Release Notes for Snare Central v7.4.4

Snare Central v7.4.4 was released on 19th June 2019.

Snare Central incorporates the Agent Management Console (AMC), the v2.3.0 Reflector, and the v1.0.3 Snare Agent Manager (SAM).

Change Log

New Features

  • Snare Server 7.4.4 is a patch release that includes bug fixes and operating system security updates.
  • The Collector/Reflector configuration page now provides the capability to modify TLS Authentication configuration settings.

Enhancements

  • Well-formed events that arrive at the Snare Server collection subsystem from either epilog or a 5.2+ Snare agent with integrated epilog capabilities will have the first field (hostname) trusted, as long as it meets RFC 952 and RFC 1178 requirements or can be identified explicitly as an IP address. Prior to this change, genericlog events were always assigned an IP address as the system name.
  • The AppleBSM and SolarisBSM collection modules have been updated to cope with eventIDs that include flag information in the header field (e.g. open(2) - read,write,exec). The eventID originally only included the initial system call (open), but has now been modified to add the extended information (read,write,exec). The man-page reference ("(2)") is still excluded, to make event matching simpler. Objectives that previously used 'eventid=open' may need to be updated to use eventID LIKE 'open%' instead.

Bug Fixes

  • An issue in the 'boost' libraries would cause the Snare Server Collector in version 7.4.3 to terminate in certain situations. Service monitors would restart the service, but a new version of the collector, built against newer versions of the boost libraries, has been included with this release.

Operating System Updates

Package | Previous Version | Update | Details
apache2 | 2.4.7-1ubuntu4.21 | 2.4.7-1ubuntu4.22 | apache2 (2.4.7-1ubuntu4.22) trusty-security; urgency=medium

* SECURITY UPDATE: mod_session expiry time issue
- debian/patches/CVE-2018-17199-pre1.patch: properly handle sessions that could not be decoded in modules/session/mod_session.c.
- debian/patches/CVE-2018-17199.patch: always decode session attributes early in modules/session/mod_session.c.
- CVE-2018-17199
* SECURITY UPDATE: mod_auth_digest access control bypass
- debian/patches/CVE-2019-0217.patch: fix a race condition in modules/aaa/mod_auth_digest.c.
- CVE-2019-0217
* SECURITY UPDATE: URL normalization inconsistency
- debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in the path in include/http_core.h, include/httpd.h, server/core.c, server/request.c, server/util.c.
- debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety in server/request.c, server/util.c.
- debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in server/util.c.
- CVE-2019-0220
apt | 1.0.1ubuntu2.19 | 1.0.1ubuntu2.23
base-files | 7.2ubuntu5.5 | 7.2ubuntu5.6
bind9-host | 1:9.9.5.dfsg-3ubuntu0.18 | 1:9.9.5.dfsg-3ubuntu0.19 | bind9 (1:9.9.5.dfsg-3ubuntu0.19) trusty-security; urgency=medium

* SECURITY UPDATE: assertion failure when a trust anchor rolls over to an
unsupported key algorithm when using managed-keys
- lib/dns/zone.c: enhance rfc 5011 logging
- lib/dns/include/dst/dst.h, lib/dns/zone.c: properly handle situations when the key tag cannot be computed.
- CVE-2018-5745
* SECURITY UPDATE: Controls for zone transfers may not be properly
applied to Dynamically Loadable Zones (DLZs) if the zones are writable
- bin/named/xfrout.c: handle zone transfers marked in the zone table as a DLZ zone.
- CVE-2019-6465
busybox-initramfs | 1:1.21.0-1ubuntu1 | 1:1.21.0-1ubuntu1.4 | busybox (1:1.21.0-1ubuntu1.4) trusty-security; urgency=medium

* SECURITY UPDATE: directory traversal via tar symlink extraction
- debian/patches/CVE-2011-5325-1.patch: postpone creation of symlinks with "suspicious" targets in archival/libarchive/data_extract_all.c, archival/tar.c, archival/tar_symlink_attack, include/bb_archive.h, testsuite/tar.tests.
- debian/patches/CVE-2011-5325-2.patch: do not extract unsafe symlinks unless env variable is set in archival/libarchive/Kbuild.src, archival/libarchive/data_extract_all.c, archival/libarchive/unsafe_symlink_target.c, archival/tar.c, include/bb_archive.h, libbb/copy_file.c, testsuite/tar.tests.
- debian/patches/CVE-2011-5325-3.patch: postpone creation of symlinks with "suspicious" targets in archival/libarchive/data_extract_all.c, archival/libarchive/unsafe_symlink_target.c, archival/tar.c, include/bb_archive.h, testsuite/tar.tests.
- debian/patches/CVE-2011-5325-4.patch: extract "unsafe" symlinks the same way tar/unzip does in archival/cpio.c.
- debian/patches/CVE-2011-5325-5.patch: fix symlink creation in archival/libarchive/get_header_ar.c.
- CVE-2011-5325
* SECURITY UPDATE: kernel module loading restrictions bypass
- debian/patches/CVE-2014-9645.patch: reject module names with slashes in modutils/modprobe.c.
- CVE-2014-9645
* SECURITY UPDATE: integer overflow in the DHCP client
- debian/patches/CVE-2016-2147-1.patch: fix a SEGV on malformed RFC1035-encoded domain name in networking/udhcp/domain_codec.c.
- debian/patches/CVE-2016-2147-2.patch: fix a warning in debug code in networking/udhcp/domain_codec.c.
- CVE-2016-2147
* SECURITY UPDATE: heap-based buffer overflow in the DHCP client
- debian/patches/CVE-2016-2148.patch: fix OPTION_6RD parsing in networking/udhcp/common.c, networking/udhcp/dhcpc.c.
- CVE-2016-2148
* SECURITY UPDATE: integer overflow in get_next_block
- debian/patches/CVE-2017-15873.patch: fix runCnt overflow in archival/libarchive/decompress_bunzip2.c.
- CVE-2017-15873
* SECURITY UPDATE: code execution in tab autocomplete feature
- debian/patches/CVE-2017-16544.patch: check for control characters in libbb/lineedit.c.
- CVE-2017-16544
* SECURITY UPDATE: DoS in unzip operations
- debian/patches/CVE-2015-9261-1.patch: test for a bad archive in archival/libarchive/decompress_gunzip.c, added test in testsuite/unzip.tests.
- debian/patches/CVE-2015-9261-2.patch: further fix decompression code in archival/libarchive/decompress_gunzip.c, testsuite/unzip.tests.
- CVE-2015-9261
* SECURITY UPDATE: buffer overflow in wget
- debian/patches/CVE-2018-1000517.patch: check chunk length in networking/wget.c.
- CVE-2018-1000517
* SECURITY UPDATE: out-of-bounds read in udhcp
- debian/patches/CVE-2018-20679.patch: check that 4-byte options are indeed 4-byte in networking/udhcp/common.*, networking/udhcp/dhcpc.c, networking/udhcp/dhcpd.c.
- CVE-2018-20679
* SECURITY UPDATE: incomplete fix for out-of-bounds read in udhcp
- debian/patches/CVE-2019-5747.patch: when decoding DHCP_SUBNET, ensure it is 4 bytes long in networking/udhcp/common.*, networking/udhcp/dhcpc.c.
- CVE-2019-5747
busybox-static | 1:1.21.0-1ubuntu1 | 1:1.21.0-1ubuntu1.4 | busybox (1:1.21.0-1ubuntu1.4) trusty-security; urgency=medium

* SECURITY UPDATE: directory traversal via tar symlink extraction
- debian/patches/CVE-2011-5325-1.patch: postpone creation of symlinks with "suspicious" targets in archival/libarchive/data_extract_all.c, archival/tar.c, archival/tar_symlink_attack, include/bb_archive.h, testsuite/tar.tests.
- debian/patches/CVE-2011-5325-2.patch: do not extract unsafe symlinks unless env variable is set in archival/libarchive/Kbuild.src, archival/libarchive/data_extract_all.c, archival/libarchive/unsafe_symlink_target.c, archival/tar.c, include/bb_archive.h, libbb/copy_file.c, testsuite/tar.tests.
- debian/patches/CVE-2011-5325-3.patch: postpone creation of symlinks with "suspicious" targets in archival/libarchive/data_extract_all.c, archival/libarchive/unsafe_symlink_target.c, archival/tar.c, include/bb_archive.h, testsuite/tar.tests.
- debian/patches/CVE-2011-5325-4.patch: extract "unsafe" symlinks the same way tar/unzip does in archival/cpio.c.
- debian/patches/CVE-2011-5325-5.patch: fix symlink creation in archival/libarchive/get_header_ar.c.
- CVE-2011-5325
* SECURITY UPDATE: kernel module loading restrictions bypass
- debian/patches/CVE-2014-9645.patch: reject module names with slashes in modutils/modprobe.c.
- CVE-2014-9645
* SECURITY UPDATE: integer overflow in the DHCP client
- debian/patches/CVE-2016-2147-1.patch: fix a SEGV on malformed RFC1035-encoded domain name in networking/udhcp/domain_codec.c.
- debian/patches/CVE-2016-2147-2.patch: fix a warning in debug code in networking/udhcp/domain_codec.c.
- CVE-2016-2147
* SECURITY UPDATE: heap-based buffer overflow in the DHCP client
- debian/patches/CVE-2016-2148.patch: fix OPTION_6RD parsing in networking/udhcp/common.c, networking/udhcp/dhcpc.c.
- CVE-2016-2148
* SECURITY UPDATE: integer overflow in get_next_block
- debian/patches/CVE-2017-15873.patch: fix runCnt overflow in archival/libarchive/decompress_bunzip2.c.
- CVE-2017-15873
* SECURITY UPDATE: code execution in tab autocomplete feature
- debian/patches/CVE-2017-16544.patch: check for control characters in libbb/lineedit.c.
- CVE-2017-16544
* SECURITY UPDATE: DoS in unzip operations
- debian/patches/CVE-2015-9261-1.patch: test for a bad archive in archival/libarchive/decompress_gunzip.c, added test in testsuite/unzip.tests.
- debian/patches/CVE-2015-9261-2.patch: further fix decompression code in archival/libarchive/decompress_gunzip.c, testsuite/unzip.tests.
- CVE-2015-9261
* SECURITY UPDATE: buffer overflow in wget
- debian/patches/CVE-2018-1000517.patch: check chunk length in networking/wget.c.
- CVE-2018-1000517
* SECURITY UPDATE: out-of-bounds read in udhcp
- debian/patches/CVE-2018-20679.patch: check that 4-byte options are indeed 4-byte in networking/udhcp/common.*, networking/udhcp/dhcpc.c, networking/udhcp/dhcpd.c.
- CVE-2018-20679
* SECURITY UPDATE: incomplete fix for out-of-bounds read in udhcp
- debian/patches/CVE-2019-5747.patch: when decoding DHCP_SUBNET, ensure it is 4 bytes long in networking/udhcp/common.*, networking/udhcp/dhcpc.c.
- CVE-2019-5747
clamav | 0.100.2+dfsg-1ubuntu0.14.04.2 | 0.100.3+dfsg-0ubuntu0.14.04.1 | clamav (0.100.3+dfsg-0ubuntu0.14.04.1) trusty-security; urgency=medium

* Updated to version 0.100.3 to fix security issues. (LP: #1822503)
- debian/libclamav7.symbols: updated to new version.
- CVE-2019-1787
- CVE-2019-1788
- CVE-2019-1789
curl | 7.35.0-1ubuntu2.19 | 7.35.0-1ubuntu2.20 | curl (7.35.0-1ubuntu2.20) trusty-security; urgency=medium

* SECURITY UPDATE: SMTP end-of-response out-of-bounds read
- debian/patches/CVE-2019-3823.patch: avoid risk of buffer overflow in strtol in lib/smtp.c.
- CVE-2019-3823
dnsutils | 1:9.9.5.dfsg-3ubuntu0.18 | 1:9.9.5.dfsg-3ubuntu0.19 | bind9 (1:9.9.5.dfsg-3ubuntu0.19) trusty-security; urgency=medium

* SECURITY UPDATE: assertion failure when a trust anchor rolls over to an
unsupported key algorithm when using managed-keys
- lib/dns/zone.c: enhance rfc 5011 logging
- lib/dns/include/dst/dst.h, lib/dns/zone.c: properly handle situations when the key tag cannot be computed.
- CVE-2018-5745
* SECURITY UPDATE: Controls for zone transfers may not be properly
applied to Dynamically Loadable Zones (DLZs) if the zones are writable
- bin/named/xfrout.c: handle zone transfers marked in the zone table as a DLZ zone.
- CVE-2019-6465
ghostscript | 9.26~dfsg+0-0ubuntu0.14.04.4 | 9.26~dfsg+0-0ubuntu0.14.04.8 | ghostscript (9.26~dfsg+0-0ubuntu0.14.04.8) trusty-security; urgency=medium

* SECURITY UPDATE: superexec operator is available
- debian/patches/CVE-2019-3835-pre1.patch: Have gs_cet.ps run from gs_init.ps in Resource/Init/gs_cet.ps, Resource/Init/gs_init.ps.
- debian/patches/CVE-2019-3835-pre2.patch: Undef /odef in Resource/Init/gs_cet.ps, Resource/Init/gs_init.ps.
- debian/patches/CVE-2019-3835-1.patch: restrict superexec and remove it in Resource/Init/gs_cet.ps, Resource/Init/gs_dps1.ps, Resource/Init/gs_fonts.ps, Resource/Init/gs_init.ps, Resource/Init/gs_ttf.ps, Resource/Init/gs_type1.ps.
- debian/patches/CVE-2019-3835-2.patch: obliterate superexec in Resource/Init/gs_init.ps, psi/icontext.c, psi/icstate.h, psi/zcontrol.c, psi/zdict.c, psi/zgeneric.c.
- CVE-2019-3835
* SECURITY UPDATE: forceput in DefineResource is still accessible
- debian/patches/CVE-2019-3838-1.patch: make a transient proc executeonly in Resource/Init/gs_res.ps.
- debian/patches/CVE-2019-3838-2.patch: an extra transient proc needs executeonly in Resource/Init/gs_res.ps.
- CVE-2019-3838
grub2-common | 2.02~beta2-9ubuntu1.15 | 2.02~beta2-9ubuntu1.17 | grub2 (2.02~beta2-9ubuntu1.17) trusty; urgency=medium

* debian/grub-check-signatures: check kernel signatures against keys known
in firmware, in case a kernel is signed but not using a key that will pass
validation, such as when using kernels coming from a PPA. (LP: #1789918)
* debian/patches/linuxefi_disable_sb_fallback.patch: Disallow unsigned
kernels if UEFI Secure Boot is enabled. If UEFI Secure Boot is enabled
and kernel signature verification fails, do not boot the kernel. Patch
from Linn Crosetto. (LP: #1401532)
grub-common | 2.02~beta2-9ubuntu1.15 | 2.02~beta2-9ubuntu1.17 | grub2 (2.02~beta2-9ubuntu1.17) trusty; urgency=medium

* debian/grub-check-signatures: check kernel signatures against keys known
in firmware, in case a kernel is signed but not using a key that will pass
validation, such as when using kernels coming from a PPA. (LP: #1789918)
* debian/patches/linuxefi_disable_sb_fallback.patch: Disallow unsigned
kernels if UEFI Secure Boot is enabled. If UEFI Secure Boot is enabled
and kernel signature verification fails, do not boot the kernel. Patch
from Linn Crosetto. (LP: #1401532)
grub-efi-amd64-bin | 2.02~beta2-9ubuntu1.15 | 2.02~beta2-9ubuntu1.17 | grub2 (2.02~beta2-9ubuntu1.17) trusty; urgency=medium

* debian/grub-check-signatures: check kernel signatures against keys known
in firmware, in case a kernel is signed but not using a key that will pass
validation, such as when using kernels coming from a PPA. (LP: #1789918)
* debian/patches/linuxefi_disable_sb_fallback.patch: Disallow unsigned
kernels if UEFI Secure Boot is enabled. If UEFI Secure Boot is enabled
and kernel signature verification fails, do not boot the kernel. Patch
from Linn Crosetto. (LP: #1401532)
grub-pc-bin | 2.02~beta2-9ubuntu1.15 | 2.02~beta2-9ubuntu1.17 | grub2 (2.02~beta2-9ubuntu1.17) trusty; urgency=medium

* debian/grub-check-signatures: check kernel signatures against keys known
in firmware, in case a kernel is signed but not using a key that will pass
validation, such as when using kernels coming from a PPA. (LP: #1789918)
* debian/patches/linuxefi_disable_sb_fallback.patch: Disallow unsigned
kernels if UEFI Secure Boot is enabled. If UEFI Secure Boot is enabled
and kernel signature verification fails, do not boot the kernel. Patch
from Linn Crosetto. (LP: #1401532)
grub-pc | 2.02~beta2-9ubuntu1.15 | 2.02~beta2-9ubuntu1.17 | grub2 (2.02~beta2-9ubuntu1.17) trusty; urgency=medium

* debian/grub-check-signatures: check kernel signatures against keys known
in firmware, in case a kernel is signed but not using a key that will pass
validation, such as when using kernels coming from a PPA. (LP: #1789918)
* debian/patches/linuxefi_disable_sb_fallback.patch: Disallow unsigned
kernels if UEFI Secure Boot is enabled. If UEFI Secure Boot is enabled
and kernel signature verification fails, do not boot the kernel. Patch
from Linn Crosetto. (LP: #1401532)
hhvm | 3.30.2-1~trusty | 4.5.0-1~trusty | hhvm (4.5.0-1~trusty) trusty; urgency=medium
intel-microcode | 3.20180807a.0ubuntu0.14.04.1 | 3.20190514.0ubuntu0.14.04.1 | intel-microcode (3.20190514.0ubuntu0.14.04.1) trusty-security; urgency=medium

* SECURITY UPDATE: new upstream datafile 20190507
- CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091
+ New Microcodes: sig 0x00050655, pf_mask 0xb7, 2018-11-16, rev 0x3000010, size 47104 sig 0x00050656, pf_mask 0xbf, 2019-01-28, rev 0x400001c, size 47104 sig 0x00050657, pf_mask 0xbf, 2019-02-27, rev 0x5000021, size 47104
+ Updated Micrcodes: sig 0x000206a7, pf_mask 0x12, 2019-02-17, rev 0x002f, size 12288 sig 0x000306a9, pf_mask 0x12, 2019-02-13, rev 0x0021, size 14336 sig 0x000306c3, pf_mask 0x32, 2019-02-26, rev 0x0027, size 23552 sig 0x000306d4, pf_mask 0xc0, 2019-03-07, rev 0x002d, size 19456 sig 0x000306e4, pf_mask 0xed, 2019-03-14, rev 0x042e, size 16384 sig 0x000306e7, pf_mask 0xed, 2019-03-14, rev 0x0715, size 17408 sig 0x000306f2, pf_mask 0x6f, 2019-03-01, rev 0x0043, size 34816 sig 0x000306f4, pf_mask 0x80, 2019-03-01, rev 0x0014, size 18432 sig 0x00040651, pf_mask 0x72, 2019-02-26, rev 0x0025, size 21504 sig 0x00040661, pf_mask 0x32, 2019-02-26, rev 0x001b, size 25600 sig 0x00040671, pf_mask 0x22, 2019-03-07, rev 0x0020, size 14336 sig 0x000406e3, pf_mask 0xc0, 2019-04-01, rev 0x00cc, size 100352 sig 0x000406f1, pf_mask 0xef, 2019-03-02, rev 0xb000036, size 30720 sig 0x00050654, pf_mask 0xb7, 2019-04-02, rev 0x200005e, size 32768 sig 0x00050662, pf_mask 0x10, 2019-03-23, rev 0x001a, size 32768 sig 0x00050663, pf_mask 0x10, 2019-03-23, rev 0x7000017, size 24576 sig 0x00050664, pf_mask 0x10, 2019-03-23, rev 0xf000015, size 23552 sig 0x00050665, pf_mask 0x10, 2019-03-23, rev 0xe00000d, size 19456 sig 0x000506c9, pf_mask 0x03, 2019-01-15, rev 0x0038, size 17408 sig 0x000506e3, pf_mask 0x36, 2019-04-01, rev 0x00cc, size 100352 sig 0x000506f1, pf_mask 0x01, 2019-03-21, rev 0x002e, size 11264 sig 0x000706a1, pf_mask 0x01, 2019-01-02, rev 0x002e, size 73728 sig 0x000806e9, pf_mask 0x10, 2019-04-01, rev 0x00b4, size 98304 sig 0x000806e9, pf_mask 0xc0, 2019-04-01, rev 0x00b4, size 99328 sig 0x000806ea, pf_mask 0xc0, 2019-04-01, rev 0x00b4, size 99328 sig 0x000806eb, pf_mask 0xd0, 2019-03-30, rev 0x00b8, size 98304 sig 0x000806ec, pf_mask 0x94, 2019-03-30, rev 0x00b8, size 97280 sig 0x000906e9, pf_mask 0x2a, 2019-04-01, rev 0x00b4, size 99328 sig 0x000906ea, pf_mask 0x22, 2019-04-01, rev 0x00b4, size 98304 sig 0x000906eb, pf_mask 0x02, 2019-04-01, rev 0x00b4, size 99328 sig 
0x000906ec, pf_mask 0x22, 2019-02-14, rev 0x00ae, size 98304 sig 0x000906ed, pf_mask 0x22, 2019-03-17, rev 0x00b8, size 97280
+ Reinstated Microcodes: sig 0x00050653, pf_mask 0x97, 2018-01-29, rev 0x1000140, size 30720
landscape-common | 14.12-0ubuntu6.14.04.3 | 14.12-0ubuntu6.14.04.4 | landscape-client (14.12-0ubuntu6.14.04.4) trusty; urgency=medium

* debian/patches/nutanix-kvm.patch: Update vm_info.py to include Nutanix
hypervisor. (LP: #1788219)
* Fixes for release-upgrade (LP: #1699179).
- debian/patches/1699179-release-upgrade-check.diff: Check if ubuntu- release-upgrader is running before apt-update. (LP: #1699179)
- debian/patches/release-upgrade-success.patch: Enable landscape-client to survive trusty upgrade. (LP: #1670291)
- debian/patches/post-upgrade-reboot.patch: Force reboot operation in case systemd fails. (LP: #1670291)
* debian/patches/1616116-resync-loop.patch:
Clear hash id database on package resync. (LP: #1616116)
php5 | 5.5.9+dfsg-1ubuntu4.26 | 5.5.9+dfsg-1ubuntu4.29 | php5 (5.5.9+dfsg-1ubuntu4.29) trusty-security; urgency=medium

* SECURITY UPDATE: Unauthorized users access
- debian/patches/CVE-2019-9637.patch: fix in main/streams/plain_wrapper.c.
- CVE-2019-9637
* SECURITY UPDATE: Invalid read in exif_process_IFD_MAKERNOTE
- debian/patches/CVE-2019-9638-and-CVE-2019-9639-*.patch: fix in ext/exif/exif.c, added tests in ext/exif/tests/bug77563.jpg, ext/exif/tests/bug77563.phpt.
- CVE-2019-9638
- CVE-2019-9639
* SECURITY UPDATE: Invalid read
- debian/patches/CVE-2019-9640.patch: fix in ext/exif/exif.c, added tests in ext/exif/tests/bug77540.jpg, ext/exif/tests/bug77540.phpt.
- CVE-2019-9640
* SECURITY UPDATE: Uninitialized read
- debian/patches/CVE-2019-9641.patch: fix in ext/exif/exif.c.
- CVE-2019-9641
* SECURITY UPDATE: Buffer overflow
- debian/patches/CVE-2019-9675.patch: fix in ext/phar/tar.c, added tests, ext/phar/tests/bug77586,phpt, ext/phar/tests/bug77586/files/*.
- CVE-2019-9675
* Changed the way MAKERNOTE is handled in case we do not have a matching
signature, in order to support tests CVE-2019-9638 and CVE-2019-9639.
- debian/patches/Changed-the-way-MAKERNOTE-is-handled-in-case.patch: fix it changing the behavior in order to continue the parse in ext/exif/exif.c
* SECURITY UPDATE: buffer over-read in dns_get_record
- debian/patches/CVE-2019-9022.patch: check length in ext/standard/dns.c.
- CVE-2019-9022
libarchive13 | 3.1.2-7ubuntu2.7 | 3.1.2-7ubuntu2.8 | libarchive (3.1.2-7ubuntu2.8) trusty-security; urgency=medium

* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2019-1000019.patch: fix in libarchive/archive_read_support_format_7zip.c.
- CVE-2019-1000019
* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2019-1000020.patch: fix in libarchive/archive_read_support_format_iso9660.c.
- CVE-2019-1000020
libavahi-client3 | 0.6.31-4ubuntu1.2 | 0.6.31-4ubuntu1.3 | avahi (0.6.31-4ubuntu1.3) trusty-security; urgency=medium

* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2017-6519-and-CVE-2018-1000845.patch: fix in avahi-core/server.c.
- CVE-2017-6519
- CVE-2018-1000845
libavahi-common3 | 0.6.31-4ubuntu1.2 | 0.6.31-4ubuntu1.3 | avahi (0.6.31-4ubuntu1.3) trusty-security; urgency=medium

* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2017-6519-and-CVE-2018-1000845.patch: fix in avahi-core/server.c.
- CVE-2017-6519
- CVE-2018-1000845
libavahi-common-data | 0.6.31-4ubuntu1.2 | 0.6.31-4ubuntu1.3 | avahi (0.6.31-4ubuntu1.3) trusty-security; urgency=medium

* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2017-6519-and-CVE-2018-1000845.patch: fix in avahi-core/server.c.
- CVE-2017-6519
- CVE-2018-1000845
libbind9-90 | 1:9.9.5.dfsg-3ubuntu0.18 | 1:9.9.5.dfsg-3ubuntu0.19 | bind9 (1:9.9.5.dfsg-3ubuntu0.19) trusty-security; urgency=medium

* SECURITY UPDATE: assertion failure when a trust anchor rolls over to an
unsupported key algorithm when using managed-keys
- lib/dns/zone.c: enhance rfc 5011 logging
- lib/dns/include/dst/dst.h, lib/dns/zone.c: properly handle situations when the key tag cannot be computed.
- CVE-2018-5745
* SECURITY UPDATE: Controls for zone transfers may not be properly
applied to Dynamically Loadable Zones (DLZs) if the zones are writable
- bin/named/xfrout.c: handle zone transfers marked in the zone table as a DLZ zone.
- CVE-2019-6465
libc6 | 2.19-0ubuntu6.14 | 2.19-0ubuntu6.15 | eglibc (2.19-0ubuntu6.15) trusty-security; urgency=medium

* Fix NSS loading for static binaries (LP: #1821752)
- debian/patches/any/local-static-dlopen-search-path.diff: fix static dlopen default library search path in elf/dl-support.c.
libc-bin | 2.19-0ubuntu6.14 | 2.19-0ubuntu6.15 | eglibc (2.19-0ubuntu6.15) trusty-security; urgency=medium

* Fix NSS loading for static binaries (LP: #1821752)
- debian/patches/any/local-static-dlopen-search-path.diff: fix static dlopen default library search path in elf/dl-support.c.
libdns100 | 1:9.9.5.dfsg-3ubuntu0.18 | 1:9.9.5.dfsg-3ubuntu0.19 | bind9 (1:9.9.5.dfsg-3ubuntu0.19) trusty-security; urgency=medium

* SECURITY UPDATE: assertion failure when a trust anchor rolls over to an
unsupported key algorithm when using managed-keys
- lib/dns/zone.c: enhance rfc 5011 logging
- lib/dns/include/dst/dst.h, lib/dns/zone.c: properly handle situations when the key tag cannot be computed.
- CVE-2018-5745
* SECURITY UPDATE: Controls for zone transfers may not be properly
applied to Dynamically Loadable Zones (DLZs) if the zones are writable
- bin/named/xfrout.c: handle zone transfers marked in the zone table as a DLZ zone.
- CVE-2019-6465
libgd3 | 2.1.0-3ubuntu0.10 | 2.1.0-3ubuntu0.11 | libgd2 (2.1.0-3ubuntu0.11) trusty-security; urgency=medium

* SECURITY UPDATE: buffer overflow in gdImageColorMatch
- debian/patches/CVE-2019-6977.patch: use gdMaxColors in src/gd_color_match.c.
- CVE-2019-6977
* SECURITY UPDATE: double-free in gdImage*Ptr() functions
- debian/patches/CVE-2019-6978.patch: properly handle failure in src/gd_gif_out.c, src/gd_jpeg.c, src/gd_wbmp.c, add test to tests/jpeg/CMakeLists.txt, tests/jpeg/jpeg_ptr_double_free.c.
- CVE-2019-6978
libgudev-1.0-0 | 1:204-5ubuntu20.29 | 1:204-5ubuntu20.31 | systemd (204-5ubuntu20.31) trusty-security; urgency=medium

* SECURITY UPDATE: Unsafe environment usage in pam_systemd.so leads to
incorrect Policykit authorization
- debian/patches/CVE-2019-3842.patch: Use secure_getenv() rather than getenv() in pam_systemd.c
- CVE-2019-3842
libisc95 | 1:9.9.5.dfsg-3ubuntu0.18 | 1:9.9.5.dfsg-3ubuntu0.19 | bind9 (1:9.9.5.dfsg-3ubuntu0.19) trusty-security; urgency=medium

* SECURITY UPDATE: assertion failure when a trust anchor rolls over to an
unsupported key algorithm when using managed-keys
- lib/dns/zone.c: enhance rfc 5011 logging
- lib/dns/include/dst/dst.h, lib/dns/zone.c: properly handle situations when the key tag cannot be computed.
- CVE-2018-5745
* SECURITY UPDATE: Controls for zone transfers may not be properly
applied to Dynamically Loadable Zones (DLZs) if the zones are writable
- bin/named/xfrout.c: handle zone transfers marked in the zone table as a DLZ zone.
- CVE-2019-6465
libisccc90 | 1:9.9.5.dfsg-3ubuntu0.18 | 1:9.9.5.dfsg-3ubuntu0.19 | bind9 (1:9.9.5.dfsg-3ubuntu0.19) trusty-security; urgency=medium

* SECURITY UPDATE: assertion failure when a trust anchor rolls over to an
unsupported key algorithm when using managed-keys
- lib/dns/zone.c: enhance rfc 5011 logging
- lib/dns/include/dst/dst.h, lib/dns/zone.c: properly handle situations when the key tag cannot be computed.
- CVE-2018-5745
* SECURITY UPDATE: Controls for zone transfers may not be properly
applied to Dynamically Loadable Zones (DLZs) if the zones are writable
- bin/named/xfrout.c: handle zone transfers marked in the zone table as a DLZ zone.
- CVE-2019-6465
libisccfg90 | 1:9.9.5.dfsg-3ubuntu0.18 | 1:9.9.5.dfsg-3ubuntu0.19 | bind9 (1:9.9.5.dfsg-3ubuntu0.19) trusty-security; urgency=medium

* SECURITY UPDATE: assertion failure when a trust anchor rolls over to an
unsupported key algorithm when using managed-keys
- lib/dns/zone.c: enhance rfc 5011 logging
- lib/dns/include/dst/dst.h, lib/dns/zone.c: properly handle situations when the key tag cannot be computed.
- CVE-2018-5745
* SECURITY UPDATE: Controls for zone transfers may not be properly
applied to Dynamically Loadable Zones (DLZs) if the zones are writable
- bin/named/xfrout.c: handle zone transfers marked in the zone table as a DLZ zone.
- CVE-2019-6465
libldb1 | 1:1.1.24-0ubuntu0.14.04.1 | 1:1.1.24-0ubuntu0.14.04.2 | ldb (1:1.1.24-0ubuntu0.14.04.2) trusty-security; urgency=medium

* SECURITY UPDATE: Out of bound read in ldb_wildcard_compare
- debian/patches/CVE-2019-3824-1.patch: fix length.
- debian/patches/CVE-2019-3824-2.patch: add extra comments.
- debian/patches/CVE-2019-3824-3.patch: improve code style.
- debian/patches/CVE-2019-3824-4.patch: use talloc_zero.
- debian/patches/CVE-2019-3824-5.patch: check tree operation.
- debian/patches/CVE-2019-3824-6.patch: fix end of data check.
- CVE-2019-3824
liblwres90 | 1:9.9.5.dfsg-3ubuntu0.18 | 1:9.9.5.dfsg-3ubuntu0.19 | bind9 (1:9.9.5.dfsg-3ubuntu0.19) trusty-security; urgency=medium

* SECURITY UPDATE: assertion failure when a trust anchor rolls over to an
unsupported key algorithm when using managed-keys
- lib/dns/zone.c: enhance rfc 5011 logging
- lib/dns/include/dst/dst.h, lib/dns/zone.c: properly handle situations when the key tag cannot be computed.
- CVE-2018-5745
* SECURITY UPDATE: Controls for zone transfers may not be properly
applied to Dynamically Loadable Zones (DLZs) if the zones are writable
- bin/named/xfrout.c: handle zone transfers marked in the zone table as a DLZ zone.
- CVE-2019-6465
libnss3 | 2:3.28.4-0ubuntu0.14.04.4 | 2:3.28.4-0ubuntu0.14.04.5 | nss (2:3.28.4-0ubuntu0.14.04.5) trusty-security; urgency=medium

* SECURITY UPDATE: DoS in NULL pointer dereference in CMS functions
- debian/patches/CVE-2018-18508-1.patch: add null checks in nss/lib/smime/cmscinfo.c, nss/lib/smime/cmsdigdata.c, nss/lib/smime/cmsencdata.c, nss/lib/smime/cmsenvdata.c, nss/lib/smime/cmsmessage.c, nss/lib/smime/cmsudf.c.
- debian/patches/CVE-2018-18508-2.patch: add null checks in nss/lib/smime/cmsmessage.c.
- CVE-2018-18508
libnss3-nssdb | 2:3.28.4-0ubuntu0.14.04.4 | 2:3.28.4-0ubuntu0.14.04.5 | nss (2:3.28.4-0ubuntu0.14.04.5) trusty-security; urgency=medium

* SECURITY UPDATE: DoS in NULL pointer dereference in CMS functions
- debian/patches/CVE-2018-18508-1.patch: add null checks in nss/lib/smime/cmscinfo.c, nss/lib/smime/cmsdigdata.c, nss/lib/smime/cmsencdata.c, nss/lib/smime/cmsenvdata.c, nss/lib/smime/cmsmessage.c, nss/lib/smime/cmsudf.c.
- debian/patches/CVE-2018-18508-2.patch: add null checks in nss/lib/smime/cmsmessage.c.
- CVE-2018-18508
libpam-systemd | 204-5ubuntu20.29 | 204-5ubuntu20.31 | systemd (204-5ubuntu20.31) trusty-security; urgency=medium

* SECURITY UPDATE: Unsafe environment usage in pam_systemd.so leads to
incorrect Policykit authorization
- debian/patches/CVE-2019-3842.patch: Use secure_getenv() rather than getenv() in pam_systemd.c
- CVE-2019-3842
policykit-1 | 0.105-4ubuntu3.14.04.5 | 0.105-4ubuntu3.14.04.6 | policykit-1 (0.105-4ubuntu3.14.04.6) trusty-security; urgency=medium

* SECURITY UPDATE: start time protection mechanism bypass
- debian/patches/CVE-2019-6133.patch: Compare PolkitUnixProcess uids for temporary authorizations in src/polkit/polkitsubject.c, src/polkit/polkitunixprocess.c, src/polkitbackend/polkitbackendinteractiveauthority.c.
- CVE-2019-6133
samba | 2:4.3.11+dfsg-0ubuntu0.14.04.19 | 2:4.3.11+dfsg-0ubuntu0.14.04.20 | samba (2:4.3.11+dfsg-0ubuntu0.14.04.20) trusty-security; urgency=medium

* SECURITY UPDATE: save registry file outside share as unprivileged user
- debian/patches/CVE-2019-3880.patch: remove implementations of SaveKey/RestoreKey in source3/rpc_server/winreg/srv_winreg_nt.c.
- CVE-2019-3880
sqlite3 | 3.8.2-1ubuntu2.1 | 3.8.2-1ubuntu2.2 | sqlite3 (3.8.2-1ubuntu2.2) trusty-security; urgency=medium

* SECURITY UPDATE: Avoid segmentation fault while using a corrupted file.
- d/p/0001-Fix-a-parsing-issue-associated-with-a-corrupt-sqlite.patch: Check if parser is busy before using it and raise an error if positive. (LP: #1814869)
- d/p/0002-Better-error-message-text-when-the-schema-is-corrupt.patch: Better message and additional checks.
- No CVE associated.
libsystemd-daemon0 | 204-5ubuntu20.29 | 204-5ubuntu20.31 | systemd (204-5ubuntu20.31) trusty-security; urgency=medium

* SECURITY UPDATE: Unsafe environment usage in pam_systemd.so leads to
incorrect Policykit authorization
- debian/patches/CVE-2019-3842.patch: Use secure_getenv() rather than getenv() in pam_systemd.c
- CVE-2019-3842
libsystemd-login0 | 204-5ubuntu20.29 | 204-5ubuntu20.31 | systemd (204-5ubuntu20.31) trusty-security; urgency=medium

* SECURITY UPDATE: Unsafe environment usage in pam_systemd.so leads to
incorrect Policykit authorization
- debian/patches/CVE-2019-3842.patch: Use secure_getenv() rather than getenv() in pam_systemd.c
- CVE-2019-3842
libtiff5 | 4.0.3-7ubuntu0.10 | 4.0.3-7ubuntu0.11 | tiff (4.0.3-7ubuntu0.11) trusty-security; urgency=medium

* SECURITY UPDATE: heap over-read in TIFFWriteScanline
- debian/patches/CVE-2018-10779.patch: fix overflow in libtiff/tif_write.c.
- CVE-2018-10779
* SECURITY UPDATE: heap over-read in cpSeparateBufToContigBuf
- debian/patches/CVE-2018-12900-1.patch: check for overflow in tools/tiffcp.c.
- debian/patches/CVE-2018-12900-2.patch: use INT_MAX in tools/tiffcp.c.
- CVE-2018-12900
- CVE-2019-7663
* SECURITY UPDATE: NULL pointer dereference in _TIFFmemcmp
- debian/patches/CVE-2018-17000.patch: add NULL check in libtiff/tif_dirwrite.c.
- CVE-2018-17000
* SECURITY UPDATE: NULL pointer dereference in TIFFWriteDirectorySec
- debian/patches/CVE-2018-19210-1.patch: unset transferfunction field if necessary in libtiff/tif_dir.c.
- debian/patches/CVE-2018-19210-2.patch: fix warning in libtiff/tif_dir.c.
- CVE-2018-19210
* SECURITY UPDATE: memory leak in TIFFFdOpen
- debian/patches/CVE-2019-6128.patch: properly handle errors in tools/pal2rgb.c.
- CVE-2019-6128
libudev1 | 204-5ubuntu20.29 | 204-5ubuntu20.31 | systemd (204-5ubuntu20.31) trusty-security; urgency=medium

* SECURITY UPDATE: Unsafe environment usage in pam_systemd.so leads to
incorrect Policykit authorization
- debian/patches/CVE-2019-3842.patch: Use secure_getenv() rather than getenv() in pam_systemd.c
- CVE-2019-3842
libxslt1.1 | 1.1.28-2ubuntu0.1 | 1.1.28-2ubuntu0.2 | libxslt (1.1.28-2ubuntu0.2) trusty-security; urgency=medium

* SECURITY UPDATE: Bypass of protection mechanism
- debian/patches/CVE-2019-11068.patch: Fix security framework bypass checking for returns equal or less -1 in libxslt/documents.c, libxslt/imports.c, libxslt/transform.c,libxslt/xslt.c.
- CVE-2019-11068
linux-generic | 3.13.0.164.174 | 3.13.0.170.181
linux-headers-3.13.0-163-generic | 3.13.0-163.213
linux-headers-3.13.0-163 | 3.13.0-163.213
linux-headers-3.13.0-164-generic | 3.13.0-164.214
linux-headers-3.13.0-164 | 3.13.0-164.214
linux-headers-generic | 3.13.0.164.174 | 3.13.0.170.181
linux-image-generic | 3.13.0.164.174 | 3.13.0.170.181
linux-image-server | 3.13.0.164.174 | 3.13.0.170.181
linux-image-virtual | 3.13.0.164.174 | 3.13.0.170.181
multiarch-support | 2.19-0ubuntu6.14 | 2.19-0ubuntu6.15 | eglibc (2.19-0ubuntu6.15) trusty-security; urgency=medium

* Fix NSS loading for static binaries (LP: #1821752)
- debian/patches/any/local-static-dlopen-search-path.diff: fix static dlopen default library search path in elf/dl-support.c.
openssh-client | 1:6.6p1-2ubuntu2.11 | 1:6.6p1-2ubuntu2.13 | openssh (1:6.6p1-2ubuntu2.13) trusty-security; urgency=medium

* SECURITY UPDATE: Incomplete fix for CVE-2019-6111
- debian/patches/CVE-2019-6111-pre1.patch: add reallocarray to openbsd-compat/Makefile.in, openbsd-compat/openbsd-compat.h, openbsd-compat/reallocarray.c.
- debian/patches/CVE-2019-6111-2.patch: add another fix to the filename check in scp.c.
- CVE-2019-6111
* Fixed inverted CVE numbers in patch filenames and in previous changelog.
openssh-server | 1:6.6p1-2ubuntu2.11 | 1:6.6p1-2ubuntu2.13 | openssh (1:6.6p1-2ubuntu2.13) trusty-security; urgency=medium

* SECURITY UPDATE: Incomplete fix for CVE-2019-6111
- debian/patches/CVE-2019-6111-pre1.patch: add reallocarray to openbsd-compat/Makefile.in, openbsd-compat/openbsd-compat.h, openbsd-compat/reallocarray.c.
- debian/patches/CVE-2019-6111-2.patch: add another fix to the filename check in scp.c.
- CVE-2019-6111
* Fixed inverted CVE numbers in patch filenames and in previous changelog.
openssh-sftp-server | 1:6.6p1-2ubuntu2.11 | 1:6.6p1-2ubuntu2.13 | openssh (1:6.6p1-2ubuntu2.13) trusty-security; urgency=medium

* SECURITY UPDATE: Incomplete fix for CVE-2019-6111
- debian/patches/CVE-2019-6111-pre1.patch: add reallocarray to openbsd-compat/Makefile.in, openbsd-compat/openbsd-compat.h, openbsd-compat/reallocarray.c.
- debian/patches/CVE-2019-6111-2.patch: add another fix to the filename check in scp.c.
- CVE-2019-6111
* Fixed inverted CVE numbers in patch filenames and in previous changelog.
python3-distupgrade | 1:0.220.10 | 1:0.220.11
python-ldb | 1:1.1.24-0ubuntu0.14.04.1 | 1:1.1.24-0ubuntu0.14.04.2 | ldb (1:1.1.24-0ubuntu0.14.04.2) trusty-security; urgency=medium

* SECURITY UPDATE: Out of bound read in ldb_wildcard_compare
- debian/patches/CVE-2019-3824-1.patch: fix length.
- debian/patches/CVE-2019-3824-2.patch: add extra comments.
- debian/patches/CVE-2019-3824-3.patch: improve code style.
- debian/patches/CVE-2019-3824-4.patch: use talloc_zero.
- debian/patches/CVE-2019-3824-5.patch: check tree operation.
- debian/patches/CVE-2019-3824-6.patch: fix end of data check.
- CVE-2019-3824
shim-signed | 1.33.1~14.04.3+13-0ubuntu2 | 1.33.1~14.04.5+13-0ubuntu2 | shim-signed (1.33.1~14.04.5) trusty; urgency=medium

* debian/control: make the sbsigntool dependency versioned to ensure updates include getting the new sbsigntool so DKMS modules can be correctly signed. (LP: #1818929)
systemd-services | 204-5ubuntu20.29 | 204-5ubuntu20.31 | systemd (204-5ubuntu20.31) trusty-security; urgency=medium

* SECURITY UPDATE: Unsafe environment usage in pam_systemd.so leads to incorrect Policykit authorization
- debian/patches/CVE-2019-3842.patch: Use secure_getenv() rather than getenv() in pam_systemd.c
- CVE-2019-3842
tzdata | 2018i-0ubuntu0.14.04 | 2019a-0ubuntu0.14.04 | tzdata (2019a-0ubuntu0.14.04) trusty; urgency=medium

* New upstream version, affecting past and future timestamps:
- Palestine "springs forward" on 2019-03-30 instead of 2019-03-23.
- Metlakatla "fell back" to rejoin Alaska Time on 2019-01-20 at 02:00.
ubuntu-advantage-tools | 10ubuntu0.14.04.2 | 10ubuntu0.14.04.3
ubuntu-release-upgrader-core | 1:0.220.10 | 1:0.220.11
udev | 204-5ubuntu20.29 | 204-5ubuntu20.31 | systemd (204-5ubuntu20.31) trusty-security; urgency=medium

* SECURITY UPDATE: Unsafe environment usage in pam_systemd.so leads to incorrect Policykit authorization
- debian/patches/CVE-2019-3842.patch: Use secure_getenv() rather than getenv() in pam_systemd.c
- CVE-2019-3842
update-notifier-common | 0.154.1ubuntu3 | 0.154.1ubuntu6
wget | 1.15-1ubuntu1.14.04.4 | 1.15-1ubuntu1.14.04.5 | wget (1.15-1ubuntu1.14.04.5) trusty-security; urgency=medium

* SECURITY UPDATE: Buffer overflow
- debian/patches/CVE-2019-5953-*.patch: fix in src/iri.c.
- CVE-2019-5953
wpasupplicant | 2.1-0ubuntu1.6 | 2.1-0ubuntu1.7 | wpa (2.1-0ubuntu1.7) trusty-security; urgency=medium

* SECURITY UPDATE: Multiple security issues
- debian/patches/VU-871675/*.patch: backported upstream patches.
- CVE-2019-9495
- CVE-2019-9497
- CVE-2019-9498
- CVE-2019-9499
* SECURITY UPDATE: insecure os_random() fallback
- debian/patches/CVE-2016-10743.patch: Use only os_get_random() for PIN generation.
- CVE-2016-10743



