Security fixes from 2017-01-26 02:55 UTC


Graham Christensen

Jan 25, 2017, 9:56:04 PM
to nix-securi...@googlegroups.com

The following issues have been resolved in NixOS in release-16.09 and
unstable. They remain potentially vulnerable on older major
releases.

These patches will be released to the unstable and
release-16.09 channels when Hydra finishes building the "tested" job
for each channel:

- https://hydra.nixos.org/job/nixos/release-16.09/tested
- https://hydra.nixos.org/job/nixos/trunk-combined/tested

Please consider helping with the next security roundup by commenting on
https://github.com/NixOS/nixpkgs/issues/22128.

The following changes were applied to release-16.09:

57ae42d ed: 1.13 -> 1.14.1
> From the Red Hat bugzilla:
>
> A vulnerability was found in GNU ed. An invalid free might occur while
> parsing specially crafted commands which will make the application
> crash.
>
> - CVE-2017-5357
>
> More: https://lwn.net/Alerts/712263/

362420c ppp: add patch to fix CVE-2015-3310
> From the Debian advisory:
>
> Emanuele Rocca discovered that ppp, a daemon implementing the
> Point-to-Point Protocol, was subject to a buffer overflow when
> communicating with a RADIUS server. This would allow unauthenticated
> users to cause a denial-of-service by crashing the daemon.
>
> - CVE-2015-3310
>
> More: https://lwn.net/Alerts/640588/

f15f5dc gd: 2.2.3 -> 2.2.4 for multiple CVEs
> From the Fedora advisory:
>
> - gdImageCreate() doesn't check for oversized images and as such is
> prone to DoS vulnerabilities. (CVE-2016-9317)
> - double-free in gdImageWebPtr() (CVE-2016-6912)
>
> More: https://lwn.net/Alerts/712339/

529231c libav_0_8: 0.8.17 -> 0.8.20 for multiple CVEs
> From the Debian-LTS advisory:
>
> Multiple integer overflows have been discovered in libav 11.8 and
> earlier, allowing remote attackers to cause a crash via a crafted MP3
> file.
>
> - CVE-2016-9819
> - CVE-2016-9820
> - CVE-2016-9821
> - CVE-2016-9822
>
> More: https://lwn.net/Alerts/712044/

633bba5 mariadb: 10.1.19 -> 10.1.21 for multiple CVEs
> - CVE-2017-3238
> - CVE-2017-3243
> - CVE-2017-3244
> - CVE-2017-3257
> - CVE-2017-3258
> - CVE-2017-3265
> - CVE-2017-3291
> - CVE-2017-3312
> - CVE-2017-3317
> - CVE-2017-3318
>
> More: https://mariadb.com/kb/en/mariadb/mariadb-10029-release-notes/

f97f679 libnl: 3.2.28 -> 3.2.29 for CVE-2017-0386
> From the Red Hat bugzilla:
>
> An elevation of privilege vulnerability in the libnl library could
> enable a local malicious application to execute arbitrary code within
> the context of a privileged process.
>
> More: https://bugzilla.redhat.com/show_bug.cgi?id=1414304

4eb411c cvs: patch against CVE-2012-0804 (heap overflow)
> (Note: Thank you to Gentoo for going through and finding old
> un-addressed CVEs, helping us find them too!)
>
> From the Debian advisory on CVE-2012-0804:
>
> It was discovered that a malicious CVS server could cause a heap
> overflow in the CVS client, potentially allowing the server to execute
> arbitrary code on the client.

9cb5503 firefox: 50.1.0 -> 51.0, firefox-esr: 45.6.0esr -> 45.7.0esr
> Numerous security fixes.
>
> More:
> - https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox51

9b02319 ansible2: 2.2.0.0 -> 2.2.1.0
> From the advisory:
>
> > "CVE-2016-9587 is rated as HIGH in risk, as a compromised remote
> > system being managed via Ansible can lead to commands being run on
> > the Ansible controller (as the user running the ansible or
> > ansible-playbook command)."
>
> More: https://lwn.net/Articles/711357/
> More: https://www.computest.nl/advisories/CT-2017-0109_Ansible.txt

4d8e248 webkit: security 2.14.1 -> 2.14.3
> From the announcement page:
>
> https://webkitgtk.org/security/WSA-2017-0001.html
>
> CVE-2016-7586
> Versions affected: WebKitGTK+ before 2.14.3.
> Credit to Boris Zbarsky.
> Impact: Processing maliciously crafted web content may result in
> the disclosure of user information. Description: A validation
> issue was addressed through improved state management.
> CVE-2016-7589
> Versions affected: WebKitGTK+ before 2.14.3.
> Credit to Apple.
> Impact: Processing maliciously crafted web content may lead to
> arbitrary code execution. Description: A memory corruption issue
> was addressed through improved state management.
> CVE-2016-7592
> Versions affected: WebKitGTK+ before 2.14.3.
> Credit to xisigr of Tencent’s Xuanwu Lab (tencent.com).
> Impact: Processing maliciously crafted web content may
> compromise user information. Description: An issue existed in
> handling of JavaScript prompts. This was addressed through
> improved state management.
> CVE-2016-7599
> Versions affected: WebKitGTK+ before 2.14.3.
> Credit to Muneaki Nishimura (nishimunea) of Recruit Technologies
> Co., Ltd.
> Impact: Processing maliciously crafted web content may result in
> the disclosure of user information. Description: An issue
> existed in the handling of HTTP redirects. This issue was
> addressed through improved cross origin validation.
> CVE-2016-7623
> Versions affected: WebKitGTK+ before 2.14.3.
> Credit to xisigr of Tencent’s Xuanwu Lab (tencent.com).
> Impact: Visiting a maliciously crafted website may compromise
> user information. Description: An issue existed in the handling
> of blob URLs. This issue was addressed through improved URL
> handling.
> CVE-2016-7632
> Versions affected: WebKitGTK+ before 2.14.3.
> Credit to Jeonghoon Shin.
> Impact: Visiting a maliciously crafted webpage may lead to an
> unexpected application termination or arbitrary code execution.
> Description: A memory corruption issue was addressed through
> improved state management.
> CVE-2016-7635
> Versions affected: WebKitGTK+ before 2.14.3.
> Credit to Apple.
> Impact: Processing maliciously crafted web content may lead to
> arbitrary code execution. Description: Multiple memory
> corruption issues were addressed through improved memory
> handling.
> CVE-2016-7639
> Versions affected: WebKitGTK+ before 2.14.3.
> Credit to Tongbo Luo of Palo Alto Networks.
> Impact: Processing maliciously crafted web content may lead to
> arbitrary code execution. Description: Multiple memory
> corruption issues were addressed through improved state
> management.
> CVE-2016-7641
> Versions affected: WebKitGTK+ before 2.14.3.
> Credit to Kai Kang of Tencent’s Xuanwu Lab (tencent.com).
> Impact: Processing maliciously crafted web content may lead to
> arbitrary code execution. Description: Multiple memory
> corruption issues were addressed through improved state
> management.
> CVE-2016-7645
> Versions affected: WebKitGTK+ before 2.14.3.
> Credit to Kai Kang of Tencent’s Xuanwu Lab (tencent.com).
> Impact: Processing maliciously crafted web content may lead to
> arbitrary code execution. Description: Multiple memory
> corruption issues were addressed through improved state
> management.
> CVE-2016-7652
> Versions affected: WebKitGTK+ before 2.14.3.
> Credit to Apple.
> Impact: Processing maliciously crafted web content may lead to
> arbitrary code execution. Description: Multiple memory
> corruption issues were addressed through improved memory
> handling.
> CVE-2016-7654
> Versions affected: WebKitGTK+ before 2.14.3.
> Credit to Keen Lab working with Trend Micro’s Zero Day Initiative.
> Impact: Processing maliciously crafted web content may lead to
> arbitrary code execution. Description: Multiple memory
> corruption issues were addressed through improved state
> management.
> CVE-2016-7656
> Versions affected: WebKitGTK+ before 2.14.3.
> Credit to Keen Lab working with Trend Micro’s Zero Day Initiative.
> Impact: Processing maliciously crafted web content may lead to
> arbitrary code execution. Description: A memory corruption issue
> was addressed through improved state management.

dc6a857 linux: 3.18.45 -> 3.18.47
> All kernel patches are considered security-sensitive.

a1672a2 linux: 4.1.36 -> 4.1.38
> All kernel patches are considered security-sensitive.

858a4ac kernel: 4.4.43 -> 4.4.44
> All kernel patches are considered security-sensitive.
======================================================================

The following changes were applied to unstable:

9ac6297 ppp: add patch to fix CVE-2015-3310
> From the Debian advisory:
>
> Emanuele Rocca discovered that ppp, a daemon implementing the
> Point-to-Point Protocol, was subject to a buffer overflow when
> communicating with a RADIUS server. This would allow unauthenticated
> users to cause a denial-of-service by crashing the daemon.
>
> - CVE-2015-3310
>
> More: https://lwn.net/Alerts/640588/

6a02d48 gd: 2.2.3 -> 2.2.4 for multiple CVEs
> From the Fedora advisory:
>
> - gdImageCreate() doesn't check for oversized images and as such is
> prone to DoS vulnerabilities. (CVE-2016-9317)
> - double-free in gdImageWebPtr() (CVE-2016-6912)
>
> More: https://lwn.net/Alerts/712339/

5f3c626 libav_0_8: 0.8.19 -> 0.8.20 for multiple CVEs
> From the Debian-LTS advisory:
>
> Multiple integer overflows have been discovered in libav 11.8 and
> earlier, allowing remote attackers to cause a crash via a crafted MP3
> file.
>
> - CVE-2016-9819
> - CVE-2016-9820
> - CVE-2016-9821
> - CVE-2016-9822
>
> More: https://lwn.net/Alerts/712044/

111b4e4 mariadb: 10.1.19 -> 10.1.21 for multiple CVEs
> - CVE-2017-3238
> - CVE-2017-3243
> - CVE-2017-3244
> - CVE-2017-3257
> - CVE-2017-3258
> - CVE-2017-3265
> - CVE-2017-3291
> - CVE-2017-3312
> - CVE-2017-3317
> - CVE-2017-3318
>
> More: https://mariadb.com/kb/en/mariadb/mariadb-10029-release-notes/

8d342d2 libnl: 3.2.28 -> 3.2.29 for CVE-2017-0386
> From the Red Hat bugzilla:
>
> An elevation of privilege vulnerability in the libnl library could
> enable a local malicious application to execute arbitrary code within
> the context of a privileged process.
>
> More: https://bugzilla.redhat.com/show_bug.cgi?id=1414304

04ae7fe cvs: patch against CVE-2012-0804 (heap overflow)
> (Note: Thank you to Gentoo for going through and finding old
> un-addressed CVEs, helping us find them too!)
>
> From the Debian advisory on CVE-2012-0804:
>
> It was discovered that a malicious CVS server could cause a heap
> overflow in the CVS client, potentially allowing the server to execute
> arbitrary code on the client.

9c9424d firefox: 50.1.0 -> 51.0, firefox-esr: 45.6.0esr -> 45.7.0esr
> Numerous security fixes.
>
> More:
> - https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox51

28c3d7f firefox-bin: 50.1.0 -> 51.0
> Numerous security issues.
>
> More:
> https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox51

fc8233a kernel: 4.4.43 -> 4.4.44
> All kernel patches are considered security-sensitive.

61caacb linux: 4.1.36 -> 4.1.38
> All kernel patches are considered security-sensitive.

ce3b98d linux: 3.18.45 -> 3.18.47
> All kernel patches are considered security-sensitive.

4b9b1fa util-linux: remove seccomp sandbox for CVE-2016-2279
> The patch for CVE-2016-2779 was reverted by upstream and was not
> adopted by any other downstream distributions. Upstream is waiting for a
> better fix in the kernel:
> https://www.kernel.org/pub/linux/utils/util-linux/v2.28/v2.28-ReleaseNotes

Thank you very much,
Graham Christensen
NixOS Security Team
https://github.com/nixos/security