aelius

Package update notifications on Debian


If you want to be notified when updates are available for the packages on your Debian system, you can use apticron. apticron is a bash script run from crontab that checks whether upgrades exist for the installed packages. If there are any, it sends you a detailed notification by email. It is highly customizable and useful.

Installing it is very simple:


root@pluto:~# apt-get install apticron
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
apticron
0 upgraded, 1 newly installed, 0 to remove and 70 not upgraded.
Need to get 20.1 kB of archives.
After this operation, 88.1 kB of additional disk space will be used.
Get:1 http://ftp.de.debian.org/debian/ wheezy/main apticron all 1.1.55 [20.1 kB]
Fetched 20.1 kB in 0s (120 kB/s)
Preconfiguring packages ...
Selecting previously unselected package apticron.
(Reading database ... 53927 files and directories currently installed.)
Unpacking apticron (from .../apticron_1.1.55_all.deb) ...
Processing triggers for man-db ...
Setting up apticron (1.1.55) ...
Creating config file /etc/apticron/apticron.conf with new version
Creating config file /etc/cron.d/apticron with new version
root@pluto:~#

I edited the file '/etc/apticron/apticron.conf' and configured it as follows:


EMAIL="tex@myfuckingdomain.org"
SYSTEM="pluto.myfuckingdomain.org"
IPADDRESSNUM="1"
CUSTOM_SUBJECT="Pluto Server - available update packages"
CUSTOM_FROM="system@myfuckingdomain.org"

I deleted the file '/etc/cron.d/apticron' and instead added an entry to '/etc/crontab' that runs at 10:30:


root@pluto:~# rm -f /etc/cron.d/apticron
root@pluto:~# echo "30 10 * * * root if test -x /usr/sbin/apticron; then /usr/sbin/apticron --cron; else true; fi" >> /etc/crontab

This is roughly what the report sent by email looks like:


apticron report [Thu, 03 Apr 2014 23:24:38 +0100]
========================================================================

apticron has detected that some packages need upgrading on:

pluto.myfuckingdomain.org
[ 188.240.xx 94.177.xx 94.177.xx 188.240.xx ]

The following packages are currently pending an upgrade:

apache2.2-bin 2.2.22-13+deb7u1
apache2.2-common 2.2.22-13+deb7u1
apache2-mpm-prefork 2.2.22-13+deb7u1
apache2-prefork-dev 2.2.22-13+deb7u1
apache2-utils 2.2.22-13+deb7u1
apt 0.9.7.9+deb7u1
apt-utils 0.9.7.9+deb7u1
base-files 7.1wheezy4
curl 7.26.0-1+wheezy8
dropbox 1.6.1
gnupg 1.4.12-7+deb7u3
gpgv 1.4.12-7+deb7u3
libapache2-mod-php5 5.4.4-14+deb7u8
libapache2-mod-rpaf 0.6-7+wheezy1
libapt-inst1.5 0.9.7.9+deb7u1
libapt-pkg4.12 0.9.7.9+deb7u1
libavcodec53 6:0.8.10-1
libavformat53 6:0.8.10-1
libavutil51 6:0.8.10-1
libc6 2.13-38+deb7u1
libc6-dev 2.13-38+deb7u1
libc-bin 2.13-38+deb7u1
libc-dev-bin 2.13-38+deb7u1
libcurl3 7.26.0-1+wheezy8
libcurl3-gnutls 7.26.0-1+wheezy8
libexpat1 2.1.0-1+deb7u1
libexpat1-dev 2.1.0-1+deb7u1
libgnutls26 2.12.20-8+deb7u1
libmysqlclient18 5.5.35-rel33.0-611.wheezy
libmysqlclient18.1 5.6.15-25.5-759.wheezy
libmysqlclient-dev 5.6.15-25.5-759.wheezy
libnet-server-perl 2.006-1+deb7u1
libperconaserverclient18 5.5.36-rel34.2-648.wheezy
libpq5 9.1.12-0wheezy1
libpq-dev 9.1.12-0wheezy1
libpython2.7 2.7.3-6+deb7u2
librsvg2-2 2.36.1-2
librsvg2-common 2.36.1-2
libssl-doc 1.0.1e-2+deb7u4
libswscale2 6:0.8.10-1
linux-image-3.2.0-4-amd64 3.2.54-2
linux-libc-dev 3.2.54-2
locales 2.13-38+deb7u1
memcached 1.4.13-0.2+deb7u1
multiarch-support 2.13-38+deb7u1
mutt 1.5.21-6.2+deb7u2
openssl 1.0.1e-2+deb7u4
percona-server-client-5.5 5.5.36-rel34.2-648.wheezy
percona-server-common-5.5 5.5.36-rel34.2-648.wheezy
percona-server-server-5.5 5.5.36-rel34.2-648.wheezy
php5 5.4.4-14+deb7u8
php5-cli 5.4.4-14+deb7u8
php5-common 5.4.4-14+deb7u8
php5-curl 5.4.4-14+deb7u8
php5-dev 5.4.4-14+deb7u8
php5-fpm 5.4.4-14+deb7u8
php5-gd 5.4.4-14+deb7u8
php5-intl 5.4.4-14+deb7u8
php5-mcrypt 5.4.4-14+deb7u8
php5-mysql 5.4.4-14+deb7u8
php5-sqlite 5.4.4-14+deb7u8
php5-sybase 5.4.4-14+deb7u8
php5-tidy 5.4.4-14+deb7u8
php5-xmlrpc 5.4.4-14+deb7u8
php5-xsl 5.4.4-14+deb7u8
php-pear 5.4.4-14+deb7u8
python2.7 2.7.3-6+deb7u2
python2.7-minimal 2.7.3-6+deb7u2
tzdata 2013i-0wheezy1
wget 1.13.4-3+deb7u1
whois 5.1.1~deb7u1

========================================================================

Package Details:

Reading changelogs...
--- Changes for curl (curl libcurl3 libcurl3-gnutls) ---
curl (7.26.0-1+wheezy8) wheezy-security; urgency=high

* Fix re-use of wrong HTTP NTLM connection as per CVE-2014-0015
http://curl.haxx.se/docs/adv_20140129.html
* Set urgency=high accordingly

-- Alessandro Ghedini <ghedo@debian.org> Wed, 29 Jan 2014 19:01:03 +0100

curl (7.26.0-1+wheezy7) stable-security; urgency=high

* Fix GnuTLS checking of a certificate CN or SAN name field when the digital
signature verification is turned off as per CVE-2013-6422
http://curl.haxx.se/docs/adv_20131217.html
* Set urgency=high accordingly

-- Alessandro Ghedini <ghedo@debian.org> Wed, 11 Dec 2013 18:00:59 +0100

--- Changes for gnupg (gnupg gpgv) ---
gnupg (1.4.12-7+deb7u3) wheezy-security; urgency=high

* Fixed the RSA Key Extraction via Low-Bandwidth Acoustic
Cryptanalysis attack as described by Genkin, Shamir, and Tromer.
See <http://www.cs.tau.ac.il/~tromer/acoustic/>. [CVE-2013-4576]

-- Thijs Kinkhorst <thijs@debian.org> Sat, 14 Dec 2013 09:18:28 +0100

--- Changes for gnutls26 (libgnutls26) ---
gnutls26 (2.12.20-8+deb7u1) wheezy-security; urgency=high

* 38_CVE-2014-0092.diff by Nikos Mavrogiannopoulos: Fix certificate
validation issue. CVE-2014-0092

-- Andreas Metzler <ametzler@debian.org> Sat, 01 Mar 2014 07:44:51 +0100

gnutls26 (2.12.20-8) wheezy-security; urgency=high

* 26_fix_rejection-of-v1-intermedi.diff pulled and unfuzzed from GIT 3.x:
A version 1 intermediate certificate will be considered as a CA
certificate by default (something that deviates from the documented
behavior).
CVE-2014-1959 / GNUTLS-SA-2014-1

-- Andreas Metzler <ametzler@debian.org> Sat, 15 Feb 2014 18:27:37 +0100

--- Changes for linux (linux-image-3.2.0-4-amd64 linux-libc-dev) ---
linux (3.2.54-2) wheezy; urgency=high

* [arm] Ignore ABI change in omap_dsp_get_mempool_base (fixes FTBFS)

-- dann frazier <dannf@debian.org> Sat, 01 Feb 2014 13:08:46 +0000

linux (3.2.54-1) wheezy; urgency=high

* New upstream stable update:
http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.54
- NFSv4: Fix a use-after-free situation in _nfs4_proc_getlk()
- USB: mos7840: fix tiocmget error handling
- ALSA: 6fire: Fix probe of multiple cards
- can: c_can: Fix RX message handling, handle lost message before EOB
- dm mpath: fix race condition between multipath_dtr and pg_init_done
- ext4: avoid bh leak in retry path of ext4_expand_extra_isize_ea()
- KVM: IOMMU: hva align mapping page size
- crypto: s390 - Fix aes-cbc IV corruption
- audit: printk USER_AVC messages when audit isn't enabled
- audit: fix info leak in AUDIT_GET requests
- audit: use nlmsg_len() to get message payload length
- PM / hibernate: Avoid overflow in hibernate_preallocate_memory()
- blk-core: Fix memory corruption if blkcg_init_queue fails
- block: fix a probe argument to blk_register_region
- SUNRPC: Fix a data corruption issue when retransmitting RPC calls
- mwifiex: correct packet length for packets from SDIO interface
- vsprintf: check real user/group id for %pK
- ipc, msg: fix message length check for negative values
- hwmon: (lm90) Fix max6696 alarm handling
- rtlwifi: rtl8192cu: Fix more pointer arithmetic errors
- setfacl removes part of ACL when setting POSIX ACLs to Samba
- nfsd: make sure to balance get/put_write_access
- nfsd4: fix xdr decoding of large non-write compounds (regression
in 3.2.49)
- NFSv4 wait on recovery for async session errors
- powerpc/signals: Mark VSX not saved with small contexts
- iscsi-target: fix extract_param to handle buffer length corner case
- iscsi-target: chap auth shouldn't match username with trailing garbage
- configfs: fix race between dentry put and lookup
- [powerpc] signals: Improved mark VSX not saved with small contexts fix
- mac80211: don't attempt to reorder multicast frames
- Staging: zram: Fix access of NULL pointer
- Staging: zram: Fix memory leak by refcount mismatch
- irq: Enable all irqs unconditionally in irq_resume
- tracing: Allow events to have NULL strings
- [armhf/omap] Staging: tidspbridge: disable driver
- cpuset: Fix memory allocator deadlock
- crypto: authenc - Find proper IV address in ablkcipher callback
- crypto: scatterwalk - Set the chain pointer indication bit
- [s390] crypto: s390 - Fix aes-xts parameter corruption
- crypto: ccm - Fix handling of zero plaintext when computing mac
- net: update consumers of MSG_MORE to recognize MSG_SENDPAGE_NOTLAST
(fixes regression in 3.2.17)
- hpsa: do not discard scsi status on aborted commands
- hpsa: return 0 from driver probe function on success, not 1
- [arm] 7912/1: check stack pointer in get_wchan
- [arm] 7913/1: fix framepointer check in unwind_frame
- ALSA: memalloc.h - fix wrong truncation of dma_addr_t
- dm snapshot: avoid snapshot space leak on crash
- dm table: fail dm_table_create on dm_round_up overflow
- hwmon: (w83l786ng) Fix fan speed control mode setting and reporting
- hwmon: (w83l768ng) Fix fan speed control range
- futex: fix handling of read-only-mapped hugepages
- KVM: Improve create VCPU parameter (CVE-2013-4587)
- [x86] KVM: Fix potential divide by 0 in lapic (CVE-2013-6367)
- net: Fix "ip rule delete table 256" (Closes: #724783)
- 6lowpan: Uncompression of traffic class field was incorrect
- ipv4: fix possible seqlock deadlock
- inet: prevent leakage of uninitialized memory to user in recv syscalls
- net: rework recvmsg handler msg_name and msg_namelen logic
- net: add BUG_ON if kernel advertises msg_namelen >
sizeof(struct sockaddr_storage)
- inet: fix addr_len/msg->msg_namelen assignment in recv_error and rxpmtu
functions
- ipv6: fix leaking uninitialized port number of offender sockaddr
- net: core: Always propagate flag changes to interfaces
- packet: fix use after free race in send path when dev is released
- inet: fix possible seqlock deadlocks
- ipv6: fix possible seqlock deadlock in ip6_finish_output2
- ftrace: Check module functions being traced on reload
- ftrace: Fix function graph with loading of modules
- mmc: block: fix a bug of error handling in MMC driver

[ Ben Hutchings ]
* SCSI: virtio_scsi: fix memory leak on full queue condition
(Closes: #730138)
* drm, agp: Update to 3.4.76:
- drm/radeon: fix asic gfx values for scrapper asics
- drm/edid: add quirk for BPC in Samsung NP700G7A-S01PL notebook
- drm/radeon: fixup bad vram size on SI

[ dann frazier ]
* ath9k_htc: properly set MAC address and BSSID mask (CVE-2013-4579)
* KVM: x86: Convert vapic synchronization to _cached functions (CVE-2013-6368)
* x86, fpu, amd: Clear exceptions in AMD FXSAVE workaround (CVE-2014-1438)
* hamradio/yam: fix info leak in ioctl (CVE-2014-1446)

-- dann frazier <dannf@debian.org> Wed, 29 Jan 2014 13:42:01 -0700

linux (3.2.53-2) wheezy; urgency=high

* [sparc] Ignore insignificant ABI changes (fixes FTBFS)
* [powerpc] Update CPU device backport to work after 'powerpc/sysfs:
Disable writing to PURR in guest mode' in 3.2.52 (fixes FTBFS)
* exec/ptrace: Fix typo in backport of 'fix get_dumpable() incorrect tests'
(CVE-2013-2929) (Closes: #732208)
* net: Fix infinite loop in in skb_flow_dissect() (CVE-2013-4348)

-- Ben Hutchings <ben@decadent.org.uk> Tue, 17 Dec 2013 03:24:07 +0000

linux (3.2.53-1) wheezy; urgency=medium

* New upstream stable update:
http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.52
- 8139cp: Add dma_mapping_error checking
- ipv6: drop packets with multiple fragmentation headers
- ipv6: Don't depend on per socket memory for neighbour discovery messages
- HID: hidraw: correctly deallocate memory on device disconnect
- xen-gnt: prevent adding duplicate gnt callbacks
- usb: config->desc.bLength may not exceed amount of data returned by the
device
- USB: cdc-wdm: fix race between interrupt handler and tasklet
- [powerpc] Handle unaligned ldbrx/stdbrx
- intel-iommu: Fix leaks in pagetable freeing
- ath9k: fix rx descriptor related race condition
- ath9k: avoid accessing MRC registers on single-chain devices
- rculist: list_first_or_null_rcu() should use list_entry_rcu()
- USB: mos7720: fix big-endian control requests
- of: Fix missing memory initialization on FDT unflattening
- fuse: postpone end_page_writeback() in fuse_writepage_locked()
- fuse: invalidate inode attributes on xattr modification
- fuse: hotfix truncate_pagecache() issue
- hdpvr: register the video node at the end of probe
- hdpvr: fix iteration over uninitialized lists in hdpvr_probe()
- fuse: readdir: check for slash in names
- crypto: api - Fix race condition in larval lookup
- sd: Fix potential out-of-bounds access
- ocfs2: fix the end cluster offset of FIEMAP
- mm/huge_memory.c: fix potential NULL pointer dereference
- sched/fair: Fix small race where child->se.parent,cfs_rq might point to
invalid ones
- HID: zeroplus: validate output report details (CVE-2013-2889)
- HID: LG: validate HID output report details (CVE-2013-2893)
- HID: validate feature and input report details (CVE-2013-2897)
- HID: logitech-dj: validate output report details (CVE-2013-2895)
- nilfs2: fix issue with race condition of competition between segments
for dirty blocks
- powerpc: Fix parameter clobber in csum_partial_copy_generic()
- powerpc: Restore registers on error exit from csum_partial_copy_generic()
- net: sctp: fix smatch warning in sctp_send_asconf_del_ip
- net: sctp: fix ipv6 ipsec encryption bug in sctp_v6_xmit (CVE-2013-4350)
- ip: generate unique IP identificator if local fragmentation is allowed
- ipv6: udp packets following an UFO enqueued packet need also be handled
by UFO (CVE-2013-4387)
- esp_scsi: Fix tag state corruption when autosensing.
- [sparc] Fix not SRA'ed %o5 in 32-bit traced syscall
- perf: Use css_tryget() to avoid propping up css refcount
- Revert "zram: use zram->lock to protect zram_free_page() in swap free
notify path" (regression in 3.2.49)
- macvtap: do not zerocopy if iov needs more pages than MAX_SKB_FRAGS
- sfc: Fix efx_rx_buf_offset() for recycled pages
- cgroup: fail if monitored file and event_control are in different cgroup
- perf: Fix perf_cgroup_switch for sw-events
- Revert "sctp: fix call to SCTP_CMD_PROCESS_SACK in
sctp_cmd_interpreter()" (regression in 3.2.34)
- iscsi: don't hang in endless loop if no targets present
- cpqarray: fix info leak in ida_locked_ioctl() (CVE-2013-2147)
- cciss: fix info leak in cciss_ioctl32_passthru() (CVE-2013-2147)
- staging: comedi: ni_65xx: (bug fix) confine insn_bits to one subdevice
http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.53
- tcp: must unclone packets before mangling them
- tcp: do not forget FIN in tcp_shifted_skb() (fixes regression in 2.6.39)
- net: do not call sock_put() on TIMEWAIT sockets
- net: heap overflow in __audit_sockaddr()
- proc connector: fix info leaks
- ipv6: restrict neighbor entry creation to output flow
(fixes regression in 3.2.39)
- farsync: fix info leak in ioctl
- connector: use nlmsg_len() to check message length
- wanxl: fix info leak in ioctl
- net: unix: inherit SOCK_PASS{CRED, SEC} flags from socket to fix race
(fixes regression in 3.2)
- net: fix cipso packet validation when !NETLABEL
- zram: allow request end to coincide with disksize
- perf: Fix perf ring buffer memory ordering
- inet: fix possible memory corruption with UDP_CORK and UFO
(CVE-2013-4470)
- tracing: Fix potential out-of-bounds in trace_get_user()
- include/linux/fs.h: disable preempt when acquire i_size_seqcount write
lock
- jfs: fix error path in ialloc
- random: run random_int_secret_init() run after all late_initcalls
- mac80211: drop spoofed packets in ad-hoc mode
- libata: make ata_eh_qc_retry() bump scmd->allowed on bogus failures
- [powerpc] KVM: PPC: Book3S HV: Fix typo in saving DSCR
- compiler/gcc4: Add quirk for 'asm goto' miscompilation bug
- ext4: fix memory leak in xattr
- [hppa] fix interruption handler to respect pagefault_disable()
- dm snapshot: fix data corruption (CVE-2013-4299)
- ecryptfs: Fix memory leakage in keystore.c
- target/pscsi: fix return value check
- Fix a few incorrectly checked [io_]remap_pfn_range() calls
(CVE-2013-4511)
- uml: check length in exitcode_proc_write() (CVE-2013-4512)
- aacraid: missing capable() check in compat ioctl
- staging: wlags49_h2: buffer overflow setting station name
- Staging: bcm: info leak in ioctl
- lib/scatterlist.c: don't flush_kernel_dcache_page on slab page

* [armel/orion5x] i2c: mv64xxx: work around signals causing I2C transactions
to be aborted
* [armel/orion5x] I2C: mv64xxx: fix race between FSM/interrupt and process
context (Closes: #622325)
* aufs: Set version to 3.2.x-debian
* drm: fix DRM_IOCTL_MODE_GETFB handle-leak
* drm, agp: Update to 3.4.72:
- drm/edid: add quirk for Medion MD30217PG
- drm/ttm: fix the tt_populated check in ttm_tt_destroy()
- drm/radeon: fix LCD record parsing
- drm/radeon: fix endian bugs in hw i2c atom routines
- drm/radeon: update line buffer allocation for dce4.1/5
- drm/radeon: update line buffer allocation for dce6
- drm/radeon: fix resume on some rs4xx boards (v2)
- drm/radeon: fix handling of variable sized arrays for router objects
- drm/radeon/atom: workaround vbios bug in transmitter table on rs880 (v2)
- drm/i915/dp: increase i2c-over-aux retry interval on AUX DEFER
- drm/radeon: disable tests/benchmarks if accel is disabled
- drm/radeon: fix hw contexts for SUMO2 asics
- drm: Prevent overwriting from userspace underallocating core ioctl structs
- drm/radeon/atom: workaround vbios bug in transmitter table on rs780
- drm/ttm: Handle in-memory region copies
- drm/i915: flush cursors harder
- drm/nouveau: when bailing out of a pushbuf ioctl, do not remove previous
fence
- drm/radeon/si: fix define for MC_SEQ_TRAIN_WAKEUP_CNTL
- radeon: workaround pinning failure on low ram gpu
* [rt] Update to 3.2.53-rt75:
- genirq: Set the irq thread policy without checking CAP_SYS_NICE
- hwlat-detector: Don't ignore threshold module
- mm/memcontrol: Don't call schedule_work_on in preemption disabled context
- drm: remove preempt_disable() from
drm_calc_vbltimestamp_from_scanoutpos()
* net: clamp ->msg_namelen instead of returning an error (fixes
regression in 3.2.53)
* rds: prevent BUG_ON triggered on congestion update to loopback
(CVE-2012-2372)
* HID: multitouch: validate indexes details (CVE-2013-2897)
* exec/ptrace: fix get_dumpable() incorrect tests (CVE-2013-2929)
* crypto: ansi_cprng - Fix off by one error in non-block size request
(CVE-2013-4345)
* KVM: perform an invalid memslot step for gpa base change
* KVM: Fix iommu map/unmap to handle memory slot moves (CVE-2013-4592)
* [armhf] 7527/1: uaccess: explicitly check __user pointer when
!CPU_USE_DOMAINS (CVE-2013-6282)
* libertas: potential oops in debugfs (CVE-2013-6378)
* aacraid: prevent invalid pointer dereference (CVE-2013-6380)
* [s390,s390x] qeth: avoid buffer overflow in snmp ioctl (CVE-2013-6381)
* xfs: underflow bug in xfs_attrlist_by_handle() (CVE-2013-6382)

-- Ben Hutchings <ben@decadent.org.uk> Fri, 06 Dec 2013 07:23:56 +0000

--- Changes for memcached ---
memcached (1.4.13-0.2+deb7u1) wheezy-security; urgency=high

* Non-maintainer upload by the Security Team.
* Add 06_CVE-2011-4971.patch patch.
CVE-2011-4971: Fix remote denial of service. Sending a specially
crafted packet cause memcached to segfault. (Closes: #706426)
* Add 07_CVE-2013-7239.patch patch.
CVE-2013-7239: SASL authentication allows wrong credentials to access
memcache. (Closes: #733643)

-- Salvatore Bonaccorso <carnil@debian.org> Mon, 30 Dec 2013 17:47:44 +0100

--- Changes for mutt ---
mutt (1.5.21-6.2+deb7u2) wheezy-security; urgency=high

* Non-maintainer upload.
* Fix buffer overrun caused by not updating a string length after
address expansion.
Fixes: CVE-2014-0467
Closes: #708731

-- Evgeni Golov <evgeni@debian.org> Tue, 11 Mar 2014 18:31:30 +0100

--- Changes for postgresql-9.1 (libpq5 libpq-dev) ---
postgresql-9.1 (9.1.12-0wheezy1) wheezy-security; urgency=high

* New upstream security/bugfix release.

+ Shore up GRANT ... WITH ADMIN OPTION restrictions (Noah Misch)

Granting a role without ADMIN OPTION is supposed to prevent the grantee
from adding or removing members from the granted role, but this
restriction was easily bypassed by doing SET ROLE first. The security
impact is mostly that a role member can revoke the access of others,
contrary to the wishes of his grantor. Unapproved role member additions
are a lesser concern, since an uncooperative role member could provide
most of his rights to others anyway by creating views or SECURITY
DEFINER functions. (CVE-2014-0060)

+ Prevent privilege escalation via manual calls to PL validator functions
(Andres Freund)

The primary role of PL validator functions is to be called implicitly
during CREATE FUNCTION, but they are also normal SQL functions that a
user can call explicitly. Calling a validator on a function actually
written in some other language was not checked for and could be
exploited for privilege-escalation purposes. The fix involves adding a
call to a privilege-checking function in each validator function.
Non-core procedural languages will also need to make this change to
their own validator functions, if any. (CVE-2014-0061)

+ Avoid multiple name lookups during table and index DDL (Robert Haas,
Andres Freund)

If the name lookups come to different conclusions due to concurrent
activity, we might perform some parts of the DDL on a different table
than other parts. At least in the case of CREATE INDEX, this can be used
to cause the permissions checks to be performed against a different
table than the index creation, allowing for a privilege escalation
attack. (CVE-2014-0062)

+ Prevent buffer overrun with long datetime strings (Noah Misch)

The MAXDATELEN constant was too small for the longest possible value of
type interval, allowing a buffer overrun in interval_out(). Although the
datetime input functions were more careful about avoiding buffer
overrun, the limit was short enough to cause them to reject some valid
inputs, such as input containing a very long timezone name. The ecpg
library contained these vulnerabilities along with some of its own.
(CVE-2014-0063)

+ Prevent buffer overrun due to integer overflow in size calculations
(Noah Misch, Heikki Linnakangas)

Several functions, mostly type input functions, calculated an allocation
size without checking for overflow. If overflow did occur, a too-small
buffer would be allocated and then written past. (CVE-2014-0064)

+ Prevent overruns of fixed-size buffers (Peter Eisentraut, Jozef Mlich)

Use strlcpy() and related functions to provide a clear guarantee that
fixed-size buffers are not overrun. Unlike the preceding items, it is
unclear whether these cases really represent live issues, since in most
cases there appear to be previous constraints on the size of the input
string. Nonetheless it seems prudent to silence all Coverity warnings of
this type. (CVE-2014-0065)

+ Avoid crashing if crypt() returns NULL (Honza Horak, Bruce Momjian)

There are relatively few scenarios in which crypt() could return NULL,
but contrib/chkpass would crash if it did. One practical case in which
this could be an issue is if libc is configured to refuse to execute
unapproved hashing algorithms (e.g., "FIPS mode"). (CVE-2014-0066)

+ Document risks of make check in the regression testing instructions
(Noah Misch, Tom Lane)

Since the temporary server started by make check uses "trust"
authentication, another user on the same machine could connect to it as
database superuser, and then potentially exploit the privileges of the
operating-system user who started the tests. A future release will
probably incorporate changes in the testing procedure to prevent this
risk, but some public discussion is needed first. So for the moment,
just warn people against using make check when there are untrusted users
on the same machine. (CVE-2014-0067)

* The upstream tarballs no longer contain a plain HISTORY file, but point to
the html documentation. Note the location of these files in our
changelog.gz file.

-- Christoph Berg <christoph.berg@credativ.de> Thu, 20 Feb 2014 13:34:54 +0100

postgresql-9.1 (9.1.11-0wheezy1) stable; urgency=low

* New upstream bug fix release:
- Fix "VACUUM"'s tests to see whether it can update relfrozenxid
In some cases "VACUUM" (either manual or autovacuum) could
incorrectly advance a table's relfrozenxid value, allowing tuples
to escape freezing, causing those rows to become invisible once
2^31 transactions have elapsed. The probability of data loss is
fairly low since multiple incorrect advancements would need to
happen before actual loss occurs, but it's not zero. Users
upgrading from releases 9.0.4 or 8.4.8 or earlier are not affected,
but all later versions contain the bug.
The issue can be ameliorated by, after upgrading, vacuuming all
tables in all databases while having vacuum_freeze_table_age set to
zero. This will fix any latent corruption but will not be able to
fix all pre-existing data errors. However, an installation can be
presumed safe after performing this vacuuming if it has executed
fewer than 2^31 update transactions in its lifetime (check this
with SELECT txid_current() < 2^31).

- Fix initialization of "pg_clog" and "pg_subtrans" during hot
standby startup
This bug can cause data loss on standby servers at the moment they
start to accept hot-standby queries, by marking committed
transactions as uncommitted. The likelihood of such corruption is
small unless, at the time of standby startup, the primary server
has executed many updating transactions since its last checkpoint.
Symptoms include missing rows, rows that should have been deleted
being still visible, and obsolete versions of updated rows being
still visible alongside their newer versions.
This bug was introduced in versions 9.3.0, 9.2.5, 9.1.10, and
9.0.14. Standby servers that have only been running earlier
releases are not at risk. It's recommended that standby servers
that have ever run any of the buggy releases be re-cloned from the
primary (e.g., with a new base backup) after upgrading.

- See HISTORY/changelog.gz for details about other bug fixes.

-- Martin Pitt <mpitt@debian.org> Thu, 05 Dec 2013 06:28:57 +0100

postgresql-9.1 (9.1.10-0wheezy1) stable; urgency=low

* New upstream bug fix release. See HISTORY/changelog.gz for details.
(No security or critical issues this time.)

-- Martin Pitt <mpitt@debian.org> Tue, 15 Oct 2013 11:49:53 +0200

--- Changes for apache2 (apache2.2-bin apache2.2-common apache2-mpm-prefork apache2-prefork-dev apache2-utils) ---
apache2 (2.2.22-13+deb7u1) wheezy; urgency=medium

Low impact security fixes:
* CVE-2013-1862: mod_rewrite: Ensure that client data written to the
RewriteLog is escaped to prevent terminal escape sequences from entering
the log file. Closes: #722333
* CVE-2013-1896: mod_dav: denial of service via MERGE request.
Closes: #717272
* mod_dav: Fix segfaults in certain error conditions.
https://issues.apache.org/bugzilla/show_bug.cgi?id=52559

* Make apache2ctl create the necessary directories even if started with
special options for apache2. Closes: #731531
* Adjust paragraph in README.Debian about MaxMemFree not working properly.
The issue has been fixed with apr 1.4.5-1.

-- Stefan Fritsch <sf@debian.org> Fri, 31 Jan 2014 19:43:07 +0100

--- Changes for openssl (libssl-doc openssl) ---
openssl (1.0.1e-2+deb7u4) stable; urgency=medium

* enable ec_nistp_64_gcc_128 on *-amd64 (Closes: #698447)
* Enable assembler for the arm targets, and remove armeb.
Patch by Riku Voipio <riku.voipio@iki.fi> (Closes: #676533)

-- Kurt Roeckx <kurt@roeckx.be> Sat, 01 Feb 2014 21:25:20 +0100

openssl (1.0.1e-2+deb7u3) stable-security; urgency=medium

* Don't change version number if session established

-- Kurt Roeckx <kurt@roeckx.be> Mon, 06 Jan 2014 20:28:20 +0100

openssl (1.0.1e-2+deb7u2) stable-security; urgency=medium

* The patch we applied for CVE-2013-6450 was causing segfaults,
also apply the previous commit checking for NULL in
EVP_MD_CTX_destroy()
* Fix for TLS record tampering bug CVE-2013-4353

-- Kurt Roeckx <kurt@roeckx.be> Mon, 06 Jan 2014 18:17:13 +0100

openssl (1.0.1e-2+deb7u1) stable-security; urgency=medium

* Fix CVE-2013-6449 (Closes: #732754)
* Fix CVE-2013-6450
* disable rdrand by default. It was used as only source of entropy when
available. (Closes: #732710)
* Disable Dual EC DRBG.

-- Kurt Roeckx <kurt@roeckx.be> Mon, 23 Dec 2013 17:47:19 +0100

--- Changes for whois ---
whois (5.1.1~deb7u1) proposed-updates; urgency=low

* Rebuilt for wheezy.

-- Marco d'Itri <md@linux.it> Sat, 11 Jan 2014 03:16:43 +0100

whois (5.1.1) unstable; urgency=medium

* Added the servers for 29 "new" gTLDs.

-- Marco d'Itri <md@linux.it> Sat, 11 Jan 2014 00:51:05 +0100

whois (5.1.0) unstable; urgency=low

* Added the .ga, .ml, .pf, .xn--l1acc (.мон, Mongolia) and
.xn--mgba3a4f16a (.ایران, Iran) TLD servers.
* Added the servers for 54 "new" gTLDs.
* Updated the .bw, .gd, .hn, .sb, .xn--j1amh and .xn--mgberp4a5d4ar
TLD servers.
* Added new RIPE and APNIC ASN allocations.
* Removed the .ck TLD server.
* Updated one or more translations.
* Applied multiple small fixes contributed by Petr Písař of Red Hat.
* Correctly hide the disclaimers for .be and .sx. (Closes: #729366)
* Direct queries for private ASN blocks to RIPE. (Closes: #724661)

-- Marco d'Itri <md@linux.it> Thu, 26 Dec 2013 10:05:43 +0100

whois (5.0.26) unstable; urgency=low

* Added the .cf TLD server.
* Updated the .bi TLD server.
* Added a new ASN allocation.

-- Marco d'Itri <md@linux.it> Wed, 17 Jul 2013 00:48:12 +0200

whois (5.0.25) unstable; urgency=low

* Added the .ax, .bn, .iq, .pw and .rw TLD servers.
* Updated one or more translations.

-- Marco d'Itri <md@linux.it> Fri, 10 May 2013 05:13:47 +0200

whois (5.0.24) unstable; urgency=low

* Merged documentation fixes and the whois.conf(5) man page, courtesy of
Petr Písař of Red Hat.
* Added a new ASN allocation.
* Updated one or more translations. (Closes: #705163)

-- Marco d'Itri <md@linux.it> Thu, 18 Apr 2013 03:36:17 +0200

--- Changes for apt (apt apt-utils libapt-inst1.5 libapt-pkg4.12) ---
apt (0.9.7.9+deb7u1) wheezy; urgency=low

* Non-maintainer upload.
* Apply patch for large .debs (Closes: #725483)
Thanks Mark Hymers for the patch, Vincent Sanders for
the review
* Apply patch for strict multi-arch checking in single-architecture
environments (Closes: #723586)

-- Jonathan Wiltshire <jmw@debian.org> Sat, 16 Nov 2013 11:14:39 +0000

--- Changes for base-files ---
base-files (7.1wheezy4) stable; urgency=low

* Changed /etc/debian_version to 7.4, for Debian 7.4 point release.

-- Santiago Vila <sanvila@debian.org> Tue, 28 Jan 2014 11:49:40 +0100

base-files (7.1wheezy3) stable; urgency=low

* Changed /etc/debian_version to 7.3, for Debian 7.3 point release.

-- Santiago Vila <sanvila@debian.org> Wed, 04 Dec 2013 12:30:04 +0100

--- Changes for dropbox ---
dropbox (1.6.1) stable; urgency=low

* Initial Release, This package doesn't use a changelog

-- Rian Hunter <rian@dropbox.com> Wed, 18 Dec 2013 09:08:46 -0800

--- Changes for eglibc (libc6 libc6-dev libc-bin libc-dev-bin locales multiarch-support) ---
eglibc (2.13-38+deb7u1) wheezy; urgency=low

[ Aurelien Jarno ]
* debian/testsuite-checking/compare.sh: disable failing the build on test
regressions to ease the pain of ongoing stable/security maintenance.
* patches/any/cvs-CVE-2012-44xx.diff: backport overflow fixes in strcoll,
addressing CVE-2012-4412 and CVE-2012-4424 (Closes: #687530, #689423).
* patches/any/CVE-2013-0242.diff: backport buffer overrun fix in regexp
matcher, addressing CVE-2013-0242 (Closes: #699399).
* patches/cvs-CVE-2013-1914.diff: backport stack overflow fixes in
getaddrinfo(), addressing CVE-2013-1914 (Closes: #704623).
* patches/any/cvs-CVE-2013-4237.diff: backport buffer overwrite fix in
readdir_r for file systems returning file names longer than NAME_MAX
characters, addressing CVE-2013-4237 (Closes: #719558).
patches/kfreebsd/local-readdir_r.diff: remove superseded by the CVE
patch.
* patches/any/cvs-CVE-2013-4332.diff: backport integer overflow fixes
in pvalloc, valloc, posix_memalign, memalign and aligned_alloc functions,
addressing CVE-2013-4332 (Closes: #722536).
* patches/any/cvs-CVE-2013-4458.diff: backport stack (frame) overflow fixes
in getaddrinfo() when called with AF_INET6, addressing CVE-2013-4458
(Closes: #727181).
* patches/any/cvs-CVE-2013-4788.diff: backport patch to fix PTR_MANGLE
ineffectivity for statically linked binaries, addressing CVE-2013-4788
(Closes: #717178). *** Note that static binaries need to be recompiled
to take advantage of the fix ***.
* patches/any/cvs-findlocale-div-by-zero.diff: patch from upstream to fix
a SIGFPE when locale-archive has been corrupted to all zeros (Closes:
#718890, #730336).
* patches/mips/cvs-prlimit64.diff: patch from upstream to fix getrlimit64
and setrlimit64 with recent 64-bit kernels (Closes: #665897).

[ Petr Salinger ]
* patches/kfreebsd/local-initgroups-order.diff: always put supplied extra
gid as the first entry of group list in setgroups(). Closes: #699593.
* inline is not keyword in c89 mode, use __inline. Closes: #704598.
* sys_ktimer_settime have 4 parameters. Closes: #712196.

-- Aurelien Jarno <aurel32@debian.org> Thu, 05 Dec 2013 23:19:48 +0100

--- Changes for expat (libexpat1 libexpat1-dev) ---
expat (2.1.0-1+deb7u1) wheezy; urgency=low

[ Matthias Klose ]
* Don't ship the pkgconfig file in lib64expat1-dev. Closes: #706932.

[ Laszlo Boszormenyi (GCS) ]
* New maintainer (closes: #660681).

-- Andreas Beckmann <anbe@debian.org> Thu, 05 Dec 2013 12:39:53 +0100

--- Changes for libapache2-mod-rpaf ---
libapache2-mod-rpaf (0.6-7+wheezy1) stable; urgency=low

* Restore 030_ipv6.patch, removed by QA upload in 0.6-1 (Closes: #726529)

-- Sergey B Kirpichev <skirpichev@gmail.com> Mon, 20 Jan 2014 17:56:07 +0400

--- Changes for libav (libavcodec53 libavformat53 libavutil51 libswscale2) ---
libav (6:0.8.10-1) stable-security; urgency=low

* Imported Upstream version 0.8.9, new releases fixes:
- CVE-2013-0855, CVE-2013-0856, CVE-2013-0865, CVE-2013-4358,
CVE-2013-7010, CVE-2013-7014
* Too many security related upstream changes to list here, please cf. to
upstream changelog:
http://git.libav.org/?p=libav.git;a=blob;f=Changelog;hb=refs/tags/v0.8.9

-- Reinhard Tartler <siretart@tauware.de> Tue, 04 Feb 2014 20:09:57 -0500

--- Changes for libnet-server-perl ---
libnet-server-perl (2.006-1+deb7u1) wheezy; urgency=low

* Team upload.
* Add fix-use-of-uninitialized-value-in-pattern-match.patch.
Fixes use of uninitialized value in pattern match.
This in particular affects munin-nodes under wheezy. Logs are spammed
with entries: "Use of uninitialized value in pattern match (m//) at
/usr/share/perl5/Net/Server.pm line 600.". (Closes: #693320)

-- Salvatore Bonaccorso <carnil@debian.org> Thu, 28 Nov 2013 12:31:37 +0100

--- Changes for librsvg (librsvg2-2 librsvg2-common) ---
librsvg (2.36.1-2) stable; urgency=low

[ Raphaël Geissert ]
* Fix CVE-2013-1881: disable loading of external entities.
Closes: #724741.

[ Josselin Mouette ]
* Break libgtk-3-0 (<< 3.4.2-7) which uses the anti-feature that is
disabled by the security fix.

-- Josselin Mouette <joss@debian.org> Wed, 04 Dec 2013 21:08:25 +0100

--- Changes for percona-server-5.5 (libmysqlclient18 percona-server-client-5.5 percona-server-common-5.5 percona-server-server-5.5) ---
percona-server-5.5 (5.5.36-rel34.2-648.wheezy) wheezy; urgency=low

* Update distribution

-- Jenkins User <jenkins@debian> Mon, 24 Mar 2014 12:09:43 -0400

percona-server-5.5 (5.5.36-34.2-1) unstable; urgency=low

* Update to new upstream release Percona Server 5.5.36-34.2

-- Jenkins User <jenkins@debian> Mon, 24 Mar 2014 12:03:33 -0400

--- Changes for percona-xtradb-cluster-5.6 (libmysqlclient18.1 libmysqlclient-dev) ---
percona-xtradb-cluster-5.6 (5.6.15-25.5-759.wheezy) wheezy; urgency=low

* Update distribution

-- Raghavendra Prabhu <raghavendra.prabhu@percona.com> Thu, 20 Mar 2014 06:39:36 -0400

percona-xtradb-cluster-5.6 (5.6.15-rel62.0) unstable; urgency=low

* Release bump.

-- Raghavendra Prabhu <raghavendra.prabhu@percona.com> Thu, 30 Jan 2014 17:00:00 -0300

percona-xtradb-cluster-5.6 (5.6.15-rel62.0) unstable; urgency=low

* Updated to 5.6.15.

-- Raghavendra Prabhu <raghavendra.prabhu@percona.com> Wed, 14 Dec 2013 17:00:00 -0300

--- Changes for php5 (libapache2-mod-php5 php5 php5-cli php5-common php5-curl php5-dev php5-fpm php5-gd php5-intl php5-mcrypt php5-mysql php5-sqlite php5-sybase php5-tidy php5-xmlrpc php5-xsl php-pear) ---
php5 (5.4.4-14+deb7u8) wheezy-security; urgency=low

* [CVE-2014-1943]: Fix segmentation fault in libmagic (Closes: #739012)

-- Ondřej Surý <ondrej@debian.org> Mon, 17 Feb 2014 10:07:18 +0100

php5 (5.4.4-14+deb7u7) wheezy-security; urgency=low

* [CVE-2013-6420]: Fix memory corruption in openssl_x509_parse (Closes: #731895)
* [CVE-2013-6712]: Fix heap buffer over-read in DateInterval (Closes: #731112)

-- Ondřej Surý <ondrej@debian.org> Thu, 12 Dec 2013 09:28:14 +0100

php5 (5.4.4-14+deb7u6) stable; urgency=low

[ William Dauchy ]
* upstream fix: curl memory leak (Closes: #725868)
* upstream fix: allow root to run php-fpm (Closes: #725890)
* upstream fix: remove annoying warnings with php-fpm and user usage
(Closes: #725972)
* upstream fix: memoryleak in function declaration (Closes: #726033)
* upstream fix: munmap() is called with the incorrect length (Closes: #726037)
* upstream fix: segfault on zend_deactivate (Closes: #726295)
* upstream fix: Possible null dereference (Closes: #726320)
* upstream fix: Phar::buildFromDirectory creates corrupt archives
(Closes: #726379)
* upstream fix: segfault while loading extensions (Closes: #726627)
* upstream fix: (un)serialize() leaves dangling pointers, causes crashes
(Closes: #726633)

-- Ondřej Surý <ondrej@debian.org> Tue, 22 Oct 2013 08:33:07 +0200

--- Changes for python2.7 (libpython2.7 python2.7 python2.7-minimal) ---
python2.7 (2.7.3-6+deb7u2) stable-security; urgency=low

* Fix installation of modules in python2.7-minimal, thanks to
Jakub Wilk for the analysis

-- Moritz Mühlenhoff <jmm@debian.org> Wed, 12 Mar 2014 23:45:44 +0100

python2.7 (2.7.3-6+deb7u1) stable-security; urgency=low

* CVE-2014-1912, CVE-2013-4238

-- Moritz Mühlenhoff <jmm@debian.org> Wed, 05 Mar 2014 00:18:28 +0100

--- Changes for tzdata ---
tzdata (2013i-0wheezy1) stable; urgency=low

* New upstream version.
* Remove solar87, solar88 and solar89 from the list of timezones, as
they have been removed upstream.

-- Aurelien Jarno <aurel32@debian.org> Sun, 26 Jan 2014 19:33:55 +0000

tzdata (2013h-0wheezy1) stable; urgency=low

* New upstream version.

-- Aurelien Jarno <aurel32@debian.org> Sat, 07 Dec 2013 15:06:58 +0100

--- Changes for wget ---
wget (1.13.4-3+deb7u1) stable-proposed-updates; urgency=low

* backported TLS Server Name Indication (SNI) to stable
(patches/wget-tls-sni) from wget 1.14
http://git.savannah.gnu.org/cgit/wget.git/commit/?id=fd582e454378db9a1e218acf79f24fbe042bed98
closes: #653267

-- Noël Köthe <noel@debian.org> Sat, 1 Feb 2014 20:29:14 +0100

========================================================================

You can perform the upgrade by issuing the command:

apt-get dist-upgrade

as root on pluto.myfuckingdomain.org

--
apticron

Posted

To see which packages have an update available (without apticron), you can use the following commands:

With aptitude:


aptitude search '~U'

With apt-get:


apt-get -s upgrade
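The simulation output of `apt-get -s upgrade` is easy to post-process, which is handy when you want a lightweight, cron-driven check without apticron, or when you only care about packages coming from the security suite. The script below is an added example, not code from the post or from apticron: it parses the `Inst` lines that `apt-get -s` prints (`Inst name [old] (new origin [arch])`) and separates the upgrades that originate from `Debian-Security`. The sample output embedded in `SAMPLE` is constructed for the example; versions and suite names are illustrative, and the `apticron` line without an `[old]` field stands in for a new package that `dist-upgrade` may pull in.

```shell
#!/bin/sh
# Added example: list pending upgrades from `apt-get -s upgrade` output and
# flag those that come from the Debian security archive.
# SAMPLE is constructed to look like wheezy-era apt-get -s output; it is not
# real output from the server in the post.
SAMPLE='Reading package lists...
Building dependency tree...
Reading state information...
The following packages will be upgraded:
  base-files libc6 php5-cli
3 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Inst base-files [7.1wheezy3] (7.1wheezy4 Debian:7.4/stable [amd64])
Inst libc6 [2.13-38] (2.13-38+deb7u1 Debian:7.4/stable [amd64])
Inst php5-cli [5.4.4-14+deb7u7] (5.4.4-14+deb7u8 Debian-Security:7.0/stable [amd64])
Inst apticron (1.1.55 Debian:7.4/stable [amd64])
Conf base-files (7.1wheezy4 Debian:7.4/stable [amd64])
Conf libc6 (2.13-38+deb7u1 Debian:7.4/stable [amd64])'

# pending_upgrades: read apt-get -s output on stdin and print one line per
# package that would be installed: "name old new origin".
# A package with no [old] field (a new install) gets "-" as its old version.
pending_upgrades() {
    awk '$1 == "Inst" {
        name = $2
        if ($3 ~ /^\[/) {
            old = $3; sub(/^\[/, "", old); sub(/\]$/, "", old)
            new = $4; origin = $5
        } else {
            old = "-"; new = $3; origin = $4
        }
        sub(/^\(/, "", new)
        print name, old, new, origin
    }'
}

# security_upgrades: names of pending packages whose origin is Debian-Security,
# i.e. the ones you usually want applied first.
security_upgrades() {
    pending_upgrades | awk '$4 ~ /^Debian-Security:/ { print $1 }'
}

# count_pending: number of packages that would be installed or upgraded.
count_pending() {
    pending_upgrades | wc -l | tr -d ' '
}

# Demonstration on the constructed sample. On a real host replace the
# printf with:  apt-get -s upgrade | security_upgrades
printf '%s\n' "$SAMPLE" | pending_upgrades
printf 'security updates: %s\n' "$(printf '%s\n' "$SAMPLE" | security_upgrades | tr '\n' ' ')"
```

Note that `apt-get -s` does not need root and changes nothing, so it can run from an unprivileged cron entry; only the package lists must be current (run `apt-get update` first), otherwise the simulation reports against stale metadata.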
