[ubuntu/xenial-security] php7.0 7.0.33-0ubuntu0.16.04.11 (Accepted)
php7.0 (7.0.33-0ubuntu0.16.04.11) xenial-security; urgency=medium

  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2015-9253.patch: directly listen on socket, instead of duping it to STDIN in sapi/fpm/fpm/fpm_children.c, sapi/fpm/fpm_stdio.c, and added tests to sapi/fpm/tests/bug73342-nonblocking-stdio.phpt.
    - CVE-2015-9253
  * SECURITY UPDATE: Out of bounds read
    - debian/patches/CVE-2020-7059.patch: fix OOB read in php_strip_tags_ex in ext/standard/string.c and added test ext/standard/tests/file/bug79099.phpt.
    - CVE-2020-7059
  * SECURITY UPDATE: Buffer overflow
    - debian/patches/CVE-2020-7060.patch: fix adding a check function is_in_cp950_pua in ext/mbstring/libmbfl/filters/mbfilter_big5.c and added test ext/mbstring/tests/bug79037.phpt.
    - CVE-2020-7060

Date: 2020-02-17 11:49:14.937603+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/php7.0/7.0.33-0ubuntu0.16.04.11

Sorry, changesfile not available.
-- 
Xenial-changes mailing list
Xenial-changes@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/xenial-changes
[ubuntu/xenial-security] php7.0 7.0.33-0ubuntu0.16.04.12 (Accepted)
php7.0 (7.0.33-0ubuntu0.16.04.12) xenial-security; urgency=medium

  * SECURITY REGRESSION: fpm patch for CVE-2015-9253 caused an OOM regression
    - removing CVE-2015-9253.patch.

Date: 2020-02-19 14:26:14.939320+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/php7.0/7.0.33-0ubuntu0.16.04.12
[ubuntu/xenial-security] libarchive 3.1.2-11ubuntu0.16.04.8 (Accepted)
libarchive (3.1.2-11ubuntu0.16.04.8) xenial-security; urgency=medium

  * SECURITY UPDATE: Out-of-bounds read and Denial of service
    - debian/patches/CVE-2019-19221.patch: Bugfix and optimize archive_wstring_append_from_mbs() in libarchive/archive_string.c.
    - CVE-2019-19221

Date: 2020-02-20 19:30:16.767171+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/libarchive/3.1.2-11ubuntu0.16.04.8
[ubuntu/xenial-security] rake 10.5.0-2ubuntu0.1 (Accepted)
rake (10.5.0-2ubuntu0.1) xenial-security; urgency=medium

  * SECURITY UPDATE: OS command injection
    - debian/patches/CVE-2020-8130.patch: use File.open explicitly in lib/rake/file_list.rb.
    - CVE-2020-8130

Date: 2020-03-03 14:01:17.132248+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/rake/10.5.0-2ubuntu0.1
[ubuntu/xenial-security] icu 55.1-7ubuntu0.5 (Accepted)
icu (55.1-7ubuntu0.5) xenial-security; urgency=medium

  * SECURITY UPDATE: Integer Overflow
    - debian/patches/CVE-2020-10531.patch: adds an int32_t overflow check when calculating newLen in the doReplace function in source/common/unistr.cpp.
    - CVE-2020-10531

Date: 2020-03-16 19:25:24.884402+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/icu/55.1-7ubuntu0.5
[ubuntu/xenial-security] vim 2:7.4.1689-3ubuntu1.4 (Accepted)
vim (2:7.4.1689-3ubuntu1.4) xenial-security; urgency=medium

  * SECURITY UPDATE: Denial of service
    - debian/patches/upstream/patch-8.0.070*.patch: check the event for being out of range in src/fileio.c; set w_s pointer if w_buffer was NULL in src/ex_cmds.c.
    - CVE-2017-11109
  * SECURITY UPDATE: Integer overflow
    - debian/patches/upstream/patch-8.0.0377*.patch: check if allocated size is not too big in src/undo.c.
    - CVE-2017-6349
  * SECURITY UPDATE: Buffer overflow
    - debian/patches/upstream/patch-8.0.0378*.patch: check if allocated size is not too big in src/undo.c.
    - CVE-2017-6350

Date: 2020-03-18 20:02:39.669137+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/vim/2:7.4.1689-3ubuntu1.4
[ubuntu/xenial-security] libpam-krb5 4.7-2ubuntu0.1 (Accepted)
libpam-krb5 (4.7-2ubuntu0.1) xenial-security; urgency=medium

  * SECURITY UPDATE: One-byte buffer overflow
    - debian/patches/CVE-2020-10595.patch: checks prompts[i].reply->length boundaries in prompting.c.
    - CVE-2020-10595

Date: 2020-03-24 13:21:15.694454+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/libpam-krb5/4.7-2ubuntu0.1
[ubuntu/xenial-security] php7.0 7.0.33-0ubuntu0.16.04.14 (Accepted)
php7.0 (7.0.33-0ubuntu0.16.04.14) xenial-security; urgency=medium

  * SECURITY UPDATE: Null pointer dereference
    - debian/patches/CVE-2020-7062.patch: avoid null dereference in ext/session/session.c, ext/session/tests/bug79221.phpt.
    - CVE-2020-7062
  * SECURITY UPDATE: Lax permissions on files added to tar with Phar
    - debian/patches/CVE-2020-7063.patch: enforce correct permissions for files added to tar with Phar in ext/phar/phar_object.c, ext/phar/tests/bug79082.phpt, ext/phar/tests/test79082*.
    - CVE-2020-7063
  * SECURITY UPDATE: Read one byte of uninitialized memory
    - debian/patches/CVE-2020-7064.patch: check length in exif_process_TIFF_in_JPEG to avoid reading uninitialized memory in ext/exif/exif.c, ext/exif/tests/bug79282.phpt.
    - debian/patches/0001-Fix-test-bug79282.patch: fix test in ext/exif/tests/bug79282.phpt.
    - CVE-2020-7064
  * SECURITY UPDATE: Truncated URL due to \0
    - debian/patches/CVE-2020-7066.patch: check for get_headers not accepting \0 in ext/standard/url.c.
    - CVE-2020-7066

Date: 2020-04-09 15:43:14.331337+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/php7.0/7.0.33-0ubuntu0.16.04.14
[ubuntu/xenial-security] file-roller 3.16.5-0ubuntu1.4 (Accepted)
file-roller (3.16.5-0ubuntu1.4) xenial-security; urgency=medium

  * SECURITY UPDATE: Directory traversal
    - debian/patches/CVE-2020-11736.patch: do not follow external links when extracting files in src/fr-archive-libarchive.c.
    - CVE-2020-11736

Date: 2020-04-15 12:40:17.530402+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/file-roller/3.16.5-0ubuntu1.4
[ubuntu/xenial-security] python2.7 2.7.12-1ubuntu0~16.04.11 (Accepted)
python2.7 (2.7.12-1ubuntu0~16.04.11) xenial-security; urgency=medium

  * SECURITY UPDATE: CRLF injection
    - debian/patches/CVE-2019-18348.patch: disallow control characters in hostnames in http.client in Lib/httplib.py, Lib/test/test_urllib2.py.
    - CVE-2019-18348
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2020-8492.patch: fix the regex to prevent the regex denial of service in Lib/urllib2.py.
    - CVE-2020-8492

Date: 2020-04-17 16:34:15.418555+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/python2.7/2.7.12-1ubuntu0~16.04.11
[ubuntu/xenial-security] python3.5 3.5.2-2ubuntu0~16.04.10 (Accepted)
python3.5 (3.5.2-2ubuntu0~16.04.10) xenial-security; urgency=medium

  * SECURITY UPDATE: CRLF injection
    - debian/patches/CVE-2019-18348.patch: disallow control characters in hostnames in http.client in Lib/http/client.py, Lib/test/test_urllib.py.
    - CVE-2019-18348
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2020-8492.patch: fix the regex to prevent the regex denial of service in Lib/urllib/request.py.
    - CVE-2020-8492

Date: 2020-04-17 14:43:14.795137+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/python3.5/3.5.2-2ubuntu0~16.04.10
[ubuntu/xenial-security] mailman 1:2.1.20-1ubuntu0.4 (Accepted)
mailman (1:2.1.20-1ubuntu0.4) xenial-security; urgency=medium

  * SECURITY UPDATE: XSS vulnerability
    - debian/patches/93_CVE-2018-0618.patch: avoiding injections in Mailman/Gui/General.py, Mailman/Utils.py, Mailman/Gui/GUIBase.py.
    - CVE-2018-0618
  * SECURITY UPDATE: Arbitrary text injection
    - debian/patches/94_CVE-2018-13796.patch: check for injections in Mailmain/Utils.py.
    - CVE-2018-13796
  * SECURITY UPDATE: XSS vulnerability
    - debian/patches/CVE-2020-12137.diff: use .bin extension for scrubbed application/octet-stream files in Mailman/Handlers/Scrubber.py.
    - CVE-2020-12137

Date: 2020-04-28 18:42:14.869630+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/mailman/1:2.1.20-1ubuntu0.4
[ubuntu/xenial-security] mailman 1:2.1.20-1ubuntu0.5 (Accepted)
mailman (1:2.1.20-1ubuntu0.5) xenial-security; urgency=medium

  * SECURITY UPDATE: Arbitrary Content Injection
    - debian/patches/CVE-2020-12108.diff: removed safeusers variable that allows arbitrary content to be injected in Mailman/Cgi/options.py.
    - CVE-2020-12108

Date: 2020-05-07 13:23:38.779997+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/mailman/1:2.1.20-1ubuntu0.5
[ubuntu/xenial-security] libexif 0.6.21-2ubuntu0.2 (Accepted)
libexif (0.6.21-2ubuntu0.2) xenial-security; urgency=medium

  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2018-20030.patch: improve deep recursion detection in exif_data_load_data_content in libexif/exif-data.c.
    - CVE-2018-20030
  * SECURITY UPDATE: Dividing by zero vulnerability
    - debian/patches/CVE-2020-12767.patch: check if the d variable is not zero before using it in libexif/exif-entry.c.
    - CVE-2020-12767

Date: 2020-05-11 17:06:26.207311+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/libexif/0.6.21-2ubuntu0.2
[ubuntu/xenial-security] json-c 0.11-4ubuntu2.1 (Accepted)
json-c (0.11-4ubuntu2.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Integer overflows
    - debian/patches/CVE-2020-12762-*.patch: fix a series of integer overflows adding checks in linkhash.c, printbuf.c.
    - CVE-2020-12762

Date: 2020-05-12 14:12:26.384048+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/json-c/0.11-4ubuntu2.1
[ubuntu/xenial-security] exim4 4.86.2-2ubuntu2.6 (Accepted)
exim4 (4.86.2-2ubuntu2.6) xenial-security; urgency=medium

  * SECURITY UPDATE: Out-of-bounds read
    - debian/patches/CVE-2020-12783-*.patch: fix SPA authenticator, checking client-supplied data before using it in src/auths/spa.c, src/auths/spa-spa.c.
    - CVE-2020-12783

Date: 2020-05-14 15:36:29.242943+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/exim4/4.86.2-2ubuntu2.6
[ubuntu/xenial-security] php7.0 7.0.33-0ubuntu0.16.04.15 (Accepted)
php7.0 (7.0.33-0ubuntu0.16.04.15) xenial-security; urgency=medium

  * SECURITY UPDATE: Denial of service through oversized memory allocation
    - debian/patches/CVE-2019-11048.patch: changes types int to size_t in main/rfc1867.c.
    - CVE-2019-11048

Date: 2020-05-26 20:26:31.349281+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/php7.0/7.0.33-0ubuntu0.16.04.15
[ubuntu/xenial-security] json-c 0.11-4ubuntu2.6 (Accepted)
json-c (0.11-4ubuntu2.6) xenial-security; urgency=medium

  * SECURITY UPDATE: Integer overflows
    - debian/patches/CVE-2020-12762-*.patch: fix a series of integer overflows adding checks in linkhash.c, printbuf.c, test4.c, test4.expected; also adds the fix for the INT_MAX regression caused in update 0.11-4ubuntu2.1.
    - CVE-2020-12762

Date: 2020-05-25 15:08:13.988043+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/json-c/0.11-4ubuntu2.6
[ubuntu/xenial-security] flask 0.10.1-2ubuntu0.1 (Accepted)
flask (0.10.1-2ubuntu0.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2018-1000656.patch: fixing incorrect data encoding in flask/json.py, flask/testsuite/helpers.py, flask/wrappers.py.
    - CVE-2018-1000656

Date: 2020-06-01 13:12:13.658553+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/flask/0.10.1-2ubuntu0.1
[ubuntu/xenial-security] libjpeg-turbo 1.4.2-0ubuntu3.4 (Accepted)
libjpeg-turbo (1.4.2-0ubuntu3.4) xenial-security; urgency=medium

  * SECURITY UPDATE: Heap-based buffer over-read
    - debian/patches/CVE-2020-13790.patch: fix buf overrun caused by bad binary PPM in rdppm.c.
    - CVE-2020-13790

Date: 2020-06-05 15:19:29.923041+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/libjpeg-turbo/1.4.2-0ubuntu3.4
[ubuntu/xenial-security] fwupd 0.8.3-0ubuntu5.1 (Accepted)
fwupd (0.8.3-0ubuntu5.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Signature verification bypass
    - debian/patches/CVE-2020-10759.patch: validate that gpgme_op_verify_result() returned at least one signature in src/fu-keyring-gpg.c.
    - CVE-2020-10759

Date: 2020-06-10 11:48:22.057775+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/fwupd/0.8.3-0ubuntu5.1
[ubuntu/xenial-security] libexif 0.6.21-2ubuntu0.5 (Accepted)
libexif (0.6.21-2ubuntu0.5) xenial-security; urgency=medium

  * SECURITY UPDATE: Out of bounds read
    - debian/patches/CVE-2020-0093.patch: fix read buffer overflow making sure the number of bytes being copied from does not exceed the source buffer size in libexif/exif-data.c.
    - CVE-2020-0093
  * SECURITY UPDATE: Out of bounds read
    - debian/patches/CVE-2020-13112.patch: fix MakerNote tag size overflow check for a size overflow while reading tags in libexif/canon/exif-mnote-data-canon.c, libexif/fuji/exif/mnote-data-fuji.c, libexif/olympus/exif-mnote-data-olympus.c, libexif/pentax/exif-mnote-data-pentax.c.
    - CVE-2020-13112
  * SECURITY UPDATE: Possible crash and potential use-after-free
    - debian/patches/CVE-2020-13113.patch: ensures that an uninitialized pointer is not dereferenced later in the case where the number of components is 0 in libexif/canon/exif-mnote-data-canon.c, libexif/fuji/exif-mnote-data-fuji.c, libexif/olympus/exif-mnote-data-olympus.c, libexif/pentax/exif-mnote-data-pentax.
    - CVE-2020-13113
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2020-13114.patch: add a failsafe on the maximum number of Canon MakerNote subtags in libexif/canon/exif-mnote-data-canon.c.
    - CVE-2020-13114
  * SECURITY UPDATE: Out of bounds read
    - debian/patches/CVE-2020-0182.patch: fix a buffer read overflow in exif_entry_get_value in libexif/exif-entry.c.
    - CVE-2020-0182
  * SECURITY UPDATE: Integer overflow
    - debian/patches/CVE-2020-0198.patch: fix unsigned integer overflow in libexif/exif-data.c.
    - CVE-2020-0198

Date: 2020-06-10 17:28:15.735125+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/libexif/0.6.21-2ubuntu0.5
[ubuntu/xenial-security] mutt 1.5.24-1ubuntu0.3 (Accepted)
mutt (1.5.24-1ubuntu0.3) xenial-security; urgency=medium

  * SECURITY UPDATE: Man-in-the-middle attack
    - debian/patches/CVE-2020-14093.patch: prevent possible IMAP MITM via PREAUTH response in imap/imap.c.
    - CVE-2020-14093
  * SECURITY UPDATE: Connection even if the user rejects an expired intermediate certificate
    - debian/patches/CVE-2020-14154-1.patch: fix GnuTLS tls_verify_peers() checking in mutt_ssl_gnutls.c.
    - debian/patches/CVE-2020-14154-2.patch: Abort GnuTLS certificate if a cert in the chain is rejected in mutt_ssl_gnutls.c.
    - debian/patches/CVE-2020-14154-3.patch: fix GnuTLS interactive prompt short-circuiting in mutt_ssl_gnutls.c.
    - CVE-2020-14154

Date: 2020-06-19 14:22:16.736314+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/mutt/1.5.24-1ubuntu0.3
[ubuntu/xenial-security] curl 7.47.0-1ubuntu2.15 (Accepted)
curl (7.47.0-1ubuntu2.15) xenial-security; urgency=medium

  * SECURITY UPDATE: curl overwrite local file with -J
    - debian/patches/CVE-2020-8177.patch: -i is not OK if -J is used in src/tool_cb_hdr.c, src/tool_getparam.c.
    - CVE-2020-8177

Date: 2020-06-17 22:05:13.138206+00:00
Changed-By: Marc Deslauriers
Signed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/curl/7.47.0-1ubuntu2.15
[ubuntu/xenial-security] mutt 1.5.24-1ubuntu0.4 (Accepted)
mutt (1.5.24-1ubuntu0.4) xenial-security; urgency=medium

  * SECURITY UPDATE: Man-in-the-middle attack
    - debian/patches/CVE-2020-14954.patch: fix STARTTLS response injection attack clearing the CONNECTION input buffer in mutt_ssl_starttls() in mutt_socket.c, mutt_socket.h, mutt_ssl.c, mutt_ssl_gnutls.c.
    - CVE-2020-14954
  * Redoing patch CVE-2020-14154-1, which causes a possible regression (LP: #1884588)

Date: 2020-06-22 21:51:14.224893+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/mutt/1.5.24-1ubuntu0.4
[ubuntu/xenial-security] mailman 1:2.1.20-1ubuntu0.6 (Accepted)
mailman (1:2.1.20-1ubuntu0.6) xenial-security; urgency=medium

  * SECURITY UPDATE: Arbitrary Content Injection
    - debian/patches/CVE-2020-15011.diff: checks if the roster is private and, if so, logs the info in Mailman/Cgi/private.py.
    - CVE-2020-15011

Date: 2020-06-25 19:07:17.655621+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/mailman/1:2.1.20-1ubuntu0.6
[ubuntu/xenial-security] samba 2:4.3.11+dfsg-0ubuntu0.16.04.28 (Accepted)
samba (2:4.3.11+dfsg-0ubuntu0.16.04.28) xenial-security; urgency=medium

  * SECURITY UPDATE: Parsing and packing of NBT and DNS packets can consume excessive CPU
    - debian/patches/CVE-2020-10745-*.patch: multiple upstream patches to fix the issue.
    - CVE-2020-10745

Date: 2020-06-22 11:54:13.229589+00:00
Changed-By: Marc Deslauriers
Signed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/samba/2:4.3.11+dfsg-0ubuntu0.16.04.28
[ubuntu/xenial-security] python3.5 3.5.2-2ubuntu0~16.04.11 (Accepted)
python3.5 (3.5.2-2ubuntu0~16.04.11) xenial-security; urgency=medium

  * SECURITY UPDATE: Misleading information
    - debian/patches/CVE-2019-17514.patch: explain that the ordering of the result is system-dependent in Doc/library/glob.rst.
    - CVE-2019-17514
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2019-9674.patch: add pitfalls to zipfile module doc in Doc/library/zipfile.rst, Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst.
    - CVE-2019-9674
  * SECURITY UPDATE: Infinite loop
    - debian/patches/CVE-2019-20907.patch: avoid infinite loop in the tarfile module in Lib/tarfile.py, Lib/test/test_tarfile.py and add Lib/test/recursion.tar binary for test.
    - CVE-2019-20907
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2020-14422.patch: Resolve hash collisions for IPv4Interface and IPv6Interface in Lib/ipaddress.py, Lib/test/test_ipaddress.py.
    - CVE-2020-14422

Date: 2020-07-19 19:34:14.985131+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/python3.5/3.5.2-2ubuntu0~16.04.11
[ubuntu/xenial-security] python2.7 2.7.12-1ubuntu0~16.04.12 (Accepted)
python2.7 (2.7.12-1ubuntu0~16.04.12) xenial-security; urgency=medium

  * SECURITY UPDATE: Misleading information
    - debian/patches/CVE-2019-17514.patch: explain that the ordering of the result is system-dependent in Doc/library/glob.rst.
    - CVE-2019-17514
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2019-9674.patch: add pitfalls to zipfile module doc in Doc/library/zipfile.rst, Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst.
    - CVE-2019-9674
  * SECURITY UPDATE: Infinite loop
    - debian/patches/CVE-2019-20907.patch: avoid infinite loop in the tarfile module in Lib/tarfile.py, Lib/test/test_tarfile.py.
    - CVE-2019-20907

Date: 2020-07-21 16:02:18.284288+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/python2.7/2.7.12-1ubuntu0~16.04.12
[ubuntu/xenial-security] libssh 0.6.3-4.3ubuntu0.6 (Accepted)
libssh (0.6.3-4.3ubuntu0.6) xenial-security; urgency=medium

  * SECURITY UPDATE: NULL pointer dereference
    - debian/patches/CVE-2020-16135-*.patch: fix a NULL dereference checking the return of ssh_buffer_new() and added other checks in src/sftpservcer.c, src/buffer.c.
    - CVE-2020-16135

Date: 2020-08-03 16:19:15.518883+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/libssh/0.6.3-4.3ubuntu0.6
[ubuntu/xenial-security] nss 2:3.28.4-0ubuntu0.16.04.13 (Accepted)
nss (2:3.28.4-0ubuntu0.16.04.13) xenial-security; urgency=medium

  * SECURITY UPDATE: Side-channel attack
    - debian/patches/CVE-2020-12400-and-6829-*.patch: use constant-time P-384 and P-521 in nss/lib/freebl/ecl/ecl-priv.h, nss/lib/freebl/ecl/ecl.c, nss/lib/freebl/ecl/ecl_spec384r1.c, nss/lib/freebl/freebl_base.gypi, nss/lib/freebl/manifest.mn, nss/test/ec/ectest.sh.
    - CVE-2020-12400
    - CVE-2020-6829
  * SECURITY UPDATE: Timing attack mitigation bypass
    - debian/patches/CVE-2020-12401.patch: remove unnecessary scalar padding in nss/lib/freebl/ec.c.
    - CVE-2020-12401

Date: 2020-08-06 18:48:19.112785+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/nss/2:3.28.4-0ubuntu0.16.04.13
[ubuntu/xenial-security] net-snmp 5.7.3+dfsg-1ubuntu4.5 (Accepted)
net-snmp (5.7.3+dfsg-1ubuntu4.5) xenial-security; urgency=medium

  * SECURITY UPDATE: Elevation of privileges - symlink handling
    - debian/patches/CVE-2020-15861.patch: stop reading and writing the mib_indexes files in include/net-snmp/library/mib.h, include/net-snmp/library/parse.h, snmplib/mib.c, snmplib/parse.c.
    - CVE-2020-15861
  * SECURITY UPDATE: Elevation of privileges
    - debian/patches/CVE-2020-15862.patch: make the extend mib read-only by default in agent/mibgroup/agent/extend.c.
    - CVE-2020-15862

net-snmp (5.7.3+dfsg-1ubuntu4.4) xenial; urgency=medium

  * d/p/put-paranthesis-around-macros-which-are-expressions.patch:
    - put parentheses around macros which are expressions. (LP: #1843036)
  * d/p/fix-check-hr-filesys-autofs.patch:
    - On Linux getmntent() is available but getfsstat() is not. Hence remove #if HAVE_GETFSSTAT from around the HRFS_type check.

net-snmp (5.7.3+dfsg-1ubuntu4.3) xenial; urgency=medium

  * Skip autofs entries when calling statfs to prevent autofs being mounted on snmpd startup (LP: #1835818):
    - d/p/autofs-skip-autofs-entries.patch
    - d/p/autofs-fix-a-recently-introduced-bug.patch

Date: 2020-08-18 13:36:20.164499+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/net-snmp/5.7.3+dfsg-1ubuntu4.5
[ubuntu/xenial-security] nss 2:3.28.4-0ubuntu0.16.04.14 (Accepted)
nss (2:3.28.4-0ubuntu0.16.04.14) xenial-security; urgency=medium

  * SECURITY UPDATE: Out-of-bounds read
    - debian/patches/CVE-2020-12403-2.patch: fix incorrect call to ChaChaPoly1305 by PKCS11 in nss/lib/freebl/chacha20poly1305.c.
    - CVE-2020-12403

Date: 2020-08-21 19:11:19.756716+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/nss/2:3.28.4-0ubuntu0.16.04.14
[ubuntu/xenial-security] net-snmp 5.7.3+dfsg-1ubuntu4.6 (Accepted)
net-snmp (5.7.3+dfsg-1ubuntu4.6) xenial-security; urgency=medium

  * SECURITY REGRESSION: The update for CVE-2020-15862 making mib extend read-only caused nsExtendCacheTime to be not settable anymore (LP: #1892980)
    - debian/patches/CVE-2020-15862-bug1893465.patch: add -cacheTime and -execType flags to "extend" config directive in agent/mibgroup/agent/extend.c, man/snmpd.conf.5.def.

Date: 2020-08-31 14:10:21.556880+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/net-snmp/5.7.3+dfsg-1ubuntu4.6
[ubuntu/xenial-security] libdbi-perl 1.634-1ubuntu0.1 (Accepted)
libdbi-perl (1.634-1ubuntu0.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Memory corruption
    - debian/patches/CVE-2020-14392.patch: changes fix memory corruption in XS functions when Perl stack is reallocated in DBI.xs, Driver.xst.
    - CVE-2020-14392

Date: 2020-09-15 14:27:13.921831+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/libdbi-perl/1.634-1ubuntu0.1
[ubuntu/xenial-security] libproxy 0.4.11-5ubuntu1.1 (Accepted)
libproxy (0.4.11-5ubuntu1.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2020-25219.patch: rewrite url::recvline to be nonrecursive in libproxy/url.cpp.
    - CVE-2020-25219

Date: 2020-09-15 18:23:22.999314+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/libproxy/0.4.11-5ubuntu1.1
[ubuntu/xenial-security] shotwell 0.22.0+git20160108.r1.f2fb1f7-0ubuntu1.1 (Accepted)
shotwell (0.22.0+git20160108.r1.f2fb1f7-0ubuntu1.1) xenial-security; urgency=medium

  * SECURITY UPDATE: information disclosure vulnerability through plugins
    - debian/patches/CVE-2017-124.patch: uses HTTPS everywhere in plugins/shotwell-publishing-extras/TumblrPublishing.vala, plugins/shotwell-publishing-extras/YandexPublishing.vala, plugins/shotwell-publishing/PicasaPublishing.vala, plugins/shotwell-publishing/YouTubePublishing.vala.
    - CVE-2017-124

Date: 2017-08-04 13:31:14.574937+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/shotwell/0.22.0+git20160108.r1.f2fb1f7-0ubuntu1.1
[ubuntu/xenial-security] libgd2 2.1.1-4ubuntu0.16.04.7 (Accepted)
libgd2 (2.1.1-4ubuntu0.16.04.7) xenial-security; urgency=medium

  * SECURITY UPDATE: memory read vulnerability in GIF
    - debian/patches/CVE-2017-7890.patch: zeroing buffers to avoid information leak and adding test in src/gd_gif_in.c, tests/gif/CMakeLists.txt, tests/MakeModule.am, tests/gif/uninitialized_memory_read.c, tests/gif/unitialized_memory_read.gif.
    - CVE-2017-7890

Date: 2017-08-11 18:54:20.237246+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/libgd2/2.1.1-4ubuntu0.16.04.7
[ubuntu/xenial-security] strongswan 5.3.5-1ubuntu3.4 (Accepted)
strongswan (5.3.5-1ubuntu3.4) xenial-security; urgency=medium

  * SECURITY UPDATE: Fix RSA signature verification
    - debian/patches/CVE-2017-11185.patch: does some verifications in order to avoid null-pointer dereference in src/libstrongswan/gmp/gmp_rsa_public_key.c
    - CVE-2017-11185

Date: 2017-08-17 15:15:13.199699+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/strongswan/5.3.5-1ubuntu3.4
[ubuntu/xenial-security] cvs 2:1.12.13+real-15ubuntu0.1 (Accepted)
cvs (2:1.12.13+real-15ubuntu0.1) xenial-security; urgency=medium

  * SECURITY UPDATE: SSH command injection via -o
    - src/rsh-client.c: fix argument parsing
    - CVE-2017-12836

Date: 2017-08-17 19:14:13.380952+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/cvs/2:1.12.13+real-15ubuntu0.1
[ubuntu/xenial-security] augeas 1.4.0-0ubuntu1.1 (Accepted)
augeas (1.4.0-0ubuntu1.1) xenial-security; urgency=medium

  * SECURITY UPDATE: crash/memory corruption
    - debian/patches/CVE-2017-7555.patch: correctly handle trailing whitespace in src/pathx.c and add test in tests/test-xpath.c.
    - CVE-2017-7555

Date: 2017-08-18 16:37:14.597453+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/augeas/1.4.0-0ubuntu1.1
[ubuntu/xenial-security] texlive-base 2015.20160320-1ubuntu0.1 (Accepted)
texlive-base (2015.20160320-1ubuntu0.1) xenial-security; urgency=medium

  * SECURITY UPDATE: execute arbitrary commands
    - debian/patches/CVE-2016-10243.patch: fixes tex arbitrary code execution by removing mpost in texmf/web2c/texmf.cnf.
    - CVE-2016-10243

Date: 2017-08-21 19:29:13.864491+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/texlive-base/2015.20160320-1ubuntu0.1
[ubuntu/xenial-security] python-pysaml2 3.0.0-3ubuntu1.16.04.1 (Accepted)
python-pysaml2 (3.0.0-3ubuntu1.16.04.1) xenial-security; urgency=medium

  * SECURITY UPDATE: External Entity vulnerability
    - debian/patches/CVE-2016-10149.patch: fixes XXE issues in setupy.py, src/saml2/__init__.py, src/saml2/pack.py, src/saml2/soap.py, tests/test_03_saml2.py, tests/test_43_soap.py, tests/test_51_client.py.
    - CVE-2016-10149
  * Some tests fail in upstream test suite. Adding the corresponding fix.
    - debian/patches/fix-tests.patch

Date: 2017-08-23 14:24:22.155231+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/python-pysaml2/3.0.0-3ubuntu1.16.04.1
[ubuntu/xenial-security] ghostscript 9.18~dfsg~0-0ubuntu2.7 (Accepted)
ghostscript (9.18~dfsg~0-0ubuntu2.7) xenial-security; urgency=medium

  * SECURITY UPDATE: DoS via crafted files
    - debian/patches/CVE-2017-11714.patch: prevent relocating a freed object in psi/ztoken.c.
    - CVE-2017-11714
  * SECURITY UPDATE: DoS in Artifex Ghostscript
    - debian/patches/CVE-2017-9611.patch: bounds check pointer in base/ttinterp.c
    - CVE-2017-9611
  * SECURITY UPDATE: DoS in Artifex Ghostscript
    - debian/patches/CVE-2017-9612.patch: bounds check pointer in base/ttinterp.c
    - CVE-2017-9612
  * SECURITY UPDATE: DoS heap-based buffer over-read and crash
    - debian/patches/CVE-2017-9726.patch: bounds check zone pointer in base/ttinterp.c.
    - CVE-2017-9726
  * SECURITY UPDATE: DoS heap-based buffer over-read and crash
    - debian/patches/CVE-2017-9727.patch: make bounds check in base/gxttfb.c.
    - CVE-2017-9727
  * SECURITY UPDATE: DoS heap-based buffer over-read and crash
    - debian/patches/CVE-2017-9739.patch: bounds check in base/ttinterp.c.
    - CVE-2017-9739
  * SECURITY UPDATE: DoS heap-based buffer over-read and crash
    - debian/patches/CVE-2017-9835.patch: bounds check the array allocation methods in base/gsalloc.c.
    - CVE-2017-9835

Date: 2017-08-24 22:23:14.037979+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/ghostscript/9.18~dfsg~0-0ubuntu2.7
[ubuntu/xenial-security] pyjwt 1.3.0-1ubuntu0.1 (Accepted)
pyjwt (1.3.0-1ubuntu0.1) xenial-security; urgency=medium

  * SECURITY UPDATE: symmetric/asymmetric key confusion attacks
    - debian/patches/CVE-2017-11424.patch: Throw if key is a PKCS1 PEM-encoded public key in jwt/algorithms.py, tests/keys/testkey_pkcs1.pub.pem, tests/test_algorithms.py.
    - CVE-2017-11424

Date: 2017-08-29 18:37:17.524901+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/pyjwt/1.3.0-1ubuntu0.1
[ubuntu/xenial-security] defusedxml 0.4.1-2ubuntu0.16.04.1 (Accepted)
defusedxml (0.4.1-2ubuntu0.16.04.1) xenial-security; urgency=medium

  * No-change rebuild for xenial in support of recent python-pysaml2 security update.

Date: 2017-08-31 19:06:21.205991+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/defusedxml/0.4.1-2ubuntu0.16.04.1
[ubuntu/xenial-security] liblouis 2.6.4-2ubuntu0.1 (Accepted)
liblouis (2.6.4-2ubuntu0.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Illegal address access in getALine
    - debian/patches/CVE-2017-13738-and-2017-13744.patch: fix possible out-of-bounds write in liblouis/compileTranslationTable.c.
    - CVE-2017-13738
    - CVE-2017-13744
  * SECURITY UPDATE: heap-based buffer overflow
    - debian/patches/CVE-2017-13739-and-2017-13740-and-2017-13742.patch: fix buffer overflow when parsing malformed table in liblouis/compilerTranslationTable.c.
    - CVE-2017-13739
    - CVE-2017-13740
    - CVE-2017-13742

Date: 2017-08-31 21:19:12.905470+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/liblouis/2.6.4-2ubuntu0.1
[ubuntu/xenial-security] libgd2 2.1.1-4ubuntu0.16.04.8 (Accepted)
libgd2 (2.1.1-4ubuntu0.16.04.8) xenial-security; urgency=medium

  * SECURITY UPDATE: Double-free memory
    - debian/patches/CVE-2017-6362.patch: introduces a static helper to check failure or success in src/gd_png.c, and also adds tests in tests/png/CMakeLists.txt, tests/Makemodule.am, tests/png/bug00381_1.c, tests/png/bug00381_2.c.
    - CVE-2017-6362

Date: 2017-09-04 21:53:25.139864+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/libgd2/2.1.1-4ubuntu0.16.04.8
[ubuntu/xenial-security] gdk-pixbuf 2.32.2-1ubuntu1.3 (Accepted)
gdk-pixbuf (2.32.2-1ubuntu1.3) xenial-security; urgency=medium

  * SECURITY UPDATE: Integer overflow checks not enough
    - debian/patch/CVE-2017-2870.patch: checks for integer overflow in multiplication in gdk-pixbuf/io-tiff.c.
    - CVE-2017-2870
  * SECURITY UPDATE: exploitable heap overflow
    - debian/patches/CVE-2017-2862-part1.patch: Throw error when number of colour components is unsupported in gdk-pixbuf/io-jpeg.c.
    - debian/patches/CVE-2017-2862-part2.patch: restore grayscale support in gdk-pixbuf/io-jpeg.c
  * SECURITY UPDATE: context-dependent to cause DoS
    - debian/patches/CVE-2017-6311.patch: return an error when ICO didn't load in gdk-pixbuf/io-ico.c.
    - CVE-2017-6311

Date: 2017-09-14 18:02:53.064863+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/gdk-pixbuf/2.32.2-1ubuntu1.3
[ubuntu/xenial-security] emacs24 24.5+1-6ubuntu1.1 (Accepted)
emacs24 (24.5+1-6ubuntu1.1) xenial-security; urgency=medium

  * SECURITY UPDATE: arbitrary code execution
    - debian/patches/CVE-2017-14482.patch: Remove unsafe enriched mode translations in lisp/gnus/mm-view.el, lisp/textmodes/enriched.el.
    - CVE-2017-14482

Date: 2017-09-20 19:40:18.607264+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/emacs24/24.5+1-6ubuntu1.1
[ubuntu/xenial-security] libplist 1.12-3.1ubuntu0.16.04.1 (Accepted)
libplist (1.12-3.1ubuntu0.16.04.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Integer overflow
    - debian/patches/CVE-2017-7982.patch: fix integer overflow check in src/bplist.c.
    - CVE-2017-7982

Date: 2017-09-25 17:21:23.657290+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/libplist/1.12-3.1ubuntu0.16.04.1
[ubuntu/xenial-security] poppler 0.41.0-0ubuntu1.3 (Accepted)
poppler (0.41.0-0ubuntu1.3) xenial-security; urgency=medium

  * SECURITY UPDATE: Memory corruption - infinite loop
    - debian/patches/CVE-2017-14519.patch: fix infinite recursion in poppler/Gfx.cc, poppler/Gfx.h, poppler/GfxFont.cc, poppler/GfxFont.h
    - CVE-2017-14519

Date: 2017-09-29 16:12:21.346977+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/poppler/0.41.0-0ubuntu1.3
[ubuntu/xenial-security] poppler 0.41.0-0ubuntu1.4 (Accepted)
poppler (0.41.0-0ubuntu1.4) xenial-security; urgency=medium

  * SECURITY UPDATE: Floating point exception
    - debian/patches/CVE-2017-14518.patch: Fix divide by 0 on broken documents in splash/Splash.cc.
    - CVE-2017-14518
  * SECURITY UPDATE: Floating point exception
    - debian/patches/CVE-2017-14520.patch: don't try to scale if srcHeight or srcWidth is less than 1 in splash/Splash.cc.
    - CVE-2017-14520
  * SECURITY UPDATE: Floating point exception in ImageStream
    - debian/patches/CVE-2017-14617.patch: Fix crash in broken files in poppler/Stream.cc.
    - CVE-2017-14617
  * SECURITY UPDATE: NULL pointer dereference
    - debian/patches/CVE-2017-14926.patch: Fix crash on broken files in poppler/Annot.cc.
    - CVE-2017-14926
  * SECURITY UPDATE: NULL pointer dereference
    - debian/patches/CVE-2017-14928.patch: Fix crash on broken files in poppler/Annot.cc.
    - CVE-2017-14928
  * SECURITY UPDATE: Memory corruption
    - debian/patches/CVE-2017-14929.patch: Fix infinite recursion in poppler/Gfx.cc, poppler/GfxState.cc, poppler/GfxState.h.
    - CVE-2017-14929
  * SECURITY UPDATE: NULL pointer dereference
    - debian/patches/CVE-2017-14975.patch: fix crash in convertToType0 in fofi/FoFiType1C.cc.
    - CVE-2017-14975
  * SECURITY UPDATE: NULL pointer dereference
    - debian/patches/CVE-2017-14977.patch: fix NULL pointer dereference in fofi/FoFiTrueType.cc.
    - CVE-2017-14977
  * SECURITY UPDATE: Integer overflow and heap overflow
    - debian/patches/CVE-2017-9776.patch: fix malformed documents in poppler/JBIG2Stream.cc.
    - CVE-2017-9776

Date: 2017-10-04 15:39:39.777156+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/poppler/0.41.0-0ubuntu1.4
[ubuntu/xenial-security] icu 55.1-7ubuntu0.3 (Accepted)
icu (55.1-7ubuntu0.3) xenial-security; urgency=medium

  * SECURITY UPDATE: double free
    - debian/patches/CVE-2017-14952.patch: fixes double free in createMetaZoneMappings() in source/i18n/zonemeta.cpp.
    - CVE-2017-14952

Date: 2017-10-17 14:24:21.332586+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/icu/55.1-7ubuntu0.3
[ubuntu/xenial-security] python-werkzeug 0.10.4+dfsg1-1ubuntu1.1 (Accepted)
python-werkzeug (0.10.4+dfsg1-1ubuntu1.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Cross-site vulnerability in render_full function allows attackers to inject arbitrary script or HTML.
    - debian/patches/CVE-2016-10516.patch: in werkzeub/debug/tbtools.py.
    - CVE-2016-10516

Date: 2017-10-24 20:39:16.939098+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/python-werkzeug/0.10.4+dfsg1-1ubuntu1.1
[ubuntu/xenial-security] poppler 0.41.0-0ubuntu1.5 (Accepted)
poppler (0.41.0-0ubuntu1.5) xenial-security; urgency=medium

  * SECURITY UPDATE: pointer dereference can cause a DoS attack
    - debian/patches/CVE-2017-15565.patch: fix crash in broken files caused by a dereference pointer in poppler/CairoOutputDev.cc.
    - CVE-2017-15565

Date: 2017-10-26 15:25:14.954877+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/poppler/0.41.0-0ubuntu1.5
[ubuntu/xenial-security] perl 5.22.1-9ubuntu0.2 (Accepted)
perl (5.22.1-9ubuntu0.2) xenial-security; urgency=medium

  * SECURITY UPDATE: Buffer overflow via crafted regular expression
    - debian/patches/fixes/CVE-2017-12883.patch: fix crafted expression with invalid '\N{U+...}' escape in regcomp.c
    - CVE-2017-12883
  * SECURITY UPDATE: heap-based buffer overflow in S_regatom
    - debian/patches/fixes/CVE-2017-12837.patch: fix issue in regcomp.c
    - CVE-2017-12837

Date: 2017-11-10 15:16:26.509739+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/perl/5.22.1-9ubuntu0.2
[ubuntu/xenial-security] db5.3 5.3.28-11ubuntu0.1 (Accepted)
db5.3 (5.3.28-11ubuntu0.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Berkeley DB reads DB_CONFIG from cwd
    - debian/patches/CVE-2017-10140.patch in src/env/env_open.c.
    - CVE-2017-10140

Date: 2017-11-21 19:11:16.103922+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/db5.3/5.3.28-11ubuntu0.1
[ubuntu/xenial-security] python2.7 2.7.12-1ubuntu0~16.04.2 (Accepted)
python2.7 (2.7.12-1ubuntu0~16.04.2) xenial-security; urgency=medium

  * SECURITY UPDATE: integer overflow in the PyString_DecodeEscape function
    - debian/patches/CVE-2017-1000158.patch: fix this integer overflow in Objects/stringobject.c.
    - CVE-2017-1000158

Date: 2017-11-23 15:36:21.827544+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/python2.7/2.7.12-1ubuntu0~16.04.2
[ubuntu/xenial-security] python3.5 3.5.2-2ubuntu0~16.04.4 (Accepted)
python3.5 (3.5.2-2ubuntu0~16.04.4) xenial-security; urgency=medium

  * SECURITY UPDATE: integer overflow in the PyBytes_DecodeEscape function
    - debian/patches/CVE-2017-1000158.patch: fix this integer overflow in Objects/bytesobject.c.
    - CVE-2017-1000158

python3.5 (3.5.2-2ubuntu0~16.04.3) xenial; urgency=medium

  * Explicitly use the system python for byte compilation in postinst scripts. (LP: #1682934)

python3.5 (3.5.2-2ubuntu0~16.04.2) xenial; urgency=medium

  * SRU: LP: #1711724 Fix dict segfault. Issue #27945.

Date: 2017-11-28 16:16:15.929421+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/python3.5/3.5.2-2ubuntu0~16.04.4
[ubuntu/xenial-security] libxml2 2.9.3+dfsg1-1ubuntu0.4 (Accepted)
libxml2 (2.9.3+dfsg1-1ubuntu0.4) xenial-security; urgency=medium

  * SECURITY UPDATE: infinite recursion in parameter entities
    - CVE-2017-16932

Date: 2017-12-04 20:20:37.525232+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/libxml2/2.9.3+dfsg1-1ubuntu0.4
[ubuntu/xenial-security] rsync 3.1.1-3ubuntu1.1 (Accepted)
rsync (3.1.1-3ubuntu1.1) xenial-security; urgency=medium

  * SECURITY UPDATE: bypass intended access restrictions
    - debian/patches/CVE-2017-17433.patch: check fname in recv_files sooner in receiver.c.
    - CVE-2017-17433
  * SECURITY UPDATE: does not check for fnamecmp filenames and does not apply sanitize_paths
    - debian/patches/CVE-2017-17434-part1.patch: check daemon filter against fnamecmp in receiver.c.
    - debian/patches/CVE-2017-17434-part2.patch: sanitize xname in rsync.c.
    - CVE-2017-17434

Date: 2017-12-06 14:38:13.536164+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/rsync/3.1.1-3ubuntu1.1
[ubuntu/xenial-security] libxml2 2.9.3+dfsg1-1ubuntu0.5 (Accepted)
libxml2 (2.9.3+dfsg1-1ubuntu0.5) xenial-security; urgency=medium

  * SECURITY UPDATE: use-after-free in xmlXPathCompOpEvalPositionPredicate
    - debian/patches/CVE-2017-15412.patch: fix XPath stack frame logic in xpath.c.
    - CVE-2017-15412

Date: 2017-12-12 12:14:17.723415+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/libxml2/2.9.3+dfsg1-1ubuntu0.5
[ubuntu/xenial-security] apport 2.20.1-0ubuntu2.15 (Accepted)
apport (2.20.1-0ubuntu2.15) xenial-security; urgency=medium

  * REGRESSION UPDATE: Fix regression that caused a Traceback in the container support (LP: #1733366)
    - data/apport: add a second os.path.exists check to ensure we do not receive a Traceback in is_container_id() and add an exception handler in case either name space can not be found.

apport (2.20.1-0ubuntu2.14) xenial; urgency=medium

  * bin/apport-cli: read until instead of a single character when # of apport options is non-unique with a single character. Thanks to Chad Smith for the patch. (LP: #1722564)

Date: 2018-01-02 20:56:16.451348+00:00
Changed-By: Brian Murray
Maintainer: Martin Pitt
Signed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/apport/2.20.1-0ubuntu2.15
[ubuntu/xenial-security] ruby2.3 2.3.1-2~16.04.4 (Accepted)
ruby2.3 (2.3.1-2~16.04.4) xenial-security; urgency=medium

  * SECURITY UPDATE: command injection through Net::FTP
    - debian/patches/CVE-2017-17405.patch: fix command injection in lib/net/ftp.rb, test/net/ftp/test_ftp.rb.
    - CVE-2017-17405
  * Exclude some tests that fail in launchpad:
    - debian/patches/0090-Exclude-tests-that-fail-on-Ubuntu-builds.patch

Date: 2017-12-19 17:57:12.618046+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
Maintainer: Antonio Terceiro
https://launchpad.net/ubuntu/+source/ruby2.3/2.3.1-2~16.04.4
[ubuntu/xenial-security] poppler 0.41.0-0ubuntu1.6 (Accepted)
poppler (0.41.0-0ubuntu1.6) xenial-security; urgency=medium

  * SECURITY UPDATE: fails to validate boundaries in TextPool::addWord leading to overflow
    - debian/patches/CVE-2017-1000456.patch: fix crash in fuzzed file in poppler/TextOutputDev.cc.
    - CVE-2017-1000456
  * SECURITY UPDATE: has a heap-based buffer over-read vulnerability
    - debian/patches/CVE-2017-14976.patch: fix crash in broken files in fofi/FoFiType1C.cc.
    - CVE-2017-14976

Date: 2018-01-04 19:46:14.641594+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/poppler/0.41.0-0ubuntu1.6
[ubuntu/xenial-security] python-pysaml2 3.0.0-3ubuntu1.16.04.3 (Accepted)
python-pysaml2 (3.0.0-3ubuntu1.16.04.3) xenial-security; urgency=medium

  * SECURITY UPDATE: Any password can be used if optimizations are enabled
    - debian/patches/CVE-2017-1000433.patch: fixes authentication bypass due to optimizations in src/saml2/authn.py.
    - CVE-2017-1000433
  * Adding fix for test 41 response
    - debian/patches/fix-test-41-response.patch

Date: 2018-01-05 17:42:27.752551+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/python-pysaml2/3.0.0-3ubuntu1.16.04.3
[ubuntu/xenial-security] sssd 1.13.4-1ubuntu1.10 (Accepted)
sssd (1.13.4-1ubuntu1.10) xenial-security; urgency=medium

  * SECURITY UPDATE: unsanitized input
    - debian/patches/CVE-2017-12173.patch: sanitizes the input for sysdb searches by UPN/email, SID and UUID in src/db/sysdb_ops.c and adds test src/tests/sysdb-tests.c.
    - CVE-2017-12173

Date: 2018-01-08 17:06:12.951351+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/sssd/1.13.4-1ubuntu1.10
[ubuntu/xenial-security] ruby2.3 2.3.1-2~16.04.5 (Accepted)
ruby2.3 (2.3.1-2~16.04.5) xenial-security; urgency=medium

  * SECURITY UPDATE: possible command injection attacks through kernel#open
    - debian/patches/CVE-2017-17790.patch: fix uses of Kernel#open in lib/resolv.rb.
    - CVE-2017-17790
  * SECURITY UPDATE: possibly execute arbitrary commands via a crafted user name
    - debian/patches/CVE-2017-10784.patch: sanitize any type of logs in lib/webrick/httpstatus.rb, lib/webrick/log.rb and test/webrick/test_httpauth.rb.
    - CVE-2017-10784
  * SECURITY UPDATE: denial of service via a crafted string
    - debian/patches/CVE-2017-14033.patch: fix in ext/openssl/ossl_asn1.c.
    - CVE-2017-14033
  * SECURITY UPDATE: Arbitrary memory expose during a JSON.generate call
    - debian/patches/CVE-2017-14064.patch: fix this in ext/json/ext/generator/generator.c and ext/json/ext/generator/generator.h.

Date: 2018-01-09 18:57:14.199723+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
Maintainer: Antonio Terceiro
https://launchpad.net/ubuntu/+source/ruby2.3/2.3.1-2~16.04.5
[ubuntu/xenial-security] gdk-pixbuf 2.32.2-1ubuntu1.4 (Accepted)
gdk-pixbuf (2.32.2-1ubuntu1.4) xenial-security; urgency=medium

  * SECURITY UPDATE: Integer overflow in gif_get_lzw function
    - debian/patches/CVE-2017-1000422.patch: fix in gdk-pixbuf/io-gif.c.
    - CVE-2017-1000422
  * SECURITY UPDATE: DoS and integer overflow in io-ico.c
    - debian/patches/CVE-2017-6312.patch: fix potential integer overflow in gdk-pixbuf/io-ico.c.
    - CVE-2017-6312
  * SECURITY UPDATE: DoS and integer underflow in load_resources function
    - debian/patches/CVE-2017-6313.patch: protect against too short blocklen in gdk-pixbuf/io-icns.c.
    - CVE-2017-6313
  * SECURITY UPDATE: DoS (infinite loop)
    - debian/patches/CVE-2017-6314.patch: avoid overflow buffer size computation in gdk-pixbuf/io-tiff.c.
    - CVE-2017-6314

Date: 2018-01-12 12:54:17.791525+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/gdk-pixbuf/2.32.2-1ubuntu1.4
[ubuntu/xenial-security] mariadb-10.0 10.0.33-0ubuntu0.16.04.1 (Accepted)
mariadb-10.0 (10.0.33-0ubuntu0.16.04.1) xenial-security; urgency=high

  [ Otto Kekäläinen ]
  * SECURITY UPDATE: New upstream release 10.0.33. Includes fixes for the following security vulnerabilities (LP: #1740608):
    - CVE-2017-10378
    - CVE-2017-10268
    - MDEV-13819
  * Previous release 10.0.32 included fixes for
    - CVE-2017-10384
    - CVE-2017-10379
    - CVE-2017-10286
    - CVE-2017-3636
    - CVE-2017-3641
    - CVE-2017-3653
  * Remove InnoDB build failure fix applied upstream

Date: 2018-01-16 17:19:12.381208+00:00
Signed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/mariadb-10.0/10.0.33-0ubuntu0.16.04.1
[ubuntu/xenial-security] transmission 2.84-3ubuntu3.1 (Accepted)
transmission (2.84-3ubuntu3.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Remote attacker with arbitrary execute
    - debian/CVE-2018-5702.patch: mitigate dns rebinding attacks against daemon in libtransmission/quark.c, libtransmission/quark.h, libtransmission/rpc-server.c, libtransmission/rpc-server.h, libtransmission/session.c, libtransmission/transmission.h, libtransmission/web.c.
    - CVE-2018-5702

Date: 2018-01-16 15:51:27.543829+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/transmission/2.84-3ubuntu3.1
[ubuntu/xenial-security] rsync 3.1.1-3ubuntu1.2 (Accepted)
rsync (3.1.1-3ubuntu1.2) xenial-security; urgency=medium

  * SECURITY UPDATE: receive_xattr function does not check for '\0' character allowing denial of service attacks
    - debian/patches/CVE-2017-16548.patch: enforce trailing \0 when receiving xattr values in xattrs.c.
    - CVE-2017-16548
  * SECURITY UPDATE: Allows remote attacker to bypass argument
    - debian/patches/CVE-2018-5764.patch: Ignore --protect-args when already sent by client in options.c.
    - CVE-2018-5764

Date: 2018-01-18 20:59:16.348855+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/rsync/3.1.1-3ubuntu1.2
[ubuntu/xenial-security] libtasn1-6 4.7-3ubuntu0.16.04.3 (Accepted)
libtasn1-6 (4.7-3ubuntu0.16.04.3) xenial-security; urgency=medium

  * SECURITY UPDATE: NULL pointer dereference and DoS
    - debian/patches/CVE-2017-10790.patch: safer access to values read in /lib/parser_aux.c.
    - CVE-2017-10790
  * SECURITY UPDATE: Unlimited recursion leading to DoS attack
    - debian/patches/CVE-2018-6003.patch: restricts the levels of recursion to 3.
    - CVE-2018-6003

Date: 2018-01-25 15:33:23.463773+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/libtasn1-6/4.7-3ubuntu0.16.04.3
[ubuntu/xenial-security] ruby2.3 2.3.1-2~16.04.6 (Accepted)
ruby2.3 (2.3.1-2~16.04.6) xenial-security; urgency=medium

  * SECURITY UPDATE: fails to validate specification names
    - debian/patches/CVE-2017-0901-0902.patch: fix this.
    - CVE-2017-0901
  * SECURITY UPDATE: vulnerable to a DNS hijacking
    - debian/patches/CVE-2017-0901-0902.patch: fix this.
    - CVE-2017-0902
  * SECURITY UPDATE: possible remote code execution
    - debian/patches/CVE-2017-0903.patch: whitelist classes and symbols that are in Gem spec YAML in lib/rubygems.rb, lib/rubygens/config_file.rb, lib/rubygems/package.rb, lib/rubygems/package/old.rb, lib/rubygems/safe_yaml.rb, lib/rubygems/specification.rb.
    - CVE-2017-0903

Date: 2018-01-30 18:37:18.902031+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
Maintainer: Antonio Terceiro
https://launchpad.net/ubuntu/+source/ruby2.3/2.3.1-2~16.04.6
[ubuntu/xenial-security] curl 7.47.0-1ubuntu2.6 (Accepted)
curl (7.47.0-1ubuntu2.6) xenial-security; urgency=medium

  * SECURITY UPDATE: Out of bounds read in code handling HTTP/2
    - debian/patches/CVE-2018-105.patch: fix incorrect trailer buffer size in lib/http2.c.
    - CVE-2018-105
  * SECURITY UPDATE: leak authentication data
    - debian/patches/CVE-2018-107.patch: prevent custom authorization headers in redirects in lib/http.c, lib/url.c, lib/urldata.h, tests/data/Makefile.in, tests/data/test317, tests/data/test318.
    - CVE-2018-107

Date: 2018-01-29 20:04:12.440816+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/curl/7.47.0-1ubuntu2.6
[ubuntu/xenial-security] dovecot 1:2.2.22-1ubuntu2.6 (Accepted)
dovecot (1:2.2.22-1ubuntu2.6) xenial-security; urgency=medium
  * SECURITY UPDATE: Memory leak that can cause crash due to memory exhaustion
    - debian/patches/CVE-2017-15132.patch: fix memory leak in auth_client_request_abort() in src/lib-auth/auth-client-request.c.
    - debian/patches/CVE-2017-15132-additional.patch: remove request after abort in src/lib-auth/auth-client-request.c, src/lib-auth/auth-server-connection.c, src/lib-auth/auth-server-connection.h.
    - CVE-2017-15132
Date: 2018-01-31 16:31:13.118660+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/dovecot/1:2.2.22-1ubuntu2.6
[ubuntu/xenial-security] mailman 1:2.1.20-1ubuntu0.3 (Accepted)
mailman (1:2.1.20-1ubuntu0.3) xenial-security; urgency=medium
  * SECURITY UPDATE: Cross-site scripting vulnerability
    - debian/patches/CVE-2018-5950.patch: fix this in Mailman/Cgi/options.py.
    - CVE-2018-5950
Date: 2018-02-08 14:26:15.682624+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/mailman/1:2.1.20-1ubuntu0.3
[ubuntu/xenial-security] postgresql-9.5 9.5.11-0ubuntu0.16.04 (Accepted)
postgresql-9.5 (9.5.11-0ubuntu0.16.04) xenial-security; urgency=medium
  * New upstream release (LP: #1747676)
    - Ensure that all temporary files made by pg_upgrade are non-world-readable (CVE-2018-1053)
    - Details about other changes at full changelog: https://www.postgresql.org/docs/9.5/static/release-9-5-11.html
Date: 2018-02-08 15:42:34.823298+00:00
Changed-By: ChristianEhrhardt
Signed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/postgresql-9.5/9.5.11-0ubuntu0.16.04
[ubuntu/xenial-security] wavpack 4.75.2-2ubuntu0.1 (Accepted)
wavpack (4.75.2-2ubuntu0.1) xenial-security; urgency=medium
  * SECURITY UPDATE: Denial of service via crafted WV file
    - debian/patches/CVE-2016-10169.patch: fix in words.c.
    - CVE-2016-10169
Date: 2018-02-12 17:01:20.762231+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/wavpack/4.75.2-2ubuntu0.1
[ubuntu/xenial-security] libvorbis 1.3.5-3ubuntu0.1 (Accepted)
libvorbis (1.3.5-3ubuntu0.1) xenial-security; urgency=medium
  * SECURITY UPDATE: Remote code execution
    - debian/patches/CVE-2017-14632.patch: don't clear opb in lib/info.c.
    - CVE-2017-14632
  * SECURITY UPDATE: out-of-bounds array read
    - debian/patches/CVE-2017-14633.patch: don't allow for more than 256 channels in lib/info.c.
    - CVE-2017-14633
Date: 2018-02-13 17:17:29.628772+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/libvorbis/1.3.5-3ubuntu0.1
[ubuntu/xenial-security] twisted 16.0.0-1ubuntu0.2 (Accepted)
twisted (16.0.0-1ubuntu0.2) xenial-security; urgency=medium
  * SECURITY UPDATE: HTTProxy issue
    - debian/patches/CVE-2016-1000111.patch: fix implementation in twisted/web/twcgi.py and add some tests in twisted/web/test/test_cgi.py.
    - CVE-2016-1000111
Date: 2018-03-01 20:45:13.179936+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/twisted/16.0.0-1ubuntu0.2
[ubuntu/xenial-security] postgresql-9.5 9.5.12-0ubuntu0.16.04 (Accepted)
postgresql-9.5 (9.5.12-0ubuntu0.16.04) xenial-security; urgency=medium
  * New upstream release (LP: #1752271)
    If you run an installation in which not all users are mutually trusting, or if you maintain an application or extension that is intended for use in arbitrary situations, it is strongly recommended that you read the documentation changes described in the first changelog entry below, and take suitable steps to ensure that your installation or code is secure.
    Also, the changes described in the second changelog entry below may cause functions used in index expressions or materialized views to fail during auto-analyze, or when reloading from a dump. After upgrading, monitor the server logs for such problems, and fix affected functions.
    - Document how to configure installations and applications to guard against search-path-dependent trojan-horse attacks from other users
      Using a search_path setting that includes any schemas writable by a hostile user enables that user to capture control of queries and then run arbitrary SQL code with the permissions of the attacked user. While it is possible to write queries that are proof against such hijacking, it is notationally tedious, and it's very easy to overlook holes. Therefore, we now recommend configurations in which no untrusted schemas appear in one's search path. (CVE-2018-1058)
    - Avoid use of insecure search_path settings in pg_dump and other client programs
      pg_dump, pg_upgrade, vacuumdb and other PostgreSQL-provided applications were themselves vulnerable to the type of hijacking described in the previous changelog entry; since these applications are commonly run by superusers, they present particularly attractive targets. To make them secure whether or not the installation as a whole has been secured, modify them to include only the pg_catalog schema in their search_path settings. Autovacuum worker processes now do the same, as well.
      In cases where user-provided functions are indirectly executed by these programs -- for example, user-provided functions in index expressions -- the tighter search_path may result in errors, which will need to be corrected by adjusting those user-provided functions to not assume anything about what search path they are invoked under. That has always been good practice, but now it will be necessary for correct behavior. (CVE-2018-1058)
    - Details about other changes can be found at https://www.postgresql.org/docs/9.5/static/release-9-5-12.html
Date: 2018-03-01 16:05:13.639334+00:00
Changed-By: ChristianEhrhardt
Signed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/postgresql-9.5/9.5.12-0ubuntu0.16.04
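The search_path hardening that the postgresql-9.5 release note above recommends, written out as an added SQL example (this is not code from the changelog, the Ubuntu package or the PostgreSQL project). The database name appdb, the role appuser and the function f_norm are assumed names. The block shows the historical weak default beside the pinned setting, the per-function fix the note asks for on functions used in index expressions, and two catalog queries a DBA can run to audit which roles or databases still carry a search_path override.

```sql
-- Added example (not from the changelog or PostgreSQL). Assumed names:
-- database appdb, role appuser, function f_norm.

-- Weak: PostgreSQL's historical default. "$user" is resolved first, then the
-- shared public schema, in which any role may CREATE unless that is revoked.
-- A role that can create objects in public can shadow a function or operator
-- and have it run with the privileges of whoever resolves it.
--   search_path = "$user", public

-- 1. Stop ordinary users from creating objects in the shared schema.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- 2. Pin search_path so that only trusted schemas are consulted. pg_catalog
--    is always searched first implicitly; listing it makes that explicit.
ALTER DATABASE appdb SET search_path = pg_catalog, "$user";
ALTER ROLE appuser IN DATABASE appdb SET search_path = pg_catalog, "$user";

-- 3. Functions that pg_dump, pg_upgrade or autovacuum may invoke indirectly
--    (index expressions, materialized views) must not depend on the caller's
--    search_path: schema-qualify every reference and pin the function's own
--    path, with pg_temp last so temporary objects cannot take precedence.
CREATE OR REPLACE FUNCTION f_norm(text) RETURNS text
    LANGUAGE sql IMMUTABLE
    SET search_path = pg_catalog, pg_temp
AS $$ SELECT pg_catalog.lower(pg_catalog.btrim($1)); $$;

-- 4. Audit: which roles still carry a search_path override?
SELECT r.rolname, unnest(r.rolconfig) AS setting
FROM pg_catalog.pg_roles r
WHERE r.rolconfig IS NOT NULL
  AND array_to_string(r.rolconfig, ',') LIKE '%search_path%';

-- ... and which per-database (or per-role-in-database) settings do?
SELECT d.datname, unnest(s.setconfig) AS setting
FROM pg_catalog.pg_db_role_setting s
JOIN pg_catalog.pg_database d ON d.oid = s.setdatabase
WHERE array_to_string(s.setconfig, ',') LIKE '%search_path%';

-- 5. What the patched client programs now do for their own sessions: an
--    empty search_path, so every unqualified reference fails instead of
--    resolving into a writable schema.
SELECT pg_catalog.set_config('search_path', '', false);
```

Run steps 1 to 3 as a superuser or the owner of the objects involved. The audit queries in step 4 only surface overrides stored in the catalog; a search_path set in postgresql.conf still has to be checked there, and any entry that names a schema writable by untrusted roles is the condition the note describes.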
[ubuntu/xenial-security] irssi 0.8.19-1ubuntu1.7 (Accepted)
irssi (0.8.19-1ubuntu1.7) xenial-security; urgency=medium
  * SECURITY UPDATE: Null pointer dereference
    - debian/patches/CVE-2018-7050.patch: check if nick is Null in src/fe-common/core/chat-completion.c.
    - CVE-2018-7050
  * SECURITY UPDATE: Certain nick names result in out-of-bounds access
    - debian/patches/CVE-2018-7051.patch: don't read beyond end of escaped string in src/fe-common/core/themes.c.
    - CVE-2018-7051
  * SECURITY UPDATE: Null pointer dereference
    - debian/patches/CVE-2018-7052.patch: check if window parent is Null in src/fe-text/mainwindows.c.
    - CVE-2018-7052
  * SECURITY UPDATE: use-after-free
    - debian/patches/CVE-2018-7053.patch: avoid reusing the sasl timeout in src/irc/core/sasl.c.
    - CVE-2018-7073
Date: 2018-02-28 21:31:11.903557+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/irssi/0.8.19-1ubuntu1.7
[ubuntu/xenial-security] mariadb-10.0 10.0.34-0ubuntu0.16.04.1 (Accepted)
mariadb-10.0 (10.0.34-0ubuntu0.16.04.1) xenial-security; urgency=high
  * SECURITY UPDATE: New upstream release 10.0.34. Includes fixes for the following security vulnerabilities (LP: #1751920):
    - CVE-2018-2668
    - CVE-2018-2665
    - CVE-2018-2640
    - CVE-2018-2622
    - CVE-2018-2612
    - CVE-2018-2562
  * Update git-buildpackage Debian branch setting so gbp import-orig works
  * Update VCS-* links to point to the new source repository
Date: 2018-03-06 10:16:43.512382+00:00
Signed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/mariadb-10.0/10.0.34-0ubuntu0.16.04.1
[ubuntu/xenial-security] zsh 5.1.1-1ubuntu2.1 (Accepted)
zsh (5.1.1-1ubuntu2.1) xenial-security; urgency=medium
  * SECURITY UPDATE: undersized buffer
    - debian/patches/CVE-2016-10714.patch: Add extra byte to PATH_MAX in Src/Zle/compctl.c, Src/builtin.c, Src/compat.c, Src/exec.c, Src/glob.c, Src/hist.c, Src/utils.c.
    - CVE-2016-10714
  * SECURITY UPDATE: NULL dereference
    - debian/patches/CVE-2017-18205.patch: fix in Src/builtin.c, Test/B01cd.ztst.
    - CVE-2017-18205
  * SECURITY UPDATE: buffer overflow
    - debian/patches/CVE-2017-18206.patch: fix buffer overrun in xsymlinks in Src/utils.c.
    - CVE-2017-18206
  * SECURITY UPDATE: Crash while copying an empty hash table
    - debian/patches/CVE-2018-7549.patch: avoid crash on empty hash table in Src/params.c.
    - CVE-2018-7549
Date: 2018-03-07 14:40:18.423398+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/zsh/5.1.1-1ubuntu2.1
[ubuntu/xenial-security] apport 2.20.1-0ubuntu2.10 (Accepted)
apport (2.20.1-0ubuntu2.10) xenial-security; urgency=medium
  * SECURITY UPDATE: code execution through path traversal in .crash files (LP: #1700573)
    - apport/report.py, test/test_ui.py: fix traversal issue and add a test for that.
    - debian/apport.install, setup.py, xdg-mime/apport.xml: removes apport as a file handler for .crash files.
    Thanks to Brian Murray for the patch and Felix Wilhelm for discovering this.
    - CVE-2017-10708

apport (2.20.1-0ubuntu2.9) xenial; urgency=medium
  * test/test_signal_crashes.py: delete the test which uses an arbitrary unpredictable core file size.

apport (2.20.1-0ubuntu2.8) xenial; urgency=medium
  * test/test_signal_crashes.py: a ulimit of 1M bytes isn't enough to produce a core file anymore so bump it to 10M.

apport (2.20.1-0ubuntu2.7) xenial; urgency=medium
  * data/general-hooks/ubuntu.py: Modify how a duplicate signature is created for package installation failures. (LP: #1692127)

apport (2.20.1-0ubuntu2.6) xenial; urgency=medium
  * data/general/ubuntu.py: Collect a minimal version of /proc/cpuinfo in every report. (LP: #1673557)
  * data/general/ubuntu-gnome.py: The GNOME3 PPAs are no longer supported for 14.04 or 16.04 so set an UnreportableReason in those reports. (LP: #1689093)
  * test_backend_apt_dpkg.py: Move tests from Ubuntu 15.10 "wily" (which is EoL now) to 16.04 LTS "xenial". (LP: #1690437)

apport (2.20.1-0ubuntu2.5) xenial; urgency=medium
  * apport-gtk: Specify module version with GI imports to avoid warnings. Thanks Anatoly Techtonik. (LP: #1502173)
Date: 2017-07-17 22:36:14.907617+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
Maintainer: Martin Pitt
https://launchpad.net/ubuntu/+source/apport/2.20.1-0ubuntu2.10
[ubuntu/xenial-security] sharutils 1:4.15.2-1ubuntu0.1 (Accepted)
sharutils (1:4.15.2-1ubuntu0.1) xenial-security; urgency=medium
  * SECURITY UPDATE: Buffer overflow
    - debian/patches/CVE-2018-197.patch: fix in src/unshar.c.
    - CVE-2018-197
Date: 2018-03-22 10:58:28.013706+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/sharutils/1:4.15.2-1ubuntu0.1
[ubuntu/xenial-security] zsh 5.1.1-1ubuntu2.2 (Accepted)
zsh (5.1.1-1ubuntu2.2) xenial-security; urgency=medium
  * SECURITY UPDATE: stack-based buffer overflow
    - debian/patches/CVE-2018-1071.patch: check bounds when copying path in hashcmd() in Src/exec.c, Src/utils.c.
    - CVE-2018-1071
  * SECURITY UPDATE: buffer-overflow
    - debian/patches/CVE-2018-1083.patch: check bounds on PATH_MAX buffer in Src/Zle/compctl.c.
    - CVE-2018-1083
Date: 2018-03-26 17:48:32.165530+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/zsh/5.1.1-1ubuntu2.2
[ubuntu/xenial-security] ruby2.3 2.3.1-2~16.04.7 (Accepted)
ruby2.3 (2.3.1-2~16.04.7) xenial-security; urgency=medium
  * SECURITY UPDATE: Directory traversal
    - debian/patches/CVE-2018-173.patch: fix in lib/rubygems/package.rb.
    - CVE-2018-173
  * SECURITY UPDATE: Deserialization of untrusted data
    - debian/patches/CVE-2018-174.patch: fix in lib/rubygems/commands/owner_command.rb, test/rubygems/test_gem_commands_owner_command.rb.
    - CVE-2018-174
  * SECURITY UPDATE: Infinite loop
    - debian/patches/CVE-2018-175.patch: fix in lib/rubygems/package/tar_header.rb, test/rubygems/test_gem_package_tar_header.rb.
    - CVE-2018-175
  * SECURITY UPDATE: Improper verification of crypto signature
    - debian/patches/CVE-2018-176.patch: fix in lib/rubygems/package.rb, lib/rubygems/package/tar_writer.rb, test/rubygems/test_gem_package.rb.
    - CVE-2018-176
  * SECURITY UPDATE: Validation vulnerability
    - debian/patches/CVE-2018-177.patch: fix in lib/rubygems/specification.rb, test/rubygems/test_gem_specification.rb.
    - CVE-2018-177
  * SECURITY UPDATE: Cross site scripting
    - debian/patches/CVE-2018-178.patch: fix in lib/rubygems/server.rb.
    - CVE-2018-178
  * SECURITY UPDATE: Directory traversal
    - debian/patches/CVE-2018-179.patch: fix in lib/rubygems/package.rb.
    - CVE-2018-179
Date: 2018-04-04 16:38:13.611863+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
Maintainer: Antonio Terceiro
https://launchpad.net/ubuntu/+source/ruby2.3/2.3.1-2~16.04.7
[ubuntu/xenial-security] squirrelmail 2:1.4.23~svn20120406-2+deb8u2build0.16.04.1 (Accepted)
squirrelmail (2:1.4.23~svn20120406-2+deb8u2build0.16.04.1) xenial-security; urgency=medium
  * fake sync from Debian

squirrelmail (2:1.4.23~svn20120406-2+deb8u2) jessie-security; urgency=high
  * Non-maintainer upload by the Security Team.
  * Path traversal vulnerability (CVE-2018-8741)
    Directory traversal flaw in Deliver.class.php can allow a remote attacker to retrieve or delete arbitrary files. (Closes: #893202)
Date: 2018-04-10 12:28:13.599725+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
Maintainer: Jeroen van Wolffelaar
https://launchpad.net/ubuntu/+source/squirrelmail/2:1.4.23~svn20120406-2+deb8u2build0.16.04.1
[ubuntu/xenial-security] patch 2.7.5-1ubuntu0.16.04.1 (Accepted)
patch (2.7.5-1ubuntu0.16.04.1) xenial-security; urgency=medium
  * SECURITY UPDATE: Out-of-bounds access
    - debian/patches/CVE-2016-10713.patch: fix in src/pch.c.
    - CVE-2016-10713
  * SECURITY UPDATE: Input validation vulnerability
    - debian/patches/CVE-2018-1000156.patch: fix in src/pch.c, adding tests in Makefile.in, tests/ed-style.
    - debian/patches/0001-Fix-ed-style-test-failure.patch: fix test.
    - CVE-2018-1000156
  * SECURITY UPDATE: NULL pointer dereference
    - debian/patches/CVE-2018-6951.patch: fix in src/pch.c.
    - CVE-2018-6951
  * Adds dh_autoreconf to assure it will use the right automake, also adding dh_autoreconf as build-depend.
Date: 2018-04-10 13:51:21.591472+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/patch/2.7.5-1ubuntu0.16.04.1
[ubuntu/xenial-security] squirrelmail 2:1.4.23~svn20120406-2+deb8u2ubuntu0.16.04.2 (Accepted)
squirrelmail (2:1.4.23~svn20120406-2+deb8u2ubuntu0.16.04.2) xenial-security; urgency=medium
  [ Nishanth Aravamudan ]
  * Update to PHP7.0 dependencies (LP: #1566587).
Date: 2018-04-10 17:37:14.219586+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/squirrelmail/2:1.4.23~svn20120406-2+deb8u2ubuntu0.16.04.2
[ubuntu/xenial-security] squirrelmail 2:1.4.23~svn20120406-2+deb8u2ubuntu0.16.04.3 (Accepted)
squirrelmail (2:1.4.23~svn20120406-2+deb8u2ubuntu0.16.04.3) xenial-security; urgency=medium
  [ Nishanth Aravamudan ]
  * debian/patches/php7_remove_e_modifier_preg_replace: Remove use of deprecated /e modifier in preg_replace. Thanks to Thijs Kinkhorst. Closes LP: #1636333.
Date: 2018-04-11 17:31:13.785875+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/squirrelmail/2:1.4.23~svn20120406-2+deb8u2ubuntu0.16.04.3
[ubuntu/xenial-security] calibre 2.55.0+dfsg-1ubuntu0.2 (Accepted)
calibre (2.55.0+dfsg-1ubuntu0.2) xenial-security; urgency=medium
  * SECURITY UPDATE: JavaScript in a book can access local files using XMLHttpRequest (LP: #1758699).
    - fix-CVE-2016-10187.patch
    - CVE-2016-10187
  * SECURITY UPDATE: Malicious code execution when using CPickle instead of JSON.
    - fix-CVE-2018-7889.patch
    - CVE-2018-7889
Date: 2018-04-12 04:52:13.350865+00:00
Changed-By: Simon Quigley
Signed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/calibre/2.55.0+dfsg-1ubuntu0.2
[ubuntu/xenial-security] ruby2.3 2.3.1-2~16.04.9 (Accepted)
ruby2.3 (2.3.1-2~16.04.9) xenial-security; urgency=medium
  * SECURITY UPDATE: Directory traversal vulnerability
    - debian/patches/CVE-2018-6914.patch: fix in lib/tmpdir.rb, test/test_tempfile.rb.
    - CVE-2018-6914
  * SECURITY UPDATE: Buffer under-read
    - debian/patches/CVE-2018-8778.patch: fix in pack.c, test/ruby/test_pack.rb.
    - CVE-2018-8778
  * SECURITY UPDATE: Unintended socket
    - debian/patches/CVE-2018-8779.patch: fix in ext/socket/unixsocket.c, test/socket/test_unix.rb.
    - CVE-2018-8779
  * SECURITY UPDATE: Directory traversal
    - debian/patches/CVE-2018-8780.patch: fix in dir.c, test/ruby/test_dir.rb.
    - CVE-2018-8780
Date: 2018-04-13 19:00:16.829423+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
Maintainer: Antonio Terceiro
https://launchpad.net/ubuntu/+source/ruby2.3/2.3.1-2~16.04.9
[ubuntu/xenial-security] openssl 1.0.2g-1ubuntu4.12 (Accepted)
openssl (1.0.2g-1ubuntu4.12) xenial-security; urgency=medium
  * SECURITY UPDATE: Cache timing side channel
    - debian/patches/CVE-2018-0737.patch: ensure BN_mod_inverse and BN_mod_exp_mont get called with BN_FLG_CONSTTIME flag set in crypto/rsa/rsa_gen.c.
    - CVE-2018-0737
Date: 2018-04-18 19:20:14.934003+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/openssl/1.0.2g-1ubuntu4.12
[ubuntu/xenial-security] ghostscript 9.18~dfsg~0-0ubuntu2.8 (Accepted)
ghostscript (9.18~dfsg~0-0ubuntu2.8) xenial-security; urgency=medium
  * SECURITY UPDATE: Heap-based buffer overflow and application crash
    - debian/patches/CVE-2016-10317.patch: check max_height bounds in base/gxht_thresh.c, base/gxipixel.c.
    - CVE-2016-10317
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2018-10194.patch: avoid infinite number in devices/vector/gdevpdts.c.
    - CVE-2018-10194
Date: 2018-04-23 19:53:13.731408+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/ghostscript/9.18~dfsg~0-0ubuntu2.8
[ubuntu/xenial-security] libclamunrar 0.99-1ubuntu0.1 (Accepted)
libclamunrar (0.99-1ubuntu0.1) xenial-security; urgency=medium
  * SECURITY UPDATE: Arbitrary code execution issue
    - debian/patches/CVE-2012-6706.patch: prevent arbitrary code execution in libclamunrar/unrarvm.c.
    - CVE-2012-6706
  * Fix four other unaligned access patches as suggested by the package maintainer.
Date: 2018-05-02 15:28:17.823023+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/libclamunrar/0.99-1ubuntu0.1
[ubuntu/xenial-security] libraw 0.17.1-1ubuntu0.3 (Accepted)
libraw (0.17.1-1ubuntu0.3) xenial-security; urgency=medium
  * SECURITY UPDATE: Stack-based buffer overflow
    - debian/patches/CVE-2018-10528.patch: parser possible buffer overrun in src/libraw_cxx.cpp.
    - CVE-2018-10528
  * SECURITY UPDATE: Out-of-bounds read
    - debian/patches/CVE-2018-10529.patch: X3F property table list fix in src/libraw_cxx.cpp, internal/libraw_x3f.cpp.
    - CVE-2018-10529
Date: 2018-05-07 17:26:19.902823+00:00
Changed-By: leo.barb...@canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/libraw/0.17.1-1ubuntu0.3