naddy@ found that net/ocserv failed to build during his latest amd64
package bulk build. Specifically, configure appears to pick up GeoIP if
installed, but there is no dependency on net/GeoIP.
OK naddy@, sthen@

CVE-2018-6532: By sending specially crafted requests, authenticated and
unauthenticated, an attacker can exhaust a lot of memory on the server
side, triggering the OOM killer.
CVE-2018-6534: By sending specially crafted messages, an attacker can
cause a NULL pointer dereference, which can cause Icinga2 to crash.
CVE-2018-6535: Lack of a constant-time password comparison function can
disclose the password to an attacker.
Detailed write-up and simple crashers for the above at
https://hansmi.ch/articles/2018-03-icinga2-security
(CVE-2017-16933 and CVE-2018-6536 also in this release relate to the
init scripts that we don't use).

possible to remove thread locking with auto-init support but skipping
that for now.

attempt to build on hppa again; it switched compiler since it was marked
BROKEN.

Mattermost is an open source, private cloud, Slack-alternative
from https://mattermost.org.
It's written in Golang and React and runs as a single binary
with MySQL or PostgreSQL.
ok ajacoutot@

The 5.6 branch will be supported until November 2018. It is extended
partially for longer support of PicoM2 (converted to UniFi), UAP-AC,
UAP-AC v2, and UAP-AC-Outdoor (our 1st gen AC products).

o CVE-2018-1050 (Denial of Service Attack on external print server.)
o CVE-2018-1057 (Authenticated users can change other users' password.)
If you have an AD setup, you are *strongly* advised to upgrade asap
and/or apply the documented workarounds.
More details at
https://www.samba.org/samba/history/samba-4.7.6.html