
Posts Tagged ‘CVE’

Tumbleweed Gets New Versions of KDE Applications, Krita, Apache Subversion

October 19th, 2018 by

Since last week’s openSUSE Tumbleweed update, there were two snapshots released that brought KDE users a newer version of Applications 18.08.2 and all Tumbleweed users could update to Linux Kernel 4.18.13.

Last week brought newer versions of KDE’s Plasma 5.14 and Frameworks 5.50.0, and this week the arrival of Applications 18.08.2 came in snapshot 20181015. Applications 18.08.2 contained only bug fixes and translation updates. Among the key bug fixes: dragging a file in Dolphin no longer accidentally triggers inline renaming; KCalc again allows both ‘dot’ and ‘comma’ keys when entering decimals; and a visual glitch in the Paris card deck for KDE’s card games was fixed. Snapshot 20181015 had a few other updated packages like the open source painting program krita 4.1.5, which fixed a missing shortcut in the Fill Tool tooltip and changed to importing SVG files as vector layers instead of pixel layers. The ibus-table 1.9.21 update, which is an engine framework for table-based input methods, migrated IBusConfig to GSettings; on non-GNOME desktops, the InputMode is drawn as text instead of an icon in the panel. The 4.18.13 Linux Kernel was also included in the snapshot and fixed an unexpected failure of nocow buffered writes for Btrfs after snapshotting when a user is low on space; the newer kernel also added support for Apple Magic Keyboards. Python-jedi 0.13.1 removed Python 3.3 support. The Apache version-control package subversion 1.10.3 fixed conflict resolver crashes and an endless scan in some cases.

Snapshot 20181012 brought several new packages including an update of Mozilla Thunderbird 60.2.1. The email client has some calendar changes and security fixes including a fix of CVE-2018-12383 that is related to stored passwords. The open-source audio platform audacity 2.3.0 was updated in the snapshot and it now has the ability to resize the toolbars controlling volume and speed for greater precision. Gstreamer and several of its plugins were updated to version 1.14.4, which added functionality needed for Mean Squared Error (MSE) use case fixing YouTube playback in epiphany/webkit-gtk. There were many incremental improvements and bug fixes with libvirt 4.8.0, which was released earlier this month; among them, the libxl driver now supports the virDomainPMSuspendForDuration and virDomainPMWakeup Application Programming Interfaces (APIs). Compiling the parser generator Bison now requires a C99 compiler with the update of the bison 3.1 package. Other packages updated in the 20181012 snapshot were gpgme 1.12.0, which provided a major overhaul of the Python language bindings documentation, gthumb 3.6.2, libzypp 17.7.2, python-Pillow 5.3.0, snapper 0.6.1, and sqlite3 3.25.2.

Both snapshots are trending a stable rating of 94 or above according to the Tumbleweed snapshot reviewer.

Latest Tumbleweed Snapshot Brings Major Versions of Flatpak, qemu, Thunderbird, Nano

September 14th, 2018 by

Since the last openSUSE Tumbleweed update, three snapshots have been released and the latest snapshot has brought two new major versions of both Flatpak and qemu.

On the heels of the Libre Application Summit last week, which is a conference focusing on sandboxing and application distribution, a new major version of Flatpak was released in Snapshot 20180911. Flatpak 1.0 marks a significant improvement in performance and reliability, and includes a big collection of bug fixes with a collection of new features. Naturally, libostree 2018.8 was updated with Flatpak and added a new feature that provides an auto-update-summary config option for repositories. Full-system emulation with qemu 3.0.0 isn’t necessarily significant. The changelog states not to “read anything into the major version number update. It’s been decided to increase the major version number each year.” Yet there is improved support for nested Kernel-based Virtual Machine (KVM) guests running on Hyper-V. The project did emphasize that ongoing feature deprecation is tracked at both http://wiki.qemu-project.org/Features/LegacyRemoval and in Appendix B of the qemu-doc.* files installed with the qemu package. Mesa 18.1.7 had a handful of fixes and once again added wayland to egl_platforms. The Linux Kernel 4.18.7 added support for Intel Ice Lake microarchitecture in the snapshot. There were several other minor updates in the snapshot, but the nodejs10 update to version 10.9.0 brought a few Common Vulnerabilities and Exposures (CVE) fixes and upgraded dependencies to OpenSSL 1.0.2.

Mozilla Thunderbird also received a major version update this week in snapshot 20180910. Thunderbird 60.0 improved message handling and composing and also provided Internet Message Access Protocol (IMAP) fixes. A list of CVEs was addressed with the update and the email client also added support for OAuth2 and FIDO U2F. Pixel format translation library babl updated its license to LGPL 3.0 with the version update to 0.1.56. The library and command-line tool for transferring data using various protocols known as curl had several changes in version 7.61.1 and now warns the user if a given file name looks like an option. The GNOME Web browser package epiphany 3.28.4 fixes a crash on homedepot.com and improved the performance of adblocker. The 4.18.6 kernel was made available in this snapshot. Text editor nano 3.0 also had a major version update and provided some speed improvements. PDF renderer poppler 0.68.0 added Reason and Location to SignatureInfo. Web developers will be happy to see webkit2gtk3 2.22.0. The updated webkit2gtk3 package provides a new JavaScriptCore GLib application programming interface (API) and added playbin3 support to the GStreamer media backend.


Tumbleweed Snapshots Bring Changes for KVM, QEMU, Xen

August 23rd, 2018 by

Two openSUSE Tumbleweed snapshots were once again released this past week, which included two Linux Kernel updates.

The most recent snapshot, 20180818, updated the kernel to version 4.18.0, which brought many changes for KVM (Kernel-based Virtual Machine). Mozilla Firefox 61.0.2 improved website rendering with the Retained Display List feature enabled and also fixed broken DevTools panels. The ffmpeg 4.0.2 package in the snapshot added conditional package configuration and AOMedia Video 1 (AV1) support. Netfilter project nftables was restored as the default backend with firewalld 0.6.1 and now nftables and iptables can co-exist after a bug fix with the ‘nat’ table from the 4.18 kernel. The Command Line Interface configuration utility for wireless devices known as iw added support in its 4.14 version for all new kernel features of kernel 4.14. The HTTP client/server library for GNOME, libsoup 2.62.3, now uses atomic refcounting in classes that are not using GObject refcounting. The Linux Kernel 4.16 or higher is needed for the strace 4.24 package, which implemented decoding of the KVM vcpu (virtual central processing unit) exit reason as an option, and yast2-http-server 4.1.1 fixed PHP support by dropping php5 and using php7.

The 20180815 Tumbleweed snapshot had the last 4.17 kernel with an update from Kernel 4.17.3 to 4.17.4. The new 7.0.8.9 version of ImageMagick has the XBM coder leave the hex image data uninitialized if the hex value of the pixel is negative. Several fixes were made with btrfsprogs 4.17.1 and an added ability to fix wrong ram_bytes for compressed inline files was also made with the package update in the snapshot. The advanced twin panel file manager for KDE Plasma, krusader 2.7.1, had a few fixes including a fix to the search bar in the application that showed results for a file that was deleted. The qemu 2.12.1 package dropped several patches and the update gave new mitigation functionality for CVE-2018-3639. Caching proxy squid 4.2 provided fixes for GNU Compiler Collection 8 and a missing pointer. There were also several patches in the xen 4.11.0 update for GCC 8 and the yast2-storage-ng 4.1.4 update addressed the partitioner, which now displays Xen virtual partitions and allows users to format and mount them.

Snapshot 20180815 recorded a stable rating of 93 on the snapshot reviewer and 20180818 is currently trending a moderate rating of 86.

Language, Networking Packages Get Updates in Tumbleweed

August 16th, 2018 by

There were two openSUSE Tumbleweed snapshots this past week that mostly focused on language and network packages.

The Linux Kernel also received an update a couple days ago to version 4.17.13.

The packages in the 20180812 Tumbleweed snapshot brought fixes in NetworkManager-applet 1.8.16, which also modernized the package for GTK 3 use in preparation for GTK 4. The free remote desktop protocol client had its third release candidate for freerdp 2.0.0 where it improved automatic reconnects, added Wave2 support and fixed automount issues. More network device card IDs for the Intel 9000 series were added in kernel 4.17.13. A jump from libstorage-ng 4.1.0 to version 4.1.10 brought several translations and added a unit test for probing xen xvd devices. Two Common Vulnerabilities and Exposures fixes were made with the update in postgresql 10.5. Several rubygem packages were updated to versions 5.2.1 including rubygem-rails 5.2.1, which makes the master.key file read-only for the owner upon generation on POSIX-compliant systems. Processing XML and HTML with python-lxml 4.2.4 should have fewer crashes thanks to a fix of sporadic crashes during garbage collection when parse-time schema validation is used and the parser participates in a reference cycle. Several YaST packages received updates including a new ServiceWidget to manage the service status with yast2-ftp-server 4.1.3 as well as with yast2-http-server, yast2-slp-server and yast2-squid 4.1.0 versions.

The snapshot from 20180808 brought the firewalld 0.6.0 version, which switched back to an ‘iptables’ backend as a default; “loads of new services” were added in the newer version including the addition of firewall-config adding an ipv6-icmp to the protocol dropdown box. The Linux Filesystem in Userspace interface, fuse 2.9.8, provided a security update for systems where SELinux is active. The security update stops unprivileged users from specifying the allow_other option even when it was forbidden in /etc/fuse.conf. The snapshot also updated yast2-network 4.1.5, which fixes the networking AutoYaST schema.

Snapshot 20180808 recorded a stable rating of 95 on the snapshot reviewer and 20180812 is trending at a 96 rating.

Tumbleweed Gets Python Setuptools 40.0, New Versions of Frameworks, Applications

July 26th, 2018 by

Several packages were updated in openSUSE Tumbleweed snapshots this week and developers will notice the snapshots are reported to be extremely stable.

Wireshark, sysdig, GNOME’s evolution, KDE’s Frameworks and Applications, Ceph, vim and python-setuptools were just a few of the many packages that arrived in Tumbleweed this week.

Wireshark 2.6.2 received several Common Vulnerabilities and Exposures (CVE) updates in snapshot 20180723, which included an HTTP2 dissector crash. The sysdig tool for deep system visibility with native support for containers had a minor update to 0.22.0 and added support for additional custom container types alongside Docker. Configurable text editor vim was updated to version 8.1.0200 and poppler 0.66.0 fixed compilations with some strict compilers when rendering PDFs. Google’s RE2 package, which is a fast, safe, thread-friendly alternative to backtracking regular expression engines like those used in PCRE, Perl, and Python, simplified the spec file and fixed a Deterministic Finite Automaton (DFA) out of memory error. Cups-filters 1.20.4 made some ipp and ipps changes and also removed support for hardware-implemented reversing of page order in PostScript printers for some rare printers.

Tumbleweed Starts Week with Plasma, DigiKam Updates

April 6th, 2018 by

KDE’s newest point version of Plasma 5.12.4 was released in the first of five openSUSE Tumbleweed snapshots that were released this week.

The most recent snapshot was 20180403 and it included several updates for gstreamer 1.12.5 packages. Multiple bugs were fixed for gstreamer-editing-services, gstreamer-plugins-libav and gstreamer-validate. The gstreamer-rtsp-server package update to 1.12.5 had to drop the pkgconfig(libcgroup) because of a clash with systemd that causes bug reports. The Lightweight Directory Access Protocol, openldap2 version 2.4.46, fixed a Transport Layer Security connection timeout and removed obsolete back-port patches. The python-cryptography package was updated from version 2.1.4 to 2.2.1 and allows for the loading of Digital Signature Algorithm keys with 224 bit q size. The snapshot is currently trending at a 91 rating on the rating tool.

The 1.12.5 gstreamer package arrived in snapshot 20180402. The new gstreamer package, which constructs the graphs of media-handling components, fixes the handling of encoded silence, the tagging of keyframes on output buffers and updates the internal copy to ffmpeg 3.3.6. The Generic Graphics Library gegl 0.3.30 now has a build requirement of GIMP 2.10.0 and had some complex changes in the NEWS file.

Snapshot 20180401 added Application Programming Interface support for Microsoft’s .NET 4.7.1 with the update of the mono-core package to version 5.8.1, and snapshot 20180331 updated Mozilla Firefox to version 59.0.2. The new version of Firefox fixed more than a handful of bugs, added a couple of patches and a fix for Common Vulnerabilities and Exposures CVE-2018-5148.


Tumbleweed Has Updates for Frameworks, Applications, Plasma

February 22nd, 2018 by

There were plenty of updated packages in openSUSE Tumbleweed this week and KDE updates were made available for Frameworks, Applications and Plasma.

While the most recent snapshot didn’t include an update of a KDE package, four out of the six snapshots this week did.

Snapshot 20180220 brought a few lesser known packages. The C library for asynchronous DNS requests known as c-ares updated to version 1.14.0. The c-ares update provided a patch for Common Vulnerabilities and Exposures (CVE)-2017-1000381 to protect against a network attack. The image viewer Eye of GNOME updated translations with the eog-plugins 3.26.2. The Xfce library targeted at application development known as Exo now has version 0.12.0, which was released from upstream six days before being released in this 20180220 snapshot. The requirements were updated for exo 0.12.0 and they include GTK 2.24, GTK 3.22, GLib 2.42, libxfce4ui 4.12 and libxfce4util 4.12. Developers looking to generate random numbers will find the update of the haveged 1.9.2 package. The Haveged package contains a daemon that generates an unpredictable stream of random numbers and feeds the /dev/random device.

Linux Kernel 4.15.4 provided a fix to auto-negotiate security settings mismatches in the 20180219 snapshot. Issues with AppStream required appstream-glib to revert from version 0.7.5 back to 0.7.4. The snapshot brought the first point release for KDE’s Long Term Support release of Plasma 5.12. The Plasma 5.12.1 version fixed several bugs including a fix for the mouse settings module that was crashing on Wayland.


Freetype, Flatpak, Sysdig Receive Updates in Tumbleweed

February 15th, 2018 by

The streak of six Tumbleweed snapshots continued this week as openSUSE’s rolling release has provided a consistent release of six snapshots per week this year.

There were hundreds of packages updated this week and sysdig, Freetype and Flatpak were just a few of the many packages to receive an updated version.

At the time of publishing this article, snapshot 20180213 was the most recent snapshot released. Mozilla Firefox 58.0.2 fixed a tab crash during printing. The package yast2-ca-management was dropped with the autoyast2 4.0.31 update. A new set of functions that allow 64-bit offsets even on 32-bit systems is now available with cryptsetup 2.0.1, which is a user-space utility for dealing with the DMCrypt kernel module for setting up encrypted disk volumes. Cryptsetup also increased the maximum allowed Password-Based Key Derivation Function 2 (PBKDF) memory-cost limit to 4 GiB. Another notable package in the snapshot was the update of the Ruby debugger package rubygem-byebug 10.0.0, which added Ruby 2.5.0 support and fixed a remote server crash when interrupting a client.

KDE Applications 17.12.2 was made available in the 20180212 snapshot; about 20 recorded bugfixes include improvements to Kontact, Dolphin, Gwenview, KGet and Okular. View the changelog for a full list of changes and fixes for Applications 17.12.2. Flatpak 0.10.3 fixed a vulnerability in the dbus proxy and updated a Polish translation. Position Independent Executables improvements were made with Snappy 1.1.7 as well as improvements to CMake build support for 64-bit Linux distributions. Support for the USB 3.1 SuperSpeedPlus device capability was also made available in the snapshot with the usbutils 009 package. There were also several YaST package updates.


Plasma 5.11, GNOME 3.26.1 Land in Tumbleweed

October 12th, 2017 by

The week has been pretty exciting for desktop enthusiasts running openSUSE Tumbleweed since two of this week’s snapshots delivered new versions of GNOME and KDE respectively.

Snapshot 20171010, which is the most recent release, fixed numerous memory leaks with ImageMagick 7.0.7.6 and apache 2.4.28 fixed Optionsbleed or Common Vulnerabilities and Exposures (CVE)-2017-9798, which allows remote attackers to read secret data from process memory. Cmake 3.9.4 added support for Boost 1.65.0 and 1.65.1 and hplip 3.17.9 added support for several new printers. New features were added for the Quick Emulator (QEMU) with the new libvirt 3.8.0 version. Two major version updates were also available in the snapshot; some targets may rebuild when upgrading with the software construction tool SCons 3.0.0 and the memory allocator Jemalloc 5.0.1 added several improvements and new features including the addition of mutex profiling, which collects a variety of statistics useful for diagnosing overhead/contention issues.

Tumbleweed KDE users saw Plasma 5.11 make its way into snapshot 20171009 less than 24 hours after the official upstream release. The new Plasma 5.11 brings a redesigned settings app, improved notifications and a more powerful task manager. The release is the first release to contain the new “Vault”, a system to allow the user to encrypt and open sets of documents in a secure and user-friendly way. Several CVE fixes were made with the update of Mozilla Firefox 56.0, but users should be aware that Firefox has no 32-bit builds for the application. The Linux Kernel was also upgraded to version 4.13.5 in the snapshot.

Several libraries and XFCE plugins were updated in the 20171007 snapshot and Mesa 17.2.2 had several Vulkan ANV/RADV driver fixes. Support for LLVM 5.0 for the Gallium3D architecture when using SCons was also added with the new Mesa version. YaST 4.0.10 fixed the handling of Pretty Good Privacy (PGP) signatures when running in insecure mode.

Tumbleweed Goes Astronomical

October 5th, 2017 by

Astronomers using openSUSE Tumbleweed received some major software enhancements in a snapshot this week and the four snapshots released also addressed some architecture issues and critical bug fixes.

The snapshots also brought new versions of the Linux Kernel, git, GNU Compiler Collection and mpg123.

The most recent snapshot to be released, snapshot 20171001, provided an update to the programming tool binutils 2.29.1. An update of the branch head of GNU Compiler Collection 7 disabled a patch to verify a test case. The network authentication protocol krb5 1.15.2 fixed a Key Distribution Center (KDC) Denial of Service (DoS) vulnerability caused by unset status strings; Common Vulnerabilities and Exposures (CVE-2017-11368).

Snapshot 20170929 updated ImageMagick 7.0.7.4 and fixed numerous memory leaks. The Linux Kernel was updated to version 4.13.4 and made several changes, which included fixes for PowerPC and S390. The KBD Project, which offers the package that helps with managing the Linux console, virtual terminals, keyboards and more, received an update to kbd 2.0.4. Git 2.14.2 provided various fixes for output correctness. An updated version of the Router Advertisement Daemon to radvd 2.17 added a systemd service file. Several bugs were fixed with the update of php7 7.1.10 including bug 75093 that affected curl detection for OpenSSL, which was not detected. A proper fix for the xrpnt overflow problems was made for the MPEG Audio Player and decoder library mpg123 with version 1.25.7.
