/
Release Notes for Snare Central v7.4.4

Release Notes for Snare Central v7.4.4

Jun 14, 2019

Snare Central v7.4.4 was released on 19th June 2019.

Snare Central incorporates the Agent Management Console (AMC), the v2.3.0 Reflector, and the v1.0.3 Snare Agent Manager (SAM).

Change Log

New Features

  • Snare Server 7.4.4 is a patch release that includes bug fixes and operating system security updates.

  • The Collector/Reflector configuration page now provides the capability to modify TLS Authentication configuration settings.

Enhancements

  • Well formed events that have arrived at the Snare Server collection subsystem from either epilog, or a 5.2+ Snare agent with integrated epilog capabilities, will have the first field (hostname) trusted as long as it meets RFC 952 and RFC 1178 requirements, or can be identified explicitly as an IP address. Prior to this change, genericlog events were always assigned an IP address as the system name.

  • The AppleBSM and SolarisBSM collection modules have been updated to cope with eventIDs that include flag information in the header field (eg: open(2) - read,write,exec). The eventID originally only included the initial system call (open), but has now been modified to add the extended information (read,write,exec). The man-page reference is still excluded ("(2)"), to make event matching simpler. Objectives that have used 'eventid=open' in the past, may need to be updated to use eventID LIKE 'open%', instead.

Bug Fixes

  • An issue in the 'boost' libraries would cause the Snare Server Collector in version 7.4.3 to terminate in certain situations. Service monitors would restart the service, but a new version of the collector built against newer versions of the boost libraries, has been included with this release.

Operating System Updates

Package

Previous Version

Update

Details

Package

Previous Version

Update

Details

apache2

2.4.7-1ubuntu4.21

2.4.7-1ubuntu4.22

apache2 (2.4.7-1ubuntu4.22) trusty-security; urgency=medium

* SECURITY UPDATE: mod_session expiry time issue
- debian/patches/CVE-2018-17199-pre1.patch: properly handle sessions that could not be decoded in modules/session/mod_session.c.
- debian/patches/CVE-2018-17199.patch: always decode session attributes early in modules/session/mod_session.c.
- CVE-2018-17199
* SECURITY UPDATE: mod_auth_digest access control bypass
- debian/patches/CVE-2019-0217.patch: fix a race condition in modules/aaa/mod_auth_digest.c.
- CVE-2019-0217
* SECURITY UPDATE: URL normalization inconsistincy
- debian/patches/CVE-2019-0220-1.patch: merge consecutive slashes in the path in include/http_core.h, include/httpd.h, server/core.c, server/request.c, server/util.c.
- debian/patches/CVE-2019-0220-2.patch: fix r->parsed_uri.path safety in server/request.c, server/util.c.
- debian/patches/CVE-2019-0220-3.patch: maintainer mode fix in server/util.c.
- CVE-2019-0220

apt

1.0.1ubuntu2.19

1.0.1ubuntu2.23

 

base-files

7.2ubuntu5.5

7.2ubuntu5.6

 

bind9-host

1:9.9.5.dfsg-3ubuntu0.18

1:9.9.5.dfsg-3ubuntu0.19

bind9 (1:9.9.5.dfsg-3ubuntu0.19) trusty-security; urgency=medium

* SECURITY UPDATE: assertion failure when a trust anchor rolls over to an
unsupported key algorithm when using managed-keys
- lib/dns/zone.c: enhance rfc 5011 logging
- lib/dns/include/dst/dst.h, lib/dns/zone.c: properly handle situations when the key tag cannot be computed.
- CVE-2018-5745
* SECURITY UPDATE: Controls for zone transfers may not be properly
applied to Dynamically Loadable Zones (DLZs) if the zones are writable
- bin/named/xfrout.c: handle zone transfers marked in the zone table as a DLZ zone.
- CVE-2019-6465

busybox-initramfs

1:1.21.0-1ubuntu1

1:1.21.0-1ubuntu1.4

busybox (1:1.21.0-1ubuntu1.4) trusty-security; urgency=medium

* SECURITY UPDATE: directory traversal via tar symlink extraction
- debian/patches/CVE-2011-5325-1.patch: postpone creation of symlinks with "suspicious" targets in archival/libarchive/data_extract_all.c, archival/tar.c, archival/tar_symlink_attack, include/bb_archive.h, testsuite/tar.tests.
- debian/patches/CVE-2011-5325-2.patch: do not extract unsafe symlinks unless env variable is set in archival/libarchive/Kbuild.src, archival/libarchive/data_extract_all.c, archival/libarchive/unsafe_symlink_target.c, archival/tar.c, include/bb_archive.h, libbb/copy_file.c, testsuite/tar.tests.
- debian/patches/CVE-2011-5325-3.patch: postpone creation of symlinks with "suspicious" targets in archival/libarchive/data_extract_all.c, archival/libarchive/unsafe_symlink_target.c, archival/tar.c, include/bb_archive.h, testsuite/tar.tests.
- debian/patches/CVE-2011-5325-4.patch: extract "unsafe" symlinks the same way tar/unzip does in archival/cpio.c.
- debian/patches/CVE-2011-5325-5.patch: fix symlink creation in archival/libarchive/get_header_ar.c.
- CVE-2011-5325
* SECURITY UPDATE: kernel module loading restrictions bypass
- debian/patches/CVE-2014-9645.patch: reject module names with slashes in modutils/modprobe.c.
- CVE-2014-9645
* SECURITY UPDATE: integer overflow in the DHCP client
- debian/patches/CVE-2016-2147-1.patch: fix a SEGV on malformed RFC1035-encoded domain name in networking/udhcp/domain_codec.c.
- debian/patches/CVE-2016-2147-2.patch: fix a warning in debug code in networking/udhcp/domain_codec.c.
- CVE-2016-2147
* SECURITY UPDATE: heap-based buffer overflow in the DHCP client
- debian/patches/CVE-2016-2148.patch: fix OPTION_6RD parsing in networking/udhcp/common.c, networking/udhcp/dhcpc.c.
- CVE-2016-2148
* SECURITY UPDATE: integer overflow in get_next_block
- debian/patches/CVE-2017-15873.patch: fix runCnt overflow in archival/libarchive/decompress_bunzip2.c.
- CVE-2017-15873
* SECURITY UPDATE: code execution in tab autocomplete feature
- debian/patches/CVE-2017-16544.patch: check for control characters in libbb/lineedit.c.
- CVE-2017-16544
* SECURITY UPDATE: DoS in unzip operations
- debian/patches/CVE-2015-9261-1.patch: test for a bad archive in archival/libarchive/decompress_gunzip.c, added test in testsuite/unzip.tests.
- debian/patches/CVE-2015-9261-2.patch: further fix decompression code in archival/libarchive/decompress_gunzip.c, testsuite/unzip.tests.
- CVE-2015-9261
* SECURITY UPDATE: buffer overflow in wget
- debian/patches/CVE-2018-1000517.patch: check chunk length in networking/wget.c.
- CVE-2018-1000517
* SECURITY UPDATE: out-of-bounds read in udhcp
- debian/patches/CVE-2018-20679.patch: check that 4-byte options are indeed 4-byte in networking/udhcp/common.*, networking/udhcp/dhcpc.c, networking/udhcp/dhcpd.c.
- CVE-2018-20679
* SECURITY UPDATE: incomplete fix for out-of-bounds read in udhcp
- debian/patches/CVE-2019-5747.patch: when decoding DHCP_SUBNET, ensure it is 4 bytes long in networking/udhcp/common.*, networking/udhcp/dhcpc.c.
- CVE-2019-5747

busybox-static

1:1.21.0-1ubuntu1

1:1.21.0-1ubuntu1.4

busybox (1:1.21.0-1ubuntu1.4) trusty-security; urgency=medium

* SECURITY UPDATE: directory traversal via tar symlink extraction
- debian/patches/CVE-2011-5325-1.patch: postpone creation of symlinks with "suspicious" targets in archival/libarchive/data_extract_all.c, archival/tar.c, archival/tar_symlink_attack, include/bb_archive.h, testsuite/tar.tests.
- debian/patches/CVE-2011-5325-2.patch: do not extract unsafe symlinks unless env variable is set in archival/libarchive/Kbuild.src, archival/libarchive/data_extract_all.c, archival/libarchive/unsafe_symlink_target.c, archival/tar.c, include/bb_archive.h, libbb/copy_file.c, testsuite/tar.tests.
- debian/patches/CVE-2011-5325-3.patch: postpone creation of symlinks with "suspicious" targets in archival/libarchive/data_extract_all.c, archival/libarchive/unsafe_symlink_target.c, archival/tar.c, include/bb_archive.h, testsuite/tar.tests.
- debian/patches/CVE-2011-5325-4.patch: extract "unsafe" symlinks the same way tar/unzip does in archival/cpio.c.
- debian/patches/CVE-2011-5325-5.patch: fix symlink creation in archival/libarchive/get_header_ar.c.
- CVE-2011-5325
* SECURITY UPDATE: kernel module loading restrictions bypass
- debian/patches/CVE-2014-9645.patch: reject module names with slashes in modutils/modprobe.c.
- CVE-2014-9645
* SECURITY UPDATE: integer overflow in the DHCP client
- debian/patches/CVE-2016-2147-1.patch: fix a SEGV on malformed RFC1035-encoded domain name in networking/udhcp/domain_codec.c.
- debian/patches/CVE-2016-2147-2.patch: fix a warning in debug code in networking/udhcp/domain_codec.c.
- CVE-2016-2147
* SECURITY UPDATE: heap-based buffer overflow in the DHCP client
- debian/patches/CVE-2016-2148.patch: fix OPTION_6RD parsing in networking/udhcp/common.c, networking/udhcp/dhcpc.c.
- CVE-2016-2148
* SECURITY UPDATE: integer overflow in get_next_block
- debian/patches/CVE-2017-15873.patch: fix runCnt overflow in archival/libarchive/decompress_bunzip2.c.
- CVE-2017-15873
* SECURITY UPDATE: code execution in tab autocomplete feature
- debian/patches/CVE-2017-16544.patch: check for control characters in libbb/lineedit.c.
- CVE-2017-16544
* SECURITY UPDATE: DoS in unzip operations
- debian/patches/CVE-2015-9261-1.patch: test for a bad archive in archival/libarchive/decompress_gunzip.c, added test in testsuite/unzip.tests.
- debian/patches/CVE-2015-9261-2.patch: further fix decompression code in archival/libarchive/decompress_gunzip.c, testsuite/unzip.tests.
- CVE-2015-9261
* SECURITY UPDATE: buffer overflow in wget
- debian/patches/CVE-2018-1000517.patch: check chunk length in networking/wget.c.
- CVE-2018-1000517
* SECURITY UPDATE: out-of-bounds read in udhcp
- debian/patches/CVE-2018-20679.patch: check that 4-byte options are indeed 4-byte in networking/udhcp/common.*, networking/udhcp/dhcpc.c, networking/udhcp/dhcpd.c.
- CVE-2018-20679
* SECURITY UPDATE: incomplete fix for out-of-bounds read in udhcp
- debian/patches/CVE-2019-5747.patch: when decoding DHCP_SUBNET, ensure it is 4 bytes long in networking/udhcp/common.*, networking/udhcp/dhcpc.c.
- CVE-2019-5747

clamav

0.100.2+dfsg-1ubuntu0.14.04.2

0.100.3+dfsg-0ubuntu0.14.04.1

clamav (0.100.3+dfsg-0ubuntu0.14.04.1) trusty-security; urgency=medium

* Updated to version 0.100.3 to fix security issues. (LP: #1822503)
- debian/libclamav7.symbols: updated to new version.
- CVE-2019-1787
- CVE-2019-1788
- CVE-2019-1789

curl

7.35.0-1ubuntu2.19

7.35.0-1ubuntu2.20

curl (7.35.0-1ubuntu2.20) trusty-security; urgency=medium

* SECURITY UPDATE: SMTP end-of-response out-of-bounds read
- debian/patches/CVE-2019-3823.patch: avoid risk of buffer overflow in strtol in lib/smtp.c.
- CVE-2019-3823

dnsutils

1:9.9.5.dfsg-3ubuntu0.18

1:9.9.5.dfsg-3ubuntu0.19

bind9 (1:9.9.5.dfsg-3ubuntu0.19) trusty-security; urgency=medium

* SECURITY UPDATE: assertion failure when a trust anchor rolls over to an
unsupported key algorithm when using managed-keys
- lib/dns/zone.c: enhance rfc 5011 logging
- lib/dns/include/dst/dst.h, lib/dns/zone.c: properly handle situations when the key tag cannot be computed.
- CVE-2018-5745
* SECURITY UPDATE: Controls for zone transfers may not be properly
applied to Dynamically Loadable Zones (DLZs) if the zones are writable
- bin/named/xfrout.c: handle zone transfers marked in the zone table as a DLZ zone.
- CVE-2019-6465

ghostscript

9.26~dfsg+0-0ubuntu0.14.04.4

9.26~dfsg+0-0ubuntu0.14.04.8

ghostscript (9.26~dfsg+0-0ubuntu0.14.04.8) trusty-security; urgency=medium

* SECURITY UPDATE: superexec operator is available
- debian/patches/CVE-2019-3835-pre1.patch: Have gs_cet.ps run from gs_init.ps in Resource/Init/gs_cet.ps, Resource/Init/gs_init.ps.
- debian/patches/CVE-2019-3835-pre2.patch: Undef /odef in Resource/Init/gs_cet.ps, Resource/Init/gs_init.ps.
- debian/patches/CVE-2019-3835-1.patch: restrict superexec and remove it in Resource/Init/gs_cet.ps, Resource/Init/gs_dps1.ps, Resource/Init/gs_fonts.ps, Resource/Init/gs_init.ps, Resource/Init/gs_ttf.ps, Resource/Init/gs_type1.ps.
- debian/patches/CVE-2019-3835-2.patch: obliterate superexec in Resource/Init/gs_init.ps, psi/icontext.c, psi/icstate.h, psi/zcontrol.c, psi/zdict.c, psi/zgeneric.c.
- CVE-2019-3835
* SECURITY UPDATE: forceput in DefineResource is still accessible
- debian/patches/CVE-2019-3838-1.patch: make a transient proc executeonly in Resource/Init/gs_res.ps.
- debian/patches/CVE-2019-3838-2.patch: an extra transient proc needs executeonly in Resource/Init/gs_res.ps.
- CVE-2019-3838

grub2-common

2.02~beta2-9ubuntu1.15

2.02~beta2-9ubuntu1.17

grub2 (2.02~beta2-9ubuntu1.17) trusty; urgency=medium

* debian/grub-check-signatures: check kernel signatures against keys known
in firmware, in case a kernel is signed but not using a key that will pass
validation, such as when using kernels coming from a PPA. (LP: #1789918)
* debian/patches/linuxefi_disable_sb_fallback.patch: Disallow unsigned
kernels if UEFI Secure Boot is enabled. If UEFI Secure Boot is enabled
and kernel signature verification fails, do not boot the kernel. Patch
from Linn Crosetto. (LP: #1401532)

grub-common

2.02~beta2-9ubuntu1.15

2.02~beta2-9ubuntu1.17

grub2 (2.02~beta2-9ubuntu1.17) trusty; urgency=medium

* debian/grub-check-signatures: check kernel signatures against keys known
in firmware, in case a kernel is signed but not using a key that will pass
validation, such as when using kernels coming from a PPA. (LP: #1789918)
* debian/patches/linuxefi_disable_sb_fallback.patch: Disallow unsigned
kernels if UEFI Secure Boot is enabled. If UEFI Secure Boot is enabled
and kernel signature verification fails, do not boot the kernel. Patch
from Linn Crosetto. (LP: #1401532)

grub-efi-amd64-bin

2.02~beta2-9ubuntu1.15

2.02~beta2-9ubuntu1.17

grub2 (2.02~beta2-9ubuntu1.17) trusty; urgency=medium

* debian/grub-check-signatures: check kernel signatures against keys known
in firmware, in case a kernel is signed but not using a key that will pass
validation, such as when using kernels coming from a PPA. (LP: #1789918)
* debian/patches/linuxefi_disable_sb_fallback.patch: Disallow unsigned
kernels if UEFI Secure Boot is enabled. If UEFI Secure Boot is enabled
and kernel signature verification fails, do not boot the kernel. Patch
from Linn Crosetto. (LP: #1401532)

grub-pc-bin

2.02~beta2-9ubuntu1.15

2.02~beta2-9ubuntu1.17

grub2 (2.02~beta2-9ubuntu1.17) trusty; urgency=medium

* debian/grub-check-signatures: check kernel signatures against keys known
in firmware, in case a kernel is signed but not using a key that will pass
validation, such as when using kernels coming from a PPA. (LP: #1789918)
* debian/patches/linuxefi_disable_sb_fallback.patch: Disallow unsigned
kernels if UEFI Secure Boot is enabled. If UEFI Secure Boot is enabled
and kernel signature verification fails, do not boot the kernel. Patch
from Linn Crosetto. (LP: #1401532)

grub-pc

2.02~beta2-9ubuntu1.15

2.02~beta2-9ubuntu1.17

grub2 (2.02~beta2-9ubuntu1.17) trusty; urgency=medium

* debian/grub-check-signatures: check kernel signatures against keys known
in firmware, in case a kernel is signed but not using a key that will pass
validation, such as when using kernels coming from a PPA. (LP: #1789918)
* debian/patches/linuxefi_disable_sb_fallback.patch: Disallow unsigned
kernels if UEFI Secure Boot is enabled. If UEFI Secure Boot is enabled
and kernel signature verification fails, do not boot the kernel. Patch
from Linn Crosetto. (LP: #1401532)

hhvm

3.30.2-1~trusty

4.5.0-1~trusty

hhvm (4.5.0-1~trusty) trusty; urgency=medium

intel-microcode

3.20180807a.0ubuntu0.14.04.1

3.20190514.0ubuntu0.14.04.1

intel-microcode (3.20190514.0ubuntu0.14.04.1) trusty-security; urgency=medium

* SECURITY UPDATE: new upstream datafile 20190507
- CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091
+ New Microcodes: sig 0x00050655, pf_mask 0xb7, 2018-11-16, rev 0x3000010, size 47104 sig 0x00050656, pf_mask 0xbf, 2019-01-28, rev 0x400001c, size 47104 sig 0x00050657, pf_mask 0xbf, 2019-02-27, rev 0x5000021, size 47104
+ Updated Micrcodes: sig 0x000206a7, pf_mask 0x12, 2019-02-17, rev 0x002f, size 12288 sig 0x000306a9, pf_mask 0x12, 2019-02-13, rev 0x0021, size 14336 sig 0x000306c3, pf_mask 0x32, 2019-02-26, rev 0x0027, size 23552 sig 0x000306d4, pf_mask 0xc0, 2019-03-07, rev 0x002d, size 19456 sig 0x000306e4, pf_mask 0xed, 2019-03-14, rev 0x042e, size 16384 sig 0x000306e7, pf_mask 0xed, 2019-03-14, rev 0x0715, size 17408 sig 0x000306f2, pf_mask 0x6f, 2019-03-01, rev 0x0043, size 34816 sig 0x000306f4, pf_mask 0x80, 2019-03-01, rev 0x0014, size 18432 sig 0x00040651, pf_mask 0x72, 2019-02-26, rev 0x0025, size 21504 sig 0x00040661, pf_mask 0x32, 2019-02-26, rev 0x001b, size 25600 sig 0x00040671, pf_mask 0x22, 2019-03-07, rev 0x0020, size 14336 sig 0x000406e3, pf_mask 0xc0, 2019-04-01, rev 0x00cc, size 100352 sig 0x000406f1, pf_mask 0xef, 2019-03-02, rev 0xb000036, size 30720 sig 0x00050654, pf_mask 0xb7, 2019-04-02, rev 0x200005e, size 32768 sig 0x00050662, pf_mask 0x10, 2019-03-23, rev 0x001a, size 32768 sig 0x00050663, pf_mask 0x10, 2019-03-23, rev 0x7000017, size 24576 sig 0x00050664, pf_mask 0x10, 2019-03-23, rev 0xf000015, size 23552 sig 0x00050665, pf_mask 0x10, 2019-03-23, rev 0xe00000d, size 19456 sig 0x000506c9, pf_mask 0x03, 2019-01-15, rev 0x0038, size 17408 sig 0x000506e3, pf_mask 0x36, 2019-04-01, rev 0x00cc, size 100352 sig 0x000506f1, pf_mask 0x01, 2019-03-21, rev 0x002e, size 11264 sig 0x000706a1, pf_mask 0x01, 2019-01-02, rev 0x002e, size 73728 sig 0x000806e9, pf_mask 0x10, 2019-04-01, rev 0x00b4, size 98304 sig 0x000806e9, pf_mask 0xc0, 2019-04-01, rev 0x00b4, size 99328 sig 0x000806ea, pf_mask 0xc0, 2019-04-01, rev 0x00b4, size 99328 sig 0x000806eb, pf_mask 0xd0, 2019-03-30, rev 0x00b8, size 98304 sig 0x000806ec, pf_mask 0x94, 2019-03-30, rev 0x00b8, size 97280 sig 0x000906e9, pf_mask 0x2a, 2019-04-01, rev 0x00b4, size 99328 sig 0x000906ea, pf_mask 0x22, 2019-04-01, rev 0x00b4, size 98304 sig 0x000906eb, pf_mask 0x02, 2019-04-01, rev 0x00b4, size 99328 sig 0x000906ec, pf_mask 0x22, 2019-02-14, rev 0x00ae, size 98304 sig 0x000906ed, pf_mask 0x22, 2019-03-17, rev 0x00b8, size 97280
+ Reinstated Microcodes: sig 0x00050653, pf_mask 0x97, 2018-01-29, rev 0x1000140, size 30720

landscape-common

14.12-0ubuntu6.14.04.3

14.12-0ubuntu6.14.04.4

landscape-client (14.12-0ubuntu6.14.04.4) trusty; urgency=medium

* debian/patches/nutanix-kvm.patch: Update vm_info.py to include Nutanix
hypervisor. (LP: #1788219)
* Fixes for release-upgrade (LP: #1699179).
- debian/patches/1699179-release-upgrade-check.diff: Check if ubuntu- release-upgrader is running before apt-update. (LP: #1699179)
- debian/patches/release-upgrade-success.patch: Enable landscape-client to survive trusty upgrade. (LP: #1670291)
- debian/patches/post-upgrade-reboot.patch: Force reboot operation in case systemd fails. (LP: #1670291)
* debian/patches/1616116-resync-loop.patch:
Clear hash id database on package resync. (LP: #1616116)

php5

5.5.9+dfsg-1ubuntu4.26

5.5.9+dfsg-1ubuntu4.29

php5 (5.5.9+dfsg-1ubuntu4.29) trusty-security; urgency=medium

* SECURITY UPDATE: Unauthorized users access
- debian/patches/CVE-2019-9637.patch: fix in main/streams/plain_wrapper.c.
- CVE-2019-9637
* SECURITY UPDATE: Invalid read in exif_process_IFD_MAKERNOTE
- debian/patches/CVE-2019-9638-and-CVE-2019-9639-*.patch: fix in ext/exif/exif.c, added tests in ext/exif/tests/bug77563.jpg, ext/exif/tests/bug77563.phpt.
- CVE-2019-9638
- CVE-2019-9639
* SECURITY UPDATE: Invalid read
- debian/patches/CVE-2019-9640.patch: fix in ext/exif/exif.c, added tests in ext/exif/tests/bug77540.jpg, ext/exif/tests/bug77540.phpt.
- CVE-2019-9640
* SECURITY UPDATE: Unitialized read
- debian/patches/CVE-2019-9641.patch: fix in ext/exif/exif.c.
- CVE-2019-9641
* SECURITY UPDATE: Buffer overflow
- debian/patches/CVE-2019-9675.patch: fix in ext/phar/tar.c, added tests, ext/phar/tests/bug77586,phpt, ext/phar/tests/bug77586/files/*.
- CVE-2019-9675
* Changed the way MAKERNOTE is handled in case we do not have a matching
signature, in order to support tests CVE-2019-9638 and CVE-2019-9639.
- debian/patches/Changed-the-way-MAKERNOTE-is-handled-in-case.patch: fix it changing the behavior in order to continue the parse in ext/exif/exif.c
* SECURITY UPDATE: buffer over-read in dns_get_record
- debian/patches/CVE-2019-9022.patch: check length in ext/standard/dns.c.
- CVE-2019-9022

libarchive13

3.1.2-7ubuntu2.7

3.1.2-7ubuntu2.8

libarchive (3.1.2-7ubuntu2.8) trusty-security; urgency=medium

* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2019-1000019.patch: fix in libarchive/archive_read_support_format_7zip.c.
- CVE-2019-1000019
* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2019-1000020.patch: fix in libarchive/archive_read_support_format_iso9660.c.
- CVE-2019-1000020

libavahi-client3

0.6.31-4ubuntu1.2

0.6.31-4ubuntu1.3

avahi (0.6.31-4ubuntu1.3) trusty-security; urgency=medium

* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2017-6519-and-CVE-2018-1000845.patch: fix in avahi-core/server.c.
- CVE-2017-6519
- CVE-2018-1000845

libavahi-common3

0.6.31-4ubuntu1.2

0.6.31-4ubuntu1.3

avahi (0.6.31-4ubuntu1.3) trusty-security; urgency=medium

* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2017-6519-and-CVE-2018-1000845.patch: fix in avahi-core/server.c.
- CVE-2017-6519
- CVE-2018-1000845

libavahi-common-data

0.6.31-4ubuntu1.2

0.6.31-4ubuntu1.3

avahi (0.6.31-4ubuntu1.3) trusty-security; urgency=medium

* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2017-6519-and-CVE-2018-1000845.patch: fix in avahi-core/server.c.
- CVE-2017-6519
- CVE-2018-1000845

libbind9-90

1:9.9.5.dfsg-3ubuntu0.18

1:9.9.5.dfsg-3ubuntu0.19

bind9 (1:9.9.5.dfsg-3ubuntu0.19) trusty-security; urgency=medium

* SECURITY UPDATE: assertion failure when a trust anchor rolls over to an
unsupported key algorithm when using managed-keys
- lib/dns/zone.c: enhance rfc 5011 logging
- lib/dns/include/dst/dst.h, lib/dns/zone.c: properly handle situations when the key tag cannot be computed.
- CVE-2018-5745
* SECURITY UPDATE: Controls for zone transfers may not be properly
applied to Dynamically Loadable Zones (DLZs) if the zones are writable
- bin/named/xfrout.c: handle zone transfers marked in the zone table as a DLZ zone.
- CVE-2019-6465

libc6

2.19-0ubuntu6.14

2.19-0ubuntu6.15

eglibc (2.19-0ubuntu6.15) trusty-security; urgency=medium

* Fix NSS loading for static binaries (LP: #1821752)
- debian/patches/any/local-static-dlopen-search-path.diff: fix static dlopen default library search path in elf/dl-support.c.

libc-bin

2.19-0ubuntu6.14

2.19-0ubuntu6.15

eglibc (2.19-0ubuntu6.15) trusty-security; urgency=medium

* Fix NSS loading for static binaries (LP: #1821752)
- debian/patches/any/local-static-dlopen-search-path.diff: fix static dlopen default library search path in elf/dl-support.c.

libdns100

1:9.9.5.dfsg-3ubuntu0.18

1:9.9.5.dfsg-3ubuntu0.19

bind9 (1:9.9.5.dfsg-3ubuntu0.19) trusty-security; urgency=medium

* SECURITY UPDATE: assertion failure when a trust anchor rolls over to an
unsupported key algorithm when using managed-keys
- lib/dns/zone.c: enhance rfc 5011 logging
- lib/dns/include/dst/dst.h, lib/dns/zone.c: properly handle situations when the key tag cannot be computed.
- CVE-2018-5745
* SECURITY UPDATE: Controls for zone transfers may not be properly
applied to Dynamically Loadable Zones (DLZs) if the zones are writable
- bin/named/xfrout.c: handle zone transfers marked in the zone table as a DLZ zone.
- CVE-2019-6465

libgd3

2.1.0-3ubuntu0.10

2.1.0-3ubuntu0.11

libgd2 (2.1.0-3ubuntu0.11) trusty-security; urgency=medium

* SECURITY UPDATE: buffer overflow in gdImageColorMatch
- debian/patches/CVE-2019-6977.patch: use gdMaxColors in src/gd_color_match.c.
- CVE-2019-6977
* SECURITY UPDATE: double-free in gdImage*Ptr() functions
- debian/patches/CVE-2019-6978.patch: properly handle failure in src/gd_gif_out.c, src/gd_jpeg.c, src/gd_wbmp.c, add test to tests/jpeg/CMakeLists.txt, tests/jpeg/jpeg_ptr_double_free.c.
- CVE-2019-6978

libgudev-1.0-0

1:204-5ubuntu20.29

1:204-5ubuntu20.31

systemd (204-5ubuntu20.31) trusty-security; urgency=medium

* SECURITY UDPATE: Unsafe environment usage in pam_systemd.so leads to
incorrect Policykit authorization
- debian/patches/CVE-2019-3842.patch: Use secure_getenv() rather than getenv() in pam_systemd.c
- CVE-2019-3842

libisc95

1:9.9.5.dfsg-3ubuntu0.18

1:9.9.5.dfsg-3ubuntu0.19

bind9 (1:9.9.5.dfsg-3ubuntu0.19) trusty-security; urgency=medium

* SECURITY UPDATE: assertion failure when a trust anchor rolls over to an
unsupported key algorithm when using managed-keys
- lib/dns/zone.c: enhance rfc 5011 logging
- lib/dns/include/dst/dst.h, lib/dns/zone.c: properly handle situations when the key tag cannot be computed.
- CVE-2018-5745
* SECURITY UPDATE: Controls for zone transfers may not be properly
applied to Dynamically Loadable Zones (DLZs) if the zones are writable
- bin/named/xfrout.c: handle zone transfers marked in the zone table as a DLZ zone.
- CVE-2019-6465

libisccc90