[Nix-dev] Channels, LetsEncrypt, and Security fixes from 2016-12-23 01:26 UTC

Graham Christensen graham at grahamc.com
Fri Dec 23 02:27:33 CET 2016


New format! If you have feedback on formatting, or extra information you
would like to see here, please either mail the nix-dev mailing list, me
personally, or open an issue at https://github.com/nixos/security.

Additionally: Channels are now moving forward and 16.09 users with
LetsEncrypt should be working after updating your channels and
rebuilding.

This mail was sent to the nix-dev list as well for the previous two
issues.

Standard email follows:

The following issues have been resolved in NixOS in release-16.09 and
unstable. They remain potentially vulnerable on older major
releases.

These patches will be released to the unstable and
release-16.09 channels when Hydra finishes building the "tested" job
for each channel:

 - https://hydra.nixos.org/job/nixos/release-16.09/tested
 - https://hydra.nixos.org/job/nixos/trunk-combined/tested

Please consider helping with the next security roundup by commenting on
LATEST_ROUNDUP_URL.

The following changes were applied to release-16.09:

af9b4c6  libtorrentRasterbar_1_0: 1.0.9 -> 1.0.10                    
> Fixes potential crash on invalid input to the http parser
> and a division-by-zero bug in the super seeding logic.

831571c  keepass: 2.33 -> 2.34                                       
> Recommended update from upstream. Release notes:
> http://keepass.info/news/n160611_2.34.html

d3e9fc6  linux:3.12.68 -> 3.12.69                                    
> All kernel patches are considered security-sensitive.

6cef2f2  linux:3.18.44 -> 3.18.45                                    
> All kernel patches are considered security-sensitive.

bd9eba2  zlib: patch for CVE-2016-9840, CVE-2016-9841, CVE-9842, CV..
> CVE-2016-9840
> CVE-2016-9841
> CVE-2016-9842
> CVE-2016-9843

4e6223c  pythonPackages.bottle: 0.12.9 -> 0.12.11 for CVE-2016-9964  
> CVE-2016-9964

b5de7ef  xen: patch for many XSAs                                    
> XSA-190
> XSA-191
> XSA-192
> XSA-193
> XSA-195
> XSA-196
> XSA-198
> XSA-200
> XSA-202
> XSA-204

d3934be  openjpeg2: patch for CVE-2016-9580, and CVE-2016-9581       
> CVE-2016-9580
> CVE-2016-9581

142b303  libupnp: 1.6.20 -> 1.6.21 for CVE-2016-8863                 
> CVE-2016-8863

490a23e  nagios: 4.2.3 -> 4.2.4 for CVE-2016-9566                    
> CVE-2016-9566

6c97c1c  tomcatUnstable: 9.0.0.M13 -> 9.0.0.M15 for CVE-2016-9774, ..
> CVE-2016-9774
> CVE-2016-9775

2ab18b7  tomcat85: 8.5.8 -> 8.5.9 for CVE-2016-9774, CVE-2016-9775   
> CVE-2016-9774
> CVE-2016-9775

78b5267  game-music-emu: 0.6.0 -> 0.6.1 for multiple CVEs            
> CVE-2016-9957
> CVE-2016-9958
> CVE-2016-9959
> CVE-2016-9960
> CVE-2016-9961

b2e80a5  samba4: 4.3.11 -> 4.3.13                                    
> CVE-2016-2123
> CVE-2016-2125
> CVE-2016-2126

eaf6fc8  tor: 0.2.8.10 -> 0.2.8.12                                   
> CVE-2016-1254

b5edcfc  squid: 3.5.19 -> 3.5.23                                     
> CVE-2016-10002
> CVE-2016-10003
======================================================================



The following changes were applied to unstable:

3ffb5ba  linux:3.18.44 -> 3.18.45                                    
> All kernel patches are considered security-sensitive.

53e2152  linux:3.12.68 -> 3.12.69                                    
> All kernel patches are considered security-sensitive.

ecc7b33  pythonPackages.bottle: 0.12.9 -> 0.12.11 for CVE-2016-9964  
> CVE-2016-9964

4e6c7fa  xen: patch for many XSAs                                    
> XSA-190
> XSA-191
> XSA-192
> XSA-193
> XSA-195
> XSA-196
> XSA-198
> XSA-200
> XSA-202
> XSA-204

c7a2073  openjpeg2: patch for CVE-2016-9580, and CVE-2016-9581       
> CVE-2016-9580
> CVE-2016-9581

0d3f0f0  libupnp: 1.6.20 -> 1.6.21 for CVE-2016-8863                 
> CVE-2016-8863

2f17c36  nagios: 4.2.3 -> 4.2.4 for CVE-2016-9566                    
> CVE-2016-9566

72faac9  tomcatUnstable: 9.0.0.M13 -> 9.0.0.M15 for CVE-2016-9774, ..
> CVE-2016-9774
> CVE-2016-9775

a528c04  tomcat85: 8.5.8 -> 8.5.9 for CVE-2016-9774, CVE-2016-9775   
> CVE-2016-9774
> CVE-2016-9775

2c24ce5  game-music-emu: 0.6.0 -> 0.6.1 for multiple CVEs            
> CVE-2016-9957
> CVE-2016-9958
> CVE-2016-9959
> CVE-2016-9960
> CVE-2016-9961

3e92b56  tor: 0.2.8.10 -> 0.2.8.12                                   
> CVE-2016-1254

4b67968  squid: 3.5.19 -> 3.5.23                                     
> CVE-2016-10002
> CVE-2016-10003

Thank you very much,
Graham Christensen
NixOS Security Team
https://github.com/nixos/security