[ubuntu/xenial-updates] postgresql-9.5 9.5.12-0ubuntu0.16.04 (Accepted)
postgresql-9.5 (9.5.12-0ubuntu0.16.04) xenial-security; urgency=medium * New upstream release (LP: #1752271) If you run an installation in which not all users are mutually trusting, or if you maintain an application or extension that is intended for use in arbitrary situations, it is strongly recommended that you read the documentation changes described in the first changelog entry below, and take suitable steps to ensure that your installation or code is secure. Also, the changes described in the second changelog entry below may cause functions used in index expressions or materialized views to fail during auto-analyze, or when reloading from a dump. After upgrading, monitor the server logs for such problems, and fix affected functions. - Document how to configure installations and applications to guard against search-path-dependent trojan-horse attacks from other users Using a search_path setting that includes any schemas writable by a hostile user enables that user to capture control of queries and then run arbitrary SQL code with the permissions of the attacked user. While it is possible to write queries that are proof against such hijacking, it is notationally tedious, and it's very easy to overlook holes. Therefore, we now recommend configurations in which no untrusted schemas appear in one's search path. (CVE-2018-1058) - Avoid use of insecure search_path settings in pg_dump and other client programs pg_dump, pg_upgrade, vacuumdb and other PostgreSQL-provided applications were themselves vulnerable to the type of hijacking described in the previous changelog entry; since these applications are commonly run by superusers, they present particularly attractive targets. To make them secure whether or not the installation as a whole has been secured, modify them to include only the pg_catalog schema in their search_path settings. Autovacuum worker processes now do the same, as well. In cases where user-provided functions are indirectly executed by these programs -- for example, user-provided functions in index expressions -- the tighter search_path may result in errors, which will need to be corrected by adjusting those user-provided functions to not assume anything about what search path they are invoked under. That has always been good practice, but now it will be necessary for correct behavior. (CVE-2018-1058) - Details about other changes can be found at https://www.postgresql.org/docs/9.5/static/release-9-5-12.html Date: 2018-03-01 16:05:13.639334+00:00 Changed-By: ChristianEhrhardtSigned-By: Ubuntu Archive Robot https://launchpad.net/ubuntu/+source/postgresql-9.5/9.5.12-0ubuntu0.16.04 Sorry, changesfile not available.-- Xenial-changes mailing list Xenial-changes@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/xenial-changes
[ubuntu/xenial-security] mariadb-10.0 10.0.34-0ubuntu0.16.04.1 (Accepted)
mariadb-10.0 (10.0.34-0ubuntu0.16.04.1) xenial-security; urgency=high * SECURITY UPDATE: New upstream release 10.0.34. Includes fixes for the following security vulnerabilities (LP: #1751920): - CVE-2018-2668 - CVE-2018-2665 - CVE-2018-2640 - CVE-2018-2622 - CVE-2018-2612 - CVE-2018-2562 * Update git-buildpackage Debian branch setting so gbp import-orig works * Update VCS-* links to point to the new source repository Date: 2018-03-06 10:16:43.512382+00:00 Signed-By: leo.barb...@canonical.com (Leonidas S. Barbosa) https://launchpad.net/ubuntu/+source/mariadb-10.0/10.0.34-0ubuntu0.16.04.1 Sorry, changesfile not available.-- Xenial-changes mailing list Xenial-changes@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/xenial-changes
[ubuntu/xenial-updates] irssi 0.8.19-1ubuntu1.7 (Accepted)
irssi (0.8.19-1ubuntu1.7) xenial-security; urgency=medium * SECURITY UPDATE: Null pointer dereference - debian/patches/CVE-2018-7050.patch: check if nick is Null in src/fe-common/core/chat-completion.c. - CVE-2018-7050 * SECURITY UPDATE: Certain nick names result in out-of-bounds access - debian/patches/CVE-2018-7051.patch: don't read beyond end of escaped string in src/fe-common/core/themes.c. - CVE-2018-7051 * SECURITY UPDATE: Null pointer dereference - debian/patches/CVE-2018-7052.patch: check if window parent is Null in src/fe-text/mainwindows.c. - CVE-2018-7052 * SECURITY UPDATE: use-after-free - debian/patches/CVE-2018-7053.patch: avoiding reuse sasl timeout in src/irc/core/sasl.c. - CVE-2018-7073 Date: 2018-02-28 21:31:11.903557+00:00 Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa) Signed-By: Ubuntu Archive Robothttps://launchpad.net/ubuntu/+source/irssi/0.8.19-1ubuntu1.7 Sorry, changesfile not available.-- Xenial-changes mailing list Xenial-changes@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/xenial-changes
[ubuntu/xenial-security] python-django 1.8.7-1ubuntu5.6 (Accepted)
python-django (1.8.7-1ubuntu5.6) xenial-security; urgency=medium * SECURITY UPDATE: DoS in urlize and urlizetrunc template filters - debian/patches/CVE-2018-7536.patch: fix backtracking in django/utils/html.py, add test to tests/utils_tests/test_html.py. - CVE-2018-7536 * SECURITY UPDATE: DoS in truncatechars_html and truncatewords_html template filters - debian/patches/CVE-2018-7537.patch: fix backtracking in django/utils/text.py, add test to tests/utils_tests/test_text.py. - CVE-2018-7537 Date: 2018-03-05 15:57:20.734539+00:00 Changed-By: Marc Deslauriershttps://launchpad.net/ubuntu/+source/python-django/1.8.7-1ubuntu5.6 Sorry, changesfile not available.-- Xenial-changes mailing list Xenial-changes@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/xenial-changes
[ubuntu/xenial-updates] mariadb-10.0 10.0.34-0ubuntu0.16.04.1 (Accepted)
mariadb-10.0 (10.0.34-0ubuntu0.16.04.1) xenial-security; urgency=high * SECURITY UPDATE: New upstream release 10.0.34. Includes fixes for the following security vulnerabilities (LP: #1751920): - CVE-2018-2668 - CVE-2018-2665 - CVE-2018-2640 - CVE-2018-2622 - CVE-2018-2612 - CVE-2018-2562 * Update git-buildpackage Debian branch setting so gbp import-orig works * Update VCS-* links to point to the new source repository Date: 2018-03-06 10:16:43.512382+00:00 Signed-By: Ubuntu Archive Robothttps://launchpad.net/ubuntu/+source/mariadb-10.0/10.0.34-0ubuntu0.16.04.1 Sorry, changesfile not available.-- Xenial-changes mailing list Xenial-changes@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/xenial-changes
[ubuntu/xenial-updates] python-django 1.8.7-1ubuntu5.6 (Accepted)
python-django (1.8.7-1ubuntu5.6) xenial-security; urgency=medium * SECURITY UPDATE: DoS in urlize and urlizetrunc template filters - debian/patches/CVE-2018-7536.patch: fix backtracking in django/utils/html.py, add test to tests/utils_tests/test_html.py. - CVE-2018-7536 * SECURITY UPDATE: DoS in truncatechars_html and truncatewords_html template filters - debian/patches/CVE-2018-7537.patch: fix backtracking in django/utils/text.py, add test to tests/utils_tests/test_text.py. - CVE-2018-7537 Date: 2018-03-05 15:57:20.734539+00:00 Changed-By: Marc DeslauriersSigned-By: Ubuntu Archive Robot https://launchpad.net/ubuntu/+source/python-django/1.8.7-1ubuntu5.6 Sorry, changesfile not available.-- Xenial-changes mailing list Xenial-changes@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/xenial-changes
[ubuntu/partner/xenial-proposed] google-cloud-sdk 191.0.0-0ubuntu1~16.04.0 (Accepted)
google-cloud-sdk (191.0.0-0ubuntu1~16.04.0) xenial; urgency=medium * New upstream release Date: Tue, 06 Mar 2018 09:03:21 +0100 Changed-By: Łukasz 'sil2100' ZemczakMaintainer: Canonical CPC Team https://launchpad.net/ubuntu/+source/google-cloud-sdk/191.0.0-0ubuntu1~16.04.0 Format: 1.8 Date: Tue, 06 Mar 2018 09:03:21 +0100 Source: google-cloud-sdk Binary: google-cloud-sdk Architecture: source Version: 191.0.0-0ubuntu1~16.04.0 Distribution: xenial Urgency: medium Maintainer: Canonical CPC Team Changed-By: Łukasz 'sil2100' Zemczak Description: google-cloud-sdk - Google Cloud SDK for interacting with Google Cloud services. Changes: google-cloud-sdk (191.0.0-0ubuntu1~16.04.0) xenial; urgency=medium . * New upstream release Checksums-Sha1: 30883387bef2d4ab72f36ae41b0ca64b6b5acdbf 1785 google-cloud-sdk_191.0.0-0ubuntu1~16.04.0.dsc 42ee5a01b6e9cfbb3d132a69105d1bd6b346e277 19623094 google-cloud-sdk_191.0.0.orig.tar.gz 93397e88ed20109fc40bff94d010beff126decf2 14904 google-cloud-sdk_191.0.0-0ubuntu1~16.04.0.debian.tar.xz 115ad407ba9c8567e2702b703b4172d6dad6b499 5882 google-cloud-sdk_191.0.0-0ubuntu1~16.04.0_source.buildinfo Checksums-Sha256: 13e1e41667dbf388dffe1071ab1f962465e2b00511c985237f674431bc22dcd7 1785 google-cloud-sdk_191.0.0-0ubuntu1~16.04.0.dsc 74ec35155d3f70cedb90d651285c7b7ba8d2e7462e16f441140e93c0beab2a4f 19623094 google-cloud-sdk_191.0.0.orig.tar.gz a87ba0a5bbf7a92b7e83e065de768fb84bab5394d84497a55f07c666b6db3054 14904 google-cloud-sdk_191.0.0-0ubuntu1~16.04.0.debian.tar.xz c8e93e06da07cb031e22b9e7932df58614c7acb3d951805e1f3b1658043c5b9f 5882 google-cloud-sdk_191.0.0-0ubuntu1~16.04.0_source.buildinfo Files: 97bf2c739df850692b240fe5650a6536 1785 partner/admin optional google-cloud-sdk_191.0.0-0ubuntu1~16.04.0.dsc 81e45b005aeaea6c2c33254150676860 19623094 partner/admin optional google-cloud-sdk_191.0.0.orig.tar.gz fd448bfd4151b241b68a02cc6b1e152d 14904 partner/admin optional google-cloud-sdk_191.0.0-0ubuntu1~16.04.0.debian.tar.xz d058d50b6391b97000c17ba7389805d1 5882 partner/admin optional google-cloud-sdk_191.0.0-0ubuntu1~16.04.0_source.buildinfo -- Xenial-changes mailing list Xenial-changes@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/xenial-changes
[ubuntu/xenial-security] postgresql-9.5 9.5.12-0ubuntu0.16.04 (Accepted)
postgresql-9.5 (9.5.12-0ubuntu0.16.04) xenial-security; urgency=medium * New upstream release (LP: #1752271) If you run an installation in which not all users are mutually trusting, or if you maintain an application or extension that is intended for use in arbitrary situations, it is strongly recommended that you read the documentation changes described in the first changelog entry below, and take suitable steps to ensure that your installation or code is secure. Also, the changes described in the second changelog entry below may cause functions used in index expressions or materialized views to fail during auto-analyze, or when reloading from a dump. After upgrading, monitor the server logs for such problems, and fix affected functions. - Document how to configure installations and applications to guard against search-path-dependent trojan-horse attacks from other users Using a search_path setting that includes any schemas writable by a hostile user enables that user to capture control of queries and then run arbitrary SQL code with the permissions of the attacked user. While it is possible to write queries that are proof against such hijacking, it is notationally tedious, and it's very easy to overlook holes. Therefore, we now recommend configurations in which no untrusted schemas appear in one's search path. (CVE-2018-1058) - Avoid use of insecure search_path settings in pg_dump and other client programs pg_dump, pg_upgrade, vacuumdb and other PostgreSQL-provided applications were themselves vulnerable to the type of hijacking described in the previous changelog entry; since these applications are commonly run by superusers, they present particularly attractive targets. To make them secure whether or not the installation as a whole has been secured, modify them to include only the pg_catalog schema in their search_path settings. Autovacuum worker processes now do the same, as well. In cases where user-provided functions are indirectly executed by these programs -- for example, user-provided functions in index expressions -- the tighter search_path may result in errors, which will need to be corrected by adjusting those user-provided functions to not assume anything about what search path they are invoked under. That has always been good practice, but now it will be necessary for correct behavior. (CVE-2018-1058) - Details about other changes can be found at https://www.postgresql.org/docs/9.5/static/release-9-5-12.html Date: 2018-03-01 16:05:13.639334+00:00 Changed-By: ChristianEhrhardtSigned-By: leo.barb...@canonical.com (Leonidas S. Barbosa) https://launchpad.net/ubuntu/+source/postgresql-9.5/9.5.12-0ubuntu0.16.04 Sorry, changesfile not available.-- Xenial-changes mailing list Xenial-changes@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/xenial-changes
[ubuntu/xenial-security] irssi 0.8.19-1ubuntu1.7 (Accepted)
irssi (0.8.19-1ubuntu1.7) xenial-security; urgency=medium * SECURITY UPDATE: Null pointer dereference - debian/patches/CVE-2018-7050.patch: check if nick is Null in src/fe-common/core/chat-completion.c. - CVE-2018-7050 * SECURITY UPDATE: Certain nick names result in out-of-bounds access - debian/patches/CVE-2018-7051.patch: don't read beyond end of escaped string in src/fe-common/core/themes.c. - CVE-2018-7051 * SECURITY UPDATE: Null pointer dereference - debian/patches/CVE-2018-7052.patch: check if window parent is Null in src/fe-text/mainwindows.c. - CVE-2018-7052 * SECURITY UPDATE: use-after-free - debian/patches/CVE-2018-7053.patch: avoiding reuse sasl timeout in src/irc/core/sasl.c. - CVE-2018-7073 Date: 2018-02-28 21:31:11.903557+00:00 Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa) https://launchpad.net/ubuntu/+source/irssi/0.8.19-1ubuntu1.7 Sorry, changesfile not available.-- Xenial-changes mailing list Xenial-changes@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/xenial-changes