Debian Jessie Openstack images changelog

8.7.0-20170114

First build for 8.7.0 point release

 -- Steve McIntyre <93sam@debian.org>  Sat, 14 Jan 2017 19:46:48 +0000

8.6.3-20161129

Updates in 2 source package(s), 5 binary package(s):

  Source icu, binaries: libicu52

  icu (52.1-8+deb8u4) jessie-security; urgency=high

    * Backport upstream fix for CVE-2014-9911: buffer overflow problem in
      uresbund.cpp.
    * Backport upstream fix for CVE-2015-2632: unspecified vulnerability
      allows remote attackers to affect confidentiality via unknown vectors.
    * Backport upstream fix for CVE-2015-4844: missing boundary checks in
      layout engine.
    * Backport upstream fix for CVE-2016-0494: integer signedness issue in
      IndicRearrangementProcessor.
    * Backport upstream fix for CVE-2016-6293: the uloc_acceptLanguageFromHTTP
      function does not ensure that there is a '\0' character at the end of a
      certain temporary array.
    * Backport upstream fix for CVE-2016-7415: stack-based buffer overflow in
      the Locale class via a long locale string (closes: #838694).

  Source vim, binaries: vim vim-common vim-runtime vim-tiny

  vim (2:7.4.488-7+deb8u1) jessie-security; urgency=high

    * Backport patch 8.0.0056 (and adapt tests) to fix an issue where malicious
      modelines could execute arbitrary shell commands. (CVE-2016-1248)

 -- Steve McIntyre <93sam@debian.org>  Tue, 29 Nov 2016 11:46:48 +0000

8.6.2

Updates in 2 source package(s), 5 binary package(s):

  Source bind9, binaries: libdns-export100 libirs-export91 libisc-export95 libisccfg-export90

  bind9 (1:9.9.5.dfsg-9+deb8u8) jessie-security; urgency=medium

    * CVE-2016-8864: Fix assertion failure in DNAME processing with patch
      provided by ISC.

  Source tar, binaries: tar

  tar (1.27.1-2+deb8u1) jessie-security; urgency=high

    * Non-maintainer upload by the Security Team.
    * CVE-2016-6321: Bypassing the extract path name.
      When extracting, member names containing '..' components are skipped.
      (Closes: #842339)

 -- Steve McIntyre <93sam@debian.org>  Thu, 17 Nov 2016 16:21:21 +0000

8.6.1

Updates in 3 source package(s), 7 binary package(s):

  Source openssl, binaries: libssl1.0.0 openssl

  openssl (1.0.1t-1+deb8u5) jessie-security; urgency=medium

    * The patch for CVE-2016-2182 was missing a fix.
      (Closes: #838652, #838659)

  openssl (1.0.1t-1+deb8u4) jessie-security; urgency=medium

    * Fix CVE-2016-2177
    * Fix CVE-2016-2178
    * Fix CVE-2016-2179
    * Fix CVE-2016-2180
    * Fix CVE-2016-2181
    * Fix CVE-2016-2182
    * Fix CVE-2016-2183
    * Fix CVE-2016-6302
    * Fix CVE-2016-6303
    * Fix CVE-2016-6304
    * Fix CVE-2016-6306

  Source linux, binaries: linux-image-3.16.0-4-amd64

  linux (3.16.36-1+deb8u2) jessie-security; urgency=high

    * KEYS: Fix short sprintf buffer in /proc/keys show function
      (CVE-2016-7042)
    * scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer()
      (CVE-2016-7425)
    * Bluetooth: Fix potential NULL dereference in RFCOMM bind callback
      (CVE-2015-8956)
    * netfilter: x_tables: speed up jump target validation (Closes: #831014)
    * mm: remove gup_flags FOLL_WRITE games from __get_user_pages()
      (CVE-2016-5195)

  Source bind9, binaries: libdns-export100 libirs-export91 libisc-export95 libisccfg-export90

  bind9 (1:9.9.5.dfsg-9+deb8u7) jessie-security; urgency=high

    * CVE-2016-2775: lwresd crash with long query name.
      Backport of upstream commit 38cc2d14e218e536e0102fa70deef99461354232.
      Closes: #831796.
    * CVE-2016-2776: assertion failure due to unspecified crafted query.
      Fix based on 43139-9-9.patch from ISC. Closes: #839010.

 -- Steve McIntyre <93sam@debian.org>  Fri, 28 Oct 2016 00:22:22 +0100