
[Dragora-announcements] Dragora v2 Updates #012


From: Matias A. Fonzo
Subject: [Dragora-announcements] Dragora v2 Updates #012
Date: Tue, 8 Mar 2016 17:27:36 -0300

The following packages have been updated (#012):

  bash
  glibc
  kernel
  libpng
  tzdatabase

We recommend that you upgrade your packages as soon as possible.

Details
=======

* The Bash 4.2 upgrade is at patch level 053, whose description says:

  A combination of nested command substitutions and function importing
from the environment can cause bash to execute code appearing in the
environment variable value following the function definition.

* A new vulnerability has been discovered in Glibc:

CVE-2015-7547[1]:

  Multiple stack-based buffer overflows in the (1) send_dg and (2)
send_vc functions in the libresolv library in the GNU C Library
(aka glibc or libc6) before 2.23 allow remote attackers to cause a
denial of service (crash) or possibly execute arbitrary code via a
crafted DNS response that triggers a call to the getaddrinfo function
with the AF_UNSPEC or AF_INET6 address family, related to performing
"dual A/AAAA DNS queries" and the libnss_dns.so.2 NSS module.

* The kernel (linux-libre) has been upgraded to version 3.2.78,
which contains many bug fixes and security fixes (too many to
mention here).

* libpng has been upgraded to version 1.4.19, which fixes a potential
out-of-bounds read in png_check_keyword().

* The tzdatabase package contains the time zone data update 2016a.

Links:

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7547

Packages
========

Obtain the packages from rsync://rsync.dragora.org or from one of its
mirrors, such as the one listed here:

* 32 bit *

http://gungre.ch/dragora/mirror/v2/upgrades/packages/32b/bash-4.2-i486-11.tlz
http://gungre.ch/dragora/mirror/v2/upgrades/packages/32b/glibc-2.13_20110720-i486-13.tlz
http://gungre.ch/dragora/mirror/v2/upgrades/packages/32b/kernel-firmware-3.2.78-i486-1.tlz
http://gungre.ch/dragora/mirror/v2/upgrades/packages/32b/kernel-headers-3.2.78-x86-1.tlz
http://gungre.ch/dragora/mirror/v2/upgrades/packages/32b/kernel-modules-gen-3.2.78-i486-1.tlz
http://gungre.ch/dragora/mirror/v2/upgrades/packages/32b/kernel-gen-3.2.78-i486-1.tlz
http://gungre.ch/dragora/mirror/v2/upgrades/packages/32b/libpng-1.4.19-i486-1.tlz
http://gungre.ch/dragora/mirror/v2/upgrades/packages/32b/tzdatabase-2016a-i486-1.tlz

* 64 bit *

http://gungre.ch/dragora/mirror/v2/upgrades/packages/64b/bash-4.2-x86_64-11.tlz
http://gungre.ch/dragora/mirror/v2/upgrades/packages/64b/glibc-2.13_20110720-x86_64-13.tlz
http://gungre.ch/dragora/mirror/v2/upgrades/packages/64b/kernel-firmware-3.2.78-x86_64-1.tlz
http://gungre.ch/dragora/mirror/v2/upgrades/packages/64b/kernel-headers-3.2.78-x86_64-1.tlz
http://gungre.ch/dragora/mirror/v2/upgrades/packages/64b/kernel-modules-smp64-3.2.78-x86_64-1.tlz
http://gungre.ch/dragora/mirror/v2/upgrades/packages/64b/kernel-smp64-3.2.78-x86_64-1.tlz
http://gungre.ch/dragora/mirror/v2/upgrades/packages/64b/libpng-1.4.19-x86_64-1.tlz
http://gungre.ch/dragora/mirror/v2/upgrades/packages/64b/tzdatabase-2016a-x86_64-1.tlz

Checksums (SHA1)
================


If you need the detached GPG signatures[1] just append .sig to the URLs
above.

Upgrading
=========

To upgrade a package, issue the following command:
  pkg upgrade <package.tlz>

Notes
=====

  You can get all the upgrades via rsync. For example, to obtain the
32-bit packages, type:

  # rsync -avPiz gungre.ch::dragora/v2/upgrades/packages/32b .

Then use the sha1sum(1) tool to verify all the checksums:

  # sha1sum -c SHA1SUMS

  `pkg upgrade' can be used to upgrade all the packages (installed or
not installed); for more information, take a look at:

  http://wiki.dragora.org/guides/d2/pkgmanager


Footnotes:

[1] Use a .sig file to verify that the corresponding file (without the
.sig suffix) is intact. First, be sure to download both the .sig file
and the corresponding tarball. Then, run a command like this:

  gpg --verify bash-4.2-i486-11.tlz.sig

If that command fails because you don't have the required public key,
then run these commands to import it:

  wget http://gungre.ch/dragora/mirror/v2/KEY
  gpg --import KEY

and re-run the `gpg --verify' sequence.


-- 
GPG pub ID = 0x3AAF1CEC203A99D5
Key servers = hkps.pool.sks-keyservers.net - keys.gnupg.net
Key fingerprint = 35BD B9D4 6B56 B5FA CB64  7C9B 3AAF 1CEC 203A 99D5

Attachment: pgpkIFjbY_BWN.pgp
Description: OpenPGP digital signature
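
The footnote's `gpg --verify' step, extended into an added example (not part of the original announcement or of Dragora's tooling): a script that accepts a package only when gpg reports a good signature from one pinned fingerprint, because a KEY file fetched over plain HTTP from the same mirror as the packages does not authenticate them on its own. It assumes the packages are signed with the key whose fingerprint appears in the message's signature block; the function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the announcement): accept a package only if gpg
# reports a good signature made by one pinned key.

# Assumption: packages are signed with the key whose fingerprint appears in
# the announcement's signature block; confirm it through a second channel.
PINNED_FPR="35BDB9D46B56B5FACB647C9B3AAF1CEC203A99D5"

# status_is_pinned: read `gpg --status-fd` lines on stdin. Succeeds only if
# there is a GOODSIG line (EXPKEYSIG, REVKEYSIG and BADSIG replace it for
# expired, revoked or bad signatures) and a VALIDSIG line whose last field,
# the primary key fingerprint, equals PINNED_FPR. Anything else fails closed.
status_is_pinned() {
    awk -v want="$PINNED_FPR" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        $2 == "VALIDSIG" && toupper($NF) == want { pinned = 1 }
        END { exit !(good && pinned) }'
}

# verify_pkg FILE: check FILE against the detached signature FILE.sig.
# Returns 2 if either file is missing, 1 if the signature is not acceptable.
verify_pkg() {
    pkg=$1
    if [ ! -f "$pkg" ] || [ ! -f "$pkg.sig" ]; then
        echo "missing package or .sig: $pkg" >&2
        return 2
    fi
    gpg --batch --status-fd 1 --verify "$pkg.sig" "$pkg" 2>/dev/null |
        status_is_pinned
}

# Constructed sample of gpg status output (not captured from a real run).
SAMPLE_STATUS='[GNUPG:] GOODSIG 3AAF1CEC203A99D5 Example Signer
[GNUPG:] VALIDSIG 35BDB9D46B56B5FACB647C9B3AAF1CEC203A99D5 2016-03-08 1457468856 0 4 0 1 2 00 35BDB9D46B56B5FACB647C9B3AAF1CEC203A99D5'

# With no arguments, run the parser on the sample; otherwise verify each file.
if [ $# -eq 0 ]; then
    printf '%s\n' "$SAMPLE_STATUS" | status_is_pinned && echo "sample: accepted"
else
    for pkg in "$@"; do
        verify_pkg "$pkg" || { echo "FAIL $pkg" >&2; exit 1; }
        echo "OK   $pkg"
    done
fi
```

Run it with the downloaded .tlz files as arguments, each with its .sig beside it; a plain `gpg --verify' exit status alone would also accept a signature from any other key in the local keyring.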

