cucumber-linux-security Mailing List for Cucumber Linux (Page 8)
A general purpose desktop and server Linux distribution.
From: Scott C. <sc...@cu...> - 2018-02-12 19:49:33

Update Information

A security update is available for librsvg for the following versions of Cucumber Linux:
* 1.0
* 1.1 Beta

Here are the details from the Cucumber 1.0 changelog:

+----------------+
Mon Feb 12 14:16:35 EST 2018
x-general/librsvg rebuilt (build 2) to fix CVE-2018-1000041, a security vulnerability that had the potential to result in leaking of usernames and password hashes. For more information see:
http://security.cucumberlinux.com/security/details.php?id=288
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000041
multilib/x-general/librsvg-lib_i686 rebuilt (build 2, x86_64 only)
* SECURITY FIX *
+----------------+

------------------------------------------------------------------------

CLD and CVE Information

This update is associated with the following Cucumber Linux Deficiency (CLD) and CVE numbers:
* CLD-288 [CVE-2018-1000041] (http://security.cucumberlinux.com/security/details.php?id=288)

More information about these CLDs can be found at their respective pages on the Cucumber Linux Security Advisory Tracker (these are the URLs in parentheses above).

------------------------------------------------------------------------

Installing the Update

The updated package can be installed via Pickle by running the following commands (as root):
# pickle --update
# pickle

Make sure librsvg is selected on the update list, and then select Ok. Pickle will then install the updated package.

If you prefer to download the updated package manually, it can be found on the mirror at http://mirror.cucumberlinux.com/cucumber/.

------------------------------------------------------------------------

The Cucumber Linux Security Team
cuc...@li... <mailto:cuc...@li...>
http://www.cucumberlinux.com/security.php
From: Scott C. <sc...@cu...> - 2018-02-07 19:34:32

Update Information

A security update is available for mariadb for the following versions of Cucumber Linux:
* 1.0
* 1.1 Beta

Here are the details from the Cucumber 1.0 changelog:

+----------------+
Wed Feb 7 13:59:38 EST 2018
net-general/mariadb upgraded from 10.1.30 to 10.1.31 to fix several security vulnerabilities: CVE-2018-2562, CVE-2018-2622, CVE-2018-2640, CVE-2018-2665, CVE-2018-2668 and CVE-2018-2612. For more information see:
http://security.cucumberlinux.com/security/details.php?id=273
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2562
http://security.cucumberlinux.com/security/details.php?id=274
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2622
http://security.cucumberlinux.com/security/details.php?id=275
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2640
http://security.cucumberlinux.com/security/details.php?id=276
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2665
http://security.cucumberlinux.com/security/details.php?id=277
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2668
http://security.cucumberlinux.com/security/details.php?id=278
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2612
multilib/net-general/mariadb-lib_i686 upgraded from 10.1.30 to 10.1.31 (x86_64 only).
* SECURITY FIX *
+----------------+

------------------------------------------------------------------------

CLD and CVE Information

This update is associated with the following Cucumber Linux Deficiency (CLD) and CVE numbers:
* CLD-273 [CVE-2018-2562] (http://security.cucumberlinux.com/security/details.php?id=273)
* CLD-274 [CVE-2018-2622] (http://security.cucumberlinux.com/security/details.php?id=274)
* CLD-275 [CVE-2018-2640] (http://security.cucumberlinux.com/security/details.php?id=275)
* CLD-276 [CVE-2018-2665] (http://security.cucumberlinux.com/security/details.php?id=276)
* CLD-277 [CVE-2018-2668] (http://security.cucumberlinux.com/security/details.php?id=277)
* CLD-278 [CVE-2018-2612] (http://security.cucumberlinux.com/security/details.php?id=278)

More information about these CLDs can be found at their respective pages on the Cucumber Linux Security Advisory Tracker (these are the URLs in parentheses above).

------------------------------------------------------------------------

Installing the Update

The updated package can be installed via Pickle by running the following commands (as root):
# pickle --update
# pickle

Make sure mariadb is selected on the update list, and then select Ok. Pickle will then install the updated package.

If you prefer to download the updated package manually, it can be found on the mirror at http://mirror.cucumberlinux.com/cucumber/.

------------------------------------------------------------------------

The Cucumber Linux Security Team
cuc...@li... <mailto:cuc...@li...>
http://www.cucumberlinux.com/security.php
From: Scott C. <sc...@cu...> - 2018-02-06 16:50:53

Update Information

A security update is available for libjpeg-turbo for the following versions of Cucumber Linux:
* 1.0
* 1.1 Beta

Here are the details from the Cucumber 1.0 changelog:

+----------------+
Tue Feb 6 11:19:40 EST 2018
lib-base/libjpeg-turbo rebuilt (build 3) to fix CVE-2017-15232, a NULL pointer dereference vulnerability that could result in a denial of service (crash). For more information see:
http://security.cucumberlinux.com/security/details.php?id=272
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15232
multilib/lib-base/libjpeg-turbo-lib_i686 rebuilt (build 3, x86_64 only)
* SECURITY FIX *
+----------------+

------------------------------------------------------------------------

CLD and CVE Information

This update is associated with the following Cucumber Linux Deficiency (CLD) and CVE numbers:
* CLD-272 [CVE-2017-15232] (http://security.cucumberlinux.com/security/details.php?id=272)

More information about these CLDs can be found at their respective pages on the Cucumber Linux Security Advisory Tracker (these are the URLs in parentheses above).

------------------------------------------------------------------------

Installing the Update

The updated package can be installed via Pickle by running the following commands (as root):
# pickle --update
# pickle

Make sure libjpeg-turbo is selected on the update list, and then select Ok. Pickle will then install the updated package.

If you prefer to download the updated package manually, it can be found on the mirror at http://mirror.cucumberlinux.com/cucumber/.

------------------------------------------------------------------------

The Cucumber Linux Security Team
cuc...@li... <mailto:cuc...@li...>
http://www.cucumberlinux.com/security.php
From: Scott C. <sc...@cu...> - 2018-02-05 21:52:13

Update Information

A security update is available for ffmpeg for the following versions of Cucumber Linux:
* 1.0
* 1.1 Beta

Here are the details from the Cucumber 1.0 changelog:

+----------------+
Mon Feb 5 16:19:36 EST 2018
lib-base/ffmpeg rebuilt (build 2) to fix CVE-2018-6621, a security vulnerability that allowed for remote attackers to cause a denial of service (crash) via a specially crafted AVI file. For more information see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6621
http://security.cucumberlinux.com/security/details.php?id=270
multilib/lib-base/ffmpeg-lib_i686 rebuilt (build 2, x86_64 only)
* SECURITY FIX *
+----------------+

------------------------------------------------------------------------

CLD and CVE Information

This update is associated with the following Cucumber Linux Deficiency (CLD) and CVE numbers:
* CLD-270 [CVE-2018-6621] (http://security.cucumberlinux.com/security/details.php?id=270)

More information about these CLDs can be found at their respective pages on the Cucumber Linux Security Advisory Tracker (these are the URLs in parentheses above).

------------------------------------------------------------------------

Installing the Update

The updated package can be installed via Pickle by running the following commands (as root):
# pickle --update
# pickle

Make sure ffmpeg is selected on the update list, and then select Ok. Pickle will then install the updated package.

If you prefer to download the updated package manually, it can be found on the mirror at http://mirror.cucumberlinux.com/cucumber/.

------------------------------------------------------------------------

The Cucumber Linux Security Team
cuc...@li... <mailto:cuc...@li...>
http://www.cucumberlinux.com/security.php
From: Scott C. <sc...@cu...> - 2018-02-05 20:27:56

Update Information

A security update is available for p7zip for the following versions of Cucumber Linux:
* 1.0
* 1.1 Beta

Here are the details from the Cucumber 1.0 changelog:

+----------------+
Mon Feb 5 14:15:02 EST 2018
apps-general/p7zip rebuilt (build 3) to fix three security vulnerabilities: a heap based buffer overflow vulnerability that could result in arbitrary code execution via a specially crafted zip archive (CVE-2017-17969), a denial of service vulnerability resulting from a null pointer dereference (CVE-2016-9296) and a denial of service & arbitrary code execution vulnerability resulting from insufficient exception handling for RAR files. For more information see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17969
http://security.cucumberlinux.com/security/details.php?id=268
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9296
http://security.cucumberlinux.com/security/details.php?id=269
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5996
http://security.cucumberlinux.com/security/details.php?id=271
* SECURITY FIX *
+----------------+

------------------------------------------------------------------------

CLD and CVE Information

This update is associated with the following Cucumber Linux Deficiency (CLD) and CVE numbers:
* CLD-268 [CVE-2017-17969] (http://security.cucumberlinux.com/security/details.php?id=268)
* CLD-269 [CVE-2016-9296] (http://security.cucumberlinux.com/security/details.php?id=269)
* CLD-271 [CVE-2018-5996] (http://security.cucumberlinux.com/security/details.php?id=271)

More information about these CLDs can be found at their respective pages on the Cucumber Linux Security Advisory Tracker (these are the URLs in parentheses above).

------------------------------------------------------------------------

Installing the Update

The updated package can be installed via Pickle by running the following commands (as root):
# pickle --update
# pickle

Make sure p7zip is selected on the update list, and then select Ok. Pickle will then install the updated package.

If you prefer to download the updated package manually, it can be found on the mirror at http://mirror.cucumberlinux.com/cucumber/.

------------------------------------------------------------------------

The Cucumber Linux Security Team
cuc...@li... <mailto:cuc...@li...>
http://www.cucumberlinux.com/security.php
From: Scott C. <sc...@cu...> - 2018-02-02 14:30:38

Update Information

A security update is available for palemoon for the following versions of Cucumber Linux:
* 1.0
* 1.1 Beta

Here are the details from the Cucumber 1.0 changelog:

+----------------+
Fri Feb 2 08:56:32 EST 2018
testing/xapps-testing/palemoon upgraded from 27.7.1 to 27.7.2 to fix two security vulnerabilities: CVE-2018-5122 (an integer overflow in AesTask::DoCrypto()) and CVE-2018-5102 (a crash in HTML media elements). For more information see:
http://www.palemoon.org/releasenotes.shtml
http://security.cucumberlinux.com/security/details.php?id=266
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5122
http://security.cucumberlinux.com/security/details.php?id=267
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5102
* SECURITY FIX *
+----------------+

------------------------------------------------------------------------

CLD and CVE Information

This update is associated with the following Cucumber Linux Deficiency (CLD) and CVE numbers:
* CLD-266 [CVE-2018-5122] (http://security.cucumberlinux.com/security/details.php?id=266)
* CLD-267 [CVE-2018-5102] (http://security.cucumberlinux.com/security/details.php?id=267)

More information about these CLDs can be found at their respective pages on the Cucumber Linux Security Advisory Tracker (these are the URLs in parentheses above).

------------------------------------------------------------------------

Installing the Update

The updated package can be installed via Pickle by running the following commands (as root):
# pickle --update
# pickle

Make sure palemoon is selected on the update list, and then select Ok. Pickle will then install the updated package.

If you prefer to download the updated package manually, it can be found on the mirror at http://mirror.cucumberlinux.com/cucumber/.

------------------------------------------------------------------------

The Cucumber Linux Security Team
cuc...@li... <mailto:cuc...@li...>
http://www.cucumberlinux.com/security.php
From: Scott C. <sc...@cu...> - 2018-02-02 00:43:41

Update Information

A security update is available for linux for the following versions of Cucumber Linux:
* 1.0
* 1.1 Beta

Here are the details from the Cucumber 1.0 changelog:

+----------------+
Thu Feb 1 16:33:19 EST 2018
base/linux upgraded from 4.9.78 to 4.9.79 to further address the Spectre 2 attack (CVE-2017-5715). This update enables the new BPF_JIT_ALWAYS_ON feature of the Linux kernel, which removes the kernel's BPF interpreter. This interpreter was used in the Spectre 2 attack that Google published. It should be noted that this change does not completely prevent this attack; it just makes it more difficult to exploit. For more information see:
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.79
http://security.cucumberlinux.com/security/details.php?id=202
* SECURITY FIX *
+----------------+

------------------------------------------------------------------------

CLD and CVE Information

This update is associated with the following Cucumber Linux Deficiency (CLD) and CVE numbers:
* CLD-202 [CVE-2017-5715] (http://security.cucumberlinux.com/security/details.php?id=202)

More information about these CLDs can be found at their respective pages on the Cucumber Linux Security Advisory Tracker (these are the URLs in parentheses above).

------------------------------------------------------------------------

Installing the Update

The updated package can be installed via Pickle by running the following commands (as root):
# pickle --update
# pickle

Make sure linux is selected on the update list, and then select Ok. Pickle will then install the updated package.

If you prefer to download the updated package manually, it can be found on the mirror at http://mirror.cucumberlinux.com/cucumber/.

------------------------------------------------------------------------

The Cucumber Linux Security Team
cuc...@li... <mailto:cuc...@li...>
http://www.cucumberlinux.com/security.php
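The kernel advisory above says the 4.9.79 package enables BPF_JIT_ALWAYS_ON, which removes the in-kernel BPF interpreter. An administrator who wants to confirm that a booted kernel actually carries that option can read the build configuration. The following POSIX shell script is an added example written for this page; it is not Cucumber Linux or Pickle tooling. It assumes the kernel config is readable as either a plain .config file (the /boot/config-<release> location is an assumption about where a distribution keeps it) or the gzip-compressed /proc/config.gz, and it uses constructed sample config files so the check can be exercised offline. The second function reads the net.core.bpf_jit_enable sysctl value; on a kernel built with CONFIG_BPF_JIT_ALWAYS_ON=y that value is pinned to 1 and cannot be switched back to 0, so a readable 0 there is a sign the interpreter is still in use.

```shell
# Added example, not Cucumber Linux's own code: check whether a kernel was
# built with CONFIG_BPF_JIT_ALWAYS_ON=y (the option named in the advisory).

# bpf_jit_always_on CONFIG_FILE
#   CONFIG_FILE is a plain kernel .config or a gzip-compressed one
#   (e.g. /proc/config.gz). Returns 0 when the option is set, 1 otherwise.
bpf_jit_always_on() {
    cfg="$1"
    case "$cfg" in
        *.gz) gzip -dc "$cfg" ;;
        *)    cat "$cfg" ;;
    esac | grep -qx 'CONFIG_BPF_JIT_ALWAYS_ON=y'
}

# bpf_jit_sysctl_ok SYSCTL_FILE
#   SYSCTL_FILE is normally /proc/sys/net/core/bpf_jit_enable. Returns 0 when
#   the JIT is enabled (value 1 or 2), 1 when the interpreter is in use (0).
bpf_jit_sysctl_ok() {
    val=$(tr -d '[:space:]' < "$1")
    [ "$val" = 1 ] || [ "$val" = 2 ]
}

# bpf_jit_report CONFIG_FILE SYSCTL_FILE
#   Prints a one-line verdict and returns 0 only if both checks pass.
bpf_jit_report() {
    if bpf_jit_always_on "$1" && bpf_jit_sysctl_ok "$2"; then
        echo "OK: BPF interpreter removed (CONFIG_BPF_JIT_ALWAYS_ON=y, JIT enabled)"
        return 0
    fi
    echo "WARN: BPF interpreter may still be present; check $1 and $2"
    return 1
}

# Constructed sample inputs (not taken from any real system) for offline use.
sample_dir=$(mktemp -d)
printf 'CONFIG_BPF=y\nCONFIG_BPF_JIT=y\nCONFIG_BPF_JIT_ALWAYS_ON=y\n' \
    > "$sample_dir/config-hardened"
printf 'CONFIG_BPF=y\nCONFIG_BPF_JIT=y\n# CONFIG_BPF_JIT_ALWAYS_ON is not set\n' \
    > "$sample_dir/config-default"
printf '1\n' > "$sample_dir/jit-on"
printf '0\n' > "$sample_dir/jit-off"

# Set BPF_CHECK_LIVE=1 to also inspect the running kernel, if its config is
# readable (assumed locations: /proc/config.gz, then /boot/config-<release>).
if [ "${BPF_CHECK_LIVE:-0}" = 1 ]; then
    for f in /proc/config.gz "/boot/config-$(uname -r)"; do
        if [ -r "$f" ]; then
            bpf_jit_report "$f" /proc/sys/net/core/bpf_jit_enable
            break
        fi
    done
fi
```

Run it with BPF_CHECK_LIVE=1 on the host being audited; without that variable it only builds the sample files, which is what makes it usable as a library of functions in a larger compliance script.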
From: Scott C. <sc...@cu...> - 2018-02-01 20:57:05

Update Information

A security update is available for poppler for the following versions of Cucumber Linux:
* 1.0
* 1.1 Beta

Here are the details from the Cucumber 1.0 changelog:

+----------------+
Thu Feb 1 13:04:09 EST 2018
lib-base/poppler rebuilt (build 5) to fix several security vulnerabilities: CVE-2017-9406, CVE-2017-9408, CVE-2017-9776, CVE-2017-9865, CVE-2017-14517, CVE-2017-14518, CVE-2017-14520, CVE-2017-14975, CVE-2017-14976, CVE-2017-14977, CVE-2017-15565, CVE-2017-7511 and CVE-2017-1000456. For more information see:
http://security.cucumberlinux.com/security/details.php?id=207
http://security.cucumberlinux.com/security/details.php?id=208
http://security.cucumberlinux.com/security/details.php?id=210
http://security.cucumberlinux.com/security/details.php?id=211
http://security.cucumberlinux.com/security/details.php?id=212
http://security.cucumberlinux.com/security/details.php?id=213
http://security.cucumberlinux.com/security/details.php?id=215
http://security.cucumberlinux.com/security/details.php?id=216
http://security.cucumberlinux.com/security/details.php?id=217
http://security.cucumberlinux.com/security/details.php?id=218
http://security.cucumberlinux.com/security/details.php?id=219
http://security.cucumberlinux.com/security/details.php?id=236
http://security.cucumberlinux.com/security/details.php?id=248
multilib/lib-base/poppler-lib_i686 rebuilt (build 5, x86_64 only)
* SECURITY FIX *
+----------------+

------------------------------------------------------------------------

CLD and CVE Information

This update is associated with the following Cucumber Linux Deficiency (CLD) and CVE numbers:
* CLD-207 [CVE-2017-9406] (http://security.cucumberlinux.com/security/details.php?id=207)
* CLD-208 [CVE-2017-9408] (http://security.cucumberlinux.com/security/details.php?id=208)
* CLD-210 [CVE-2017-9776] (http://security.cucumberlinux.com/security/details.php?id=210)
* CLD-211 [CVE-2017-9865] (http://security.cucumberlinux.com/security/details.php?id=211)
* CLD-212 [CVE-2017-14517] (http://security.cucumberlinux.com/security/details.php?id=212)
* CLD-213 [CVE-2017-14518] (http://security.cucumberlinux.com/security/details.php?id=213)
* CLD-215 [CVE-2017-14520] (http://security.cucumberlinux.com/security/details.php?id=215)
* CLD-216 [CVE-2017-14975] (http://security.cucumberlinux.com/security/details.php?id=216)
* CLD-217 [CVE-2017-14976] (http://security.cucumberlinux.com/security/details.php?id=217)
* CLD-218 [CVE-2017-14977] (http://security.cucumberlinux.com/security/details.php?id=218)
* CLD-219 [CVE-2017-15565] (http://security.cucumberlinux.com/security/details.php?id=219)
* CLD-236 [CVE-2017-7511] (http://security.cucumberlinux.com/security/details.php?id=236)
* CLD-248 [CVE-2017-1000456] (http://security.cucumberlinux.com/security/details.php?id=248)

More information about these CLDs can be found at their respective pages on the Cucumber Linux Security Advisory Tracker (these are the URLs in parentheses above).

------------------------------------------------------------------------

Installing the Update

The updated package can be installed via Pickle by running the following commands (as root):
# pickle --update
# pickle

Make sure poppler is selected on the update list, and then select Ok. Pickle will then install the updated package.

If you prefer to download the updated package manually, it can be found on the mirror at http://mirror.cucumberlinux.com/cucumber/.

------------------------------------------------------------------------

The Cucumber Linux Security Team
cuc...@li... <mailto:cuc...@li...>
http://www.cucumberlinux.com/security.php
From: Scott C. <sc...@cu...> - 2018-01-31 15:05:57

Update Information

A security update is available for ncurses for the following versions of Cucumber Linux:
* 1.0
* 1.1 Beta

Here are the details from the Cucumber 1.0 changelog:

+----------------+
Wed Jan 31 09:24:48 EST 2018
base/ncurses rebuilt (build 3) to fix several security vulnerabilities: CVE-2017-10684, CVE-2017-10685, CVE-2017-11112, CVE-2017-11113, CVE-2017-13733, CVE-2017-13728, CVE-2017-13729, CVE-2017-13730, CVE-2017-13731, CVE-2017-13732 and CVE-2017-13734. For more information see:
http://security.cucumberlinux.com/security/details.php?id=255
http://security.cucumberlinux.com/security/details.php?id=256
http://security.cucumberlinux.com/security/details.php?id=257
http://security.cucumberlinux.com/security/details.php?id=258
http://security.cucumberlinux.com/security/details.php?id=259
http://security.cucumberlinux.com/security/details.php?id=260
http://security.cucumberlinux.com/security/details.php?id=261
http://security.cucumberlinux.com/security/details.php?id=262
http://security.cucumberlinux.com/security/details.php?id=263
http://security.cucumberlinux.com/security/details.php?id=264
multilib/base/ncurses-lib_i686 rebuilt (build 3, x86_64 only)
* SECURITY FIX *
+----------------+

------------------------------------------------------------------------

CLD and CVE Information

This update is associated with the following Cucumber Linux Deficiency (CLD) and CVE numbers:
* CLD-255 [CVE-2017-10685] (http://security.cucumberlinux.com/security/details.php?id=255)
* CLD-256 [CVE-2017-11112] (http://security.cucumberlinux.com/security/details.php?id=256)
* CLD-257 [CVE-2017-11113] (http://security.cucumberlinux.com/security/details.php?id=257)
* CLD-258 [CVE-2017-13733] (http://security.cucumberlinux.com/security/details.php?id=258)
* CLD-259 [CVE-2017-13728] (http://security.cucumberlinux.com/security/details.php?id=259)
* CLD-260 [CVE-2017-13729] (http://security.cucumberlinux.com/security/details.php?id=260)
* CLD-261 [CVE-2017-13730] (http://security.cucumberlinux.com/security/details.php?id=261)
* CLD-262 [CVE-2017-13731] (http://security.cucumberlinux.com/security/details.php?id=262)
* CLD-263 [CVE-2017-13732] (http://security.cucumberlinux.com/security/details.php?id=263)
* CLD-264 [CVE-2017-13734] (http://security.cucumberlinux.com/security/details.php?id=264)

More information about these CLDs can be found at their respective pages on the Cucumber Linux Security Advisory Tracker (these are the URLs in parentheses above).

------------------------------------------------------------------------

Installing the Update

The updated package can be installed via Pickle by running the following commands (as root):
# pickle --update
# pickle

Make sure ncurses is selected on the update list, and then select Ok. Pickle will then install the updated package.

If you prefer to download the updated package manually, it can be found on the mirror at http://mirror.cucumberlinux.com/cucumber/.

------------------------------------------------------------------------

The Cucumber Linux Security Team
cuc...@li... <mailto:cuc...@li...>
http://www.cucumberlinux.com/security.php
From: Scott C. <sc...@cu...> - 2018-01-29 23:05:06

Update Information

A security update is available for cpio for the following versions of Cucumber Linux:
* 1.0
* 1.1 Beta

Here are the details from the Cucumber 1.0 changelog:

+----------------+
Mon Jan 29 17:35:04 EST 2018
apps-base/cpio rebuilt (build 2) to fix CVE-2017-7516, a security vulnerability which could result in arbitrary files being overwritten when the user extracts a maliciously crafted cpio archive. For more information see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7516
http://security.cucumberlinux.com/security/details.php?id=252
https://lists.gnu.org/archive/html/bug-cpio/2017-06/msg00001.html
* SECURITY FIX *
+----------------+

------------------------------------------------------------------------

CLD and CVE Information

This update is associated with the following Cucumber Linux Deficiency (CLD) and CVE numbers:
* CLD-252 [CVE-2017-7516] (http://security.cucumberlinux.com/security/details.php?id=252)

More information about these CLDs can be found at their respective pages on the Cucumber Linux Security Advisory Tracker (these are the URLs in parentheses above).

------------------------------------------------------------------------

Installing the Update

The updated package can be installed via Pickle by running the following commands (as root):
# pickle --update
# pickle

Make sure cpio is selected on the update list, and then select Ok. Pickle will then install the updated package.

If you prefer to download the updated package manually, it can be found on the mirror at http://mirror.cucumberlinux.com/cucumber/.

------------------------------------------------------------------------

The Cucumber Linux Security Team
cuc...@li... <mailto:cuc...@li...>
http://www.cucumberlinux.com/security.php
From: Scott C. <sc...@cu...> - 2018-01-26 22:25:55

Update Information

A security update is available for thunderbird for the following versions of Cucumber Linux:
* 1.0
* 1.1 Beta

Here are the details from the Cucumber 1.0 changelog:

+----------------+
Fri Jan 26 08:54:12 EST 2018
xapps-general/thunderbird upgraded from 52.5.2 to 52.6.0 to fix several security vulnerabilities:
CVE-2018-5095: Integer overflow in Skia library during edge builder allocation
CVE-2018-5096: Use-after-free while editing form elements
CVE-2018-5097: Use-after-free when source document is manipulated during XSLT
CVE-2018-5098: Use-after-free while manipulating form input elements
CVE-2018-5099: Use-after-free with widget listener
CVE-2018-5102: Use-after-free in HTML media elements
CVE-2018-5103: Use-after-free during mouse event handling
CVE-2018-5104: Use-after-free during font face manipulation
CVE-2018-5117: URL spoofing with right-to-left text aligned left-to-right
CVE-2018-5089: Memory safety bugs fixed in Firefox 58, Firefox ESR 52.6, and Thunderbird 52.6
For more information see:
https://www.mozilla.org/en-US/security/advisories/mfsa2018-04/
http://security.cucumberlinux.com/security/details.php?id=250
* SECURITY FIX *
+----------------+

------------------------------------------------------------------------

CLD and CVE Information

This update is associated with the following Cucumber Linux Deficiency (CLD) and CVE numbers:
* CLD-250 (http://security.cucumberlinux.com/security/details.php?id=250)

More information about these CLDs can be found at their respective pages on the Cucumber Linux Security Advisory Tracker (these are the URLs in parentheses above).

------------------------------------------------------------------------

Installing the Update

The updated package can be installed via Pickle by running the following commands (as root):
# pickle --update
# pickle

Make sure thunderbird is selected on the update list, and then select Ok. Pickle will then install the updated package.

If you prefer to download the updated package manually, it can be found on the mirror at http://mirror.cucumberlinux.com/cucumber/.

------------------------------------------------------------------------

The Cucumber Linux Security Team
cuc...@li... <mailto:cuc...@li...>
http://www.cucumberlinux.com/security.php
From: Scott C. <sc...@cu...> - 2018-01-26 00:31:39

Update Information

A security update is available for dovecot for the following versions of Cucumber Linux:
* 1.0
* 1.1 Beta

Here are the details from the Cucumber 1.1 Beta changelog:

+----------------+
Thu Jan 25 18:57:54 EST 2018
net-extra/dovecot rebuilt (build 3) to fix CVE-2017-15132, a security vulnerability which could allow for an attacker to cause a denial of service (crash) if dovecot was run with certain high performance configurations. It should be noted that the default configuration is not affected; only systems that have been explicitly configured to reuse the login process are vulnerable. For more information see:
http://security.cucumberlinux.com/security/details.php?id=249
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15132
* SECURITY FIX *
+----------------+

------------------------------------------------------------------------

CLD and CVE Information

This update is associated with the following Cucumber Linux Deficiency (CLD) and CVE numbers:
* CLD-249 [CVE-2017-15132] (http://security.cucumberlinux.com/security/details.php?id=249)

More information about these CLDs can be found at their respective pages on the Cucumber Linux Security Advisory Tracker (these are the URLs in parentheses above).

------------------------------------------------------------------------

Installing the Update

The updated package can be installed via Pickle by running the following commands (as root):
# pickle --update
# pickle

Make sure dovecot is selected on the update list, and then select Ok. Pickle will then install the updated package.

If you prefer to download the updated package manually, it can be found on the mirror at http://mirror.cucumberlinux.com/cucumber/.

------------------------------------------------------------------------

The Cucumber Linux Security Team
cuc...@li... <mailto:cuc...@li...>
http://www.cucumberlinux.com/security.php
From: Scott C. <sc...@cu...> - 2018-01-24 14:49:04

Update Information

A security update is available for curl for the following versions of Cucumber Linux:
* 1.0
* 1.1 Beta

Here are the details from the Cucumber 1.0 changelog:

+----------------+
Wed Jan 24 09:19:58 EST 2018
net-base/curl upgraded from 7.57.0 to 7.58.0 to fix two security vulnerabilities: CVE-2018-1000005 and CVE-2018-1000007. For more information see:
http://security.cucumberlinux.com/security/details.php?id=242
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000005
http://security.cucumberlinux.com/security/details.php?id=243
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000007
multilib/net-base/curl-lib_i686 upgraded from 7.57 to 7.58 to fix CVE-2018-1000005 and CVE-2018-1000007 (x86_64 only)
* SECURITY FIX *
+----------------+

------------------------------------------------------------------------

CLD and CVE Information

This update is associated with the following Cucumber Linux Deficiency (CLD) and CVE numbers:
* CLD-242 [CVE-2018-1000005] (http://security.cucumberlinux.com/security/details.php?id=242)
* CLD-243 [CVE-2018-1000007] (http://security.cucumberlinux.com/security/details.php?id=243)

More information about these CLDs can be found at their respective pages on the Cucumber Linux Security Advisory Tracker (these are the URLs in parentheses above).

------------------------------------------------------------------------

Installing the Update

The updated package can be installed via Pickle by running the following commands (as root):
# pickle --update
# pickle

Make sure curl is selected on the update list, and then select Ok. Pickle will then install the updated package.

If you prefer to download the updated package manually, it can be found on the mirror at http://mirror.cucumberlinux.com/cucumber/.

------------------------------------------------------------------------

The Cucumber Linux Security Team
cuc...@li... <mailto:cuc...@li...>
http://www.cucumberlinux.com/security.php
From: Scott C. <sc...@cu...> - 2018-01-20 19:55:32

Update Information

A security update is available for firefox for the following versions of Cucumber Linux:
* 1.0
* 1.1 Beta

Here are the details from the Cucumber 1.0 changelog:

+----------------+
Sat Jan 20 14:23:24 EST 2018
xapps-general/firefox upgraded from 52.5.3 to 52.6.0. This release probably contains security fixes, but unfortunately, Mozilla doesn't like to make the details of their security fixes publicly available until several weeks after they are released, so we are unable to provide more information at this time. We have upgraded to be safe. For more information see:
http://security.cucumberlinux.com/security/details.php?id=239
* SECURITY FIX *
+----------------+

------------------------------------------------------------------------

CLD and CVE Information

This update is associated with the following Cucumber Linux Deficiency (CLD) and CVE numbers:
* CLD-239 (http://security.cucumberlinux.com/security/details.php?id=239)

More information about these CLDs can be found at their respective pages on the Cucumber Linux Security Advisory Tracker (these are the URLs in parentheses above).

------------------------------------------------------------------------

Installing the Update

The updated package can be installed via Pickle by running the following commands (as root):
# pickle --update
# pickle

Make sure firefox is selected on the update list, and then select Ok. Pickle will then install the updated package.

If you prefer to download the updated package manually, it can be found on the mirror at http://mirror.cucumberlinux.com/cucumber/.

------------------------------------------------------------------------

The Cucumber Linux Security Team
cuc...@li... <mailto:cuc...@li...>
http://www.cucumberlinux.com/security.php
From: Scott C. <sc...@cu...> - 2018-01-18 18:57:30
Update Information

A security update is available for rsync for the following versions of Cucumber Linux:

* 1.0
* 1.1 Beta

Here are the details from the Cucumber 1.0 changelog:

+----------------+
Thu Jan 18 13:27:16 EST 2018
net-general/rsync rebuilt (build 8) to fix CVE-2018-5764, a vulnerability that allows a remote attacker to bypass intended argument sanitization. For more information see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5764
http://security.cucumberlinux.com/security/details.php?id=232
* SECURITY FIX *
+----------------+

------------------------------------------------------------------------

CLD and CVE Information

This update is associated with the following Cucumber Linux Deficiency (CLD) and CVE numbers:

* CLD-232 [CVE-2018-5764] (http://security.cucumberlinux.com/security/details.php?id=232)

More information about these CLDs can be found at their respective pages on the Cucumber Linux Security Advisory Tracker (these are the URLs in parentheses above).

------------------------------------------------------------------------

Installing the Update

The updated package can be installed via Pickle by running the following commands (as root):

# pickle --update
# pickle

Make sure rsync is selected on the update list, and then select Ok. Pickle will then install the updated package.

If you prefer to download the updated package manually, it can be found on the mirror at http://mirror.cucumberlinux.com/cucumber/.

------------------------------------------------------------------------

The Cucumber Linux Security Team
cuc...@li... <mailto:cuc...@li...>
http://www.cucumberlinux.com/security.php
From: Scott C. <sc...@cu...> - 2018-01-18 17:17:44
Update Information

A security update is available for linux for the following versions of Cucumber Linux:

* 1.0
* 1.1 Beta

Here are the details from the Cucumber 1.0 changelog:

+----------------+
Thu Jan 18 11:19:40 EST 2018
base/linux upgraded from 4.9.76 to 4.9.77 to mitigate against the Spectre attacks (CVE-2017-5753 and CVE-2017-5715). Additionally, it contains fixes for two other vulnerabilities: CVE-2017-17741 and CVE-2017-1000410. For more information see:
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.77
https://meltdownattack.com/
http://security.cucumberlinux.com/security/details.php?id=201
http://security.cucumberlinux.com/security/details.php?id=202
http://security.cucumberlinux.com/security/details.php?id=233
http://security.cucumberlinux.com/security/details.php?id=234
* SECURITY FIX *
+----------------+

------------------------------------------------------------------------

CLD and CVE Information

This update is associated with the following Cucumber Linux Deficiency (CLD) and CVE numbers:

* CLD-201 [CVE-2017-5753] (http://security.cucumberlinux.com/security/details.php?id=201)
* CLD-202 [CVE-2017-5715] (http://security.cucumberlinux.com/security/details.php?id=202)
* CLD-233 [CVE-2017-17741] (http://security.cucumberlinux.com/security/details.php?id=233)
* CLD-234 [CVE-2017-1000410] (http://security.cucumberlinux.com/security/details.php?id=234)

More information about these CLDs can be found at their respective pages on the Cucumber Linux Security Advisory Tracker (these are the URLs in parentheses above).

------------------------------------------------------------------------

Installing the Update

The updated package can be installed via Pickle by running the following commands (as root):

# pickle --update
# pickle

Make sure linux is selected on the update list, and then select Ok. Pickle will then install the updated package.

If you prefer to download the updated package manually, it can be found on the mirror at http://mirror.cucumberlinux.com/cucumber/.

------------------------------------------------------------------------

The Cucumber Linux Security Team
cuc...@li... <mailto:cuc...@li...>
http://www.cucumberlinux.com/security.php
From: Scott C. <sc...@cu...> - 2018-01-17 15:14:14
Update Information

A security update is available for bind-server for the following versions of Cucumber Linux:

* 1.0
* 1.1 Beta

Here are the details from the Cucumber 1.1 Beta changelog:

+----------------+
Wed Jan 17 09:03:19 EST 2018
net-extra/bind-server upgraded from 9.11.2 to 9.11.2_P1 to fix a few security vulnerabilities: CVE-2017-3145 (a use after free vulnerability), CVE-2017-3143 (a vulnerability which could result in unauthorized zone transfers) and CVE-2017-3140 (a vulnerability which could cause named to go into an infinite loop). For more information see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3145
http://security.cucumberlinux.com/security/details.php?id=227
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3143
http://security.cucumberlinux.com/security/details.php?id=229
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3140
http://security.cucumberlinux.com/security/details.php?id=231
https://lists.isc.org/pipermail/bind-announce/2018-January/001075.html
multilib/net-extra/bind-server upgraded from 9.11.2 to 9.11.2_P1 (x86_64 only)
* SECURITY FIX *
+----------------+

------------------------------------------------------------------------

CLD and CVE Information

This update is associated with the following Cucumber Linux Deficiency (CLD) and CVE numbers:

* CLD-227 [CVE-2017-3145] (http://security.cucumberlinux.com/security/details.php?id=227)
* CLD-229 [CVE-2017-3143] (http://security.cucumberlinux.com/security/details.php?id=229)
* CLD-231 [CVE-2017-3140] (http://security.cucumberlinux.com/security/details.php?id=231)

More information about these CLDs can be found at their respective pages on the Cucumber Linux Security Advisory Tracker (these are the URLs in parentheses above).

------------------------------------------------------------------------

Installing the Update

The updated package can be installed via Pickle by running the following commands (as root):

# pickle --update
# pickle

Make sure bind-server is selected on the update list, and then select Ok. Pickle will then install the updated package.

If you prefer to download the updated package manually, it can be found on the mirror at http://mirror.cucumberlinux.com/cucumber/.

------------------------------------------------------------------------

The Cucumber Linux Security Team
cuc...@li... <mailto:cuc...@li...>
http://www.cucumberlinux.com/security.php
From: Scott C. <sc...@cu...> - 2018-01-17 15:12:44
Update Information

A security update is available for bind-client for the following versions of Cucumber Linux:

* 1.0
* 1.1 Beta

Here are the details from the Cucumber 1.0 changelog:

+----------------+
Wed Jan 17 09:36:12 EST 2018
net-base/bind-client upgraded from 9.10.4_P4 to 9.10.6_P1 to address CVE-2017-3145, CVE-2017-3143 and CVE-2017-3140. It is unclear whether the bind client is affected by any of these vulnerabilities, or if only the bind server is affected. It is more likely that only the bind server is affected; however, we will upgrade to be safe. For more information see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3145
http://security.cucumberlinux.com/security/details.php?id=226
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3143
http://security.cucumberlinux.com/security/details.php?id=228
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3140
http://security.cucumberlinux.com/security/details.php?id=230
https://lists.isc.org/pipermail/bind-announce/2018-January/001075.html
* SECURITY FIX *
+----------------+

------------------------------------------------------------------------

CLD and CVE Information

This update is associated with the following Cucumber Linux Deficiency (CLD) and CVE numbers:

* CLD-226 [CVE-2017-3145] (http://security.cucumberlinux.com/security/details.php?id=226)
* CLD-228 [CVE-2017-3143] (http://security.cucumberlinux.com/security/details.php?id=228)
* CLD-230 [CVE-2017-3140] (http://security.cucumberlinux.com/security/details.php?id=230)

More information about these CLDs can be found at their respective pages on the Cucumber Linux Security Advisory Tracker (these are the URLs in parentheses above).

------------------------------------------------------------------------

Installing the Update

The updated package can be installed via Pickle by running the following commands (as root):

# pickle --update
# pickle

Make sure bind-client is selected on the update list, and then select Ok. Pickle will then install the updated package.

If you prefer to download the updated package manually, it can be found on the mirror at http://mirror.cucumberlinux.com/cucumber/.

------------------------------------------------------------------------

The Cucumber Linux Security Team
cuc...@li... <mailto:cuc...@li...>
http://www.cucumberlinux.com/security.php
From: Scott C. <sc...@cu...> - 2018-01-15 20:07:56
Update Information

A security update is available for palemoon for the following versions of Cucumber Linux:

* 1.0
* 1.1 Beta

Here are the details from the Cucumber 1.1 Beta changelog:

+----------------+
Mon Jan 15 14:32:32 EST 2018
xapps-extra/palemoon upgraded from 27.6.2 to 27.7.0 to apply various security improvements. For more information see:
https://www.palemoon.org/releasenotes.shtml
http://security.cucumberlinux.com/security/details.php?id=225
* SECURITY FIX *
+----------------+

------------------------------------------------------------------------

CLD and CVE Information

This update is associated with the following Cucumber Linux Deficiency (CLD) and CVE numbers:

* CLD-225 (http://security.cucumberlinux.com/security/details.php?id=225)

More information about these CLDs can be found at their respective pages on the Cucumber Linux Security Advisory Tracker (these are the URLs in parentheses above).

------------------------------------------------------------------------

Installing the Update

The updated package can be installed via Pickle by running the following commands (as root):

# pickle --update
# pickle

Make sure palemoon is selected on the update list, and then select Ok. Pickle will then install the updated package.

If you prefer to download the updated package manually, it can be found on the mirror at http://mirror.cucumberlinux.com/cucumber/.

------------------------------------------------------------------------

The Cucumber Linux Security Team
cuc...@li... <mailto:cuc...@li...>
http://www.cucumberlinux.com/security.php
From: Scott C. <sc...@cu...> - 2018-01-14 16:43:50
Update Information

A security update is available for gdk-pixbuf for the following versions of Cucumber Linux:

* 1.0
* 1.1 Beta

Here are the details from the Cucumber 1.0 changelog:

+----------------+
Sun Jan 14 11:07:49 EST 2018
x-base/gdk-pixbuf rebuilt (build 2) to fix CVE-2017-6313, an integer underflow vulnerability that allows context dependent attackers to cause a denial of service (application crash). For more information see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6313
http://security.cucumberlinux.com/security/details.php?id=29
https://bugzilla.gnome.org/show_bug.cgi?id=779016
multilib/x-base/gdk-pixbuf-lib_i686 rebuilt (build 2, x86_64 only)
* SECURITY FIX *
+----------------+

------------------------------------------------------------------------

CLD and CVE Information

This update is associated with the following Cucumber Linux Deficiency (CLD) and CVE numbers:

* CLD-29 [CVE-2017-6313] (http://security.cucumberlinux.com/security/details.php?id=29)

More information about these CLDs can be found at their respective pages on the Cucumber Linux Security Advisory Tracker (these are the URLs in parentheses above).

------------------------------------------------------------------------

Installing the Update

The updated package can be installed via Pickle by running the following commands (as root):

# pickle --update
# pickle

Make sure gdk-pixbuf is selected on the update list, and then select Ok. Pickle will then install the updated package.

If you prefer to download the updated package manually, it can be found on the mirror at http://mirror.cucumberlinux.com/cucumber/.

------------------------------------------------------------------------

The Cucumber Linux Security Team
cuc...@li... <mailto:cuc...@li...>
http://www.cucumberlinux.com/security.php
From: Scott C. <sc...@cu...> - 2018-01-13 23:52:25
Update Information

A security update is available for libxml2 for the following versions of Cucumber Linux:

* 1.0
* 1.1 Beta

Here are the details from the Cucumber 1.0 changelog:

+----------------+
Sat Jan 13 18:10:24 EST 2018
lib-general/libxml2 upgraded from 2.9.5 to 2.9.7 to fix CVE-2017-15412, a use after free vulnerability that had the potential to result in memory corruption. For more information see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15412
http://security.cucumberlinux.com/security/details.php?id=223
https://git.gnome.org/browse/libxml2/commit/?id=0f3b843b3534784ef57a4f9b874238aa1fda5a73
multilib/lib-general/libxml2-lib_i686 upgraded from 2.9.5 to 2.9.7 (x86_64 only)
* SECURITY FIX *
+----------------+

------------------------------------------------------------------------

CLD and CVE Information

This update is associated with the following Cucumber Linux Deficiency (CLD) and CVE numbers:

* CLD-223 [CVE-2017-15412] (http://security.cucumberlinux.com/security/details.php?id=223)

More information about these CLDs can be found at their respective pages on the Cucumber Linux Security Advisory Tracker (these are the URLs in parentheses above).

------------------------------------------------------------------------

Installing the Update

The updated package can be installed via Pickle by running the following commands (as root):

# pickle --update
# pickle

Make sure libxml2 is selected on the update list, and then select Ok. Pickle will then install the updated package.

If you prefer to download the updated package manually, it can be found on the mirror at http://mirror.cucumberlinux.com/cucumber/.

------------------------------------------------------------------------

The Cucumber Linux Security Team
cuc...@li... <mailto:cuc...@li...>
http://www.cucumberlinux.com/security.php
From: Scott C. <sc...@cu...> - 2018-01-11 02:31:03
Update Information

A security update is available for linux for the following versions of Cucumber Linux:

* 1.0
* 1.1 Beta

Here are the details from the Cucumber 1.0 changelog:

+----------------+
Wed Jan 10 17:24:03 EST 2018
base/linux upgraded from 4.9.75 to 4.9.76 to further address the Meltdown vulnerability (CVE-2017-5754) by refining the kaiser implementation. This also includes other various bug and security fixes. For more information see:
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.76
http://security.cucumberlinux.com/security/details.php?id=200
http://security.cucumberlinux.com/security/details.php?id=222
kernel/linux-source upgraded from 4.9.75 to 4.9.76
* SECURITY FIX *
+----------------+

------------------------------------------------------------------------

CLD and CVE Information

This update is associated with the following Cucumber Linux Deficiency (CLD) and CVE numbers:

* CLD-222 (http://security.cucumberlinux.com/security/details.php?id=222)

More information about these CLDs can be found at their respective pages on the Cucumber Linux Security Advisory Tracker (these are the URLs in parentheses above).

------------------------------------------------------------------------

Installing the Update

The updated package can be installed via Pickle by running the following commands (as root):

# pickle --update
# pickle

Make sure linux is selected on the update list, and then select Ok. Pickle will then install the updated package.

If you prefer to download the updated package manually, it can be found on the mirror at http://mirror.cucumberlinux.com/cucumber/.

------------------------------------------------------------------------

The Cucumber Linux Security Team
cuc...@li... <mailto:cuc...@li...>
http://www.cucumberlinux.com/security.php
From: Scott C. <sc...@cu...> - 2018-01-06 15:50:42
Update Information

A security update is available for linux for the following versions of Cucumber Linux:

* 1.0
* 1.1 Beta

Here are the details from the Cucumber 1.0 changelog:

+----------------+
Fri Jan 5 21:28:05 EST 2018
base/linux upgraded from 4.9.74 to 4.9.75 to fix the Meltdown security vulnerability (CVE-2017-5754), a hardware vulnerability affecting almost all Intel processors made after 1995 that allows for any process to access the memory of any other process or the kernel. For more information see:
http://security.cucumberlinux.com/security/details.php?id=200
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754
https://meltdownattack.com/
https://www.youtube.com/watch?v=I5mRwzVvFGE
* SECURITY FIX *
+----------------+

WARNING: THIS UPDATE IS KNOWN TO BREAK CERTAIN SYSTEMS

Due to the fact that this update makes a larger change to the Linux kernel than most other kernel updates, this update has a greater than usual chance of breaking your system. This kernel update is known to cause issues in the following environments:

* Running inside an x86_64 KVM virtual machine on a RedHat/Centos 6 hypervisor.

If you experience issues with this kernel in a specific setup, reboot and use your fallback kernel until the issue can be resolved. If you experience an issue with a setup that is not listed above, please send an email to sc...@cu... detailing your setup so we can add it to this list.

We apologize for this inconvenience; however, there is little anyone can do about it since this vulnerability is extremely severe and requires a massive change to the kernel to mitigate.

This Analysis is Still Ongoing

Updates to our analysis can be found at http://security.cucumberlinux.com/security/details.php?id=200.

------------------------------------------------------------------------

CLD and CVE Information

This update is associated with the following Cucumber Linux Deficiency (CLD) and CVE numbers:

* CLD-200 [CVE-2017-5754] (http://security.cucumberlinux.com/security/details.php?id=200)

More information about these CLDs can be found at their respective pages on the Cucumber Linux Security Advisory Tracker (these are the URLs in parentheses above).

------------------------------------------------------------------------

Installing the Update

The updated package can be installed via Pickle by running the following commands (as root):

# pickle --update
# pickle

Make sure linux is selected on the update list, and then select Ok. Pickle will then install the updated package.

If you prefer to download the updated package manually, it can be found on the mirror at http://mirror.cucumberlinux.com/cucumber/.

------------------------------------------------------------------------

The Cucumber Linux Security Team
cuc...@li... <mailto:cuc...@li...>
http://www.cucumberlinux.com/security.php
From: Scott C. <sc...@cu...> - 2018-01-05 17:24:18
Update Information

A security update is available for php, php5 for the following versions of Cucumber Linux:

* 1.0
* 1.1 Beta

Here are the details from the Cucumber 1.0 changelog:

+----------------+
Fri Jan 5 10:41:33 EST 2018
lang-general/php upgraded from 5.6.32 to 5.6.33 to fix a couple of security issues (an infinite loop and XSS). For more information see:
http://security.cucumberlinux.com/security/details.php?id=198
http://www.php.net/ChangeLog-5.php#5.6.33
* SECURITY FIX *
+----------------+

Here are the details from the Cucumber 1.1 Beta changelog:

+----------------+
Fri Jan 5 11:39:14 EST 2018
lang-general/php upgraded from 7.2.0 to 7.2.1 to fix several security vulnerabilities. For more information see:
http://security.cucumberlinux.com/security/details.php?id=199
http://php.net/ChangeLog-7.php#7.2.1
lang-general/php5 upgraded from 5.6.32 to 5.6.33 to fix a couple of security issues (an infinite loop and XSS). For more information see:
http://security.cucumberlinux.com/security/details.php?id=198
http://www.php.net/ChangeLog-5.php#5.6.33
* SECURITY FIX *
+----------------+

------------------------------------------------------------------------

CLD and CVE Information

This update is associated with the following Cucumber Linux Deficiency (CLD) and CVE numbers:

* CLD-198 (http://security.cucumberlinux.com/security/details.php?id=198)
* CLD-199 (http://security.cucumberlinux.com/security/details.php?id=199)

More information about these CLDs can be found at their respective pages on the Cucumber Linux Security Advisory Tracker (these are the URLs in parentheses above).

------------------------------------------------------------------------

Installing the Update

The updated package can be installed via Pickle by running the following commands (as root):

# pickle --update
# pickle

Make sure php or php5 is selected on the update list, and then select Ok. Pickle will then install the updated package.

If you prefer to download the updated package manually, it can be found on the mirror at http://mirror.cucumberlinux.com/cucumber/.

------------------------------------------------------------------------

The Cucumber Linux Security Team
cuc...@li... <mailto:cuc...@li...>
http://www.cucumberlinux.com/security.php
From: Scott C. <z5...@z5...> - 2018-01-05 15:15:00
The following is an information disclosure about CVE-2017-18018, a recently disclosed vulnerability in the coreutils package:

=================================== Overview ===================================

From https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18018:

In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX "-R -L" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.

================================= Our Analysis =================================

----- Affected Products -----

All versions of the GNU coreutils up to and including 8.29 are vulnerable to this vulnerability. At the time of writing (Thu Jan 4 13:09:35 EST 2018) 8.29 is the latest available version of coreutils; future versions may or may not be affected. This includes coreutils as originally packaged in Cucumber Linux 1.0 and 1.1.

----- Scope and Impact of this Vulnerability -----

This vulnerability allows for a user to cause an arbitrary file to be chowned when a directory that the user has write access to is chowned recursively.

----- Fix for this Vulnerability -----

As of Thu Jan 4 13:02:32 EST 2018 there is no known fix for this vulnerability. There are two patches available at http://lists.gnu.org/archive/html/coreutils/2017-12/msg00072.html and http://lists.gnu.org/archive/html/coreutils/2017-12/msg00073.html that add a warning about this issue to the man and info pages; however, there is nothing that actually fixes this vulnerability.

*In the meantime, the impact of this vulnerability can be mitigated in the following ways:

1. Enable the protected_symlinks feature in the kernel. This can be done by running `sysctl --write fs.protected_symlinks=1` as root. You may want to add this to your /etc/rc.d/rc.local script to ensure it is run whenever the system boots up.
2. Do not combine the -R and -L flags when running chown/chgrp (-R = recursive and -L = traverse all symlinks).
3. Use the --from flag when running chown/chgrp to ensure that you are chowning/chgrping files owned only by the intended user/group.*

================================= Our Solution =================================

We have made an information disclosure about this vulnerability and will wait to see if an upstream patch is published. The full analysis and report for this vulnerability can be viewed at http://security.cucumberlinux.com/security/details.php?id=197.
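As an added example, not part of the disclosure above or of the Cucumber Linux project, here is a small POSIX sh helper that checks a chown argument list against mitigations 2 and 3 (no -R together with -L, and a --from restriction present) and reads the fs.protected_symlinks setting from mitigation 1. The function names are my own, and the sample paths and account names in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory): administrator-side checks for the
# CVE-2017-18018 mitigations. Function names are hypothetical.

# chown_args_unsafe ARGS...
# Succeeds (returns 0) when the argument list combines -R (recursive) with
# -L (follow every symlink while recursing), the combination the advisory
# says to avoid. Handles separate flags (-R -L) and bundled ones (-RL).
chown_args_unsafe() {
    recursive=0
    follow=0
    for arg in "$@"; do
        case "$arg" in
            --recursive) recursive=1 ;;
            --) break ;;          # everything after "--" is an operand
            --*) ;;               # other long options do not matter here
            -?*)
                # walk each character of a bundled short-option cluster
                opts=${arg#-}
                while [ -n "$opts" ]; do
                    c=${opts%"${opts#?}"}   # first remaining character
                    opts=${opts#?}
                    case "$c" in
                        R) recursive=1 ;;
                        L) follow=1 ;;
                    esac
                done
                ;;
        esac
    done
    [ "$recursive" -eq 1 ] && [ "$follow" -eq 1 ]
}

# chown_args_have_from ARGS...
# Succeeds when a --from=USER[:GROUP] restriction is present (mitigation 3),
# so only files already owned by the expected account get their owner changed.
chown_args_have_from() {
    for arg in "$@"; do
        case "$arg" in
            --from=?*) return 0 ;;
        esac
    done
    return 1
}

# protected_symlinks_enabled [FILE]
# Succeeds when fs.protected_symlinks is on (mitigation 1). Reads
# /proc/sys/fs/protected_symlinks by default; a path can be passed so the
# check can be exercised against a copy of the file.
protected_symlinks_enabled() {
    f=${1:-/proc/sys/fs/protected_symlinks}
    [ -r "$f" ] || return 1
    [ "$(cat "$f")" = "1" ]
}

# audit_chown_args ARGS...
# Prints one finding per line and returns the number of findings (0 = clean).
audit_chown_args() {
    findings=0
    if chown_args_unsafe "$@"; then
        echo "unsafe: -R combined with -L (symlink race, CVE-2017-18018)"
        findings=$((findings + 1))
    fi
    if ! chown_args_have_from "$@"; then
        echo "warning: no --from=USER restriction; any owner could be changed"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Usage (constructed example): sh audit_chown.sh -R -L www-data /srv/www
if [ "$#" -gt 0 ]; then
    audit_chown_args "$@" && echo "ok: no findings in chown arguments"
    protected_symlinks_enabled ||
        echo "warning: fs.protected_symlinks is off (sysctl --write fs.protected_symlinks=1)"
fi
```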