Debian Jessie Openstack images changelog

8.9.8-20171105

Updates in 1 source package(s), 2 binary package(s):

Source openssl, binaries: libssl1.0.0:amd64 openssl:amd64

openssl (1.0.1t-1+deb8u7) jessie-security; urgency=medium

  * Fix CVE-2017-3735.patch

 -- Steve McIntyre <93sam@debian.org>  Sun, 05 Nov 2017 21:45:26 +0000

8.9.7-20171030

Updates in 2 source package(s), 2 binary package(s):

Source tzdata, binaries: tzdata:amd64

tzdata (2017c-0+deb8u1) jessie; urgency=medium

  * New upstream version, affecting the following future timestamps:
    - Northern Cyprus resumed EU rules starting 2017-10-29.
    - Namibia will switch from +01 with DST to +02 all year, affecting
      UT offsets starting 2018-04-01.
    - Sudan will switch from +03 to +02 on 2017-11-01.
    - Tonga will not observe DST on 2017-11-05.
    - Turks & Caicos will switch from -04 all year to -05 with US DST,
      affecting UT offset starting 2018-11-04.

Source wget, binaries: wget:amd64

wget (1.16-1+deb8u4) jessie-security; urgency=medium

  * CVE-2017-13089 / CVE-2017-13090

 -- Steve McIntyre <93sam@debian.org>  Mon, 30 Oct 2017 21:45:54 +0000

8.9.6-20170921

Updates in 2 source package(s), 2 binary package(s):

Source perl, binaries: perl-base:amd64

perl (5.20.2-3+deb8u9) jessie-security; urgency=high

  * Update upstream base.pm no-dot-in-inc fix patch description.
  * [SECURITY] CVE-2017-12837: Fix a heap buffer overflow in regular
    expression compiler. (Closes: #875596)
  * [SECURITY] CVE-2017-12883: Fix a buffer over-read in regular
    expression parser. (Closes: #875597)
    + also includes a separate upstream fix from the 5.23 cycle

Source linux, binaries: linux-image-3.16.0-4-amd64:amd64

linux (3.16.43-2+deb8u5) jessie-security; urgency=medium

  * [amd64] mm: revert ELF_ET_DYN_BASE base changes (fixes regression of ASan)

linux (3.16.43-2+deb8u4) jessie-security; urgency=high

  * [x86] KVM: fix singlestepping over syscall (CVE-2017-7518)
  * binfmt_elf: use ELF_ET_DYN_BASE only for PIE (CVE-2017-1000370,
    CVE-2017-1000371)
  * ALSA: timer: Fix race between read and ioctl (CVE-2017-1000380)
  * ALSA: timer: Fix missing queue indices reset at SNDRV_TIMER_IOCTL_SELECT
    (CVE-2017-1000380)
  * timerfd: Protect the might cancel mechanism proper (CVE-2017-10661)
  * xfrm: policy: check policy direction value (CVE-2017-11600)
  * packet: fix tp_reserve race in packet_set_ring (CVE-2017-1000111)
  * ipv6: Should use consistent conditional judgement for ip6 fragment
    between __ip6_append_data and ip6_finish_output
  * udp: consistently apply ufo or fragmentation (CVE-2017-1000112)
  * xen: fix bio vec merging (CVE-2017-12134) (Closes: #866511)
  * nl80211: check for the required netlink attributes presence
    (CVE-2017-12153)
  * [x86] kvm: nVMX: Don't allow L2 to access the hardware CR8
    (CVE-2017-12154)
  * scsi: qla2xxx: Fix an integer overflow in sysfs code (CVE-2017-14051)
  * tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0 (CVE-2017-14106)
  * Sanitize 'move_pages()' permission checks (CVE-2017-14140)
  * video: fbdev: aty: do not leak uninitialized padding in clk to
    userspace (CVE-2017-14156)
  * xfs: XFS_IS_REALTIME_INODE() should be false if no rt device present
    (CVE-2017-14340)
  * scsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly
    (CVE-2017-14489)
  * Bluetooth: Properly check L2CAP config option output buffer length
    (CVE-2017-1000251) (Closes: #875881)

 -- Steve McIntyre <93sam@debian.org>  Thu, 21 Sep 2017 21:05:31 +0100

8.9.5-20170910

Updates in 1 source package(s), 4 binary package(s):

Source bind9, binaries: libdns-export100:amd64 libirs-export91:amd64
libisc-export95:amd64 libisccfg-export90:amd64

bind9 (1:9.9.5.dfsg-9+deb8u14) jessie; urgency=high

  [ Bernhard Schmidt ]
  * Import upcoming DNSSEC KSK-2017 from 9.10.5

  [ Ondřej Surý ]
  * Non-maintainer upload.

 -- Steve McIntyre <93sam@debian.org>  Sun, 10 Sep 2017 23:35:59 +0100

8.9.4-20170903

Updates in 1 source package(s), 2 binary package(s):

Source gnupg, binaries: gnupg:amd64 gpgv:amd64

gnupg (1.4.18-7+deb8u4) jessie-security; urgency=high

  * Backport fixes for CVE-2017-7526 from STABLE-BRANCH-1-4 branch

 -- Steve McIntyre <93sam@debian.org>  Sun, 03 Sep 2017 08:48:29 +0100

8.9.3-20170825

Updates in 1 source package(s), 1 binary package(s):

Source libxml2, binaries: libxml2:amd64

libxml2 (2.9.1+dfsg1-5+deb8u5) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Increase buffer space for port in HTTP redirect support (CVE-2017-7376)
    Incorrect limit was used for port values. (Closes: #870865)
  * Prevent unwanted external entity reference (CVE-2017-7375)
    Missing validation for external entities in xmlParsePEReference.
    (Closes: #870867)
  * Fix handling of parameter-entity references (CVE-2017-9049, CVE-2017-9050)
    - Heap-based buffer over-read in function xmlDictComputeFastKey
      (CVE-2017-9049).
    - Heap-based buffer over-read in function xmlDictAddString
      (CVE-2017-9050).
    (Closes: #863019, #863018)
  * Fix buffer size checks in xmlSnprintfElementContent (CVE-2017-9047,
    CVE-2017-9048)
    - Buffer overflow in function xmlSnprintfElementContent (CVE-2017-9047).
    - Stack-based buffer overflow in function xmlSnprintfElementContent
      (CVE-2017-9048).
    (Closes: #863022, #863021)
  * Fix type confusion in xmlValidateOneNamespace (CVE-2017-0663)
    Heap buffer overflow in xmlAddID. (Closes: #870870)

 -- Steve McIntyre <93sam@debian.org>  Fri, 25 Aug 2017 18:19:34 +0100

8.9.2-20170822

Updates in 1 source package(s), 1 binary package(s):

Source linux, binaries: linux-image-3.16.0-4-amd64:amd64

linux (3.16.43-2+deb8u3) jessie-security; urgency=high

  * regulator: core: Fix regualtor_ena_gpio_free not to access pin after
    freeing (CVE-2014-9940)
  * [x86] drm/vmwgfx: limit the number of mip levels in
    vmw_gb_surface_define_ioctl() (CVE-2017-7346)
  * rxrpc: Fix several cases where a padded len isn't checked in ticket
    decode (CVE-2017-7482)
  * brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx()
    (CVE-2017-7541)
  * ipv6: avoid overflow of offset in ip6_find_1stfragopt (CVE-2017-7542)
  * [x86] mm: Tighten x86 /dev/mem with zeroing reads (CVE-2017-7889)
  * [x86] drm/vmwgfx: Make sure backup_handle is always valid (CVE-2017-9605)
  * xen-blkback: don't leak stack data via response ring (CVE-2017-10911)
  * mqueue: fix a use-after-free in sys_mq_notify() (CVE-2017-11176)
  * char: lp: fix possible integer overflow in lp_setup() (CVE-2017-1000363)
  * fs/exec.c: account for argv/envp pointers (CVE-2017-1000365)

  [ Ben Hutchings ]
  * dentry name snapshots (CVE-2017-7533)

 -- Steve McIntyre <93sam@debian.org>  Wed, 23 Aug 2017 02:01:34 +0100

8.9.1-20170725

Updates in 1 source package(s), 4 binary package(s):

Source bind9, binaries: libdns-export100:amd64 libirs-export91:amd64
libisc-export95:amd64 libisccfg-export90:amd64

bind9 (1:9.9.5.dfsg-9+deb8u13) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Add patch to fix regression introduced by patch for CVE-2017-3042.
    closes: #868952

 -- Steve McIntyre <93sam@debian.org>  Tue, 25 Jul 2017 13:48:20 +0100

8.9.0-20170723

First build for 8.9.0 point release

 -- Steve McIntyre <93sam@debian.org>  Sun, 23 Jul 2017 16:12:05 +0100