Security: Two issues in zeroinstall-injector
Name: Two issues in zeroinstall-injector
ID: FEDORA-2013-12414
Distribution: Fedora
Platforms: Fedora 19
Date: Mon, 15 July 2013, 08:52
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2098
Applications: zeroinstall-injector


Name : zeroinstall-injector
Product : Fedora 19
Version : 2.3
Release : 1.fc19
URL : http://0install.net
Summary : The Zero Install Injector (0launch)
Description :
The Zero Install Injector makes it easy for users to install software
without needing root privileges. It takes the URL of a program and
runs it (downloading it first if necessary). Any dependencies of the
program are fetched in the same way. The user controls which version
of the program and its dependencies to use.

Zero Install is a decentralized installation system (there is no
central repository; all packages are identified by URLs),
loosely-coupled (if different programs require different versions of a
library then both versions are installed in parallel, without
conflicts), and has an emphasis on security (all package descriptions
are GPG-signed, and contain cryptographic hashes of the contents of
each version). Each version of each program is stored in its own
sub-directory within the Zero Install cache (nothing is installed to
directories outside of the cache, such as /usr/bin) and no code from
the package is run during install or uninstall. The system can
automatically check for updates when software is run.

Update Information:

- Upstream now ships an experimental OCaml front-end; this is not yet enabled
- Add fish-shell command completion
- Allow relative files in <archive> and <file> for local feeds.
This makes it easy to test feeds before passing them to 0repo.

Bug fixes:
- Better handling of default="" in <environment> bindings. This
now specifies that the default should be "", overriding any system default.
- Fixed --refresh with "download" and "run" for apps.
- Updated ssl_match_hostname based on latest bug-fixes. This fix is intended to
fix a denial-of-service attack, which doesn't really matter to 0install, but
we might as well have the latest version. CVE-2013-2099
- Better error when the <rename> source does not exist.
- Allow selecting local archives even in offline mode.
- Support the use of the system store with recipes. This is especially
important now that we treat all downloads as recipes!
- Removed old zeroinstall-add.desktop file.

Changes for APIs we depend on:
- Cope with more PyGObject API changes. Based on patch in
- Keep gobject and glib separate. Sometimes we need GLib, sometimes we need
- Updates to avoid PyGIDeprecationWarning.


* Fri Jul 5 2013 Michel Salim <salimma@fedoraproject.org> - 2.3-1
- Update to 2.3
* Mon May 6 2013 Michel Salim <salimma@fedoraproject.org> - 2.2-1
- Update to 2.2

[ 1 ] Bug #958834 - zeroinstall-injector-2.3 is available
[ 2 ] Bug #966273 - CVE-2013-2098 CVE-2013-2099 python: ssl.match_hostname()
DoS via certificates with specially crafted hostname wildcard patterns [fedora-all]
[ 3 ] Bug #966274 - CVE-2013-2098 CVE-2013-2099 python: ssl.match_hostname()
DoS via certificates with specially crafted hostname wildcard patterns [epel-6]
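
The bug references above describe a denial of service through certificates that carry crafted hostname wildcard patterns. As an added example (not code from 0install, Fedora or Python; the names `dnsname_match`, `CertificateNameError` and `MAX_WILDCARDS` are hypothetical), this is one defensive way to match certificate names at bounded cost: patterns with more than one wildcard are rejected before any matching, and matching uses plain string comparison instead of a pattern built from certificate data.

```python
# Added example: bounded-cost matching of certificate dNSName patterns.
# All identifiers below are hypothetical and not taken from 0install or
# from the Python standard library.

MAX_WILDCARDS = 1  # assumption: one '*' per name is all a client accepts


class CertificateNameError(ValueError):
    """Raised for certificate names this matcher refuses to process."""


def dnsname_match(pattern, hostname):
    """Return True if the dNSName pattern from a certificate matches hostname.

    No regular expression is built from certificate data, so the cost is
    linear in the length of the two strings.
    """
    if not pattern or not hostname:
        return False
    # Refuse over-wildcarded names before doing any matching work.
    if pattern.count("*") > MAX_WILDCARDS:
        raise CertificateNameError(
            "too many wildcards in certificate name: %r" % pattern)

    p_labels = pattern.lower().split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans a dot

    # Only the left-most label may carry the wildcard; the rest must be equal.
    if "*" in ".".join(p_labels[1:]) or p_labels[1:] != h_labels[1:]:
        return False

    first, host = p_labels[0], h_labels[0]
    if "*" not in first:
        return first == host
    # Wildcards are not applied to internationalised (IDNA A-label) names.
    if first.startswith("xn--") or host.startswith("xn--"):
        return False
    prefix, suffix = first.split("*", 1)
    if not host or len(host) < len(prefix) + len(suffix):
        return False
    return host.startswith(prefix) and host.endswith(suffix)
```

A caller should treat `CertificateNameError` as a failed verification and close the connection rather than fall back to a looser match.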

This update can be installed with the "yum" update program. Use
su -c 'yum update zeroinstall-injector' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at