Saturday, June 20, 2009

Security Updates: Ruby, Libpng

Two security updates have been released today: Ruby and Libpng. There has been a reverted package as well: Mesa is downgraded to 7.4.1 due to a regression found in 7.4.2, which was upgraded a few days ago. While I don't find this regression on my system, many people have reported it, and Pat and the team have decided to switch back to 7.4.1, which has had no problems so far. The 7.4.2 version has been moved to /testing.

Also, Pat has decided to include the old K3B program in extra in case the newer K3B is not yet stable enough for daily usage. It's a good choice, as K3B isn't quite mature yet with KDE 4.

Here's the latest -Current changelog:
Fri Jun 19 18:22:20 CDT 2009
d/ruby-1.8.7_p174-i486-1.txz: Upgraded.
This fixes a denial of service issue caused by the BigDecimal method handling large input values improperly that may allow attackers to crash the interpreter. The issue affects most Rails applications.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1904
(* Security fix *)

l/libpng-1.2.37-i486-1.txz: Upgraded.
This update fixes a possible security issue. Jeff Phillips discovered an uninitialized-memory-read bug affecting interlaced images that may have security implications.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2042
(* Security fix *)

x/mesa-7.4.1-i486-1.txz: Upgraded.
Well, actually more like "switched", or "reverted". After many hours trying to track down the reason for reported instability with X and compositing (such as crashes when adjusting advanced desktop settings in KDE), we've found that it seems to happen only with MesaLib 7.4.2. Rather than trying to cherry-pick changes between 7.4.1 and 7.4.2, we've switched to shipping 7.4.1 in the main tree, and have not run into any such problems since making the switch. If people want to continue testing 7.4.2, we've moved it into /testing. Let us know if you run into any problems with 7.4.1 that are fixed with 7.4.2, and we'll take a look at individual diffs.

extra/kde3-compat/k3b3-1.0.5-i486-opt1.txz: Added.
In case the KDE4 version of k3b is not stable, this KDE3 version may be used along with the KDE3 compatibility packages in extra/kde3-compat/.

testing/packages/mesa-7.4.2-i486-2.txz: Moved to /testing due to apparent regressions.