CVE-2018-6532: By sending specially crafted requests, authenticated and
unauthenticated, an attacker can exhaust a lot of memory on the server
side, triggering the OOM killer.
CVE-2018-6534: By sending specially crafted messages, an attacker can
cause a NULL pointer dereference, which can cause Icinga2 to crash.
CVE-2018-6535: Lack of a constant-time password comparison function can
disclose the password to an attacker.
Detailed write-up and simple crashers for the above at
https://hansmi.ch/articles/2018-03-icinga2-security
(CVE-2017-16933 and CVE-2018-6536 also in this release relate to the
init scripts that we don't use).
calendar was changed to '%B %-d, %Y'.
The %-* format string is a GNU libc extension which we don't support,
resulting in dates being displayed like 'March -d, 2018' instead of
showing the day of the month as a decimal number.
Switch to using the %d format string instead.
OK naddy@, jca@
starting GDM, otherwise you loose your ability to input anything...
So add a timer in the GDM init file (instead of the rc.d script where it
was really ugly).
reported by and ok sthen@
"In SQLite through 3.22.0, databases whose schema is corrupted using a
CREATE TABLE AS statement could cause a NULL pointer dereference"
Cf https://bugs.launchpad.net/ubuntu/+source/sqlite3/+bug/1756349
Discussed with sthen@, no objection from naddy@
Create a custom target for KMYMONEYSETTINGS_H and create dependencies for all
targets which include/use generated kmymoneysettings.h
Tested by and ok sthen@ Thanks!
handling From:
- fix berkeley db utilities and kamctl "shift: nothing to shift",
reported by feinerer@, from maintainer Roman Kravchuk
- fix runtime TLS failure, undefined symbol OPENSSL_zalloc,
from maintainer
- remove some dead patches follow switch to clang, from me
(there was an earlier update to 5.1.x from maintainer earlier this
month which I missed pushing earlier and it's too close to release now;
this is planned for post-6.3)
- add missing CMAKE_CURRENT_{SOURCE,BINARY}_DIR to find kmymoneysettings.h
- rm -DCMAKE_POLICY_DEFAULT_CMP0071=NEW (Revert previous commit) and also
revert reorder patch
spotted by naddy@ (Hopefully for the last time)
"memory handling issues when reading crafted repository index files.
The issues allow for possible denial of service due to allocation of large
memory and out-of-bound reads. As the index is never transferred via the
network, exploitation requires an attacker to have access to the local repository."
- apply a patch from Thomas Frohwein:
Use SIGUSR1 as the abort signal in mono instead of SIGTTIN,
because SIGTTIN gets delivered to all processes/threads and
that is not what we want here.
The port is still broken though, so leaving it as BROKEN.
possible to remove thread locking with auto-init support but skipping
that for now.
attempt to build on hppa again; it switched compiler since it was marked
BROKEN.
