[ubuntu/xenial-updates] apparmor 2.10.95-0ubuntu2.12 (Accepted)

2023-07-02 Thread Ubuntu Archive Robot
apparmor (2.10.95-0ubuntu2.12) xenial-security; urgency=medium

  * debian/lib/apparmor/functions: remove support for loading snapd
    generated profiles in /var/lib/snapd/apparmor/profiles as these are
    handled by snapd.apparmor.service (LP: #2024637)

Date: 2023-06-29 11:24:15.463611+00:00
Changed-By: Alex Murray 
Signed-By: Ubuntu Archive Robot 
https://launchpad.net/ubuntu/+source/apparmor/2.10.95-0ubuntu2.12
Sorry, changesfile not available.
-- 
Xenial-changes mailing list
Xenial-changes@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/xenial-changes


[ubuntu/xenial-updates] amanda 1:3.3.6-4.1ubuntu0.1+actuallyesm2 (Accepted)

2023-03-23 Thread Ubuntu Archive Robot
amanda (1:3.3.6-4.1ubuntu0.1+actuallyesm2) xenial-security; urgency=medium

  * SECURITY REGRESSION: Remove all patches from version 1:3.3.6-4.1ubuntu0.1
    restoring the package to the state of 1:3.3.6-4.1. (LP: #2012536)

Date: 2023-03-24 02:36:14.875953+00:00
Changed-By: David Lane 
Signed-By: Ubuntu Archive Robot 
https://launchpad.net/ubuntu/+source/amanda/1:3.3.6-4.1ubuntu0.1+actuallyesm2


[ubuntu/xenial-updates] amanda 1:3.3.6-4.1ubuntu0.1 (Accepted)

2023-03-21 Thread Ubuntu Archive Robot
amanda (1:3.3.6-4.1ubuntu0.1) xenial-security; urgency=medium

  * SECURITY UPDATE: information leak calcsize SUID binary
    - d/p/56-fix-CVE-2022-37703: remove perror call disclosing potentially
      privileged information
    - CVE-2022-37703
  * SECURITY UPDATE: privilege escalation via rundump SUID binary
    - d/p/50-fix-CVE-2022-37704: add option validation
    - d/p/52-fix-CVE-2022-37704_part_2-backport: filter RSH env variable
    - CVE-2022-37704
  * SECURITY UPDATE: privilege escalation via runtar SUID binary
    - d/p/48-fix-CVE-2022-37705-backport: fix option parsing
    - CVE-2022-37705

Date: 2023-03-19 23:23:13.386586+00:00
Changed-By: David Lane 
Signed-By: Ubuntu Archive Robot 
https://launchpad.net/ubuntu/+source/amanda/1:3.3.6-4.1ubuntu0.1


[ubuntu/xenial-updates] containerd 1.2.6-0ubuntu1~16.04.6+esm1 (Accepted)

2022-03-02 Thread Ubuntu Archive Robot
containerd (1.2.6-0ubuntu1~16.04.6+esm1) xenial-security; urgency=medium

  * SECURITY UPDATE: Insecure handling of image volumes
    - debian/patches/CVE-2022-23648.patch: Use fs.RootPath when mounting
      volumes.
    - debian/patches/update_cri_to_release_1_4.patch: Update CRI to 1.4.
    - CVE-2022-23648

Date: 2022-02-25 20:45:10.576240+00:00
Changed-By: Paulo Flabiano Smorigo 
Signed-By: Ubuntu Archive Robot 
https://launchpad.net/ubuntu/+source/containerd/1.2.6-0ubuntu1~16.04.6+esm1


[ubuntu/xenial-updates] intel-microcode 3.20210216.0ubuntu0.16.04.1 (Accepted)

2021-05-17 Thread Ubuntu Archive Robot
intel-microcode (3.20210216.0ubuntu0.16.04.1) xenial-security; urgency=medium

  * SECURITY UPDATE: New upstream microcode datafile 2021-02-16 (LP: #1927911)
    + Updated Microcodes:
      sig 0x00050654, pf_mask 0xb7, 2020-12-31, rev 0x2006a0a, size 36864
      sig 0x00050656, pf_mask 0xbf, 2020-12-31, rev 0x4003006, size 53248
      sig 0x00050657, pf_mask 0xbf, 2020-12-31, rev 0x5003006, size 53248
      sig 0x000706a1, pf_mask 0x01, 2020-06-09, rev 0x0034, size 74752
    - CVE-2020-8695 RAPL, INTEL-TA-00389
    - CVE-2020-8696 Vector Register Leakage-Active, INTEL-TA-00381
    - CVE-2020-8698 Fast forward store predictor, INTEL-TA-00381

Date: 2021-05-14 08:13:19.180896+00:00
Changed-By: Alex Murray 
Signed-By: Ubuntu Archive Robot 
https://launchpad.net/ubuntu/+source/intel-microcode/3.20210216.0ubuntu0.16.04.1


[ubuntu/xenial-updates] sbsigntool 0.6-0ubuntu10.2 (Accepted)

2021-05-14 Thread Ubuntu Archive Robot
sbsigntool (0.6-0ubuntu10.2) xenial-security; urgency=medium

  * No-change re-build upload for xenial-security, in support of landing
    shim 15.4 or newer in xenial-security (LP: #1921134)

Date: 2021-05-14 18:50:10.105390+00:00
Changed-By: Steve Beattie 
Signed-By: Ubuntu Archive Robot 
https://launchpad.net/ubuntu/+source/sbsigntool/0.6-0ubuntu10.2


[ubuntu/xenial-updates] glibc 2.23-0ubuntu11.3 (Accepted)

2021-05-13 Thread Ubuntu Archive Robot
glibc (2.23-0ubuntu11.3) xenial-security; urgency=medium

  * SECURITY UPDATE: DoS via regular expression
    - debian/patches/CVE-2009-5155.patch: diagnose invalid back-reference
      in posix/regcomp.c, remove invalid test in posix/PCRE.tests.
    - CVE-2009-5155
  * SECURITY UPDATE: signed comparison vulnerability exists in ARM memcpy
    - debian/patches/CVE-2020-6096-1.patch: fix multiarch memcpy for
      negative length in sysdeps/arm/armv7/multiarch/memcpy_impl.S.
    - debian/patches/CVE-2020-6096-2.patch: fix memcpy and memmove for
      negative length in sysdeps/arm/memcpy.S, sysdeps/arm/memmove.S.
    - CVE-2020-6096

Date: 2021-04-21 17:21:09.688651+00:00
Changed-By: Marc Deslauriers 
Signed-By: Ubuntu Archive Robot 
https://launchpad.net/ubuntu/+source/glibc/2.23-0ubuntu11.3


[ubuntu/xenial-updates] samba 2:4.3.11+dfsg-0ubuntu0.16.04.34 (Accepted)

2021-04-29 Thread Ubuntu Archive Robot
samba (2:4.3.11+dfsg-0ubuntu0.16.04.34) xenial-security; urgency=medium

  * SECURITY UPDATE: wrong group entries via negative idmap cache entries
    - debian/patches/CVE-2021-20254.patch: Simplify sids_to_unixids() in
      source3/passdb/lookup_sid.c.
    - CVE-2021-20254

Date: 2021-04-14 15:44:09.356509+00:00
Changed-By: Marc Deslauriers 
Signed-By: Ubuntu Archive Robot 
https://launchpad.net/ubuntu/+source/samba/2:4.3.11+dfsg-0ubuntu0.16.04.34


[ubuntu/xenial-updates] bind9 1:9.10.3.dfsg.P4-8ubuntu1.19 (Accepted)

2021-04-29 Thread Ubuntu Archive Robot
bind9 (1:9.10.3.dfsg.P4-8ubuntu1.19) xenial-security; urgency=medium

  * SECURITY UPDATE: DoS via broken inbound incremental zone update (IXFR)
    - debian/patches/CVE-2021-25214.patch: immediately reject the entire
      transfer for certain RR in lib/dns/xfrin.c.
    - CVE-2021-25214
  * SECURITY UPDATE: assert via answering certain queries for DNAME records
    - debian/patches/CVE-2021-25215.patch: fix assert checks in
      lib/ns/query.c.
    - CVE-2021-25215
  * SECURITY UPDATE: overflow in BIND's GSSAPI security policy negotiation
    - debian/rules: build with --disable-isc-spnego to disable internal
      SPNEGO and use the one from the kerberos libraries.
    - CVE-2021-25216

Date: 2021-04-27 12:42:09.601120+00:00
Changed-By: Marc Deslauriers 
Signed-By: Ubuntu Archive Robot 
https://launchpad.net/ubuntu/+source/bind9/1:9.10.3.dfsg.P4-8ubuntu1.19


[ubuntu/xenial-updates] gst-plugins-good1.0 1.8.3-1ubuntu0.5 (Accepted)

2021-04-28 Thread Ubuntu Archive Robot
gst-plugins-good1.0 (1.8.3-1ubuntu0.5) xenial-security; urgency=medium

  * SECURITY UPDATE: Use after free
    - debian/patches/CVE-2021-3497.patch: Fix extraction of multichannel WavPack
      in gst/matroska/matroska-demux.c, gst/matroska/matroska-ids.h.
    - CVE-2021-3497

Date: 2021-04-16 12:37:09.127394+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
Signed-By: Ubuntu Archive Robot 
https://launchpad.net/ubuntu/+source/gst-plugins-good1.0/1.8.3-1ubuntu0.5


[ubuntu/xenial-updates] openjdk-8 8u292-b10-0ubuntu1~16.04.1 (Accepted)

2021-04-27 Thread Ubuntu Archive Robot
openjdk-8 (8u292-b10-0ubuntu1~16.04.1) xenial-security; urgency=medium

  * Backport the security update to 16.04 LTS.

openjdk-8 (8u292-b10-0ubuntu1) hirsute; urgency=medium

  * Update to 8u292-b10 (GA).
  * Security fixes
    - JDK-8227467: Better class method invocations
    - JDK-8244473: Contextualize registration for JNDI
    - JDK-8244543: Enhanced handling of abstract classes
    - JDK-8249906, CVE-2021-2163: Enhance opening JARs
    - JDK-8250568, CVE-2021-2161: Less ambiguous processing
    - JDK-8253799: Make lists of normal filenames
  * Other changes:
    See https://mail.openjdk.java.net/pipermail/jdk8u-dev/2021-April/013680.html

openjdk-8 (8u282-b08-0ubuntu1) hirsute; urgency=medium

  * Update to 8u282-b08 (GA).
  * Update AArch64 hotspot to 8u282-b07 and AArch32 hotspot to 8u282-b07.

Date: 2021-04-21 12:15:14.928296+00:00
Changed-By: Matthias Klose 
Signed-By: Ubuntu Archive Robot 
https://launchpad.net/ubuntu/+source/openjdk-8/8u292-b10-0ubuntu1~16.04.1


[ubuntu/xenial-updates] file-roller 3.16.5-0ubuntu1.5 (Accepted)

2021-04-26 Thread Ubuntu Archive Robot
file-roller (3.16.5-0ubuntu1.5) xenial-security; urgency=medium

  * SECURITY UPDATE: Directory Traversal
    - debian/patches/CVE-2020-36314.patch: skip files with symlinks in
      parents in src/fr-archive-libarchive.c.
    - CVE-2020-36314

Date: 2021-04-12 13:41:23.797605+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
Signed-By: Ubuntu Archive Robot 
https://launchpad.net/ubuntu/+source/file-roller/3.16.5-0ubuntu1.5


[ubuntu/xenial-updates] firefox 88.0+build2-0ubuntu0.16.04.1 (Accepted)

2021-04-26 Thread Ubuntu Archive Robot
firefox (88.0+build2-0ubuntu0.16.04.1) xenial; urgency=medium

  * New upstream release (88.0+build2)

  [ Olivier Tilloy ]
  * Re-enable and update debian/patches/unity-menubar.patch
  * On armhf, override the UA string used by an autopkgtest to prevent Google
    from serving mobile content, which would break the test's expectations
    (LP: #1923090)
    - debian/tests/search-engines

  [ Rico Tzschichholz ]
  * Update cbindgen to 0.19.0
    - debian/build/create-tarball.py
  * Use clang 12 if available
    - debian/control{,.in}
    - debian/build/rules.mk
  * Update patches
    - debian/patches/rust-drop-dll-checksums.patch
    - debian/patches/python3-remove-fstrings.patch
    - debian/patches/python3-remove-variable-annotations.patch
  * Pass NASM only on supported archs
    - debian/config/mozconfig.in

Date: 2021-04-16 13:46:14.366335+00:00
Changed-By: Olivier Tilloy 
Signed-By: Ubuntu Archive Robot 
https://launchpad.net/ubuntu/+source/firefox/88.0+build2-0ubuntu0.16.04.1


[ubuntu/xenial-updates] dnsmasq 2.75-1ubuntu0.16.04.10 (Accepted)

2021-04-22 Thread Ubuntu Archive Robot
dnsmasq (2.75-1ubuntu0.16.04.10) xenial-security; urgency=medium

  * SECURITY UPDATE: Multiple security issues
    - CVE-2017-15107: wildcard NSEC records interpretation issue
      + 4fe6744a220eddd3f1749b40cac3dfc510787de6
      + cd7df612b14ec1bf831a966ccaf076be0dae7404
    - CVE-2019-14513: DoS via improper bounds checking
      + d3a8b39c7df2f0debf3b5f274a1c37a9e261f94e

Date: 2021-04-22 15:10:10.104216+00:00
Changed-By: Marc Deslauriers 
Signed-By: Ubuntu Archive Robot 
https://launchpad.net/ubuntu/+source/dnsmasq/2.75-1ubuntu0.16.04.10


[ubuntu/xenial-updates] distro-info 0.14ubuntu0.2 (Accepted)

2021-04-21 Thread Ubuntu Archive Robot
distro-info (0.14ubuntu0.2) xenial-security; urgency=medium

  * No-change rebuild to fix instability in xenial-security (LP: #1925383)

Date: 2021-04-21 19:03:09.822963+00:00
Changed-By: Avital Ostromich 
Signed-By: Ubuntu Archive Robot 
https://launchpad.net/ubuntu/+source/distro-info/0.14ubuntu0.2


[ubuntu/xenial-updates] chromium-browser 90.0.4430.72-0ubuntu0.16.04.1 (Accepted)

2021-04-20 Thread Ubuntu Archive Robot
chromium-browser (90.0.4430.72-0ubuntu0.16.04.1) xenial; urgency=medium

  * Upstream release: 90.0.4430.72
    - CVE-2021-21201: Use after free in permissions.
    - CVE-2021-21202: Use after free in extensions.
    - CVE-2021-21203: Use after free in Blink.
    - CVE-2021-21204: Use after free in Blink.
    - CVE-2021-21205: Insufficient policy enforcement in navigation.
    - CVE-2021-21221: Insufficient validation of untrusted input in Mojo.
    - CVE-2021-21207: Use after free in IndexedDB.
    - CVE-2021-21208: Insufficient data validation in QR scanner.
    - CVE-2021-21209: Inappropriate implementation in storage.
    - CVE-2021-21210: Inappropriate implementation in Network.
    - CVE-2021-21211: Inappropriate implementation in Navigation.
    - CVE-2021-21212: Incorrect security UI in Network Config UI.
    - CVE-2021-21213: Use after free in WebMIDI.
    - CVE-2021-21214: Use after free in Network API.
    - CVE-2021-21215: Inappropriate implementation in Autofill.
    - CVE-2021-21216: Inappropriate implementation in Autofill.
    - CVE-2021-21217: Uninitialized Use in PDFium.
    - CVE-2021-21218: Uninitialized Use in PDFium.
    - CVE-2021-21219: Uninitialized Use in PDFium.
  * debian/patches/blink-animation-old-clang-compatibility.patch: added
  * debian/patches/configuration-directory.patch: refreshed
  * debian/patches/define__libc_malloc.patch: refreshed
  * debian/patches/disable-sse2: removed, no longer needed
  * debian/patches/evdev-undefined-switch.patch: added
  * debian/patches/fix-c++17ism.patch: refreshed
  * debian/patches/gtk-symbols-conditional.patch: refreshed
  * debian/patches/import-missing-fcntl-defines.patch: updated
  * debian/patches/libaom-armhf-build-cpudetect.patch: added
  * debian/patches/revert-getrandom.patch: refreshed
  * debian/patches/revert-sequence-checker-capability-name.patch: refreshed
  * debian/patches/search-credit.patch: refreshed
  * debian/patches/set-rpath-on-chromium-executables.patch: refreshed
  * debian/patches/suppress-newer-clang-warning-flags.patch: refreshed
  * debian/patches/title-bar-default-system.patch-v35: refreshed
  * debian/patches/use-clang-versioned.patch: refreshed
  * debian/patches/wayland-scanner-add-missing-include.patch: refreshed
  * debian/patches/widevine-enable-version-string.patch: refreshed
  * debian/patches/widevine-other-locations: refreshed

chromium-browser (89.0.4389.128-0ubuntu0.16.04.1) xenial; urgency=medium

  * Upstream release: 89.0.4389.128
    - CVE-2021-21206: Use after free in Blink.
    - CVE-2021-21220: Insufficient validation of untrusted input in V8 for
      x86_64.

chromium-browser (89.0.4389.114-0ubuntu0.16.04.1) xenial; urgency=medium

  * Upstream release: 89.0.4389.114
    - CVE-2021-21194: Use after free in screen capture.
    - CVE-2021-21195: Use after free in V8.
    - CVE-2021-21196: Heap buffer overflow in TabStrip.
    - CVE-2021-21197: Heap buffer overflow in TabStrip.
    - CVE-2021-21198: Out of bounds read in IPC.
    - CVE-2021-21199: Use after free in Aura.

Date: 2021-04-15 10:29:09.260570+00:00
Changed-By: Olivier Tilloy 
Signed-By: Ubuntu Archive Robot 
https://launchpad.net/ubuntu/+source/chromium-browser/90.0.4430.72-0ubuntu0.16.04.1


[ubuntu/xenial-updates] ruby2.3 2.3.1-2~ubuntu16.04.16 (Accepted)

2021-04-20 Thread Ubuntu Archive Robot
ruby2.3 (2.3.1-2~ubuntu16.04.16) xenial-security; urgency=medium

  * SECURITY UPDATE: XML round-trip vulnerability in REXML
    - debian/patches/CVE-2021-28965.patch: update to REXML 3.1.7.4.
    - CVE-2021-28965

Date: 2021-04-15 15:57:12.568529+00:00
Changed-By: Marc Deslauriers 
Signed-By: Ubuntu Archive Robot 
https://launchpad.net/ubuntu/+source/ruby2.3/2.3.1-2~ubuntu16.04.16


[ubuntu/xenial-updates] libcaca 0.99.beta19-2ubuntu0.16.04.2 (Accepted)

2021-04-20 Thread Ubuntu Archive Robot
libcaca (0.99.beta19-2ubuntu0.16.04.2) xenial-security; urgency=medium

  * SECURITY UPDATE: Buffer overflow
    - debian/patches/CVE-2021-3410-*.patch: in canvas fix an integer overflow
      in caca_resize() and change some unit tests with that change in
      caca/canvas.c, caca/codec/import.c, caca/codec/text.c, test/canvas.cpp,
      tools/makefont.c.
    - CVE-2021-3410

Date: 2021-04-05 19:18:10.014708+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
Signed-By: Ubuntu Archive Robot 
https://launchpad.net/ubuntu/+source/libcaca/0.99.beta19-2ubuntu0.16.04.2


[ubuntu/xenial-updates] clamav 0.103.2+dfsg-0ubuntu0.16.04.1 (Accepted)

2021-04-19 Thread Ubuntu Archive Robot
clamav (0.103.2+dfsg-0ubuntu0.16.04.1) xenial-security; urgency=medium

  * Updated to version 0.103.2 to fix security issues.
    - Sync most of packaging with 0.103.2+dfsg-1.
    - CVE-2021-1252, CVE-2021-1404, CVE-2021-1405

Date: 2021-04-15 17:51:09.704545+00:00
Changed-By: Marc Deslauriers 
Signed-By: Ubuntu Archive Robot 
https://launchpad.net/ubuntu/+source/clamav/0.103.2+dfsg-0ubuntu0.16.04.1


[ubuntu/xenial-updates] openslp-dfsg 1.2.1-11ubuntu0.16.04.2 (Accepted)

2021-04-19 Thread Ubuntu Archive Robot
openslp-dfsg (1.2.1-11ubuntu0.16.04.2) xenial-security; urgency=medium

  * SECURITY UPDATE: heap overflow vulnerability
    - debian/patches/CVE-2019-5544.patch: Prevent memcpy heap overflow in
      slpd_process.c.
    - debian/libslp1.symbols: Add RemainingBufferSpace@Base.
    - CVE-2019-5544

Date: 2021-04-15 22:27:09.498884+00:00
Changed-By: Avital Ostromich 
Signed-By: Ubuntu Archive Robot 
https://launchpad.net/ubuntu/+source/openslp-dfsg/1.2.1-11ubuntu0.16.04.2


[ubuntu/xenial-updates] underscore 1.7.0~dfsg-1ubuntu1.1 (Accepted)

2021-04-14 Thread Ubuntu Archive Robot
underscore (1.7.0~dfsg-1ubuntu1.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Arbitrary code execution
    - debian/patches/CVE-2021-23358.patch: fix an arbitrary code exec in
      underscore.js.
    - CVE-2021-23358

Date: 2021-04-07 13:10:09.926669+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
Signed-By: Ubuntu Archive Robot 
https://launchpad.net/ubuntu/+source/underscore/1.7.0~dfsg-1ubuntu1.1


[ubuntu/xenial-updates] nettle 3.2-1ubuntu0.16.04.2 (Accepted)

2021-04-13 Thread Ubuntu Archive Robot
nettle (3.2-1ubuntu0.16.04.2) xenial-security; urgency=medium

  * SECURITY UPDATE: Out of Bound memory access in signature verification
    - debian/patches/CVE-2021-20305-1.patch: new functions
      ecc_mod_mul_canonical and ecc_mod_sqr_canonical in
      curve25519-eh-to-x.c, curve448-eh-to-x.c, ecc-eh-to-a.c,
      ecc-internal.h, ecc-j-to-a.c, ecc-mod-arith.c, ecc-mul-m.c.
    - debian/patches/CVE-2021-20305-2.patch: use ecc_mod_mul_canonical for
      point comparison in eddsa-verify.c.
    - debian/patches/CVE-2021-20305-3.patch: fix bug in ecc_ecdsa_verify in
      ecc-ecdsa-verify.c, testsuite/ecdsa-sign-test.c.
    - debian/patches/CVE-2021-20305-4.patch: ensure ecdsa_sign output is
      canonically reduced in ecc-ecdsa-sign.c.
    - debian/patches/CVE-2021-20305-6.patch: similar fix for eddsa in
      eddsa-hash.c.
    - debian/libhogweed4.symbols: added new symbols.
    - CVE-2021-20305

Date: 2021-04-07 15:33:13.629019+00:00
Changed-By: Marc Deslauriers 
Signed-By: Ubuntu Archive Robot 
https://launchpad.net/ubuntu/+source/nettle/3.2-1ubuntu0.16.04.2


[ubuntu/xenial-updates] xorg-server 2:1.18.4-0ubuntu0.12 (Accepted)

2021-04-13 Thread Ubuntu Archive Robot
xorg-server (2:1.18.4-0ubuntu0.12) xenial-security; urgency=medium

  * SECURITY UPDATE: XChangeFeedbackControl Integer Underflow
    - debian/patches/CVE-2021-3472.patch: add check to Xi/chgfctl.c.
    - CVE-2021-3472

Date: 2021-04-08 13:38:12.977692+00:00
Changed-By: Marc Deslauriers 
Signed-By: Ubuntu Archive Robot 
https://launchpad.net/ubuntu/+source/xorg-server/2:1.18.4-0ubuntu0.12


[ubuntu/xenial-updates] xorg-server-hwe-16.04 2:1.19.6-1ubuntu4.1~16.04.6 (Accepted)

2021-04-13 Thread Ubuntu Archive Robot
xorg-server-hwe-16.04 (2:1.19.6-1ubuntu4.1~16.04.6) xenial-security; urgency=medium

  * SECURITY UPDATE: XChangeFeedbackControl Integer Underflow
    - debian/patches/CVE-2021-3472.patch: add check to Xi/chgfctl.c.
    - CVE-2021-3472

Date: 2021-04-08 14:25:13.516595+00:00
Changed-By: Marc Deslauriers 
Signed-By: Ubuntu Archive Robot 
https://launchpad.net/ubuntu/+source/xorg-server-hwe-16.04/2:1.19.6-1ubuntu4.1~16.04.6


[ubuntu/xenial-updates] python-django 1.8.7-1ubuntu5.15 (Accepted)

2021-04-06 Thread Ubuntu Archive Robot
python-django (1.8.7-1ubuntu5.15) xenial-security; urgency=medium

  * SECURITY UPDATE: Potential directory-traversal via uploaded files
    - debian/patches/CVE-2021-28658.patch: properly sanitize filenames in
      django/http/multipartparser.py, tests/file_uploads/tests.py,
      tests/file_uploads/uploadhandler.py, tests/file_uploads/urls.py,
      tests/file_uploads/views.py.
    - CVE-2021-28658

Date: 2021-03-31 12:15:13.272141+00:00
Changed-By: Marc Deslauriers 
Signed-By: Ubuntu Archive Robot 
https://launchpad.net/ubuntu/+source/python-django/1.8.7-1ubuntu5.15


[ubuntu/xenial-updates] ruby-rack 1.6.4-3ubuntu0.2 (Accepted)

2021-04-06 Thread Ubuntu Archive Robot
ruby-rack (1.6.4-3ubuntu0.2) xenial-security; urgency=medium

  * Merge patches from Debian.
  * SECURITY UPDATE: Directory traversal vulnerability.
    - debian/patches/CVE-2020-8161.patch: Use Dir.entries instead of
      Dir[glob] to prevent user-specified glob metacharacters.
    - CVE-2020-8161
  * SECURITY UPDATE: Cookie forgery.
    - debian/patches/CVE-2020-8184.patch: When parsing cookies, only
      decode the values.
    - CVE-2020-8184

Date: 2021-04-06 09:36:28.258683+00:00
Changed-By: Eduardo Barretto 
Signed-By: Ubuntu Archive Robot 
https://launchpad.net/ubuntu/+source/ruby-rack/1.6.4-3ubuntu0.2


[ubuntu/xenial-updates] openexr 2.2.0-10ubuntu2.6 (Accepted)

2021-04-01 Thread Ubuntu Archive Robot
openexr (2.2.0-10ubuntu2.6) xenial-security; urgency=medium

  * SECURITY UPDATE: shift overflow in FastHufDecoder
    - debian/patches/CVE-2021-3474.patch: compute Huf codelengths using 64
      bit to prevent shift overflow in IlmImf/ImfFastHuf.cpp.
    - CVE-2021-3474
  * SECURITY UPDATE: integer overflow in calculateNumTiles
    - debian/patches/CVE-2021-3475.patch: compute level size with 64 bits
      to avoid overflow in IlmImf/ImfTiledMisc.cpp.
    - CVE-2021-3475
  * SECURITY UPDATE: shift overflows
    - debian/patches/CVE-2021-3476.patch: ignore unused bits in B44 mode
      detection in IlmImf/ImfB44Compressor.cpp.
    - CVE-2021-3476
  * SECURITY UPDATE: out-of-bounds read via deep tile sample size
    - debian/patches/CVE-2021-3477.patch: fix overflow computing deeptile
      sample table size in IlmImf/ImfDeepTiledInputFile.cpp.
    - CVE-2021-3477
  * SECURITY UPDATE: memory consumption via input file
    - debian/patches/CVE-2021-3478-pre1.patch: reduce size limit for
      scanline files; prevent large chunkoffset allocations in
      IlmImf/ImfCompressor.cpp, IlmImf/ImfCompressor.h, IlmImf/ImfMisc.cpp,
      IlmImf/ImfMultiPartInputFile.cpp, IlmImf/ImfScanLineInputFile.cpp.
    - debian/patches/CVE-2021-3478.patch: sanity check ScanlineInput
      bytesPerLine instead of lineOffset size in
      IlmImf/ImfScanLineInputFile.cpp.
    - CVE-2021-3478
  * SECURITY UPDATE: memory consumption in scanline API
    - debian/patches/CVE-2021-3479-pre1.patch: address issues reported by
      Undefined Behavior Sanitizer in IlmImf/ImfInputFile.cpp.
    - debian/patches/CVE-2021-3479.patch: more efficient handling of filled
      channels reading tiles with scanline API in IlmImf/ImfInputFile.cpp,
      IlmImfTest/testScanLineApi.cpp.
    - CVE-2021-3479

Date: 2021-04-01 14:33:10.455044+00:00
Changed-By: Marc Deslauriers 
Signed-By: Ubuntu Archive Robot 
https://launchpad.net/ubuntu/+source/openexr/2.2.0-10ubuntu2.6


[ubuntu/xenial-updates] spamassassin 3.4.2-0ubuntu0.16.04.5 (Accepted)

2021-04-01 Thread Ubuntu Archive Robot
spamassassin (3.4.2-0ubuntu0.16.04.5) xenial-security; urgency=medium

  * SECURITY UPDATE: OS Command Injection in cf file parsing
    - debian/patches/CVE-2020-1946.patch: fix header rule parsing in
      lib/Mail/SpamAssassin/Conf/Parser.pm.
    - CVE-2020-1946

Date: 2021-03-29 17:38:09.491874+00:00
Changed-By: Marc Deslauriers 
Signed-By: Ubuntu Archive Robot 
https://launchpad.net/ubuntu/+source/spamassassin/3.4.2-0ubuntu0.16.04.5


[ubuntu/xenial-updates] curl 7.47.0-1ubuntu2.19 (Accepted)

2021-03-31 Thread Ubuntu Archive Robot
curl (7.47.0-1ubuntu2.19) xenial-security; urgency=medium

  * SECURITY UPDATE: data leak via referer header field
    - debian/patches/urlapi.patch: backport url api support in
      include/curl/Makefile.am, include/curl/curl.h, include/curl/urlapi.h,
      lib/Makefile.inc, lib/urlapi-int.h, lib/urlapi.c,
      lib/curl_setup_once.h, lib/url.c, lib/url.h, lib/escape.c,
      lib/escape.h, docs/libcurl/symbols-in-versions.
    - debian/libcurl*.symbols: added new symbols.
    - debian/patches/CVE-2021-22876.patch: strip credentials from the
      auto-referer header field in lib/transfer.c.
    - CVE-2021-22876

Date: 2021-03-29 14:40:09.507068+00:00
Changed-By: Marc Deslauriers 
Signed-By: Ubuntu Archive Robot 
https://launchpad.net/ubuntu/+source/curl/7.47.0-1ubuntu2.19


[ubuntu/xenial-updates] lxml 3.5.0-1ubuntu0.4 (Accepted)

2021-03-30 Thread Ubuntu Archive Robot
lxml (3.5.0-1ubuntu0.4) xenial-security; urgency=medium

  * SECURITY UPDATE: incorrect formaction attribute input sanitization
    - Add HTML-5 formaction attribute to defs.link_attrs in
      src/lxml/html/defs.py, src/lxml/html/tests/test_clean.py.
    - CVE-2021-28957

Date: 2021-03-29 16:42:09.144711+00:00
Changed-By: Marc Deslauriers 
Signed-By: Ubuntu Archive Robot 
https://launchpad.net/ubuntu/+source/lxml/3.5.0-1ubuntu0.4


[ubuntu/xenial-updates] pygments 2.1+dfsg-1ubuntu0.2 (Accepted)

2021-03-30 Thread Ubuntu Archive Robot
pygments (2.1+dfsg-1ubuntu0.2) xenial-security; urgency=medium

  * SECURITY UPDATE: more denial of service issues in regular expressions
    - debian/patches/CVE-2021-27291.patch: fix several exponential/cubic
      complexity regexes in pygments/lexers/archetype.py,
      pygments/lexers/factor.py, pygments/lexers/jvm.py,
      pygments/lexers/matlab.py, pygments/lexers/objective.py,
      pygments/lexers/templates.py.
    - CVE-2021-27291

Date: 2021-03-29 16:00:10.087202+00:00
Changed-By: Marc Deslauriers 
Signed-By: Ubuntu Archive Robot 
https://launchpad.net/ubuntu/+source/pygments/2.1+dfsg-1ubuntu0.2


[ubuntu/xenial-updates] squid3 3.5.12-1ubuntu7.16 (Accepted)

2021-03-29 Thread Ubuntu Archive Robot
squid3 (3.5.12-1ubuntu7.16) xenial-security; urgency=medium

  * SECURITY UPDATE: HTTP Request Smuggling issue
    - debian/patches/CVE-2020-25097.patch: Add slash prefix to
      path-rootless or path-noscheme URLs in src/url.cc.
    - CVE-2020-25097

Date: 2021-03-25 18:16:08.798868+00:00
Changed-By: Marc Deslauriers 
Signed-By: Ubuntu Archive Robot 
https://launchpad.net/ubuntu/+source/squid3/3.5.12-1ubuntu7.16


[ubuntu/xenial-updates] firefox 87.0+build3-0ubuntu0.16.04.2 (Accepted)

2021-03-25 Thread Ubuntu Archive Robot
firefox (87.0+build3-0ubuntu0.16.04.2) xenial; urgency=medium

  * Fix FTBFS on ppc64el
    - debian/patches/libpixman-disable-vmx.patch

firefox (87.0+build3-0ubuntu0.16.04.1) xenial; urgency=medium

  * New upstream release (87.0+build3)

  [ Olivier Tilloy ]
  * Re-enable and update debian/patches/unity-menubar.patch

  [ Rico Tzschichholz ]
  * Update cbindgen to 0.18.0
    - debian/build/create-tarball.py
  * Add Silesian language pack
    - update debian/config/locales.all
    - update debian/config/locales.shipped
    - update debian/control
  * Drop upstreamed patches
    - debian/patches/s390x-fix-hidden-symbol.patch
  * Update patches
    - debian/patches/armhf-reduce-linker-memory-use.patch
    - debian/patches/build-with-libstdc++-7.patch
    - debian/patches/python3-remove-fstrings.patch

Date: 2021-03-23 05:57:08.309904+00:00
Changed-By: Olivier Tilloy 
Signed-By: Ubuntu Archive Robot 
https://launchpad.net/ubuntu/+source/firefox/87.0+build3-0ubuntu0.16.04.2


[ubuntu/xenial-updates] chromium-browser 89.0.4389.90-0ubuntu0.16.04.2 (Accepted)

2021-03-24 Thread Ubuntu Archive Robot
chromium-browser (89.0.4389.90-0ubuntu0.16.04.2) xenial; urgency=medium

  * debian/control: add an explicit runtime dependency on libx11-xcb1
(LP: #1919146)

chromium-browser (89.0.4389.90-0ubuntu0.16.04.1) xenial; urgency=medium

  * Upstream release: 89.0.4389.90
- CVE-2021-21191: Use after free in WebRTC.
- CVE-2021-21192: Heap buffer overflow in tab groups.
- CVE-2021-21193: Use after free in Blink.

Date: 2021-03-18 14:29:14.794242+00:00
Changed-By: Olivier Tilloy 
Signed-By: Ubuntu Archive Robot 
https://launchpad.net/ubuntu/+source/chromium-browser/89.0.4389.90-0ubuntu0.16.04.2


[ubuntu/xenial-updates] ldb 2:1.1.24-1ubuntu3.2 (Accepted)

2021-03-24 Thread Ubuntu Archive Robot
ldb (2:1.1.24-1ubuntu3.2) xenial-security; urgency=medium

  * SECURITY UPDATE: Heap corruption via crafted DN strings
- debian/patches/CVE-2020-27840.patch: avoid head corruption in
  ldb_dn_explode in common/ldb_dn.c.
- CVE-2020-27840
  * SECURITY UPDATE: Out of bounds read in AD DC LDAP server
- debian/patches/CVE-2021-20277.patch: stay in bounds in
  common/attrib_handlers.c.
- CVE-2021-20277

Date: 2021-03-24 12:46:08.070306+00:00
Changed-By: Marc Deslauriers 
Signed-By: Ubuntu Archive Robot 
https://launchpad.net/ubuntu/+source/ldb/2:1.1.24-1ubuntu3.2


[ubuntu/xenial-updates] privoxy 3.0.24-1ubuntu0.1 (Accepted)

2021-03-22 Thread Ubuntu Archive Robot
privoxy (3.0.24-1ubuntu0.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Buffer overflow
- debian/patches/38_CVE-2021-20217.patch: Prevent an assertion by a
  crafted CGI request.
- CVE-2021-20217
  * SECURITY UPDATE: Memory leak
- debian/patches/40_CVE-2021-20216.patch: Fix a memory leak.
- debian/patches/41_CVE-2020-35502.patch: Fixed memory leaks when a
  response is buffered and the buffer limit is reached or Privoxy is
  running out of memory.
- debian/patches/42_CVE-2021-20209.patch: Fixed a memory leak in the
  show-status CGI handler when no action files are configured.
- debian/patches/43_CVE-2021-20210.patch: Fixed a memory leak in the
  show-status CGI handler when no filter files are configured.
- debian/patches/45_CVE-2021-20212.patch: Fixed a memory leak if multiple
  filters are executed and the last one is skipped due to a pcre error.
- debian/patches/48_CVE-2021-20215.patch: Fixed memory leaks in the
  show-status CGI handler when memory allocations fail.
- CVE-2021-20216
- CVE-2020-35502
- CVE-2021-20209
- CVE-2021-20210
- CVE-2021-20212
- CVE-2021-20215
  * SECURITY UPDATE: Denial of Service
- debian/patches/46_CVE-2021-20213.patch: Prevent an unlikely dereference
  of a NULL-pointer that could result in a crash if
  accept-intercepted-requests was enabled.
- debian/patches/49_CVE-2021-20272.patch: Remove an assertion that could be
  triggered with a crafted CGI request.
- debian/patches/50_CVE-2021-20273.patch: Overrule invalid image types.
  Prevents a crash with a crafted CGI request if Privoxy is toggled off.
- debian/patches/51_CVE-2021-20275.patch: Prevent invalid read of size two.
- debian/patches/52_CVE-2021-20276.patch: Obsolete pcre: Prevent invalid
  memory accesses.
- CVE-2021-20213
- CVE-2021-20272
- CVE-2021-20273
- CVE-2021-20275
- CVE-2021-20276
  * Fix detection of insufficient data: debian/patches/39_decompress_iob.patch

Date: 2021-03-22 12:53:15.544427+00:00
Changed-By: Eduardo Barretto 
Signed-By: Ubuntu Archive Robot 
https://launchpad.net/ubuntu/+source/privoxy/3.0.24-1ubuntu0.1


[ubuntu/xenial-updates] firefox 86.0.1+build1-0ubuntu0.16.04.2 (Accepted)

2021-03-22 Thread Ubuntu Archive Robot
firefox (86.0.1+build1-0ubuntu0.16.04.2) xenial; urgency=medium

  * Fix the URL used to download get-pip.py
- debian/tests/virtualenv-wrapper

firefox (86.0.1+build1-0ubuntu0.16.04.1) xenial; urgency=medium

  * New upstream release (86.0.1+build1)

Date: 2021-03-11 16:49:08.913649+00:00
Changed-By: Olivier Tilloy 
Signed-By: Ubuntu Archive Robot 
https://launchpad.net/ubuntu/+source/firefox/86.0.1+build1-0ubuntu0.16.04.2


[ubuntu/xenial-updates] pygments 2.1+dfsg-1ubuntu0.1 (Accepted)

2021-03-22 Thread Ubuntu Archive Robot
pygments (2.1+dfsg-1ubuntu0.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Infinite loop in SMLLexer leads to denial of service
- debian/patches/CVE-2021-20270.patch: fix infinite loop in
  pygments/lexers/ml.py.
- CVE-2021-20270

Date: 2021-03-15 14:08:08.685494+00:00
Changed-By: Marc Deslauriers 
Signed-By: Ubuntu Archive Robot 
https://launchpad.net/ubuntu/+source/pygments/2.1+dfsg-1ubuntu0.1


[ubuntu/xenial-updates] ruby2.3 2.3.1-2~ubuntu16.04.15 (Accepted)

2021-03-18 Thread Ubuntu Archive Robot
ruby2.3 (2.3.1-2~ubuntu16.04.15) xenial-security; urgency=medium

  * SECURITY UPDATE: Unsafe Object Creation Vulnerability in JSON gem
- debian/patches/CVE-2020-10663.patch: set json->create_additions to 0
  in ext/json/parser/parser.c, ext/json/parser/parser.rl.
- CVE-2020-10663
  * SECURITY UPDATE: HTTP Request Smuggling attack in WEBrick
- debian/patches/CVE-2020-25613.patch: make it more strict to interpret
  some headers in lib/webrick/httprequest.rb.
- CVE-2020-25613

Date: 2021-03-16 16:19:16.241911+00:00
Changed-By: Marc Deslauriers 
Signed-By: Ubuntu Archive Robot 
https://launchpad.net/ubuntu/+source/ruby2.3/2.3.1-2~ubuntu16.04.15


[ubuntu/xenial-updates] openjpeg2 2.1.2-1.1+deb9u6build0.16.04.1 (Accepted)

2021-03-16 Thread Ubuntu Archive Robot
openjpeg2 (2.1.2-1.1+deb9u6build0.16.04.1) xenial-security; urgency=medium

  * fake sync from Debian

openjpeg2 (2.1.2-1.1+deb9u6) stretch-security; urgency=medium

  * Non-maintainer upload by the LTS Security Team.
  * Fix CVE-2020-27814: A heap-buffer overflow in the way openjpeg2
handled certain PNG format files.
  * Fix CVE-2020-27823: Wrong computation of x1,y1 if -d option is used,
resulting in heap buffer overflow.
  * Fix CVE-2020-27824: avoid global buffer overflow on irreversible
conversion when too many decomposition levels are specified.
  * Fix CVE-2020-27841: crafted input to be processed by the openjpeg encoder
could cause an out-of-bounds read.
  * Fix CVE-2020-27844: crafted input to be processed by the openjpeg encoder
could cause an out-of-bounds write.
  * Fix CVE-2020-27845: crafted input can cause out-of-bounds-read.

Date: 2021-03-16 09:30:09.507603+00:00
Changed-By: Eduardo Barretto 
Signed-By: Ubuntu Archive Robot 
https://launchpad.net/ubuntu/+source/openjpeg2/2.1.2-1.1+deb9u6build0.16.04.1


[ubuntu/xenial-updates] glib2.0 2.48.2-0ubuntu4.8 (Accepted)

2021-03-15 Thread Ubuntu Archive Robot
glib2.0 (2.48.2-0ubuntu4.8) xenial-security; urgency=medium

  * SECURITY UPDATE: incorrect g_file_replace() symlink handling
- debian/patches/CVE-2021-28153-pre1.patch: allow g_test_bug() to be
  used without g_test_bug_base() in /glib/gtestutils.c.
- debian/patches/CVE-2021-28153-1.patch: fix a typo in a comment in
  gio/glocalfileoutputstream.c.
- debian/patches/CVE-2021-28153-2.patch: stop using g_test_bug_base()
  in file tests in gio/tests/file.c.
- debian/patches/CVE-2021-28153-3.patch: factor out a flag check in
  gio/glocalfileoutputstream.c.
- debian/patches/CVE-2021-28153-4.patch: fix CREATE_REPLACE_DESTINATION
  with symlinks in gio/glocalfileoutputstream.c, gio/tests/file.c.
- debian/patches/CVE-2021-28153-5.patch: add a missing O_CLOEXEC flag
  to replace() in gio/glocalfileoutputstream.c.
- CVE-2021-28153

Date: 2021-03-12 23:23:09.445400+00:00
Changed-By: Marc Deslauriers 
Signed-By: Ubuntu Archive Robot 
https://launchpad.net/ubuntu/+source/glib2.0/2.48.2-0ubuntu4.8


[ubuntu/xenial-updates] chromium-browser 89.0.4389.82-0ubuntu0.16.04.1 (Accepted)

2021-03-13 Thread Ubuntu Archive Robot
-*: remove (long gone) use_vulcanize build flag

chromium-browser (88.0.4324.96-0ubuntu0.16.04.1) xenial; urgency=medium

  * Upstream release: 88.0.4324.96
- CVE-2021-21117: Insufficient policy enforcement in Cryptohome.
- CVE-2021-21118: Insufficient data validation in V8.
- CVE-2021-21119: Use after free in Media.
- CVE-2021-21120: Use after free in WebSQL.
- CVE-2021-21121: Use after free in Omnibox.
- CVE-2021-21122: Use after free in Blink.
- CVE-2021-21123: Insufficient data validation in File System API.
- CVE-2021-21124: Potential user after free in Speech Recognizer.
- CVE-2021-21125: Insufficient policy enforcement in File System API.
- CVE-2020-16044: Use after free in WebRTC.
- CVE-2021-21126: Insufficient policy enforcement in extensions.
- CVE-2021-21127: Insufficient policy enforcement in extensions.
- CVE-2021-21128: Heap buffer overflow in Blink.
- CVE-2021-21129: Insufficient policy enforcement in File System API.
- CVE-2021-21130: Insufficient policy enforcement in File System API.
- CVE-2021-21131: Insufficient policy enforcement in File System API.
- CVE-2021-21132: Inappropriate implementation in DevTools.
- CVE-2021-21133: Insufficient policy enforcement in Downloads.
- CVE-2021-21134: Incorrect security UI in Page Info.
- CVE-2021-21135: Inappropriate implementation in Performance API.
- CVE-2021-21136: Insufficient policy enforcement in WebView.
- CVE-2021-21137: Inappropriate implementation in DevTools.
- CVE-2021-21138: Use after free in DevTools.
- CVE-2021-21139: Inappropriate implementation in iframe sandbox.
- CVE-2021-21140: Uninitialized Use in USB.
- CVE-2021-21141: Insufficient policy enforcement in File System API.
  * debian/control: do not suggest installing adobe-flashplugin (Flash is EOL)
  * debian/rules:
- build with use_allocator_shim=false to replace the default-allocator patch
- remove is_desktop_linux build flag
- build with use_vaapi=false to prevent the default on amd64 and i386 (since
  https://chromium.googlesource.com/chromium/src/+/7bc2776), because this
  requires a version of libva newer than what is available in xenial
  * debian/apport/chromium-browser.py: update the list of related packages
  * debian/chromium-browser.sh.in: do not try to detect Flash plugin
  * debian/patches/add-missing-minigbm-dep.patch: refreshed
  * debian/patches/closure-compiler-java-no-client-vm.patch: refreshed
  * debian/patches/configuration-directory.patch: refreshed
  * debian/patches/default-allocator: removed, no longer needed
  * debian/patches/fix-c++17ism.patch: refreshed
  * debian/patches/fix-ptrace-header-include.patch: refreshed
  * debian/patches/no-dirmd.patch: added
  * debian/patches/revert-newer-xcb-requirement.patch: refreshed
  * debian/patches/search-credit.patch: refreshed
  * debian/patches/set-rpath-on-chromium-executables.patch: refreshed
  * debian/patches/stl-util-old-clang-compatibility.patch: refreshed
  * debian/patches/suppress-newer-clang-warning-flags.patch: updated
  * debian/patches/title-bar-default-system.patch-v35: refreshed
  * debian/patches/touch-v35: refreshed
  * debian/patches/use-clang-versioned.patch: refreshed
  * debian/patches/widevine-enable-version-string.patch: refreshed
  * debian/patches/widevine-other-locations: refreshed
  * debian/known_gn_gen_args-*: remove is_desktop_linux build flag

chromium-browser (87.0.4280.141-0ubuntu0.16.04.2) xenial; urgency=medium

  * debian/patches/wayland-scanner-add-missing-include.patch: added

chromium-browser (87.0.4280.141-0ubuntu0.16.04.1) xenial; urgency=medium

  * Upstream release: 87.0.4280.141
- CVE-2021-21106: Use after free in autofill.
- CVE-2021-21107: Use after free in drag and drop.
- CVE-2021-21108: Use after free in media.
- CVE-2021-21109: Use after free in payments.
- CVE-2021-21110: Use after free in safe browsing.
- CVE-2021-2: Insufficient policy enforcement in WebUI.
- CVE-2021-21112: Use after free in Blink.
- CVE-2021-21113: Heap buffer overflow in Skia.
- CVE-2020-16043: Insufficient data validation in networking.
- CVE-2021-21114: Use after free in audio.
- CVE-2020-15995: Out of bounds write in V8.
- CVE-2021-21115: Use after free in safe browsing.
- CVE-2021-21116: Heap buffer overflow in audio.

chromium-browser (87.0.4280.88-0ubuntu0.16.04.1) xenial; urgency=medium

  * Upstream release: 87.0.4280.88

Date: 2021-03-07 05:53:12.908759+00:00
Changed-By: Olivier Tilloy 
Signed-By: Ubuntu Archive Robot 
https://launchpad.net/ubuntu/+source/chromium-browser/89.0.4389.82-0ubuntu0.16.04.1


[ubuntu/xenial-updates] pillow 3.1.2-0ubuntu1.6 (Accepted)

2021-03-11 Thread Ubuntu Archive Robot
pillow (3.1.2-0ubuntu1.6) xenial-security; urgency=medium

  * SECURITY UPDATE: negative-offset memcpy with an invalid size
- debian/patches/CVE-2021-25290.patch: add extra check to
  libImaging/TiffDecode.c.
- CVE-2021-25290
  * SECURITY UPDATE: DoS via invalid reported size
- debian/patches/CVE-2021-2792x.patch: check reported sizes in
  PIL/IcnsImagePlugin.py, PIL/IcoImagePlugin.py.
- CVE-2021-27922
- CVE-2021-27923

Date: 2021-03-11 13:12:12.297436+00:00
Changed-By: Marc Deslauriers 
Signed-By: Ubuntu Archive Robot 
https://launchpad.net/ubuntu/+source/pillow/3.1.2-0ubuntu1.6


[ubuntu/xenial-updates] git 1:2.7.4-0ubuntu1.10 (Accepted)

2021-03-09 Thread Ubuntu Archive Robot
git (1:2.7.4-0ubuntu1.10) xenial-security; urgency=medium

  * SECURITY UPDATE: remote code exec during clone on case-insensitive FS
- debian/patches/CVE-2021-21300.patch: fix bug that makes checkout
  follow symlinks in leading path in cache.h, compat/mingw.c,
  git-compat-util.h, run-command.c, symlinks.c, t/t0021-conversion.sh,
  t/t2006-checkout-index-basic.sh, unpack-trees.c.
- CVE-2021-21300

Date: 2021-03-04 15:34:10.224400+00:00
Changed-By: Marc Deslauriers 
Signed-By: Ubuntu Archive Robot 
https://launchpad.net/ubuntu/+source/git/1:2.7.4-0ubuntu1.10


[ubuntu/xenial-updates] glib2.0 2.48.2-0ubuntu4.7 (Accepted)

2021-03-08 Thread Ubuntu Archive Robot
glib2.0 (2.48.2-0ubuntu4.7) xenial-security; urgency=medium

  * SECURITY UPDATE: g_byte_array_new_take length truncation
- debian/patches/CVE-2021-2721x/CVE-2021-27218.patch: do not accept too
  large byte arrays in glib/garray.c, glib/gbytes.c,
  glib/tests/bytes.c.
- CVE-2021-27218
  * SECURITY UPDATE: integer overflow in g_bytes_new
- debian/patches/CVE-2021-2721x/CVE-2021-27219*.patch: add internal
  g_memdup2() function and use it instead of g_memdup() in a bunch of
  places.
- CVE-2021-27219

Date: 2021-03-03 14:44:09.448568+00:00
Changed-By: Marc Deslauriers 
Signed-By: Ubuntu Archive Robot 
https://launchpad.net/ubuntu/+source/glib2.0/2.48.2-0ubuntu4.7


[ubuntu/xenial-updates] golang-1.10 1.10.4-2ubuntu1~16.04.2 (Accepted)

2021-03-08 Thread Ubuntu Archive Robot
golang-1.10 (1.10.4-2ubuntu1~16.04.2) xenial-security; urgency=medium

  * SECURITY UPDATE: XSS (LP: #1914372)
- debian/patches/CVE-2020-24553.patch: Add Content-Type detection in
  net/http/cgi and net/http/fcgi.
- CVE-2020-24553

Date: 2021-02-26 22:26:09.208808+00:00
Changed-By: Dariusz Gadomski 
Signed-By: Ubuntu Archive Robot 
https://launchpad.net/ubuntu/+source/golang-1.10/1.10.4-2ubuntu1~16.04.2


[ubuntu/xenial-updates] wpa 2.4-0ubuntu6.8 (Accepted)

2021-03-03 Thread Ubuntu Archive Robot
wpa (2.4-0ubuntu6.8) xenial-security; urgency=medium

  * SECURITY UPDATE: DoS and possible code execution via P2P provision
discovery requests
- debian/patches/CVE-2021-27803-pre1.patch: cleanup handling of unknown
  peer in PD Request processing in src/p2p/p2p_pd.c.
- debian/patches/CVE-2021-27803.patch: fix a corner case in peer
  addition based on PD Request in src/p2p/p2p_pd.c.
- CVE-2021-27803

Date: 2021-03-01 15:16:09.588018+00:00
Changed-By: Marc Deslauriers 
Signed-By: Ubuntu Archive Robot 

https://launchpad.net/ubuntu/+source/wpa/2.4-0ubuntu6.8


[ubuntu/xenial-updates] python2.7 2.7.12-1ubuntu0~16.04.18 (Accepted)

2021-03-03 Thread Ubuntu Archive Robot
python2.7 (2.7.12-1ubuntu0~16.04.18) xenial-security; urgency=medium

  * SECURITY UPDATE: Buffer overflow
- debian/patches/CVE-2021-3177.patch: use improved patch backport.
- CVE-2021-3177
  * Fix autopkgtests due to expired certificates
- debian/patches/ssl-certs-1.patch: Refresh expired SSL test certs
- debian/patches/ssl-certs-2.patch: Refresh expired SSL test certs
- debian/patches/test-ssl.patch: backport test changes and more ssl
  certs from python2.7 in bionic.

Date: 2021-03-01 18:56:10.239331+00:00
Changed-By: Marc Deslauriers 
Signed-By: Ubuntu Archive Robot 

https://launchpad.net/ubuntu/+source/python2.7/2.7.12-1ubuntu0~16.04.18


[ubuntu/xenial-updates] firefox 86.0+build3-0ubuntu0.16.04.1 (Accepted)

2021-02-26 Thread Ubuntu Archive Robot
firefox (86.0+build3-0ubuntu0.16.04.1) xenial; urgency=medium

  * New upstream release (86.0+build3)

firefox (86.0+build2-0ubuntu0.16.04.1) xenial; urgency=medium

  * New upstream release (86.0+build2)

  [ Olivier Tilloy ]
  * Reduce the LTO level (to "thin") on armhf to work around OOM failures on
Launchpad builders
- debian/build/rules.mk
- debian/patches/armhf-rustc-thin-lto.patch
  * Update test expectations
- debian/tests/html5test
  * Remove upstream patch
- debian/patches/upstream-fix-startup-hang.patch

  [ Rico Tzschichholz ]
  * Vendor dump_syms v0.0.7 and its dependencies in the source tarball
- debian/build/create-tarball.py
- debian/build/rules.mk
- debian/config/mozconfig.in
- debian/config/tarball.conf
  * Build-dep on libssl-dev as dump_syms dependency
- debian/control{,.in}
  * Update cbindgen to 0.17.0
- debian/build/create-tarball.py
  * Update patches
- debian/patches/armhf-do-not-build-qcms-with-neon.patch
- debian/patches/python3-remove-fstrings.patch
- debian/patches/unity-menubar.patch

Date: 2021-02-22 18:43:09.418461+00:00
Changed-By: Olivier Tilloy 
Signed-By: Ubuntu Archive Robot 

https://launchpad.net/ubuntu/+source/firefox/86.0+build3-0ubuntu0.16.04.1


[ubuntu/xenial-updates] python2.7 2.7.12-1ubuntu0~16.04.16 (Accepted)

2021-02-25 Thread Ubuntu Archive Robot
python2.7 (2.7.12-1ubuntu0~16.04.16) xenial-security; urgency=medium

  * SECURITY REGRESSION: previous update caused a regression that causes it
pending further investigation this update reverts it
- debian/patches/CVE-2021-3177.patch: was removed.

python2.7 (2.7.12-1ubuntu0~16.04.14) xenial-security; urgency=medium

  * SECURITY UPDATE: Buffer overflow
- debian/patches/CVE-2021-3177.patch: replace snprintf with Python unicode
  formatting in ctypes param reprs in Lib/ctypes/test/test_parameters.py,
  Modules/_ctypes/callproc.c.
- CVE-2021-3177

Date: 2021-02-25 14:25:17.410368+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
Signed-By: Ubuntu Archive Robot 

https://launchpad.net/ubuntu/+source/python2.7/2.7.12-1ubuntu0~16.04.16


[ubuntu/xenial-updates] tiff 4.0.6-1ubuntu0.8 (Accepted)

2021-02-25 Thread Ubuntu Archive Robot
tiff (4.0.6-1ubuntu0.8) xenial-security; urgency=medium

  * SECURITY UPDATE: Integer overflow in tif_getimage.c
- debian/patches/CVE-2020-35523.patch: check Tile width for overflow in
  libtiff/tif_getimage.c.
- CVE-2020-35523
  * SECURITY UPDATE: Heap-based buffer overflow in TIFF2PDF tool
- debian/patches/CVE-2020-35524.patch: properly calculate datasize when
  saving to JPEG YCbCr in tools/tiff2pdf.c.
- CVE-2020-35524

Date: 2021-02-25 13:12:09.266678+00:00
Changed-By: Marc Deslauriers 
Signed-By: Ubuntu Archive Robot 

https://launchpad.net/ubuntu/+source/tiff/4.0.6-1ubuntu0.8


[ubuntu/xenial-updates] python2.7 2.7.12-1ubuntu0~16.04.14 (Accepted)

2021-02-25 Thread Ubuntu Archive Robot
python2.7 (2.7.12-1ubuntu0~16.04.14) xenial-security; urgency=medium

  * SECURITY UPDATE: Buffer overflow
- debian/patches/CVE-2021-3177.patch: replace snprintf with Python unicode
  formatting in ctypes param reprs in Lib/ctypes/test/test_parameters.py,
  Modules/_ctypes/callproc.c.
- CVE-2021-3177

Date: 2021-02-03 13:00:09.623419+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
Signed-By: Ubuntu Archive Robot 

https://launchpad.net/ubuntu/+source/python2.7/2.7.12-1ubuntu0~16.04.14


[ubuntu/xenial-updates] python3.5 3.5.2-2ubuntu0~16.04.13 (Accepted)

2021-02-25 Thread Ubuntu Archive Robot
python3.5 (3.5.2-2ubuntu0~16.04.13) xenial-security; urgency=medium

  * SECURITY UPDATE: Code execution from content received via HTTP
- debian/patches/CVE-2020-27619.patch: no longer call eval() on
  content received via HTTP in Lib/test/multibytecodec_support.py.
- CVE-2020-27619
  * SECURITY UPDATE: Buffer overflow
- debian/patches/CVE-2021-3177.patch: replace snprintf with Python unicode
  formatting in ctypes param reprs in Lib/ctypes/test/test_parameters.py,
  Modules/_ctypes/callproc.c.
- CVE-2021-3177

Date: 2021-01-26 18:05:10.713415+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
Signed-By: Ubuntu Archive Robot 

https://launchpad.net/ubuntu/+source/python3.5/3.5.2-2ubuntu0~16.04.13


[ubuntu/xenial-updates] screen 4.3.1-2ubuntu0.1 (Accepted)

2021-02-24 Thread Ubuntu Archive Robot
screen (4.3.1-2ubuntu0.1) xenial-security; urgency=medium

  * SECURITY UPDATE: DoS via crafted UTF-8 character sequence
- debian/patches/99_CVE-2021-26937.patch: fix out of bounds array
  access in encoding.c.
- CVE-2021-26937

Date: 2021-02-23 18:11:09.402353+00:00
Changed-By: Marc Deslauriers 
Signed-By: Ubuntu Archive Robot 

https://launchpad.net/ubuntu/+source/screen/4.3.1-2ubuntu0.1


[ubuntu/xenial-updates] xterm 322-1ubuntu1.2 (Accepted)

2021-02-24 Thread Ubuntu Archive Robot
xterm (322-1ubuntu1.2) xenial-security; urgency=medium

  * SECURITY UPDATE: crash when handling crafted unicode content
- debian/patches/CVE-2021-27135.patch: correct upper-limit for
  selection buffer, accounting for combining characters in button.c.
- debian/patches/CVE-2021-27135-2.patch: check realloc return code,
  add some casts in button.c.
- CVE-2021-27135

Date: 2021-02-22 18:56:13.526768+00:00
Changed-By: Marc Deslauriers 
Signed-By: Ubuntu Archive Robot 

https://launchpad.net/ubuntu/+source/xterm/322-1ubuntu1.2


[ubuntu/xenial-updates] dnsmasq 2.75-1ubuntu0.16.04.8 (Accepted)

2021-02-24 Thread Ubuntu Archive Robot
dnsmasq (2.75-1ubuntu0.16.04.8) xenial-security; urgency=medium

  * SECURITY REGRESSION: issue with multiple queries (LP: #1916462)
- backport multiple upstream commits to fix regressions
  + 04490bf622ac84891aad6f2dd2edf83725decdee
  + 12af2b171de0d678d98583e2190789e50e02
  + 3f535da79e7a42104543ef5c7b5fa2bed819a78b
  + 141a26f979b4bc959d8e866a295e24f8cf456920
  + 305cb79c5754d5554729b18a2c06fe7ce699687a

Date: 2021-02-23 16:58:13.436589+00:00
Changed-By: Marc Deslauriers 
Signed-By: Ubuntu Archive Robot 

https://launchpad.net/ubuntu/+source/dnsmasq/2.75-1ubuntu0.16.04.8


[ubuntu/xenial-updates] qemu 1:2.5+dfsg-5ubuntu10.51 (Accepted)

2021-02-22 Thread Ubuntu Archive Robot
qemu (1:2.5+dfsg-5ubuntu10.51) xenial-security; urgency=medium

  * SECURITY REGRESSION: fix multiple regressions caused by CVE-2020-13754
security update (LP: #1914883)
- debian/patches/CVE-2020-13754-5.patch: allow 64-bit accesses in
  hw/timer/slavio_timer.c.
- debian/patches/CVE-2020-13754-9.patch: fix valid.max_access_size to
  access address registers in hw/usb/hcd-xhci.c.

Date: 2021-02-17 17:51:14.715959+00:00
Changed-By: Marc Deslauriers 
Signed-By: Ubuntu Archive Robot 

https://launchpad.net/ubuntu/+source/qemu/1:2.5+dfsg-5ubuntu10.51


[ubuntu/xenial-updates] openldap 2.4.42+dfsg-2ubuntu3.13 (Accepted)

2021-02-22 Thread Ubuntu Archive Robot
openldap (2.4.42+dfsg-2ubuntu3.13) xenial-security; urgency=medium

  * SECURITY UPDATE: DoS via malicious packet
- debian/patches/CVE-2021-27212.patch: fix issuerAndThisUpdateCheck in
  servers/slapd/schema_init.c.
- CVE-2021-27212

Date: 2021-02-18 23:52:08.733764+00:00
Changed-By: Marc Deslauriers 
Signed-By: Ubuntu Archive Robot 

https://launchpad.net/ubuntu/+source/openldap/2.4.42+dfsg-2ubuntu3.13


[ubuntu/xenial-updates] libjackson-json-java 1.9.2-7ubuntu0.2 (Accepted)

2021-02-18 Thread Ubuntu Archive Robot
libjackson-json-java (1.9.2-7ubuntu0.2) xenial-security; urgency=medium

  * SECURITY UPDATE: Improper input sanitization
- debian/patches/CVE-2017-15095.patch: Fix deserialization.
- debian/patches/CVE-2017-7525.patch: Backport all known security
  fixes from 2.x that were missing, related to public CVEs.
- debian/patches/CVE-2019-10172_1.patch: Set Secure Processing
  flag on DocumentBuilderFactory.
- d/p/CVE-2019-10172_2.patch: setExpandEntityReferences(false).
- CVE-2017-7525
- CVE-2017-15095
- CVE-2019-10172

Date: 2021-02-18 16:36:09.453586+00:00
Changed-By: Paulo Flabiano Smorigo 
Signed-By: Ubuntu Archive Robot 

https://launchpad.net/ubuntu/+source/libjackson-json-java/1.9.2-7ubuntu0.2


[ubuntu/xenial-updates] bind9 1:9.10.3.dfsg.P4-8ubuntu1.18 (Accepted)

2021-02-18 Thread Ubuntu Archive Robot
bind9 (1:9.10.3.dfsg.P4-8ubuntu1.18) xenial-security; urgency=medium

  * SECURITY UPDATE: off-by-one bug in ISC SPNEGO implementation
- debian/patches/CVE-2020-8625.patch: properly calculate length in
  lib/dns/spnego.c.
- CVE-2020-8625

Date: 2021-02-15 14:17:09.151595+00:00
Changed-By: Marc Deslauriers 
Signed-By: Ubuntu Archive Robot 

https://launchpad.net/ubuntu/+source/bind9/1:9.10.3.dfsg.P4-8ubuntu1.18


[ubuntu/xenial-updates] openssl 1.0.2g-1ubuntu4.19 (Accepted)

2021-02-18 Thread Ubuntu Archive Robot
openssl (1.0.2g-1ubuntu4.19) xenial-security; urgency=medium

  * SECURITY UPDATE: Integer overflow in CipherUpdate
- debian/patches/CVE-2021-23840-pre1.patch: add new EVP error codes in
  crypto/evp/evp_err.c, crypto/evp/evp.h.
- debian/patches/CVE-2021-23840-pre2.patch: add a new EVP error code in
  crypto/evp/evp_err.c, crypto/evp/evp.h.
- debian/patches/CVE-2021-23840.patch: don't overflow the output length
  in EVP_CipherUpdate calls in crypto/evp/evp_enc.c,
  crypto/evp/evp_err.c, crypto/evp/evp.h.
- CVE-2021-23840
  * SECURITY UPDATE: Null pointer deref in X509_issuer_and_serial_hash()
- debian/patches/CVE-2021-23841.patch: fix Null pointer deref in
  crypto/x509/x509_cmp.c.
- CVE-2021-23841

Date: 2021-02-17 15:11:17.451640+00:00
Changed-By: Marc Deslauriers 
Signed-By: Ubuntu Archive Robot 

https://launchpad.net/ubuntu/+source/openssl/1.0.2g-1ubuntu4.19


[ubuntu/xenial-updates] wpa 2.4-0ubuntu6.7 (Accepted)

2021-02-11 Thread Ubuntu Archive Robot
wpa (2.4-0ubuntu6.7) xenial-security; urgency=medium

  * SECURITY UPDATE: P2P discovery heap overflow
- debian/patches/CVE-2021-0326.patch: P2P: Fix copying of secondary
  device types for P2P group client
- CVE-2021-0326
  * SECURITY UPDATE: UPnP SUBSCRIBE misbehavior in WPS AP
- debian/patches/CVE-2020-12695-1.patch: WPS UPnP: Do not allow
  event subscriptions with URLs to other networks
- debian/patches/CVE-2020-12695-2.patch: WPS UPnP: Fix event message
  generation using a long URL path
- debian/patches/CVE-2020-12695-3.patch: WPS UPnP: Handle HTTP
  initiation failures for events more properly
- CVE-2020-12695

Date: 2021-02-10 06:51:09.804114+00:00
Changed-By: Steve Beattie 
Signed-By: Ubuntu Archive Robot 

https://launchpad.net/ubuntu/+source/wpa/2.4-0ubuntu6.7


[ubuntu/xenial-updates] junit4 4.12-4ubuntu1.1 (Accepted)

2021-02-10 Thread Ubuntu Archive Robot
junit4 (4.12-4ubuntu1.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Exposure of Sensitive Information
- debian/patches/CVE-2020-15250.patch: fix local information disclosure
  vulnerability.
- CVE-2020-15250

Date: 2021-02-10 15:53:09.265986+00:00
Changed-By: Paulo Flabiano Smorigo 
Signed-By: Ubuntu Archive Robot 

https://launchpad.net/ubuntu/+source/junit4/4.12-4ubuntu1.1


[ubuntu/xenial-updates] openvswitch 2.5.9-0ubuntu0.16.04.3 (Accepted)

2021-02-10 Thread Ubuntu Archive Robot
openvswitch (2.5.9-0ubuntu0.16.04.3) xenial-security; urgency=medium

  * SECURITY UPDATE: packet parsing vulnerability
- debian/patches/CVE-2020-35498.patch: support extra padding length in
  lib/dp-packet.h, lib/flow.c, tests/classifier.at.
- CVE-2020-35498

Date: 2021-01-29 12:38:16.565943+00:00
Changed-By: Marc Deslauriers 
Signed-By: Ubuntu Archive Robot 

https://launchpad.net/ubuntu/+source/openvswitch/2.5.9-0ubuntu0.16.04.3


[ubuntu/xenial-updates] snapd 2.48.3 (Accepted)

2021-02-09 Thread Ubuntu Archive Robot
snapd (2.48.3) xenial-security; urgency=medium

  * SECURITY UPDATE: sandbox escape vulnerability for containers
(LP: #1910456)
- many: add Delegate=true to generated systemd units for special
  interfaces
- interfaces/greengrass-support: back-port interface changes to
  2.48
- CVE-2020-27352
  * interfaces/builtin/docker-support: allow /run/containerd/s/...
- This is a new path that docker 19.03.14 (with a new version of
  containerd) uses to avoid containerd CVE issues around the unix
  socket. See also CVE-2020-15257.

snapd (2.48.2) xenial; urgency=medium

  * New upstream release, LP: #1906690
- tests: sign new nested-18|20* models to allow for generic serials
- secboot: add extra paranoia when waiting for that fde-reveal-key
- tests: backport netplan workarounds from #9785
- secboot: add workaround for snapcore/core-initrd issue #13
- devicestate: log checkEncryption errors via logger.Noticef
- tests: add nested spread end-to-end test for fde-hooks
- devicestate: implement checkFDEFeatures()
- boot: tweak resealing with fde-setup hooks
- sysconfig/cloudinit.go: add "manual_cache_clean: true" to cloud-
  init restrict file
- secboot: add new LockSealedKeys() that uses either TPM or
  fde-reveal-key
- gadget: use "sealed-keys" to determine what method to use for
  reseal
- boot: add sealKeyToModeenvUsingFdeSetupHook()
- secboot: use `fde-reveal-key` if available to unseal key
- cmd/snap-update-ns: fix sorting of overname mount entries wrt
  other entries
- o/devicestate: save model with serial in the device save db
- devicestate: add runFDESetupHook() helper
- secboot,devicestate: add scaffolding for "fde-reveal-key" support
- hookstate: add new HookManager.EphemeralRunHook()
- update-pot: fix typo in plural keyword spec
- store,cmd/snap-repair: increase initial exponential time
  intervals
- o/devicestate,daemon: fix reboot system action to not require a
  system label
- github: run nested suite when commit is pushed to release branch
- tests: reset fakestore unit status
- tests: fix uc20-create-parition-* tests for updated gadget
- hookstate: implement snapctl fde-setup-{request,result}
- devicestate: make checkEncryption fde-setup hook aware
- client,snapctl: add naive support for "stdin"
- devicestate: support "storage-safety" defaults during install
- snap: use the boot-base for kernel hooks
- vendor: update secboot repo to avoid including secboot.test binary

snapd (2.48.1) xenial; urgency=medium

  * New upstream release, LP: #1906690
- gadget: disable ubuntu-boot role validation check

Date: 2021-02-08 04:21:10.281105+00:00
Changed-By: Michael Vogt 
Signed-By: Ubuntu Archive Robot 

https://launchpad.net/ubuntu/+source/snapd/2.48.3


[ubuntu/xenial-updates] openjdk-8 8u282-b08-0ubuntu1~16.04 (Accepted)

2021-02-09 Thread Ubuntu Archive Robot
openjdk-8 (8u282-b08-0ubuntu1~16.04) xenial-security; urgency=medium

  * Backport from Hirsute.

openjdk-8 (8u282-b08-0ubuntu1) hirsute; urgency=medium

  * Update to 8u282-b08 (GA).
  * Update AArch64 hotspot to 8u282-b07 and AArch32 hotspot to 8u282-b07.

openjdk-8 (8u282-b07-0ubuntu1) hirsute; urgency=medium

  * Update to 8u282-b07 (early access build).
  * Update AArch64 hotspot to 8u282-b03 and AArch32 hotspot to 8u282-b06.
  * Update patches.

openjdk-8 (8u275-b01-0ubuntu1) hirsute; urgency=medium

  * Update to 8u275-b01 (GA). Patch aarch32 and aarch64 to 8u275-b01.
  * Regression fixes:
- JDK-8214440: ldap over a TLS connection negotiate failed with 
"javax.net.ssl.SSLPeerUnverifiedException: hostname of the server '' does not 
match the hostname in the server's certificate"
- JDK-8223940: Private key not supported by chosen signature algorithm
- JDK-8236512: PKCS11 Connection closed after Cipher.doFinal and NoPadding
- JDK-8250861: Crash in MinINode::Ideal(PhaseGVN*, bool)

Date: 2021-01-20 04:25:09.052623+00:00
Changed-By: Tiago Stürmer Daitx 
Signed-By: Ubuntu Archive Robot 

https://launchpad.net/ubuntu/+source/openjdk-8/8u282-b08-0ubuntu1~16.04


[ubuntu/xenial-updates] firefox 85.0.1+build1-0ubuntu0.16.04.1 (Accepted)

2021-02-08 Thread Ubuntu Archive Robot
firefox (85.0.1+build1-0ubuntu0.16.04.1) xenial; urgency=medium

  * New upstream release (85.0.1+build1)

firefox (85.0+build1-0ubuntu0.16.04.3) xenial; urgency=medium

  * Ensure the version of pip used in the virtualenv wrapper is compatible
with Python 3.5 (pip 21.0 dropped support for it, see
https://github.com/pypa/pip/pull/9189) (LP: #1914450)
- debian/tests/control
- debian/tests/virtualenv-wrapper

firefox (85.0+build1-0ubuntu0.16.04.2) xenial; urgency=medium

  * Cherry-pick an upstream commit to address a startup hang (LP: #1914147)
- debian/patches/upstream-fix-startup-hang.patch

Date: 2021-02-05 11:55:09.303023+00:00
Changed-By: Olivier Tilloy 
Signed-By: Ubuntu Archive Robot 

https://launchpad.net/ubuntu/+source/firefox/85.0.1+build1-0ubuntu0.16.04.1


[ubuntu/xenial-updates] qemu 1:2.5+dfsg-5ubuntu10.49 (Accepted)

2021-02-08 Thread Ubuntu Archive Robot
qemu (1:2.5+dfsg-5ubuntu10.49) xenial-security; urgency=medium

  * SECURITY UPDATE: heap overread in iscsi_aio_ioctl_cb
- debian/patches/CVE-2020-11947.patch: fix heap-buffer-overflow in
  block/iscsi.c.
- CVE-2020-11947
  * SECURITY UPDATE: use-after-free in e1000e
- debian/patches/CVE-2020-15859.patch: forbid the reentrant RX in
  net/queue.c.
- CVE-2020-15859
  * SECURITY UPDATE: out of bounds read in atapi
- debian/patches/CVE-2020-29443-1.patch: assert that the buffer pointer
  is in range in hw/ide/atapi.c.
- debian/patches/CVE-2020-29443-2.patch: check logical block address
  and read size in hw/ide/atapi.c.
- CVE-2020-29443
  * SECURITY UPDATE: use after free in 9p
- debian/patches/CVE-2021-20181.patch: fully restart unreclaim loop in
  hw/9pfs/virtio-9p.c.
- CVE-2021-20181

Date: 2021-02-04 13:55:09.485375+00:00
Changed-By: Marc Deslauriers 
Signed-By: Ubuntu Archive Robot 

https://launchpad.net/ubuntu/+source/qemu/1:2.5+dfsg-5ubuntu10.49


[ubuntu/xenial-updates] php-pear 1:1.10.1+submodules+notgz-6ubuntu0.3 (Accepted)

2021-02-08 Thread Ubuntu Archive Robot
php-pear (1:1.10.1+submodules+notgz-6ubuntu0.3) xenial-security; urgency=medium

  * SECURITY UPDATE: directory traversal attack in Archive_Tar
- debian/patches/CVE-2020-36193-1.patch: disallow symlinks to
  out-of-path filenames in submodules/Archive_Tar/Archive/Tar.php.
- debian/patches/CVE-2020-36193-2.patch: fix out-of-path check for
  virtual relative symlink in submodules/Archive_Tar/Archive/Tar.php.
- debian/patches/CVE-2020-36193-3.patch: PHP compat fix in
  submodules/Archive_Tar/Archive/Tar.php.
- CVE-2020-36193

Date: 2021-02-04 17:31:12.126794+00:00
Changed-By: Marc Deslauriers 
Signed-By: Ubuntu Archive Robot 

https://launchpad.net/ubuntu/+source/php-pear/1:1.10.1+submodules+notgz-6ubuntu0.3


[ubuntu/xenial-updates] openldap 2.4.42+dfsg-2ubuntu3.12 (Accepted)

2021-02-08 Thread Ubuntu Archive Robot
openldap (2.4.42+dfsg-2ubuntu3.12) xenial-security; urgency=medium

  * SECURITY UPDATE: integer underflow in Certificate Exact Assertion
processing
- debian/patches/CVE-2020-36221-1.patch: fix serialNumberAndIssuerCheck
  in servers/slapd/schema_init.c.
- debian/patches/CVE-2020-36221-2.patch: fix serialNumberAndIssuerCheck
  in servers/slapd/schema_init.c.
- CVE-2020-36221
  * SECURITY UPDATE: assert failure in saslAuthzTo validation
- debian/patches/CVE-2020-36222-1.patch: remove saslauthz asserts in
  servers/slapd/saslauthz.c.
- debian/patches/CVE-2020-36222-2.patch: fix debug msg in
  servers/slapd/saslauthz.c.
- CVE-2020-36222
  * SECURITY UPDATE: crash in Values Return Filter control handling
- debian/patches/CVE-2020-36223.patch: fix vrfilter double-free in
  servers/slapd/controls.c.
- CVE-2020-36223
  * SECURITY UPDATE: DoS in saslAuthzTo processing
- debian/patches/CVE-2020-36224-1.patch: use ch_free on normalized DN
  in servers/slapd/saslauthz.c.
- debian/patches/CVE-2020-36224-2.patch: use slap_sl_free in prev
  commit in servers/slapd/saslauthz.c.
- CVE-2020-36224
  * SECURITY UPDATE: DoS in saslAuthzTo processing
- debian/patches/CVE-2020-36225.patch: fix AVA_Sort on invalid RDN in
  servers/slapd/dn.c.
- CVE-2020-36225
  * SECURITY UPDATE: DoS in saslAuthzTo processing
- debian/patches/CVE-2020-36226.patch: fix slap_parse_user in
  servers/slapd/saslauthz.c.
- CVE-2020-36226
  * SECURITY UPDATE: infinite loop in cancel_extop Cancel operation
- debian/patches/CVE-2020-36227.patch: fix cancel exop in
  servers/slapd/cancel.c.
- CVE-2020-36227
  * SECURITY UPDATE: DoS in Certificate List Exact Assertion processing
- debian/patches/CVE-2020-36228.patch: fix issuerAndThisUpdateCheck in
  servers/slapd/schema_init.c.
- CVE-2020-36228
  * SECURITY UPDATE: DoS in X.509 DN parsing in ad_keystring
- debian/patches/CVE-2020-36229.patch: add more checks to
  ldap_X509dn2bv in libraries/libldap/tls2.c.
- CVE-2020-36229
  * SECURITY UPDATE: DoS in X.509 DN parsing in ber_next_element
- debian/patches/CVE-2020-36230.patch: check for invalid BER after RDN
  count in libraries/libldap/tls2.c.
- CVE-2020-36230

Date: 2021-02-03 14:20:09.417213+00:00
Changed-By: Marc Deslauriers 
Signed-By: Ubuntu Archive Robot 

https://launchpad.net/ubuntu/+source/openldap/2.4.42+dfsg-2ubuntu3.12


[ubuntu/xenial-updates] minidlna 1.1.5+dfsg-2ubuntu0.1 (Accepted)

2021-02-03 Thread Ubuntu Archive Robot
minidlna (1.1.5+dfsg-2ubuntu0.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Insufficient input sanitization vulnerability
- debian/patches/CVE-2020-12695.patch: upnphttp: Validate SUBSCRIBE
  callback URL.
- debian/patches/CVE-2020-28926.patch: upnphttp: Disallow negative HTTP
  chunk lengths.
- CVE-2020-12695
- CVE-2020-28926
  * Other fixes:
- debian/patches/15-use-newer-ip_multicast_if-api.patch: Use newer
API for IP_MULTICAST_IF which allows one to specify interface by
index, not by address.

Date: 2021-02-02 20:06:09.223295+00:00
Changed-By: Paulo Flabiano Smorigo 
Signed-By: Ubuntu Archive Robot 

https://launchpad.net/ubuntu/+source/minidlna/1.1.5+dfsg-2ubuntu0.1


[ubuntu/xenial-updates] apport 2.20.1-0ubuntu2.30 (Accepted)

2021-02-02 Thread Ubuntu Archive Robot
apport (2.20.1-0ubuntu2.30) xenial-security; urgency=medium

  * SECURITY UPDATE: multiple security issues (LP: #1912326)
- CVE-2021-25682: error parsing /proc/pid/status
- CVE-2021-25683: error parsing /proc/pid/stat
- CVE-2021-25684: stuck reading fifo
- data/apport: make sure existing report is a regular file.
- apport/fileutils.py: move some logic here to skip over manipulated
  process names and filenames.
- test/test_fileutils.py: added some parsing tests.

Date: 2021-01-27 13:26:12.825999+00:00
Changed-By: Marc Deslauriers 
Maintainer: Martin Pitt 
Signed-By: Ubuntu Archive Robot 

https://launchpad.net/ubuntu/+source/apport/2.20.1-0ubuntu2.30


[ubuntu/xenial-updates] ca-certificates 20210119~16.04.1 (Accepted)

2021-02-02 Thread Ubuntu Archive Robot
ca-certificates (20210119~16.04.1) xenial-security; urgency=medium

  * Update ca-certificates database to 20210119 (LP: #1914064):
- mozilla/{certdata.txt,nssckbi.h}: Update Mozilla certificate
  authority bundle to version 2.46.
- backport certain changes from the Ubuntu 20.10 20210119 package

Date: 2021-02-01 16:14:12.307198+00:00
Changed-By: Marc Deslauriers 
Signed-By: Ubuntu Archive Robot 

https://launchpad.net/ubuntu/+source/ca-certificates/20210119~16.04.1


[ubuntu/xenial-updates] fastd 17-4ubuntu0.1 (Accepted)

2021-02-02 Thread Ubuntu Archive Robot
fastd (17-4ubuntu0.1) xenial-security; urgency=medium

[ Emilia Torino ]
* SECURITY UPDATE: denial of service in receive.c
- debian/patches/CVE-2020-27638.patch: fix buffer leak when receiving
  invalid packets.
- CVE-2020-27638

Date: 2021-01-26 11:38:09.697535+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
Signed-By: Ubuntu Archive Robot 

https://launchpad.net/ubuntu/+source/fastd/17-4ubuntu0.1


[ubuntu/xenial-updates] firefox 85.0+build1-0ubuntu0.16.04.1 (Accepted)

2021-02-01 Thread Ubuntu Archive Robot
firefox (85.0+build1-0ubuntu0.16.04.1) xenial; urgency=medium

  * New upstream release (85.0+build1)

  [ Olivier Tilloy ]
  * Re-enable and update debian/patches/unity-menubar.patch
  * Update test expectation (https://bugzilla.mozilla.org/1680596)
- debian/tests/html5test
  * Partially rewrite an autopkgtest to make it more robust
- debian/tests/search-engines
  * Remove patches that are no longer needed
- debian/patches/fix-make-package-tests-without-webrtc.patch
- debian/patches/ppc-no-static-sizes.patch

  [ Rico Tzschichholz ]
  * Bump build-dep on rustc >= 1.47.0 and cargo >= 0.47
- debian/control{,.in}
  * Make cargo 0.47 aka 1.46.0 sufficient
- debian/patches/relax-cargo-dep.patch
  * Update cbindgen to 0.16.0
- debian/build/create-tarball.py
  * Reduce the rust debuginfo level unconditionally on all architectures,
given that builds started failing reliably on amd64 with rustc 1.47
- update
  debian/patches/reduce-rust-debuginfo-on-selected-architectures.patch and
  rename it to debian/patches/reduce-rust-debuginfo.patch
  * Update patches
- debian/patches/python3-remove-fstrings.patch

Date: 2021-01-18 20:53:10.091885+00:00
Changed-By: Olivier Tilloy 
Signed-By: Ubuntu Archive Robot 

https://launchpad.net/ubuntu/+source/firefox/85.0+build1-0ubuntu0.16.04.1


[ubuntu/xenial-updates] rustc 1.47.0+dfsg1+llvm-1ubuntu1~16.04.1 (Accepted)

2021-02-01 Thread Ubuntu Archive Robot
 Fix patch for line numbers on little-endian arches.

rustc (1.44.1+dfsg1-2) unstable; urgency=medium

  * Ignore tests that assume little-endian on big-endian arches.
See upstream #74829 for details.

rustc (1.44.1+dfsg1-1) unstable; urgency=medium

  * Upload to unstable.
  * Backport a typenum fix for i386.
  * Work around upstream #74786 involving debuginfo maps.

rustc (1.44.1+dfsg1-1~exp1) experimental; urgency=medium

  * New upstream release.

rustc (1.43.0+dfsg1+llvm-1~exp1ubuntu3) UNRELEASED; urgency=medium

  * Relax rustc version constraint in Build-Depends to see if 1.41 can
build 1.43 on riscv64.

rustc (1.43.0+dfsg1+llvm-1~exp1ubuntu2) groovy; urgency=medium

  * Fix mismerge preventing tests from running.
  * Backport patch fixing miscompilation and subsequent crash on s390x
(adapted from https://src.fedoraproject.org/rpms/llvm/pull-request/49):
- add 
debian/patches/0001-InstCombine-Fix-big-endian-miscompile-of-bitcast-zex.patch
- update debian/patches/series

Date: 2020-12-10 07:37:14.859381+00:00
Changed-By: Michael Hudson-Doyle 
Signed-By: Ubuntu Archive Robot 

https://launchpad.net/ubuntu/+source/rustc/1.47.0+dfsg1+llvm-1ubuntu1~16.04.1


[ubuntu/xenial-updates] cargo 0.47.0-1~exp1ubuntu1~16.04.1 (Accepted)

2021-02-01 Thread Ubuntu Archive Robot
cargo (0.47.0-1~exp1ubuntu1~16.04.1) xenial; urgency=medium

  * Backport to Xenial. (LP: #1901571)
  * Drop ssh_key_from_memory from the git2 default features, as that results
in the libgit2 build depending on a version of libssh2 that is too recent
- add debian/patches/git2-no-ssh_key_from_memory.patch
- update debian/patches/series
  * Do not use the http2 feature of the curl crate, and warn rather than fail
on errors caused by a too-old curl.
- add debian/patches/ignore-libcurl-errors.patch
- update debian/patches/series
  * Relax debhelper requirement.

cargo (0.47.0-1~exp1ubuntu1) hirsute; urgency=medium

  * Merge from Debian experimental (LP: #1901571): Remaining changes:
- Don't use the bootstrap.py script for bootstrapping as it no longer
  works.
  - remove debian/bootstrap.py
  - update debian/make_orig_multi.sh
- Embed libgit2 1.0.0 which is not yet in Debian or Ubuntu.
  - add debian/libgit2
  - add debian/patches/use-system-libhttp-parser.patch
  - update debian/control
  - update debian/copyright
  - update debiab/patches/series
  - update debian/README.source
  - update debian/rules
  * d/patches/0001-relax-deprecated-diagnostic-message-check.patch:
backport fix for tests that fail with rustc 1.47 from upstream.
  * d/patches/skip-filters_target-i386.patch: skip a test that fails on
i386 for silly reasons.

cargo (0.47.0-1~exp1) experimental; urgency=medium

  * New upstream release.

Date: 2020-12-11 06:31:14.808820+00:00
Changed-By: Michael Hudson-Doyle 
Signed-By: Ubuntu Archive Robot 

https://launchpad.net/ubuntu/+source/cargo/0.47.0-1~exp1ubuntu1~16.04.1


[ubuntu/xenial-updates] mysql-5.7 5.7.33-0ubuntu0.16.04.1 (Accepted)

2021-02-01 Thread Ubuntu Archive Robot
mysql-5.7 (5.7.33-0ubuntu0.16.04.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Update to 5.7.33 to fix security issues
- CVE-2021-2010, CVE-2021-2011, CVE-2021-2014, CVE-2021-2022,
  CVE-2021-2032, CVE-2021-2060

Date: 2021-01-28 15:17:09.451934+00:00
Changed-By: Marc Deslauriers 
Signed-By: Ubuntu Archive Robot 

https://launchpad.net/ubuntu/+source/mysql-5.7/5.7.33-0ubuntu0.16.04.1


[ubuntu/xenial-updates] pinba-engine-mysql 1.1.0-1ubuntu1.19 (Accepted)

2021-02-01 Thread Ubuntu Archive Robot
pinba-engine-mysql (1.1.0-1ubuntu1.19) xenial-security; urgency=medium

  * Rebuild against mysql 5.7.33.

Date: 2021-01-28 17:41:11.032026+00:00
Changed-By: Marc Deslauriers 
Signed-By: Ubuntu Archive Robot 

https://launchpad.net/ubuntu/+source/pinba-engine-mysql/1.1.0-1ubuntu1.19


[ubuntu/xenial-updates] python-django 1.8.7-1ubuntu5.14 (Accepted)

2021-02-01 Thread Ubuntu Archive Robot
python-django (1.8.7-1ubuntu5.14) xenial-security; urgency=medium

  * SECURITY UPDATE: Potential directory-traversal via archive.extract()
- debian/patches/CVE-2021-3281.patch: check for invalid paths in
  django/utils/archive.py.
- CVE-2021-3281

Date: 2021-01-25 13:51:09.786112+00:00
Changed-By: Marc Deslauriers 
Signed-By: Ubuntu Archive Robot 

https://launchpad.net/ubuntu/+source/python-django/1.8.7-1ubuntu5.14


[ubuntu/xenial-updates] sudo 1.8.16-0ubuntu1.10 (Accepted)

2021-01-26 Thread Ubuntu Archive Robot
sudo (1.8.16-0ubuntu1.10) xenial-security; urgency=medium

  * SECURITY UPDATE: dir existence issue via sudoedit race
- debian/patches/CVE-2021-23239.patch: fix potential directory existing
  info leak in sudoedit in src/sudo_edit.c.
- CVE-2021-23239
  * SECURITY UPDATE: heap-based buffer overflow
- debian/patches/CVE-2021-3156-pre1.patch: check lock record size in
  plugins/sudoers/timestamp.c.
- debian/patches/CVE-2021-3156-pre2.patch: sanity check size when
  converting the first record to TS_LOCKEXCL in
  plugins/sudoers/timestamp.c.
- debian/patches/CVE-2021-3156-1.patch: reset valid_flags to
  MODE_NONINTERACTIVE for sudoedit in src/parse_args.c.
- debian/patches/CVE-2021-3156-2.patch: add sudoedit flag checks in
  plugin in plugins/sudoers/policy.c.
- debian/patches/CVE-2021-3156-3.patch: fix potential buffer overflow
  when unescaping backslashes in plugins/sudoers/sudoers.c.
- debian/patches/CVE-2021-3156-4.patch: fix the memset offset when
  converting a v1 timestamp to TS_LOCKEXCL in
  plugins/sudoers/timestamp.c.
- debian/patches/CVE-2021-3156-5.patch: don't assume that argv is
  allocated as a single flat buffer in src/parse_args.c.
- CVE-2021-3156

Date: 2021-01-20 16:46:19.567958+00:00
Changed-By: Marc Deslauriers 
Signed-By: Ubuntu Archive Robot 

https://launchpad.net/ubuntu/+source/sudo/1.8.16-0ubuntu1.10


[ubuntu/xenial-updates] libsndfile 1.0.25-10ubuntu0.16.04.3 (Accepted)

2021-01-26 Thread Ubuntu Archive Robot
libsndfile (1.0.25-10ubuntu0.16.04.3) xenial-security; urgency=medium

  * SECURITY UPDATE: Heap-based buffer overflow 
- debian/patches/CVE-2017-12562.patch: Size buffer correctly in
  src/common.c to prevent buffer overflows.
- CVE-2017-12562

Date: 2021-01-22 23:34:09.216565+00:00
Changed-By: Avital Ostromich 
Signed-By: Ubuntu Archive Robot 

https://launchpad.net/ubuntu/+source/libsndfile/1.0.25-10ubuntu0.16.04.3


[ubuntu/xenial-updates] mutt 1.5.24-1ubuntu0.6 (Accepted)

2021-01-25 Thread Ubuntu Archive Robot
mutt (1.5.24-1ubuntu0.6) xenial-security; urgency=medium

  * SECURITY UPDATE: Denial of service
- debian/patches/CVE-2021-3181-1.patch: Fix memory leak parsing group
  addresses without a display name in rfc822.c.
- debian/patches/CVE-2021-3181-2.patch: Don't allocate a group terminator
  unless we are in a group-list in rfc822.c.
- debian/patches/CVE-2021-3181-3.patch: Add group terminator if it is left
  off in rfc822.c.
- CVE-2021-3181

Date: 2021-01-22 13:41:36.821448+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
Signed-By: Ubuntu Archive Robot 

https://launchpad.net/ubuntu/+source/mutt/1.5.24-1ubuntu0.6


[ubuntu/xenial-updates] pound 2.6-6.1ubuntu0.1 (Accepted)

2021-01-25 Thread Ubuntu Archive Robot
pound (2.6-6.1ubuntu0.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Request smuggling
- debian/patches/0009-CVE-2016-10711-CVE-2018-21245.patch: avoid
  request smuggling in http.c.
- CVE-2016-10711
- CVE-2018-21245

Date: 2021-01-21 13:26:11.273882+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
Signed-By: Ubuntu Archive Robot 

https://launchpad.net/ubuntu/+source/pound/2.6-6.1ubuntu0.1


[ubuntu/xenial-updates] pyxdg 0.25-4ubuntu0.16.04.1 (Accepted)

2021-01-19 Thread Ubuntu Archive Robot
pyxdg (0.25-4ubuntu0.16.04.1) xenial-security; urgency=medium

  * SECURITY UPDATE: XML Injection
- debian/patches/CVE-2019-12761.patch: Prevent a code injection via the
  Category element of a Menu XML document.
- CVE-2019-12761

Date: 2021-01-13 23:50:22.677228+00:00
Changed-By: Avital Ostromich 
Signed-By: Ubuntu Archive Robot 

https://launchpad.net/ubuntu/+source/pyxdg/0.25-4ubuntu0.16.04.1


[ubuntu/xenial-updates] log4net 1.2.10+dfsg-7ubuntu0.16.04.1 (Accepted)

2021-01-19 Thread Ubuntu Archive Robot
log4net (1.2.10+dfsg-7ubuntu0.16.04.1) xenial-security; urgency=medium

  * SECURITY UPDATE: XXE-based attacks
- XmlConfigurator: no longer allow dtd processing across all
  platforms in src/Config/XmlConfigurator.cs.
- CVE-2018-1285

Date: 2021-01-18 18:12:13.899704+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
Signed-By: Ubuntu Archive Robot 

https://launchpad.net/ubuntu/+source/log4net/1.2.10+dfsg-7ubuntu0.16.04.1


[ubuntu/xenial-updates] dnsmasq 2.75-1ubuntu0.16.04.7 (Accepted)

2021-01-19 Thread Ubuntu Archive Robot
dnsmasq (2.75-1ubuntu0.16.04.7) xenial-security; urgency=medium

  * SECURITY UPDATE: Multiple security issues
- CVE-2020-25681: heap overflow in RRSets sorting
- CVE-2020-25682: buffer overflow in extracting names from DNS packets
- CVE-2020-25683: heap overflow in DNSSEC validation
- CVE-2020-25684: cache poisoning issue via address/port
- CVE-2020-25685: cache poisoning issue via weak hash
- CVE-2020-25686: birthday attack via incorrect existing requests check
- CVE-2020-25687: heap overflow in DNSSEC validation
- CVE-2019-14834: memory leak via DHCP response creation

Date: 2021-01-11 13:04:10.026392+00:00
Changed-By: Marc Deslauriers 
Signed-By: Ubuntu Archive Robot 

https://launchpad.net/ubuntu/+source/dnsmasq/2.75-1ubuntu0.16.04.7
Sorry, changesfile not available.-- 
Xenial-changes mailing list
Xenial-changes@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/xenial-changes


[ubuntu/xenial-updates] pillow 3.1.2-0ubuntu1.5 (Accepted)

2021-01-18 Thread Ubuntu Archive Robot
pillow (3.1.2-0ubuntu1.5) xenial-security; urgency=medium

  * SECURITY UPDATE: buffer over-read via PCX file
- debian/patches/CVE-2020-35653.patch: don't trust the image to specify
  a buffer size in PIL/PcxImagePlugin.py, removed failing test in
  Tests/test_image.py.
- CVE-2020-35653

Date: 2021-01-14 12:38:15.744694+00:00
Changed-By: Marc Deslauriers 
Signed-By: Ubuntu Archive Robot 

https://launchpad.net/ubuntu/+source/pillow/3.1.2-0ubuntu1.5


[ubuntu/xenial-updates] htmldoc 1.8.27-8ubuntu1.1 (Accepted)

2021-01-18 Thread Ubuntu Archive Robot
htmldoc (1.8.27-8ubuntu1.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Stack-based buffer overflow
- debian/patches/CVE-2019-19630.patch: fix a buffer underflow issue with
  GCC on linux in htmldoc/ps-pdf.cxx.
- CVE-2019-19630

Date: 2021-01-14 16:06:12.234668+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
Signed-By: Ubuntu Archive Robot 

https://launchpad.net/ubuntu/+source/htmldoc/1.8.27-8ubuntu1.1


[ubuntu/xenial-updates] icoutils 0.31.0-3ubuntu0.1 (Accepted)

2021-01-18 Thread Ubuntu Archive Robot
icoutils (0.31.0-3ubuntu0.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2017-5208.patch: fix check_offset overflow on
      64-bit systems in wrestool/fileread.c.
    - CVE-2017-5208
  * SECURITY UPDATE: Arbitrary code execution and Denial of service
    - debian/patches/CVE-2017-5331.patch: make check_offset more stringent
      in wrestool/fileread.c.
    - CVE-2017-5331
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2017-5332.patch: prevent access to unallocated memory
      in wrestool/extract.c.
    - CVE-2017-5332
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2017-5333.patch: fix an index in wrestool/extract.c.
    - CVE-2017-5333
  * SECURITY UPDATE: Failed memcpy, crash and buffer overflow
    - debian/patches/CVE-2017-6009_CVE-2017-6010_CVE-2017-6011.patch: fix in
      icotool/extract.c, wrestool/restable.c.
    - CVE-2017-6009
    - CVE-2017-6010
    - CVE-2017-6011

Date: 2021-01-14 14:33:08.996467+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
Signed-By: Ubuntu Archive Robot 

https://launchpad.net/ubuntu/+source/icoutils/0.31.0-3ubuntu0.1


[ubuntu/xenial-updates] ampache 3.6-rzb2779+dfsg-0ubuntu9.2 (Accepted)

2021-01-14 Thread Ubuntu Archive Robot
ampache (3.6-rzb2779+dfsg-0ubuntu9.2) xenial-security; urgency=medium

  * SECURITY UPDATE: SQL Injection and XSS vulnerabilities
    - debian/patches/04_CVE-2019-12385_CVE-2019-12386.patch: Fix search engine
      and the LocalPlay "add instance" functionality.
    - CVE-2019-12385
    - CVE-2019-12386

Date: 2021-01-14 16:03:09.733740+00:00
Changed-By: Paulo Flabiano Smorigo 
Signed-By: Ubuntu Archive Robot 

https://launchpad.net/ubuntu/+source/ampache/3.6-rzb2779+dfsg-0ubuntu9.2


[ubuntu/xenial-updates] openvswitch 2.5.9-0ubuntu0.16.04.2 (Accepted)

2021-01-13 Thread Ubuntu Archive Robot
openvswitch (2.5.9-0ubuntu0.16.04.2) xenial-security; urgency=medium

  * SECURITY UPDATE: buffer overflow decoding malformed packets in lldp
    - debian/patches/CVE-2015-8011.patch: check lengths in lib/lldp/lldp.c.
    - CVE-2015-8011
  * SECURITY UPDATE: Externally triggered memory leak in lldp
    - debian/patches/CVE-2020-27827.patch: properly free memory in
      lib/lldp/lldp.c.
    - CVE-2020-27827

openvswitch (2.5.9-0ubuntu0.16.04.1) xenial; urgency=medium

  * Bump nofiles to 1048576 for ovs daemons when running under
    upstart (LP: #1737866).
  * d/watch: Misc tweaks for upstream layout changes.
  * New upstream release (LP: #1888198).

Date: 2021-01-08 14:13:14.326038+00:00
Changed-By: Marc Deslauriers 
Signed-By: Ubuntu Archive Robot 

https://launchpad.net/ubuntu/+source/openvswitch/2.5.9-0ubuntu0.16.04.2


[ubuntu/xenial-updates] tar 1.28-2.1ubuntu0.2 (Accepted)

2021-01-13 Thread Ubuntu Archive Robot
tar (1.28-2.1ubuntu0.2) xenial-security; urgency=medium

  * SECURITY UPDATE: Infinite read loop
    - debian/patches/Fix-CVE-2018-20482.patch: Add handling for short read
      condition in sparse_dump_region() of src/sparse.c.
    - CVE-2018-20482
  * SECURITY UPDATE: NULL pointer dereference
    - debian/patches/CVE-2019-9923.patch: Check for NULL return value from
      find_next_block in src/sparse.c.
    - CVE-2019-9923

Date: 2021-01-11 17:23:08.702683+00:00
Changed-By: Avital Ostromich 
Signed-By: Ubuntu Archive Robot 

https://launchpad.net/ubuntu/+source/tar/1.28-2.1ubuntu0.2


[ubuntu/xenial-updates] xdg-utils 1.1.1-1ubuntu1.16.04.5 (Accepted)

2021-01-12 Thread Ubuntu Archive Robot
xdg-utils (1.1.1-1ubuntu1.16.04.5) xenial-security; urgency=medium

  * SECURITY REGRESSION: simple-scan email functionality break
    - debian/patches/CVE-2020-27748.patch: was reverted/deleted in
      scripts/xdg-email.in.

Date: 2021-01-11 14:13:09.201751+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
Signed-By: Ubuntu Archive Robot 

https://launchpad.net/ubuntu/+source/xdg-utils/1.1.1-1ubuntu1.16.04.5


[ubuntu/xenial-updates] jasper 1.900.1-debian1-2.4ubuntu1.3 (Accepted)

2021-01-11 Thread Ubuntu Archive Robot
jasper (1.900.1-debian1-2.4ubuntu1.3) xenial-security; urgency=medium

  * SECURITY UPDATE: NULL pointer dereference
    - debian/patches/CVE-2018-18873.patch: check components for RGB,
      fixes NULL pointer dereference in src/libjasper/ras/ras_enc.c.
    - CVE-2018-18873
  * SECURITY UPDATE: Null pointer dereference
    - debian/patches/CVE-2018-19542-and-CVE-2017-9782.patch: fix numchans mixup,
      NULL dereference in src/libjasper/jp2/jp2_dec.c.
    - CVE-2018-19542
    - CVE-2017-9782
  * SECURITY UPDATE: Out of bounds write
    - debian/patches/CVE-2020-27828.patch: avoid maxrlvls more
      than upper bound to cause heap-buffer-overflow in
      src/libjasper/jpc/jpc_enc.c.
    - CVE-2020-27828

Date: 2021-01-08 15:25:09.422167+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
Signed-By: Ubuntu Archive Robot 

https://launchpad.net/ubuntu/+source/jasper/1.900.1-debian1-2.4ubuntu1.3


[ubuntu/xenial-updates] coturn 4.5.0.3-1ubuntu0.4 (Accepted)

2021-01-11 Thread Ubuntu Archive Robot
coturn (4.5.0.3-1ubuntu0.4) xenial-security; urgency=medium

  * SECURITY UPDATE: Unsafe loopback interface
    - debian/patches/CVE-2020-26262.patch: Add check if address is in
      0.0.0.0/8 or ::/128.
    - CVE-2020-26262

Date: 2021-01-08 14:34:09.193206+00:00
Signed-By: Ubuntu Archive Robot 

https://launchpad.net/ubuntu/+source/coturn/4.5.0.3-1ubuntu0.4


[ubuntu/xenial-updates] firefox 84.0.2+build1-0ubuntu0.16.04.1 (Accepted)

2021-01-07 Thread Ubuntu Archive Robot
firefox (84.0.2+build1-0ubuntu0.16.04.1) xenial; urgency=medium

  * New upstream release (84.0.2+build1)

Date: 2021-01-06 12:34:08.811486+00:00
Changed-By: Olivier Tilloy 
Signed-By: Ubuntu Archive Robot 

https://launchpad.net/ubuntu/+source/firefox/84.0.2+build1-0ubuntu0.16.04.1


[ubuntu/xenial-updates] ghostscript 9.26~dfsg+0-0ubuntu0.16.04.14 (Accepted)

2021-01-07 Thread Ubuntu Archive Robot
ghostscript (9.26~dfsg+0-0ubuntu0.16.04.14) xenial-security; urgency=medium

  * SECURITY UPDATE: integer overflow in opj_t1_encode_cblks
    - debian/patches/CVE-2018-5727.patch: fix UBSAN signed integer overflow
      in openjpeg/src/lib/openjp2/t1.c.
    - CVE-2018-5727
  * SECURITY UPDATE: heap overflow in opj_t1_clbl_decode_processor
    - debian/patches/CVE-2020-6851.patch: reject images whose
      coordinates are beyond INT_MAX in openjpeg/src/lib/openjp2/j2k.c.
    - CVE-2020-6851
  * SECURITY UPDATE: another heap overflow in opj_t1_clbl_decode_processor
    - debian/patches/CVE-2020-8112.patch: avoid integer overflow in
      openjpeg/src/lib/openjp2/tcd.c.
    - CVE-2020-8112
  * SECURITY UPDATE: heap-buffer-overflow
    - debian/patches/CVE-2020-27814-1.patch: grow buffer size in
      openjpeg/src/lib/openjp2/tcd.c.
    - debian/patches/CVE-2020-27814-2.patch: grow it again
    - debian/patches/CVE-2020-27814-3.patch: and some more
    - debian/patches/CVE-2020-27814-4.patch: bigger, BIGGER!!!
    - CVE-2020-27814
  * SECURITY UPDATE: global-buffer-overflow
    - debian/patches/CVE-2020-27824.patch: avoid global buffer overflow on
      irreversible conversion when too many decomposition levels are
      specified in openjpeg/src/lib/openjp2/dwt.c.
    - CVE-2020-27824
  * SECURITY UPDATE: out-of-bounds read
    - debian/patches/CVE-2020-27841.patch: add extra checks to
      openjpeg/src/lib/openjp2/pi.c, openjpeg/src/lib/openjp2/pi.h,
      openjpeg/src/lib/openjp2/t2.c.
    - CVE-2020-27841
  * SECURITY UPDATE: null pointer dereference
    - debian/patches/CVE-2020-27842.patch: add check to
      openjpeg/src/lib/openjp2/t2.c.
    - CVE-2020-27842
  * SECURITY UPDATE: out-of-bounds read
    - debian/patches/CVE-2020-27843.patch: add check to
      openjpeg/src/lib/openjp2/t2.c.
    - CVE-2020-27843
  * SECURITY UPDATE: out-of-bounds read
    - debian/patches/CVE-2020-27845.patch: add extra checks to
      openjpeg/src/lib/openjp2/pi.c.
    - CVE-2020-27845

Date: 2021-01-06 19:16:12.891322+00:00
Changed-By: Marc Deslauriers 
Signed-By: Ubuntu Archive Robot 

https://launchpad.net/ubuntu/+source/ghostscript/9.26~dfsg+0-0ubuntu0.16.04.14


[ubuntu/xenial-updates] edk2 0~20160408.ffea0a2c-2ubuntu0.2 (Accepted)

2021-01-07 Thread Ubuntu Archive Robot
edk2 (0~20160408.ffea0a2c-2ubuntu0.2) xenial-security; urgency=medium

  * Fix integer overflow in DxeImageVerificationHandler. (CVE-2019-14562)
  * CryptoPkg/BaseCryptLib: fix NULL dereference. (CVE-2019-14584)

Date: 2021-01-06 13:19:11.626820+00:00
Changed-By: dann frazier 
Signed-By: Ubuntu Archive Robot 

https://launchpad.net/ubuntu/+source/edk2/0~20160408.ffea0a2c-2ubuntu0.2


[ubuntu/xenial-updates] p11-kit 0.23.2-5~ubuntu16.04.2 (Accepted)

2021-01-05 Thread Ubuntu Archive Robot
p11-kit (0.23.2-5~ubuntu16.04.2) xenial-security; urgency=medium

  * SECURITY UPDATE: multiple integer overflows
    - debian/patches/CVE-2020-29361-1.patch: check for arithmetic overflows
      before allocating in p11-kit/iter.c, p11-kit/lists.c,
      p11-kit/proxy.c, p11-kit/rpc-message.c, p11-kit/rpc-message.h,
      p11-kit/rpc-server.c, trust/index.c.
    - debian/patches/CVE-2020-29361-2.patch: add reallocarray and follow-up
      to arithmetic overflow fix in common/compat.c, common/compat.h,
      p11-kit/rpc-message.c.
    - CVE-2020-29361
  * SECURITY UPDATE: heap over-read in the RPC protocol
    - debian/patches/CVE-2020-29362.patch: fix bounds check in
      p11-kit/rpc-message.c.
    - CVE-2020-29362

Date: 2021-01-04 19:43:12.706348+00:00
Changed-By: Marc Deslauriers 
Signed-By: Ubuntu Archive Robot 

https://launchpad.net/ubuntu/+source/p11-kit/0.23.2-5~ubuntu16.04.2

