
Security

CentOS 5, RHEL 5.6, and security updates

By Jake Edge
February 23, 2011

CentOS is forever in catch-up mode. That's because it repackages Red Hat's Enterprise Linux (RHEL) for those who would prefer an enterprise distribution without the costs associated with RHEL. That regularly puts the distribution in something of a pinch, because Red Hat, quite reasonably, follows its own schedule for updates. That pinch is being felt strongly right now with two RHEL releases in quick succession (6.0 followed by 5.6). But it isn't just the distribution developers who are being pinched, as the security updates for CentOS 5 have also been held up by the ongoing work to release CentOS 5.6 and 6.0.

CentOS had already been struggling for a bit in its efforts to put out CentOS 6 after the release of RHEL 6 in November. Then, on January 13, Red Hat released its latest update for RHEL 5, 5.6. At that point, CentOS was faced with a bit of a dilemma: should it focus on 6.0 or work on 5.6 first? The decision was made to work on 5.6 and 6.0 more or less in parallel. That meant that CentOS had two fairly large jobs at hand.

With each Red Hat release, the CentOS developers need to go through the packages and remove any Red Hat-specific elements: artwork, trademarks, %description lines in RPM spec files, and so on. Once that's done, there is a QA process that the packages go through before a final release can be done. Turning RHEL 6 into CentOS 6 is a time-consuming process, but that's also true with 5.6. But there is an additional problem with 5.6: security updates.

Normally, CentOS follows along with Red Hat security updates, releasing its versions as quickly as it can after the RHEL update is released. But 5.6 (or any "point" release of RHEL) comes with a whole slew of updated packages, any of which might have a security update—or be a dependency of a package updated for security reasons. Since there are no CentOS 5.6 packages (yet), these security updates fall into a crack in the CentOS development process. CentOS can either backport the fixes into the 5.5 package, or release an updated 5.6 package along with all of its dependencies, some of which may not have passed the QA process yet.

Except for those updates that Red Hat has marked as "critical", CentOS has chosen to do neither of the above, according to lead developer Karanbir Singh. That may leave its users vulnerable to a number of potentially exploitable security holes. In email, Singh said that the CentOS team is looking at Red Hat's security updates to fix those that are deemed "remotely-exploitable", but that doesn't seem to jibe with what is getting released for CentOS 5. Since the release of RHEL 5.6, there have been no CentOS 5 security updates.

In fact, the last CentOS 5 security update was for the kernel on January 6, a week before RHEL 5.6 dropped. In the interim, Red Hat has released 22 updates, most with "low" or "moderate" impact, but a few that are "important" (two for the kernel, and one each for openoffice.org, krb5, and java-1.6.0-openjdk), and three "critical" bugs (java-1.5.0-ibm, flash-plugin, and java-1.6.0-sun). [Update: As pointed out in the comments (and by Singh), those last three packages are closed source and thus not distributed by CentOS.] There is also a pre-5.6 wireshark vulnerability that has yet to be patched. The full list can be seen here.

It may well be that some of those vulnerabilities only apply to the updated packages that came with RHEL 5.6, but it is extremely unlikely that's true of all of them. The critical Java updates are perhaps the most worrisome, since they come with vague vulnerability descriptions (e.g. "Unspecified vulnerability in the Swing component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors."). The critical flash-plugin update is also of concern, but one would guess that there aren't all that many CentOS users running browsers with Flash on a server-oriented distribution.

It's also not at all clear that none of these vulnerabilities are remotely exploitable, as there are, at least, some remote denial of service flaws (which can sometimes be turned into remote exploits). For CentOS installations with untrusted users, there are plenty of locally exploitable flaws in the list. Even without untrusted users, a flaw in a content management system or other web application, for example, may provide an attacker the local access they need to use a local exploit to potentially compromise the entire system.

CentOS is pretty clearly dropping the ball on security updates here, which is probably not what its users expect. While the project is understaffed and is always looking for additional contributors, CentOS 5 users may not be aware that nearly two-dozen security updates (so far) have gone by the wayside while the QA process for 5.6 is ongoing. The CentOS FAQ clearly states that the goal is to have updates available in 72 hours after Red Hat puts them out and, by and large, the project meets that goal—except during the point-release gap.

That gap has stretched longer than the project would like, as Singh notes:

Our goal is to meet the 2 - 4 weeks for a point release. And we have slipped a bit for the last couple of releases. There are plans underfoot to make sure that this sort of a thing is reduced as much as possible, but make changes within a framework that does not break user trust, process and machine integrity.

According to Singh, the 5.6 release is imminent ("within the next few days"), which will allow the project to release the updates soon after. There have been complaints in the past about updates that didn't exactly track the upstream RHEL release (i.e. changes for CentOS 5.5 that are not in RHEL 5.5), but doing so in previous releases (e.g. the 5.4 to 5.5 transition) "was the right thing to do" and when there is a "serious threat to user deployed machines, we would do it again", he said.

There has been some discussion of the problem on the centos-devel mailing list, with former CentOS developer Dag Wieers being particularly critical of the delays. He is concerned that users are being misled: "I don't think most of the users ever expected to be without security updates for 10 weeks or more when choosing CentOS, and that is an important characteristic." Singh and others agree that there are things that the project could be doing better, but do not see this as the right time to address those problems. As Singh puts it:

The fact that there are dysfunctional setups in place is not something that anyone ( I for one ) are [denying]. But the fact that a call for help got zero traction for weeks is also worth considering. We could go back, stop everything that is going on at the moment and try to process engineer a better setup before we again start working on CentOS-6, I'd say a target of 2 to 3 months would be reasonable if we did that.

On the other hand, we can just get this done out of the door and then look at process engineering for the future. We are better, stronger as a group with a much larger contributor base than ever before - I see no reason why we could not strengthen that even further and split the roles out.

As part of that discussion, though, Singh muddies the waters further about which kinds of security fixes are actually being considered for CentOS 5:

all updates to the /5/ tree are monitored and anything which has a remote or local exploit will get pushed into the /5/ tree; things in 5.6 and against 5.6 that [don't] meet that criteria wait for 5.6 release. build order, linking, inheriting upstream testing etc etc to blame.

But the reality seems to be rather different, as all manner of vulnerabilities are still languishing in the CentOS 5 tree.

It is a difficult situation for the project. It must necessarily trail the Red Hat releases, and keeping up with security updates while trying to push two releases out is difficult. Doing so would likely push back the releases even further. On the other hand, though, CentOS users may well be unaware that there have been potentially significant updates while they wait for CentOS 5.6. Unless those users follow the RHEL update announcements, they don't even know that there are vulnerabilities they may need to be aware of.

While there are no guarantees about security updates for CentOS (or any other community distribution for that matter), enterprise distribution users tend to expect regular updates, without significant, somewhat arbitrary, gaps. The biggest problem here is really one of communication: the CentOS team should try to make it widely known that security updates are being held back. It probably also makes sense for the project to try to figure out a way to keep up with the update stream even in the point release gap.

Another alternative would be to put CentOS 6 on hold, while focusing on CentOS 5.6. There are, after all, no CentOS 6 users yet, while CentOS 5 has many. It would also be nice to see some of the companies that benefit from CentOS (like various hosting providers, for example) put some effort into helping the project. Those companies are getting an awful lot from CentOS without, visibly at least, putting much back in.


Brief items

Security quotes of the week

There was nothing I could do, and it was no help that I recommended a website where a knowledgeable chemist explains, in delightfully comedic detail, what it would take to manufacture a workable bomb from binary liquid ingredients, working for several hours in the aircraft loo, using copious quantities of ice, in relays of champagne coolers helpfully supplied by the cabin staff.

The prohibition against taking more than very small quantities of liquids or unguents on planes is demonstrably ludicrous. It started as one of those "Look at us, we're taking decisive action" displays, the ones designed to cause maximum inconvenience to the public in order to make the dimwitted Dundridges who rule our lives feel important and look busy.

-- Richard Dawkins at Boing Boing

But say a scientist from the facility uses a memory stick to carry data home at night, and that he plugs the memory stick into his laptop on occasion. You can now get a piece of custom spyware into the facility by putting a copy on the memory stick—if you can first get access to the laptop. So you tail the scientist and follow him from his home one day to a local coffee shop. He steps away to order another drink, to go to the bathroom, or to talk on his cell phone, and the tail walks past his table and sticks an all-but-undetectable bit of hardware in his laptop's ExpressCard slot. Suddenly, you have a vector that points all the way from a local coffee shop to the interior of a secure government facility.
-- ars technica looks more deeply into HBGary's government-sponsored activities

On the flip side, the difficulty of securing a complex enterprise hardly applies to specialized, well-funded security outlets: that one problem is easy to fix. These companies should have an abundance of expertise and resources to tightly manage and monitor their relatively small and self-contained networks. Similarly, their employees can be reasonably expected to exercise above-average restraint and a good dose of common sense. It is an uncomplicated matter of living up to your own bold claims.

From this perspective, the purported details of the attack on HBGary - a horribly vulnerable, obscure CMS; unpatched internal systems; careless password reuse across corporate systems and Twitter or LinkedIn; and trivial susceptibility to e-mail phishing - are a truly fascinating detail. These tidbits seem to imply either extreme cynicism of their staff... or an [unbelievable] level of cluelessness. And from a broader perspective, both of these options are pretty scary.

-- Michal Zalewski


New vulnerabilities

aptdaemon: security restriction bypass

Package(s): aptdaemon
CVE #(s): CVE-2011-0725
Created: February 22, 2011
Updated: February 23, 2011
Description: From the Ubuntu advisory:

Sergey Nizovtsev discovered that Aptdaemon incorrectly filtered certain arguments when using its D-Bus interface. A local attacker could use this flaw to bypass security restrictions and view sensitive information by reading arbitrary files.

Alerts:
Ubuntu USN-1068-1 aptdaemon 2011-02-22


awstats: arbitrary command execution

Package(s): awstats
CVE #(s): CVE-2010-4367
Created: February 21, 2011
Updated: February 23, 2011
Description: From the CVE entry:

awstats.cgi in AWStats before 7.0 accepts a configdir parameter in the URL, which allows remote attackers to execute arbitrary commands via a crafted configuration file located on a (1) WebDAV server or (2) NFS server.

Alerts:
Mandriva MDVSA-2011:033 awstats 2011-02-21


bind: denial of service

Package(s): bind9
CVE #(s): CVE-2011-0414
Created: February 23, 2011
Updated: April 8, 2011
Description: From the Ubuntu advisory:

It was discovered that Bind incorrectly handled IXFR transfers and dynamic updates while under heavy load when used as an authoritative server. A remote attacker could use this flaw to cause Bind to stop responding, resulting in a denial of service.

Alerts:
Gentoo 201206-01 bind 2012-06-02
Pardus 2011-65 bind 2011-04-07
SUSE SUSE-SR:2011:005 hplip, perl, subversion, t1lib, bind, tomcat5, tomcat6, avahi, gimp, aaa_base, build, libtiff, krb5, nbd, clamav, aaa_base, flash-player, pango, openssl, subversion, postgresql, logwatch, libxml2, quagga, fuse, util-linux 2011-04-01
Debian DSA-2208-1 bind9 2011-03-30
openSUSE openSUSE-SU-2011:0135-1 bind 2011-02-25
Ubuntu USN-1070-1 bind9 2011-02-23


gitolite: arbitrary code execution

Package(s): gitolite
CVE #(s):
Created: February 22, 2011
Updated: April 11, 2011
Description: From the Fedora advisory:

Dylan Alex Simon discovered and reported a directory traversal flaw in the way Gitolite restricted access to admin defined commands ("ADC"). An authenticated attacker could execute arbitrary code with privileges of Gitolite server user using specially crafted command name.

Alerts:
Debian DSA-2215-1 gitolite 2011-04-09
Fedora FEDORA-2011-1644 gitolite 2011-02-16


java: multiple vulnerabilities

Package(s): java-1.6.0-openjdk
CVE #(s): CVE-2010-4448 CVE-2010-4450 CVE-2010-4465 CVE-2010-4469 CVE-2010-4470 CVE-2010-4472 CVE-2010-4471
Created: February 17, 2011
Updated: July 22, 2011
Description: From the Red Hat advisory:

A flaw was found in the Swing library. Forged TimerEvents could be used to bypass SecurityManager checks, allowing access to otherwise blocked files and directories. (CVE-2010-4465)

A flaw was found in the HotSpot component in OpenJDK. Certain bytecode instructions confused the memory management within the Java Virtual Machine (JVM), which could lead to heap corruption. (CVE-2010-4469)

A flaw was found in the way JAXP (Java API for XML Processing) components were handled, allowing them to be manipulated by untrusted applets. This could be used to elevate privileges and bypass secure XML processing restrictions. (CVE-2010-4470)

It was found that untrusted applets could create and place cache entries in the name resolution cache. This could allow an attacker targeted manipulation over name resolution until the OpenJDK VM is restarted. (CVE-2010-4448)

It was found that the Java launcher provided by OpenJDK did not check the LD_LIBRARY_PATH environment variable for insecure empty path elements. A local attacker able to trick a user into running the Java launcher while working from an attacker-writable directory could use this flaw to load an untrusted library, subverting the Java security model. (CVE-2010-4450)

A flaw was found in the XML Digital Signature component in OpenJDK. Untrusted code could use this flaw to replace the Java Runtime Environment (JRE) XML Digital Signature Transform or C14N algorithm implementations to intercept digital signature operations. (CVE-2010-4472)

Note: All of the above flaws can only be remotely triggered in OpenJDK by calling the "appletviewer" application.

Alerts:
Gentoo 201406-32 icedtea-bin 2014-06-29
Gentoo 201111-02 sun-jdk 2011-11-05
SUSE SUSE-SU-2011:0823-1 IBM Java 2011-07-22
SUSE SUSE-SR:2011:008 java-1_6_0-ibm, java-1_5_0-ibm, java-1_4_2-ibm, postfix, dhcp6, dhcpcd, mono-addon-bytefx-data-mysql/bytefx-data-mysql, dbus-1, libtiff/libtiff-devel, cifs-mount/libnetapi-devel, rubygem-sqlite3, gnutls, libpolkit0, udisks 2011-05-03
CentOS CESA-2011:0281 java-1.6.0-openjdk 2011-04-14
Mandriva MDVSA-2011:054 java-1.6.0-openjdk 2011-03-27
SUSE SUSE-SA:2011:014 java-1_6_0-ibm,java-1_5_0-ibm,java-1_4_2-ibm 2011-03-22
Ubuntu USN-1079-3 openjdk-6b18 2011-03-17
Red Hat RHSA-2011:0364-01 java-1.5.0-ibm 2011-03-17
Red Hat RHSA-2011:0357-01 java-1.6.0-ibm 2011-03-16
Ubuntu USN-1079-2 openjdk-6b18 2011-03-15
openSUSE openSUSE-SU-2011:0155-1 java-1_6_0-openjdk 2011-03-07
Ubuntu USN-1079-1 openjdk-6 2011-03-01
SUSE SUSE-SA:2011:024 java-1_4_2-ibm 2011-05-13
SUSE SUSE-SA:2011:010 java-1_6_0-sun 2011-02-22
openSUSE openSUSE-SU-2011:0126-1 java-1_6_0-sun 2011-02-22
Red Hat RHSA-2011:0282-01 java-1.6.0-sun 2011-02-17
Fedora FEDORA-2011-1645 java-1.6.0-openjdk 2011-02-16
Fedora FEDORA-2011-1631 java-1.6.0-openjdk 2011-02-16
Red Hat RHSA-2011:0281-01 java-1.6.0-openjdk 2011-02-17
Red Hat RHSA-2011:0490-01 java-1.4.2-ibm 2011-05-05
Debian DSA-2224-1 openjdk-6 2011-04-20
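
The empty-path-element problem behind CVE-2010-4450 in the entry above can be checked for in any wrapper script that sets LD_LIBRARY_PATH. The following is an added example, not code from OpenJDK or the Red Hat advisory; the function names and the sample value are constructed for illustration, and the check goes one step beyond the advisory by also flagging relative elements, which resolve against the current directory in the same way.

```shell
#!/bin/sh
# Added example, not code from OpenJDK or the Red Hat advisory.
# The dynamic loader treats an empty element of LD_LIBRARY_PATH (a leading
# ':', a trailing ':' or '::') as the current working directory. A wrapper
# that sets LD_LIBRARY_PATH="$dir:$LD_LIBRARY_PATH" creates such an element
# whenever the old value was unset.

# audit_path_list LIST
# Print one line per element that resolves against the current directory.
# Exit status: 1 if any such element exists, 0 otherwise.
audit_path_list() (
    [ -n "$1" ] || exit 0      # empty or unset: no elements to check
    rest="$1:"                 # sentinel so a trailing ':' is examined too
    idx=0
    status=0
    while [ -n "$rest" ]; do
        elem=${rest%%:*}
        rest=${rest#*:}
        idx=$((idx + 1))
        case "$elem" in
            "") echo "element $idx: empty, resolves to current directory"
                status=1 ;;
            /*) ;;
            *)  echo "element $idx: relative path '$elem'"
                status=1 ;;
        esac
    done
    exit "$status"
)

# sanitize_path_list LIST
# Print LIST with empty and relative elements removed, order preserved.
sanitize_path_list() (
    rest="$1:"
    out=
    while [ -n "$rest" ]; do
        elem=${rest%%:*}
        rest=${rest#*:}
        case "$elem" in
            /*) out="${out:+$out:}$elem" ;;
        esac
    done
    printf '%s\n' "$out"
)

# prepend_dir DIR LIST
# Print DIR followed by the sanitized LIST, never leaving a dangling ':'.
prepend_dir() (
    cleaned=$(sanitize_path_list "$2")
    printf '%s\n' "$1${cleaned:+:$cleaned}"
)

# Constructed sample value: '::' and the trailing ':' are empty elements.
sample='/usr/lib/jvm/lib::plugins:/opt/app/lib:'
audit_path_list "$sample" || true
echo "sanitized: $(sanitize_path_list "$sample")"
echo "prepended: $(prepend_dir /opt/launcher/lib "${LD_LIBRARY_PATH:-}")"
```

The `${cleaned:+:$cleaned}` expansion in prepend_dir is the part that matters in practice: it emits the separator only when there is something to separate.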


java-1.6.0-sun: multiple unspecified vulnerabilities

Package(s): java-1.6.0-sun
CVE #(s): CVE-2010-4422 CVE-2010-4447 CVE-2010-4451 CVE-2010-4452 CVE-2010-4454 CVE-2010-4462 CVE-2010-4463 CVE-2010-4466 CVE-2010-4467 CVE-2010-4468 CVE-2010-4473 CVE-2010-4475
Created: February 17, 2011
Updated: July 22, 2011
Description: From the Red Hat advisory:

CVE-2010-4475 JDK unspecified vulnerability in Deployment component

CVE-2010-4473 JDK unspecified vulnerability in Sound component

CVE-2010-4468 JDK unspecified vulnerability in JDBC component

CVE-2010-4467 JDK unspecified vulnerability in Deployment component

CVE-2010-4466 JDK unspecified vulnerability in Deployment component

CVE-2010-4463 JDK unspecified vulnerability in Deployment component

CVE-2010-4462 JDK unspecified vulnerability in Sound component

CVE-2010-4454 JDK unspecified vulnerability in Sound component

CVE-2010-4452 JDK unspecified vulnerability in Deployment component

CVE-2010-4451 JDK unspecified vulnerability in Install component

CVE-2010-4447 JDK unspecified vulnerability in Deployment component

CVE-2010-4422 JDK unspecified vulnerability in Deployment component

Alerts:
Gentoo 201406-32 icedtea-bin 2014-06-29
Gentoo 201111-02 sun-jdk 2011-11-05
SUSE SUSE-SU-2011:0823-1 IBM Java 2011-07-22
SUSE SUSE-SR:2011:008 java-1_6_0-ibm, java-1_5_0-ibm, java-1_4_2-ibm, postfix, dhcp6, dhcpcd, mono-addon-bytefx-data-mysql/bytefx-data-mysql, dbus-1, libtiff/libtiff-devel, cifs-mount/libnetapi-devel, rubygem-sqlite3, gnutls, libpolkit0, udisks 2011-05-03
SUSE SUSE-SA:2011:014 java-1_6_0-ibm,java-1_5_0-ibm,java-1_4_2-ibm 2011-03-22
Red Hat RHSA-2011:0364-01 java-1.5.0-ibm 2011-03-17
Red Hat RHSA-2011:0357-01 java-1.6.0-ibm 2011-03-16
SUSE SUSE-SA:2011:024 java-1_4_2-ibm 2011-05-13
SUSE SUSE-SA:2011:010 java-1_6_0-sun 2011-02-22
openSUSE openSUSE-SU-2011:0126-1 java-1_6_0-sun 2011-02-22
Red Hat RHSA-2011:0282-01 java-1.6.0-sun 2011-02-17
Red Hat RHSA-2011:0490-01 java-1.4.2-ibm 2011-05-05


mailman: cross site scripting

Package(s): mailman
CVE #(s): CVE-2011-0707
Created: February 21, 2011
Updated: May 17, 2011
Description: From the Debian advisory:

A cross site scripting vulnerability was discovered in Mailman, a web-based mailing list manager, that allows an attacker to retrieve session cookies via inserting crafted JavaScript into confirmation messages.

Alerts:
SUSE SUSE-SR:2011:007 NetworkManager, OpenOffice_org, apache2-slms, dbus-1-glib, dhcp/dhcpcd/dhcp6, freetype2, kbd, krb5, libcgroup, libmodplug, libvirt, mailman, moonlight-plugin, nbd, openldap2, pure-ftpd, python-feedparser, rsyslog, telepathy-gabble, wireshark 2011-04-19
CentOS CESA-2011:0307 mailman 2011-04-14
openSUSE openSUSE-SU-2011:0312-1 mailman 2011-04-07
SUSE SUSE-SR:2011:009 mailman, openssl, tgt, rsync, vsftpd, libzip1/libzip-devel, otrs, libtiff, kdelibs4, libwebkit, libpython2_6-1_0, perl, pure-ftpd, collectd, vino, aaa_base, exim 2011-05-17
Fedora FEDORA-2011-2125 mailman 2011-02-24
Fedora FEDORA-2011-2102 mailman 2011-02-24
openSUSE openSUSE-SU-2011:0424-1 mailman 2011-05-03
CentOS CESA-2011:0307 mailman 2011-03-02
Red Hat RHSA-2011:0308-01 mailman 2011-03-01
Red Hat RHSA-2011:0307-01 mailman 2011-03-01
Mandriva MDVSA-2011:036 mailman 2011-02-23
Ubuntu USN-1069-1 mailman 2011-02-22
Debian DSA-2170-1 mailman 2011-02-18


openafs: multiple vulnerabilities

Package(s): openafs
CVE #(s): CVE-2011-0430 CVE-2011-0431
Created: February 17, 2011
Updated: February 23, 2011
Description: From the Debian advisory:

CVE-2011-0430: Andrew Deason discovered that a double free in the Rx server process could lead to denial of service or the execution of arbitrary code.

CVE-2011-0431: It was discovered that insufficient error handling in the kernel module could lead to denial of service.

Alerts:
Gentoo 201404-05 openafs 2014-04-08
Debian DSA-2168-1 openafs 2011-02-16


python-django: directory traversal

Package(s): python-django
CVE #(s): CVE-2011-0698
Created: February 21, 2011
Updated: February 23, 2011
Description: From the Mandriva advisory:

Directory traversal vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 on Windows might allow remote attackers to read or execute files via a / (slash) character in a key in a session cookie, related to session replays.

Alerts:
Mandriva MDVSA-2011:031 python-django 2011-02-18


telepathy-gabble: man-in-the-middle audio/video interception

Package(s): telepathy-gabble
CVE #(s): CVE-2011-1000
Created: February 17, 2011
Updated: April 19, 2011
Description: From the Debian advisory:

It was discovered that telepathy-gabble, the Jabber/XMPP connection manager for the Telepathy framework, is processing google:jingleinfo updates without validating their origin. This may allow an attacker to trick telepathy-gabble into relaying streamed media data through a server of his choice and thus intercept audio and video calls.

Alerts:
SUSE SUSE-SR:2011:007 NetworkManager, OpenOffice_org, apache2-slms, dbus-1-glib, dhcp/dhcpcd/dhcp6, freetype2, kbd, krb5, libcgroup, libmodplug, libvirt, mailman, moonlight-plugin, nbd, openldap2, pure-ftpd, python-feedparser, rsyslog, telepathy-gabble, wireshark 2011-04-19
openSUSE openSUSE-SU-2011:0303-1 telepathy-gabble 2011-04-07
Fedora FEDORA-2011-1903 telepathy-glib 2011-02-21
Fedora FEDORA-2011-1903 telepathy-gabble 2011-02-21
Pardus 2011-46 telepathy-gabble 2011-02-21
Ubuntu USN-1067-1 telepathy-gabble 2011-02-17
Debian DSA-2169-1 telepathy-gabble 2011-02-16


webkitgtk: multiple vulnerabilities

Package(s): webkitgtk
CVE #(s): CVE-2010-4492 CVE-2010-4493 CVE-2011-0482 CVE-2010-4199 CVE-2010-4578 CVE-2010-4042
Created: February 18, 2011
Updated: August 23, 2011
Description: From the CVE entries:

Use-after-free vulnerability in Google Chrome before 8.0.552.215 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving SVG animations. (CVE-2010-4492)

Use-after-free vulnerability in Google Chrome before 8.0.552.215 allows remote attackers to cause a denial of service via vectors related to the handling of mouse dragging events. (CVE-2010-4493)

Google Chrome before 8.0.552.237 and Chrome OS before 8.0.552.344 do not properly perform a cast of an unspecified variable during handling of anchors, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted HTML document. (CVE-2011-0482)

Google Chrome before 7.0.517.44 does not properly perform a cast of an unspecified variable during processing of an SVG use element, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted SVG document. (CVE-2010-4199)

Google Chrome before 8.0.552.224 and Chrome OS before 8.0.552.343 do not properly perform cursor handling, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors that lead to "stale pointers." (CVE-2010-4578)

Google Chrome before 7.0.517.41 does not properly handle element maps, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to "stale elements." (CVE-2010-4042)

Alerts:
Gentoo 201412-09 racer-bin, fmod, PEAR-Mail, lvm2, gnucash, xine-lib, lastfmplayer, webkit-gtk, shadow, PEAR-PEAR, unixODBC, resource-agents, mrouted, rsync, xmlsec, xrdb, vino, oprofile, syslog-ng, sflowtool, gdm, libsoup, ca-certificates, gitolite, qt-creator 2014-12-11
Ubuntu USN-1195-1 webkit 2011-08-23
SUSE SUSE-SR:2011:009 mailman, openssl, tgt, rsync, vsftpd, libzip1/libzip-devel, otrs, libtiff, kdelibs4, libwebkit, libpython2_6-1_0, perl, pure-ftpd, collectd, vino, aaa_base, exim 2011-05-17
Debian DSA-2188-1 webkit 2011-03-10
openSUSE openSUSE-SU-2011:0482-1 webkit 2011-05-13
Fedora FEDORA-2011-1224 webkitgtk 2011-02-09


Page editor: Jake Edge


Copyright © 2011, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds