[ubuntu/xenial-updates] libvncserver 0.9.10+dfsg-3ubuntu0.16.04.1 (Accepted)
libvncserver (0.9.10+dfsg-3ubuntu0.16.04.1) xenial-security; urgency=medium

  * SECURITY UPDATE: heap overflows in rectangle fill functions
    - debian/patches/CVE-2016-9941.patch: add bounds checking to
      libvncclient/rfbproto.c.
    - CVE-2016-9941
  * SECURITY UPDATE: heap overflow in Ultra type tile decoder
    - debian/patches/CVE-2016-9942.patch: use _safe variant in
      libvncclient/ultra.c.
    - CVE-2016-9942

Date: 2017-01-06 13:30:23.182650+00:00
Changed-By: Marc Deslauriers
Signed-By: Ubuntu Archive Robot
https://launchpad.net/ubuntu/+source/libvncserver/0.9.10+dfsg-3ubuntu0.16.04.1

Sorry, changesfile not available.

--
Xenial-changes mailing list
Xenial-changes@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/xenial-changes

[ubuntu/xenial-security] libvncserver 0.9.10+dfsg-3ubuntu0.16.04.1 (Accepted)
libvncserver (0.9.10+dfsg-3ubuntu0.16.04.1) xenial-security; urgency=medium

  * SECURITY UPDATE: heap overflows in rectangle fill functions
    - debian/patches/CVE-2016-9941.patch: add bounds checking to
      libvncclient/rfbproto.c.
    - CVE-2016-9941
  * SECURITY UPDATE: heap overflow in Ultra type tile decoder
    - debian/patches/CVE-2016-9942.patch: use _safe variant in
      libvncclient/ultra.c.
    - CVE-2016-9942

Date: 2017-01-06 13:30:23.182650+00:00
Changed-By: Marc Deslauriers
https://launchpad.net/ubuntu/+source/libvncserver/0.9.10+dfsg-3ubuntu0.16.04.1

Sorry, changesfile not available.

[ubuntu/xenial-updates] apt 1.2.18 (Accepted)
apt (1.2.18) xenial; urgency=high

  * SECURITY UPDATE: gpgv: Check for errors when splitting files (CVE-2016-1252)
    Thanks to Jann Horn, Google Project Zero for reporting the issue
    (LP: #1647467)
  * gpgv: Flush the files before checking for errors

apt (1.2.17) xenial; urgency=medium

  [ David Kalnischkies ]
  * apt-key: warn instead of fail on unreadable keyrings (LP: #1642386)
  * show apt-key warnings in apt update (Closes: 834973)

  [ Julian Andres Klode ]
  * test-releasefile-verification: installaptold: Clean up before run

apt (1.2.16) xenial; urgency=medium

  [ David Kalnischkies ]
  * avoid changing the global LC_TIME for Release writing
  * use de-localed std::put_time instead rolling our own
  * accept only the expected UTC timezones in date parsing (Closes: 819697)
  * avoid std::get_time usage to sidestep libstdc++6 bug (LP: #1593583)
  * imbue datetime parsing with C.UTF-8 locale (Closes: 828011)
  * prevent C++ locale number formatting in text APIs (try 2) (Closes: 832044)
  * prevent C++ locale number formatting in text APIs (try 3) (LP: #1611010)
    (LP: #1592817)
  * imbue .diff/Index parsing with C.UTF-8 as well

  [ Julian Andres Klode ]
  * Use C locale instead of C.UTF-8 for protocol strings
  * Add shippable.yml for CI on Shippable
  * Revert "if the FileFd failed already following calls should fail, too"
    (LP: #1641905)

Date: 2016-12-13 17:59:10.990986+00:00
Changed-By: Julian Andres Klode
Signed-By: Brian Murray
https://launchpad.net/ubuntu/+source/apt/1.2.18

Sorry, changesfile not available.

[ubuntu/xenial-updates] php7.0 7.0.13-0ubuntu0.16.04.1 (Accepted)
php7.0 (7.0.13-0ubuntu0.16.04.1) xenial; urgency=medium

  * New upstream release
    - LP: #1645431
    - Refresh patches for new upstream release.
  * Drop:
    - SECURITY UPDATE: proxy request header vulnerability (httpoxy)
      + debian/patches/CVE-2016-5385.patch: only use HTTP_PROXY from the
        local environment in ext/standard/basic_functions.c, main/SAPI.c,
        main/php_variables.c.
      + CVE-2016-5385
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: inadequate error handling in bzread()
      + debian/patches/CVE-2016-5399.patch: do not allow reading past error
        read in ext/bz2/bz2.c.
      + CVE-2016-5399
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: integer overflow in the virtual_file_ex function
      + debian/patches/CVE-2016-6289.patch: properly check path_length in
        Zend/zend_virtual_cwd.c.
      + CVE-2016-6289
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: use after free in unserialize() with unexpected
      session deserialization
      + debian/patches/CVE-2016-6290.patch: destroy var_hash properly in
        ext/session/session.c, added test to
        ext/session/tests/bug72562.phpt.
      + CVE-2016-6290
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: out of bounds read in exif_process_IFD_in_MAKERNOTE
      + debian/patches/CVE-2016-6291.patch: add more bounds checks to
        ext/exif/exif.c.
      + CVE-2016-6291
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: NULL pointer dereference in exif_process_user_comment
      + debian/patches/CVE-2016-6292.patch: properly handle encoding in
        ext/exif/exif.c.
      + CVE-2016-6292
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: locale_accept_from_http out-of-bounds access
      + debian/patches/CVE-2016-6294.patch: check length in
        ext/intl/locale/locale_methods.c, added test to
        ext/intl/tests/bug72533.phpt.
      + CVE-2016-6294
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: use after free vulnerability in SNMP with GC and
      unserialize()
      + debian/patches/CVE-2016-6295.patch: add new handler to
        ext/snmp/snmp.c, add test to ext/snmp/tests/bug72479.phpt.
      + CVE-2016-6295
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: heap buffer overflow in simplestring_addn
      + debian/patches/CVE-2016-6296.patch: prevent overflows in
        ext/xmlrpc/libxmlrpc/simplestring.*.
      + CVE-2016-6296
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: integer overflow in php_stream_zip_opener
      + debian/patches/CVE-2016-6297.patch: use size_t in
        ext/zip/zip_stream.c.
      + CVE-2016-6297
      [ Fixed in 7.0.9 ]
    - debian/patches/fix_exif_tests.patch: fix exif test results after
      security changes.
      [ Fixed in 7.0.9 ]
    - SECURITY UPDATE: denial of service or code execution via crafted
      serialized data
      + debian/patches/CVE-2016-7124.patch: fix unserializing logic in
        ext/session/session.c, ext/standard/var_unserializer.c*,
        ext/wddx/wddx.c, added tests to
        ext/standard/tests/serialize/bug72663.phpt,
        ext/standard/tests/serialize/bug72663_2.phpt,
        ext/standard/tests/serialize/bug72663_3.phpt.
      + CVE-2016-7124
      [ Fixed in 7.0.10 ]
    - SECURITY UPDATE: arbitrary-type session data injection
      + debian/patches/CVE-2016-7125.patch: consume data even if not storing
        in ext/session/session.c, added test to
        ext/session/tests/bug72681.phpt.
      + CVE-2016-7125
      [ Fixed in 7.0.10 ]
    - SECURITY UPDATE: denial of service and possible code execution in
      imagegammacorrect function
      + debian/patches/CVE-2016-7127.patch: check gamma values in
        ext/gd/gd.c, added test to ext/gd/tests/bug72730.phpt.
      + CVE-2016-7127
      [ Fixed in 7.0.10 ]
    - SECURITY UPDATE: information disclosure via exif_process_IFD_in_TIFF
      + debian/patches/CVE-2016-7128.patch: properly handle thumbnails in
        ext/exif/exif.c.
      + CVE-2016-7128
      [ Fixed in 7.0.10 ]
    - SECURITY UPDATE: denial of service and possible code execution via
      invalid ISO 8601 time value
      + debian/patches/CVE-2016-7129.patch: properly handle strings in
        ext/wddx/wddx.c, added test to ext/wddx/tests/bug72749.phpt.
      + CVE-2016-7129
      [ Fixed in 7.0.10 ]
    - SECURITY UPDATE: denial of service and possible code execution via
      invalid base64 binary value
      + debian/patches/CVE-2016-7130.patch: properly handle string in
        ext/wddx/wddx.c, added test to ext/wddx/tests/bug72750.phpt.
      + CVE-2016-7130
      [ Fixed in 7.0.10 ]
    - SECURITY UPDATE: denial of service and possible code execution via
      malformed wddxPacket XML document
      + debian/patches/CVE-2016-7131.patch: added checks to
        ext/wddx/wddx.c, added tests to ext/wddx/tests/bug72790.phpt,
        ext/wddx/tests/bug72799.phpt.
      + CVE-2016-7131
      + CVE-2016-7132
      [ Fixed in 7.0.10 ]
    - SECURITY UPDATE: denial of service and possible code execution via long pathname

[ubuntu/xenial-proposed] freshplayerplugin 0.3.4-3ubuntu0.1 (Accepted)
freshplayerplugin (0.3.4-3ubuntu0.1) xenial; urgency=medium

  * d/*.postinst, d/*.preinst, d/*.prerm:
    - Use the same alternative as the adobe-flashplugin package to prevent
      confusion with the NPAPI plugin installed by adobe-flashplugin
      (LP: #1633678). Thanks to Alin Andrei for the solution!
  * d/control:
    - Drop the pepperflashplugin-nonfree recommend.
    - Recommend adobe-flashplugin.
    - Maintainer: Ubuntu Developers.
  * d/rules:
    - Run tests with LC_ALL=C to prevent the build failure reported in LP
      bug 1578252.

Date: Fri, 28 Oct 2016 23:00:00 +0200
Changed-By: Gunnar Hjalmarsson
Maintainer: Ubuntu Developers
Signed-By: Brian Murray
https://launchpad.net/ubuntu/+source/freshplayerplugin/0.3.4-3ubuntu0.1

Format: 1.8
Date: Fri, 28 Oct 2016 23:00:00 +0200
Source: freshplayerplugin
Binary: browser-plugin-freshplayer-pepperflash browser-plugin-freshplayer-libpdf browser-plugin-freshplayer-nacl
Architecture: source
Version: 0.3.4-3ubuntu0.1
Distribution: xenial
Urgency: medium
Maintainer: Ubuntu Developers
Changed-By: Gunnar Hjalmarsson
Description:
 browser-plugin-freshplayer-libpdf - PPAPI-host NPAPI-plugin adapter for libpdf.so from Chrome
 browser-plugin-freshplayer-nacl - PPAPI-host NPAPI-plugin adapter for Native Client from Chrome
 browser-plugin-freshplayer-pepperflash - PPAPI-host NPAPI-plugin adapter for pepperflash
Launchpad-Bugs-Fixed: 1633678
Original-Maintainer: Vincent Danjean

[ubuntu/xenial-proposed] docker.io 1.12.3-0ubuntu4~16.04.1 (Accepted)
docker.io (1.12.3-0ubuntu4~16.04.1) xenial; urgency=medium

  * Backport to Xenial. (LP: #1647376, #1639407)
  * d/control: Remove version from Build-Depends on dh-golang, only required
    in Debian.
  * Install the service file with .install again, fixing service activation
    on install.

Date: Tue, 27 Sep 2016 12:25:38 +1300
Changed-By: Michael Hudson-Doyle
Maintainer: Ubuntu Developers
https://launchpad.net/ubuntu/+source/docker.io/1.12.3-0ubuntu4~16.04.1

Format: 1.8
Date: Tue, 27 Sep 2016 12:25:38 +1300
Source: docker.io
Binary: docker.io vim-syntax-docker golang-github-docker-docker-dev golang-docker-dev docker-doc
Architecture: source
Version: 1.12.3-0ubuntu4~16.04.1
Distribution: xenial
Urgency: medium
Maintainer: Ubuntu Developers
Changed-By: Michael Hudson-Doyle
Description:
 docker-doc - Linux container runtime -- documentation
 docker.io - Linux container runtime
 golang-docker-dev - Transitional package for golang-github-docker-docker-dev
 golang-github-docker-docker-dev - Externally reusable Go packages included with Docker
 vim-syntax-docker - Docker container engine - Vim highlighting syntax files
Launchpad-Bugs-Fixed: 1639407 1647376
Original-Maintainer: Paul Tagliamonte

[ubuntu/xenial-updates] linux-aws_4.4.0-1001.10_amd64.tar.gz - (Accepted)
linux-aws (4.4.0-1001.10) xenial; urgency=low

  * linux - Memory Bandwidth Monitoring regression (LP: #1648088)
    - x86/smp: Fix __max_logical_packages value setup
  * CONFIG_NR_CPUS=256 is too low (LP: #1579205)
    - [Config] Increase the NR_CPUS to 512 for amd64 to support systems with
      a large number of cores.
  * NVMe drives in Amazon AWS instance fail to initialize (LP: #1648449)
    - SAUCE: (no-up) NVMe: only setup MSIX once
  * NVMe driver accidentally reverted to use GSI instead of MSIX
    (LP: #1647887)
    - (fix) NVMe: restore code to always use MSI/MSI-x interrupts
  * Miscellaneous Ubuntu changes
    - Ubuntu-4.4.0-54.75
    - [debian] derive indep_hdrs_pkg_name from src_pkg_name
    - linux-aws packaging
    - SAUCE: tsc: make tsc= default to reliable for AWS
    - SAUCE: tsc: make no_timer_check default to 1 for AWS
    - SAUCE: md/raid6 algorithms: scale test duration for speedier boots
    - SAUCE: Increase the ext4 default commit age
    - SAUCE: reduce ksm-wakeups
    - SAUCE: smpboot: reuse timer calibration
    - [config] disable CONFIG_POWERCAP as AWS does not make use of this
    - SAUCE: silence RAPL
    - [config] disable CONFIG_FUJITSU_ES driver, it is not used by AWS
    - [config] Disable CONFIG_INPUT_LEDS for AWS
    - [config] Disable ATA drivers that AWS does not use
    - [config] AWS: Disable x86 platform drivers where appropriate
    - [config] disable sound for AWS
    - [config] AWS: disable unnecessary ACPI features
    - [config] AWS: Disable joystick drivers
    - [config] AWS: Disable touchscreen drivers
    - [config] AWS: disable CONFIG_MEDIA_RADIO_SUPPORT
    - [config] AWS: Disable Blue Tooth support
    - [config] AWS: disable CONFIG_MEDIA_CAMERA_SUPPORT
    - [config] AWS: disable MEDIA_ANALOG_TV_SUPPORT
    - [config] AWS: disable MEDIA_DIGITAL_TV_SUPPORT
    - [config] AWS: disable MEDIA_RC_SUPPORT
    - [config] AWS: disable MEDIA_SDR_SUPPORT
    - [config] AWS: disable MEDIA_PCI_SUPPORT
    - [config] AWS disable CONFIG_SPEAKUP synth
    - [config] AWS: disable LED support
    - [config] AWS: disable comedi data acquisition support
    - [config] AWS: disable charger configs
    - [config] AWS: disable firewire
    - [config] AWS: disable gameport
    - [config] AWS: disable CONFIG_MOUSE
    - [config] AWS: disable CONFIG_ISDN
    - [config] AWS: disable various misc LCD drivers
    - [config] AWS disable CONFIG_MACINTOSH_DRIVERS
    - [config] AWS: disable CONFIG_PCMCIA
    - [config] AWS: disable misc backlight drivers
    - [config] disable CONFIG_MTD for AWS
    - [config] AWS: disable some battery drivers
    - [config] AWS: disable WLAN wireless
    - [config] AWS: disable WIMAX support
    - [config] AWS: disable Dallas 1 wire support
    - [config] AWS: disable Ultra Wideband devices
    - [config] AWS disable FPGA support
    - SAUCE: import Intel ixgbevf (2.14.2)
    - SAUCE: ixgbevf-2.14.2: replace deprecated smp_mb__before_clear_bit
    - SAUCE: ixgbevf-2.14.2: disable VLAN tagging
    - SAUCE: ixgbevf-2.14.2: Replace deprecated u64_stats _bh calls
    - SAUCE: ixgbevf-2.14.2: fix set_ethtool_ops
    - SAUCE: ixgbevf-2.14.2: Makefile and Kconfig
    - ixgbevf-2.14.2: add support for X550 VFs
    - ixgbevf-2.14.2: add RSS support for X550
    - [config] enable IXGBEVF_2_14_2=m instead of IXGBEVF

Date: Thu, 08 Dec 2016 12:05:21 -0800
Changed-By: Kamal Mostafa
Maintainer: Launchpad Build Daemon

Format: 1.8
Date: Thu, 08 Dec 2016 12:05:21 -0800
Source: linux-aws
Binary: linux-aws-source-4.4.0 linux-aws-headers-4.4.0-1001 linux-aws-tools-common linux-aws-tools-4.4.0-1001 linux-aws-cloud-tools-common linux-aws-cloud-tools-4.4.0-1001 linux-image-4.4.0-1001-aws linux-image-extra-4.4.0-1001-aws linux-headers-4.4.0-1001-aws linux-image-4.4.0-1001-aws-dbgsym linux-tools-4.4.0-1001-aws linux-cloud-tools-4.4.0-1001-aws linux-udebs-aws
Architecture: amd64 all
Version: 4.4.0-1001.10
Distribution: xenial
Urgency: low
Maintainer: Launchpad Build Daemon
Changed-By: Kamal Mostafa
Description:
 linux-aws-cloud-tools-4.4.0-1001 - Linux kernel version specific cloud tools for version 4.4.0-1001
 linux-aws-cloud-tools-common - Linux kernel version specific cloud tools for version 4.4.0
 linux-aws-headers-4.4.0-1001 - Header files related to Linux kernel version 4.4.0
 linux-aws-source-4.4.0 - Linux kernel source for version 4.4.0 with Ubuntu patches
 linux-aws-tools-4.4.0-1001 - Linux kernel version specific tools for version 4.4.0-1001
 linux-aws-tools-common - Linux kernel version specific tools for version 4.4.0
 linux-cloud-tools-4.4.0-1001-aws - Linux kernel version specific cloud tools for version 4.4.0-1001
 linux-headers-4.4.0-1001-aws - Linux kernel headers for version 4.4.0 on 64 bit x86 SMP
 linux-image-4.4.0-1001-aws - Linux kernel image for version 4.4.0 on 64 bit x86 SMP
 linux-image-4.4.0-1001-aws-dbgsym - Linux kernel debug image for version 4.4.0 on 64 bit x86 SMP
 linux-image-extra-4.4.0-1001-aws - Linux kernel extra mo