:00
Changed-By: Etienne Dysli Metref 
Signed-By: Eduardo dos Santos Barretto 
https://launchpad.net/ubuntu/+source/xmltooling/1.5.3-2+deb8u3ubuntu0.1


[ubuntu/trusty-security] xml-security-c 1.7.2-2ubuntu0.1 (Accepted)

2019-03-13 Thread Eduardo dos Santos Barretto
xml-security-c (1.7.2-2ubuntu0.1) trusty-security; urgency=medium

  * debian/patches/99-xsecsafebuffer.patch: Fix undefined behavior in
XSECSafeBuffer that affects ECDSA signature generation. This fix was
introduced in series 2.x, but it was not backported to series 1.7.x.

Date: 2019-03-11 12:29:13.307510+00:00
Changed-By: Alejandro Claro 
Signed-By: Eduardo dos Santos Barretto 
https://launchpad.net/ubuntu/+source/xml-security-c/1.7.2-2ubuntu0.1


[ubuntu/trusty-security] sendmail 8.14.4-4.1ubuntu1.1 (Accepted)

2019-02-05 Thread Eduardo dos Santos Barretto
sendmail (8.14.4-4.1ubuntu1.1) trusty-security; urgency=medium

  * SECURITY UPDATE: Local users to access unintended high-numbered file
descriptors via a custom mail-delivery program.
- debian/patches/8.14/8.14.4/close_on_exec.patch: Properly set the
  close-on-exec flag for file descriptors before executing mailers.
- CVE-2014-3956

Date: 2019-02-05 18:40:12.963880+00:00
Changed-By: Eduardo dos Santos Barretto 
https://launchpad.net/ubuntu/+source/sendmail/8.14.4-4.1ubuntu1.1
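
The close-on-exec technique behind this fix, as an added example in C that is not sendmail's code: descriptors a process opened for its own use leak into any program it execs unless FD_CLOEXEC is set on them before the exec, and only the descriptors meant for the child (here, a constructed pipe standing in for the mailer's stdin) are left inheritable. The probe that execs /bin/sh and asks it to dup the descriptor is an assumed way of observing the leak; the "queue file" is just /dev/null.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 if fd is open with FD_CLOEXEC set, 0 if open without it, -1 if not open. */
int fd_cloexec_state(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Mark every open descriptor above stderr close-on-exec, except the ones
 * the child is meant to inherit (keep[]). The shape of the sendmail fix:
 * done before exec'ing the mailer, so anything not explicitly handed over
 * is invisible to the mailer program. */
int set_cloexec_except(const int *keep, size_t nkeep)
{
    long maxfd = sysconf(_SC_OPEN_MAX);
    if (maxfd < 0)
        maxfd = 1024;                       /* conservative fallback */
    for (long fd = 3; fd < maxfd; fd++) {
        int skip = 0;
        for (size_t i = 0; i < nkeep; i++)
            if (keep[i] == fd) { skip = 1; break; }
        if (skip)
            continue;
        int flags = fcntl((int)fd, F_GETFD);
        if (flags == -1)
            continue;                       /* not open */
        if (!(flags & FD_CLOEXEC) &&
            fcntl((int)fd, F_SETFD, flags | FD_CLOEXEC) == -1)
            return -1;
    }
    return 0;
}

/* The mailer's point of view (assumed probe): exec /bin/sh and ask it to
 * dup the descriptor. Exit status 0 means the exec'd program could still
 * reach it. Returns 1 (inherited), 0 (closed on exec), -1 (probe failed). */
int fd_survives_exec(int fd)
{
    char cmd[32];
    snprintf(cmd, sizeof cmd, "exec 9<&%d", fd);
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int devnull = open("/dev/null", O_WRONLY);
        if (devnull >= 0)
            dup2(devnull, 2);               /* silence the shell's error text */
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

/* Walk through the scenario; returns 0 when every expectation holds,
 * otherwise the number of the step that failed. */
int run_demo(void)
{
    int leak = open("/dev/null", O_RDONLY);  /* stands in for a queue file */
    int mailer_pipe[2];                      /* constructed mailer stdin pipe */
    if (leak < 0 || pipe(mailer_pipe) != 0)
        return 1;
    if (fd_cloexec_state(leak) != 0)
        return 2;                            /* inherited by default */
    int keep[] = { mailer_pipe[0] };         /* the mailer's stdin only */
    if (set_cloexec_except(keep, 1) != 0)
        return 3;
    if (fd_cloexec_state(leak) != 1)
        return 4;
    if (fd_cloexec_state(mailer_pipe[0]) != 0 || fd_cloexec_state(mailer_pipe[1]) != 1)
        return 5;
    if (fd_survives_exec(leak) == 1)
        return 6;                            /* exec'd child still saw it */
    if (fd_survives_exec(mailer_pipe[0]) == 0)
        return 7;                            /* the one we kept must survive */
    close(leak); close(mailer_pipe[0]); close(mailer_pipe[1]);
    return 0;
}

int main(void)
{
    int rc = run_demo();
    if (rc == 0)
        puts("leaked descriptor closed on exec; mailer pipe still inherited");
    else
        printf("step %d failed\n", rc);
    return rc;
}
```

Setting the flag process-wide before the exec, rather than closing individual descriptors in the child, is what makes this robust: a new descriptor opened by a code path the author forgot about is still covered.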


[ubuntu/trusty-security] torque 2.4.16+dfsg-1.3ubuntu1.1 (Accepted)

2019-02-04 Thread Eduardo dos Santos Barretto
torque (2.4.16+dfsg-1.3ubuntu1.1) trusty-security; urgency=medium

  * SECURITY UPDATE: Buffer overflow vulnerability allows remote attackers
to execute arbitrary code via a large count value.
- debian/patches/CVE-2014-0749.patch: Fix stack-based buffer overflow in
  disrsi_.c
- CVE-2014-0749
  * SECURITY UPDATE: Lack of validation on process owner allows remote
authenticated users to kill arbitrary processes via a crafted executable.
- debian/patches/CVE-2014-3684.patch: Limit tm_adopt to only adopt a session
  id that is owned by the calling user.
- CVE-2014-3684

Date: 2019-02-04 18:14:17.229663+00:00
Changed-By: Eduardo dos Santos Barretto 
https://launchpad.net/ubuntu/+source/torque/2.4.16+dfsg-1.3ubuntu1.1


[ubuntu/trusty-security] jetty 6.1.26-1ubuntu1.2 (Accepted)

2019-01-30 Thread Eduardo dos Santos Barretto
jetty (6.1.26-1ubuntu1.2) trusty-security; urgency=medium

  * SECURITY UPDATE: Possible Timing Attack.
- debian/patches/CVE-2017-9735.patch: A timing channel in Password.java.
- CVE-2017-9735

Date: 2019-01-30 18:13:12.285648+00:00
Changed-By: Eduardo dos Santos Barretto 
https://launchpad.net/ubuntu/+source/jetty/6.1.26-1ubuntu1.2
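
The timing channel named for Password.java, shown in C as an added example that is not Jetty's code: the leaky comparison stops at the first mismatching byte, so its running time (counted here as byte comparisons, so no stopwatch is needed) grows with the length of the correct prefix, and the constant-time form does the same amount of work whatever the guess. The password strings are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable shape: bails out at the first byte that differs (and on a
 * length mismatch before touching any byte), so how long it runs tells
 * the caller how many leading bytes of the guess were right. `steps`, if
 * non-NULL, receives the number of byte comparisons performed. */
int password_equal_leaky(const char *stored, const char *guess, size_t *steps)
{
    size_t n = strlen(stored), done = 0;
    int equal = 1;
    if (n != strlen(guess)) {
        equal = 0;
        n = 0;                       /* early exit on length, too */
    }
    for (size_t i = 0; i < n; i++) {
        done++;
        if (stored[i] != guess[i]) {
            equal = 0;
            break;
        }
    }
    if (steps)
        *steps = done;
    return equal;
}

/* Constant-time shape: always touches every byte of the stored secret,
 * ORs every difference into an accumulator and reveals the length mismatch
 * only in the final answer. Work done depends on the secret's length
 * (known to the server anyway), never on how close the guess was. */
int password_equal_ct(const char *stored, const char *guess, size_t *steps)
{
    size_t slen = strlen(stored), glen = strlen(guess), done = 0;
    unsigned int diff = (slen != glen);
    for (size_t i = 0; i < slen; i++) {
        /* read past the end of a short guess as zeros instead of stopping */
        unsigned char g = (i < glen) ? (unsigned char)guess[i] : 0;
        diff |= (unsigned char)stored[i] ^ g;
        done++;
    }
    if (steps)
        *steps = done;
    return diff == 0;
}

int main(void)
{
    const char *stored = "correct horse";           /* constructed secret */
    const char *guesses[] = { "cXrrect horse", "correct horsX", "correct horse", "short" };
    for (size_t i = 0; i < 4; i++) {
        size_t leaky = 0, ct = 0;
        int a = password_equal_leaky(stored, guesses[i], &leaky);
        int b = password_equal_ct(stored, guesses[i], &ct);
        printf("%-14s leaky: %d after %2zu steps   ct: %d after %2zu steps\n",
               guesses[i], a, leaky, b, ct);
    }
    return 0;
}
```

The step counts are the channel: with the leaky version an attacker who can measure response time can confirm one byte of the secret at a time; with the constant-time version every guess costs exactly strlen(stored) steps.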


[ubuntu/trusty-security] virtualbox 4.3.36-dfsg-1+deb8u1ubuntu1.14.04.2 (Accepted)

2019-01-22 Thread Eduardo dos Santos Barretto
virtualbox (4.3.36-dfsg-1+deb8u1ubuntu1.14.04.2) trusty-security; urgency=medium

  * debian/patches/fix-for-guest-to-host-escape-vulnerability.patch:
- Apply patch for guest-to-host escape vulnerability (LP: #1809156)
- CVE-2018-3294

Date: 2019-01-21 15:57:13.400224+00:00
Changed-By: Martin Konrad 
Signed-By: Eduardo dos Santos Barretto 
https://launchpad.net/ubuntu/+source/virtualbox/4.3.36-dfsg-1+deb8u1ubuntu1.14.04.2


[ubuntu/trusty-security] krb5 1.12+dfsg-2ubuntu5.4 (Accepted)

2019-01-10 Thread Eduardo dos Santos Barretto
krb5 (1.12+dfsg-2ubuntu5.4) trusty-security; urgency=medium

  * SECURITY UPDATE: DoS (out-of-bounds read) via a crafted string
- debian/patches/CVE-2015-8629.patch: Verify decode kadmin C strings
- CVE-2015-8629
  * SECURITY UPDATE: DoS (NULL pointer dereference) by specifying KADM5_POLICY
with a NULL policy name
- debian/patches/CVE-2015-8630.patch: Check for null kadm5 policy name
- CVE-2015-8630
  * SECURITY UPDATE: DoS (memory consumption) via a request specifying a NULL
principal name
- debian/patches/CVE-2015-8631.patch: Fix leaks in kadmin server stubs
- CVE-2015-8631
  * SECURITY UPDATE: DoS (NULL pointer dereference) via a crafted request to
modify a principal
- debian/patches/CVE-2016-3119.patch: Fix LDAP null dereference on
  empty arg
- CVE-2016-3119
  * SECURITY UPDATE: DoS (NULL pointer dereference) via an S4U2Self request
- debian/patches/CVE-2016-3120.patch: Fix S4U2Self KDC crash when anon
  is restricted
- CVE-2016-3120
  * SECURITY UPDATE: KDC assertion failure
- debian/patches/CVE-2017-11368-1.patch: Prevent KDC unset status
  assertion failures
- debian/patches/CVE-2017-11368-2.patch: Simplify KDC status assignment
- CVE-2017-11368
  * SECURITY UPDATE: Double free vulnerability
- debian/patches/CVE-2017-11462.patch: Preserve GSS context on init/accept
  failure
- CVE-2017-11462
  * SECURITY UPDATE: Authenticated kadmin with permission to add principals
to an LDAP Kerberos database can DoS or bypass the DN container check.
- debian/patches/CVE-2018-5729-CVE-2018-5730.patch: Fix flaws in LDAP DN
  checking
- CVE-2018-5729
- CVE-2018-5730

krb5 (1.12+dfsg-2ubuntu5.3) trusty; urgency=medium

  * d/p/upstream/0001-Add-SPNEGO-special-case-for-NTLMSSP-MechListMIC.patch:
Cherry-pick from upstream to add SPNEGO special case for
NTLMSSP+MechListMIC.  LP: #1643708.

Date: 2019-01-10 18:06:12.384461+00:00
Changed-By: Eduardo dos Santos Barretto 
https://launchpad.net/ubuntu/+source/krb5/1.12+dfsg-2ubuntu5.4


[ubuntu/trusty-security] chrony 1.29-1ubuntu0.1 (Accepted)

2018-12-06 Thread Eduardo dos Santos Barretto
chrony (1.29-1ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: Heap-based buffer overflow
- debian/patches/CVE-2015-1821.patch: Fix access configuration with
  subnet size indivisible by 4.
- CVE-2015-1821
  * SECURITY UPDATE: DoS (uninitialized pointer dereference and daemon
crash) or possibly execute arbitrary code via a large number of
command requests.
- debian/patches/CVE-2015-1822.patch: Fix initialization of allocated
  reply slots.
- CVE-2015-1822
  * SECURITY UPDATE: Authentication doesn't protect symmetric associations
against DoS attacks
- debian/patches/CVE-2015-1853.patch: Protect authenticated symmetric
  associations against DoS attacks.
- CVE-2015-1853
  * SECURITY UPDATE: Remote attackers to conduct impersonation attacks via
an arbitrary trusted key, aka a "skeleton key".
- debian/patches/CVE-2016-1567.patch: restrict authentication of
  server/peer to specified key.
- CVE-2016-1567

Date: 2018-12-06 16:37:11.800383+00:00
Changed-By: Eduardo dos Santos Barretto 
https://launchpad.net/ubuntu/+source/chrony/1.29-1ubuntu0.1


[ubuntu/trusty-security] tor 0.2.4.27-1ubuntu0.1 (Accepted)

2018-11-26 Thread Eduardo dos Santos Barretto
tor (0.2.4.27-1ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: DoS (client crash) via a crafted hidden service
descriptor.
- debian/patches/CVE-2016-1254.patch: Fix parsing bug with unrecognized
  token at EOS.
- CVE-2016-1254
  * SECURITY UPDATE: DoS (crash) via crafted data.
- debian/patches/CVE-2016-8860.patch: Protect against NUL-terminated
  inputs.
- CVE-2016-8860
  * SECURITY UPDATE: DoS (assertion failure and daemon exit) via a BEGIN_DIR
rendezvous circuit.
- debian/patches/CVE-2017-0376.patch: Fix assertion failure.
- CVE-2017-0376
  * SECURITY UPDATE: Replay-cache protection mechanism is ineffective for v2
onion services.
- debian/patches/CVE-2017-8819.patch: Fix length of replaycache-checked
  data.
- CVE-2017-8819
  * SECURITY UPDATE: DoS (application hang) via a crafted PEM input.
- debian/patches/CVE-2017-8821.patch: Avoid asking for passphrase on
  junky PEM input.
- CVE-2017-8821
  * SECURITY UPDATE: Relays that have incompletely downloaded
descriptors can pick themselves in a circuit path, leading to a
degradation of anonymity
- debian/patches/CVE-2017-8822.patch: Use local descriptor object to
  exclude self in path selection.
- CVE-2017-8822

Date: 2018-11-26 16:04:17.183114+00:00
Changed-By: Eduardo dos Santos Barretto 
https://launchpad.net/ubuntu/+source/tor/0.2.4.27-1ubuntu0.1


[ubuntu/trusty-security] mercurial 2.8.2-1ubuntu1.4 (Accepted)

2018-11-22 Thread Eduardo dos Santos Barretto
mercurial (2.8.2-1ubuntu1.4) trusty-security; urgency=medium

  * SECURITY UPDATE: Remote attackers can execute arbitrary code via a
crafted git ext:: URL when cloning a subrepository.
- debian/patches/CVE-2016-3068.patch: set GIT_ALLOW_PROTOCOL to limit
  git clone protocols.
- CVE-2016-3068
  * SECURITY UPDATE: Remote attackers can execute arbitrary code via a crafted
name when converting a Git repository.
- debian/patches/CVE-2016-3069_part1.patch: add new, non-clowny interface
  for shelling out to git.
- debian/patches/CVE-2016-3069_part2.patch: rewrite calls to Git to use
  the new shelling mechanism.
- debian/patches/CVE-2016-3069_part3.patch: dead code removal - old git
  calling functions
- debian/patches/CVE-2016-3069_part4.patch: test for shell injection in
  git calls
- CVE-2016-3069
  * SECURITY UPDATE: The convert extension might allow attackers to
execute arbitrary code via a crafted git repository name.
- debian/patches/CVE-2016-3105.patch: Pass absolute paths to git.
- CVE-2016-3105
  * SECURITY UPDATE: Remote attackers can execute arbitrary code via a clone,
push or pull command because of a list sizing rounding error and short
records.
- debian/patches/CVE-2016-3630_part1.patch: fix list sizing rounding
  error.
- debian/patches/CVE-2016-3630_part2.patch: detect short records
- CVE-2016-3630
  * SECURITY UPDATE: hg serve --stdio allows remote authenticated users
to launch the Python debugger and execute arbitrary code.
- debian/patches/CVE-2017-9462.patch: Protect against malicious hg
  serve --stdio invocations.
- CVE-2017-9462
  * SECURITY UPDATE: A specially malformed repository can cause GIT
subrepositories to run arbitrary code.
- debian/patches/CVE-2017-17458_part1.patch: add test-audit-subrepo.t
  testcase.
- debian/patches/CVE-2017-17458_part2.patch: disallow symlink
  traversal across subrepo mount point.
- CVE-2017-17458
  * SECURITY UPDATE: Missing symlink check could be abused to write to files
outside the repository.
- debian/patches/CVE-2017-1000115.patch: Fix symlink traversal.
- CVE-2017-1000115
  * SECURITY UPDATE: Possible shell-injection attack from not adequately
sanitizing hostnames passed to ssh.
- debian/patches/CVE-2017-1000116.patch: Sanitize hostnames passed to ssh.
- CVE-2017-1000116
  * SECURITY UPDATE: Integer underflow and overflow.
- debian/patches/CVE-2018-13347.patch: Protect against underflow.
- debian/patches/CVE-2018-13347-extras.patch: Protect against overflow.
- CVE-2018-13347
  * SECURITY UPDATE: Able to start a fragment past the end of the original data.
- debian/patches/CVE-2018-13346.patch: Ensure fragment start is not past
  the end of orig.
- CVE-2018-13346
  * SECURITY UPDATE: Data mishandling in certain situations.
- debian/patches/CVE-2018-13348.patch: Be more careful about parsing
  binary patch data.
- CVE-2018-13348
  * SECURITY UPDATE: Vulnerability in Protocol server can result in
unauthorized data access.
- debian/patches/CVE-2018-1000132.patch: Always perform permissions
  checks on protocol commands.
- CVE-2018-1000132

Date: 2018-11-22 18:19:46.418758+00:00
Changed-By: Eduardo dos Santos Barretto 
https://launchpad.net/ubuntu/+source/mercurial/2.8.2-1ubuntu1.4


[ubuntu/trusty-security] graphicsmagick 1.3.18-1ubuntu3.1 (Accepted)

2018-10-31 Thread Eduardo dos Santos Barretto
  * SECURITY UPDATE: DoS (crash) via large dimensions in a JPEG image.
- debian/patches/CVE-2016-9830.patch: enforce spec requirement that
  the dimensions of the JPEG embedded in a JDAT chunk must match the
  JHDR dimensions.
- CVE-2016-9830

Date: 2018-10-30 20:05:12.971655+00:00
Changed-By: Eduardo dos Santos Barretto 
https://launchpad.net/ubuntu/+source/graphicsmagick/1.3.18-1ubuntu3.1


[ubuntu/trusty-security] tomcat6 6.0.39-1ubuntu0.1 (Accepted)

2018-10-17 Thread Eduardo dos Santos Barretto
tomcat6 (6.0.39-1ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: Integer overflow
- debian/patches/CVE-2014-0075.patch: Fix integer overflow in the
  parseChunkHeader function in
  java/org/apache/coyote/http11/filters/ChunkedInputFilter.java
- CVE-2014-0075
  * SECURITY UPDATE: Bypass security-manager restrictions and read
arbitrary files via a crafted web application that provides an XML
external entity declaration in conjunction with an entity reference.
- debian/patches/CVE-2014-0096.patch: Properly restrict XSLT
  stylesheets
- CVE-2014-0096
  * SECURITY UPDATE: Fix integer overflow.
- debian/patches/CVE-2014-0099.patch: Fix in
  java/org/apache/tomcat/util/buf/Ascii.java
- CVE-2014-0099
  * SECURITY UPDATE: Read arbitrary files via a crafted web application
that provides an XML external entity declaration in conjunction with
an entity reference.
- debian/patches/CVE-2014-0119-1.patch: fix in SecurityClassLoad.java
  and DefaultServlet.java
- debian/patches/CVE-2014-0119-2.patch: fix in TldConfig.java
- debian/patches/CVE-2014-0119-3.patch: fix in multiple files
- CVE-2014-0119
  * SECURITY UPDATE: Add error flag to allow subsequent attempts at
reading after an error to fail fast.
- debian/patches/CVE-2014-0227.patch: fix in ChunkedInputFilter.java
- CVE-2014-0227
  * SECURITY UPDATE: DoS (thread consumption) via a series of aborted
upload attempts.
- debian/patches/CVE-2014-0230.patch: add support for maxSwallowSize
- CVE-2014-0230
  * SECURITY UPDATE: Bypass a SecurityManager protection mechanism via a
web application that leverages use of incorrect privileges during EL
evaluation.
- debian/patches/CVE-2014-7810-1.patch: fix in BeanELResolver.java
- debian/patches/CVE-2014-7810-2.patch: fix in PageContextImpl.java
  and SecurityClassLoad.java
- CVE-2014-7810
  * SECURITY UPDATE: Directory traversal vulnerability in RequestUtil.java
- debian/patches/CVE-2015-5174.patch: fix in RequestUtil.java
- CVE-2015-5174
  * SECURITY UPDATE: Remote attackers can determine the existence of a
directory via a URL that lacks a trailing slash character.
- debian/patches/CVE-2015-5345-1.patch: fix in multiple files
- debian/patches/CVE-2015-5345-2.patch: fix in multiple files
- CVE-2015-5345
  * SECURITY UPDATE: Bypass CSRF protection mechanism by using a token.
- debian/patches/CVE-2015-5351-1.patch: fix in manager application
- debian/patches/CVE-2015-5351-2.patch: fix in host-manager
  application
- CVE-2015-5351
  * SECURITY UPDATE: Bypass intended SecurityManager restrictions and
read arbitrary HTTP requests, and consequently discover session ID
values, via a crafted web application.
- debian/patches/CVE-2016-0706.patch: fix in
  RestrictedServlets.properties
- CVE-2016-0706
  * SECURITY UPDATE: Bypass intended SecurityManager restrictions and
execute arbitrary code in a privileged context via a web application
that places a crafted object in a session.
- debian/patches/CVE-2016-0714-1.patch: fix in multiple files.
- debian/patches/CVE-2016-0714-2.patch: fix in multiple files.
- CVE-2016-0714
  * SECURITY UPDATE: Possible to determine valid user names.
- debian/patches/CVE-2016-0762.patch: fix in MemoryRealm.java and
  RealmBase.java
- CVE-2016-0762
  * SECURITY UPDATE: Bypass intended SecurityManager restrictions and
read or write to arbitrary application data, or cause a denial of
service (application disruption), via a web application that sets
a crafted global context.
- debian/patches/CVE-2016-0763.patch: fix in ResourceLinkFactory.java
- CVE-2016-0763
  * SECURITY UPDATE: Access to the tomcat account to gain root privileges
via a symlink attack on the Catalina log file.
- debian/tomcat6.init: don't follow symlinks when handling the
  catalina.out file.
- CVE-2016-1240

Date: 2018-10-17 12:21:13.810032+00:00
Changed-By: Eduardo dos Santos Barretto 
https://launchpad.net/ubuntu/+source/tomcat6/6.0.39-1ubuntu0.1
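
The symlink problem behind the tomcat6.init change, in C as an added example (the actual fix is in the shell init script, and this is not that script): a privileged service that opens a log file owned by an unprivileged account must not follow a symlink planted at that path, otherwise the account can make root write to, or chown, any file it names. O_NOFOLLOW refuses the planted link; the fstat check additionally rejects devices, fifos and hard-linked files. The scratch directory, the "sensitive" stand-in file and the planted link are constructed by the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Open (creating if needed) a log file for appending without following a
 * symlink in the final path component, then refuse anything that is not a
 * plain, singly-linked regular file. Returns an fd, or -1 with errno set
 * (ELOOP when a symlink was planted where the log should be). */
int open_log_nofollow(const char *path, mode_t mode)
{
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_CLOEXEC, mode);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        errno = EACCES;   /* a device, fifo or hard-linked file is also refused */
        return -1;
    }
    return fd;
}

/* Exercise both behaviours in a scratch directory. "sensitive" stands in
 * for a root-owned file the service account must not be able to make root
 * write to. Returns 0 when every expectation holds, otherwise the number
 * of the failed step (1 = could not create the scratch directory). */
int run_demo(void)
{
    char dir[] = "/tmp/catalina-demo-XXXXXX";
    if (!mkdtemp(dir))
        return 1;
    char real[256], target[256], planted[256];
    snprintf(real, sizeof real, "%s/catalina.out", dir);
    snprintf(target, sizeof target, "%s/sensitive", dir);
    snprintf(planted, sizeof planted, "%s/catalina.out.planted", dir);
    int rc = 0, fd;
    struct stat st;

    fd = open(target, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) rc = 2; else close(fd);
    if (rc == 0 && symlink(target, planted) != 0)
        rc = 3;

    /* 1. genuine log: created and opened normally */
    if (rc == 0) {
        fd = open_log_nofollow(real, 0640);
        if (fd < 0) rc = 4; else close(fd);
    }
    /* 2. planted symlink: refused with ELOOP, target untouched */
    if (rc == 0) {
        fd = open_log_nofollow(planted, 0640);
        if (fd >= 0) { close(fd); rc = 5; }
        else if (errno != ELOOP) rc = 6;
        if (rc == 0 && (stat(target, &st) != 0 || st.st_size != 0)) rc = 7;
    }
    /* 3. the unsafe pattern for contrast: a plain open() follows the link
     *    and the byte lands in "sensitive" */
    if (rc == 0) {
        fd = open(planted, O_WRONLY | O_APPEND | O_CREAT, 0640);
        if (fd < 0 || write(fd, "x", 1) != 1) rc = 8;
        if (fd >= 0) close(fd);
        if (rc == 0 && (stat(target, &st) != 0 || st.st_size != 1)) rc = 9;
    }
    unlink(planted); unlink(target); unlink(real); rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = run_demo();
    if (rc == 0)
        puts("planted symlink refused with ELOOP; plain open() wrote through it");
    else
        printf("step %d failed\n", rc);
    return rc;
}
```

In a shell init script the equivalent is to test the path with `[ -L "$path" ]` before touching it and to drop privileges before creating the file; the C form is shown because it closes the check-then-open race that a separate test leaves open.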


[ubuntu/trusty-security] opencv 2.4.8+dfsg1-2ubuntu1.2 (Accepted)

2018-09-19 Thread Eduardo dos Santos Barretto
opencv (2.4.8+dfsg1-2ubuntu1.2) trusty-security; urgency=medium

  * Set -DENABLE_PRECOMPILED_HEADERS on arm64.

Date: 2018-09-19 08:18:15.622030+00:00
Changed-By: Eduardo dos Santos Barretto 
Maintainer: Kubuntu Members 
https://launchpad.net/ubuntu/+source/opencv/2.4.8+dfsg1-2ubuntu1.2


[ubuntu/trusty-security] mpg123 1.16.0-1ubuntu1.1 (Accepted)

2018-09-05 Thread Eduardo dos Santos Barretto
mpg123 (1.16.0-1ubuntu1.1) trusty-security; urgency=medium

  * SECURITY UPDATE: Buffer overflow
- debian/patches/CVE-2014-9497.patch: Regression fix: Ensure decoder
  reinitialization on combination of seek and resync (buffer
  overflow) and add check for bad bit allocation value in layer I
  decoder.
- CVE-2014-9497
  * SECURITY UPDATE: Memory overread
- debian/patches/CVE-2016-1000247.patch: fix DoS with crafted ID3v2
  tags.
- CVE-2016-1000247
  * SECURITY UPDATE: Memory overread
- debian/patches/CVE-2017-10683.patch: fix in id3.c
- CVE-2017-10683

Date: 2018-09-05 18:37:13.502478+00:00
Changed-By: Eduardo dos Santos Barretto 
https://launchpad.net/ubuntu/+source/mpg123/1.16.0-1ubuntu1.1


[ubuntu/trusty-security] mosquitto 0.15-2+deb7u3ubuntu0.1 (Accepted)

2018-09-05 Thread Eduardo dos Santos Barretto
mosquitto (0.15-2+deb7u3ubuntu0.1) trusty-security; urgency=medium

  * Merge from Debian. Remaining changes:
- Install apparmor profile.
- Replace init script with upstart script.

mosquitto (0.15-2+deb7u3) wheezy-security; urgency=high

  * Non-maintainer upload by the Wheezy LTS Team. 
  * CVE-2017-7651
fix to avoid extraordinary memory consumption by crafted 
CONNECT packet from unauthenticated client
  * CVE-2017-7652
in case all sockets/file descriptors are exhausted, this is a 
fix to avoid default config values after reloading configuration
by SIGHUP signal

mosquitto (0.15-2+deb7u2) wheezy-security; urgency=high

  * SECURITY UPDATE: Persistence file is world readable, which may expose
sensitive data.
- debian/patches/mosquitto-0.15_cve-2017-9868.patch: Set umask to
  restrict persistence file read access to owner.
- CVE-2017-9868

mosquitto (0.15-2+deb7u1) wheezy-security; urgency=high

  * SECURITY UPDATE: Pattern ACL can be bypassed by using a username/client id
set to '+' or '#'.
- debian/patches/mosquitto-1.3.4_cve-2017-7650.patch: Reject send/receive
  of messages to/from clients with a '+', '#' or '/' in their
  username/client id.
- CVE-2017-7650

Date: 2018-09-05 15:11:24.589193+00:00
Changed-By: Eduardo dos Santos Barretto 
https://launchpad.net/ubuntu/+source/mosquitto/0.15-2+deb7u3ubuntu0.1
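
How a '+' or '#' identity defeats a pattern ACL, as an added example that is not mosquitto's code: a pattern's %u and %c placeholders are substituted with the client's username or client id to build a topic filter, and since '+' and '#' are wildcards in MQTT filter syntax, an identity made of those characters turns a per-user pattern into one that matches everything. The topic matcher, pattern expander and identity check below are my own implementations of the MQTT filter rules and of the shape of the fix (reject identities containing '+', '#' or '/'); the ACL pattern, identities and topics are constructed.

```c
#include <stdio.h>
#include <string.h>

static size_t level_len(const char *s)
{
    const char *slash = strchr(s, '/');
    return slash ? (size_t)(slash - s) : strlen(s);
}

/* MQTT topic-filter matching, level by level: '+' matches exactly one
 * level, '#' matches the remainder and is only valid as the last level. */
int topic_matches(const char *filter, const char *topic)
{
    for (;;) {
        size_t fl = level_len(filter), tl = level_len(topic);
        if (fl == 1 && filter[0] == '#')
            return filter[1] == '\0';
        if (!(fl == 1 && filter[0] == '+')) {
            if (fl != tl || memcmp(filter, topic, fl) != 0)
                return 0;
        }
        filter += fl;
        topic += tl;
        if (*filter == '\0' && *topic == '\0')
            return 1;
        if (*filter == '\0' || *topic == '\0')
            return *topic == '\0' && strcmp(filter, "/#") == 0;  /* "a/#" also matches "a" */
        filter++;                     /* skip the '/' on both sides */
        topic++;
    }
}

/* Expand a pattern ACL: %u -> username, %c -> client id. */
int expand_pattern(const char *pattern, const char *username, const char *clientid,
                   char *out, size_t outsz)
{
    size_t n = 0;
    for (const char *p = pattern; *p; p++) {
        const char *sub = NULL;
        if (p[0] == '%' && p[1] == 'u') sub = username;
        else if (p[0] == '%' && p[1] == 'c') sub = clientid;
        if (sub) {
            size_t sl = strlen(sub);
            if (n + sl >= outsz) return -1;
            memcpy(out + n, sub, sl);
            n += sl;
            p++;                      /* consume the placeholder letter */
        } else {
            if (n + 1 >= outsz) return -1;
            out[n++] = *p;
        }
    }
    out[n] = '\0';
    return 0;
}

/* Shape of the fix: an identity is usable in a pattern only if it carries
 * none of the characters that have meaning inside a topic filter. */
int identity_is_safe(const char *id)
{
    return id && *id && strpbrk(id, "+#/") == NULL;
}

/* Authorisation decision for (username, clientid) on `topic` under `pattern`.
 * enforce_fix selects the post-CVE-2017-7650 behaviour. */
int acl_allows(const char *pattern, const char *username, const char *clientid,
               const char *topic, int enforce_fix)
{
    char filter[256];
    if (enforce_fix && (!identity_is_safe(username) || !identity_is_safe(clientid)))
        return 0;
    if (expand_pattern(pattern, username, clientid, filter, sizeof filter) != 0)
        return 0;
    return topic_matches(filter, topic);
}

int main(void)
{
    const char *pattern = "sensor/%u/#";             /* constructed ACL line */
    const char *topic = "sensor/bob/temp";
    printf("alice on bob's topic, no fix: %d\n", acl_allows(pattern, "alice", "c1", topic, 0));
    printf("'+'   on bob's topic, no fix: %d\n", acl_allows(pattern, "+", "c1", topic, 0));
    printf("'+'   on bob's topic, fixed:  %d\n", acl_allows(pattern, "+", "c1", topic, 1));
    return 0;
}
```

The same substitution exists in other brokers' pattern-based ACLs; the general rule is that anything interpolated into a filter must be validated against the filter grammar, not just against the identity store.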


[ubuntu/trusty-security] hdf5 1.8.11-5ubuntu7.1 (Accepted)

2018-08-28 Thread Eduardo dos Santos Barretto
hdf5 (1.8.11-5ubuntu7.1) trusty-security; urgency=medium

  * SECURITY UPDATE: Heap-based buffer overflow, potentially leading to
arbitrary code execution.
- debian/patches/CVE-2016-4330.patch: fix in src/H5Odtype.c
- debian/patches/CVE-2016-4331-1.patch: fix in src/H5Znbit.c
- debian/patches/CVE-2016-4331-2.patch: fix in src/H5Znbit.c
- debian/patches/CVE-2016-4332.patch: fix in src/H5Ocache.c and
  src/H5Opkg.h
- debian/patches/CVE-2016-4333.patch: fix in src/H5Odtype.c
- CVE-2016-4330
- CVE-2016-4331
- CVE-2016-4332
- CVE-2016-4333

Date: 2018-08-28 18:21:12.850746+00:00
Changed-By: Eduardo dos Santos Barretto 
https://launchpad.net/ubuntu/+source/hdf5/1.8.11-5ubuntu7.1


[ubuntu/trusty-security] httpcomponents-client 4.3.3-1ubuntu0.1 (Accepted)

2018-08-14 Thread Eduardo dos Santos Barretto
httpcomponents-client (4.3.3-1ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: It was found that the fix for CVE-2012-5783
and CVE-2012-6153 was incomplete. The code added to check that
the server hostname matches the domain name in the subject's CN
field was flawed. This can be exploited by a Man-in-the-middle
(MITM) attack where the attacker can spoof a valid certificate
using a specially crafted subject.
- debian/patches/CVE-2014-3577.patch: fix in AbstractVerifier.java
- CVE-2014-3577

Date: 2018-08-13 20:52:11.981641+00:00
Changed-By: Eduardo dos Santos Barretto 
https://launchpad.net/ubuntu/+source/httpcomponents-client/4.3.3-1ubuntu0.1
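
Why a textual CN check can be fooled, as an added example in C that is not the httpcomponents-client code: cn_naive hunts for the text "cn=" anywhere in the flattened subject string, so a value in some other attribute can carry a fake CN; cn_parsed splits the subject into RDNs first (honouring the '\,' and "quoted" forms of RFC 2253, but not hex escapes) and takes the value only from an attribute whose type is CN. The crafted subject is constructed to illustrate that difference and is not the published vector for CVE-2014-3577; a real verifier should also check subjectAltName, which this example omits.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Flawed shape: first "cn=" anywhere in the string, value up to the next
 * comma, with no idea of attribute boundaries or escaping. */
int cn_naive(const char *subject, char *out, size_t outsz)
{
    for (const char *p = subject; *p; p++) {
        if (strncasecmp(p, "cn=", 3) == 0) {
            p += 3;
            size_t n = 0;
            while (p[n] && p[n] != ',')
                n++;
            if (n + 1 > outsz)
                return -1;
            memcpy(out, p, n);
            out[n] = '\0';
            return 0;
        }
    }
    return -1;
}

/* Correct shape: walk the subject RDN by RDN. A value may be "quoted" or
 * contain backslash-escaped characters; only an unescaped, unquoted ','
 * (or '+') ends it. The CN is taken only from an attribute of type CN. */
int cn_parsed(const char *subject, char *out, size_t outsz)
{
    const char *p = subject;
    while (*p) {
        while (*p == ' ')
            p++;
        const char *type = p;                 /* attribute type runs to '=' */
        while (*p && *p != '=' && *p != ',')
            p++;
        if (*p != '=')
            return -1;                        /* malformed RDN */
        size_t tlen = (size_t)(p - type);
        while (tlen && type[tlen - 1] == ' ')
            tlen--;
        p++;
        char val[256];
        size_t vn = 0;
        int quoted = 0;
        while (*p) {
            char c = *p;
            if (c == '"') { quoted = !quoted; p++; continue; }
            if (c == '\\' && p[1]) { c = p[1]; p++; }           /* escaped char */
            else if (!quoted && (c == ',' || c == '+')) break;  /* end of value */
            if (vn + 1 >= sizeof val)
                return -1;
            val[vn++] = c;
            p++;
        }
        val[vn] = '\0';
        if (tlen == 2 && strncasecmp(type, "CN", 2) == 0) {
            if (vn + 1 > outsz)
                return -1;
            memcpy(out, val, vn + 1);
            return 0;
        }
        if (*p == ',' || *p == '+')
            p++;
    }
    return -1;
}

/* Case-insensitive hostname match; '*' is accepted only as the whole
 * leftmost label, so "*.example.com" matches "www.example.com" but
 * neither "example.com" nor "a.b.example.com". */
int hostname_matches(const char *cn, const char *host)
{
    if (strchr(host, '*'))
        return 0;
    if (strncmp(cn, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        if (!dot || dot == host)
            return 0;
        return strcasecmp(cn + 2, dot + 1) == 0;
    }
    if (strchr(cn, '*'))
        return 0;                             /* wildcard anywhere else: refuse */
    return strcasecmp(cn, host) == 0;
}

/* Accept the certificate for `host` if the extracted CN matches.
 * use_parser selects cn_parsed (fixed) over cn_naive (flawed). */
int verify_host(const char *subject, const char *host, int use_parser)
{
    char cn[256];
    int rc = use_parser ? cn_parsed(subject, cn, sizeof cn)
                        : cn_naive(subject, cn, sizeof cn);
    return rc == 0 && hostname_matches(cn, host);
}

int main(void)
{
    /* constructed: the O value smuggles "cn=www.example.com" past a substring search */
    const char *crafted = "O=Evil\\, cn=www.example.com,CN=attacker.test";
    printf("naive  accepts crafted cert for www.example.com: %d\n", verify_host(crafted, "www.example.com", 0));
    printf("parsed accepts crafted cert for www.example.com: %d\n", verify_host(crafted, "www.example.com", 1));
    return 0;
}
```

The lesson generalises beyond this library: never derive a security decision from a DN that has been flattened to a string and searched with string functions; work from the decoded attribute sequence (or, better, from subjectAltName) instead.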


[ubuntu/trusty-security] monit 1:5.6-2ubuntu0.1 (Accepted)

2018-08-13 Thread Eduardo dos Santos Barretto
monit (1:5.6-2ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: CSRF vulnerability
- debian/patches/CVE-2016-7067.patch: The following http services
  are no longer implemented for GET method and require CSRF
  protected POST: _doaction, _viewlog
- CVE-2016-7067

Date: 2018-08-10 18:46:25.340683+00:00
Changed-By: Eduardo dos Santos Barretto 
https://launchpad.net/ubuntu/+source/monit/1:5.6-2ubuntu0.1


[ubuntu/trusty-security] zeromq3 4.0.4+dfsg-2ubuntu0.1 (Accepted)

2018-08-07 Thread Eduardo dos Santos Barretto
zeromq3 (4.0.4+dfsg-2ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: man-in-the-middle attackers to conduct
downgrade attacks via a crafted connection request.
- debian/patches/CVE-2014-7202.patch: Solution: accept only the
  mechanism defined by the socket options.
- CVE-2014-7202

  * SECURITY UPDATE: man-in-the-middle attackers to conduct replay
attacks via unspecified vectors.
- debian/patches/CVE-2014-7203.patch: Solution: ensure message
  short nonces are strictly increasing and validate them.
- CVE-2014-7203

  * SECURITY UPDATE: remote attackers to conduct downgrade attacks
and bypass ZMTP v3 protocol security mechanisms via a ZMTP v2
or earlier header.
- debian/patches/CVE-2014-9721.patch: Solution: if security is
  defined on a socket, reject all V2 and earlier connections,
  unconditionally.
- CVE-2014-9721

Date: 2018-08-07 16:00:21.071418+00:00
Changed-By: Eduardo dos Santos Barretto 
https://launchpad.net/ubuntu/+source/zeromq3/4.0.4+dfsg-2ubuntu0.1


[ubuntu/trusty-security] libtomcrypt 1.17-5ubuntu0.1 (Accepted)

2018-08-06 Thread Eduardo dos Santos Barretto
libtomcrypt (1.17-5ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: Fix possible Bleichenbacher signature attack.
- debian/patches/CVE-2016-6129.patch: fix in
  src/pk/rsa/rsa_verify_hash.c
- CVE-2016-6129

  * SECURITY UPDATE: Memory side-channel attack on ECDSA signatures.
- debian/patches/CVE-2018-12437.patch: fix in
  src/pk/ecc/ecc_sign_hash.c
- CVE-2018-12437

Date: 2018-08-06 18:16:12.025656+00:00
Changed-By: Eduardo dos Santos Barretto 
https://launchpad.net/ubuntu/+source/libtomcrypt/1.17-5ubuntu0.1


[ubuntu/trusty-security] jansson 2.5-2ubuntu0.2 (Accepted)

2018-08-02 Thread Eduardo dos Santos Barretto
jansson (2.5-2ubuntu0.2) trusty-security; urgency=medium

  * REGRESSION UPDATE: The backport of CVE-2013-6401 brought a
regression.
- debian/patches/Fix-regression-in-CVE-2013-6401-backport.patch: Fix
  in src/hashtable.c and test/suites/api/test_objec.t

Date: 2018-08-02 16:12:19.770980+00:00
Changed-By: Eduardo dos Santos Barretto 
https://launchpad.net/ubuntu/+source/jansson/2.5-2ubuntu0.2


[ubuntu/trusty-security] jansson 2.5-2ubuntu0.1 (Accepted)

2018-08-01 Thread Eduardo dos Santos Barretto
jansson (2.5-2ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: Hash collision issue
- debian/patches/CVE-2013-6401.patch: Fix hash function so that
  it is not susceptible to predictable hash collisions
- CVE-2013-6401

  * SECURITY UPDATE: Stack exhaustion parsing a JSON file
- debian/patches/CVE-2016-4425.patch: Fix in src/load.c and
  src/jansson_config.h.in
- CVE-2016-4425

Date: 2018-08-01 15:17:21.427884+00:00
Changed-By: Eduardo dos Santos Barretto 
https://launchpad.net/ubuntu/+source/jansson/2.5-2ubuntu0.1


[ubuntu/trusty-security] capnproto 0.4.0-1ubuntu2.1 (Accepted)

2018-07-31 Thread Eduardo dos Santos Barretto
capnproto (0.4.0-1ubuntu2.1) trusty-security; urgency=medium

  * SECURITY UPDATE: Integer overflow in pointer validation.
- debian/patches/CVE-2015-2310.patch: fix in src/capnp/layout.c++
- CVE-2015-2310

  * SECURITY UPDATE: Integer underflow in pointer validation.
- debian/patches/CVE-2015-2311.patch: fix in src/capnp/layout.c++
- CVE-2015-2311

  * SECURITY UPDATE: CPU usage amplification attack.
- debian/patches/CVE-2015-2312.patch: fix in src/capnp/arena.h,
  src/capnp/encoding-test.c++ and src/capnp/layout.c++
- CVE-2015-2312

  * SECURITY UPDATE: Additional CPU amplification case.
- debian/patches/CVE-2015-2313.patch: fix in src/capnp/layout.c++
  and src/capnp/encoding-test.c++
- CVE-2015-2313

  * SECURITY UPDATE: Prevent compiler from eliding bounds checks.
- debian/patches/CVE-2017-7892.patch: fix in src/capnp/arena.h
- CVE-2017-7892

Date: 2018-07-31 12:57:18.048380+00:00
Changed-By: Eduardo dos Santos Barretto 
https://launchpad.net/ubuntu/+source/capnproto/0.4.0-1ubuntu2.1
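
The two capnproto themes in this upload (integer overflow or underflow in pointer validation, and a bounds check the compiler may elide), as an added example in C that is not capnproto's code: forming `p + nbytes` with an attacker-controlled nbytes is undefined behaviour when it wraps, so an optimiser is entitled to delete the wrap test that follows; doing the arithmetic on lengths instead, and checking count*elem_size by division, never forms an out-of-range pointer and cannot wrap. The 64-byte segment and the list-pointer layout are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* A message segment: start and one-past-end of the bytes we may read. */
struct segment {
    const unsigned char *start;
    const unsigned char *end;
};

static unsigned char demo_buf[64];            /* constructed 64-byte segment */

struct segment demo_segment(void)
{
    struct segment s = { demo_buf, demo_buf + sizeof demo_buf };
    return s;
}

/* Fragile shape: `p + nbytes` may wrap for a huge nbytes, which is UB, so
 * the compiler may assume it never does and drop the `end_of_read >= p`
 * test. Kept only for contrast; do not call it with hostile nbytes. */
int in_bounds_fragile(const struct segment *seg, const unsigned char *p, uint64_t nbytes)
{
    const unsigned char *end_of_read = p + nbytes;
    return p >= seg->start && end_of_read >= p && end_of_read <= seg->end;
}

/* Hardened shape: never form an out-of-range pointer. Work out how many
 * bytes remain as an integer and compare sizes; a huge nbytes simply fails. */
int in_bounds_hardened(const struct segment *seg, const unsigned char *p, uint64_t nbytes)
{
    if (p < seg->start || p > seg->end)
        return 0;
    uint64_t avail = (uint64_t)(seg->end - p);
    return nbytes <= avail;
}

/* Validate a list of `count` elements of `elem_size` bytes at byte offset
 * `off` in the segment. The product count*elem_size is never computed;
 * dividing the available space instead catches both a wrapped product and
 * a count that merely exceeds the segment. Returns the element pointer or
 * NULL. */
const unsigned char *validate_list(const struct segment *seg, uint64_t off,
                                   uint64_t count, uint64_t elem_size)
{
    uint64_t seg_len = (uint64_t)(seg->end - seg->start);
    if (off > seg_len)
        return NULL;                          /* offset past the end (underflow guard) */
    uint64_t avail = seg_len - off;
    if (elem_size != 0 && count > avail / elem_size)
        return NULL;                          /* count*elem_size would exceed avail or wrap */
    return seg->start + off;
}

int main(void)
{
    struct segment s = demo_segment();
    printf("7 x 8-byte elements at offset 8:  %s\n", validate_list(&s, 8, 7, 8) ? "ok" : "rejected");
    printf("8 x 8-byte elements at offset 8:  %s\n", validate_list(&s, 8, 8, 8) ? "ok" : "rejected");
    printf("UINT64_MAX x 8-byte elements:     %s\n", validate_list(&s, 0, UINT64_MAX, 8) ? "ok" : "rejected");
    printf("4 bytes at offset 60 (hardened):  %d\n", in_bounds_hardened(&s, s.start + 60, 4));
    printf("UINT64_MAX bytes at 60 (hardened): %d\n", in_bounds_hardened(&s, s.start + 60, UINT64_MAX));
    return 0;
}
```

A quick way to see the elision risk for yourself is to compile in_bounds_fragile with optimisation and inspect the object code: the `end_of_read >= p` comparison is routinely gone, which is exactly why the hardened form works on integers throughout.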


[ubuntu/trusty-security] libonig 5.9.1-1ubuntu1.1 (Accepted)

2018-07-30 Thread Eduardo dos Santos Barretto
libonig (5.9.1-1ubuntu1.1) trusty-security; urgency=medium

  * SECURITY UPDATE: Fix multiple invalid pointer dereferences,
out-of-bounds write memory corruptions and stack buffer overflows.
- debian/patches/CVE-2017-9224-and-CVE-2017-9226-to-9229.patch:
  fixes in regexec.c and regparse.c
- CVE-2017-9224
- CVE-2017-9226
- CVE-2017-9227
- CVE-2017-9228
- CVE-2017-9229

Date: 2018-07-27 18:43:12.151852+00:00
Changed-By: Eduardo dos Santos Barretto 
https://launchpad.net/ubuntu/+source/libonig/5.9.1-1ubuntu1.1