Fedora EPEL 7 updates-testing report
by updates@fedoraproject.org
The following Fedora EPEL 7 Security updates need testing:
Age URL
462 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-1087 dokuwiki-0-0.24.20140929c.el7
224 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-dac7ed832f mcollective-2.8.4-1.el7
90 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-785fc9a2ea dropbear-2016.72-1.el7
11 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-804b7430fd GraphicsMagick-1.3.24-1.el7
11 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-70e05c7285 nginx-1.6.3-9.el7
2 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-153f7ebdb7 iperf3-3.1.3-1.el7
0 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-ac8f9cc0fd nfdump-1.6.15-1.el7
0 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-86f7c45855 php-zendframework-zendxml-1.0.2-2.el7 php-ZendFramework2-2.4.10-1.el7
The following builds have been pushed to Fedora EPEL 7 updates-testing
czmq-3.0.2-3.el7
libnftnl-1.0.6-1.el7
limnoria-20160506-2.el7
mxml-2.9-1.el7
nfdump-1.6.15-1.el7
nftables-0.6-1.el7
nitroshare-0.3.1-3.20160612git930c9b7.el7
php-ZendFramework2-2.4.10-1.el7
php-libvirt-0.5.2-1.el7
php-zendframework-zendxml-1.0.2-2.el7
python-pysocks-1.5.6-3.el7
supybot-notify-0.2.2-9.el7
zeromq-4.1.4-5.el7
Details about builds:
================================================================================
czmq-3.0.2-3.el7 (FEDORA-EPEL-2016-611247d1a6)
High-level C binding for 0MQ (ZeroMQ)
--------------------------------------------------------------------------------
Update Information:
Upgrade for EPEL7
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1302118 - Please update czmq to version 3.0.2
https://bugzilla.redhat.com/show_bug.cgi?id=1302118
--------------------------------------------------------------------------------
================================================================================
libnftnl-1.0.6-1.el7 (FEDORA-EPEL-2016-dd3c42b375)
Library for low-level interaction with nftables Netlink's API over libmnl
--------------------------------------------------------------------------------
Update Information:
Initial version of nftables and deps for epel7
--------------------------------------------------------------------------------
================================================================================
limnoria-20160506-2.el7 (FEDORA-EPEL-2016-e7cc57a690)
A modified version of Supybot (an IRC bot) with enhancements and bug fixes
--------------------------------------------------------------------------------
Update Information:
initial version of limnoria to replace supybot-gribble.
--------------------------------------------------------------------------------
================================================================================
mxml-2.9-1.el7 (FEDORA-EPEL-2016-dd3c42b375)
Miniature XML development library
--------------------------------------------------------------------------------
Update Information:
Initial version of nftables and deps for epel7
--------------------------------------------------------------------------------
================================================================================
nfdump-1.6.15-1.el7 (FEDORA-EPEL-2016-ac8f9cc0fd)
NetFlow collecting and processing tools
--------------------------------------------------------------------------------
Update Information:
nfdump 1.6.15 released. --- - Fix Security issue http://www.security-assessmen
t.com/files/documents/advisory/Nfdump%20nfcapd%201.6.14%20-%20Multiple%20Vulnera
bilities.pdf - Fix obyte, opps and obps output records - Fix wrong bps type case
in cvs output. Fix opbs ipbs typos nfdump 1.6.14 released. --- - Create
libnfdump for dynamic linking - Add -R to ModifyCompression - Add std sampler ID
4 Bytes and allow random sampler (tag 50) - Add BZ2 compression along existing
LZ0 - Add direct write to flowtools converter ft2nfdump - Fix CentOS compile
issues with flow-tools converter - Fix FreeBSD,OpenBSD build problems - Fix
timestamp overflow in sflow.c - Fix IP Fragmentation in sflow collector - Fix
compile errors on other platforms - Fix zero alignment bug, if only half of an
extension is sent - Fix nfanon time window bug in subsequent files in -R list -
Fix CommonRecordV0Type conversion bug - Fix nfexport bug, if only one single map
exists
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1335204 - nfdump: multiple remote denial of service vulnerabilities
https://bugzilla.redhat.com/show_bug.cgi?id=1335204
--------------------------------------------------------------------------------
================================================================================
nftables-0.6-1.el7 (FEDORA-EPEL-2016-dd3c42b375)
Netfilter Tables userspace utillites
--------------------------------------------------------------------------------
Update Information:
Initial version of nftables and deps for epel7
--------------------------------------------------------------------------------
================================================================================
nitroshare-0.3.1-3.20160612git930c9b7.el7 (FEDORA-EPEL-2016-c812458f3c)
Transfer files from one device to another made extremely simple
--------------------------------------------------------------------------------
Update Information:
initial package, rhbz#1338553 - use git snapshot with several bugfixes - add
Qt5Svg as dependency ---- initial package, rhzb#1338553
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1338553 - Review Request: nitroshare - Transfer files from one device to another made extremely simple
https://bugzilla.redhat.com/show_bug.cgi?id=1338553
--------------------------------------------------------------------------------
================================================================================
php-ZendFramework2-2.4.10-1.el7 (FEDORA-EPEL-2016-86f7c45855)
Zend Framework 2
--------------------------------------------------------------------------------
Update Information:
## 2.4.10 (2016-05-09) - Fix HeaderValue throwing an exception on legal
characters ## 2.4.9 (2015-11-23) ### SECURITY UPDATES - **ZF2015-09**:
`Zend\Captcha\Word` generates a "word" for a CAPTCHA challenge by selecting a
sequence of random letters from a character set. Prior to this vulnerability
announcement, the selection was performed using PHP's internal `array_rand()`
function. This function does not generate sufficient entropy due to its usage
of `rand()` instead of more cryptographically secure methods such as
`openssl_pseudo_random_bytes()`. This could potentially lead to information
disclosure should an attacker be able to brute force the random number
generation. This release contains a patch that replaces the `array_rand()`
calls to use `Zend\Math\Rand::getInteger()`, which provides better RNG. -
**ZF2015-10**: `Zend\Crypt\PublicKey\Rsa\PublicKey` has a call to
`openssl_public_encrypt()` which used PHP's default `$padding` argument, which
specifies `OPENSSL_PKCS1_PADDING`, indicating usage of PKCS1v1.5 padding. This
padding has a known vulnerability, the [Bleichenbacher's chosen-ciphertext
attack](http://crypto.stackexchange.com/questions/12688/can-you-explain-
bleichenbachers-cca-attack-on-pkcs1-v1-5), which can be used to recover an RSA
private key. This release contains a patch that changes the padding argument
to use `OPENSSL_PKCS1_OAEP_PADDING`. Users upgrading to this version may have
issues decrypting previously stored values, due to the change in padding. If
this occurs, you can pass the constant `OPENSSL_PKCS1_PADDING` to a new
`$padding` argument in `Zend\Crypt\PublicKey\Rsa::encrypt()` and `decrypt()`
(though typically this should only apply to the latter): ```php
$decrypted = $rsa->decrypt($data, $key, $mode, OPENSSL_PKCS1_PADDING); ```
where `$rsa` is an instance of `Zend\Crypt\PublicKey\Rsa`. (The `$key` and
`$mode` argument defaults are `null` and
`Zend\Crypt\PublicKey\Rsa::MODE_AUTO`, if you were not using them previously.)
We recommend re-encrypting any such values using the new defaults.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1343990 - [epel7][security] php-ZendFramework2-2.4.10 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1343990
[ 2 ] Bug #1289318 - CVE-2015-7503 php-ZendFramework2: Usage of vulnerable PKCS#1 v1.5 padding allows to recover RSA private key [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1289318
[ 3 ] Bug #1343995 - [f23][f22][security] php-ZendFramework2-2.4.10 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1343995
[ 4 ] Bug #1289317 - CVE-2015-7503 php-ZendFramework2: Usage of vulnerable PKCS#1 v1.5 padding allows to recover RSA private key [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1289317
--------------------------------------------------------------------------------
================================================================================
php-libvirt-0.5.2-1.el7 (FEDORA-EPEL-2016-22d8e14cdd)
PHP language bindings for Libvirt
--------------------------------------------------------------------------------
Update Information:
Upgrade to 0.5.2 to support newer libvirt capabilities
--------------------------------------------------------------------------------
================================================================================
php-zendframework-zendxml-1.0.2-2.el7 (FEDORA-EPEL-2016-86f7c45855)
Zend Framework ZendXml component
--------------------------------------------------------------------------------
Update Information:
## 2.4.10 (2016-05-09) - Fix HeaderValue throwing an exception on legal
characters ## 2.4.9 (2015-11-23) ### SECURITY UPDATES - **ZF2015-09**:
`Zend\Captcha\Word` generates a "word" for a CAPTCHA challenge by selecting a
sequence of random letters from a character set. Prior to this vulnerability
announcement, the selection was performed using PHP's internal `array_rand()`
function. This function does not generate sufficient entropy due to its usage
of `rand()` instead of more cryptographically secure methods such as
`openssl_pseudo_random_bytes()`. This could potentially lead to information
disclosure should an attacker be able to brute force the random number
generation. This release contains a patch that replaces the `array_rand()`
calls to use `Zend\Math\Rand::getInteger()`, which provides better RNG. -
**ZF2015-10**: `Zend\Crypt\PublicKey\Rsa\PublicKey` has a call to
`openssl_public_encrypt()` which used PHP's default `$padding` argument, which
specifies `OPENSSL_PKCS1_PADDING`, indicating usage of PKCS1v1.5 padding. This
padding has a known vulnerability, the [Bleichenbacher's chosen-ciphertext
attack](http://crypto.stackexchange.com/questions/12688/can-you-explain-
bleichenbachers-cca-attack-on-pkcs1-v1-5), which can be used to recover an RSA
private key. This release contains a patch that changes the padding argument
to use `OPENSSL_PKCS1_OAEP_PADDING`. Users upgrading to this version may have
issues decrypting previously stored values, due to the change in padding. If
this occurs, you can pass the constant `OPENSSL_PKCS1_PADDING` to a new
`$padding` argument in `Zend\Crypt\PublicKey\Rsa::encrypt()` and `decrypt()`
(though typically this should only apply to the latter): ```php
$decrypted = $rsa->decrypt($data, $key, $mode, OPENSSL_PKCS1_PADDING); ```
where `$rsa` is an instance of `Zend\Crypt\PublicKey\Rsa`. (The `$key` and
`$mode` argument defaults are `null` and
`Zend\Crypt\PublicKey\Rsa::MODE_AUTO`, if you were not using them previously.)
We recommend re-encrypting any such values using the new defaults.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1343990 - [epel7][security] php-ZendFramework2-2.4.10 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1343990
[ 2 ] Bug #1289318 - CVE-2015-7503 php-ZendFramework2: Usage of vulnerable PKCS#1 v1.5 padding allows to recover RSA private key [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1289318
[ 3 ] Bug #1343995 - [f23][f22][security] php-ZendFramework2-2.4.10 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1343995
[ 4 ] Bug #1289317 - CVE-2015-7503 php-ZendFramework2: Usage of vulnerable PKCS#1 v1.5 padding allows to recover RSA private key [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1289317
--------------------------------------------------------------------------------
================================================================================
python-pysocks-1.5.6-3.el7 (FEDORA-EPEL-2016-e7cc57a690)
A Python SOCKS client module
--------------------------------------------------------------------------------
Update Information:
initial version of limnoria to replace supybot-gribble.
--------------------------------------------------------------------------------
================================================================================
supybot-notify-0.2.2-9.el7 (FEDORA-EPEL-2016-e7cc57a690)
Notification plugin for Supybot
--------------------------------------------------------------------------------
Update Information:
initial version of limnoria to replace supybot-gribble.
--------------------------------------------------------------------------------
================================================================================
zeromq-4.1.4-5.el7 (FEDORA-EPEL-2016-9769421234)
Software library for fast, message-based applications
--------------------------------------------------------------------------------
Update Information:
Upgrade for EPEL 7
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1301163 - zeromq-4.1.4 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1301163
--------------------------------------------------------------------------------