[ubuntu/xenial-updates] postgresql-9.5 9.5.12-0ubuntu0.16.04 (Accepted)

2018-03-06 Thread Ubuntu Archive Robot 
postgresql-9.5 (9.5.12-0ubuntu0.16.04) xenial-security; urgency=medium

  * New upstream release (LP: #1752271)
If you run an installation in which not all users are mutually
trusting, or if you maintain an application or extension that is
intended for use in arbitrary situations, it is strongly recommended
that you read the documentation changes described in the first changelog
entry below, and take suitable steps to ensure that your installation or
code is secure.

Also, the changes described in the second changelog entry below may
cause functions used in index expressions or materialized views to fail
during auto-analyze, or when reloading from a dump.  After upgrading,
monitor the server logs for such problems, and fix affected functions.

- Document how to configure installations and applications to guard
  against search-path-dependent trojan-horse attacks from other users

  Using a search_path setting that includes any schemas writable by a
  hostile user enables that user to capture control of queries and then
  run arbitrary SQL code with the permissions of the attacked user. While
  it is possible to write queries that are proof against such hijacking,
  it is notationally tedious, and it's very easy to overlook holes.
  Therefore, we now recommend configurations in which no untrusted schemas
  appear in one's search path.
  (CVE-2018-1058)

- Avoid use of insecure search_path settings in pg_dump and other client
  programs

  pg_dump, pg_upgrade, vacuumdb and other PostgreSQL-provided applications
  were themselves vulnerable to the type of hijacking described in the
  previous changelog entry; since these applications are commonly run by
  superusers, they present particularly attractive targets.  To make them
  secure whether or not the installation as a whole has been secured,
  modify them to include only the pg_catalog schema in their search_path
  settings. Autovacuum worker processes now do the same, as well.

  In cases where user-provided functions are indirectly executed by these
  programs -- for example, user-provided functions in index expressions --
  the tighter search_path may result in errors, which will need to be
  corrected by adjusting those user-provided functions to not assume
  anything about what search path they are invoked under.  That has always
  been good practice, but now it will be necessary for correct behavior.
  (CVE-2018-1058)

- Details about other changes can be found at
  https://www.postgresql.org/docs/9.5/static/release-9-5-12.html

Date: 2018-03-01 16:05:13.639334+00:00
Changed-By: ChristianEhrhardt 
Signed-By: Ubuntu Archive Robot 

https://launchpad.net/ubuntu/+source/postgresql-9.5/9.5.12-0ubuntu0.16.04
Sorry, changesfile not available.-- 
Xenial-changes mailing list
Xenial-changes@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/xenial-changes

[ubuntu/xenial-security] mariadb-10.0 10.0.34-0ubuntu0.16.04.1 (Accepted)

2018-03-06 Thread Leonidas S. Barbosa 
mariadb-10.0 (10.0.34-0ubuntu0.16.04.1) xenial-security; urgency=high

  * SECURITY UPDATE: New upstream release 10.0.34. Includes fixes for
the following security vulnerabilities (LP: #1751920):
- CVE-2018-2668
- CVE-2018-2665
- CVE-2018-2640
- CVE-2018-2622
- CVE-2018-2612
- CVE-2018-2562
  * Update git-buildpackage Debian branch setting so gbp import-orig works
  * Update VCS-* links to point to the new source repository

Date: 2018-03-06 10:16:43.512382+00:00
Signed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/mariadb-10.0/10.0.34-0ubuntu0.16.04.1
Sorry, changesfile not available.-- 
Xenial-changes mailing list
Xenial-changes@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/xenial-changes

[ubuntu/xenial-updates] irssi 0.8.19-1ubuntu1.7 (Accepted)

2018-03-06 Thread Ubuntu Archive Robot 
irssi (0.8.19-1ubuntu1.7) xenial-security; urgency=medium

  * SECURITY UPDATE: Null pointer dereference
- debian/patches/CVE-2018-7050.patch: check if
  nick is Null in src/fe-common/core/chat-completion.c.
- CVE-2018-7050
  * SECURITY UPDATE: Certain nick names result in out-of-bounds
access
- debian/patches/CVE-2018-7051.patch: don't read beyond end of
  escaped string in src/fe-common/core/themes.c.
- CVE-2018-7051
  * SECURITY UPDATE: Null pointer dereference
- debian/patches/CVE-2018-7052.patch: check if window parent
  is Null in src/fe-text/mainwindows.c.
- CVE-2018-7052
  * SECURITY UPDATE: use-after-free
- debian/patches/CVE-2018-7053.patch: avoiding
  reuse sasl timeout in src/irc/core/sasl.c.
- CVE-2018-7073

Date: 2018-02-28 21:31:11.903557+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
Signed-By: Ubuntu Archive Robot 

https://launchpad.net/ubuntu/+source/irssi/0.8.19-1ubuntu1.7
Sorry, changesfile not available.-- 
Xenial-changes mailing list
Xenial-changes@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/xenial-changes

[ubuntu/xenial-security] python-django 1.8.7-1ubuntu5.6 (Accepted)

2018-03-06 Thread Marc Deslauriers 
python-django (1.8.7-1ubuntu5.6) xenial-security; urgency=medium

  * SECURITY UPDATE: DoS in urlize and urlizetrunc template filters
- debian/patches/CVE-2018-7536.patch: fix backtracking in
  django/utils/html.py, add test to tests/utils_tests/test_html.py.
- CVE-2018-7536
  * SECURITY UPDATE: DoS in truncatechars_html and truncatewords_html
template filters
- debian/patches/CVE-2018-7537.patch: fix backtracking in
  django/utils/text.py, add test to tests/utils_tests/test_text.py.
- CVE-2018-7537

Date: 2018-03-05 15:57:20.734539+00:00
Changed-By: Marc Deslauriers 
https://launchpad.net/ubuntu/+source/python-django/1.8.7-1ubuntu5.6
Sorry, changesfile not available.-- 
Xenial-changes mailing list
Xenial-changes@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/xenial-changes

[ubuntu/xenial-updates] mariadb-10.0 10.0.34-0ubuntu0.16.04.1 (Accepted)

2018-03-06 Thread Ubuntu Archive Robot 
mariadb-10.0 (10.0.34-0ubuntu0.16.04.1) xenial-security; urgency=high

  * SECURITY UPDATE: New upstream release 10.0.34. Includes fixes for
the following security vulnerabilities (LP: #1751920):
- CVE-2018-2668
- CVE-2018-2665
- CVE-2018-2640
- CVE-2018-2622
- CVE-2018-2612
- CVE-2018-2562
  * Update git-buildpackage Debian branch setting so gbp import-orig works
  * Update VCS-* links to point to the new source repository

Date: 2018-03-06 10:16:43.512382+00:00
Signed-By: Ubuntu Archive Robot 

https://launchpad.net/ubuntu/+source/mariadb-10.0/10.0.34-0ubuntu0.16.04.1
Sorry, changesfile not available.-- 
Xenial-changes mailing list
Xenial-changes@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/xenial-changes

[ubuntu/xenial-updates] python-django 1.8.7-1ubuntu5.6 (Accepted)

2018-03-06 Thread Ubuntu Archive Robot 
python-django (1.8.7-1ubuntu5.6) xenial-security; urgency=medium

  * SECURITY UPDATE: DoS in urlize and urlizetrunc template filters
- debian/patches/CVE-2018-7536.patch: fix backtracking in
  django/utils/html.py, add test to tests/utils_tests/test_html.py.
- CVE-2018-7536
  * SECURITY UPDATE: DoS in truncatechars_html and truncatewords_html
template filters
- debian/patches/CVE-2018-7537.patch: fix backtracking in
  django/utils/text.py, add test to tests/utils_tests/test_text.py.
- CVE-2018-7537

Date: 2018-03-05 15:57:20.734539+00:00
Changed-By: Marc Deslauriers 
Signed-By: Ubuntu Archive Robot 

https://launchpad.net/ubuntu/+source/python-django/1.8.7-1ubuntu5.6
Sorry, changesfile not available.-- 
Xenial-changes mailing list
Xenial-changes@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/xenial-changes

[ubuntu/partner/xenial-proposed] google-cloud-sdk 191.0.0-0ubuntu1~16.04.0 (Accepted)

2018-03-06 Thread Łukasz 'sil2100' Zemczak 
google-cloud-sdk (191.0.0-0ubuntu1~16.04.0) xenial; urgency=medium

  * New upstream release

Date: Tue, 06 Mar 2018 09:03:21 +0100
Changed-By: Łukasz 'sil2100' Zemczak 
Maintainer: Canonical CPC Team 
https://launchpad.net/ubuntu/+source/google-cloud-sdk/191.0.0-0ubuntu1~16.04.0
Format: 1.8
Date: Tue, 06 Mar 2018 09:03:21 +0100
Source: google-cloud-sdk
Binary: google-cloud-sdk
Architecture: source
Version: 191.0.0-0ubuntu1~16.04.0
Distribution: xenial
Urgency: medium
Maintainer: Canonical CPC Team 
Changed-By: Łukasz 'sil2100' Zemczak 
Description:
 google-cloud-sdk - Google Cloud SDK for interacting with Google Cloud services.
Changes:
 google-cloud-sdk (191.0.0-0ubuntu1~16.04.0) xenial; urgency=medium
 .
   * New upstream release
Checksums-Sha1:
 30883387bef2d4ab72f36ae41b0ca64b6b5acdbf 1785 
google-cloud-sdk_191.0.0-0ubuntu1~16.04.0.dsc
 42ee5a01b6e9cfbb3d132a69105d1bd6b346e277 19623094 
google-cloud-sdk_191.0.0.orig.tar.gz
 93397e88ed20109fc40bff94d010beff126decf2 14904 
google-cloud-sdk_191.0.0-0ubuntu1~16.04.0.debian.tar.xz
 115ad407ba9c8567e2702b703b4172d6dad6b499 5882 
google-cloud-sdk_191.0.0-0ubuntu1~16.04.0_source.buildinfo
Checksums-Sha256:
 13e1e41667dbf388dffe1071ab1f962465e2b00511c985237f674431bc22dcd7 1785 
google-cloud-sdk_191.0.0-0ubuntu1~16.04.0.dsc
 74ec35155d3f70cedb90d651285c7b7ba8d2e7462e16f441140e93c0beab2a4f 19623094 
google-cloud-sdk_191.0.0.orig.tar.gz
 a87ba0a5bbf7a92b7e83e065de768fb84bab5394d84497a55f07c666b6db3054 14904 
google-cloud-sdk_191.0.0-0ubuntu1~16.04.0.debian.tar.xz
 c8e93e06da07cb031e22b9e7932df58614c7acb3d951805e1f3b1658043c5b9f 5882 
google-cloud-sdk_191.0.0-0ubuntu1~16.04.0_source.buildinfo
Files:
 97bf2c739df850692b240fe5650a6536 1785 partner/admin optional 
google-cloud-sdk_191.0.0-0ubuntu1~16.04.0.dsc
 81e45b005aeaea6c2c33254150676860 19623094 partner/admin optional 
google-cloud-sdk_191.0.0.orig.tar.gz
 fd448bfd4151b241b68a02cc6b1e152d 14904 partner/admin optional 
google-cloud-sdk_191.0.0-0ubuntu1~16.04.0.debian.tar.xz
 d058d50b6391b97000c17ba7389805d1 5882 partner/admin optional 
google-cloud-sdk_191.0.0-0ubuntu1~16.04.0_source.buildinfo
-- 
Xenial-changes mailing list
Xenial-changes@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/xenial-changes

[ubuntu/xenial-security] postgresql-9.5 9.5.12-0ubuntu0.16.04 (Accepted)

2018-03-06 Thread Leonidas S. Barbosa 
postgresql-9.5 (9.5.12-0ubuntu0.16.04) xenial-security; urgency=medium

  * New upstream release (LP: #1752271)
If you run an installation in which not all users are mutually
trusting, or if you maintain an application or extension that is
intended for use in arbitrary situations, it is strongly recommended
that you read the documentation changes described in the first changelog
entry below, and take suitable steps to ensure that your installation or
code is secure.

Also, the changes described in the second changelog entry below may
cause functions used in index expressions or materialized views to fail
during auto-analyze, or when reloading from a dump.  After upgrading,
monitor the server logs for such problems, and fix affected functions.

- Document how to configure installations and applications to guard
  against search-path-dependent trojan-horse attacks from other users

  Using a search_path setting that includes any schemas writable by a
  hostile user enables that user to capture control of queries and then
  run arbitrary SQL code with the permissions of the attacked user. While
  it is possible to write queries that are proof against such hijacking,
  it is notationally tedious, and it's very easy to overlook holes.
  Therefore, we now recommend configurations in which no untrusted schemas
  appear in one's search path.
  (CVE-2018-1058)

- Avoid use of insecure search_path settings in pg_dump and other client
  programs

  pg_dump, pg_upgrade, vacuumdb and other PostgreSQL-provided applications
  were themselves vulnerable to the type of hijacking described in the
  previous changelog entry; since these applications are commonly run by
  superusers, they present particularly attractive targets.  To make them
  secure whether or not the installation as a whole has been secured,
  modify them to include only the pg_catalog schema in their search_path
  settings. Autovacuum worker processes now do the same, as well.

  In cases where user-provided functions are indirectly executed by these
  programs -- for example, user-provided functions in index expressions --
  the tighter search_path may result in errors, which will need to be
  corrected by adjusting those user-provided functions to not assume
  anything about what search path they are invoked under.  That has always
  been good practice, but now it will be necessary for correct behavior.
  (CVE-2018-1058)

- Details about other changes can be found at
  https://www.postgresql.org/docs/9.5/static/release-9-5-12.html

Date: 2018-03-01 16:05:13.639334+00:00
Changed-By: ChristianEhrhardt 
Signed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/postgresql-9.5/9.5.12-0ubuntu0.16.04
Sorry, changesfile not available.-- 
Xenial-changes mailing list
Xenial-changes@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/xenial-changes

[ubuntu/xenial-security] irssi 0.8.19-1ubuntu1.7 (Accepted)

2018-03-06 Thread Leonidas S. Barbosa 
irssi (0.8.19-1ubuntu1.7) xenial-security; urgency=medium

  * SECURITY UPDATE: Null pointer dereference
- debian/patches/CVE-2018-7050.patch: check if
  nick is Null in src/fe-common/core/chat-completion.c.
- CVE-2018-7050
  * SECURITY UPDATE: Certain nick names result in out-of-bounds
access
- debian/patches/CVE-2018-7051.patch: don't read beyond end of
  escaped string in src/fe-common/core/themes.c.
- CVE-2018-7051
  * SECURITY UPDATE: Null pointer dereference
- debian/patches/CVE-2018-7052.patch: check if window parent
  is Null in src/fe-text/mainwindows.c.
- CVE-2018-7052
  * SECURITY UPDATE: use-after-free
- debian/patches/CVE-2018-7053.patch: avoiding
  reuse sasl timeout in src/irc/core/sasl.c.
- CVE-2018-7073

Date: 2018-02-28 21:31:11.903557+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/irssi/0.8.19-1ubuntu1.7
Sorry, changesfile not available.-- 
Xenial-changes mailing list
Xenial-changes@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/xenial-changes