Security: Two problems in zeroinstall-injector
Name: Two problems in zeroinstall-injector
ID: FEDORA-2013-12414
Distribution: Fedora
Platforms: Fedora 19
Date: Mon, 15 July 2013, 08:52
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2098
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2099
Applications: Zero Install Injector

Original message
Name : zeroinstall-injector
Product : Fedora 19
Version : 2.3
Release : 1.fc19
URL : http://0install.net
Summary : The Zero Install Injector (0launch)
Description :
The Zero Install Injector makes it easy for users to install software without needing root privileges. It takes the URL of a program and runs it (downloading it first if necessary). Any dependencies of the program are fetched in the same way. The user controls which version of the program and its dependencies to use.
Zero Install is a decentralized installation system (there is no central repository; all packages are identified by URLs), loosely-coupled (if different programs require different versions of a library then both versions are installed in parallel, without conflicts), and has an emphasis on security (all package descriptions are GPG-signed, and contain cryptographic hashes of the contents of each version). Each version of each program is stored in its own sub-directory within the Zero Install cache (nothing is installed to directories outside of the cache, such as /usr/bin) and no code from the package is run during install or uninstall. The system can automatically check for updates when software is run.
--------------------------------------------------------------------------------
Update Information:
Enhancements:
- upstream now ships an experimental OCaml front-end, this is not yet enabled
- Add fish-shell command completion
- Allow relative files in <archive> and <file> for local feeds. This makes it easy to test feeds before passing them to 0repo.
Bug fixes:
- Better handling of default="" in <environment> bindings. This now specifies that the default should be "", overriding any system default.
- Fixed --refresh with "download" and "run" for apps.
- Updated ssl_match_hostname based on latest bug-fixes. This fix is intended to fix a denial-of-service attack, which doesn't really matter to 0install, but we might as well have the latest version. CVE-2013-2099
- Better error when the <rename> source does not exist.
- Allow selecting local archives even in offline mode.
- Support the use of the system store with recipes. This is especially important now that we treat all downloads as recipes!
- Removed old zeroinstall-add.desktop file.
Changes for APIs we depend on
- Cope with more PyGObject API changes. Based on patch in
http://twistedmatrix.com/trac/ticket/6369
- Keep gobject and glib separate. Sometimes we need GLib, sometimes we need GObject.
- Updates to avoid PyGIDeprecationWarning.
--------------------------------------------------------------------------------
ChangeLog:
* Fri Jul 5 2013 Michel Salim <salimma@fedoraproject.org> - 2.3-1
- Update to 2.3
* Mon May 6 2013 Michel Salim <salimma@fedoraproject.org> - 2.2-1
- Update to 2.2
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #958834 - zeroinstall-injector-2.3 is available
https://bugzilla.redhat.com/show_bug.cgi?id=958834
[ 2 ] Bug #966273 - CVE-2013-2098 CVE-2013-2099 python: ssl.match_hostname() DoS via certificates with specially crafted hostname wildcard patterns [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=966273
[ 3 ] Bug #966274 - CVE-2013-2098 CVE-2013-2099 python: ssl.match_hostname() DoS via certificates with specially crafted hostname wildcard patterns [epel-6]
https://bugzilla.redhat.com/show_bug.cgi?id=966274
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use su -c 'yum update zeroinstall-injector' at the command line. For more information, refer to "Managing Software with yum", available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-announce
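
Added example, not part of the Fedora announcement and not 0install's or Python's own code: the references above describe CVE-2013-2099 as a denial of service in ssl.match_hostname() through certificates with crafted hostname wildcard patterns. One defensive way to match certificate names is to cap the wildcard count before any matching work and to compare labels without regular expressions; the function names, the cap of one wildcard and the example.org names are assumptions of this example.

```python
# Bounded, regex-free matching of certificate dNSName patterns.
# All names and limits here are assumptions of this added example.
MAX_WILDCARDS = 1    # cap chosen for this example, not stated in the advisory
MAX_NAME_LEN = 253   # maximum length of a DNS name


class CertNameError(ValueError):
    """Raised when a certificate name pattern is rejected before matching."""


def dnsname_match(pattern, hostname):
    """Return True if hostname matches the certificate name pattern."""
    if not pattern or len(pattern) > MAX_NAME_LEN or len(hostname) > MAX_NAME_LEN:
        raise CertNameError("empty or over-long name")
    # Reject first, so no work ever scales with the number of wildcards.
    if pattern.count("*") > MAX_WILDCARDS:
        raise CertNameError("too many wildcards in certificate name: %r" % pattern)
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    first, rest = p_labels[0], p_labels[1:]
    # A wildcard is honoured only in the left-most label; the rest must be equal.
    if any("*" in label for label in rest) or rest != h_labels[1:]:
        return False
    if "*" not in first:
        return first == h_labels[0]
    # Exactly one wildcard remains: linear-time prefix/suffix comparison.
    prefix, _, suffix = first.partition("*")
    host = h_labels[0]
    if not host or len(host) < len(prefix) + len(suffix):
        return False
    return host.startswith(prefix) and host.endswith(suffix)


def first_match(san_patterns, hostname):
    """Return the first pattern that matches hostname, or None.

    A rejected pattern raises CertNameError and aborts the whole check,
    so a malformed certificate is never treated as merely non-matching.
    """
    for pattern in san_patterns:
        if dnsname_match(pattern, hostname):
            return pattern
    return None
```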