Обновление ПО

ООО "АДС" alx на adc-line.ru
Чт Июн 18 14:40:07 +05 2015


Уважаемый подписчик!

Выпущено обновление следующих пакетов:

* pd-04_1.0-r5.9:
  ===============
- Добавлена поддержка модуля RD01.

* libopkg1_0.2.4-r0.9, opkg_0.2.4-r0.9:
  =====================================
- Improve handling of failed installs. Package status is now set to 'install
  reinst-required half-installed' and advice on how to rectify the situation is
  now given.

- Improve handling of upgrades, and fix detection of orphan packages. Orphan
  RECOMMENDS will now be removed during an upgrade, as well as orphan DEPENDS,
  if autoremove is enabled. However, packages which move from DEPENDS to
  RECOMMENDS will now be kept. (issue 144)

- Improve handling of package flags.

- Fix 'opkg whatconflicts'.

- Fix handling of '--force-removal-of-dependent-packages'. (issue 140)

- Fix selection between multiple providers of the same abstract package. (issue
  152)

- Fix uname and gname caching during package extraction.

- Fix verification of release metadata files.

- Fix possible segfault in 'pkg_hash_fetch_conflicts()'.

- Use 'sh' instead of 'bash' as the interpreter for 'opkg-check-config'.


- New, optional syntax for setting lists_dir in config files. This new syntax
  will be required in v0.3.0 and later, the old syntax is now deprecated. The
  new syntax is:

    option lists_dir <path>

- New 'opkg-check-config' helper script to check and update config files.
  Currently this just changes the old lists_dir syntax to the new syntax.

- Add the 'combine' option and '--combine' command line argument. These options
  combine the installation or upgrade of multiple packages so that dependency
  evaluation is carried out for the whole transaction rather than separately for
  each package. This resolves the case of issue 124 where multiple packages
  depend on a common package with version constraints in such a way that all
  dependent packages need to be upgraded together.

- Don't select packages for installation which break the dependencies of already
  installed packages (issue 124).

- Fix epoch:version split so that a colon is only interpreted as the epoch
  separator in a version string if it is the first non-numeric character.

- Fix package flags after failed upgrade. This ensures that subsequent
  installs or upgrades do not consider the old package as scheduled for removal.

- Prevent packages listed in RECOMMENDS of an installed package from being
  removed automatically when autoremove is set.

- Fix 'extern "C"' wrapping in header files.

- Improve check for gpgme in configure script. Now either pkg-config or
  gpgme-config can be used to find gpgme.

- Fix internal usage of 'config.h', this ensures building opkg and its
  dependencies with large file support will work correctly.

- Fix internal memory leaks and suboptimal code.

- Fix '--force-reinstall' flag so that it acts as an upgrade rather than
  removing possibly critical packages before reinstall (issue 71)

- Symlinks are now correctly removed during package uninstall (issue 91)

- Fixed help and manual pages to reflect that shell globs not true regexps are
  accepted by opkg (issue 107)
  
- The error message "no valid architecture" is no longer given when the
  architecture of a package is valid but incompatible with the current system.

- Updated AUTHORS, README, CONTRIBUTING, etc

- Dropped "config.h" from the list of installed headers and removed checks for
  HAVE_* symbols from all installed headers

- Made libopkg usable from C++ via `extern "C"` wrapping

* libcrypto1.0.0_1.0.0s-r14.0.9, openssl-conf_1.0.0s-r14.0.9:
  ===========================================================
- Malformed ECParameters causes infinite loop

  When processing an ECParameters structure OpenSSL enters an infinite loop
  if the curve specified is over a specially malformed binary polynomial
  field.

  This can be used to perform denial of service against any
  system which processes public keys, certificate requests or
  certificates.  This includes TLS clients and TLS servers with
  client authentication enabled.

  This issue was reported to OpenSSL by Joseph Barr-Pixton.
  (CVE-2015-1788)
  [Andy Polyakov]

- Exploitable out-of-bounds read in X509_cmp_time

  X509_cmp_time does not properly check the length of the ASN1_TIME
  string and can read a few bytes out of bounds. In addition,
  X509_cmp_time accepts an arbitrary number of fractional seconds in the
  time string.

  An attacker can use this to craft malformed certificates and CRLs of
  various sizes and potentially cause a segmentation fault, resulting in
  a DoS on applications that verify certificates or CRLs. TLS clients
  that verify CRLs are affected. TLS clients and servers with client
  authentication enabled may be affected if they use custom verification
  callbacks.

  This issue was reported to OpenSSL by Robert Swiecki (Google), and
  independently by Hanno B.ck.
  (CVE-2015-1789)
  [Emilia K.sper]

- PKCS7 crash with missing EnvelopedContent

  The PKCS#7 parsing code does not handle missing inner EncryptedContent
  correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
  with missing content and trigger a NULL pointer dereference on parsing.

  Applications that decrypt PKCS#7 data or otherwise parse PKCS#7
  structures from untrusted sources are affected. OpenSSL clients and
  servers are not affected.

  This issue was reported to OpenSSL by Michal Zalewski (Google).
  (CVE-2015-1790)
  [Emilia K.sper]

- CMS verify infinite loop with unknown hash function

  When verifying a signedData message the CMS code can enter an infinite loop
  if presented with an unknown hash function OID. This can be used to perform
  denial of service against any system which verifies signedData messages using
  the CMS code.
  This issue was reported to OpenSSL by Johannes Bauer.
  (CVE-2015-1792)
  [Stephen Henson]

- Race condition handling NewSessionTicket

  If a NewSessionTicket is received by a multi-threaded client when attempting to
  reuse a previous ticket then a race condition can occur potentially leading to
  a double free of the ticket data.
  (CVE-2015-1791)
  [Matt Caswell]

- Segmentation fault in ASN1_TYPE_cmp fix

  The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is
  made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check
  certificate signature algorithm consistency this can be used to crash any
  certificate verification operation and exploited in a DoS attack. Any
  application which performs certificate verification is vulnerable including
  OpenSSL clients and servers which enable client authentication.
  (CVE-2015-0286)
  [Stephen Henson]

- ASN.1 structure reuse memory corruption fix

  Reusing a structure in ASN.1 parsing may allow an attacker to cause
  memory corruption via an invalid write. Such reuse is and has been
  strongly discouraged and is believed to be rare.

  Applications that parse structures containing CHOICE or ANY DEFINED BY
  components may be affected. Certificate parsing (d2i_X509 and related
  functions) are however not affected. OpenSSL clients and servers are
  not affected.
  (CVE-2015-0287)
  [Stephen Henson]

- PKCS7 NULL pointer dereferences fix

  The PKCS#7 parsing code does not handle missing outer ContentInfo
  correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
  missing content and trigger a NULL pointer dereference on parsing.

  Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or
  otherwise parse PKCS#7 structures from untrusted sources are
  affected. OpenSSL clients and servers are not affected.

  This issue was reported to OpenSSL by Michal Zalewski (Google).
  (CVE-2015-0289)
  [Emilia K.sper]

- DoS via reachable assert in SSLv2 servers fix

  A malicious client can trigger an OPENSSL_assert (i.e., an abort) in
  servers that both support SSLv2 and enable export cipher suites by sending
  a specially crafted SSLv2 CLIENT-MASTER-KEY message.

  This issue was discovered by Sean Burford (Google) and Emilia K.sper
  (OpenSSL development team).
  (CVE-2015-0293)
  [Emilia K.sper]

- Use After Free following d2i_ECPrivatekey error fix

  A malformed EC private key file consumed via the d2i_ECPrivateKey function
  could cause a use after free condition. This, in turn, could cause a double
  free in several private key parsing functions (such as d2i_PrivateKey
  or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption
  for applications that receive EC private keys from untrusted
  sources. This scenario is considered rare.

  This issue was discovered by the BoringSSL project and fixed in their
  commit 517073cd4b.
  (CVE-2015-0209)
  [Matt Caswell]

- X509_to_X509_REQ NULL pointer deref fix

  The function X509_to_X509_REQ will crash with a NULL pointer dereference if
  the certificate key is invalid. This function is rarely used in practice.

  This issue was discovered by Brian Carpenter.
  (CVE-2015-0288)
  [Stephen Henson]

- Removed the export ciphers from the DEFAULT ciphers
  [Kurt Roeckx]


-- 
С уважением,
ООО "АДС"





Подробная информация о списке рассылки MC04-DSL-3U-announce