
Posts Tagged ‘CVE’

MariaDB, VLC, Poppler, Apache Packages Update in Tumbleweed

August 29th, 2019 by

There have been three openSUSE Tumbleweed snapshots released this week.

The snapshots brought new versions of VLC, Apache and Poppler and an update of the Linux Kernel.

Snapshot 20190824 delivered, with the update to ImageMagick 7.0.8.61, a fix for the swirl option, which had produced an unexpected result. Improved adaptive streaming and a fix for stuttering in low-framerate videos became available in VLC 3.0.8; 13 issues, including 5 buffer overflows, were fixed, and 11 Common Vulnerabilities and Exposures (CVE) were assigned and addressed in that media player version. More than a handful of CVEs were addressed with the apache2 2.4.41 update. One of them allowed a malicious client to perform a Denial of Service (DoS) attack by flooding a connection with requests while basically never reading the responses on the TCP connection. The new version also improves the balancer-manager protection against XSS/XSRF attacks from trusted users. The x86 emulation library fixed a compiler warning in its 2.4 version, and the X11 RandR utility xrandr 1.5.1 updated configure.ac for the gitlab migration. The snapshot is trending at a rating of 86, according to the Tumbleweed snapshot reviewer.

The HP Linux Imaging and Printing package hplip 3.19.6, released in snapshot 20190823, added support for several new color and enterprise printers. The Linux Kernel was updated to version 5.2.9 and offered more than a handful of commits for the Direct Rendering Manager for AMD hardware, as well as fixes for some memory leak bugs related to the Advanced Linux Sound Architecture (ALSA). The utility library for rendering PDFs, poppler, fixed some memory allocation in the PostScriptFunction with version 0.79.0; the version also fixed regressions in TextSelectionPainter. Minor updates were also made in the snapshot for xfce4-settings 4.14.1, and yast2-fonts 4.2.1, yast2-instserver 4.2.3 and yast2-support 4.2.2 all had changes related to a newer Ruby version. The snapshot is trending at a rating of 84, according to the Tumbleweed snapshot reviewer.

The first snapshot of the week, 20190822, updated five packages. MariaDB’s 10.3.17 package had the most changes in the snapshot: it merged relevant storage engine changes from MySQL 5.7.27 and provided five CVE fixes. Small bug fixes and fuzzer fixes were made to libetonyek 0.1.9. GNOME’s photo manager shotwell 0.30.7 fixed compatibility with version 0.46 of the Vala programming language. The other two package updates were libsrtp2 2.2.0 and rubygem-sassc 2.1.0. The snapshot recorded a rating of 78, according to the Tumbleweed snapshot reviewer.

Mesa, ImageMagick, Plasma, Frameworks Update in Tumbleweed

August 1st, 2019 by

There have been three openSUSE Tumbleweed snapshots released since last week.

The snapshots brought a single major version update and new versions of KDE’s Plasma and Frameworks.

ImageMagick 7.0.8.56 arrived in snapshot 20190730 and added support for the TIM2 image format, which is commonly used in PlayStation 2 and sometimes in PlayStation Portable games. The snapshot also delivered an update of the Mesa 3D Graphics Library to version 19.1.3, which mostly provided fixes for the ANV and RADV drivers as well as NIR backend fixes. File searching tool catfish 1.4.8 provided some fixes for directories and a fix for running on Wayland. The GNU Compiler Collection 7 added a patch and a fix for the Link Time Optimization (LTO) linker plugin. glu 9.0.1, the OpenGL Utility library for Mesa, fixed a possible memory leak. The Linux Kernel was updated to 5.2.3; the new version made a few fixes for PowerPC and added Bluetooth support for some new devices. Several Python packages were updated in the snapshot. LLVM tools and libraries were updated in Tumbleweed with llvm8 8.0.1, but the changelog states not to run the LLVM tests on PowerPC because of sporadic hangs. openvpn 2.4.7 added support for the tls-ciphersuites option, which selects the cipher suites used for TLS 1.3, and updated openvpn.keyring with the public key downloaded from https://swupdate.openvpn.net/community/keys/security-key-2019.asc. A lengthy list of fixes was made to the VIM text editor in version 8.1.1741. Other packages updated in the snapshot were ucode-intel 20190618, xapps 1.4.8, ypbind 2.6.1 and zstd 1.4.1. The snapshot is trending as moderately stable with a rating of 79, according to the Tumbleweed snapshot reviewer.

KDE’s Frameworks and Plasma were updated in the 20190726 snapshot. Frameworks 5.60.0 had multiple fixes for KTextEditor, KWayland, KIO and Baloo. The new version requires Qt 5.11 now that Qt 5.13 has been released. Plasma 5.16.3 adds new translations and fixes, including a fix for compilation without libinput and an improved appearance and reduced memory consumption for Plasma Audio Volume Control. There was a major version update of checkmedia to version 5.2, which fixed a compatibility issue with older GCC. The new major version also allows setting a specific GPG key for signature verification. GNOME’s bijiben updated to version 3.32.2, and the update of curl 7.65.3 fixed several bugs and makes the progress meter appear again. A Common Vulnerabilities and Exposures (CVE) issue that could allow remote attackers to execute other programs with root privileges was fixed in the message transfer agent exim 4.92.1. java-11-openjdk 11.0.4.0 also fixed several CVEs and cleaned up the sources and code. Phonon, the multimedia Application Programming Interface (API) for KDE, removed Q_FOREACH from its headers when building for Qt 5 in version 4.10.3. The snapshot is trending as moderately stable with a rating of 76, according to the Tumbleweed snapshot reviewer.

Snapshot 20190724 had just three packages updated. GCC 9 received a small update that included a fix for OpenCV 3 builds with LTO and a fix for vector shift mis-compilation on IBM’s s390 architecture. The update of osc 0.165.3 fixed broken TLS certificate handling, and ristretto, a fast and lightweight image viewer for the Xfce desktop, added support for the Canon CR2 format and improved the “Sorting” menu with the 0.8.5 version update. The snapshot posted a moderately stable rating of 72, according to the Tumbleweed snapshot reviewer.

GNOME Packages, More Updated in Tumbleweed This Week

July 25th, 2019 by

Two openSUSE Tumbleweed snapshots have been released since our last Tumbleweed update on Saturday.

The most recent snapshot, 20190723, updated Mozilla Firefox to version 68.0.1. The browser fixed the missing full-screen button when watching videos in full-screen mode on HBO GO. The new 68 version enhanced the Dark Mode reader view to also darken the controls, sidebars and toolbars. It also addressed several Common Vulnerabilities and Exposures (CVE). The snapshot provided an update to GNOME 3.32.4, which fixed an issue that led to some packages with multiple appdata files not showing up correctly on the updates page. The Guile programming language package update to 2.2.6 fixed a regression introduced in the previous version that broke the locale encoding of HTTP servers. Hardware library hwinfo 21.67 fixed Direct Access Storage Device (DASD) detection. A major 7.0 version of hylafax+ arrived in the snapshot. The Linux Kernel brought several new features with the 5.2.1 kernel and enhanced security for a hardware vulnerability affecting Intel processors. The open-source painting program Krita 4.2.3 offered a variety of fixes, including a copy-and-paste fix for animation frames. A few libraries like libgphoto2, libuv and libva received updates. There were also several Perl and Rubygem packages that were updated in the snapshot. The file manager for the Xfce Desktop Environment, thunar 1.8.8, fixed the XML declaration in uca.xml, and the 2.15 transactional-update package enables the network during updates and allows updating the bootloader on EFI systems. The snapshot is currently trending at a 93 rating, according to the Tumbleweed snapshot reviewer.

Among the top packages to update in snapshot 20190721 were gnome-builder 3.32.4, wireshark 3.0.3 and an update for GNU Compiler Collection 9. GNOME Builder fixed the initial selection in project-tree popovers, Wireshark fixed CVE-2019-13619 and GCC 9 added a patch to provide more stable builds for single-value counters. The dracut package updated from 044.2 to 049; this update removed several patches and added support for compressed kernel modules. The Distributed Replicated Block Device (drbd) 9.0.19 package fixed a resync that got stuck near completion and introduced the allow-remote-read configuration option. GNOME’s personal information management application evolution updated to version 3.32.4, which added an [ECompEditor] change to ensure attendee changes are stored before saving. GNOME’s Grilo, a framework focused on making media discovery and browsing easy for application developers, updated to 0.3.9 and fixed core keys extraction. GNOME’s Virtual file system (gvfs) and the Vala programming language were updated to versions 1.40.2 and 0.44.6 respectively. Krita was also updated in this snapshot. The 0.5.1 version of python-parso fixed some Unicode identifiers that were not correctly tokenized. The snapshot is currently trending at a 90 rating, according to the Tumbleweed snapshot reviewer.

KDE Applications, Squid, SQLite, VIM Update in Tumbleweed

July 20th, 2019 by

Three openSUSE Tumbleweed snapshots in the middle of this week brought new minor version updates to ImageMagick, Squid, SQLite, VIM and more. The new KDE Applications 19.04.3 version arrived in the first two snapshots.

The more recent snapshot, 20190718, brought a half-dozen package updates, including a fix of the Unicode Character Database (UCD) script data for Unicode 10+ scripts in the OpenType text shaping engine package harfbuzz 2.5.3. A two-year-old Common Vulnerabilities and Exposures (CVE) issue was fixed with the update of libpng12 1.2.59. The tool that cleans RPM spec files, spec-cleaner 1.1.4, added a temporary patch to fix a test that fails if there is no internet connection. Caching proxy squid 4.8 fixed GNU Compiler Collection (GCC) 9 build issues and added a fix for parameter parsing that could be used for a potential Denial of Service (DoS). RISC-V support was added with the virt-manager 2.2.1 update, and xclock 1.0.9 was also updated in the snapshot, which is trending at a 97 rating, according to the Tumbleweed snapshot reviewer.

Updates for KDE Applications 19.04.3 were completed in snapshot 20190717. More than 60 bugfixes were made, and improvements were made to Konqueror and Kontact so there is no longer a crash on exit with QtWebEngine 5.13. Cutting groups with compositions no longer crashes the Kdenlive video editor, and the Python importer in Umbrello’s Unified Modeling Language (UML) designer now handles parameters with default arguments. ImageMagick fixed a parsing issue and optimized the PDF reader with the 7.0.8.53 update. GNOME’s hex editor ghex 3.18.4 migrated the build system to meson and added Open Age Ratings Service (OARS) metadata. The kernel-firmware package was updated in the snapshot. The newer php7 7.3.7 provided more than a dozen bug fixes, including a fix for reproducible builds that failed with OpenSSL 1.1.1c. The update of text editor vim from version 8.1.1600 to 8.1.1694 provided a large number of fixes, including one for tests that got stuck when running into an existing swap file. The snapshot is also trending at a 97 rating, according to the Tumbleweed snapshot reviewer.

Snapshot 20190716 started updating KDE Applications 19.04.3 and brought users of the rolling release 10 CVE fixes for Mozilla Thunderbird 60.8.0; the updated version also fixed problems when editing event times related to the AM/PM setting in non-English locales. The update to Ceph in the snapshot removed SuSEfirewall2 support. The update of gpg2 2.2.17 provided a new --locate-external-key command to locate the keys given as arguments. LibreOffice 6.2.5.2 removed some merged patches. Relational database management system sqlite3 3.29.0 added the “sqlite_dbdata” virtual table for extracting raw low-level content from an SQLite database, including one that is corrupt. The new major version of xreader 2.2.1 fixed incompatible pointer type issues, and the Linux syscall tracer strace 5.2 enhanced decoding of the bpf, clone, inotify_init, mbind and set_mempolicy syscalls. Other packages that received updates were python-qt5 5.13.0, python-sip 4.19.18 and rubygem-coffee-rails 5.0.0, which removed support for Rails below version 5.2 and added support for Rails 6. The snapshot is trending toward a 95 rating, according to the Tumbleweed snapshot reviewer.

Tumbleweed’s July Snapshots Are Trending Strong

July 11th, 2019 by

There have been a total of five openSUSE Tumbleweed snapshots since the beginning of July and all the snapshots have a strong, stable rating.

The rolling release had the most updates arrive in the 20190702 snapshot. The packages updated in that snapshot included Mesa 19.1.1 and Mesa-drivers 19.1.1, which had fixes for the Intel ANV and AMD RADV drivers as well as the Nouveau and R300 Gallium3D drivers. The bzip2 file compression application fixed undefined behavior in its macros in version 1.0.7 and fixed a low-impact Common Vulnerabilities and Exposures (CVE) issue. The programming language package guile was updated to version 2.2.5 and provided a bootstrap optimization. Portability improvements were made in libsodium 1.0.18, the library for encryption, decryption, signatures and password hashing. A major release of PulseAudio’s Volume Control package pavucontrol 4.0 was made; the new version dropped support for Gtk+ 2 and added more than a handful of new language translations.

The most recent snapshot, 20190708, didn’t offer a changelog due to the server that the web app uses to produce the changelogs being upgraded to Leap 15.1. The changelog is expected to be included in the next snapshot that is released.

Just two packages were updated in the 20190704 snapshot. The newer vhba-kmp kernel module package (a virtual SCSI host bus adapter) from April 2019 fixed a crash when mounting a disk image with the 5.1 Linux Kernel. The vm-install 0.10.07 package, a tool to define a virtual machine and install its operating system, addressed the use of the deprecated ‘builder’ option in the config file, which produced an error.

The first snapshot of the month, 20190701, didn’t provide any new package releases, but there were some changes made to a few packages, like the one to llvm8 (Low Level Virtual Machine) that increases the RAM for armv6/7 builds to avoid the undesirable Out of Memory (OOM) state. A patch was also dropped from the same package.

A few package updates were made available in the 20190703 snapshot. The Linux Kernel was updated to 5.1.15. The updated kernel offered some fixes for mediatek MultiMediaCard (MMC) flow and detection issues and enabled the System Management Bus (SMBus) on the Lenovo ThinkPad E480 and E580. KDE’s hex editor for viewing and editing binary files, okteta 0.26.2, extended the maximum array size in structures to 64K.

All snapshots released this month so far have recorded a stable rating of 93 or higher, according to the Tumbleweed snapshot reviewer.

Mesa, VirtualBox, Ceph, NetworkManager Packages Update in Tumbleweed

June 6th, 2019 by

Three openSUSE Tumbleweed snapshots have been released in the first four days of June, which bring several minor package updates to the rolling release.

The 20190604 snapshot brought babl 0.1.64, which provided some code consistency, gitlab Continuous Integration (CI), autotools and meson build improvements. An accident in naming caused the 0.3.2 version of bubblewrap to become version 0.3.3. However, bubblewrap 0.3.3 did address a Common Vulnerabilities and Exposures (CVE) issue, provided a few smaller fixes and added the JSON Application Programming Interface (API) that allows reading the inner process exit code. GNU Compiler Collection 8 had some updates that included a couple of patches, one of which makes builds without profiling reproducible. Generic Graphics Library gegl 0.4.16 also added gitlab CI and uses a custom allocator for tile data, which aligns data and groups allocations in blocks; on Linux this is complemented by the GNU extension malloc_trim, which permits forcing invocation of the glibc malloc/free allocator’s garbage collection function. Oracle’s virtualbox 6.0.8 had a minor maintenance release that fixed a crash when powering off a Virtual Machine without a graphics controller, and xorg-x11-server 1.20.5 fixed some input issues. The snapshot is currently trending at a 96 rating, according to the snapshot reviewer.

Snapshot 20190603 updated Mesa and Mesa-drivers to version 19.0.5 and took care of some core code and drivers. NetworkManager 1.16.2 fixed the wrong permissions of the /var/lib/NetworkManager/secret_key file. Ceph’s minor version update disabled Link Time Optimisation in the spec file. GNOME 3.32.2 had several package updates and fixes, including the fix of a regression that caused the fonts category to go missing. Tumbleweed skipped over the 1.3.0 series of Flatpak directly to version 1.4.0. The major changes since 1.2.4 are improved I/O use for system-installed applications and the new format for pre-configured remotes. Glib2 2.60.3 updated translations and provided various fixes to small key/value support in GHashTable. Scripting language php7 7.3.6 added a missing curl_version and fixed several other bugs. The snapshot is currently trending at a 95 rating, according to the snapshot reviewer.
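The NetworkManager fix above is about file permissions on a secret, which is worth verifying on any system rather than trusting the package version. The following is an added example (not part of the original post and not NetworkManager’s own tooling): a POSIX sh check that a file has no group or other permission bits, using the mode column of ls -l, which is assumed to be the standard ten-character form. The suggested remediation assumes the file should be owned by root, as the system-wide NetworkManager key is.

```sh
#!/bin/sh
# Added example, not from the openSUSE post or NetworkManager itself:
# verify that a secret file is readable by its owner only.

# perms_private FILE -> 0 if group and other have no permission bits, 1 otherwise.
# The ls -l mode field is 10 characters: type, then rwx for user, group, other;
# characters 5-10 are therefore the group and other bits.
perms_private() {
    mode=$(ls -ld "$1" | cut -c5-10) || return 1
    [ "$mode" = "------" ]
}

# check_secret_key FILE -> prints a verdict; returns 0 when the file is private
# or absent (a fresh system has not generated the key yet), 1 when it is exposed.
check_secret_key() {
    f="$1"
    [ -e "$f" ] || { echo "$f: not present"; return 0; }
    if perms_private "$f"; then
        echo "$f: private (owner-only permissions)"
        return 0
    fi
    echo "$f: readable by group or others; fix with: chmod 0600 '$f' && chown root:root '$f'"
    return 1
}

# Run against the path named in the snapshot note (needs access to the directory).
check_secret_key /var/lib/NetworkManager/secret_key
```

The same function works for any other per-host secret (SSH host keys, TLS private keys); the remediation line is printed rather than executed so the check can run unprivileged.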

The snapshot that started out the month, 20190601, updated the Linux Kernel to 5.1.5, which fixed a data loss bug. Flatpak-builder 1.0.7 fixed some details in how platform commits are created, to fix font cache mtime issues. Among the other package updates in the snapshot were GNOME’s image viewer gthumb 3.8.0, ibus-libpinyin 1.11.1, libopenmpt 0.4.5, qalculate 3.2.0, rdesktop 1.8.6, which fixed the protocol code handling new licenses, and yast2-support 4.1.1. The snapshot is currently trending at a 90 rating, according to the snapshot reviewer.

Tumbleweed Snapshots Deliver Curl, Salt, FFmpegs Packages Updates

April 18th, 2019 by

Three quality openSUSE Tumbleweed snapshots were released since last Thursday with updated packages for Curl, Salt, FFmpeg and more.

Mozilla Firefox had a minor release of version 66.0.3 in the latest Tumbleweed 20190415 snapshot. The browser addressed some performance issues with some HTML5 games and provided a Baidu search plugin for Chinese users and China’s Internet space. The command-line tool for transferring data using various protocols, curl 7.64.1, fixed many bugs and added additional libraries to check for Lightweight Directory Access Protocol (LDAP) support. The update of libvirt 5.2.0 dropped a few patches and added several new features, like storage pool capabilities that provide more detailed XML output for the virConnectGetStoragePoolCapabilities Application Programming Interface (API); libvirt also enabled firmware autoselection for the open-source emulator QEMU. The newest salt 2019.2.0 package in Tumbleweed enhanced network automation and broadened support for a variety of network operating systems, and added features for configuration manipulation and operational command execution. Salt 2019.2.0 also added running Ansible playbooks with the playbooks function, and it includes an Ansible playbooks state module, which can be used on a targeted host to run playbooks or in an orchestration state runner. The snapshot was trending at a 95 rating at the time of publishing this article, according to the Tumbleweed snapshot reviewer.

Snapshot 20190412 was trending at a 94 rating and brought an update to Ceph that added a separate option to configure a Secure Sockets Layer (SSL) port. The cifs-utils 6.9 package, which is part of the Samba Project, added fixes for Azure and removed several patches. The libssh2_org 1.8.2 package fixed a misapplied patch that broke its previous version. A few YaST packages had some updates, like the yast2-storage-ng 4.2.5 package that allows a new format for importing and exporting Network File System (NFS) drives.

The 20190411 snapshot started off the week and posted a moderately stable rating of 89. This snapshot brought the 5.0.7 Linux Kernel, which offered a mitigation related to the ptrace system call on PowerPC. There were some bug fixes for codecs, filters and formats in the ffmpeg 4.1.3 update. The JavaScript bindings for GNOME, gjs 1.56.0, had a significantly large changelog recording info since the previous 1.54.3 version that was in Tumbleweed. The previous logs identified a GNU Compiler Collection 9 bug and added some ESLint rules. The new version was a stable version bump. The python-kiwi 9.17.35 package fixed regressions for the kiwi-repart dracut module. The wget 1.20.3 package fixed the buffer overflow vulnerability tracked as CVE-2019-5953. Text editor vim 8.1.1137 fixed several bugs, including a Python test that didn’t wipe out a hidden buffer and a space in the number column that was on the wrong side with ‘rightleft’ set.

Tumbleweed Rolls with Package Updates of Git, Virtualbox, OpenSSH

December 6th, 2018 by

openSUSE’s rolling release Tumbleweed had a total of five snapshots this week and is preparing for an update to the KDE Plasma 5.14.4 packages in forthcoming snapshots.

The five Tumbleweed snapshots this week brought the 4.19.5 Linux Kernel, which was the only package updated in the 20181130 snapshot. The kernel-source 4.19.5 package added a force option for the pciserial device on the x86 architecture and fixed the HiperSockets sniffer on the s390 architecture.

The most recently released snapshot, 20181204, had more than a dozen packages updated. GNOME’s application for managing Flickr image hosting accounts, frogr 1.5, fixed issues with the content and installation of the AppData file and moved the functionality menu. GNOME’s goffice had a version bump to 0.10.44. Various rubygem packages were updated, and the most significant change among them was that rubygem-pry 0.12.2 dropped support for Rubinius. Both python-boto3 1.9.57 and python-botocore 1.12.57 had multiple application programming interface (API) changes. The obs-service-set_version 0.5.11 package needed “python suff” and now allows running tests with python3.

The first snapshot to arrive in December was snapshot 20181203. Among the package changes were an update to checkmedia 4.1, which fixed digest calculation in tagmedia; GNOME’s framework for media discovery grilo 0.3.7; and the distributed compiler icecream 1.2, which improved load calculations and also cleaned up the general code. A python-docutils build dependency was added with cifs-utils 6.8, and elfutils 0.175 fixed three Common Vulnerabilities and Exposures (CVE) issues. Major changes came with the man 2.8.4 package. One of the changes relies on decompressors reading from their standard input rather than redundantly passing them the input file on their command line; this works better with downstream AppArmor confinement of decompressors, since a confined decompressor then needs no file access rules of its own. Virtualbox 5.2.22 fixed a regression in the Core Audio backend that caused a hang when returning from host sleep while processing input buffers, and webkit2gtk3 2.22.4 fixed several crashes and rendering issues, including a crash when using versions of the graphics library Cairo between 1.15 and 1.16.0.


Thunderbird, YaST, Sudo Updates Arrive in Tumbleweed

November 29th, 2018 by

Three openSUSE Tumbleweed snapshots were released since the last blog.

The three Tumbleweed snapshots this week brought a newer Linux Kernel, several rubygem package updates and improvements for an Xfce support library.

Snapshot 20181126 brought the 4.19.4 Linux Kernel, which fixed accelerated VLAN handling and a memory leak in Nouveau secure boot. Yet another Setup Tool (YaST) had some updates with yast2-fonts 4.0.2, which changes the desktop file fonts to system-wide fonts, and multiple translations were also updated with the yast2-trans package. The support library for the Xfce desktop environment, exo, updated to version 0.12.3; it improved layout spacing and alignment and hides the exo launchers from GNOME Software. The cross-platform Integrated Development Environment kdevelop5 5.3.0 brought improved language support for PHP, Python and C++; it also offers a new clazy analyzer plugin. Multiple other libraries were updated, including libjansson 2.11, libsemanage 2.8, libsepol 2.8, libzypp 17.9.0 and more. Several rubygem packages were updated in the snapshot, and rubygem-bundler 1.17.1 had a significant number of additions and improvements, including a config option to disable platform warnings. The mailutils 3.5 package for the handling of email fixed a bug in the base64 encoder. Parser generator bison 3.2.2 brought massive improvements to the deterministic C++ skeleton, lalr1.cc, and the library for manipulation of TIFF images, tiff 4.0.10, incorporated fixes for 10 Common Vulnerabilities and Exposures (CVE), so the corresponding downstream patches were removed.
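Several of the posts above name the first package version that carries a CVE fix (VLC 3.0.8 and apache2 2.4.41 in snapshot 20190824, libpng12 1.2.59 in 20190718, wget 1.20.3 for CVE-2019-5953 in 20190411, elfutils 0.175 in 20181203 and tiff 4.0.10 in 20181126). The practical question for an administrator is whether an installed version is at or above that threshold. The following is an added example (not from the openSUSE posts or from any of the projects named): a POSIX sh version comparison and a small report over a constructed inventory; the installed versions in the sample are made up for the demonstration and the comparison assumes purely numeric, dot-separated versions, which is what all the versions on this page are.

```sh
#!/bin/sh
# Added example, not from the openSUSE posts or any of the projects named:
# compare an installed package version with the first fixed version named in
# a snapshot note, to decide whether a CVE fix is actually present.

# version_lt A B -> exit 0 when A sorts before B, comparing dot-separated
# numeric components left to right (missing components count as 0).
# Non-numeric components (e.g. "rc4") are not handled; keep inputs numeric.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ac="${a%%.*}"; if [ "$ac" = "$a" ]; then a=''; else a="${a#*.}"; fi
        bc="${b%%.*}"; if [ "$bc" = "$b" ]; then b=''; else b="${b#*.}"; fi
        ac="${ac:-0}"; bc="${bc:-0}"
        if [ "$ac" -lt "$bc" ]; then return 0; fi
        if [ "$ac" -gt "$bc" ]; then return 1; fi
    done
    return 1
}

# check_fixed NAME INSTALLED FIXED -> prints a verdict; exit 0 if INSTALLED is
# at or above FIXED, 1 if it is older (fix missing).
check_fixed() {
    if version_lt "$2" "$3"; then
        echo "$1 $2: OLDER than fixed version $3, CVE fix missing"
        return 1
    fi
    echo "$1 $2: at or above fixed version $3"
    return 0
}

# Constructed sample inventory: name, installed version (made up for the demo),
# fixed version taken from the snapshot notes on this page.
SAMPLE='
wget 1.20.1 1.20.3
apache2 2.4.41 2.4.41
vlc 3.0.7 3.0.8
libpng12 1.2.59 1.2.59
tiff 4.0.9 4.0.10
elfutils 0.175 0.175
'

# count_unpatched -> verdict lines go to stderr, the number of packages still
# below their fixed version is printed to stdout (0 means all are patched).
count_unpatched() {
    n=0
    set -- $SAMPLE          # word-split into name/installed/fixed triples
    while [ $# -ge 3 ]; do
        check_fixed "$1" "$2" "$3" >&2 || n=$((n + 1))
        shift 3
    done
    echo "$n"
}

unpatched=$(count_unpatched)
echo "$unpatched package(s) in the sample inventory are still below their fixed version"
```

On an openSUSE host the installed version for the first column comes from `rpm -q --queryformat '%{VERSION}\n' wget` (and similarly for the other packages). A bare version comparison is a quick triage, not proof: distributions also backport fixes without bumping the upstream version, so the patch metadata (for example `zypper list-patches --cve`) remains the authoritative answer for whether a given CVE is addressed.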

Eight packages were updated in the 20181122 snapshot; three of them were YaST-associated packages, like yast2-ntp-client 4.1.6, which aligned the “Synchronize Now” button and “NTP Server Address” box without breaking the previous fix and without hiding the manual checkbox in text mode. The fourth release candidate of freerdp 2.0.0, the free implementation of the Remote Desktop Protocol (RDP), added support for setting the Transport Layer Security (TLS) security level for openssl 1.1.0 and also added smartcard support for substring filters. With the update to sudo 1.8.26, sudo now treats the LOGNAME and USER environment variables (as well as the LOGIN variable on AIX) as a single unit; the release also added support for the OpenLDAP TLS_REQCERT setting in ldap.conf. The xapian-core 1.4.9 package fixed a bug in the efficient handling of inserting a batch of extra positions in ascending order, which could lead to missing positions and corrupted encoded positional data, according to the changelog.
