Debian Jessie Openstack images changelog 8.11.4-20180929 Updates in 4 source package(s), 12 binary package(s): Source openssh, binaries: openssh-client:amd64 openssh-server:amd64 openssh-sftp-server:amd64 openssh (1:6.7p1-5+deb8u7) jessie-security; urgency=medium * Add debian/patches/CVE-2016-1908-3.patch: client_x11_get_proto: check if an invalid DISPLAY is NULL to avoid an ugly message. (Closes: #908652) openssh (1:6.7p1-5+deb8u6) jessie-security; urgency=medium * Fix CVE-2015-5352: Reject X11 connections after hard-coded Xauth cookie expiration time of 1200 seconds. (Closes: #790798) * CVE-2015-5600: MaxAuthTries limit bypass via duplicates in KbdInteractiveDevices - Add debian/patches/CVE-2015-5600-2.patch: initialize struct field (Closes: #793616) * CVE-2015-6563: Privilege separation weakness in PAM support (Closes: #795711) * CVE-2015-6564: use-after-free in PAM support * CVE-2016-10009: Untrusted search path vulnerability in ssh-agent.c in ssh-agent allows remote attackers to execute arbitrary local PKCS#11 modules by leveraging control over a forwarded agent-socket. * CVE-2016-10011: Possible local information disclosure by the effects of realloc on buffer contents (Closes: #848716) - add split-allocation-out-of-sshbuf_reserve.patch, required to address the issue. * CVE-2016-10012: Lack of bounds check in the shared memory manager that could lead to local privilege escalation (Closes: #848717) * CVE-2016-10708: privsep process chrashing via an out-of-sequence NEWKEYS message * CVE-2016-1908: mishandling failed cookie generation for untrusted X11 forwarding * CVE-2016-3115: shell-command restrictions bypass via crafted X11 forwarding data * CVE-2016-6515: not limit password lengths for password authentication that may be used to DoS via crypt CPU consumption * CVE-2017-15906: sftp-server.c flaw at handling zero-length files. Source libxml2, binaries: libxml2:amd64 libxml2 (2.9.1+dfsg1-5+deb8u7) jessie-security; urgency=high * Non-maintainer upload by the LTS Team. * CVE-2018-14404 Fix of a NULL pointer dereference which might result in a crash and thus in a denial of service. * CVE-2018-14567 and CVE-2018-9251 Approvement in LZMA error handling which prevents an infinite loop. * CVE-2017-18258 Limit available memory to 100MB to avoid exhaustive memory consumption by malicious files. Source python3.4, binaries: libpython3.4-minimal:amd64 libpython3.4-stdlib:amd64 python3.4:amd64 python3.4-minimal:amd64 python3.4 (3.4.2-1+deb8u1) jessie-security; urgency=medium * Non-maintainer upload by the LTS Security Team. * CVE-2018-1000802: fix command injection in shutil module * CVE-2017-1000158: fix integer overflow and possible arbitrary code execution in the PyString_DecodeEscape function * CVE-2018-1060 and CVE-2018-1061: fix REDOS vulnerabilities in poplib and difflib modules Source python2.7, binaries: libpython2.7-minimal:amd64 libpython2.7-stdlib:amd64 python2.7:amd64 python2.7-minimal:amd64 python2.7 (2.7.9-2+deb8u2) jessie-security; urgency=medium * Non-maintainer upload by the LTS Security Team. * CVE-2018-1000802: fix command injection in shutil module * CVE-2017-1000158: fix integer overflow and possible arbitrary code execution in the PyString_DecodeEscape function * CVE-2018-1060 and CVE-2018-1061: fix REDOS vulnerabilities in poplib and difflib modules -- Steve McIntyre <93sam@debian.org> Sun, 30 Sep 2018 20:37:57 +0100 8.11.3-20180831 Updates in 2 source package(s), 7 binary package(s): Source openssh, binaries: openssh-client:amd64 openssh-server:amd64 openssh-sftp-server:amd64 openssh (1:6.7p1-5+deb8u5) jessie-security; urgency=high * CVE-2018-15473: Prevent a user enumeration vulnerability by delaying the bailout for invalid authenticating users until after the packet containing the request has been fully parsed. (closes: #906236) Source bind9, binaries: libdns-export100:amd64 libirs-export91:amd64 libisc-export95:amd64 libisccfg-export90:amd64 bind9 (1:9.9.5.dfsg-9+deb8u16) jessie-security; urgency=high * Non-maintainer upload by the LTS Team. * CVE-2018-5740 The "deny-answer-aliases" feature in BIND has a flaw which can cause named to exit with an assertion failure. -- Steve McIntyre <93sam@debian.org> Fri, 31 Aug 2018 17:26:01 +0100 8.11.2-20180729 Updates in 4 source package(s), 5 binary package(s): Source linux, binaries: linux-image-3.16.0-6-amd64:amd64 linux (3.16.57-2) jessie-security; urgency=high * mmc/host: Ignore ABI changes (fixes FTBFS on armhf) linux (3.16.57-1) jessie-security; urgency=high * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.57 - cifs: empty TargetInfo leads to crash on recovery (CVE-2018-1066) - ext4: add validity checks for bitmap block numbers (CVE-2018-1093) - ext4: fix bitmap position validation - dccp: check sk for closed state in dccp_sendmsg() (CVE-2018-1130) - cdrom: information leak in cdrom_ioctl_media_changed() (CVE-2018-10940) - [x86] cpu: Update CPU model names - [x86] Add support for speculation control: + x86/cpufeatures: Add Intel feature bits for Speculation Control + x86/cpufeatures: Add AMD feature bits for Speculation Control + x86/msr: Add definitions for new speculation control MSRs - [x86] Update mitigation for Meltdown (CVE-2017-5754): + x86/pti: Do not enable PTI on CPUs which are not vulnerable to Meltdown + x86/pti: Mark constant arrays as __initconst - [x86] Add support for microcode-based mitigation of Spectre v2 (CVE-2017-5715): + x86/cpufeature: Blacklist SPEC_CTRL/PRED_CMD on early Spectre v2 microcodes + x86/speculation: Add basic IBPB (Indirect Branch Prediction Barrier) support + x86/cpufeatures: Clean up Spectre v2 related CPUID flags + x86/cpuid: Fix up "virtual" IBRS/IBPB/STIBP feature bits on Intel + x86/speculation: Use IBRS if available before calling into firmware + KVM: nVMX: mark vmcs12 pages dirty on L2 exit + KVM: nVMX: Eliminate vmcs02 pool + KVM: VMX: introduce alloc_loaded_vmcs + KVM: VMX: make MSR bitmaps per-VCPU + KVM/x86: Add IBPB support + KVM/VMX: Emulate MSR_IA32_ARCH_CAPABILITIES + KVM/VMX: Allow direct access to MSR_IA32_SPEC_CTRL + KVM/SVM: Allow direct access to MSR_IA32_SPEC_CTRL + KVM/x86: Remove indirect MSR op calls from SPEC_CTRL + x86/speculation: Move firmware_restrict_branch_speculation_*() from C to CPP + KVM/VMX: Optimize vmx_vcpu_run() and svm_vcpu_run() by marking the RDMSR path as unlikely() + x86/speculation: Use Indirect Branch Prediction Barrier in context switch + x86/speculation: Update Speculation Control microcode blacklist + x86/speculation: Correct Speculation Control microcode blacklist again - [armhf] spi: sun6i: disable/unprepare clocks on remove - media: cpia2: Fix a couple off by one bugs - RDMA/iwpm: Fix uninitialized error code in iwpm_send_mapinfo() - USB: serial: io_edgeport: fix possible sleep-in-atomic - media: bt8xx: Fix err 'bt878_probe()' - ath9k_htc: Add a sanity check in ath9k_htc_ampdu_action() - RDMA/cma: Use correct size when writing netlink stats - pinctrl: Really force states during suspend/resume - net/mlx4_core: Cleanup FMR unmapping flow - PM / devfreq: Propagate error from devfreq_add_device() - scsi: aacraid: Fix udev inquiry race condition - pktcdvd: Fix pkt_setup_dev() error path - [armhf] spi: imx: do not access registers while clocks disabled - [armhf] wl1251: check return from call to wl1251_acx_arp_ip_filter - scsi: libsas: fix error when getting phy events - scsi: aacraid: remove redundant setting of variable c - usb: gadget: f_fs: Fix possibe deadlock - usb: f_fs: Prevent gadget unbind if it is already unbound - ext4: save error to disk in __ext4_grp_locked_error() - drm/radeon: Add dpm quirk for Jet PRO (v2) - [x86] gart: Exclude GART aperture from vmcore - mtd: nand: Fix nand_do_read_oob() return value - crypto: af_alg - whitelist mask and type - crypto: hash - introduce crypto_hash_alg_has_setkey() - crypto: cryptd - pass through absence of ->setkey() - crypto: hash - annotate algorithms taking optional key - crypto: hash - prevent using keyed hashes without setting key - NFS: Add a cond_resched() to nfs_commit_release_pages() - NFS: Fix 2 use after free issues in the I/O code - nfs/pnfs: fix nfs_direct_req ref leak when i/o falls back to the mds - console/dummy: leave .con_font_get set to NULL - IB/mlx4: Fix incorrectly releasing steerable UD QPs when have only ETH ports - hrtimer: Ensure POSIX compliance (relative CLOCK_REALTIME hrtimers) - USB: cdc-acm: Do not log urb submission errors on disconnect - uas: Log error codes when logging errors - usb: uas: unconditionally bring back host after reset - NFS: commit direct writes even if they fail partially - ubi: Fix race condition between ubi volume creation and udev - mtd: ubi: wl: Fix error return code in ubi_wl_init() - nfs: Do not convert nfs_idmap_cache_timeout to jiffies - drm/ttm: fix adding foreign BOs to the swap LRU - drm/ttm: Don't add swapped BOs to swap-LRU list - kernfs: fix regression in kernfs_fop_write caused by wrong type - staging: rts5208: Fix "seg_no" calculation in reset_ms_card() - NFS: reject request for id_legacy key without auxdata - btrfs: Handle btrfs_set_extent_delalloc failure in fixup worker - HID: roccat: prevent an out of bounds read in kovaplus_profile_activated() - cifs: Fix missing put_xid in cifs_file_strict_mmap - cifs: Fix autonegotiate security settings mismatch - jffs2: Fix use-after-free bug in jffs2_iget()'s error handling path - cifs: fix memory leak when password is supplied multiple times - CIFS: zero sensitive data when freeing - RDMA/mlx5: Avoid memory leak in case of XRCD dealloc failure - media: cxusb, dib0700: ignore XC2028_I2C_FLUSH - [x86] vhost_net: stop device during reset owner - rbd: whitelist RBD_FEATURE_OPERATIONS feature bit - drm/radeon: adjust tested variable - netfilter: ipt_CLUSTERIP: fix out-of-bounds accesses in clusterip_tg_check() - netfilter: on sockopt() acquire sock lock only in the required scope - [x86] Revert "apple-gmux: lock iGP IO to protect from vgaarb changes" - mm: pin address_space before dereferencing it while isolating an LRU page - mm: fix the NULL mapping case in __isolate_lru_page() - net: igmp: add a missing rcu locking section - Btrfs: fix deadlock in run_delalloc_nocow - Btrfs: fix crash due to not cleaning up tree log block's dirty bits - Btrfs: fix extent state leak from tree log - Btrfs: fix use-after-free on root->orphan_block_rsv - btrfs: remove spurious WARN_ON(ref->count < 0) in find_parent_nodes - [x86] firmware: dmi_scan: Fix handling of empty DMI strings - [x86] xen: init %gs very early to avoid page faults with stack protector - [armhf] KVM: Fix SMCCC handling of unimplemented SMC/HVC calls - netfilter: xt_RATEEST: acquire xt_rateest_mutex for hash insert - kernel/async.c: revert "async: simplify lowest_in_progress()" - pipe: fix limit checking in pipe_set_size() - pipe: fix limit checking in alloc_pipe_info() - pipe: make account_pipe_buffers() return a value, and use it - pipe: cap initial pipe capacity according to pipe-max-size limit - pipe: avoid round_pipe_size() nr_pages overflow on 32-bit - pipe: add proc_dopipe_max_size() to safely assign pipe_max_size - sysctl: check for UINT_MAX before unsigned int min/max - pipe, sysctl: drop 'min' parameter from pipe-max-size converter - pipe, sysctl: remove pipe_proc_fn() - pipe: actually allow root to exceed the pipe buffer limits - pipe: fix off-by-one error when checking buffer limits - pipe: reject F_SETPIPE_SZ with size over UINT_MAX - pipe: simplify round_pipe_size() - pipe: read buffer limits atomically - netlink: ensure to loop over all netns in genlmsg_multicast_allns() - netlink: avoid a double skb free in genlmsg_mcast() - 9p/trans_virtio: discard zero-length reply - bridge: check brport attr show in brport_show - libata: fix length validation of ATAPI-relayed SCSI commands - libata: remove WARN() for DMA or PIO command without data - xfrm_user: uncoditionally validate esn replay attribute struct - net: fix race on decreasing number of TX queues - netfilter: drop outermost socket lock in getsockopt() - netfilter: ipt_CLUSTERIP: fix a refcount bug in clusterip_config_find_get() - netfilter: x_tables: fix missing timer initialization in xt_LED - netfilter: nat: cope with negative port range - usbip: keep usbip_device sockfd state in sync with tcp_socket - usb: ohci: Proper handling of ed_rm_list to handle race condition between usb_kill_urb() and finish_unlinks() - IB/ipoib: Do not warn if IPoIB debugfs doesn't exist - NFC: llcp: Limit size of SDP URI - dn_getsockoptdecnet: move nf_{get/set}sockopt outside sock lock - udplite: fix partial checksum initialization - drm/nouveau: Fix deadlock on runtime suspend - drm/radeon: Fix deadlock on runtime suspend - iio: buffer: check if a buffer has been set up when poll is called - libata: Apply NOLPM quirk to Crucial MX100 512GB SSDs - cfg80211: fix cfg80211_beacon_dup - netfilter: IDLETIMER: be syzkaller friendly - md raid10: fix NULL deference in handle_write_completed() - [x86] mm: Fix {pmd,pud}_{set,clear}_flags() - libata: disable LPM for Crucial BX100 SSD 500GB drive - kernel/relay.c: limit kmalloc size to KMALLOC_MAX_SIZE - KVM: mmu: Fix overlap between public and private memslots - lock_parent() needs to recheck if dentry got __dentry_kill'ed under it - batman-adv: fix packet checksum in receive path - batman-adv: invalidate checksum on fragment reassembly - netfilter: ipv6: fix use-after-free Write in nf_nat_ipv6_manip_pkt - batman-adv: Fix internal interface indices types - l2tp: don't close sessions in l2tp_tunnel_destruct() - l2tp: avoid using ->tunnel_sock for getting session's parent tunnel - l2tp: don't use inet_shutdown on tunnel destroy - l2tp: don't use inet_shutdown on ppp session destroy - l2tp: fix races with tunnel socket close - l2tp: fix race in pppol2tp_release with session object destroy - l2tp: fix tunnel lookup use-after-free race - [x86] tpm,tpm_i2c_infineon,tpm_i2c_nuvoton,tpm_tis: fix potential buffer overruns caused by bit glitches on the bus - [x86] mmc: sdhci-pci: Fix S0i3 for Intel BYT-based controllers - [armhf] mmc: dw_mmc: Fix out-of-bounds access for slot's caps - tty: make n_tty_read() always abort if hangup is in progress - [x86] xen: Add xen_arch_suspend() - [armhf] xen: Define xen_arch_suspend() - [x86] xen: Zero MSR_IA32_SPEC_CTRL before suspend - xen/pirq: fix error path cleanup when binding MSIs - btrfs: alloc_chunk: fix DUP stripe size handling - ata: Add a new flag to destinguish sas controller - ata: do not schedule hot plug if it is a sas host - e1000e: Fix check_for_link return value with autoneg off - bcache: fix crashes in duplicate cache device register - bcache: don't attach backing with duplicate UUID - uas: fix comparison for error code - brcmfmac: fix P2P_DEVICE ethernet address generation - sch_netem: fix skb leak in netem_enqueue() - l2tp: do not accept arbitrary sockets - RDMA/ucma: Limit possible option size - RDMA/ucma: Check that user doesn't overflow QP state - drm/radeon: fix KV harvesting - [x86] spectre_v2: Don't check microcode versions when running under hypervisors - [x86] MCE: Save microcode revision in machine check records - team: Fix double free in error path - usb: usbmon: Read text within supplied buffer size - RDMA/mlx5: Fix integer overflow while resizing CQ - ALSA: seq: Fix possible UAF in snd_seq_check_queue() - ALSA: seq: Clear client entry before deleting else at closing - netfilter: bridge: ebt_among: add missing match size checks - netfilter: bridge: ebt_among: add more missing match size checks - l2tp: fix races with ipv4-mapped ipv6 addresses - IB/mlx5: Fix integer overflows in mlx5_ib_create_srq - [i386] can: cc770: Fix stalls on rt-linux, remove redundant IRQ ack - [i386] can: cc770: Fix queue stall & dropped RTR reply - libata: Enable queued TRIM for Samsung SSD 860 - route: remove unsed variable in __mkroute_input - net: Refactor rtable initialization - ipv4: lock mtu in fnhe when received PMTU < net.ipv4.route.min_pmtu - aio: change exit_aio() to load mm->ioctx_table once and avoid rcu_read_lock() - aio: kill the misleading rcu read locks in ioctx_add_table() and kill_ioctx() - aio: fix serial draining in exit_aio() - fs/aio: Add explicit RCU grace period when freeing kioctx - fs/aio: Use RCU accessors for kioctx_table->table[] - RDMA/ucma: Fix access to non-initialized CM_ID object - RDMA/ucma: Don't allow join attempts for unsupported AF family - drm/radeon: fix prime teardown order - mmc: block: fix updating ext_csd caches on ioctl call - drm/radeon: Don't turn off DP sink when disconnected - fs: Teach path_connected to handle nfs filesystems with multiple roots. - RDMA/ucma: Check AF family prior resolving address - net: Fix vlan untag for bridge and vlan_dev with reorder_hdr off - skbuff: Fix not waking applications when errors are enqueued - batman-adv: update data pointers after skb_cow() - batman-adv: fix header size check in batadv_dbg_arp() - ALSA: hda/realtek - Always immediately update mute LED with pin VREF - batman-adv: Fix skbuff rcsum on packet reroute - vti4: Don't count header length twice on tunnel setup - ip_tunnel: Clamp MTU to bounds on new link - [i386] can: cc770: Fix use after free in cc770_tx_interrupt() - libata: Apply NOLPM quirk to Crucial M500 480 and 960GB SSDs - libata: Make Crucial BX100 500GB LPM quirk apply to all firmware versions - libata: Modify quirks for MX100 to limit NCQ_TRIM quirk to MU01 version - ALSA: usb-audio: Fix parsing descriptor of UAC2 processing unit - RDMA/ucma: Fix use-after-free access in ucma_close - RDMA/ucma: Ensure that CM_ID exists prior to access it - RDMA/ucma: Correct option size check using optlen - ALSA: aloop: Sync stale timer before release - ALSA: aloop: Fix access to not-yet-ready substream via cable - posix-timers: Protect posix clock array access against speculation (CVE-2017-5753) - mm/mempolicy.c: avoid use uninitialized preferred_node - tracing: probeevent: Fix to support minus offset from symbol - ip_tunnel: Emit events for post-register MTU changes - batman-adv: fix multicast-via-unicast transmission with AP isolation - batman-adv: fix packet loss for broadcasted DHCP packets to a server - tty: vt: fix up tabstops properly - netlink: make sure nladdr has correct size in netlink_connect() - ipv6: the entire IPv6 header chain must fit the first fragment - ALSA: pcm: Use dma_bytes as size parameter in dma_mmap_coherent() - bonding: fix the err path for dev hwaddr sync in bond_enslave - bonding: move dev_mc_sync after master_upper_dev_link in bond_enslave - bonding: process the err returned by dev_set_allmulti properly in bond_enslave - ALSA: pcm: potential uninitialized return values - net: fix possible out-of-bound read in skb_network_protocol() - net/mlx4_en: do not ignore autoneg in mlx4_en_set_pauseparam() - net/mlx4_en: Fix mixed PFC and Global pause user control requests - RDMA/ucma: Check that device is connected prior to access it - RDMA/ucma: Check that device exists prior to accessing it - mtd: jedec_probe: Fix crash in jedec_read_mfr() - net: Fix untag for vlan packets without ethernet header [ Ben Hutchings ] * cpufeatures: Avoid ABI change for Spectre v2 microcode features * Revert "CIFS: Enable encryption during session setup phase" as an alternate fix was included in 3.16.57 * [x86] mce: Ignore ABI change in 3.16.57 * nfs: Ignore ABI change in 3.16.57 * sdhci: Ignore ABI change in 3.16.57 * wireless: Avoid ABI cange in 3.16.57 * fs: Avoid ABI change in 3.16.57 * crypto: hash: Avoid ABI change in 3.16.57 * ipv4: Avoid or ignore ABI changes in 3.16.57 * Revert "vti4: Don't override MTU passed on link creation via IFLA_MTU" * [x86] fpu: Fix the 'nofxsr' boot parameter to also clear X86_FEATURE_FXSR_OPT * [x86] fpu: Default eagerfpu if FPU and FXSR are enabled (CVE-2018-3665) * usbip: fix error handling in stub_probe() * usbip: usbip_host: fix to hold parent lock for device_attach() calls * usbip: usbip_host: refine probe and disconnect debug msgs to be * usbip: usbip_host: delete device from busid_table after rebind * usbip: usbip_host: run rebind from exit when module is removed * usbip: usbip_host: fix NULL-ptr deref and use-after-free errors (CVE-2018-5814) * usbip: usbip_host: fix bad unlock balance during stub_probe() * futex: Remove requirement for lock_page() in get_futex_key() (CVE-2018-9422) * futex: Remove unnecessary warning from get_futex_key * [x86] KVM: Emulator ignores LDTR/TR extended base on LLDT/LTR * [x86] KVM: introduce linear_{read,write}_system * [x86] KVM: pass kvm_vcpu to kvm_read_guest_virt and kvm_write_guest_virt_system * [x86[ kvm: use correct privilege level for sgdt/sidt/fxsave/fxrstor access (CVE-2018-10853) * sr: pass down correctly sized SCSI sense buffer (CVE-2018-11506) * jfs: Fix inconsistency between memory allocation and ea_buf->max_size (CVE-2018-12233) * scsi: sg: allocate with __GFP_ZERO in sg_build_indirect() (CVE-2018-1000204) [ Salvatore Bonaccorso ] * nfs: Fetch MOUNTED_ON_FILEID when updating an inode (Closes: #898165) Source linux-base, binaries: linux-base:amd64 linux-base (4.5~deb8u1) jessie-security; urgency=medium * Rebuild for jessie; no changes required linux-base (4.5) unstable; urgency=medium [ Salvatore Bonaccorso ] * Update Danish debconf template translation. Thanks to Joe Dalton (Closes: #830587) * Update Brazilian Portuguese debconf templates translation. Thanks to Diego Neves (Closes: #830691) [ Ben Hutchings ] * Update Dutch debconf template translations (Frans Spiesschaert) (Closes: #837097) * perf: Drop support for versions older than 3.2 * Use dh with debhelper compat level 9 * Add bash completion wrapper for perf (Closes: #702482) linux-base (4.4) unstable; urgency=medium [ Ben Hutchings ] * Update debconf template translations: - Portuguese (Américo Monteiro) (Closes: #826779) - Polish (Łukasz Dulny) - Japanese (Victory) - Russian (Yuri Kozlov) (Closes: #828772) - German (Markus Hiereth) - French (Jean-Pierre Giraud) (Closes: #830171) * linux-check-removal: Fix substitution of package name in debconf title [ Salvatore Bonaccorso ] * Update Swedish debconf template translation. Thanks to Martin Bagge (Closes: #828725) * Update Czech debconf template translation. Thanks to Michal Simunek (Closes: #828944) linux-base (4.3) unstable; urgency=medium * Add linux-check-removal command for use by package prerm scripts - Override lintian warning and error for this unusual debconf usage linux-base (4.2) unstable; urgency=medium * Change source format to 3.0 (native) so that .git directory is excluded by default * Add manual page for linux-update-symlinks * read_kernelimg_conf(): Quietly ignore settings used only by kernel-package * debian/rules: Add build-{arch,indep} targets * debian/control: Update policy version to 3.9.8; no changes required linux-base (4.1) unstable; urgency=medium * Adjust for migration to git: - Add .gitignore files - debian/control: Update Vcs-* fields (Closes: #824748) * Add image_stem() and read_kernelimg_conf() functions to Perl module * Add linux-update-symlinks command for use by package maintainer scripts linux-base (4.0) unstable; urgency=low * Remove obsolete postinst upgrade code and translations (Closes: #580435, #660670, #670775, #686211, #686384, #686431, #686445, #686459, #686480, #686602, #686610, #686662, #686687, #686704, #686705, #686717, #686720, #686748, #698203) * Run version_cmp() unit tests at build time * linux-version: Fix sorting of version strings containing -trunk (Closes: #761614) * perf: Update error message for missing perf executable, to refer to linux-perf- for Linux 4.1 onward * debian/control: Drop support for pre-multiarch releases * debian/control: Update Vcs-* fields to use anonscm.debian.org * debian/control: Update policy version to 3.9.6; no changes required Source openssl, binaries: libssl1.0.0:amd64 openssl:amd64 openssl (1.0.1t-1+deb8u9) jessie-security; urgency=high * Non-maintainer upload by the LTS team. * Fix CVE-2018-0737: Alejandro Cabrera Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia discovered that the OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. * Fix CVE-2018-0732: DoS by a malicious server that sends a very large prime value to the client during TLS handshake. Source libidn, binaries: libidn11:amd64 libidn (1.29-1+deb8u3) jessie-security; urgency=high * Fix CVE-2017-14062: An integer overflow vulnerability in libidn's Punycode handling (an encoding used to convert Unicode characters to ASCII) which would have allowed remote attackers to cause a denial of service. Patch taken from wheezy, backported by Chris Lamb (Closes: #873903). -- Steve McIntyre <93sam@debian.org> Sun, 29 Jul 2018 10:53:42 +0800 8.11.1-20180709 Updates in 2 source package(s), 2 binary package(s): Source ca-certificates, binaries: ca-certificates:amd64 ca-certificates (20141019+deb8u4) jessie-security; urgency=high * mozilla/{certdata.txt,nssckbi.h}: Update Mozilla certificate authority bundle to version 2.22. Closes: #858064, #867461 This update removes StartCom and WoSign certificates. Closes: #858539 The following certificate authorities were added (+): + "AC RAIZ FNMT-RCM" + "Amazon Root CA 1" + "Amazon Root CA 2" + "Amazon Root CA 3" + "Amazon Root CA 4" + "D-TRUST Root CA 3 2013" + "GDCA TrustAUTH R5 ROOT" + "LuxTrust Global Root 2" + "SSL.com EV Root Certification Authority ECC" + "SSL.com EV Root Certification Authority RSA R2" + "SSL.com Root Certification Authority ECC" + "SSL.com Root Certification Authority RSA" + "Symantec Class 1 Public Primary Certification Authority - G4" + "Symantec Class 1 Public Primary Certification Authority - G6" + "Symantec Class 2 Public Primary Certification Authority - G4" + "Symantec Class 2 Public Primary Certification Authority - G6" + "TrustCor ECA-1" + "TrustCor RootCert CA-1" + "TrustCor RootCert CA-2" + "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1" The following certificate authorities were removed (-): - "ACEDICOM Root" - "AddTrust Public Services Root" - "AddTrust Qualified Certificates Root" - "ApplicationCA - Japanese Government" - "Buypass Class 2 CA 1" - "CA Disig Root R1" - "CA WoSign ECC Root" - "CNNIC ROOT" - "Certification Authority of WoSign G2" - "Certinomis - Autorité Racine" - "China Internet Network Information Center EV Certificates Root" - "Comodo Secure Services root" - "Comodo Trusted Services root" - "DST ACES CA X6" - "EBG Elektronik Sertifika Hizmet Saglayicisi" - "Equifax Secure CA" - "Equifax Secure eBusiness CA 1" - "Equifax Secure Global eBusiness CA" - "GeoTrust Global CA 2" - "IGC/A" - "Juur-SK" - "Microsec e-Szigno Root CA" - "PSCProcert" - "Root CA Generalitat Valenciana" - "RSA Security 2048 v3" - "S-TRUST Authentication and Encryption Root CA 2005 PN" - "Security Communication EV RootCA1" - "StartCom Certification Authority" - "StartCom Certification Authority G2" - "Swisscom Root CA 1" - "Swisscom Root EV CA 2" - "TUBITAK UEKAE Kok Sertifika Hizmet Saglayicisi - Surum 3" - "TURKTRUST Certificate Services Provider Root 2007" - "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6" - "UTN USERFirst Hardware Root CA" - "Verisign Class 1 Public Primary Certification Authority" - "Verisign Class 2 Public Primary Certification Authority - G2" - "Verisign Class 3 Public Primary Certification Authority" - "WellsSecure Public Root Certificate Authority" - "WoSign" - "WoSign China" * debian/control: Remove Christian Perrier from uploaders at his request. Closes: #894070 Source libgcrypt20, binaries: libgcrypt20:amd64 libgcrypt20 (1.6.3-2+deb8u5) jessie-security; urgency=medium * Non-maintainer upload by the LTS team. * ecc: Add blinding for ECDSA (CVE-2018-0495) -- Steve McIntyre <93sam@debian.org> Mon, 09 Jul 2018 16:10:38 +0100 8.11.0-20180623 First (and last?) build for the final Jessie point release, 8.11.0 -- Steve McIntyre <93sam@debian.org> Sun, 24 Jun 2018 00:56:48 +0100