[Dragora-bug] Dragora 2.2 updates #007


From: Matias A. Fonzo
Subject: [Dragora-bug] Dragora 2.2 updates #007
Date: Fri, 27 Jun 2014 16:04:35 -0300
User-agent: SquirrelMail/1.5.2 [SVN]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

  The Dragora team is happy to announce security updates #007.
The updates involve the following packages:

  freetype
  gnupg2
  libpng
  openssh
  python
  ruby

We recommend that you upgrade your packages as soon as possible.

Details
- -------

  The release of GnuPG 2.0.24 includes a fix for a possible DoS
(Denial of Service): garbled compressed data packets could be used
to put gpg into an infinite loop.

  The update to Python 2.6.9 includes fixes for several security
issues, including CVE-2013-1752 (long lines consuming too much memory)
and CVE-2013-4238 (SSL module handling of NULL bytes inside
subjectAltName).
  Python 2.6.9 also covers vulnerabilities found in Python 2.6.8.
For more information, see http://www.python.org/download/releases/2.6.9
and http://www.python.org/download/releases/2.6.8

  Ruby 1.9.3 patch level 547 contains a related fix for CVE-2013-4238
along with a lot of bug fixes.

  OpenSSH 6.6p1 is a major version which fixes several security
issues and brings bug fixes and improvements since our previous
version, OpenSSH 5.9p1.

  Freetype2 and Libpng are just bug-fix releases.

References:

  * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1752
  * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4238

Obtain the packages from

* 32 bit *

http://gungre.ch/dragora/mirror/dragora-2.2/upgrades/packages/32b/freetype-2.4.12-i486-1.tlz
http://gungre.ch/dragora/mirror/dragora-2.2/upgrades/packages/32b/gnupg2-2.0.24-i486-1.tlz
http://gungre.ch/dragora/mirror/dragora-2.2/upgrades/packages/32b/libpng-1.4.13-i486-1.tlz
http://gungre.ch/dragora/mirror/dragora-2.2/upgrades/packages/32b/openssh-6.6p1-i486-1.tlz
http://gungre.ch/dragora/mirror/dragora-2.2/upgrades/packages/32b/python-2.6.9-i486-1.tlz
http://gungre.ch/dragora/mirror/dragora-2.2/upgrades/packages/32b/ruby-1.9.3_p547-i486-1.tlz

* 64 bit *

http://gungre.ch/dragora/mirror/dragora-2.2/upgrades/packages/64b/freetype-2.4.12-x86_64-1.tlz
http://gungre.ch/dragora/mirror/dragora-2.2/upgrades/packages/64b/gnupg2-2.0.24-x86_64-1.tlz
http://gungre.ch/dragora/mirror/dragora-2.2/upgrades/packages/64b/libpng-1.4.13-x86_64-1.tlz
http://gungre.ch/dragora/mirror/dragora-2.2/upgrades/packages/64b/openssh-6.6p1-x86_64-1.tlz
http://gungre.ch/dragora/mirror/dragora-2.2/upgrades/packages/64b/python-2.6.9-x86_64-1.tlz
http://gungre.ch/dragora/mirror/dragora-2.2/upgrades/packages/64b/ruby-1.9.3_p547-x86_64-1.tlz

Checksums (SHA1)
- ----------------

3d7afb0bc73fb6962271f000db414789433a9f06  freetype-2.4.12-i486-1.tlz
2e9f6840d50391e461720801c145f28ba0de698d  gnupg2-2.0.24-i486-1.tlz
f8f7a3cb0162ab9fc82d763029e5536ad20efca6  libpng-1.4.13-i486-1.tlz
0ce2bda1af072a6e5af2d3f6de375ce158aff9d0  openssh-6.6p1-i486-1.tlz
7cda33abaa2c5c180d68e6591a391534691003ed  python-2.6.9-i486-1.tlz
158ea2c4309af4dd1f10e008ffcdf30559c5632f  ruby-1.9.3_p547-i486-1.tlz

c62bef38b0aa328854e83105514d33b06a6958bf  freetype-2.4.12-x86_64-1.tlz
e79a85c389be111a02abaeb06ac53fa3608c351e  gnupg2-2.0.24-x86_64-1.tlz
8675724bbd78dfa5e5de7942d74c6c179825842d  libpng-1.4.13-x86_64-1.tlz
3321d26e59fcb7164c1a6e43d959039374306acf  openssh-6.6p1-x86_64-1.tlz
3ecf1f396906492c2b3d1e3c300fdd40512681dc  python-2.6.9-x86_64-1.tlz
58de12e1498bcff375abc5f323f51da0f1125706  ruby-1.9.3_p547-x86_64-1.tlz

If you need the detached GPG signatures[1] just append .sig to the URLs
above.

Upgrading
- ---------

To upgrade a package, issue the following command:
  pkg upgrade <package.tlz>

To upgrade multiple packages, simply type:
  pkg upgrade freetype-2.4.12-i486-1.tlz gnupg2-2.0.24-i486-1.tlz ...

Notes
=====

  You can get all the upgrades via RSYNC, for example, to obtain 32-bit
packages, type:

  # rsync -avPiz gungre.ch::dragora/dragora-2.2/upgrades/packages/32b .

Then use the sha1sum(1) tool to verify all the checksums:

  # sha1sum -c SHA1SUMS

  `pkg upgrade' can be used to upgrade all the packages (installed or not
installed); for more information, take a look at:

  http://dragora.org/wiki/doku.php/guides/d2/pkgmanager

Footnotes:

[1] Use a .sig file to verify that the corresponding file (without the
.sig suffix) is intact. First, be sure to download both the .sig file
and the corresponding tarball. Then, run a command like this:

  gpg --verify gnupg2-2.0.24-i486-1.tlz.sig

If that command fails because you don't have the required public key,
then run these commands to import it:

  wget http://gungre.ch/dragora/mirror/dragora-2.2/KEY
  gpg --import KEY

and re-run the `gpg --verify' sequence.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----
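
The checksum and detached-signature checks described in the announcement, combined into one fail-closed gate to run before `pkg upgrade`. This is an added example, not part of the original message or of Dragora's tooling; the function names and the `GPG` override variable are assumptions, and the checksum list is assumed to be in `sha1sum` output format.

```shell
#!/bin/sh
# Added example: verify SHA1 and detached .sig before upgrading.
# GPG can be overridden (assumption) so the gate can be exercised
# on a machine without the Dragora public key imported.
GPG=${GPG:-gpg}

# expected_sha1 SUMS_FILE NAME
# Print the hash listed for exactly NAME; fail if NAME is not listed.
expected_sha1() {
    awk -v n="$2" '$2 == n { print $1; found = 1; exit }
                   END { exit !found }' "$1"
}

# verify_pkg SUMS_FILE PACKAGE
# Return 0 only if the checksum matches AND the signature verifies.
# Distinct non-zero codes identify which check failed.
verify_pkg() {
    sums=$1 pkg=$2 name=$(basename "$2")
    [ -f "$pkg" ] || { echo "$name: file missing" >&2; return 2; }
    want=$(expected_sha1 "$sums" "$name") ||
        { echo "$name: not in checksum list" >&2; return 3; }
    have=$(sha1sum "$pkg" | awk '{ print $1 }')
    [ "$want" = "$have" ] ||
        { echo "$name: SHA1 mismatch" >&2; return 4; }
    # The checksum only detects corruption; authenticity comes from
    # the detached signature, so a missing .sig is a failure.
    [ -f "$pkg.sig" ] ||
        { echo "$name: no detached signature" >&2; return 5; }
    "$GPG" --verify "$pkg.sig" "$pkg" >/dev/null 2>&1 ||
        { echo "$name: signature did not verify" >&2; return 6; }
}

# verify_all SUMS_FILE PACKAGE...
# Check every package; return non-zero if any single one fails.
verify_all() {
    sums=$1; shift
    rc=0
    for p in "$@"; do
        verify_pkg "$sums" "$p" || rc=1
    done
    return $rc
}

# Usage: verify_all SHA1SUMS ./*.tlz && pkg upgrade ./*.tlz
```

The signature check is only as trustworthy as the imported KEY, so compare its fingerprint against a copy obtained over a different channel than the mirror.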




