Debian Stretch Openstack images changelog 9.0.4-20170709 Updates in 1 source package(s), 4 binary package(s): Source bind9, binaries: libdns-export162:amd64 libisc-export160:amd64 libdns-export162:arm64 libisc-export160:arm64 bind9 (1:9.10.3.dfsg.P4-12.3+deb9u1) stretch-security; urgency=high * Non-maintainer upload by the Security Team. * debian/patches: - debian/patches/CVE-2017-3142+CVE-2017-3143 added, fix TSIG bypasses CVE-2017-3142: error in TSIG authentication can permit unauthorized zone transfers. An attacker may be able to circumvent TSIG authentication of AXFR and Notify requests. CVE-2017-3143: error in TSIG authentication can permit unauthorized dynamic updates. An attacker may be able to forge a valid TSIG or SIG(0) signature for a dynamic update. -- Steve McIntyre <93sam@debian.org> Mon, 10 Jul 2017 01:34:12 +0100 9.0.3-20170703 Updates in 3 source package(s), 6 binary package(s): Source libgcrypt20, binaries: libgcrypt20:amd64 libgcrypt20:arm64 libgcrypt20 (1.7.6-2+deb9u1) stretch-security; urgency=high * 31_CVE-2017-752*.patch from upstream 1.7.8 release: Mitigate a flush+reload side-channel attack on RSA secret keys dubbed "Sliding right into disaster". For details see . [CVE-2017-7526] Source linux, binaries: linux-image-4.9.0-3-amd64:amd64 linux-image-4.9.0-3-arm64:arm64 linux (4.9.30-2+deb9u2) stretch-security; urgency=high * Revert changes in version 4.9.30-2+deb9u1 (Closes: #865303) * mm: larger stack guard gap, between vmas (CVE-2017-1000364) * mm: fix new crash in unmapped_area_topdown() Source expat, binaries: libexpat1:amd64 libexpat1:arm64 expat (2.2.0-2+deb9u1) stretch-security; urgency=high * Replace the Mozilla CVE-2016-9063 fix with the more complete, upstream one. * Fix CVE-2017-9233: external entity infinite loop DoS. -- Steve McIntyre <93sam@debian.org> Mon, 03 Jul 2017 19:11:24 +0100 9.0.2-20170623 REBUILD OF 9.0.1-20170620 with build system fix Updates in 3 source package(s), 16 binary package(s): Source glibc, binaries: libc-bin:amd64 libc-l10n:amd64 libc6:amd64 locales:amd64 locales-all:amd64 multiarch-support:amd64 libc-bin:arm64 libc-l10n:arm64 libc6:arm64 locales:arm64 locales-all:arm64 multiarch-support:arm64 glibc (2.24-11+deb9u1) stretch-security; urgency=medium * debian/patches/any/local-CVE-2017-1000366-rtld-LD_AUDIT.diff, debian/patches/any/local-CVE-2017-1000366-rtld-LD_LIBRARY_PATH.diff, debian/patches/any/local-CVE-2017-1000366-rtld-LD_PRELOAD.diff: add patches to protect the dynamic linker against stack clashes (CVE-2017-1000366). * debian/patches/any/cvs-vectorized-strcspn-guards.diff: patch backported from upstream to allow usage of strcspn in ld.so. * debian/patches/any/cvs-hwcap-AT_SECURE.diff: patch backported from upstream to disable HWCAP for AT_SECURE programs. Source gnutls28, binaries: libgnutls30:amd64 libgnutls30:arm64 gnutls28 (3.5.8-5+deb9u1) stretch-security; urgency=high * 36_CVE-2017-7507_*.patch: Pulled from 3.5.13, fix crash upon receiving well-formed status_request extension. GNUTLS-SA-2017-4/CVE-2017-7507 Closes: #864560 * Upload is identical to 3.5.8-6 except for the version number. Source linux, binaries: linux-image-4.9.0-3-amd64:amd64 linux-image-4.9.0-3-arm64:arm64 linux (4.9.30-2+deb9u1) stretch-security; urgency=high * mm: enlarge stack guard gap (CVE-2017-1000364) * mm: allow to configure stack gap size * mm, proc: cap the stack gap for unpopulated growing vmas * mm, proc: drop priv parameter from is_stack * mm: do not collapse stack gap into THP * fold me "mm: allow to configure stack gap size" -- Steve McIntyre <93sam@debian.org> Fri, 23 Jun 2017 14:25:57 +0100 9.0.1-20170620 Updates in 3 source package(s), 16 binary package(s): Source glibc, binaries: libc-bin:amd64 libc-l10n:amd64 libc6:amd64 locales:amd64 locales-all:amd64 multiarch-support:amd64 libc-bin:arm64 libc-l10n:arm64 libc6:arm64 locales:arm64 locales-all:arm64 multiarch-support:arm64 glibc (2.24-11+deb9u1) stretch-security; urgency=medium * debian/patches/any/local-CVE-2017-1000366-rtld-LD_AUDIT.diff, debian/patches/any/local-CVE-2017-1000366-rtld-LD_LIBRARY_PATH.diff, debian/patches/any/local-CVE-2017-1000366-rtld-LD_PRELOAD.diff: add patches to protect the dynamic linker against stack clashes (CVE-2017-1000366). * debian/patches/any/cvs-vectorized-strcspn-guards.diff: patch backported from upstream to allow usage of strcspn in ld.so. * debian/patches/any/cvs-hwcap-AT_SECURE.diff: patch backported from upstream to disable HWCAP for AT_SECURE programs. Source gnutls28, binaries: libgnutls30:amd64 libgnutls30:arm64 gnutls28 (3.5.8-5+deb9u1) stretch-security; urgency=high * 36_CVE-2017-7507_*.patch: Pulled from 3.5.13, fix crash upon receiving well-formed status_request extension. GNUTLS-SA-2017-4/CVE-2017-7507 Closes: #864560 * Upload is identical to 3.5.8-6 except for the version number. Source linux, binaries: linux-image-4.9.0-3-amd64:amd64 linux-image-4.9.0-3-arm64:arm64 linux (4.9.30-2+deb9u1) stretch-security; urgency=high * mm: enlarge stack guard gap (CVE-2017-1000364) * mm: allow to configure stack gap size * mm, proc: cap the stack gap for unpopulated growing vmas * mm, proc: drop priv parameter from is_stack * mm: do not collapse stack gap into THP * fold me "mm: allow to configure stack gap size" -- Steve McIntyre <93sam@debian.org> Tue, 20 Jun 2017 20:57:28 +0100 9.0.0-20170617 First build for 9.0.0 release -- Steve McIntyre <93sam@debian.org> Sun, 18 Jun 2017 00:34:02 +0100