The following Fedora EPEL 5 Security updates need testing:
Age URL
1082
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2012-5630/bugzilla-3.2.10-5.el5
536
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-11893/libguestfs-1.20.12-1.el5
301
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-1626/puppet-2.7.26-1.el5
151
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-3849/sblim-sfcb-1.3.8-2.el5
19
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2015-1344/drupal6-6.35-1.el5
14
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2015-1374/tor-0.2.4.26-1.el5
3
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2015-1588/arj-3.10.22-22.el5
1
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2015-1636/mantis-1.2.19-1.el5
0
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2015-5740/perl-Test-Signature-1.11-1.el5,perl-Module-Signature-0.78-1.el5
0
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2015-5724/torque-4.2.10-1.el5
0
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2015-5677/chrony-1.31.1-1.el5
0
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2015-5694/zarafa-7.1.12-1.el5
The following builds have been pushed to Fedora EPEL 5 updates-testing
collectl-4.0.0-1.el5
perl-Module-Signature-0.78-1.el5
perl-Test-Signature-1.11-1.el5
Details about builds:
================================================================================
collectl-4.0.0-1.el5 (FEDORA-EPEL-2015-5729)
A utility to collect various Linux performance data
--------------------------------------------------------------------------------
Update Information:
- update to upstream version 4.0.0
- upstream changelog at http://collectl.sourceforge.net/Releases.html
--------------------------------------------------------------------------------
ChangeLog:
* Thu Apr 9 2015 Dan HorĂ¡k <dan[at]danny.cz> - 4.0.0-1
- upgrade to upstream version 4.0.0 (#1201069)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1201069 - collectl-4.0.0.src is available
https://bugzilla.redhat.com/show_bug.cgi?id=1201069
--------------------------------------------------------------------------------
================================================================================
perl-Module-Signature-0.78-1.el5 (FEDORA-EPEL-2015-5740)
CPAN signature management utilities and modules
--------------------------------------------------------------------------------
Update Information:
This update addresses various security issues in perl-Module-Signature as
described below. The default behavior is also changed so as to ignore any
MANIFEST.SKIP files unless a "skip" parameter is specified. An updated version
of perl-Test-Signature that accounts for the changed default behavior is
included in this update.
Security issues:
* Module::Signature before version 0.75 could be tricked into interpreting the
unsigned portion of a SIGNATURE file as the signed portion due to faulty
parsing of the PGP signature boundaries.
* When verifying the contents of a CPAN module, Module::Signature before
version 0.75 ignored some files in the extracted tarball that were not listed
in the signature file. This included some files in the t/ directory that would
execute
automatically during "make test".
* Module::Signature before version 0.75 used two argument open() calls to read
the files when generating checksums from the signed manifest. This allowed
embedding arbitrary shell commands into the SIGNATURE file that would execute
during the signature verification process.
* Module::Signature before version 0.75 has been loading several modules at
runtime inside the extracted module directory. Modules like Text::Diff are not
guaranteed to be available on all platforms and could be added to a malicious
module so that they would load from the '.' path in @INC.
--------------------------------------------------------------------------------
ChangeLog:
* Thu Apr 9 2015 Paul Howarth <p...@city-fan.org> - 0.78-1
- Update to 0.78
- Fix verify() use from cpanm and CPAN.pm
* Wed Apr 8 2015 Paul Howarth <p...@city-fan.org> - 0.77-1
- Update to 0.77
- Include the latest public keys of PAUSE, ANDK and AUDREYT
- Clarify scripts/cpansign copyright to CC0 (#965126, CPAN RT#85466)
* Wed Apr 8 2015 Paul Howarth <p...@city-fan.org> - 0.76-1
- Update to 0.76
- Fix signature tests by defaulting to verify(skip=>1) when
$ENV{TEST_SIGNATURE} is true
* Tue Apr 7 2015 Paul Howarth <p...@city-fan.org> - 0.75-1
- Update to 0.75
- Fix GPG signature parsing logic
- MANIFEST.SKIP is no longer consulted unless --skip is given
- Properly use open() modes to avoid injection attacks
- More protection of @INC from relative paths
- Don't try to run the signature test, which needs the network
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1209911 - perl-Module-Signature: unsigned files interpreted as
signed in some circumstances
https://bugzilla.redhat.com/show_bug.cgi?id=1209911
[ 2 ] Bug #1209915 - perl-Module-Signature: arbitrary code execution during
test phase
https://bugzilla.redhat.com/show_bug.cgi?id=1209915
[ 3 ] Bug #1209917 - perl-Module-Signature: arbitrary code execution when
verifying module signatures
https://bugzilla.redhat.com/show_bug.cgi?id=1209917
[ 4 ] Bug #1209918 - perl-Module-Signature: arbitrary modules loading in some
circumstances
https://bugzilla.redhat.com/show_bug.cgi?id=1209918
--------------------------------------------------------------------------------
================================================================================
perl-Test-Signature-1.11-1.el5 (FEDORA-EPEL-2015-5740)
Automated SIGNATURE testing
--------------------------------------------------------------------------------
Update Information:
This update addresses various security issues in perl-Module-Signature as
described below. The default behavior is also changed so as to ignore any
MANIFEST.SKIP files unless a "skip" parameter is specified. An updated version
of perl-Test-Signature that accounts for the changed default behavior is
included in this update.
Security issues:
* Module::Signature before version 0.75 could be tricked into interpreting the
unsigned portion of a SIGNATURE file as the signed portion due to faulty
parsing of the PGP signature boundaries.
* When verifying the contents of a CPAN module, Module::Signature before
version 0.75 ignored some files in the extracted tarball that were not listed
in the signature file. This included some files in the t/ directory that would
execute
automatically during "make test".
* Module::Signature before version 0.75 used two argument open() calls to read
the files when generating checksums from the signed manifest. This allowed
embedding arbitrary shell commands into the SIGNATURE file that would execute
during the signature verification process.
* Module::Signature before version 0.75 has been loading several modules at
runtime inside the extracted module directory. Modules like Text::Diff are not
guaranteed to be available on all platforms and could be added to a malicious
module so that they would load from the '.' path in @INC.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1209911 - perl-Module-Signature: unsigned files interpreted as
signed in some circumstances
https://bugzilla.redhat.com/show_bug.cgi?id=1209911
[ 2 ] Bug #1209915 - perl-Module-Signature: arbitrary code execution during
test phase
https://bugzilla.redhat.com/show_bug.cgi?id=1209915
[ 3 ] Bug #1209917 - perl-Module-Signature: arbitrary code execution when
verifying module signatures
https://bugzilla.redhat.com/show_bug.cgi?id=1209917
[ 4 ] Bug #1209918 - perl-Module-Signature: arbitrary modules loading in some
circumstances
https://bugzilla.redhat.com/show_bug.cgi?id=1209918
--------------------------------------------------------------------------------
_______________________________________________
epel-devel mailing list
epel-de...@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/epel-devel
