
Posts Tagged ‘CVE’

Tumbleweed’s July Snapshots Are Trending Strong

July 11th, 2019 by

There have been a total of five openSUSE Tumbleweed snapshots since the beginning of July and all the snapshots have a strong, stable rating.

The rolling release had the most updates arrive in the 20190702 snapshot. The package updates in that snapshot included Mesa 19.1.1 and Mesa-drivers 19.1.1, which had fixes for the Intel ANV and AMD RADV drivers as well as the Nouveau and R300 Gallium3D drivers. The bzip2 file compression application fixed undefined behavior in its macros in version 1.0.7 and fixed a low-impact Common Vulnerabilities and Exposures (CVE) entry. The programming language package guile was updated to version 2.2.5 and provided bootstrap optimization. Portability improvements were made in libsodium 1.0.18, the library for encryption, decryption, signatures and password hashing. A major release of PulseAudio’s Volume Control package, pavucontrol 4.0, was made; the new version dropped support for Gtk+ 2 and added more than a handful of new language translations.

The most recent snapshot, 20190708, didn’t offer a changelog due to the server that the web app uses to produce the changelogs being upgraded to Leap 15.1. The changelog is expected to be included in the next snapshot that is released.

Just two packages were updated in the 20190704 snapshot. The newer vhba-kmp file system package, from April 2019, fixed a crash when mounting a disk image with the 5.1 Linux Kernel. The vm-install 0.10.07 package, a tool to define a virtual machine and install its operating system, addressed the deprecated ‘builder’ option in the config file, which produced an error when used.

The first snapshot of the month, 20190701, didn’t provide any new package releases, but there were some changes made to a few packages, like the one to llvm8 (Low Level Virtual Machine) that increases the RAM available to armv6/7 builds to avoid the undesirable out-of-memory (OOM) state. A patch was also dropped from the same package.

A few package updates were made available in the 20190703 snapshot. The Linux Kernel was updated to 5.1.15. The updated kernel offered some fixes for MediaTek MultiMediaCard (MMC) flow and detection issues and it enabled the System Management Bus (SMBus) on the Lenovo ThinkPad E480 and E580. KDE’s hex editor for viewing and editing binary files, okteta 0.26.2, extended the maximum array size in structures to 64K.

All snapshots released this month so far have recorded a stable rating of 93 or higher, according to the Tumbleweed snapshot reviewer.

Mesa, VirtualBox, Ceph, NetworkManager Packages Update in Tumbleweed

June 6th, 2019 by

Three openSUSE Tumbleweed snapshots have been released in the first four days of June, which bring several minor package updates to the rolling release.

The 20190604 snapshot brought babl 0.1.64, which provided some code consistency fixes and GitLab Continuous Integration (CI), autotools and meson build improvements. An accident in naming caused the 0.3.2 version of bubblewrap to become version 0.3.3. However, bubblewrap 0.3.3 did address a Common Vulnerabilities and Exposures (CVE) entry, provided a few smaller fixes and added the JSON Application Programming Interface (API) that allows reading the inner process exit code. GNU Compiler Collection 8 had some updates that included a couple of patches, one of which makes builds without profiling reproducible. Generic Graphics Library gegl 0.4.16 also added GitLab CI and uses a custom allocator for tile data, which aligns data and groups allocations in blocks; on Linux this uses the GNU extension malloc_trim to force invocation of the glibc malloc/free allocator’s garbage collection function. Oracle’s VirtualBox 6.0.8 had a minor maintenance release that fixed a crash when powering off a Virtual Machine without a graphics controller, and xorg-x11-server 1.20.5 fixed some input issues. The snapshot is currently trending at a 96 rating, according to the snapshot reviewer.

Snapshot 20190603 updated Mesa and Mesa-drivers to version 19.0.5 and fixed issues in some core code and drivers. NetworkManager 1.16.2 fixed wrong permissions on the /var/lib/NetworkManager/secret_key file. Ceph’s minor version update disabled Link Time Optimisation in the spec file when it is being used. GNOME 3.32.2 had several package updates and fixes, including a fix for a regression that caused the fonts category to go missing. Tumbleweed skipped over the 1.3.0 series of Flatpak directly to version 1.4.0. The major changes since 1.2.4 are the improved I/O use for system-installed applications and the new format for pre-configured remotes. Glib2 2.60.3 updated translations and provided various fixes to the small key/value support in GHashTable. Scripting language php7 7.3.6 added a missing curl_version and fixed several other bugs. The snapshot is currently trending at a 95 rating, according to the snapshot reviewer.

The snapshot that started out the month, 20190601, updated the Linux Kernel to 5.1.5, which fixed a data loss bug. Flatpak-builder 1.0.7 fixed some details in how platform commits are created to fix font cache mtime issues. Among the other package updates in the snapshot were GNOME’s image viewer gthumb 3.8.0, ibus-libpinyin 1.11.1, libopenmpt 0.4.5, qalculate 3.2.0, rdesktop 1.8.6, which fixed the protocol code handling new licenses, and yast2-support 4.1.1. The snapshot is currently trending at a 90 rating, according to the snapshot reviewer.

Tumbleweed Snapshots Deliver Curl, Salt, FFmpeg Package Updates

April 18th, 2019 by

Three quality openSUSE Tumbleweed snapshots were released since last Thursday with updated packages for Curl, Salt, FFmpeg and more.

Mozilla Firefox had a minor release, version 66.0.3, in the latest Tumbleweed 20190415 snapshot. The browser addressed some performance issues with some HTML5 games and provided a Baidu search plugin for Chinese users and China’s Internet space. The command-line tool for transferring data using various protocols, curl 7.64.1, fixed many bugs and added additional libraries to check for Lightweight Directory Access Protocol (LDAP) support. The update of libvirt 5.2.0 dropped a few patches and added several new features, like Storage Pool Capabilities to get a more detailed XML output for the virConnectGetStoragePoolCapabilities Application Programming Interface (API); libvirt also enabled firmware autoselection for the open-source emulator QEMU. The newest salt 2019.2.0 package in Tumbleweed enhanced network automation and broadened support for a variety of network operating systems, with features for configuration manipulation and operational command execution. Salt 2019.2.0 also added the ability to run playbooks through the playbooks function, and it includes an ansible playbooks state module, which can be used on a targeted host to run ansible playbooks or used in an orchestration state runner. The snapshot was trending at a 95 rating at the time of publishing this article, according to the Tumbleweed snapshot reviewer.

Snapshot 20190412 was trending at a 94 and brought an update to Ceph that added a separate option to configure a Secure Sockets Layer (SSL) port. The cifs-utils 6.9 package, which is part of the Samba Project, added fixes for Azure and removed several patches. The libssh2_org 1.8.2 package fixed a misapplied patch that broke its previous version. A few YaST packages had some updates, like the yast2-storage-ng 4.2.5 package that allows for a new format for importing/exporting Network File System (NFS) drives.

The 20190411 snapshot started off the week and it posted a moderately stable rating of 89. This snapshot brought the 5.0.7 Linux Kernel, which included a mitigation related to the ptrace system call on PowerPC. There were some bug fixes for codecs, filters and formats in the ffmpeg 4.1.3 update. The JavaScript Bindings for GNOME, gjs 1.56.0, had a significantly large changelog recording info from the previous 1.54.3 version that was in Tumbleweed. The previous logs identified a GNU Compiler Collection 9 bug and added some ESLint rules. The new version was a stable version bump. The python-kiwi 9.17.35 package fixed regressions for the kiwi-repart dracut module. The wget 1.20.3 package fixed the buffer overflow vulnerability tracked as CVE-2019-5953. Text editor vim 8.1.1137 fixed several bugs, including a Python test that didn’t wipe out a hidden buffer and a space in the number column that was on the wrong side with ‘rightleft’ set.

Tumbleweed Rolls with Package Updates of Git, Virtualbox, OpenSSH

December 6th, 2018 by

openSUSE’s rolling release Tumbleweed had a total of five snapshots this week and is preparing for an update to the KDE Plasma 5.14.4 packages in forthcoming snapshots.

The five Tumbleweed snapshots this week brought the 4.19.5 Linux Kernel, which was the only package updated in the 20181130 snapshot. The kernel-source 4.19.5 package added a force option for the pciserial device on the x86 architecture and fixed the HiperSockets sniffer on the s390 architecture.

The most recently released snapshot, 20181204, had more than a dozen packages updated. GNOME’s application for managing Flickr image hosting accounts, frogr 1.5, fixed issues with the content and installation of the AppData file and moved the functionality menu. GNOME’s goffice had a version bump to 0.10.44. Various rubygem packages were updated, and the most significant change among them was that rubygem-pry 0.12.2 dropped support for Rubinius. Both python-boto3 1.9.57 and python-botocore 1.12.57 had multiple application programming interface (API) changes. The obs-service-set_version 0.5.11 package needed some “python stuff”, per its changelog, and now allows running tests with python3.

The first snapshot to arrive in December was snapshot 20181203. Among the package changes were an update to checkmedia 4.1, which fixed digest calculation in tagmedia, GNOME’s framework for media discovery grilo 0.3.7, and distributed compiler icecream 1.2, which improved load calculations and also cleaned up the general code. A python-docutils build dependency was added with cifs-utils 6.8, and elfutils 0.175 fixed three Common Vulnerabilities and Exposures (CVE) issues. Major changes came with the man 2.8.4 package. One of the changes has decompressors read from their standard input rather than redundantly passing them the input file on their command line; this works better with downstream AppArmor confinement of decompressors, since a confined decompressor then needs no rule granting it read access to the page file itself. VirtualBox 5.2.22 fixed a regression in the Core Audio backend that caused a hang when returning from host sleep while processing input buffers, and webkit2gtk3 2.22.4 fixed several crashes and rendering issues, including a crash when using graphics library Cairo versions between 1.15 and 1.16.0.


Thunderbird, YaST, Sudo Updates Arrive in Tumbleweed

November 29th, 2018 by

Three openSUSE Tumbleweed snapshots were released since the last blog.

The three Tumbleweed snapshots this week brought a newer Linux Kernel, several rubygem package updates and improvements for an Xfce support library.

Snapshot 20181126 brought the 4.19.4 Linux Kernel, which fixed accelerated VLAN handling and fixed a memory leak with Nouveau secure boot. Yet another Setup Tool (YaST) had some updates with yast2-fonts 4.0.2, which changes the desktop file fonts to system-wide fonts, and multiple translations were also updated with the yast2-trans package. The support library for the Xfce desktop environment, exo, updated to version 0.12.3; it improved layout spacing and alignment and hides the exo launchers from GNOME Software. The cross-platform Integrated Development Environment kdevelop5 5.3.0 brought improved language support for php, python and c++; it also offers a new clazy analyzer plugin. Multiple other libraries were updated, including libjansson 2.11, libsemanage 2.8, libsepol 2.8, libzypp 17.9.0 and more. Several rubygem packages were updated in the snapshot and rubygem-bundler 1.17.1 had a significant amount of additions and improvements, including a new config option to disable platform warnings. The mailutils 3.5 package for the handling of email fixed a bug in the base64 encoder. Parser generator bison 3.2.2 brought massive improvements to the deterministic C++ skeleton, lalr1.cc, and the library for manipulation of TIFF images, tiff 4.0.10, incorporated upstream fixes for 10 Common Vulnerabilities and Exposures (CVE) entries, so the corresponding downstream patches were removed.

Eight packages were updated in the 20181122 snapshot; three of them were YaST associated packages like yast2-ntp-client 4.1.6, which aligned the “Synchronize Now” button and “NTP Server Address” box in a way that doesn’t break the previous fix and does not hide the manual checkbox in TextMode. The fourth release candidate of the free implementation of the Remote Desktop Protocol (RDP), freerdp 2.0.0, added support to set the Transport Layer Security (TLS) security level for openssl 1.1.0 and also added smartcard support for substring filters. Sudo now treats the LOGNAME and USER environment variables (as well as the LOGIN variable on AIX) as a single unit with the update to sudo 1.8.26: if one of them is preserved in or removed from the environment by the sudoers policy (for example through env_keep or env_delete), the other is handled the same way, so the two can no longer disagree about who the invoking user is. The update also added support for the OpenLDAP TLS_REQCERT setting in ldap.conf. The xapian-core 1.4.9 package fixed a bug in the efficient handling of inserting a batch of extra positions in ascending order, which could lead to missing positions and corrupted encoded positional data, according to the changelog.


Tumbleweed Gets New Versions of KDE Applications, Krita, Apache Subversion

October 19th, 2018 by

Since last week’s openSUSE Tumbleweed update, there were two snapshots released that brought KDE users a newer version of Applications 18.08.2 and all Tumbleweed users could update to Linux Kernel 4.18.13.

Last week brought newer versions of KDE’s Plasma 5.14 and Frameworks 5.50.0, and this week the arrival of Applications 18.08.2 came in snapshot 20181015. Applications 18.08.2 contained only bug fixes and translation updates. Among the key bug fixes: dragging a file in Dolphin no longer accidentally triggers inline renaming; KCalc again allows both ‘dot’ and ‘comma’ keys when entering decimals; and a visual glitch in the Paris card deck for KDE’s card games was fixed. Snapshot 20181015 had a few other updated packages, like the open source painting program krita 4.1.5, which fixed a missing shortcut from the Fill Tool tooltip and changed to importing SVG files as vector layers instead of pixel layers. The ibus-table 1.9.21 update, an engine framework for table-based input methods, migrated IBusConfig to GSettings; for non-GNOME users, the input mode is now drawn as text instead of an icon in the panel. The 4.18.13 Linux Kernel was also included in the snapshot and fixed an unexpected failure of nocow buffered writes on Btrfs after snapshotting when a user is low on space; the newer kernel also added support for Apple Magic Keyboards. Python-jedi 0.13.1 removed Python 3.3 support. The Apache version-control package subversion 1.10.3 fixed conflict resolver crashes and an endless scan in some cases.

Snapshot 20181012 brought several new packages, including an update of Mozilla Thunderbird 60.2.1. The email client has some calendar changes and security fixes, including a fix for CVE-2018-12383, which is related to stored passwords. The open-source audio platform audacity 2.3.0 was updated in the snapshot and it now has the ability to resize the toolbars controlling volume and speed for greater precision. GStreamer and several of its plugins were updated to version 1.14.4, which added functionality needed for the Media Source Extensions (MSE) use case, fixing YouTube playback in epiphany/webkit-gtk. There were many incremental improvements and bug fixes with libvirt 4.8.0, which was released earlier this month, including that the libxl driver now supports the virDomainPMSuspendForDuration and virDomainPMWakeup Application Programming Interfaces (APIs). Compiling the parser generator Bison now requires a C99 compiler with the update to the bison 3.1 package. Other packages updated in the 20181012 snapshot were gpgme 1.12.0, which provided a major overhaul of the Python language bindings documentation, gthumb 3.6.2, libzypp 17.7.2, python-Pillow 5.3.0, snapper 0.6.1, and sqlite3 3.25.2.

Both snapshots are trending a stable rating of 94 or above according to the Tumbleweed snapshot reviewer.

Latest Tumbleweed Snapshot Brings Major Versions of Flatpak, qemu, Thunderbird, Nano

September 14th, 2018 by

Since the last openSUSE Tumbleweed update, three snapshots have been released and the latest snapshot has brought two new major versions of both Flatpak and qemu.

On the heels of the Libre Application Summit last week, a conference focusing on sandboxing and application distribution, a new major version of Flatpak was released in Snapshot 20180911. Flatpak 1.0 marks a significant improvement in performance and reliability, and includes a big collection of bug fixes along with a collection of new features. Naturally, libostree 2018.8 was updated with Flatpak and added a new feature that provides an auto-update-summary config option for repositories. The major version bump of the full-system emulator qemu to 3.0.0 isn’t necessarily significant. The changelog states not to “read anything into the major version number update. It’s been decided to increase the major version number each year.” Yet there is improved support for nested Kernel-based Virtual Machine (KVM) guests running on Hyper-V. The project did emphasize that ongoing feature deprecation is tracked both at http://wiki.qemu-project.org/Features/LegacyRemoval and in Appendix B of the qemu-doc.* files installed with the qemu package. Mesa 18.1.7 had a handful of fixes and once again added wayland to egl_platforms. The Linux Kernel 4.18.7 added support for the Intel Ice Lake microarchitecture in the snapshot. There were several other minor updates in the snapshot, but the nodejs10 update to version 10.9.0 brought a few Common Vulnerabilities and Exposures (CVE) fixes and upgraded dependencies to OpenSSL 1.0.2.

Mozilla Thunderbird also received a major version update this week in snapshot 20180910. Thunderbird 60.0 improved message handling and composing and also provided Internet Message Access Protocol (IMAP) fixes. A list of CVEs was addressed with the update, and the email client also added support for OAuth2 and FIDO U2F. Pixel format translation library babl updated its license to LGPL 3.0 with the version update to 0.1.56. The library and command-line tool for transferring data using various protocols known as curl had several changes in version 7.61.1 and now warns the user if a given file name looks like an option. The GNOME Web browser package epiphany 3.28.4 fixes a crash on homedepot.com and improved the performance of the adblocker. The 4.18.6 kernel was made available in this snapshot. Text editor nano 3.0 also had a major version update and provided some speed improvements. PDF renderer poppler 0.68.0 added Reason and Location to SignatureInfo. Web developers will be happy to see webkit2gtk3 2.22.0. The updated webkit2gtk3 package provides a new JavaScriptCore GLib application programming interface (API) and added playbin3 support to the GStreamer media backend.


Tumbleweed Snapshots Bring Changes for KVM, QEMU, Xen

August 23rd, 2018 by

Two openSUSE Tumbleweed snapshots were once again released this past week, which included two Linux Kernel updates.

The most recent snapshot, 20180818, updated the kernel to version 4.18.0, which brought many changes for KVM (Kernel-based Virtual Machine). Mozilla Firefox 61.0.2 improved website rendering with the Retained Display List feature enabled and also fixed broken DevTools panels. The ffmpeg 4.0.2 package in the snapshot added conditional package configuration and AOMedia Video 1 (AV1) support. The Netfilter project’s nftables was restored as the default backend with firewalld 0.6.1, and nftables and iptables can now co-exist after a bug fix with the ‘nat’ table from the 4.18 kernel. The Command Line Interface configuration utility for wireless devices known as iw added support in its 4.14 release for all the new kernel features of kernel 4.14. The HTTP client/server library for GNOME, libsoup 2.62.3, now uses atomic refcounting in classes that are not using GObject refcounting. Linux Kernel 4.16 or higher is needed for the strace 4.24 package, which implemented decoding of the KVM vcpu (virtual central processing unit) exit reason as an option, and yast2-http-server 4.1.1 fixed PHP support by dropping php5 and using php7.

The 20180815 Tumbleweed snapshot had the last 4.17 kernel, with an update from Kernel 4.17.3 to 4.17.4. The new 7.0.8.9 version of ImageMagick has the XBM coder leave the hex image data uninitialized if the hex value of the pixel is negative. Several fixes were made with btrfsprogs 4.17.1, and the ability to fix wrong ram_bytes for compressed inline files was also added with the package update in the snapshot. The advanced twin-panel file manager for KDE Plasma, krusader 2.7.1, had a few fixes, including a fix to the search bar in the application that showed results for a file that was deleted. The qemu 2.12.1 package dropped several patches and the update gave new mitigation functionality for CVE-2018-3639 (Speculative Store Bypass). Caching proxy squid 4.2 provided fixes for GNU Compiler Collection 8 and a missing pointer. There were also several patches in the xen 4.11.0 update for GCC 8, and the yast2-storage-ng 4.1.4 update addressed the partitioner, which now displays Xen virtual partitions and allows users to format and mount them.

Snapshot 20180815 recorded a stable rating of 93 on the snapshot reviewer and 20180818 is currently trending a moderate rating of 86.

Language, Networking Packages Get Updates in Tumbleweed

August 16th, 2018 by

There were two openSUSE Tumbleweed snapshots this past week that mostly focused on language and network packages.

The Linux Kernel also received an update a couple days ago to version 4.17.13.

The packages in the 20180812 Tumbleweed snapshot brought fixes in NetworkManager-applet 1.8.16, which also modernized the package for GTK 3 use in preparation for GTK 4. The free Remote Desktop Protocol client freerdp 2.0.0 had its third release candidate, which improved automatic reconnects, added Wave2 support and fixed automount issues. More network device card IDs for the Intel 9000 series were added in kernel 4.17.13. A jump from libstorage-ng 4.1.0 to version 4.1.10 brought several translations and added a unit test for probing xen xvd devices. Two Common Vulnerabilities and Exposures (CVE) fixes were made with the update to postgresql 10.5. Several rubygem packages were updated to version 5.2.1, including rubygem-rails 5.2.1, which makes the generated master.key file read-only for the owner on POSIX-compliant systems, so that the credentials key is no longer readable by other accounts on the host. Processing XML and HTML with python-lxml 4.2.4 should have fewer crashes thanks to a fix for sporadic crashes during garbage collection when parse-time schema validation is used and the parser participates in a reference cycle. Several YaST packages received updates, including a new ServiceWidget to manage the service status with yast2-ftp-server 4.1.3 as well as the yast2-http-server, yast2-slp-server and yast2-squid 4.1.0 versions.
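The Rails master.key change above and the NetworkManager secret_key permission fix noted in the June 2019 snapshot summary are both cases of a secret file left readable by accounts other than its owner. The shell script below is an added example, not Rails, NetworkManager or openSUSE project code, of the check a practitioner would run after such an update to confirm no secret file on the host still grants group or world access. It assumes GNU stat with the -c option, as shipped on openSUSE; the paths in the commented invocation are illustrative.

```shell
#!/bin/sh
# Added example, not Rails, NetworkManager or openSUSE code: report secret
# files whose mode grants any group or other permission. Assumes GNU stat (-c),
# as shipped on openSUSE; the paths in the commented invocation are illustrative.

# secret_file_mode_ok PATH -> returns 0 if PATH is a regular file with no
# group/other permission bits set, 1 otherwise (a missing file also fails).
secret_file_mode_ok() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1") || return 1
    # %a is octal (e.g. 600, 400, 4700); mask out everything but group/other.
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# audit_secret_files PATH... -> prints "PATH MODE" for every file that fails
# secret_file_mode_ok and returns 1; prints nothing and returns 0 when all pass.
audit_secret_files() {
    rc=0
    for f in "$@"; do
        if ! secret_file_mode_ok "$f"; then
            printf '%s %s\n' "$f" "$(stat -c '%a' "$f" 2>/dev/null || echo missing)"
            rc=1
        fi
    done
    return "$rc"
}

# Typical invocation after the updates described above (paths illustrative):
# audit_secret_files /var/lib/NetworkManager/secret_key /srv/app/config/master.key
```

The check deliberately looks only at the group/other bits, so a file at mode 0400 (Rails' "read-only for the owner") and one at 0600 (a service's private key material) both pass, while 0640 or 0644 are reported with their actual mode.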

The snapshot from 20180808 brought the firewalld 0.6.0 version, which switched back to an ‘iptables’ backend as the default; “loads of new services” were added in the newer version, and firewall-config added ipv6-icmp to the protocol dropdown box. The Linux Filesystem in Userspace interface, fuse 2.9.8, provided a security update for systems where SELinux is active. The security update stops unprivileged users from specifying the allow_other option when it is forbidden in /etc/fuse.conf, that is, when the user_allow_other directive is not set there. The snapshot also updated yast2-network 4.1.5, which fixes the networking AutoYaST schema.
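The fuse fix above closes a gap between what /etc/fuse.conf permits and what an unprivileged user could actually mount. As an added example (not libfuse or openSUSE code) of how to audit a host for that gap, the POSIX shell functions below read the user_allow_other directive from fuse.conf text and list the FUSE mounts in /proc/self/mounts text that carry allow_other, then flag the non-root ones whenever the directive is disabled. The configuration and mount-table lines embedded in the script are constructed sample input; the commented invocation at the end reads the live files instead.

```shell
#!/bin/sh
# Added example, not libfuse or openSUSE code: audit FUSE allow_other usage
# against the /etc/fuse.conf policy. Assumes fuse.conf syntax (a bare
# "user_allow_other" line enables the option for unprivileged users) and the
# /proc/self/mounts line format "dev mountpoint fstype options 0 0".

# fuse_user_allow_other CONF_TEXT -> prints "enabled" or "disabled".
# Comments (# to end of line) and blank lines are ignored.
fuse_user_allow_other() {
    if printf '%s\n' "$1" | sed 's/#.*//' |
       grep -q '^[[:space:]]*user_allow_other[[:space:]]*$'; then
        echo enabled
    else
        echo disabled
    fi
}

# fuse_allow_other_mounts MOUNTS_TEXT -> prints "mountpoint user_id=N" for every
# FUSE mount whose option list contains allow_other; prints nothing otherwise.
fuse_allow_other_mounts() {
    printf '%s\n' "$1" | awk '$3 ~ /^fuse/ {
        n = split($4, opts, ",")
        uid = "unknown"; allow = 0
        for (i = 1; i <= n; i++) {
            if (opts[i] == "allow_other") allow = 1
            if (index(opts[i], "user_id=") == 1) uid = substr(opts[i], 9)
        }
        if (allow) print $2, "user_id=" uid
    }'
}

# fuse_policy_violations CONF_TEXT MOUNTS_TEXT -> prints the non-root FUSE
# mounts that use allow_other although fuse.conf does not permit it. Before
# fuse 2.9.8 an unprivileged user could create such a mount anyway, so a
# non-empty result on a host with an older fusermount is worth investigating.
fuse_policy_violations() {
    [ "$(fuse_user_allow_other "$1")" = disabled ] || return 0
    fuse_allow_other_mounts "$2" | grep -v ' user_id=0$' || true
}

# Constructed sample input (not taken from a real host).
SAMPLE_CONF='# /etc/fuse.conf
# mount_max = 1000
user_allow_other'

SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime 0 0
host:/srv /home/alice/remote fuse.sshfs rw,nosuid,nodev,relatime,user_id=1000,group_id=100 0 0
encfs /home/bob/vault fuse.encfs rw,nosuid,nodev,relatime,user_id=1001,group_id=100,allow_other 0 0
gvfsd-fuse /run/user/1000/gvfs fuse.gvfsd-fuse rw,nosuid,nodev,relatime,user_id=1000,group_id=100 0 0'

# Demonstration on the sample data:
echo "user_allow_other: $(fuse_user_allow_other "$SAMPLE_CONF")"
echo "allow_other mounts:"; fuse_allow_other_mounts "$SAMPLE_MOUNTS"
echo "violations with a restrictive fuse.conf:"
fuse_policy_violations '# user_allow_other' "$SAMPLE_MOUNTS"

# On a live system run instead:
# fuse_policy_violations "$(cat /etc/fuse.conf 2>/dev/null)" "$(cat /proc/self/mounts)"
```

Mounts owned by root (user_id=0) are excluded from the violation list because root may use allow_other regardless of the directive; the interesting case is a non-root user_id combined with allow_other on a host whose fuse.conf never granted it.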

Snapshot 20180808 recorded a stable rating of 95 on the snapshot reviewer and 20180812 is trending at a 96 rating.