
Posts Tagged ‘CVE’

Tumbleweed Rolls with Package Updates of Git, Virtualbox, OpenSSH

December 6th, 2018 by

openSUSE’s rolling release Tumbleweed had a total of five snapshots this week and is preparing for an update to the KDE Plasma 5.14.4 packages in forthcoming snapshots.

The five Tumbleweed snapshots this week brought the 5.19.5 Linux Kernel, which was the only package updated in the 20181130 snapshot. The kernel-source 4.19.5 package added a force option for the pciserial device for x86 architecture and fixed HiperSockets sniffer for s390 architecture.

The most recently released snapshot, 20181204, had more than a dozen packages updated. GNOME’s application for managing Flickr image hosting accounts, frogr 1.5, fixed issues with the content and installation of the AppData file and moved the functionality menu. GNOME’s goffice had a version bump to 0.10.44. Various rubygem packages were updated, and the most significant change among the packages was that rubygem-pry 0.12.2 dropped support for Rubinius. Both python-boto3 1.9.57 and python-botocore 1.12.57 had multiple application programming interface (API) changes. The obs-service-set_version 0.5.11 package needed “python suff” and now allows running tests with python3.

The first snapshot to arrive in December was snapshot 20181203. Among the package changes were an update to checkmedia 4.1, which fixed digest calculation in tagmedia, GNOME’s framework for media discovery grilo 0.3.7, and distributed compiler icecream 1.2, which made load calculations better and also cleaned up the general code. A python-docutils build dependency was added with cifs-utils 6.8, and elfutils 0.175 fixed three Common Vulnerabilities and Exposures issues. Major changes came with the man 2.8.4 package. One of the changes relies on decompressors reading from their standard input rather than redundantly passing them the input file on their command line; this works better with downstream AppArmor confinement of decompressors. Virtualbox 5.2.22 fixed a regression in the Core Audio backend causing a hang when returning from host sleep when processing input buffers, and webkit2gtk3 2.22.4 fixed several crashes and rendering issues and fixed a crash when using graphics library Cairo versions between 1.15 and 1.16.0.


Thunderbird, YaST, Sudo Updates Arrive in Tumbleweed

November 29th, 2018 by

Three openSUSE Tumbleweed snapshots were released since the last blog.

The three Tumbleweed snapshots this week brought a newer Linux Kernel, several rubygem package updates and improvements for an Xfce support library.

Snapshot 20181126 brought the 4.19.4 Linux Kernel, which fixed accelerated VLAN handling and fixed a memory leak with the Nouveau secure boot. Yet another Setup Tool (YaST) had some updates with yast2-fonts 4.0.2, which changes the desktop file fonts to system-wide fonts, and multiple translations were also updated with the yast2-trans package. The support library for the Xfce desktop environment, exo, updated to version 0.12.3; it improved layout spacing and alignment and hides the exo launchers from GNOME Software. The cross-platform Integrated Development Environment package, kdevelop5 5.3.0, brought improved language support for php, python and c++; it also offers a new clazy analyzer plugin. Multiple other libraries were updated including libjansson 2.11, libsemanage 2.8, libsepol 2.8, libzypp 17.9.0 and more. Several rubygem packages were updated in the snapshot, and rubygem-bundler 1.17.1 had a significant amount of additions and improvements, including an added config option to disable platform warnings. The mailutils 3.5 package for the handling of email fixed a bug in the base64 encoder. Parser generator bison 3.2.2 brought massive improvements to the deterministic C++ skeleton, lalr1.cc, and the library for manipulation of TIFF images, tiff 4.0.10, added a few patches that address the 10 Common Vulnerabilities and Exposures (CVE) patches that were removed.

Eight packages were updated in the 20181122 snapshot; three of them were YaST associated packages like yast2-ntp-client 4.1.6, which aligned a “Synchronize Now” button and “NTP Server Address” box, which doesn’t break the previous fix and does not hide the manual checkbox in TextMode. The fourth release candidate of the free implementation of the Remote Desktop Protocol (RDP), freerdp 2.0.0, added support to set the Transport Layer Security (TLS) security level for openssl 1.1.0 and also added smartcard support for substring filters. Sudo now treats the LOGNAME and USER environment variables (as well as the LOGIN variable on AIX) as a single unit with the update to sudo 1.8.26, which also added support for the OpenLDAP TLS_REQCERT setting in the ldap.conf. The xapian-core 1.4.9 package fixed a bug to efficiently handle insertion of a batch of extra positions in ascending order, which could lead to missing positions and corrupted encoded positional data, according to the changelog.


Tumbleweed Gets New Versions of KDE Applications, Krita, Apache Subversion

October 19th, 2018 by

Since last week’s openSUSE Tumbleweed update, there were two snapshots released that brought KDE users a newer version of Applications 18.08.2 and all Tumbleweed users could update to Linux Kernel 4.18.13.

Last week brought newer versions of KDE’s Plasma 5.14 and Frameworks 5.50.0, and this week the arrival of Applications 18.08.2 came in snapshot 20181015. Applications 18.08.2 contained only bug fixes and translation updates. Among the key bug fixes was the dragging of a file in Dolphin that no longer accidentally triggers inline renaming; KCalc again allows both ‘dot’ and ‘comma’ keys when entering decimals and a visual glitch in the Paris card deck for KDE’s card games was fixed. Snapshot 20181015 had a few other updated packages like the open source painting program krita 4.1.5, which fixed a missing shortcut from the Fill Tool tooltip and changed the importing of SVG files to vector layers instead of pixel layers. The ibus-table 1.9.21 update, which is an engine framework for table-based input methods, migrated IBusConfig to GSettings; non-gnome users have a Draw InputMode text instead of icon into panel. The 4.18.13 Linux Kernel was also included in the snapshot and fixed an unexpected failure of nocow buffered writes for Btrfs after snapshotting when a user is low on space; the newer kernel also added support for Apple Magic Keyboards. Python-jedi 0.13.1 removed Python 3.3 support. The Apache version-control package subversion 1.10.3 fixed conflict resolver crashes and endless scan in some cases.

Snapshot 20181012 brought several new packages including an update of Mozilla Thunderbird 60.2.1. The email client has some calendar changes and security fixes, including a fix of CVE-2018-12383 that is related to stored passwords. The open-source audio platform audacity 2.3.0 was updated in the snapshot and it now has the ability to resize the toolbars controlling volume and speed for greater precision. Gstreamer and several of its plugins were updated to version 1.14.4, which added functionality needed for Mean Squared Error (MSE) use case fixing YouTube playback in epiphany/webkit-gtk. There were many incremental improvements and bug fixes with libvirt 4.8.0, which was released earlier this month; among them, the libxl driver now supports the virDomainPMSuspendForDuration and virDomainPMWakeup Application Programming Interfaces (APIs). Compiling parser generator Bison now requires a C99 compiler with the update of the bison 3.1 package. Other packages updated in the 20181012 snapshot were gpgme 1.12.0, which provided a major overhaul of the Python language bindings documentation, gthumb 3.6.2, libzypp 17.7.2, python-Pillow 5.3.0, snapper 0.6.1, and sqlite3 3.25.2.

Both snapshots are trending a stable rating of 94 or above according to the Tumbleweed snapshot reviewer.

Latest Tumbleweed Snapshot Brings Major Versions of Flatpak, qemu, Thunderbird, Nano

September 14th, 2018 by

Since the last openSUSE Tumbleweed update, three snapshots have been released and the latest snapshot has brought two new major versions of both Flatpak and qemu.

On the heels of the Libre Application Summit last week, which is a conference focusing on sandboxing and application distribution, a new major version of Flatpak was released in Snapshot 20180911. Flatpak 1.0 marks a significant improvement in performance and reliability, and includes a big collection of bug fixes with a collection of new features. Naturally, libostree 2018.8 was updated with Flatpak and added a new feature that provides an auto-update-summary config option for repositories. Full-system emulation with qemu 3.0.0 isn’t necessarily significant. The changelog states not to “read anything into the major version number update. It’s been decided to increase the major version number each year.” Yet there is improved support for nested Kernel-based Virtual Machine (KVM) guests running on Hyper-V. The project did emphasize that ongoing feature deprecation is tracked at both http://wiki.qemu-project.org/Features/LegacyRemoval and in Appendix B of the qemu-doc.* files installed with the qemu package. Mesa 18.1.7 had a handful of fixes and once again added wayland to egl_platforms. The Linux Kernel 4.18.7 added support for Intel Ice Lake microarchitecture in the snapshot. There were several other minor updates in the snapshot, but the nodejs10 update to version 10.9.0 brought a few Common Vulnerabilities and Exposures (CVE) fixes and upgraded dependencies to OpenSSL 1.0.2.

Mozilla Thunderbird also received a major version update this week in snapshot 20180910. Thunderbird 60.0 improved message handling and composing and also provided Internet Message Access Protocol (IMAP) fixes. A list of CVEs was addressed with the update and the email client also added support for OAuth2 and FIDO U2F. Pixel format translation library babl updated its license to LGPL 3.0 with the version update to 0.1.56. The library and command-line tool for transferring data using various protocols known as curl had several changes in version 7.61.1 and now warns the user if a given file name looks like an option. The GNOME Web browser package epiphany 3.28.4 fixed a crash on homedepot.com and improved the performance of adblocker. The 4.18.6 kernel was made available in this snapshot. Text editor nano 3.0 also had a major version update and provided some speed improvements. PDF renderer poppler 0.68.0 added Reason and Location to SignatureInfo. Web developers will be happy to see webkit2gtk3 2.22.0. The updated webkit2gtk3 package provides a new JavaScriptCore GLib application programming interface (API) and added playbin3 support to GStreamer media backend.


Tumbleweed Snapshots Bring Changes for KVM, QEMU, Xen

August 23rd, 2018 by

Two openSUSE Tumbleweed snapshots were once again released this past week, which included two Linux Kernel updates.

The most recent snapshot, 20180818, updated the kernel to version 4.18.0, which brought many changes for KVM (Kernel-based Virtual Machine). Mozilla Firefox 61.0.2 improved website rendering with the Retained Display List feature enabled and also fixed broken DevTools panels. The ffmpeg 4.0.2 package in the snapshot added conditional package configuration and AOMedia Video 1 (AV1) support. Netfilter project nftables was restored as the default backend with firewalld 0.6.1, and now nftables and iptables can co-exist after a bug fix with the ‘nat’ table from the 4.18 kernel. The Command Line Interface configuration utility for wireless devices known as iw added support in its 4.14 version for all new kernel features of kernel 4.14. The HTTP client/server library for GNOME, libsoup 2.62.3, now uses atomic refcounting in classes that are not using GObject-refcounting. The Linux Kernel 4.16 or higher is needed for the strace 4.24 package, which implemented decoding of KVM vcpu (virtual central processing unit) exit reason as an option, and yast2-http-server 4.1.1 fixed PHP support by dropping php5 and using php7.

The 20180815 Tumbleweed snapshot had the last 4.17 kernel with an update from Kernel 4.17.3 to 4.17.4. The new version of ImageMagick has the XBM coder leave the hex image data uninitialized if the hex value of the pixel is negative. Several fixes were made with btrfsprogs 4.17.1, and an added ability to fix wrong ram_bytes for compressed inline files was also made with the package update in the snapshot. The advanced twin panel file manager for KDE Plasma, krusader 2.7.1, had a few fixes including a fix to the search bar in the application that showed results for a file that was deleted. The qemu 2.12.1 package dropped several patches and the update gave new mitigation functionality for CVE-2018-3639. Caching proxy squid 4.2 provided fixes for GNU Compiler Collection 8 and a missing pointer. There were also several patches in the xen 4.11.0 update for GCC 8, and the yast2-storage-ng 4.1.4 update addressed the partitioner, which now displays Xen virtual partitions and allows users to format and mount them.

Snapshot 20180815 recorded a stable rating of 93 on the snapshot reviewer and 20180818 is currently trending a moderate rating of 86.

Language, Networking Packages Get Updates in Tumbleweed

August 16th, 2018 by

There were two openSUSE Tumbleweed snapshots this past week that mostly focused on language and network packages.

The Linux Kernel also received an update a couple days ago to version 4.17.13.

The packages in the 20180812 Tumbleweed snapshot brought fixes in NetworkManager-applet 1.8.16, which also modernized the package for GTK 3 use in preparation for GTK 4. The free remote desktop protocol client had its third release candidate for freerdp 2.0.0, where it improved automatic reconnects, added Wave2 support and fixed automount issues. More network device card IDs for the Intel 9000 series were added in kernel 4.17.13. A jump from libstorage-ng 4.1.0 to version 4.1.10 brought several translations and added a unit test for probing xen xvd devices. Two Common Vulnerabilities and Exposures fixes were made with the update in postgresql 10.5. Several rubygem packages were updated to versions 5.2.1 including rubygem-rails 5.2.1, which makes the master.key file read-only for the owner upon generation on POSIX-compliant systems. Processing XML and HTML with python-lxml 4.2.4 should have fewer crashes thanks to a fix of sporadic crashes during garbage collection when parse-time schema validation is used and the parser participates in a reference cycle. Several YaST packages received updates including a new ServiceWidget to manage the service status with yast2-ftp-server 4.1.3 as well as with yast2-http-server, yast2-slp-server and yast2-squid 4.1.0 versions.

The snapshot from 20180808 brought the firewalld 0.6.0 version, which switched back to an ‘iptables’ backend as a default; “loads of new services” were added in the newer version, including the addition of firewall-config adding an ipv6-icmp to the protocol dropdown box. The Linux Filesystem in Userspace interface, fuse 2.9.8, provided a security update for systems where SELinux is active. The security update stops unprivileged users from specifying the allow_other option even when it was forbidden in the /etc/fuse.conf. The snapshot also updated yast2-network 4.1.5, which fixes the networking AutoYaST schema.

Snapshot 20180808 recorded a stable rating of 95 on the snapshot reviewer and 20180812 is trending at a 96 rating.

Tumbleweed Gets Python Setuptools 40.0, New Versions of Frameworks, Applications

July 26th, 2018 by

Several packages were updated in openSUSE Tumbleweed snapshots this week and developers will notice the snapshots are reported to be extremely stable.

Wireshark, sysdig, GNOME’s evolution, KDE’s Frameworks and Applications, Ceph, vim and python-setuptools were just a few of the many packages that arrived in Tumbleweed this week.

Wireshark 2.6.2 received several Common Vulnerabilities and Exposures (CVE) updates in snapshot 20180723, which included an HTTP2 dissector crash. The sysdig tool for deep system visibility with native support for containers had a minor update to 0.22.0 and added support for additional custom container types alongside Docker. Configurable text editor vim was updated to version 8.1.0200 and poppler 0.66.0 fixed compilations with some strict compilers when rendering PDFs. Google’s RE2 package, which is a fast, safe, thread-friendly alternative to backtracking regular expression engines like those used in PCRE, Perl, and Python, simplified the spec file and fixed a Deterministic Finite Automaton (DFA) out of memory error. Cups-filters 1.20.4 made some ipp and ipps changes and also removed support for hardware-implemented reversing of page order in PostScript printers for some rare printers.

Tumbleweed Starts Week with Plasma, DigiKam Updates

April 6th, 2018 by

KDE’s newest point version of Plasma 5.12.4 was released in the first of five openSUSE Tumbleweed snapshots that were released this week.

The most recent snapshot was 20180403 and it included several updates for gstreamer 1.12.5 packages. Multiple bugs were fixed for gstreamer-editing-services, gstreamer-plugins-libav and gstreamer-validate. The gstreamer-rtsp-server package update to 1.12.5 had to drop the pkgconfig(libcgroup) because of a clash with systemd that causes bug reports. The Lightweight Directory Access Protocol, openldap2 version 2.4.46, fixed a Transport Layer Security connection timeout and removed obsolete back-port patches. The python-cryptography package updated from version 2.1.4 to 2.2.1 and allows for the loading of Digital Signature Algorithm Keys with 224 bit q size. The snapshot is currently trending at a 91 rating on the rating tool.

The 1.12.5 gstreamer package arrived in snapshot 20180402. The new gstreamer package, which constructs the graphs of media-handling components, fixes the handling of encoded silence, the tagging of keyframes on output buffers and updates the internal copy to ffmpeg 3.3.6. The Generic Graphics Library gegl 0.3.30 now has a build requirement of GIMP 2.10.0 and had some complex changes in the NEWS file.

Snapshot 20180401 added Application Programming Interface support for Microsoft’s .NET 4.7.1 with the update of the mono-core package to version 5.8.1, and snapshot 20180331 updated Mozilla Firefox to version 59.0.2. The new version of Firefox fixed more than a handful of bugs, added a couple of patches and addressed Common Vulnerabilities and Exposures CVE-2018-5148.


Tumbleweed Has Updates for Frameworks, Applications, Plasma

February 22nd, 2018 by

There were plenty of updated packages in openSUSE Tumbleweed this week and KDE updates were made available for Frameworks, Applications and Plasma.

While the most recent snapshot didn’t include an update of a KDE package, four out of the six snapshots this week did.

Snapshot 20180220 brought a few lesser known packages. The C library for asynchronous DNS requests known as c-ares updated to version 1.14.0. The c-ares update provided a patch for Common Vulnerabilities and Exposures (CVE) issue CVE-2017-1000381 to protect against a network attack. The image viewer Eye of GNOME updated translations with the eog-plugins 3.26.2. The Xfce library targeted at application development known as Exo now has version 0.12.0, which was released from upstream six days before being released in this 20180220 snapshot. The requirements were updated for exo 0.12.0 and they include GTK 2.24, GTK 3.22, GLib 2.42, libxfce4ui 4.12 and libxfce4util 4.12. Developers looking to generate random numbers will find the update of the haveged 1.9.2 package. The Haveged package contains a daemon that generates an unpredictable stream of random numbers and feeds the /dev/random device.

Linux Kernel 4.15.4 provided a fix to auto-negotiate security settings mismatches in the 20180219 snapshot. Issues with AppStream required appstream-glib to revert from version 0.7.5 back to 0.7.4. The snapshot brought the first point release for KDE’s Long Term Support release of Plasma 5.12. The Plasma 5.12.1 version fixed several bugs including a fix for the mouse settings module that was crashing on Wayland.