Security fixes from 2017-01-26 14:58 UTC


Graham Christensen

Jan 26, 2017, 10:00:48 AM
to nix-securi...@googlegroups.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256


The following issues have been resolved in NixOS in release-16.09 and
unstable. They remain potentially vulnerable on older major
releases.

These patches will be released to the unstable and
release-16.09 channels when Hydra finishes building the "tested" job
for each channel:

- https://hydra.nixos.org/job/nixos/release-16.09/tested
- https://hydra.nixos.org/job/nixos/trunk-combined/tested

Huge thank you to Franz Pletz for these timely OpenSSL patches.

Please consider helping with the next security roundup by commenting on
https://github.com/NixOS/nixpkgs/issues/22128.

The following changes were applied to release-16.09:

d1715e2 openssl_1_0_1: not maintained anymore, remove
> openssl_1_0_1 has been removed due to not being maintained anymore.

ad34c19 openssl_1_1_0: 1.1.0c -> 1.1.0d for multiple CVEs
> - Truncated packet could crash via OOB read (CVE-2017-3731)
> - Bad (EC)DHE parameters cause a client crash (CVE-2017-3730)
> - BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732)
>
> More: https://www.openssl.org/news/openssl-1.1.0-notes.html

1a59ff1 openssl_1_0_2: 1.0.2j -> 1.0.2k for multiple CVEs
> - Truncated packet could crash via OOB read (CVE-2017-3731)
> - BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732)
> - Montgomery multiplication may produce incorrect results
> (CVE-2016-7055)
>
> More: https://www.openssl.org/news/openssl-1.0.2-notes.html

5211464 Merge #22171: wireshark: 2.2.2 -> 2.2.4
> This release fixes these security-related issues:
> - https://www.wireshark.org/security/wnpa-sec-2017-01.html
> - https://www.wireshark.org/security/wnpa-sec-2017-02.html

7274b07 torbrowser: 6.0.8 -> 6.5
> Updates to firefox-esr 45.7, which fixes several critical
> vulnerabilities [1]
>
> [1]: https://www.mozilla.org/en-US/security/advisories/mfsa2017-02/
======================================================================



The following changes were applied to unstable:

6626b62 openssl_1_0_1: not maintained anymore, rename as -vulnerable
> openssl_1_0_1 is no longer maintained and has been renamed in Nixpkgs
> to openssl_1_0_1-vulnerable until we can remove it.

49bfd60 openssl_1_1_0: 1.1.0c -> 1.1.0d for multiple CVEs
> - Truncated packet could crash via OOB read (CVE-2017-3731)
> - Bad (EC)DHE parameters cause a client crash (CVE-2017-3730)
> - BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732)
>
> More: https://www.openssl.org/news/openssl-1.1.0-notes.html

434c151 openssl_1_0_2: 1.0.2j -> 1.0.2k for multiple CVEs
> - Truncated packet could crash via OOB read (CVE-2017-3731)
> - BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732)
> - Montgomery multiplication may produce incorrect results
> (CVE-2016-7055)
>
> More: https://www.openssl.org/news/openssl-1.0.2-notes.html

5bbe542 torbrowser: 6.0.8 -> 6.5
> Updates to firefox-esr 45.7, which fixes several critical
> vulnerabilities [1]
>
> [1]: https://www.mozilla.org/en-US/security/advisories/mfsa2017-02/

c99540d wireshark: 2.2.3 -> 2.2.4
> This release fixes these security-related issues:
> - https://www.wireshark.org/security/wnpa-sec-2017-01.html
> - https://www.wireshark.org/security/wnpa-sec-2017-02.html

Thank you very much,
Graham Christensen
NixOS Security Team
https://github.com/nixos/security
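A practical follow-up to the roundup above is confirming that a given host actually runs one of the fixed OpenSSL releases it names (1.0.2k, 1.1.0d) rather than the 1.0.2j / 1.1.0c builds the update replaces. The script below is an added example, not code from the advisory or from Nixpkgs; the function names (`letter_rank`, `openssl_version_ge`, `openssl_is_fixed`, `report`) and the sample version strings are constructed for illustration. It treats the 1.0.1 branch as unfixable, matching the roundup's removal of `openssl_1_0_1` as unmaintained.

```shell
#!/bin/sh
# Added example, not part of the advisory: decide whether an OpenSSL build is
# at or past the releases the roundup names as fixed (1.0.2k and 1.1.0d).
# OpenSSL 1.0.x/1.1.0 version strings are major.minor.fix plus a letter
# suffix, and the fixes announced above differ only in that letter, so a
# plain string or numeric comparison of the version token is not enough.

# Rank of the letter suffix: "" -> 0, "a" -> 97, "b" -> 98, ...
letter_rank() {
    if [ -z "$1" ]; then echo 0; else printf '%d\n' "'$1"; fi
}

# openssl_version_ge A B: exit 0 when version A >= version B, else 1.
openssl_version_ge() {
    a=${1%%-*}; b=${2%%-*}                      # drop suffixes like "-fips"
    al=$(printf '%s' "$a" | sed 's/^[0-9.]*//'); an=${a%"$al"}
    bl=$(printf '%s' "$b" | sed 's/^[0-9.]*//'); bn=${b%"$bl"}
    IFS=. read -r a1 a2 a3 <<EOF
$an
EOF
    IFS=. read -r b1 b2 b3 <<EOF
$bn
EOF
    # numeric fields first, most significant to least
    for pair in "$a1:$b1" "$a2:$b2" "$a3:$b3"; do
        x=${pair%%:*}; y=${pair#*:}
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    # same numeric release: the letter suffix decides (none < a < b < ...)
    if [ "$(letter_rank "$al")" -ge "$(letter_rank "$bl")" ]; then
        return 0
    fi
    return 1
}

# openssl_is_fixed "<output of 'openssl version'>" (or a bare version token):
# exit 0 when the build contains the fixes from this roundup, 1 when it does
# not, 2 when the branch is not one the roundup covers.
openssl_is_fixed() {
    set -- $1                                   # word-split; $2 is the version
    ver=${2:-$1}
    case $ver in
        1.0.1*) return 1 ;;                     # branch unmaintained; removed from nixpkgs
        1.0.2*) if openssl_version_ge "$ver" 1.0.2k; then return 0; else return 1; fi ;;
        1.1.0*) if openssl_version_ge "$ver" 1.1.0d; then return 0; else return 1; fi ;;
        *)      return 2 ;;
    esac
}

# Print a one-line verdict for a version string.
report() {
    openssl_is_fixed "$1" && rc=0 || rc=$?
    case $rc in
        0) echo "fixed:      $1" ;;
        1) echo "vulnerable: $1" ;;
        *) echo "unknown:    $1 (branch not covered by this roundup)" ;;
    esac
}

# Constructed sample strings in the format `openssl version` prints.
for sample in "OpenSSL 1.0.2j  26 Sep 2016" "OpenSSL 1.0.2k  26 Jan 2017" \
              "OpenSSL 1.1.0c  10 Nov 2016" "OpenSSL 1.1.0d  26 Jan 2017" \
              "OpenSSL 1.0.1u  22 Sep 2016"; do
    report "$sample"
done

# Check the host's own binary when one is on PATH.
if command -v openssl >/dev/null 2>&1; then
    report "$(openssl version)"
fi
```

On a NixOS host the interesting input is the `openssl` that services actually link against, not only the one on PATH; pass the output of that binary's `openssl version` (or the version embedded in the store path of the package a service uses) to `openssl_is_fixed` to get the same verdict.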