[Nix-dev] Channels, LetsEncrypt, and Security fixes from 2016-12-23 01:26 UTC

zimbatm zimbatm at zimbatm.com
Sun Dec 25 11:33:27 CET 2016


Thanks Graham.

I pushed the Exim updates for CVE-2016-9963 as well.

master: 352e167c224: exim: 4.87 -> 4.88 for CVE-2016-9963
release-16.09: d6bff30c96ed6: exim: 4.87 -> 4.87.1 for CVE-2016-9963

The release branch only got the tiny update to avoid breaking
backward-compatibility.


On Fri, 23 Dec 2016 at 01:28 Graham Christensen <graham at grahamc.com> wrote:

>
> New format! If you have feedback on formatting, or extra information you
> would like to see here, please either mail the nix-dev mailing list, me
> personally, or open an issue at https://github.com/nixos/security.
>
> Additionally: Channels are now moving forward and 16.09 users with
> LetsEncrypt should be working after updating your channels and
> rebuilding.
>
> This mail was sent to the nix-dev list as well for the previous two
> issues.
>
> Standard email follows:
>
> The following issues have been resolved in NixOS in release-16.09 and
> unstable. They remain potentially vulnerable on older major
> releases.
>
> These patches will be released to the unstable and
> release-16.09 channels when Hydra finishes building the "tested" job
> for each channel:
>
>  - https://hydra.nixos.org/job/nixos/release-16.09/tested
>  - https://hydra.nixos.org/job/nixos/trunk-combined/tested
>
> Please consider helping with the next security roundup by commenting on
> LATEST_ROUNDUP_URL.
>
> The following changes were applied to release-16.09:
>
> af9b4c6  libtorrentRasterbar_1_0: 1.0.9 -> 1.0.10
> > Fixes potential crash on invalid input to the http parser
> > and a division-by-zero bug in the super seeding logic.
>
> 831571c  keepass: 2.33 -> 2.34
> > Recommended update from upstream. Release notes:
> > http://keepass.info/news/n160611_2.34.html
>
> d3e9fc6  linux:3.12.68 -> 3.12.69
> > All kernel patches are considered security-sensitive.
>
> 6cef2f2  linux:3.18.44 -> 3.18.45
> > All kernel patches are considered security-sensitive.
>
> bd9eba2  zlib: patch for CVE-2016-9840, CVE-2016-9841, CVE-9842, CV..
> > CVE-2016-9840
> > CVE-2016-9841
> > CVE-2016-9842
> > CVE-2016-9843
>
> 4e6223c  pythonPackages.bottle: 0.12.9 -> 0.12.11 for CVE-2016-9964
> > CVE-2016-9964
>
> b5de7ef  xen: patch for many XSAs
> > XSA-190
> > XSA-191
> > XSA-192
> > XSA-193
> > XSA-195
> > XSA-196
> > XSA-198
> > XSA-200
> > XSA-202
> > XSA-204
>
> d3934be  openjpeg2: patch for CVE-2016-9580, and CVE-2016-9581
> > CVE-2016-9580
> > CVE-2016-9581
>
> 142b303  libupnp: 1.6.20 -> 1.6.21 for CVE-2016-8863
> > CVE-2016-8863
>
> 490a23e  nagios: 4.2.3 -> 4.2.4 for CVE-2016-9566
> > CVE-2016-9566
>
> 6c97c1c  tomcatUnstable: 9.0.0.M13 -> 9.0.0.M15 for CVE-2016-9774, ..
> > CVE-2016-9774
> > CVE-2016-9775
>
> 2ab18b7  tomcat85: 8.5.8 -> 8.5.9 for CVE-2016-9774, CVE-2016-9775
> > CVE-2016-9774
> > CVE-2016-9775
>
> 78b5267  game-music-emu: 0.6.0 -> 0.6.1 for multiple CVEs
> > CVE-2016-9957
> > CVE-2016-9958
> > CVE-2016-9959
> > CVE-2016-9960
> > CVE-2016-9961
>
> b2e80a5  samba4: 4.3.11 -> 4.3.13
> > CVE-2016-2123
> > CVE-2016-2125
> > CVE-2016-2126
>
> eaf6fc8  tor: 0.2.8.10 -> 0.2.8.12
> > CVE-2016-1254
>
> b5edcfc  squid: 3.5.19 -> 3.5.23
> > CVE-2016-10002
> > CVE-2016-10003
> ======================================================================
>
>
>
> The following changes were applied to unstable:
>
> 3ffb5ba  linux:3.18.44 -> 3.18.45
> > All kernel patches are considered security-sensitive.
>
> 53e2152  linux:3.12.68 -> 3.12.69
> > All kernel patches are considered security-sensitive.
>
> ecc7b33  pythonPackages.bottle: 0.12.9 -> 0.12.11 for CVE-2016-9964
> > CVE-2016-9964
>
> 4e6c7fa  xen: patch for many XSAs
> > XSA-190
> > XSA-191
> > XSA-192
> > XSA-193
> > XSA-195
> > XSA-196
> > XSA-198
> > XSA-200
> > XSA-202
> > XSA-204
>
> c7a2073  openjpeg2: patch for CVE-2016-9580, and CVE-2016-9581
> > CVE-2016-9580
> > CVE-2016-9581
>
> 0d3f0f0  libupnp: 1.6.20 -> 1.6.21 for CVE-2016-8863
> > CVE-2016-8863
>
> 2f17c36  nagios: 4.2.3 -> 4.2.4 for CVE-2016-9566
> > CVE-2016-9566
>
> 72faac9  tomcatUnstable: 9.0.0.M13 -> 9.0.0.M15 for CVE-2016-9774, ..
> > CVE-2016-9774
> > CVE-2016-9775
>
> a528c04  tomcat85: 8.5.8 -> 8.5.9 for CVE-2016-9774, CVE-2016-9775
> > CVE-2016-9774
> > CVE-2016-9775
>
> 2c24ce5  game-music-emu: 0.6.0 -> 0.6.1 for multiple CVEs
> > CVE-2016-9957
> > CVE-2016-9958
> > CVE-2016-9959
> > CVE-2016-9960
> > CVE-2016-9961
>
> 3e92b56  tor: 0.2.8.10 -> 0.2.8.12
> > CVE-2016-1254
>
> 4b67968  squid: 3.5.19 -> 3.5.23
> > CVE-2016-10002
> > CVE-2016-10003
>
> Thank you very much,
> Graham Christensen
> NixOS Security Team
> https://github.com/nixos/security