Sisyphus repository
Last update: 21 july 2018 | SRPMs: 18626 | Visits: 11914755
en ru br
Security fixes

curl-7.61.0-alt1.S1   build Anton Farygin, 2018-07-17


- 7.61.0
- fixes:
* CVE-2018-0500 SMTP send heap buffer overflow

glusterfs3-3.12.12-alt1   build Vitaly Lipatov, 2018-07-12


- new version 3.12.12 (with rpmrb script)
- CVE-2018-10841

kernel-image-std-pae-4.4.140-alt1   build Kernel Bot, 2018-07-11


- v4.4.140 (Fixes: CVE-2018-10876, CVE-2018-10877, CVE-2018-10881, CVE-2018-10882,
CVE-2018-10883)

kernel-image-std-def-4.14.55-alt1   build Kernel Bot, 2018-07-11


- v4.14.55 (Fixes: CVE-2018-10876, CVE-2018-10877, CVE-2018-10879, CVE-2018-10880,
CVE-2018-10881, CVE-2018-10882, CVE-2018-10883)

kernel-image-un-def-4.17.6-alt1   build Kernel Bot, 2018-07-11


- v4.17.6 (Fixes: CVE-2018-10876, CVE-2018-10877, CVE-2018-10879, CVE-2018-10880,
CVE-2018-10881, CVE-2018-10882, CVE-2018-10883)

polkit-0.115-alt1   build Yuri N. Sedunov, 2018-07-10


- 0.115 (fixed CVE-2018-1116)

libgit2-0.26.5-alt1   build Yuri N. Sedunov, 2018-07-10


- 0.26.5 (fixed CVE-2018-11235, CVE-2018-10887, CVE-2018-10888)

thunderbird-52.9.0-alt1   build Andrey Cherepanov, 2018-07-04


- New version (52.9.0).
- Enigmail 2.0.7.
- Fixes:
+ CVE-2018-12359 Buffer overflow using computed size of canvas element
+ CVE-2018-12360 Use-after-free when using focus()
+ CVE-2018-12372 S/MIME and PGP decryption oracles can be built with HTML emails
+ CVE-2018-12373 S/MIME plaintext can be leaked through HTML reply/forward
+ CVE-2018-12362 Integer overflow in SSSE3 scaler
+ CVE-2018-12363 Use-after-free when appending DOM nodes
+ CVE-2018-12364 CSRF attacks through 307 redirects and NPAPI plugins
+ CVE-2018-12365 Compromised IPC child process can list local filenames
+ CVE-2018-12366 Invalid data handling during QCMS transformations
+ CVE-2018-12368 No warning when opening executable SettingContent-ms files
+ CVE-2018-12374 Using form to exfiltrate encrypted mail part by pressing enter in form field
+ CVE-2018-5188 Memory safety bugs fixed in Firefox 60, Firefox ESR 60.1, Firefox ESR 52.9, and Thunderbird 52.9

firefox-61.0-alt1   build Alexey Gladkov, 2018-07-02


- New release (61.0).
- Fixed:
+ CVE-2018-12359: Buffer overflow using computed size of canvas element
+ CVE-2018-12360: Use-after-free when using focus()
+ CVE-2018-12361: Integer overflow in SwizzleData
+ CVE-2018-12358: Same-origin bypass using service worker and redirection
+ CVE-2018-12362: Integer overflow in SSSE3 scaler
+ CVE-2018-5156: Media recorder segmentation fault when track type is changed during capture
+ CVE-2018-12363: Use-after-free when appending DOM nodes
+ CVE-2018-12364: CSRF attacks through 307 redirects and NPAPI plugins
+ CVE-2018-12365: Compromised IPC child process can list local filenames
+ CVE-2018-12371: Integer overflow in Skia library during edge builder allocation
+ CVE-2018-12366: Invalid data handling during QCMS transformations
+ CVE-2018-12367: Timing attack mitigation of PerformanceNavigationTiming
+ CVE-2018-12368: No warning when opening executable SettingContent-ms files
+ CVE-2018-12369: WebExtension security permission checks bypassed by embedded experiments
+ CVE-2018-12370: SameSite cookie protections bypassed when exiting Reader View
+ CVE-2018-5186: Memory safety bugs fixed in Firefox 61
+ CVE-2018-5187: Memory safety bugs fixed in Firefox 60 and Firefox ESR 60.1
+ CVE-2018-5188: Memory safety bugs fixed in Firefox 60, Firefox ESR 60.1, and Firefox ESR 52.9

node-8.11.3-alt1   build Vitaly Lipatov, 2018-06-30


- new version (8.11.3) with rpmgs script
- 2018-06-12, Version 8.11.3 'Carbon' (LTS), @evanlucas
- CVE-2018-7167, CVE-2018-7161, CVE-2018-1000168

firefox-esr-60.1.0-alt1   build Andrey Cherepanov, 2018-06-26


- New ESR version (60.1.0).
- Fixed:
+ CVE-2018-12359 Buffer overflow using computed size of canvas element
+ CVE-2018-12360 Use-after-free when using focus()
+ CVE-2018-12361 Integer overflow in SwizzleData
+ CVE-2018-12362 Integer overflow in SSSE3 scaler
+ CVE-2018-5156 Media recorder segmentation fault when track type is changed during capture
+ CVE-2018-12363 Use-after-free when appending DOM nodes
+ CVE-2018-12364 CSRF attacks through 307 redirects and NPAPI plugins
+ CVE-2018-12365 Compromised IPC child process can list local filenames
+ CVE-2018-12371 Integer overflow in Skia library during edge builder allocation
+ CVE-2018-12366 Invalid data handling during QCMS transformations
+ CVE-2018-12367 Timing attack mitigation of PerformanceNavigationTiming
+ CVE-2018-12368 No warning when opening executable SettingContent-ms files
+ CVE-2018-12369 WebExtension security permission checks bypassed by embedded experiments
+ CVE-2018-5187 Memory safety bugs fixed in Firefox 60 and Firefox ESR 60.1
+ CVE-2018-5188 Memory safety bugs fixed in Firefox 60, Firefox ESR 60.1, and Firefox ESR 52.9

kernel-image-un-def-4.16.18-alt1   build Kernel Bot, 2018-06-26


- v4.16.18 (Fixes: CVE-2018-10840, CVE-2018-1118, CVE-2018-11412)

kernel-image-std-pae-4.4.138-alt1   build Kernel Bot, 2018-06-19


- v4.4.138 (Fixes: CVE-2018-10853)

chromium-67.0.3396.87-alt1   build Alexey Gladkov, 2018-06-17


- New version (67.0.3396.87).
- Use ninja-build.
- Security fixes:
- CVE-2018-6149: Out of bounds write in V8.
- CVE-2018-6148: Incorrect handling of CSP header.
- CVE-2018-6123: Use after free in Blink.
- CVE-2018-6124: Type confusion in Blink.
- CVE-2018-6125: Overly permissive policy in WebUSB.
- CVE-2018-6126: Heap buffer overflow in Skia.
- CVE-2018-6127: Use after free in indexedDB.
- CVE-2018-6128: uXSS in Chrome on iOS.
- CVE-2018-6129: Out of bounds memory access in WebRTC.
- CVE-2018-6130: Out of bounds memory access in WebRTC.
- CVE-2018-6131: Incorrect mutability protection in WebAssembly.
- CVE-2018-6132: Use of uninitialized memory in WebRTC.
- CVE-2018-6133: URL spoof in Omnibox.
- CVE-2018-6134: Referrer Policy bypass in Blink.
- CVE-2018-6135: UI spoofing in Blink.
- CVE-2018-6136: Out of bounds memory access in V8.
- CVE-2018-6137: Leak of visited status of page in Blink.
- CVE-2018-6138: Overly permissive policy in Extensions.
- CVE-2018-6139: Restrictions bypass in the debugger extension API.
- CVE-2018-6140: Restrictions bypass in the debugger extension API.
- CVE-2018-6141: Heap buffer overflow in Skia.
- CVE-2018-6142: Out of bounds memory access in V8.
- CVE-2018-6143: Out of bounds memory access in V8.
- CVE-2018-6144: Out of bounds memory access in PDFium.
- CVE-2018-6145: Incorrect escaping of MathML in Blink.
- CVE-2018-6147: Password fields not taking advantage of OS protections in Views.

libgcrypt-1.7.10-alt1.S1   build Sergey V Turchin, 2018-06-14


- new version
- security fixes: CVE-2018-0495

firefox-esr-60.0.2-alt1   build Andrey Cherepanov, 2018-06-11


- New ESR version (60.0.2).
- Fixed:
+ CVE-2018-6126 Heap buffer overflow rasterizing paths in SVG with Skia

libwebkitgtk4-2.20.3-alt1   build Yuri N. Sedunov, 2018-06-11


- 2.20.3 (fixed CVE-2018-4190, CVE-2018-4199, CVE-2018-4218,
CVE-2018-4222, CVE-2018-4232, CVE-2018-4233, CVE-2018-4246,
CVE-2018-11646)

gnupg-1.4.22-alt2   build Dmitry V. Levin, 2018-06-08


- Backported upstream fixes
(GnuPG-bug-id: 2923, 3329, 3898, 4012; fixes CVE-2018-12020).

gnupg2-2.2.8-alt1.S1   build Sergey V Turchin, 2018-06-08


- new version
- security fix: CVE-2018-12020

epiphany-3.28.3.1-alt1   build Yuri N. Sedunov, 2018-06-08


- 3.28.3.1 (fixed CVE-2018-11396, CVE-2018-12016)

firefox-60.0.2-alt1   build Alexey Gladkov, 2018-06-07


- New release (60.0.2).
- Fixed:
+ CVE-2018-6126: Heap buffer overflow rasterizing paths in SVG with Skia

firefox-esr-60.0.1-alt1   build Andrey Cherepanov, 2018-06-05


- New ESR version (60.0.1).
- Fixed:
+ CVE-2018-5154: Use-after-free with SVG animations and clip paths
+ CVE-2018-5155: Use-after-free with SVG animations and text paths
+ CVE-2018-5157: Same-origin bypass of PDF Viewer to view protected PDF files
+ CVE-2018-5158: Malicious PDF can inject JavaScript into PDF Viewer
+ CVE-2018-5159: Integer overflow and out-of-bounds write in Skia
+ CVE-2018-5160: Uninitialized memory use by WebRTC encoder
+ CVE-2018-5152: WebExtensions information leak through webRequest API
+ CVE-2018-5153: Out-of-bounds read in mixed content websocket messages
+ CVE-2018-5163: Replacing cached data in JavaScript Start-up Bytecode Cache
+ CVE-2018-5164: CSP not applied to all multipart content sent with multipart/x-mixed-replace
+ CVE-2018-5166: WebExtension host permission bypass through filterReponseData
+ CVE-2018-5167: Improper linkification of chrome: and javascript: content in web console and JavaScript debugger
+ CVE-2018-5168: Lightweight themes can be installed without user interaction
+ CVE-2018-5169: Dragging and dropping link text onto home button can set home page to include chrome pages
+ CVE-2018-5172: Pasted script from clipboard can run in the Live Bookmarks page or PDF viewer
+ CVE-2018-5173: File name spoofing of Downloads panel with Unicode characters
+ CVE-2018-5174: Windows Defender SmartScreen UI runs with less secure behavior for downloaded files in Windows 10 April 2018 Update
+ CVE-2018-5175: Universal CSP bypass on sites using strict-dynamic in their policies
+ CVE-2018-5176: JSON Viewer script injection
+ CVE-2018-5177: Buffer overflow in XSLT during number formatting
+ CVE-2018-5165: Checkbox for enabling Flash protected mode is inverted in 32-bit Firefox
+ CVE-2018-5180: heap-use-after-free in mozilla::WebGLContext::DrawElementsInstanced
+ CVE-2018-5181: Local file can be displayed in noopener tab through drag and drop of hyperlink
+ CVE-2018-5182: Local file can be displayed from hyperlink dragged and dropped on addressbar
+ CVE-2018-5151: Memory safety bugs fixed in Firefox 60
+ CVE-2018-5150: Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8

python-2.7.14-alt4   build Aleksei Nikiforov, 2018-05-31


- Fixed heap-use-after-free bug (Fixes: CVE-2018-1000030).

jq-1.5-alt3.S1   build Anton Farygin, 2018-05-31


- security update (fixes: CVE-2016-4074)

kernel-image-std-pae-4.4.134-alt1   build Kernel Bot, 2018-05-30


- v4.4.134 (Fixes: CVE-2018-6412)
 
design & coding: Vladimir Lettiev aka crux © 2004-2005, Andrew Avramenko aka liks © 2007-2008
current maintainer: Michael Shigorin