UbuntuUpdates.org

Latest Changelogs for all releases


Note: Only updates for "head" packages where the changelog is available are shown on this page.

pam 10-01 02:06 UTC
Release: xenial Repo: main Level: proposed New version: 1.1.8-3.2ubuntu2.3
Packages in group:  libpam0g libpam0g-dev libpam-cracklib libpam-doc libpam-modules libpam-modules-bin libpam-runtime

  pam (1.1.8-3.2ubuntu2.3) xenial; urgency=medium

  * Move patch fixing LP: #1666203 from debian/patches to
    debian/patches-applied so it actually gets applied.
  * debian/libpam-modules.postinst: Add /snap/bin to $PATH in
    /etc/environment. (LP: #1659719)

1666203 pam_tty_audit failed in pam_open_session

firefox 10-01 01:07 UTC
This package belongs to a PPA: Ubuntu Mozilla Security
Release: xenial Repo: main Level: base New version: 81.0.1+build1-0ubuntu0.16.04.1
Packages in group:  firefox-dbg firefox-dev firefox-geckodriver firefox-globalmenu firefox-locale-af firefox-locale-an firefox-locale-ar firefox-locale-as firefox-locale-ast firefox-locale-az firefox-locale-be (... see all)

 firefox (81.0.1+build1-0ubuntu0.16.04.1) xenial; urgency=medium

   * New upstream stable release (81.0.1+build1)


firefox 10-01 00:08 UTC
This package belongs to a PPA: Ubuntu Mozilla Security
Release: bionic Repo: main Level: base New version: 81.0.1+build1-0ubuntu0.18.04.1
Packages in group:  firefox-dbg firefox-dev firefox-geckodriver firefox-globalmenu firefox-locale-af firefox-locale-an firefox-locale-ar firefox-locale-as firefox-locale-ast firefox-locale-az firefox-locale-be (... see all)

 firefox (81.0.1+build1-0ubuntu0.18.04.1) bionic; urgency=medium

   * New upstream stable release (81.0.1+build1)


firefox 09-30 23:08 UTC
This package belongs to a PPA: Ubuntu Mozilla Security
Release: focal Repo: main Level: base New version: 81.0.1+build1-0ubuntu0.20.04.1
Packages in group:  firefox-dbg firefox-dev firefox-geckodriver firefox-locale-af firefox-locale-an firefox-locale-ar firefox-locale-as firefox-locale-ast firefox-locale-az firefox-locale-be firefox-locale-bg (... see all)

 firefox (81.0.1+build1-0ubuntu0.20.04.1) focal; urgency=medium

   * New upstream stable release (81.0.1+build1)


cvise 09-30 22:06 UTC
Release: focal Repo: universe Level: proposed New version: 1.6.0-3~20.04
Packages in group: 

  cvise (1.6.0-3~20.04) focal-proposed; urgency=medium

  * SRU: LP: #1895971. Backport cvise to the LTS releases.

 -- Matthias Klose <email address hidden> Tue, 29 Sep 2020 16:55:47 +0200

1895971 SRU: backport cvise to 18.04 LTS and 20.04 LTS

ruby-kramdown 09-30 22:06 UTC
Release: focal Repo: universe Level: updates New version: 1.17.0-4ubuntu0.1
Packages in group:  kramdown

  ruby-kramdown (1.17.0-4ubuntu0.1) focal-security; urgency=medium

  * SECURITY UPDATE: Unintended read access
    - debian/patches/CVE-2020-14001.patch: Add option
      forbidden_inline_options. By default, the template option is now
      forbidden.
    - CVE-2020-14001

 -- Mike Salvatore <email address hidden> Wed, 30 Sep 2020 15:11:49 -0400

CVE-2020-14001 The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access (such

ruby-kramdown 09-30 22:06 UTC
Release: focal Repo: universe Level: security New version: 1.17.0-4ubuntu0.1
Packages in group:  kramdown

  ruby-kramdown (1.17.0-4ubuntu0.1) focal-security; urgency=medium

  * SECURITY UPDATE: Unintended read access
    - debian/patches/CVE-2020-14001.patch: Add option
      forbidden_inline_options. By default, the template option is now
      forbidden.
    - CVE-2020-14001

 -- Mike Salvatore <email address hidden> Wed, 30 Sep 2020 15:11:49 -0400

CVE-2020-14001 The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access (such

torbrowser-launcher 09-30 20:06 UTC
Release: focal Repo: universe Level: proposed New version: 0.3.2-9ubuntu1
Packages in group: 

  torbrowser-launcher (0.3.2-9ubuntu1) focal; urgency=medium

  * This is a bug-fix only upload to address several significant bugs
    found in the Tor Browser launcher package.
  * Patches backported from Debian Unstable release and Debian Salsa git
    repository for the package into the Focal package to fix issues.
    The following patches were added in d/patches and added to the quilt
    series file in the stated order:
    - 0023-Update-Tor-Browser-Developers-public-key-481.patch: Fixes issue
      with signature verification of tor browser tarball, due to changed
      upstream developers key. (LP: #1856895)
    - 0030-Use-gpg-instead-of-gpg2.patch: Use /usr/bin/gpg instead of the
      /usr/bin/gpg2 symlink due to gnupg2 transitional package not being
      part of default installations. (LP: #1897306)
    - 0031-Use-better-version-string-comparison.patch: Properly handle the
      version string comparison between Tor Browser versions, so that the
      launcher supports version 10+ and can properly validate.
      (LP: #1896752)
    - 0032-apparmor-allow-Browser-to-memory-map-libstdc.patch: Allow
      apparmor profile to access and memory map libstdc, due to AppArmor
      default DENY on access causing issues. (LP: #1897302)

 -- Thomas Ward <email address hidden> Sun, 27 Sep 2020 14:34:53 -0400

1856895 [SRU] Tor does not download and install; repeated signature verification failed
1897306 [SRU] torbrowser-launcher has missing gnupg dependency
1896752 [SRU] Version checking error in torbrowser-launcher since Tor Browser 10.0 was released
1897302 [SRU] Apparmor profile prevents Tor Browser from loading libstdc++.so.6 since Tor Browser 10.0 was released

ruby-rack 09-30 20:06 UTC
Release: bionic Repo: universe Level: updates New version: 1.6.4-4ubuntu0.2
Packages in group: 

  ruby-rack (1.6.4-4ubuntu0.2) bionic-security; urgency=medium

  * Merge patches from Debian.
  * SECURITY UPDATE: Directory traversal vulnerability.
    - debian/patches/CVE-2020-8161.patch: Use Dir.entries instead of
      Dir[glob] to prevent user-specified glob metacharacters.
    - CVE-2020-8161
  * SECURITY UPDATE: Cookie forgery.
    - debian/patches/CVE-2020-8184.patch: When parsing cookies, only
      decode the values.
    - CVE-2020-8184

 -- Eduardo Barretto <email address hidden> Wed, 30 Sep 2020 12:08:48 -0300

CVE-2020-8161 A directory traversal vulnerability exists in rack < 2.2.0 that allows an attacker perform directory traversal vulnerability in the Rack::Directory a
CVE-2020-8184 A reliance on cookies without validation/integrity check security vulnerability exists in rack < 2.2.3, rack < 2.1.4 that makes it is possible for an

ruby-rack 09-30 20:06 UTC
Release: bionic Repo: universe Level: security New version: 1.6.4-4ubuntu0.2
Packages in group: 

  ruby-rack (1.6.4-4ubuntu0.2) bionic-security; urgency=medium

  * Merge patches from Debian.
  * SECURITY UPDATE: Directory traversal vulnerability.
    - debian/patches/CVE-2020-8161.patch: Use Dir.entries instead of
      Dir[glob] to prevent user-specified glob metacharacters.
    - CVE-2020-8161
  * SECURITY UPDATE: Cookie forgery.
    - debian/patches/CVE-2020-8184.patch: When parsing cookies, only
      decode the values.
    - CVE-2020-8184

 -- Eduardo Barretto <email address hidden> Wed, 30 Sep 2020 12:08:48 -0300

CVE-2020-8161 A directory traversal vulnerability exists in rack < 2.2.0 that allows an attacker perform directory traversal vulnerability in the Rack::Directory a
CVE-2020-8184 A reliance on cookies without validation/integrity check security vulnerability exists in rack < 2.2.3, rack < 2.1.4 that makes it is possible for an

ruby-gon 09-30 18:06 UTC
Release: bionic Repo: universe Level: updates New version: 6.1.0-1+deb9u1build0.18.04.1
Packages in group: 

  ruby-gon (6.1.0-1+deb9u1build0.18.04.1) bionic-security; urgency=medium

  * fake sync from Debian


ruby-gon 09-30 17:06 UTC
Release: bionic Repo: universe Level: security New version: 6.1.0-1+deb9u1build0.18.04.1
Packages in group: 

  ruby-gon (6.1.0-1+deb9u1build0.18.04.1) bionic-security; urgency=medium

  * fake sync from Debian


ldb 09-30 15:07 UTC
Release: focal Repo: universe Level: updates New version: 2:2.0.10-0ubuntu0.20.04.2
Packages in group:  ldb-tools

  ldb (2:2.0.10-0ubuntu0.20.04.2) focal-security; urgency=medium

  * No change rebuild to pick up riscv64 build.

 -- Marc Deslauriers <email address hidden> Fri, 18 Sep 2020 14:30:35 -0400


samba 09-30 15:07 UTC
Release: focal Repo: universe Level: updates New version: 2:4.11.6+dfsg-0ubuntu1.5
Packages in group:  ctdb registry-tools samba-testsuite

  samba (2:4.11.6+dfsg-0ubuntu1.5) focal-security; urgency=medium

  * SECURITY UPDATE: Unauthenticated domain controller compromise by
    subverting Netlogon cryptography (ZeroLogon)
    - debian/patches/zerologon-*.patch: backport upstream patches:
      + For compatibility reasons, allow specifying an insecure netlogon
        configuration per machine. See the following link for examples:
        https://www.samba.org/samba/security/CVE-2020-1472.html
      + Add additional server checks for the protocol attack in the
        client-specified challenge to provide some protection when
        'server schannel = no/auto' and avoid the false-positive results
        when running the proof-of-concept exploit.
    - CVE-2020-1472

 -- Marc Deslauriers <email address hidden> Fri, 18 Sep 2020 12:33:05 -0400

CVE-2020-1472 An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, u

ldb 09-30 15:07 UTC
Release: focal Repo: universe Level: security New version: 2:2.0.10-0ubuntu0.20.04.2
Packages in group:  ldb-tools

  ldb (2:2.0.10-0ubuntu0.20.04.2) focal-security; urgency=medium

  * No change rebuild to pick up riscv64 build.

 -- Marc Deslauriers <email address hidden> Fri, 18 Sep 2020 14:30:35 -0400



