Security fixes from 2017-02-18 14:18 UTC


Graham Christensen

Feb 18, 2017, 9:20:51 AM
to nix-securi...@googlegroups.com

The following issues have been resolved in NixOS in release-16.09 and
unstable. They remain potentially vulnerable on older major
releases.

These patches will be released to the unstable and
release-16.09 channels when Hydra finishes building the "tested" job
for each channel:

- https://hydra.nixos.org/job/nixos/release-16.09/tested
- https://hydra.nixos.org/job/nixos/trunk-combined/tested

Please consider helping with the next security roundup by commenting on
https://github.com/NixOS/nixpkgs/issues/22826.

The following changes were applied to release-16.09:

a1a13ad calibre: 2.64.0 -> 2.76.0
(Thank you, Peter Hoeg)
> There are likely many issues that were present in 2.64.0 that are now
> fixed, however, only for the latest bump:
>
> From the Red Hat bugzilla for CVE-2016-10187:
>
> A vulnerability was found in Calibre. It was found that a javascript
> present in the book can access files on the computer using
> XMLHttpRequest.

134772e linux_4_9: 4.9.9 -> 4.9.10
(Thank you, Joachim Fasting (author))
> All kernel patches are considered security-sensitive.

ce3ffe7 linux_4_9: patch for CVE-2017-5986
(Thank you, Joachim Fasting (author))
> All kernel patches are considered security-sensitive.

1cc9887 libxml2: bugfix updates from git upstream
(Thank you, Vladimír Čunát (author))
> This should solve CVE-2016-5131 and some other bugs, but not what Suse
> calls CVE-2016-9597: https://bugzilla.suse.com/show_bug.cgi?id=1017497
> The bugzilla discussion seems to indicate that the CVE is referenced
> incorrectly and only shows reproducing when using command-line flags
> that are considered "unsafe".
>
> CVE-2016-9318 also remains unfixed, as I consider their reasoning OK:
> https://lwn.net/Alerts/714411/

3c10c74 webkitgtk: 2.14.4 -> 2.14.5
(Thank you, Herwig Hochleitner (author))
> All browser patches are considered security-sensitive.

381c2bd netpbm: 10.70.00 -> 10.77.02 for numerous fixes
> At minimum:
>
> > From the Red Hat bugzilla:
> >
> > CVE-2017-5849: An out of bounds read and write issue was found in
> > netpbm. A maliciously crafted file could cause the application to
> > crash or possibly have other unspecified impact.
> >
> > CVE-2017-2586: A null pointer dereference vulnerability was found in
> > netpbm. A maliciously crafted SVG file could cause the application
> > to crash.
>
> > CVE-2017-2587: A memory allocation vulnerability was found in
> > netpbm. A maliciously crafted SVG file could cause the application
> > to crash.
>
> but likely more at:
> https://sourceforge.net/p/netpbm/code/2883/tree/advanced/doc/HISTORY

9021951 grsecurity: 4.9.8-201702071801 -> 4.9.10-201702152052
(Thank you, Joachim Fasting)
> All kernel patches are considered security-sensitive.

ac4559e chromium: flashplayer: 24.0.0.194 -> 24.0.0.221
(Thank you: Kamil Chmielewski (author), Robin Gloster (committer))
> See:
> - https://helpx.adobe.com/flash-player/release-note/fp_24_air_24_release_notes.html
> - https://helpx.adobe.com/security/products/flash-player/apsb17-04.html

9f7ec81 openssl: 1.1.0d -> 1.1.0e for High severity CVE-2017-3733
(Thank you, Matthew Maurer (author))
>
> It was found that changing the ciphersuite during a renegotiation of
> the Encrypt-Then-Mac extension could result in a crash of the OpenSSL
> server or client.

3113646 redis: 3.2.5 -> 3.2.7 for two vulnerabilities
> more: https://www.reddit.com/r/redis/comments/5r8wxn/redis_327_is_out_important_security_fixes_inside/

50b671b graphviz_2_0: hide inside monotoneViz
(Thank you, Michael Raskin)

f3587cc ffmpeg: 3.1.6 -> 3.1.7 for multiple CVEs
(Thank you, Franz Pletz)
> Fixes CVE-2017-5024 & CVE-2017-5025.
>
> See https://ffmpeg.org/security.html.

701192e ffmpeg_3: 3.1.4 -> 3.1.6
(Thank you, Franz Pletz (committer))

13e9396 ffmpeg: 2.8.10 -> 2.8.11 for multiple CVEs
(Thank you, Franz Pletz)
> Fixes CVE-2017-5024 & CVE-2017-5025.
>
> See https://ffmpeg.org/security.html.

a244849 webkitgtk: 2.14.3 -> 2.14.4 for multiple CVEs
(Thank you, Franz Pletz)
> Fixes:
>
> * CVE-2017-2350
> * CVE-2017-2354
> * CVE-2017-2355
> * CVE-2017-2356
> * CVE-2017-2362
> * CVE-2017-2363
> * CVE-2017-2364
> * CVE-2017-2365
> * CVE-2017-2366
> * CVE-2017-2369
> * CVE-2017-2371
> * CVE-2017-2373
>
> See https://webkitgtk.org/security/WSA-2017-0002.html.

fb3ea26 linux: 3.10.104 -> 3.10.105
(Thank you, Tim Steinbach)
> All kernel patches are considered security-sensitive.

fd7e5cb glibc: security 2.24 -> 2.25
(Thank you, Vladimír Čunát)
> https://sourceware.org/ml/libc-alpha/2017-02/msg00079.html

890f40d mupdf: update mujs to fix multiple CVEs
(Thank you, Peter Hoeg)

======================================================================

The following changes were applied to unstable:

6fc3840 tomcat6: drop, no longer supported.
> Tomcat6 is no longer receiving updates as of December 31 2016

f308722 netpbm: 10.70.00 -> 10.77.02 for numerous fixes
> At minimum:
>
> > From the Red Hat bugzilla:
> >
> > CVE-2017-5849: An out of bounds read and write issue was found in
> > netpbm. A maliciously crafted file could cause the application to
> > crash or possibly have other unspecified impact.
> >
> > CVE-2017-2586: A null pointer dereference vulnerability was found in
> > netpbm. A maliciously crafted SVG file could cause the application
> > to crash.
>
> > CVE-2017-2587: A memory allocation vulnerability was found in
> > netpbm. A maliciously crafted SVG file could cause the application
> > to crash.
>
> but likely more at:
> https://sourceforge.net/p/netpbm/code/2883/tree/advanced/doc/HISTORY

e8007c0 linux_4_9: patch for CVE-2017-5986
(Thank you, Joachim Fasting)
> All kernel patches are considered security-sensitive.

73577a2 linux_4_9: 4.9.9 -> 4.9.10
(Thank you, Joachim Fasting)
> All kernel patches are considered security-sensitive.

dcc84d8 quagga: 1.0.20161017 -> 1.2.0
(Thank you, Octavian Cerna)
> From the Red Hat bugzilla entry:
>
> A vulnerability was found in quagga. Telnet interface input buffer allocates unbounded amounts of memory which leads to Denial-of-service.

5ad81ab libxml2: bugfix updates from git upstream
(Thank you, Vladimír Čunát)
> This should solve CVE-2016-5131 and some other bugs, but not what Suse
> calls CVE-2016-9597: https://bugzilla.suse.com/show_bug.cgi?id=1017497
> The bugzilla discussion seems to indicate that the CVE is referenced
> incorrectly and only shows reproducing when using command-line flags
> that are considered "unsafe".
>
> CVE-2016-9318 also remains unfixed, as I consider their reasoning OK:
> https://lwn.net/Alerts/714411/

0d2ba7e openssl: 1.1.0d -> 1.1.0e for High severity CVE-2017-3733
(Thank you, Matthew Maurer)
>
> It was found that changing the ciphersuite during a renegotiation of
> the Encrypt-Then-Mac extension could result in a crash of the OpenSSL
> server or client.

bc2f53f grsecurity: 4.9.8-201702071801 -> 4.9.10-201702152052
(Thank you, Joachim Fasting)
> All kernel patches are considered security-sensitive.

b207bf5 redis: 3.2.5 -> 3.2.7 for two vulnerabilities
> more: https://www.reddit.com/r/redis/comments/5r8wxn/redis_327_is_out_important_security_fixes_inside/

d2d12c2 vim: 8.0.0075 -> 8.0.0329
(Thank you, Daiderd Jordan)
> From the CVE entry:
>
> vim before patch 8.0.0322 does not properly validate values for tree
> length when handling a spell file, which may result in an integer
> overflow at a memory allocation site and a resultant buffer overflow.

2640c87 webkitgtk: 2.14.4 -> 2.14.5
(Thank you: Herwig Hochleitner (author), Franz Pletz (committer))
> All browser patches are considered security-sensitive.

13a1d38 irssi: 1.0.0 -> 1.0.1
(Thank you, Michael Raskin)
> From the SUSE bug report:
>
> Joseph Bisch has detected a remote memory leak in some cases where a
> hostile server would send certain incomplete SASL replies. According
> to his calculations, the server would need to send 13 times the amount
> of memory it wants to leak. The issue is a missing free of the base64
> data.

ac9222f gnome3.gnome-boxes: 3.22.0 -> 3.22.4
> From the Fedora advisory:
>
> gnome-boxes 3.22.4 release, fixing a possible security issue with
> storing the express installation password in clear text. - Store the
> user password in the keyring during an express installation.

c731738 graphviz_2_0: hide inside monotoneViz
(Thank you, Michael Raskin)

bf86a26 gtk-vnc: 0.6.0 -> 0.7.0
(Thank you, Peter Hoeg)
> From the Red Hat bugzilla entry for CVE-2017-5884:
>
> It was found that gtk-vnc does not properly check boundaries of
> subrectangle-containing tiles. A malicious server can use this to
> overwrite parts of the client memory, potentially leading to code
> execution under privileges of the user running the VNC client.
>
> From the Red Hat bugzilla entry for CVE-2017-5885:
>
> It was found that vnc_connection_server_message() and
> vnc_color_map_set() functions do not check for integer overflow
> properly, leading to a malicious server being able to overwrite parts
> of the client memory, possibly leading to remote code execution under
> privileges of user running the VNC client.

1a77e41 chromium: flashplayer: 24.0.0.194 -> 24.0.0.221
(Thank you: Kamil Chmielewski (author), Franz Pletz (committer))
> See:
> - https://helpx.adobe.com/flash-player/release-note/fp_24_air_24_release_notes.html
> - https://helpx.adobe.com/security/products/flash-player/apsb17-04.html

07309d7 webkitgtk: 2.14.3 -> 2.14.4 for multiple CVEs
(Thank you, Franz Pletz)
> Fixes:
>
> * CVE-2017-2350
> * CVE-2017-2354
> * CVE-2017-2355
> * CVE-2017-2356
> * CVE-2017-2362
> * CVE-2017-2363
> * CVE-2017-2364
> * CVE-2017-2365
> * CVE-2017-2366
> * CVE-2017-2369
> * CVE-2017-2371
> * CVE-2017-2373
>
> See https://webkitgtk.org/security/WSA-2017-0002.html.

e8af5dc ffmpeg: 3.2.2 -> 3.2.4 for multiple CVEs
(Thank you, Franz Pletz)
> Fixes CVE-2017-5024 & CVE-2017-5025.
>
> See https://ffmpeg.org/security.html.

d2426f0 ffmpeg: 3.1.6 -> 3.1.7 for multiple CVEs
(Thank you, Franz Pletz)
> Fixes CVE-2017-5024 & CVE-2017-5025.
>
> See https://ffmpeg.org/security.html.

78f59f1 ffmpeg: 2.8.10 -> 2.8.11 for multiple CVEs
(Thank you, Franz Pletz)
> Fixes CVE-2017-5024 & CVE-2017-5025.
>
> See https://ffmpeg.org/security.html.

9d8a0f8 pax-utils: 1.1.7 -> 1.2.2
(Thank you, Joachim Fasting)
> Fixes at least a few out-of-bounds reads[1][2]
>
> [1]: http://seclists.org/oss-sec/2017/q1/256
> [2]: http://seclists.org/oss-sec/2017/q1/308

0ec9e69 linux: 3.10.104 -> 3.10.105
(Thank you, Tim Steinbach)
> All kernel patches are considered security-sensitive.

ccf4d5e cudatoolkit5: remove this ancient version
(Thank you: Frederik Rietdijk (author), Robin Gloster (committer))

c2e2a4d Python: remove 2.6
(Thank you: Frederik Rietdijk (author), Robin Gloster (committer))

96d767d pam_oath: require OATH and pam_unix credentials to be valid
> @clefru on GitHub discovered that enabling the OATH second factor
> made the first factor not required. For example, if you entered
> an incorrect unix password, it would prompt for the OATH second factor
> as a second chance. Entering an incorrect unix password and correct
> OATH token would grant you access.
>
> As of this change, both the OATH token and the unix passwords are
> checked.
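
As an added illustration (not part of this advisory or of nixpkgs), the following Python model of Linux-PAM stack evaluation shows why stacking both modules as "sufficient" lets a valid OATH token stand in for the password, and why making both checks mandatory closes that gap. The pre-fix and post-fix stack layouts and the sample credentials are assumptions chosen to reproduce the symptom described above, not the actual nixpkgs configuration.

```python
# Added example (not from the advisory or nixpkgs): a small model of how a
# Linux-PAM "auth" stack is evaluated, to show why the pre-fix pam_oath setup
# accepted a wrong password together with a valid token.
from typing import Callable, Dict, List, Tuple

Creds = Dict[str, str]
Module = Tuple[str, str, Callable[[Creds], bool]]  # (control flag, name, check)

# Constructed sample credentials standing in for /etc/shadow and users.oath.
VALID_PASSWORD = "correct horse battery staple"
VALID_TOKEN = "123456"

def pam_unix(creds: Creds) -> bool:
    return creds.get("password") == VALID_PASSWORD

def pam_oath(creds: Creds) -> bool:
    return creds.get("token") == VALID_TOKEN

def run_auth_stack(stack: List[Module], creds: Creds) -> bool:
    """Linux-PAM semantics for the three common control flags (simplified:
    no 'optional' and no per-return-code actions).
    required:   failure is remembered, later modules still run
    requisite:  failure ends the stack immediately with failure
    sufficient: success ends the stack with success unless a required module
                already failed; failure is simply ignored"""
    required_failed = required_passed = False
    for flag, _name, check in stack:
        ok = check(creds)
        if flag == "requisite":
            if not ok:
                return False
            required_passed = True
        elif flag == "required":
            required_failed |= not ok
            required_passed |= ok
        elif flag == "sufficient" and ok and not required_failed:
            return True
    # End of stack: fail on any required failure, or if only ignored
    # 'sufficient' failures happened.
    return required_passed and not required_failed

# Assumed pre-fix layout (matches the symptom described above): a failed
# pam_unix is ignored, and a valid pam_oath token alone is enough to get in.
BEFORE_FIX: List[Module] = [("sufficient", "pam_unix", pam_unix),
                            ("sufficient", "pam_oath", pam_oath)]
# Assumed post-fix layout: the token must pass before anything else runs and
# the password check is required, so both credentials have to be valid.
AFTER_FIX: List[Module] = [("requisite", "pam_oath", pam_oath),
                           ("required", "pam_unix", pam_unix)]
```

Running run_auth_stack on the two layouts with a wrong password and a valid token reproduces the reported behaviour: the first layout grants access, the second refuses it.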

a01f8a4 glibc: security 2.24 -> 2.25
(Thank you, Vladimír Čunát)
> https://sourceware.org/ml/libc-alpha/2017-02/msg00079.html

b1a05a0 nixos: drop references to kde4
> KDE4 is no longer supported in unstable.

3cec7d1 kdm: drop service
> KDM is no longer supported in unstable.

Thank you very much,
Graham Christensen
NixOS Security Team
https://github.com/nixos/security