Debian Jessie Openstack images changelog

8.8.4-20170709

Updates in 1 source package(s), 4 binary package(s):

  Source bind9, binaries: libdns-export100:amd64 libirs-export91:amd64 libisc-export95:amd64 libisccfg-export90:amd64

  bind9 (1:9.9.5.dfsg-9+deb8u12) jessie-security; urgency=high

    * Non-maintainer upload by the Security Team.
    * Add patch to fix CVE-2017-3042 and CVE-2017-3043
      CVE-2017-3042: error in TSIG authentication can permit unauthorized
      zone transfers. An attacker may be able to circumvent TSIG
      authentication of AXFR and Notify requests.
      CVE-2017-3043: error in TSIG authentication can permit unauthorized
      dynamic updates. An attacker may be able to forge a valid TSIG or
      SIG(0) signature for a dynamic update.

 -- Steve McIntyre <93sam@debian.org>  Sun, 09 Jul 2017 23:00:58 +0100

8.8.3-20170703

Updates in 3 source package(s), 3 binary package(s):

  Source expat, binaries: libexpat1:amd64

  expat (2.1.0-6+deb8u4) jessie-security; urgency=high

    * Use upstream fix for the following vulnerabilities:
      - CVE-2017-9233, external entity infinite loop bug,
      - CVE-2016-9063, undefined behavior from signed integer overflow.

  Source linux, binaries: linux-image-3.16.0-4-amd64:amd64

  linux (3.16.43-2+deb8u2) jessie-security; urgency=high

    * Revert previous fixes for CVE-2017-1000364 (Closes: #865303)
    * mm: larger stack guard gap, between vmas (CVE-2017-1000364)
    * mm: fix new crash in unmapped_area_topdown()

  Source libgcrypt20, binaries: libgcrypt20:amd64

  libgcrypt20 (1.6.3-2+deb8u4) jessie-security; urgency=high

    * 22_CVE-2017-752*.patch from upstream 1.7.8 release: Mitigate a
      flush+reload side-channel attack on RSA secret keys dubbed "Sliding
      right into disaster". For details see .
      [CVE-2017-7526]

 -- Steve McIntyre <93sam@debian.org>  Mon, 03 Jul 2017 14:53:41 +0100

8.8.2-20170620

Updates in 9 source package(s), 14 binary package(s):

  Source glibc, binaries: libc-bin:amd64 libc6:amd64 locales:amd64 locales-all:amd64 multiarch-support:amd64

  glibc (2.19-18+deb8u10) jessie-security; urgency=medium

    * debian/patches/any/local-CVE-2017-1000366-rtld-LD_AUDIT.diff,
      debian/patches/any/local-CVE-2017-1000366-rtld-LD_LIBRARY_PATH.diff,
      debian/patches/any/local-CVE-2017-1000366-rtld-LD_PRELOAD.diff: add
      patches to protect the dynamic linker against stack clashes
      (CVE-2017-1000366).
    * debian/patches/any/cvs-hwcap-AT_SECURE.diff: patch backported from
      upstream to disable HWCAP for AT_SECURE programs.

  Source gnutls28, binaries: libgnutls-deb0-28:amd64 libgnutls-openssl27:amd64

  gnutls28 (3.3.8-6+deb8u6) jessie-security; urgency=high

    * 56_CVE-2017-7507_1-ext-status_request-ensure-response-IDs-are-pro.patch
      56_CVE-2017-7507_2-ext-status_request-Removed-the-parsing-of-resp.patch
      56_CVE-2017-7507_3-gnutls_ocsp_status_request_enable_client-docum.patch
      from upstream gnutls_3_3_x branch: Fix crash upon receiving
      well-formed status_request extension.
      GNUTLS-SA-2017-4/CVE-2017-7507
      Closes: #864560

  Source libffi, binaries: libffi6:amd64

  libffi (3.1-2+deb8u1) jessie-security; urgency=high

    * Non-maintainer upload by the Security Team.
    * debian/patches:
      - 01_add_missing_GNU_STACK_markings, fix requirement on an executable
        stack on x86_32 (CVE-2017-1000376) closes: #751907
    * debian/rules:
      - enable pax_emutramp

  Source sudo, binaries: sudo:amd64

  sudo (1.8.10p3-1+deb8u4) jessie-security; urgency=high

    * Non-maintainer upload by the Security Team.
    * CVE-2017-1000367: Fix parsing of /proc/[pid]/stat

  Source linux, binaries: linux-image-3.16.0-4-amd64:amd64

  linux (3.16.43-2+deb8u1) jessie-security; urgency=high

    [ Ben Hutchings ]
    * tracing: Use strlcpy() instead of strcpy() in __trace_find_cmdline()
      (CVE-2017-0605)
    * ipx: call ipxitf_put() in ioctl error path (CVE-2017-7487)
    * nfsd: check for oversized NFSv2/v3 arguments (CVE-2017-7645)
    * nfsd4: minor NFSv2/v3 write decoding cleanup
    * nfsd: stricter decoding of write-like NFSv2/v3 ops (CVE-2017-7895)
    * media: dvb-usb-v2: avoid use-after-free (CVE-2017-8064)
    * dccp/tcp: do not inherit mc_list from parent (CVE-2017-8890)
    * USB: serial: io_ti: fix information leak in completion handler
      (CVE-2017-8924)
    * USB: serial: omninet: fix reference leaks at open (CVE-2017-8925)
    * ipv6: Prevent overrun when parsing v6 header options (CVE-2017-9074)
    * ipv6: Check ip6_find_1stfragopt() return value properly.
    * ipv6: xfrm: Handle errors reported by xfrm6_find_1stfragopt()
    * ipv6: Fix leak in ipv6_gso_segment().
    * sctp: do not inherit ipv6_{mc|ac|fl}_list from parent (CVE-2017-9075)
    * ipv6/dccp: do not inherit ipv6_mc_list from parent (CVE-2017-9076,
      CVE-2017-9077)
    * ipv6: fix out of bound writes in __ip6_append_data() (CVE-2017-9242)

    [ Salvatore Bonaccorso ]
    * mm: enlarge stack guard gap (CVE-2017-1000364)
    * mm: allow to configure stack gap size
    * mm, proc: cap the stack gap for unpopulated growing vmas
    * mm: do not collapse stack gap into THP
    * fold me "mm: allow to configure stack gap size"

  Source libtasn1-6, binaries: libtasn1-6:amd64

  libtasn1-6 (4.2-3+deb8u3) jessie-security; urgency=high

    * Non-maintainer upload by the Wheezy LTS Team.
    * CVE-2017-6891 (Closes: #863186)
      two errors in the "asn1_find_node()" function (lib/parser_aux.c)
      can be exploited to cause a stacked-based buffer overflow.

  Source perl, binaries: perl-base:amd64

  Source libgcrypt20, binaries: libgcrypt20:amd64

  libgcrypt20 (1.6.3-2+deb8u3) jessie-security; urgency=high

    * Non-maintainer upload by the Security Team.
    * ecc: Store EdDSA session key in secure memory (CVE-2017-9526)
    * secmem: Fix SEGV and stat calculation

  Source debian-archive-keyring, binaries: debian-archive-keyring:amd64

  debian-archive-keyring (2017.5~deb8u1) jessie; urgency=medium

    * Team upload.
    * Update jessie with 2017.5, closes: #860831, 860830, 863303

  debian-archive-keyring (2017.5) unstable; urgency=medium

    * Team upload.
    * Add Debian Stable Release Key (9/stretch) (ID: EF0F382A1A7B6500)
      (Closes: #860831)
    * Add Debian Archive Automatic Signing Key (9/stretch)
      (ID: E0B11894F66AEC98) and Debian Security Archive Automatic Signing
      Key (9/stretch) (ID: EDA0D2388AE22BA9) (Closes: #860830)
    * Move the squeeze keys to the removed keyring (Closes: #863303)
    * Update the maintainer README to document removing keys

 -- Steve McIntyre <93sam@debian.org>  Tue, 20 Jun 2017 15:41:58 +0100

8.8.1-20170521

Updates in 2 source package(s), 6 binary package(s):

  Source bind9, binaries: libdns-export100:amd64 libirs-export91:amd64 libisc-export95:amd64 libisccfg-export90:amd64

  bind9 (1:9.9.5.dfsg-9+deb8u11) jessie-security; urgency=high

    * Non-maintainer upload by the Security Team.
    * Dns64 with "break-dnssec yes;" can result in a assertion failure.
      (CVE-2017-3136) (Closes: #860224)
    * Prerequisite for CVE-2017-3137 cherry-picked from upstream change
      #4190. If not cherry-picking this change the fix for CVE-2017-3137
      can cause an assertion failure to appear in name.c.
    * Some chaining (CNAME or DNAME) responses to upstream queries could
      trigger assertion failures (CVE-2017-3137) (Closes: #860225)
    * Reimplement: Some chaining (CNAME or DNAME) responses to upstream
      queries could trigger assertion failures. (CVE-2017-3137)
    * Fix regression introduced when handling CNAME to referral below the
      current domain
    * 'rndc ""' could trigger a assertion failure in named.
      (CVE-2017-3138) (Closes: #860226)

  Source shadow, binaries: login:amd64 passwd:amd64

  shadow (1:4.2-3+deb8u4) jessie-security; urgency=high

    * Non-maintainer upload by the Security Team.
    * Reset pid_child only if waitpid was successful. This is a regression
      fix for CVE-2017-2616. If su receives a signal like SIGTERM, it is
      not propagated to the child. (Closes: #862806)

 -- Steve McIntyre <93sam@debian.org>  Sun, 21 May 2017 23:15:17 +0100

8.8.0-20170506

First build for 8.8.0 point release

 -- Steve McIntyre <93sam@debian.org>  Sun, 07 May 2017 22:35:52 +0100