The following Fedora EPEL 6 Security updates need testing:

 Age  URL
 491  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2012-5620/bugzilla-3.4.14-2.el6
   9  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-11175/php-symfony2-HttpFoundation-2.2.5-1.el6
   9  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-11198/filezilla-3.7.3-1.el6
   9  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-11250/Django14-1.4.6-1.el6
   9  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-11245/python-virtualenv-1.10.1-1.el6
   9  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-11194/cacti-0.8.8b-1.el6
   9  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-11183/php-symfony2-Validator-2.2.5-1.el6
   9  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-11187/libzrtpcpp-3.2.1-2.el6
   9  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-11222/seamonkey-2.20-1.el6
   9  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-11195/chrony-1.25-3.el6
   9  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-11179/libtommath-0.42.0-2.el6,libtomcrypt-1.17-20.el6
   8  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-11257/drupal7-entity-1.2-1.el6
   5  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-11274/ssmtp-2.61-21.el6
   4  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-11291/ansible-1.2.3-2.el6
   3  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-11301/drupal7-theme-zen-5.4-1.el6
   1  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-11327/php-pear-Auth-OpenID-2.2.2-7.el6
   1  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-11330/ngircd-20.3-1.el6
   0  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-11339/lighttpd-1.4.32-1.el6
   0  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-11311/roundcubemail-0.9.3-2.el6

The following builds have been pushed to Fedora EPEL 6 updates-testing

    lighttpd-1.4.32-1.el6
    nodejs-uid2-0.0.3-2.el6
    perl-Net-OAuth-0.28-1.el6
    php-Assetic-1.1.2-1.el6
    python-cpopen-1.2.3-1.el6
    python-cpopen-1.2.3-2.el6
    python-django-ckeditor-4.0.2-5.el6
    python-flask-login-0.2.7-1.el6
    roundcubemail-0.9.3-2.el6
    trafficserver-3.2.5-3.el6
    transifex-client-0.9-3.el6

Details about builds:

================================================================================
 lighttpd-1.4.32-1.el6 (FEDORA-EPEL-2013-11339)
 Lightning fast webserver with light system requirements
--------------------------------------------------------------------------------
Update Information:

One important denial of service (in 1.4.31) fix: CVE-2012-5533.

A flaw was found in lighttpd version 1.4.31 that could be exploited by a remote user to cause a denial of service condition in lighttpd. A client could send a malformed Connection header to lighttpd (such as "Connection: TE,,Keep-Alive"), which would cause lighttpd to enter an endless loop, detecting an empty token but not incrementing the current string position, causing it to continually read ',' over and over.

This flaw was introduced in 1.4.31 [1] when an "invalid read" bug was fixed [2].

[1] http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2830/diff/
[2] http://redmine.lighttpd.net/issues/2413

Acknowledgement:

Red Hat would like to thank Stefan Bühler for reporting this issue. Upstream acknowledges Jesse Sipprell from McClatchy Interactive, Inc. as the original reporter.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Aug 26 2013 Jon Ciesla <limburg...@gmail.com> - 1.4.32-1
- Update to 1.4.32, BZ 878915.
* Sat Aug 3 2013 Fedora Release Engineering <rel-...@lists.fedoraproject.org> - 1.4.31-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Thu Feb 14 2013 Fedora Release Engineering <rel-...@lists.fedoraproject.org> - 1.4.31-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
* Thu Jul 19 2012 Fedora Release Engineering <rel-...@lists.fedoraproject.org> - 1.4.31-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #878915 - CVE-2012-5533 lighttpd: Denial of Service via malformed Connection headers [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=878915
  [ 2 ] Bug #878914 - CVE-2012-5533 lighttpd: Denial of Service via malformed Connection headers [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=878914
--------------------------------------------------------------------------------

================================================================================
 nodejs-uid2-0.0.3-2.el6 (FEDORA-EPEL-2013-11340)
 Node.js module to generate strong unique IDs
--------------------------------------------------------------------------------
Update Information:

Initial package.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #998245 - Review Request: nodejs-uid2 - Node.js module to generate strong unique IDs
        https://bugzilla.redhat.com/show_bug.cgi?id=998245
--------------------------------------------------------------------------------

================================================================================
 perl-Net-OAuth-0.28-1.el6 (FEDORA-EPEL-2013-11338)
 OAuth protocol support library for Perl
--------------------------------------------------------------------------------
Update Information:

Update to newer version because perl-Net-Twitter needs it.
--------------------------------------------------------------------------------
ChangeLog:

* Sat Oct 6 2012 Emmanuel Seyman <emman...@seyman.fr> - 0.28-1
- Update to 0.28
- Clean up spec file
- Add default perl filter
* Fri Jul 20 2012 Fedora Release Engineering <rel-...@lists.fedoraproject.org> - 0.27-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
* Wed Jun 13 2012 Petr Pisar <ppi...@redhat.com> - 0.27-6
- Perl 5.16 rebuild
* Fri Jan 13 2012 Fedora Release Engineering <rel-...@lists.fedoraproject.org> - 0.27-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
* Wed Jul 20 2011 Petr Sabata <con...@redhat.com> - 0.27-4
- Perl mass rebuild
* Tue Feb 8 2011 Fedora Release Engineering <rel-...@lists.fedoraproject.org> - 0.27-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
* Tue Dec 21 2010 Marcela Maslanova <mmasl...@redhat.com> - 0.27-2
- 661697 rebuild for fixing problems with vendorach/lib
* Fri Jul 30 2010 Lubomir Rintel (GoodData) <lubo.rin...@gooddata.com> - 0.27-1
- Update to 0.27
* Tue May 4 2010 Marcela Maslanova <mmasl...@redhat.com> - 0.19-3
- Mass rebuild with perl-5.12.0
* Mon Dec 7 2009 Stepan Kasal <ska...@redhat.com> - 0.19-2
- rebuild against perl 5.10.1
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1000320 - Please build perl-Net-OAuth for EPEL
        https://bugzilla.redhat.com/show_bug.cgi?id=1000320
--------------------------------------------------------------------------------

================================================================================
 php-Assetic-1.1.2-1.el6 (FEDORA-EPEL-2013-11333)
 Asset Management for PHP
--------------------------------------------------------------------------------
Update Information:

1.1.2 (July 18, 2013)

* Fixed deep mtime on asset collections
* CallablesFilter now implements DependencyExtractorInterface
* Fixed detection of "partial" children in subfolders in SassFilter
* Restored PathUtils for BC

Full change log: https://github.com/kriswallsmith/assetic/blob/v1.1.2/CHANGELOG-1.1.md
--------------------------------------------------------------------------------
ChangeLog:

* Sun Aug 18 2013 Shawn Iwinski <shawn.iwin...@gmail.com> 1.1.2-1
- Updated to 1.1.2
* Sun Aug 4 2013 Fedora Release Engineering <rel-...@lists.fedoraproject.org> - 1.1.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #987400 - php-Assetic-1.1.2 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=987400
--------------------------------------------------------------------------------

================================================================================
 python-cpopen-1.2.3-1.el6 (FEDORA-EPEL-2013-11342)
 Creates a sub-process in simpler safer manner
--------------------------------------------------------------------------------
Update Information:

adding readme and authors files, updating installation process and modified dst folders
--------------------------------------------------------------------------------
ChangeLog:

* Sun Aug 25 2013 Yaniv Bronhaim <ybron...@redhat.com> - 1.2.3
- Moving files under cpopen folder
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #903246 - Review Request: python-cpopen - Creates a subprocess in simpler safer manner
        https://bugzilla.redhat.com/show_bug.cgi?id=903246
--------------------------------------------------------------------------------

================================================================================
 python-cpopen-1.2.3-2.el6 (FEDORA-EPEL-2013-11334)
 Creates a sub-process in simpler safer manner
--------------------------------------------------------------------------------
Update Information:

fixing import error.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Aug 26 2013 Yaniv Bronhaim <ybron...@redhat.com> - 1.2.3-2
- Fixing import error in __init__.py
* Sun Aug 25 2013 Yaniv Bronhaim <ybron...@redhat.com> - 1.2.3-1
- Moving files under cpopen folder
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #903246 - Review Request: python-cpopen - Creates a subprocess in simpler safer manner
        https://bugzilla.redhat.com/show_bug.cgi?id=903246
--------------------------------------------------------------------------------

================================================================================
 python-django-ckeditor-4.0.2-5.el6 (FEDORA-EPEL-2013-11332)
 Django admin CKEditor integration
--------------------------------------------------------------------------------
Update Information:

Remove bundle flash files.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Aug 26 2013 Eduardo Echeverria <echevemas...@gmail.com> - 4.0.2-5
- Remove bundle flash files %prep section.
* Sun Aug 4 2013 Fedora Release Engineering <rel-...@lists.fedoraproject.org> - 4.0.2-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1000262 - python-django-ckeditor contains bundled Flash and Flash source files
        https://bugzilla.redhat.com/show_bug.cgi?id=1000262
--------------------------------------------------------------------------------

================================================================================
 python-flask-login-0.2.7-1.el6 (FEDORA-EPEL-2013-11341)
 User session management for Flask
--------------------------------------------------------------------------------
Update Information:

New version 0.2.7
--------------------------------------------------------------------------------
ChangeLog:

* Mon Aug 26 2013 Richard Marko <rma...@fedoraproject.org> - 0.2.7-1
- Update to 0.2.7
* Sun Aug 4 2013 Fedora Release Engineering <rel-...@lists.fedoraproject.org> - 0.2.4-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
--------------------------------------------------------------------------------

================================================================================
 roundcubemail-0.9.3-2.el6 (FEDORA-EPEL-2013-11311)
 Round Cube Webmail is a browser-based multilingual IMAP client
--------------------------------------------------------------------------------
Update Information:

Two XSS flaws were fixed in roundcube 0.9.3 [1]:

* Fix XSS vulnerability when saving HTML signatures [2],[3]
* Fix XSS vulnerability when editing a message "as new" or draft [2],[4]

[1] http://trac.roundcube.net/wiki/Changelog#RELEASE0.9.3
[2] http://trac.roundcube.net/ticket/1489251
[3] http://trac.roundcube.net/changeset/ce5a6496fd6039962ba7424d153278e41ae8761b/github
[4] http://trac.roundcube.net/changeset/93b0a30c1c8aa29d862b587b31e52bcc344b8d16/github
--------------------------------------------------------------------------------
ChangeLog:

* Fri Aug 23 2013 Adam Williamson <awill...@redhat.com> - 0.9.3-2
- patch tinymce to cope elegantly with Flash binary being removed
* Fri Aug 23 2013 Jon Ciesla <limburg...@gmail.com> - 0.9.3-1
- Fix two XSS vulnerabilities:
- http://trac.roundcube.net/ticket/1489251
* Fri Aug 16 2013 Jon Ciesla <limburg...@gmail.com> - 0.9.2-3
- Drop precompiled flash.
* Sun Aug 4 2013 Fedora Release Engineering <rel-...@lists.fedoraproject.org> - 0.9.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Mon Jun 17 2013 Adam Williamson <awill...@redhat.com> - 0.9.2-1
- latest upstream
- correct License field, add comment on complex licensing case
* Wed May 1 2013 Adam Williamson <awill...@redhat.com> - 0.9.0-1
- latest upstream
- drop MDB2 dependencies, add php-pdo dependency (upstream now using pdo not MDB2)
- drop the update.sh script as it requires the installer framework we don't ship
- update the Fedora README for changes to sqlite and update process
- drop strict.patch, upstream actually merged it years ago, just in a slightly different format, and we kept dumbly diffing it
- drop references to obsolete patches (all merged upstream long ago)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1000511 - roundcubemail: two XSS flaws fixed in 0.9.3 [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1000511
  [ 2 ] Bug #1000512 - roundcubemail: two XSS flaws fixed in 0.9.3 [epel-6]
        https://bugzilla.redhat.com/show_bug.cgi?id=1000512
--------------------------------------------------------------------------------

================================================================================
 trafficserver-3.2.5-3.el6 (FEDORA-EPEL-2013-11337)
 Fast, scalable and extensible HTTP/1.1 compliant caching proxy server
--------------------------------------------------------------------------------
Update Information:

Update to 3.2.5.
Switch to using rpmbuild %configure macro, instead of calling configure directly.
Harden build with PIE flags,
Updated to 3.2.4 final. This fixes numerous bugs (including crashes) since the current v3.0.x version in EPEL, but there are a couple of incompatible configuration parameter changes, ref: https://cwiki.apache.org/confluence/display/TS/Upgrading+to+3.2

1- SSL certificate configuration is now done in ssl_multicert.config.
2- removed proxy.config.http.quick_filter.mask from records.config. This functionality is moved to ip_allow.config.
3- There are changes to the DNS cache, so the /var/cache/trafficserver/host.db should be deleted before upgrading.
4- changes to stats snapshot file (/var/run/trafficserver/stats.snap)
5- deprecation of old port configuration parameters

1,2 - incompatible config options.
3,4 - files should be removed while trafficserver is stopped, before upgrading it
5 - Only deprecation.

This version is intended for testing only. Point 3 and 4 should be fixed automatically by the upgrade before creating a final release. Also notification will be sent to EPEL-announce.
--------------------------------------------------------------------------------
ChangeLog:

* Sun Aug 25 2013 Jan-Frode Myklebust <janfr...@tanso.net> - 3.2.5-3
- bz#994224 Use rpm
  CFLAGS="${CFLAGS:--O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic}" ; export CFLAGS ;
  CXXFLAGS="${CXXFLAGS:--O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic}" ; export CXXFLAGS ;
  FFLAGS="${FFLAGS:--O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -I/usr/lib64/gfortran/modules}" ; export FFLAGS ;
  ./configure --build=x86_64-redhat-linux-gnu --host=x86_64-redhat-linux-gnu \
	--target=x86_64-redhat-linux-gnu \
	--program-prefix= \
	--prefix=/usr \
	--exec-prefix=/usr \
	--bindir=/usr/bin \
	--sbindir=/usr/sbin \
	--sysconfdir=/etc \
	--datadir=/usr/share \
	--includedir=/usr/include \
	--libdir=/usr/lib64 \
	--libexecdir=/usr/libexec \
	--localstatedir=/var \
	--sharedstatedir=/var/lib \
	--mandir=/usr/share/man \
	--infodir=/usr/share/info macro, instead of calling configure directly.
* Fri Aug 9 2013 Jan-Frode Myklebust <janfr...@tanso.net> - 3.2.5-2
- bz#994224 Pass RPM_OPT_FLAGS as environment variables to configure, instead of overriding on make commandline. Thanks Dimitry Andric!
* Thu Aug 1 2013 Jan-Frode Myklebust <janfr...@tanso.net> - 3.2.5-1
- Update to v3.2.5 which fixes the following bugs:
  [TS-1923] Fix memory issue caused by resolve_logfield_string()
  [TS-1918] SSL hangs after origin handshake.
  [TS-1483] Manager uses hardcoded FD limit causing restarts forever on traffic_server.
  [TS-1784] Fix FreeBSD block calculation (both RAW and directory)
  [TS-1905] TS hangs (dead lock) on HTTPS POST/PROPFIND requests.
  [TS-1785, TS-1904] Fixes to make it build with gcc-4.8.x.
  [TS-1903] Remove JEMALLOC_P use, it seems to have been deprecated.
  [TS-1902] Remove iconv as dependency.
  [TS-1900] Detect and link libhwloc on Ubuntu.
  [TS-1470] Fix cache sizes > 16TB (part 2 - Don't reset the cache after restart)
* Mon Jun 3 2013 Jan-Frode Myklebust <janfr...@tanso.net> - 3.2.4-3
- Harden build with PIE flags, ref bz#955127.
* Sat Jan 19 2013 Jan-Frode Myklebust <janfr...@tanso.net> - 3.2.4-1
- Update to 3.2.4 release candidate
* Fri Jan 4 2013 Jan-Frode Myklebust <janfr...@tanso.net> - 3.2.3-1
- Update to v3.2.3. Remove patches no longer needed.
* Fri Aug 24 2012 Václav Pavlín <vpav...@redhat.com> - 3.2.0-6
- Scriptlets replaced with new systemd macros (#851462)
* Thu Aug 16 2012 Jan-Frode Myklebust <janfr...@tanso.net> - 3.2.0-5
- Add patch for TS-1392, to fix problem with SNI fallback.
* Sun Jul 22 2012 Fedora Release Engineering <rel-...@lists.fedoraproject.org> - 3.2.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
* Mon Jun 25 2012 Jan-Frode Myklebust <janfr...@tanso.net> - 3.2.0-2
- Remove duplicate man-pages.
* Sat Jun 23 2012 Jan-Frode Myklebust <janfr...@tanso.net> - 3.2.0-1
- Update to v3.2.0
* Sun Jun 10 2012 Jan-Frode Myklebust <janfr...@tanso.net> - 3.0.5-1
- Remove trafficserver-gcc47.patch since it's fixed upstream, TS-1116.
- Join trafficserver-condrestart.patch into trafficserver-init_scripts.patch, and clean out not needed junk.
* Fri Apr 13 2012 Jan-Frode Myklebust <janfr...@tanso.net> - 3.0.4-5
- Add hardened build.
* Wed Apr 11 2012 <janfr...@tanso.net> - 3.0.4-4
- Add patch for gcc-4.7 build issues.
* Mon Apr 9 2012 Dan Horák <dan[at]danny.cz> - 3.0.4-3
- switch to ExclusiveArch
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #994224 - trafficserver must be compiled with -fno-strict-aliasing, but it is not
        https://bugzilla.redhat.com/show_bug.cgi?id=994224
  [ 2 ] Bug #955127 - trafficserver package should be built with PIE flags
        https://bugzilla.redhat.com/show_bug.cgi?id=955127
--------------------------------------------------------------------------------

================================================================================
 transifex-client-0.9-3.el6 (FEDORA-EPEL-2013-11248)
 Command line tool for Transifex translation management
--------------------------------------------------------------------------------
Update Information:

Command line tool for Transifex translation management
--------------------------------------------------------------------------------
ChangeLog:

* Mon Aug 26 2013 Luis Bazan <lba...@fedoraproject.org> - 0.9-3
- remove dependency
* Thu Aug 15 2013 Luis Bazan <lba...@fedoraproject.org> - 0.9-2
- add new requirement
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #985248 - transifex-client: use system python-backports-ssl_match_hostname
        https://bugzilla.redhat.com/show_bug.cgi?id=985248
--------------------------------------------------------------------------------

_______________________________________________
epel-devel mailing list
epel-de...@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/epel-devel