[Dragora-announcements] Dragora v2 Updates #012
From: Matias A. Fonzo
Subject: [Dragora-announcements] Dragora v2 Updates #012
Date: Tue, 8 Mar 2016 17:27:36 -0300
The following packages have been updated (#012):
bash
glibc
kernel
libpng
tzdatabase
We recommend that you upgrade your packages as soon as possible.
Details
=======
* Bash 4.2 has been upgraded to patch level 053, whose description says:
A combination of nested command substitutions and function importing
from the environment can cause bash to execute code appearing in the
environment variable value following the function definition.
* A new vulnerability has been discovered in Glibc:
CVE-2015-7547[1]:
Multiple stack-based buffer overflows in the (1) send_dg and (2)
send_vc functions in the libresolv library in the GNU C Library
(aka glibc or libc6) before 2.23 allow remote attackers to cause a
denial of service (crash) or possibly execute arbitrary code via a
crafted DNS response that triggers a call to the getaddrinfo function
with the AF_UNSPEC or AF_INET6 address family, related to performing
"dual A/AAAA DNS queries" and the libnss_dns.so.2 NSS module.
* The kernel (linux-libre) has been upgraded to version 3.2.78,
which contains many bug fixes and security fixes (too long to
mention here).
* libpng has been upgraded to version 1.4.19, which fixes a potential
out-of-bounds read in png_check_keyword().
* The tzdatabase package contains the update for the time zone: 2016a.
Links:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7547
Packages
========
Obtain the packages from rsync://rsync.dragora.org or from one of its
mirrors, such as the one listed here:
* 32 bit *
http://gungre.ch/dragora/mirror/v2/upgrades/packages/32b/bash-4.2-i486-11.tlz
http://gungre.ch/dragora/mirror/v2/upgrades/packages/32b/glibc-2.13_20110720-i486-13.tlz
http://gungre.ch/dragora/mirror/v2/upgrades/packages/32b/kernel-firmware-3.2.78-i486-1.tlz
http://gungre.ch/dragora/mirror/v2/upgrades/packages/32b/kernel-headers-3.2.78-x86-1.tlz
http://gungre.ch/dragora/mirror/v2/upgrades/packages/32b/kernel-modules-gen-3.2.78-i486-1.tlz
http://gungre.ch/dragora/mirror/v2/upgrades/packages/32b/kernel-gen-3.2.78-i486-1.tlz
http://gungre.ch/dragora/mirror/v2/upgrades/packages/32b/libpng-1.4.19-i486-1.tlz
http://gungre.ch/dragora/mirror/v2/upgrades/packages/32b/tzdatabase-2016a-i486-1.tlz
* 64 bit *
http://gungre.ch/dragora/mirror/v2/upgrades/packages/64b/bash-4.2-x86_64-11.tlz
http://gungre.ch/dragora/mirror/v2/upgrades/packages/64b/glibc-2.13_20110720-x86_64-13.tlz
http://gungre.ch/dragora/mirror/v2/upgrades/packages/64b/kernel-firmware-3.2.78-x86_64-1.tlz
http://gungre.ch/dragora/mirror/v2/upgrades/packages/64b/kernel-headers-3.2.78-x86_64-1.tlz
http://gungre.ch/dragora/mirror/v2/upgrades/packages/64b/kernel-modules-smp64-3.2.78-x86_64-1.tlz
http://gungre.ch/dragora/mirror/v2/upgrades/packages/64b/kernel-smp64-3.2.78-x86_64-1.tlz
http://gungre.ch/dragora/mirror/v2/upgrades/packages/64b/libpng-1.4.19-x86_64-1.tlz
http://gungre.ch/dragora/mirror/v2/upgrades/packages/64b/tzdatabase-2016a-x86_64-1.tlz
Checksums (SHA1)
================
If you need the detached GPG signatures[1] just append .sig to the URLs
above.
Upgrading
=========
To upgrade a package you issue the following command:
pkg upgrade <package.tlz>
Notes
=====
You can get all the upgrades via RSYNC, for example, to obtain 32-bit
packages, type:
# rsync -avPiz gungre.ch::dragora/v2/upgrades/packages/32b .
Then use the sha1sum(1) tool to verify all the checksums:
# sha1sum -c SHA1SUMS
`pkg upgrade' can be used to upgrade all the packages (installed or
not installed); for more information, take a look at:
http://wiki.dragora.org/guides/d2/pkgmanager
Footnotes:
[1] Use a .sig file to verify that the corresponding file (without the
.sig suffix) is intact. First, be sure to download both the .sig file
and the corresponding tarball. Then, run a command like this:
gpg --verify bash-4.2-i486-11.tlz.sig
If that command fails because you don't have the required public key,
then run these commands to import it:
wget http://gungre.ch/dragora/mirror/v2/KEY
gpg --import KEY
and re-run the `gpg --verify' sequence.
--
GPG pub ID = 0x3AAF1CEC203A99D5
Key servers = hkps.pool.sks-keyservers.net - keys.gnupg.net
Key fingerprint = 35BD B9D4 6B56 B5FA CB64 7C9B 3AAF 1CEC 203A 99D5
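
The checksum and signature steps from the notes and footnote above, combined into one fail-closed check (an added example, not part of the original announcement or Dragora's own tooling). The SHA1SUMS file comes from the same mirror as the packages, so it only detects corruption; the signature check pins the key fingerprint printed in the signature block above. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the announcement): fail-closed verification of a
# mirrored upgrades directory before running `pkg upgrade`.
# EXPECTED_FPR is the key fingerprint printed at the end of the announcement.
EXPECTED_FPR="35BDB9D46B56B5FACB647C9B3AAF1CEC203A99D5"

# Normalise a fingerprint as humans print it ("35BD B9D4 ...") for comparison.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \n' | tr 'a-f' 'A-F'
}

# Check every *.tlz in directory $1 against its SHA1SUMS manifest.
# `sha1sum -c` only checks files the manifest names, so a package that the
# manifest does not list is rejected explicitly. Runs in a subshell: ( ... ).
check_sha1() (
    cd "$1" || exit 2
    [ -f SHA1SUMS ] || exit 2
    for pkg in *.tlz; do
        [ -e "$pkg" ] || continue
        awk -v f="$pkg" '{ n = $2; sub(/^\*/, "", n); if (n == f) ok = 1 }
                         END { exit !ok }' SHA1SUMS ||
            { echo "not listed in SHA1SUMS: $pkg" >&2; exit 1; }
    done
    sha1sum -c SHA1SUMS >/dev/null
)

# Verify the detached signature $1.sig over $1 and require that it was made
# by EXPECTED_FPR. The last field of gpg's VALIDSIG status line is the primary
# key fingerprint; a good signature from any other imported key is rejected.
check_sig() {
    status=$(gpg --status-fd 1 --verify "$1.sig" "$1" 2>/dev/null) || return 1
    signer=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $NF; exit }')
    [ "$(norm_fpr "$signer")" = "$EXPECTED_FPR" ]
}

# Run both checks over directory $1; stop at the first failure.
verify_upgrades() {
    check_sha1 "$1" || { echo "checksum failure in $1" >&2; return 1; }
    for pkg in "$1"/*.tlz; do
        check_sig "$pkg" || { echo "bad or unexpected signature: $pkg" >&2; return 1; }
    done
    echo "all packages in $1 verified"
}
```

Source the file and call `verify_upgrades 32b` on the directory that rsync populated (with the .sig files downloaded alongside the packages); run `pkg upgrade` only if it returns 0.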