[Dragora-bug] Dragora 2.2 updates #006


From: Matias A. Fonzo
Subject: [Dragora-bug] Dragora 2.2 updates #006
Date: Mon, 23 Jun 2014 22:47:34 -0300
User-agent: SquirrelMail/1.5.2 [SVN]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

  The Dragora team is happy to announce security updates #006. The
security issues involve the following packages:

  curl
  file
  gnupg1
  gnupg2
  gnutls
  gpgme
  libgpg-error
  libtasn1
  mutt
  nspr
  openssl
  pidgin

We recommend that you upgrade your packages as soon as possible.

Details
- -------

  Most packages have been updated to the latest version, which covers a
wide range of security advisories (and bug fixes) too long to list here.

  However, special emphasis has been put on building them so as not to break
compatibility with the version numbers of the packages in Dragora 2. This
includes the updates of libgpg-error and libtasn1, dependencies of the
latest gnupg. nspr has been rebuilt to solve CVE-2013-5607. openssl-1.0.0m
corrects: CVE-2014-0224, CVE-2014-0221, CVE-2014-0195, CVE-2014-0198,
CVE-2010-5298, and CVE-2014-3470. For more information, visit:

  * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5607
  * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
  * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0221
  * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0195
  * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0198
  * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5298
  * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3470

Obtain the packages from

* 32 bit *

http://gungre.ch/dragora/mirror/dragora-2.2/upgrades/packages/32b/curl-7.37.0-i486-1.tlz
http://gungre.ch/dragora/mirror/dragora-2.2/upgrades/packages/32b/file-5.19-i486-1.tlz
http://gungre.ch/dragora/mirror/dragora-2.2/upgrades/packages/32b/gnupg1-1.4.17-i486-1.tlz
http://gungre.ch/dragora/mirror/dragora-2.2/upgrades/packages/32b/gnupg2-2.0.23-i486-1.tlz
http://gungre.ch/dragora/mirror/dragora-2.2/upgrades/packages/32b/gnutls-2.12.23-i486-1.tlz
http://gungre.ch/dragora/mirror/dragora-2.2/upgrades/packages/32b/gpgme-1.3.2-i486-1.tlz
http://gungre.ch/dragora/mirror/dragora-2.2/upgrades/packages/32b/libgpg-error-1.13-i486-1.tlz
http://gungre.ch/dragora/mirror/dragora-2.2/upgrades/packages/32b/libtasn1-2.14-i486-1.tlz
http://gungre.ch/dragora/mirror/dragora-2.2/upgrades/packages/32b/mutt-1.5.23-i486-1.tlz
http://gungre.ch/dragora/mirror/dragora-2.2/upgrades/packages/32b/nspr-4.8.9-i486-2.tlz
http://gungre.ch/dragora/mirror/dragora-2.2/upgrades/packages/32b/openssl-1.0.0m-i486-1.tlz
http://gungre.ch/dragora/mirror/dragora-2.2/upgrades/packages/32b/pidgin-2.10.9-i486-1.tlz

* 64 bit *

http://gungre.ch/dragora/mirror/dragora-2.2/upgrades/packages/64b/curl-7.37.0-x86_64-1.tlz
http://gungre.ch/dragora/mirror/dragora-2.2/upgrades/packages/64b/file-5.19-x86_64-1.tlz
http://gungre.ch/dragora/mirror/dragora-2.2/upgrades/packages/64b/gnupg1-1.4.17-x86_64-1.tlz
http://gungre.ch/dragora/mirror/dragora-2.2/upgrades/packages/64b/gnupg2-2.0.23-x86_64-1.tlz
http://gungre.ch/dragora/mirror/dragora-2.2/upgrades/packages/64b/gnutls-2.12.23-x86_64-1.tlz
http://gungre.ch/dragora/mirror/dragora-2.2/upgrades/packages/64b/gpgme-1.3.2-x86_64-1.tlz
http://gungre.ch/dragora/mirror/dragora-2.2/upgrades/packages/64b/libgpg-error-1.13-x86_64-1.tlz
http://gungre.ch/dragora/mirror/dragora-2.2/upgrades/packages/64b/libtasn1-2.14-x86_64-1.tlz
http://gungre.ch/dragora/mirror/dragora-2.2/upgrades/packages/64b/mutt-1.5.23-x86_64-1.tlz
http://gungre.ch/dragora/mirror/dragora-2.2/upgrades/packages/64b/nspr-4.8.9-x86_64-2.tlz
http://gungre.ch/dragora/mirror/dragora-2.2/upgrades/packages/64b/openssl-1.0.0m-x86_64-1.tlz
http://gungre.ch/dragora/mirror/dragora-2.2/upgrades/packages/64b/pidgin-2.10.9-x86_64-1.tlz

Checksums (SHA1)
- ----------------


If you need the detached GPG signatures[1] just append .sig to the URLs
above.

Upgrading
- ---------

To upgrade a package you issue the following command:
  pkg upgrade <package.tlz>

To upgrade multiple packages, simply type:
  pkg upgrade curl-7.37.0-i486-1.tlz pidgin-2.10.9-i486-1.tlz  ...

Notes
=====

  You can get all the upgrades via RSYNC, for example, to obtain 32-bit
packages, type:

  # rsync -aviz gungre.ch::dragora/dragora-2.2/upgrades/packages/32b .

Then use the sha1sum(1) tool to verify all the checksums:

  # sha1sum -c SHA1SUMS

  `pkg upgrade' can be used to upgrade all the packages (installed or not
installed); for more information, take a look at:

  http://dragora.org/wiki/doku.php/guides/d2/pkgmanager

Footnotes:

[1] Use a .sig file to verify that the corresponding file (without the
.sig suffix) is intact. First, be sure to download both the .sig file
and the corresponding tarball. Then, run a command like this:

  gpg --verify pidgin-2.10.9-i486-1.tlz.sig

If that command fails because you don't have the required public key,
then run these commands to import it:

  wget http://gungre.ch/dragora/mirror/dragora-2.2/KEY
  gpg --import KEY

and re-run the `gpg --verify' sequence.


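The checksum and signature steps above can be combined into one fail-closed check run before `pkg upgrade`. The script below is an added example, not part of the announcement or of Dragora's tooling; the function names and the `REQUIRE_SIG` switch are assumptions. It also covers a gap in `sha1sum -c SHA1SUMS`, which only checks files named in the list and says nothing about a package in the directory that has no entry.

```shell
#!/bin/sh
# Added example (not Dragora tooling). Function names and REQUIRE_SIG are
# assumptions; SHA1SUMS and the .sig suffix follow the announcement.
# Package file names are assumed to contain no whitespace.

# check_sha1 DIR PKG: succeed only if PKG has exactly one SHA1SUMS entry and
# the digest of DIR/PKG matches it. A missing or duplicated entry is a failure.
check_sha1() {
    want=$(awk -v f="$2" '$2 == f || $2 == ("*" f) { print $1; n++ }
                          END { if (n != 1) exit 1 }' "$1/SHA1SUMS") || return 1
    have=$(sha1sum "$1/$2" 2>/dev/null | awk '{ print $1 }')
    [ -n "$have" ] && [ "$want" = "$have" ]
}

# check_sig DIR PKG: verify the detached signature PKG.sig against PKG.
# Both files are named so gpg checks exactly this package; a missing .sig or
# a missing public key counts as a failure.
check_sig() {
    [ -f "$1/$2.sig" ] || return 1
    gpg --batch --verify "$1/$2.sig" "$1/$2" 2>/dev/null
}

# verified_packages DIR: print every .tlz that passed all checks, one per
# line, and return non-zero if any package was rejected.
# REQUIRE_SIG=0 limits the check to digests (corruption only, no authenticity).
verified_packages() {
    rc=0
    for path in "$1"/*.tlz; do
        [ -e "$path" ] || continue
        pkg=${path##*/}
        if check_sha1 "$1" "$pkg" &&
           { [ "${REQUIRE_SIG:-1}" = 0 ] || check_sig "$1" "$pkg"; }; then
            printf '%s\n' "$pkg"
        else
            printf 'REJECTED: %s\n' "$pkg" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage, after sourcing this file inside the download directory:
#   pkgs=$(verified_packages .) && pkg upgrade $pkgs
```

The digest list and the key are only as trustworthy as the channel they came from; the signature check is what ties a package to the signing key.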




