[ubuntu/xenial-updates] python-apt 1.1.0~beta1ubuntu0.16.04.8 (Accepted)
python-apt (1.1.0~beta1ubuntu0.16.04.8) xenial-security; urgency=medium

  * SECURITY REGRESSION: crash with ubuntu-release-upgrader (LP: #1860606)
    - apt/cache.py: make allow_unauthenticated argument to fetch_archives()
      optional.

Date: 2020-01-22 22:22:13.688492+00:00
Changed-By: Marc Deslauriers
Signed-By: Ubuntu Archive Robot
https://launchpad.net/ubuntu/+source/python-apt/1.1.0~beta1ubuntu0.16.04.8
Sorry, changesfile not available.

-- 
Xenial-changes mailing list
Xenial-changes@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/xenial-changes
[ubuntu/xenial-security] python-apt 1.1.0~beta1ubuntu0.16.04.8 (Accepted)
python-apt (1.1.0~beta1ubuntu0.16.04.8) xenial-security; urgency=medium

  * SECURITY REGRESSION: crash with ubuntu-release-upgrader (LP: #1860606)
    - apt/cache.py: make allow_unauthenticated argument to fetch_archives()
      optional.

Date: 2020-01-22 22:22:13.688492+00:00
Changed-By: Marc Deslauriers
https://launchpad.net/ubuntu/+source/python-apt/1.1.0~beta1ubuntu0.16.04.8
Sorry, changesfile not available.
[ubuntu/xenial-updates] graphicsmagick 1.3.23-1ubuntu0.5 (Accepted)
graphicsmagick (1.3.23-1ubuntu0.5) xenial-security; urgency=medium

  * SECURITY UPDATE: DoS in ReadWPGImage()
    - debian/patches/CVE-2017-16545.patch: Assure that colormapped image is a
      PseudoClass type with valid colormapped indexes.
    - CVE-2017-16545
  * SECURITY UPDATE: DoS (negative strncpy) in DrawImage()
    - debian/patches/CVE-2017-16547.patch: Fix pointer computation which leads
      to large strncpy size request and bad array index.
    - CVE-2017-16547
  * SECURITY UPDATE: Heap-based buffer overflow in coders/wpg.c
    - debian/patches/CVE-2017-16669-1.patch: Do not call SyncImagePixels()
      when something fails.
    - debian/patches/CVE-2017-16669-2.patch: Wrong row count checking.
    - debian/patches/CVE-2017-16669-3.patch: Detect pending use of null
      indexes pointer due to programming error and report it.
    - debian/patches/CVE-2017-16669-4.patch: Fix crash when image fails to
      produce expected PseudoClass indexes.
    - debian/patches/CVE-2017-16669-5.patch: Check for InsertRow() return
      value.
    - debian/patches/CVE-2017-16669-6.patch: Check InsertRow() return value
      for all calls.
    - CVE-2017-16669
  * SECURITY UPDATE: Heap-based buffer overflow in WritePNMImage()
    - debian/patches/CVE-2017-17498.patch: Fix buffer overflow when writing
      gray+alpha 1-bit/sample.
    - CVE-2017-17498
  * SECURITY UPDATE: Heap-based buffer over-read in ReadRGBImage()
    - debian/patches/CVE-2017-17500.patch: Fix heap-overflow due to tile
      outside image bounds.
    - CVE-2017-17500
  * SECURITY UPDATE: Heap-based buffer over-read in WriteOnePNGImage()
    - debian/patches/CVE-2017-17501.patch: Fix heap read overrun while
      testing pixels for opacity.
    - CVE-2017-17501
  * SECURITY UPDATE: Heap-based buffer over-read in ReadCMYKImage()
    - debian/patches/CVE-2017-17502.patch: Fix heap-overflow due to tile
      outside image bounds.
    - CVE-2017-17502
  * SECURITY UPDATE: Heap-based buffer over-read in ReadGRAYImage()
    - debian/patches/CVE-2017-17503.patch: Fix heap-overflow due to tile
      outside image bounds.
    - CVE-2017-17503
  * SECURITY UPDATE: Heap-based buffer over-read in ReadOneJNGImage()
    - debian/patches/CVE-2017-17782.patch: Fix wrong offset into oFFs chunk
      which caused heap read overflow.
    - CVE-2017-17782
  * SECURITY UPDATE: Buffer over-read in ReadPALMImage()
    - debian/patches/CVE-2017-17783.patch: Fix heap buffer overflow in Q8
      build while initializing color palette.
    - CVE-2017-17783

Date: 2020-01-22 16:40:19.357787+00:00
Changed-By: Eduardo dos Santos Barretto
Signed-By: Ubuntu Archive Robot
https://launchpad.net/ubuntu/+source/graphicsmagick/1.3.23-1ubuntu0.5
Sorry, changesfile not available.
[ubuntu/xenial-security] graphicsmagick 1.3.23-1ubuntu0.5 (Accepted)
graphicsmagick (1.3.23-1ubuntu0.5) xenial-security; urgency=medium

  * SECURITY UPDATE: DoS in ReadWPGImage()
    - debian/patches/CVE-2017-16545.patch: Assure that colormapped image is a
      PseudoClass type with valid colormapped indexes.
    - CVE-2017-16545
  * SECURITY UPDATE: DoS (negative strncpy) in DrawImage()
    - debian/patches/CVE-2017-16547.patch: Fix pointer computation which leads
      to large strncpy size request and bad array index.
    - CVE-2017-16547
  * SECURITY UPDATE: Heap-based buffer overflow in coders/wpg.c
    - debian/patches/CVE-2017-16669-1.patch: Do not call SyncImagePixels()
      when something fails.
    - debian/patches/CVE-2017-16669-2.patch: Wrong row count checking.
    - debian/patches/CVE-2017-16669-3.patch: Detect pending use of null
      indexes pointer due to programming error and report it.
    - debian/patches/CVE-2017-16669-4.patch: Fix crash when image fails to
      produce expected PseudoClass indexes.
    - debian/patches/CVE-2017-16669-5.patch: Check for InsertRow() return
      value.
    - debian/patches/CVE-2017-16669-6.patch: Check InsertRow() return value
      for all calls.
    - CVE-2017-16669
  * SECURITY UPDATE: Heap-based buffer overflow in WritePNMImage()
    - debian/patches/CVE-2017-17498.patch: Fix buffer overflow when writing
      gray+alpha 1-bit/sample.
    - CVE-2017-17498
  * SECURITY UPDATE: Heap-based buffer over-read in ReadRGBImage()
    - debian/patches/CVE-2017-17500.patch: Fix heap-overflow due to tile
      outside image bounds.
    - CVE-2017-17500
  * SECURITY UPDATE: Heap-based buffer over-read in WriteOnePNGImage()
    - debian/patches/CVE-2017-17501.patch: Fix heap read overrun while
      testing pixels for opacity.
    - CVE-2017-17501
  * SECURITY UPDATE: Heap-based buffer over-read in ReadCMYKImage()
    - debian/patches/CVE-2017-17502.patch: Fix heap-overflow due to tile
      outside image bounds.
    - CVE-2017-17502
  * SECURITY UPDATE: Heap-based buffer over-read in ReadGRAYImage()
    - debian/patches/CVE-2017-17503.patch: Fix heap-overflow due to tile
      outside image bounds.
    - CVE-2017-17503
  * SECURITY UPDATE: Heap-based buffer over-read in ReadOneJNGImage()
    - debian/patches/CVE-2017-17782.patch: Fix wrong offset into oFFs chunk
      which caused heap read overflow.
    - CVE-2017-17782
  * SECURITY UPDATE: Buffer over-read in ReadPALMImage()
    - debian/patches/CVE-2017-17783.patch: Fix heap buffer overflow in Q8
      build while initializing color palette.
    - CVE-2017-17783

Date: 2020-01-22 16:40:19.357787+00:00
Changed-By: Eduardo dos Santos Barretto
https://launchpad.net/ubuntu/+source/graphicsmagick/1.3.23-1ubuntu0.5
Sorry, changesfile not available.
[ubuntu/xenial-updates] python-apt 1.1.0~beta1ubuntu0.16.04.7 (Accepted)
python-apt (1.1.0~beta1ubuntu0.16.04.7) xenial-security; urgency=medium

  * SECURITY UPDATE: Check that repository is trusted before downloading
    files from it (LP: #1858973)
    - apt/cache.py: Add checks to fetch_archives() and commit()
    - apt/package.py: Add checks to fetch_binary() and fetch_source()
    - CVE-2019-15796
  * SECURITY UPDATE: Do not use MD5 for verifying downloads (Closes: #944696)
    (LP: #1858972)
    - apt/package.py: Use all hashes when fetching packages, and check that
      we have trusted hashes when downloading
    - CVE-2019-15795
  * To work around the new checks, the parameter allow_unauthenticated=True
    can be passed to the functions. It defaults to the value of the
    APT::Get::AllowUnauthenticated option.
    - Bump Breaks aptdaemon (<< 1.1.1+bzr982-0ubuntu14.2), as it will have to
      set that parameter after having done validation.
  * Necessary backports:
    - turn elements in apt_pkg.SourceRecords.files into a class, rather than
      a tuple (w/ legacy compat), so we can get to their hashes
    - add apt_pkg.HashStringList
    - add apt_pkg.Hashes.hashes
  * Automatic changes and fixes for external regressions:
    - Adjustments to test suite and CI to fix CI regressions
    - Automatic mirror list update

Date: 2020-01-16 15:25:21.578157+00:00
Changed-By: Julian Andres Klode
Signed-By: Ubuntu Archive Robot
https://launchpad.net/ubuntu/+source/python-apt/1.1.0~beta1ubuntu0.16.04.7
Sorry, changesfile not available.
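The checks this entry describes (trusted origin before download, verify every index hash and refuse to rely on MD5 alone, and an allow_unauthenticated parameter that falls back to APT::Get::AllowUnauthenticated), together with the optional-parameter regression fix in 1.1.0~beta1ubuntu0.16.04.8 above, modelled as a self-contained Python example added here. This is not python-apt's own code and does not import the real apt or apt_pkg modules; ArchiveVersion, AptConfig, make_version and verify_download are names invented for the example, the sample ".deb" bytes are constructed, and treating only SHA-256/SHA-512 as trusted digests is an assumption made to keep the example short.

```python
import hashlib
from dataclasses import dataclass

# Added example modelling the python-apt 0.16.04.7/0.16.04.8 behaviour.
# Not python-apt's code: every name below is an assumption for this example.

# Assumption: only these digests are strong enough to authenticate a download.
TRUSTED_ALGOS = frozenset({"sha256", "sha512"})


class UntrustedError(Exception):
    """The download cannot be authenticated (untrusted origin or weak hashes)."""


class HashMismatchError(Exception):
    """The downloaded bytes do not match a hash recorded in the index."""


@dataclass
class AptConfig:
    """Stand-in for the APT::Get::AllowUnauthenticated option."""
    allow_unauthenticated: bool = False


@dataclass
class ArchiveVersion:
    """One package version as listed in a Packages index (constructed)."""
    package: str
    hashes: dict    # algorithm name -> expected hex digest
    trusted: bool   # True if the origin is signed with a trusted key


def make_version(package, data, algos, trusted):
    """Fixture helper: an ArchiveVersion whose hashes describe `data`."""
    digests = {a: hashlib.new(a, data).hexdigest() for a in algos}
    return ArchiveVersion(package=package, hashes=digests, trusted=trusted)


def verify_download(version, data, allow_unauthenticated=None, config=None):
    """Model of the checks added to fetch_binary()/fetch_archives().

    allow_unauthenticated is optional: None means "use the configured
    APT::Get::AllowUnauthenticated value", which is the default the
    0.16.04.8 regression fix restored so older callers do not crash.
    Returns True when the download is acceptable, raises otherwise.
    """
    if config is None:
        config = AptConfig()
    if allow_unauthenticated is None:
        allow_unauthenticated = config.allow_unauthenticated

    if not allow_unauthenticated:
        # CVE-2019-15796: the repository itself must be trusted.
        if not version.trusted:
            raise UntrustedError(f"{version.package}: untrusted repository")
        # CVE-2019-15795: an index carrying only MD5/SHA1 cannot authenticate
        # the file even when those digests match.
        if not TRUSTED_ALGOS.intersection(version.hashes):
            raise UntrustedError(f"{version.package}: no trusted hash in index")

    # Verify every digest the index provides, not just the first one.
    for algo, expected in version.hashes.items():
        actual = hashlib.new(algo, data).hexdigest()
        if actual != expected:
            raise HashMismatchError(f"{version.package}: {algo} mismatch")
    return True


def demo():
    """Exercise the scenarios from the changelog; returns outcome -> bool."""
    data = b"constructed stand-in for the bytes of a .deb file"
    strong = make_version("python-apt", data, ("sha256", "md5"), trusted=True)
    md5_only = make_version("python-apt", data, ("md5",), trusted=True)
    untrusted = make_version("python-apt", data, ("sha256",), trusted=False)

    def rejected(exc, *args, **kwargs):
        try:
            verify_download(*args, **kwargs)
        except exc:
            return True
        return False

    return {
        "strong_hash_ok": verify_download(strong, data),
        "md5_only_rejected": rejected(UntrustedError, md5_only, data),
        "md5_only_allowed_by_flag": verify_download(
            md5_only, data, allow_unauthenticated=True),
        "untrusted_origin_rejected": rejected(UntrustedError, untrusted, data),
        "untrusted_origin_allowed_by_config": verify_download(
            untrusted, data, config=AptConfig(allow_unauthenticated=True)),
        "tampered_rejected": rejected(HashMismatchError, strong, data + b"!"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:38s} {'ok' if ok else 'FAIL'}")
```

The point the aptdaemon Breaks bump makes is visible in verify_download: a caller that has done its own validation must pass allow_unauthenticated=True explicitly, because the default now inherits the (normally false) APT option instead of silently accepting the download.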
[ubuntu/xenial-updates] aptdaemon 1.1.1+bzr982-0ubuntu14.2 (Accepted)
aptdaemon (1.1.1+bzr982-0ubuntu14.2) xenial-security; urgency=medium

  * Fix compatibility with python-apt security update (LP: #1858973)

Date: 2020-01-16 13:45:20.513502+00:00
Changed-By: Marc Deslauriers
Signed-By: Ubuntu Archive Robot
https://launchpad.net/ubuntu/+source/aptdaemon/1.1.1+bzr982-0ubuntu14.2
Sorry, changesfile not available.
[ubuntu/xenial-security] python-apt 1.1.0~beta1ubuntu0.16.04.7 (Accepted)
python-apt (1.1.0~beta1ubuntu0.16.04.7) xenial-security; urgency=medium

  * SECURITY UPDATE: Check that repository is trusted before downloading
    files from it (LP: #1858973)
    - apt/cache.py: Add checks to fetch_archives() and commit()
    - apt/package.py: Add checks to fetch_binary() and fetch_source()
    - CVE-2019-15796
  * SECURITY UPDATE: Do not use MD5 for verifying downloads (Closes: #944696)
    (LP: #1858972)
    - apt/package.py: Use all hashes when fetching packages, and check that
      we have trusted hashes when downloading
    - CVE-2019-15795
  * To work around the new checks, the parameter allow_unauthenticated=True
    can be passed to the functions. It defaults to the value of the
    APT::Get::AllowUnauthenticated option.
    - Bump Breaks aptdaemon (<< 1.1.1+bzr982-0ubuntu14.2), as it will have to
      set that parameter after having done validation.
  * Necessary backports:
    - turn elements in apt_pkg.SourceRecords.files into a class, rather than
      a tuple (w/ legacy compat), so we can get to their hashes
    - add apt_pkg.HashStringList
    - add apt_pkg.Hashes.hashes
  * Automatic changes and fixes for external regressions:
    - Adjustments to test suite and CI to fix CI regressions
    - Automatic mirror list update

Date: 2020-01-16 15:25:21.578157+00:00
Changed-By: Julian Andres Klode
Signed-By: Marc Deslauriers
https://launchpad.net/ubuntu/+source/python-apt/1.1.0~beta1ubuntu0.16.04.7
Sorry, changesfile not available.
[ubuntu/xenial-security] aptdaemon 1.1.1+bzr982-0ubuntu14.2 (Accepted)
aptdaemon (1.1.1+bzr982-0ubuntu14.2) xenial-security; urgency=medium

  * Fix compatibility with python-apt security update (LP: #1858973)

Date: 2020-01-16 13:45:20.513502+00:00
Changed-By: Marc Deslauriers
https://launchpad.net/ubuntu/+source/aptdaemon/1.1.1+bzr982-0ubuntu14.2
Sorry, changesfile not available.
[ubuntu/xenial-updates] zlib 1:1.2.8.dfsg-2ubuntu4.3 (Accepted)
zlib (1:1.2.8.dfsg-2ubuntu4.3) xenial-security; urgency=medium

  * SECURITY UPDATE: improper pointer arithmetic might allow
    context-dependent attackers to have unspecified impact
    - debian/patches/CVE-2016-9840.patch: remove offset pointer optimization
      in inftrees.c
    - CVE-2016-9840
  * SECURITY UPDATE: improper pointer arithmetic might allow
    context-dependent attackers to have unspecified impact
    - debian/patches/CVE-2016-9841.patch: use post-increment only in
      inffast.c
    - CVE-2016-9841
  * SECURITY UPDATE: vectors involving left shifts of negative integers might
    allow context-dependent attackers to have unspecified impact
    - debian/patches/CVE-2016-9842_1.patch: avoid shifts of negative values
      in inflateMark()
    - debian/patches/CVE-2016-9842_2.patch: avoid casting an out-of-range
      value to long
    - CVE-2016-9842
  * SECURITY UPDATE: vectors involving big-endian CRC calculation might allow
    context-dependent attackers to have unspecified impact
    - debian/patches/CVE-2016-9843.patch: avoid pre-decrement of pointer in
      big-endian CRC calculation
    - CVE-2016-9843

Date: 2020-01-21 19:12:14.485405+00:00
Changed-By: Avital Ostromich
Signed-By: Ubuntu Archive Robot
https://launchpad.net/ubuntu/+source/zlib/1:1.2.8.dfsg-2ubuntu4.3
Sorry, changesfile not available.
[ubuntu/xenial-security] zlib 1:1.2.8.dfsg-2ubuntu4.3 (Accepted)
zlib (1:1.2.8.dfsg-2ubuntu4.3) xenial-security; urgency=medium

  * SECURITY UPDATE: improper pointer arithmetic might allow
    context-dependent attackers to have unspecified impact
    - debian/patches/CVE-2016-9840.patch: remove offset pointer optimization
      in inftrees.c
    - CVE-2016-9840
  * SECURITY UPDATE: improper pointer arithmetic might allow
    context-dependent attackers to have unspecified impact
    - debian/patches/CVE-2016-9841.patch: use post-increment only in
      inffast.c
    - CVE-2016-9841
  * SECURITY UPDATE: vectors involving left shifts of negative integers might
    allow context-dependent attackers to have unspecified impact
    - debian/patches/CVE-2016-9842_1.patch: avoid shifts of negative values
      in inflateMark()
    - debian/patches/CVE-2016-9842_2.patch: avoid casting an out-of-range
      value to long
    - CVE-2016-9842
  * SECURITY UPDATE: vectors involving big-endian CRC calculation might allow
    context-dependent attackers to have unspecified impact
    - debian/patches/CVE-2016-9843.patch: avoid pre-decrement of pointer in
      big-endian CRC calculation
    - CVE-2016-9843

Date: 2020-01-21 19:12:14.485405+00:00
Changed-By: Avital Ostromich
https://launchpad.net/ubuntu/+source/zlib/1:1.2.8.dfsg-2ubuntu4.3
Sorry, changesfile not available.