This email proposes upgrading the llhttp package in EPEL9 from 6.0.10 to
8.1.1, which would break the ABI and bump the SONAME version, under the
EPEL Incompatible Upgrades Policy[1].
The llhttp package is a C library (transpiled from TypeScript) that
provides the low-level HTTP support for NodeJS and for python-aiohttp.
Currently, only python-aiohttp depends on the llhttp package in EPEL9.
Versions of llhttp prior to 8.1.1 are affected by CVE-2023-30589[2], an
HTTP request smuggling vulnerability rated 7.7 HIGH in CVSS v3 and rated
Moderate by Red Hat. The GitHub advisory for llhttp is
GHSA-cggh-pq45-6h9x[3]; the advisory for python-aiohttp is
GHSA-45c4-8wx5-qw6w[4]. Upstream for python-aiohttp fixed this by
updating llhttp (which they bundle, but we unbundle) in release 3.8.5.
I am not comfortable attempting to backport the fix to an older release
of llhttp. My preferred solution would be to update llhttp to 8.1.1[5]
and (in the same side tag) update python-aiohttp to 3.8.5[6]. The ABI
break in llhttp would only affect python-aiohttp; the python-aiohttp
update itself is compatible (by upstream intent, and verified in
COPR[7]); and a number of packages that depend on python-aiohttp would
benefit from the fix.
If this exception request is not approved, my fallback plan is to
propose rebuilding python-aiohttp in EPEL9 with AIOHTTP_NO_EXTENSIONS=1,
which would convert it to a pure-Python package. This is a documented
mitigation, but comes with potentially serious performance regressions,
again affecting a number of dependent packages. The llhttp package would
become a leaf package and would remain unpatched.
The same incompatible update was approved by FESCo for Fedora 37[8].
The purpose of this email is to document and explain the proposed
update, to begin the minimum one-week discussion period mandated by the
EPEL Incompatible Upgrades Policy, and to request that the update be
added to the agenda for an upcoming EPEL meeting.
[1] https://docs.fedoraproject.org/en-US/epel/epel-policy-incompatible-upgrades…
[2] https://access.redhat.com/security/cve/CVE-2023-30589
[3] https://github.com/advisories/GHSA-cggh-pq45-6h9x
[4] https://github.com/aio-libs/aiohttp/security/advisories/GHSA-45c4-8wx5-qw6w
[5] https://src.fedoraproject.org/rpms/llhttp/pull-request/14
[6] https://src.fedoraproject.org/rpms/python-aiohttp/pull-request/26
[7] https://copr.fedorainfracloud.org/coprs/music/aiohttp-epel9/packages/
[8] https://pagure.io/fesco/issue/3049
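The request-smuggling class behind CVE-2023-30589 comes down to two HTTP parsers disagreeing about where one message ends and the next begins. What follows is an added example written for this page, not code from llhttp, aiohttp or the proposal's author: a minimal request-head parser that can run in a strict mode (CRLF is the only line terminator, field names must be tokens, one unambiguous framing header) or in a permissive mode (a bare CR or LF also ends a line, conflicting framing is tolerated), applied to constructed inputs. It does not reproduce the advisory's proof of concept; the sample bytes, the function names and the permissive "last Content-Length wins" rule are assumptions made for illustration.

```python
import re
from typing import List, Tuple

CRLF = b"\r\n"
LENIENT_EOL = re.compile(rb"\r\n|\r|\n")  # permissive: CRLF, bare CR or bare LF
TOKEN = re.compile(rb"[!#$%&'*+.^_`|~0-9A-Za-z-]+")  # RFC 9110 tchar, for field names


class FramingError(ValueError):
    """The request head is malformed or its message framing is ambiguous."""


def split_head_strict(head: bytes) -> List[bytes]:
    """Split only on CRLF; a bare CR or LF left inside any line is an error."""
    lines = head.split(CRLF)
    for line in lines:
        if b"\r" in line or b"\n" in line:
            raise FramingError(f"bare CR or LF inside line {line!r}")
    return lines


def parse_request_head(head: bytes, strict: bool = True) -> Tuple[str, List[Tuple[str, str]]]:
    """Return (request_line, headers) for a head that ends with an empty line.

    strict=True is the RFC 9112 behaviour: CRLF is the only line terminator and
    field names must be tokens. strict=False models a permissive parser that also
    ends a line at a bare CR or LF and tolerates whitespace around names.
    """
    if strict:
        if not head.endswith(CRLF + CRLF):
            raise FramingError("head must end with CRLF CRLF")
        lines = split_head_strict(head[:-4])
    else:
        lines = [line for line in LENIENT_EOL.split(head) if line]
    if not lines:
        raise FramingError("empty head")
    parts = lines[0].split(b" ")
    if strict and (len(parts) != 3 or not parts[2].startswith(b"HTTP/1.")):
        raise FramingError(f"bad request line {lines[0]!r}")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise FramingError(f"header line without colon {line!r}")
        if strict and not TOKEN.fullmatch(name):
            raise FramingError(f"invalid field name {name!r}")
        headers.append((name.strip().decode("latin-1"), value.strip().decode("latin-1")))
    return lines[0].decode("latin-1"), headers


def declared_body_length(headers: List[Tuple[str, str]], strict: bool = True) -> int:
    """Body length the head commits to; -1 means chunked transfer coding."""
    te = [v for n, v in headers if n.lower() == "transfer-encoding"]
    cl = [v for n, v in headers if n.lower() == "content-length"]
    if te:
        if cl and strict:
            raise FramingError("both Transfer-Encoding and Content-Length present")
        if te[-1].split(",")[-1].strip().lower() != "chunked":
            raise FramingError("final transfer coding is not chunked")
        return -1
    if not cl:
        return 0
    if len(set(cl)) > 1 and strict:
        raise FramingError(f"conflicting Content-Length values {cl}")
    if not cl[-1].isdigit():  # permissive rule assumed here: last value wins
        raise FramingError(f"non-numeric Content-Length {cl[-1]!r}")
    return int(cl[-1])


def inspect_request(head: bytes, strict: bool = True) -> Tuple[str, List[Tuple[str, str]], int]:
    request_line, headers = parse_request_head(head, strict)
    return request_line, headers, declared_body_length(headers, strict)


def rejects(head: bytes, strict: bool = True) -> bool:
    """True when the parser refuses the head rather than guessing at its framing."""
    try:
        inspect_request(head, strict)
    except FramingError:
        return True
    return False


# Constructed samples for illustration only; none reproduces a real PoC.
SAMPLE_CLEAN = b"POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length: 4\r\n\r\n"
# A bare CR inside a header line: one field to a strict parser, two to a lenient one.
SAMPLE_BARE_CR = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                  b"Content-Length: 0\rContent-Length: 27\r\n\r\n")
# Both framing headers at once: the classic CL.TE ambiguity.
SAMPLE_TE_CL = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n")

if __name__ == "__main__":
    for label, sample in (("clean", SAMPLE_CLEAN), ("bare CR", SAMPLE_BARE_CR), ("TE+CL", SAMPLE_TE_CL)):
        for strict in (False, True):
            try:
                line, hdrs, n = inspect_request(sample, strict)
                print(f"{label:8} strict={strict!s:5} {line} headers={len(hdrs)} body={n}")
            except FramingError as exc:
                print(f"{label:8} strict={strict!s:5} rejected: {exc}")
```

Running the script prints each sample under both modes. The clean request parses identically either way; for SAMPLE_BARE_CR and SAMPLE_TE_CL the strict parser refuses the head while the permissive one commits to a body length, so a front end applying one set of rules and a back end applying the other would disagree on where the request ends, which is exactly the condition request smuggling needs. Rejecting bare CR/LF and mixed framing headers outright, rather than tolerating them, is the conservative reading of RFC 9112 and the behaviour to look for when vetting an HTTP parser.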
The following Fedora EPEL 8 Security updates need testing:
Age URL Build
6 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-49fe68774a plantuml-1.2023.11-1.el8
5 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-9abc3565b5 chromium-117.0.5938.92-2.el8
2 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-27c714a6a4 xrdp-0.9.23.1-1.el8
The following builds have been pushed to Fedora EPEL 8 updates-testing
clustershell-1.9.2-1.el8
fedora-license-data-1.31-1.el8
Details about builds:
================================================================================
clustershell-1.9.2-1.el8 (FEDORA-EPEL-2023-b0fd443313)
Python framework for efficient cluster administration
--------------------------------------------------------------------------------
Update Information:
Update to upstream release 1.9.2
--------------------------------------------------------------------------------
ChangeLog:
* Fri Sep 29 2023 Stephane Thiell <sthiell(a)stanford.edu> 1.9.2-1
- update to 1.9.2
--------------------------------------------------------------------------------
================================================================================
fedora-license-data-1.31-1.el8 (FEDORA-EPEL-2023-fa62323883)
Fedora Linux license data
--------------------------------------------------------------------------------
Update Information:
Automatic update for fedora-license-data-1.31-1.el8. The changelog for
fedora-license-data 1.31-1 is reproduced under ChangeLog below.
--------------------------------------------------------------------------------
ChangeLog:
* Fri Sep 29 2023 Miroslav Suchý <msuchy(a)redhat.com> 1.31-1
- new license: GPL-2.0-or-later WITH Autoconf-exception-macro
- new license: LGPL-3.0-or-later WITH Autoconf-exception-macro
- new license: HPND-export-US-modify
- Add a public domain dedication from the SWORD Project
- Add LPPL-1.2 as not-allowed, add LPPL-1.3a+ as allowed
- new license: LGPL-2.1-only WITH Qt-LGPL-exception-1.1
- new license: SGI-OpenGL
- Add jhash public domain dedication for QEMU
- Add QEMU to the rijndael (AES) public domain license reference
- new license: SSH-short
- new license: GPL-2.0-or-later WITH UBDL-exception
- new license: McPhee-slideshow
- new license: HPND-DEC
- new license: magaz
- new license: ulem
- new license: fwlw
- new license: Kastrup
- Fix names of Linux-syscall-note TOML files
- Add reference to EDK2 package public domain code
- new license: HPND-sell-regexpr
- new license: Cronyx
- new license: Lucida-Bitmap-Fonts
- new license: LPPL-1.3c
- new license: swrule
- new license: BSD-Inferno-Nettverk
- Some code in OpenSSH has a Public Domain license
- new license: ssh-keyscan
- new license: HPND-Pbmplus
- Add public domain text from mingw-headers/mingw-winpthreads packages
- Add public domain test from Augeas project
- new license: BSD-Attribution-HPND-disclaimer
- new not allowed license: LicenseRef-Tyrian
- Add public domain entry for squid
--------------------------------------------------------------------------------
The following Fedora EPEL 9 Security updates need testing:
Age URL Build
6 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-d573bf038f plantuml-1.2023.11-2.el9
5 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-09cc239fe3 chromium-117.0.5938.92-2.el9
2 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-93ac846983 xrdp-0.9.23.1-1.el9
The following builds have been pushed to Fedora EPEL 9 updates-testing
clustershell-1.9.2-1.el9
composer-2.6.4-1.el9
fedora-license-data-1.31-1.el9
packit-0.82.0-1.el9
python-url-normalize-1.4.3-1.el9
pythoncapi-compat-0^20230929git671fb69-1.el9
Details about builds:
================================================================================
clustershell-1.9.2-1.el9 (FEDORA-EPEL-2023-f098c37044)
Python framework for efficient cluster administration
--------------------------------------------------------------------------------
Update Information:
Update to upstream release 1.9.2
--------------------------------------------------------------------------------
ChangeLog:
* Fri Sep 29 2023 Stephane Thiell <sthiell(a)stanford.edu> 1.9.2-1
- update to 1.9.2
--------------------------------------------------------------------------------
================================================================================
composer-2.6.4-1.el9 (FEDORA-EPEL-2023-9791f0b66c)
Dependency Manager for PHP
--------------------------------------------------------------------------------
Update Information:
**Version 2.6.4** - 2023-09-29
* Security: Fixed possible remote code execution vulnerability if composer.phar
is publicly accessible, executable as PHP, and register_argc_argv is enabled in
php.ini (GHSA-jm6m-4632-36hf / **CVE-2023-43655**)
* Fixed json output of abandoned packages in audit command (#11647)
* Performance improvement in pool optimization step (#11638)
* Performance improvement in `show -a <packagename>` (#11659)
--------------------------------------------------------------------------------
ChangeLog:
* Fri Sep 29 2023 Remi Collet <remi(a)remirepo.net> - 2.6.4-1
- update to 2.6.4
--------------------------------------------------------------------------------
================================================================================
fedora-license-data-1.31-1.el9 (FEDORA-EPEL-2023-cde92b8269)
Fedora Linux license data
--------------------------------------------------------------------------------
Update Information:
Automatic update for fedora-license-data-1.31-1.el9. The changelog for
fedora-license-data 1.31-1 is reproduced under ChangeLog below.
--------------------------------------------------------------------------------
ChangeLog:
* Fri Sep 29 2023 Miroslav Suchý <msuchy(a)redhat.com> 1.31-1
- new license: GPL-2.0-or-later WITH Autoconf-exception-macro
- new license: LGPL-3.0-or-later WITH Autoconf-exception-macro
- new license: HPND-export-US-modify
- Add a public domain dedication from the SWORD Project
- Add LPPL-1.2 as not-allowed, add LPPL-1.3a+ as allowed
- new license: LGPL-2.1-only WITH Qt-LGPL-exception-1.1
- new license: SGI-OpenGL
- Add jhash public domain dedication for QEMU
- Add QEMU to the rijndael (AES) public domain license reference
- new license: SSH-short
- new license: GPL-2.0-or-later WITH UBDL-exception
- new license: McPhee-slideshow
- new license: HPND-DEC
- new license: magaz
- new license: ulem
- new license: fwlw
- new license: Kastrup
- Fix names of Linux-syscall-note TOML files
- Add reference to EDK2 package public domain code
- new license: HPND-sell-regexpr
- new license: Cronyx
- new license: Lucida-Bitmap-Fonts
- new license: LPPL-1.3c
- new license: swrule
- new license: BSD-Inferno-Nettverk
- Some code in OpenSSH has a Public Domain license
- new license: ssh-keyscan
- new license: HPND-Pbmplus
- Add public domain text from mingw-headers/mingw-winpthreads packages
- Add public domain test from Augeas project
- new license: BSD-Attribution-HPND-disclaimer
- new not allowed license: LicenseRef-Tyrian
- Add public domain entry for squid
--------------------------------------------------------------------------------
================================================================================
packit-0.82.0-1.el9 (FEDORA-EPEL-2023-f2e1fb408e)
A tool for integrating upstream projects with Fedora operating system
--------------------------------------------------------------------------------
Update Information:
Automatic update for packit-0.82.0-1.el9, stacked on the automatic update for
packit-0.81.0-1.el9. The changelog entries for 0.82.0-1 and 0.81.0-1 are
reproduced under ChangeLog below.
--------------------------------------------------------------------------------
ChangeLog:
* Fri Sep 29 2023 Packit <hello(a)packit.dev> - 0.82.0-1
- You can now specify bugs resolved by an update by `-b` or `--resolve-bug` option for `propose-downstream` and `pull-from-upstream` commands. The values will be added by default to the changelog and commit message and provided in `commit-message` and `changelog-entry` actions as `PACKIT_RESOLVED_BUGS` env variable. (#2094)
- Resolves rhbz#2240355
* Sat Sep 23 2023 Packit <hello(a)packit.dev> - 0.81.0-1
- Packit now supports the `pkg_tool` option in the config (at the top-level or with specific packages when using the monorepo syntax). This option can be used for switching between `fedpkg` or `centpkg`. (#2085)
- When updating the `Version` tag during `propose_downstream` or `pull_from_upstream`, Packit now tries to update referenced macros (if any) rather than overwriting the references. (#2087)
- If you have concerns about Packit uploading new archives to lookaside cache before creating a pull request, you can newly set `upload_sources` to False to disable this. (#2086)
- We have fixed a bug that could cause duplicate PRs to be created when using the `commit-message` action. (#2080)
- Packit now supports `commit-message` action that can be used to override the default commit message produced by Packit during `propose-downstream` or `pull-from-upstream`. Please pay attention to our [documentation](https://packit.dev/docs/configuration/actions#commit-message) with regards to the usage of this action. (#2070)
--------------------------------------------------------------------------------
================================================================================
python-url-normalize-1.4.3-1.el9 (FEDORA-EPEL-2023-5d464fd883)
Python URI normalizator
--------------------------------------------------------------------------------
Update Information:
initial specfile
--------------------------------------------------------------------------------
ChangeLog:
* Fri Sep 29 2023 Andrew Bauer <zonexpertconsulting(a)outlook.com> - 1.4.3-1
- initial specfile
- 1.4.3 release
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2240783 - Review Request: python-url-normalize - Python URI normalizator
https://bugzilla.redhat.com/show_bug.cgi?id=2240783
--------------------------------------------------------------------------------
================================================================================
pythoncapi-compat-0^20230929git671fb69-1.el9 (FEDORA-EPEL-2023-932a4f0b7e)
Python C API compatibility
--------------------------------------------------------------------------------
Update Information:
Update to `0^20230929git671fb69`
- Adds `PyObject_HasAttrWithError()` and `PyObject_HasAttrStringWithError()` functions.
- Fixes `PyObject_GetOptionalAttrString()`: set result to `NULL` on error.
--------------------------------------------------------------------------------
ChangeLog:
* Fri Sep 29 2023 Benjamin A. Beasley <code(a)musicinmybrain.net> - 0^20230929git671fb69-1
- Update to 0^20230929git671fb69
- Adds PyObject_HasAttrWithError() and PyObject_HasAttrStringWithError()
functions.
- Fixes PyObject_GetOptionalAttrString(): set result to NULL on error.
--------------------------------------------------------------------------------
The following Fedora EPEL 7 Security updates need testing:
Age URL Build
5 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-981e9f53ff chromium-117.0.5938.92-2.el7
3 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-ffb6e04eb7 drupal7-7.98-1.el7
3 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-c283911e27 ckeditor-4.22.1-1.el7
2 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-97dd2d11b6 xrdp-0.9.23.1-1.el7
The following builds have been pushed to Fedora EPEL 7 updates-testing
clustershell-1.9.2-1.el7
composer-1.10.27-1.el7
fedora-license-data-1.31-1.el7
libptytty-2.0-4.el7
rxvt-unicode-9.31-1.el7
Details about builds:
================================================================================
clustershell-1.9.2-1.el7 (FEDORA-EPEL-2023-c1b3279c59)
Python framework for efficient cluster administration
--------------------------------------------------------------------------------
Update Information:
Update to upstream release 1.9.2
--------------------------------------------------------------------------------
ChangeLog:
* Fri Sep 29 2023 Stephane Thiell <sthiell(a)stanford.edu> 1.9.2-1
- update to 1.9.2
--------------------------------------------------------------------------------
================================================================================
composer-1.10.27-1.el7 (FEDORA-EPEL-2023-3ee7f851c6)
Dependency Manager for PHP
--------------------------------------------------------------------------------
Update Information:
**Version 1.10.27** - 2023-09-29
* Security: Fixed possible remote code execution vulnerability if composer.phar
is publicly accessible, executable as PHP, and register_argc_argv is enabled in
php.ini (GHSA-jm6m-4632-36hf / **CVE-2023-43655**)
--------------------------------------------------------------------------------
ChangeLog:
* Fri Sep 29 2023 Remi Collet <remi(a)remirepo.net> - 1.10.27-1
- update to 1.10.27
--------------------------------------------------------------------------------
================================================================================
fedora-license-data-1.31-1.el7 (FEDORA-EPEL-2023-2dfb1ec616)
Fedora Linux license data
--------------------------------------------------------------------------------
Update Information:
Automatic update for fedora-license-data-1.31-1.el7. The changelog for
fedora-license-data 1.31-1 is reproduced under ChangeLog below.
--------------------------------------------------------------------------------
ChangeLog:
* Fri Sep 29 2023 Miroslav Suchý <msuchy(a)redhat.com> 1.31-1
- new license: GPL-2.0-or-later WITH Autoconf-exception-macro
- new license: LGPL-3.0-or-later WITH Autoconf-exception-macro
- new license: HPND-export-US-modify
- Add a public domain dedication from the SWORD Project
- Add LPPL-1.2 as not-allowed, add LPPL-1.3a+ as allowed
- new license: LGPL-2.1-only WITH Qt-LGPL-exception-1.1
- new license: SGI-OpenGL
- Add jhash public domain dedication for QEMU
- Add QEMU to the rijndael (AES) public domain license reference
- new license: SSH-short
- new license: GPL-2.0-or-later WITH UBDL-exception
- new license: McPhee-slideshow
- new license: HPND-DEC
- new license: magaz
- new license: ulem
- new license: fwlw
- new license: Kastrup
- Fix names of Linux-syscall-note TOML files
- Add reference to EDK2 package public domain code
- new license: HPND-sell-regexpr
- new license: Cronyx
- new license: Lucida-Bitmap-Fonts
- new license: LPPL-1.3c
- new license: swrule
- new license: BSD-Inferno-Nettverk
- Some code in OpenSSH has a Public Domain license
- new license: ssh-keyscan
- new license: HPND-Pbmplus
- Add public domain text from mingw-headers/mingw-winpthreads packages
- Add public domain test from Augeas project
- new license: BSD-Attribution-HPND-disclaimer
- new not allowed license: LicenseRef-Tyrian
- Add public domain entry for squid
--------------------------------------------------------------------------------
================================================================================
libptytty-2.0-4.el7 (FEDORA-EPEL-2023-a99c56df6a)
OS independent and secure pty/tty and utmp/wtmp/lastlog handling
--------------------------------------------------------------------------------
Update Information:
The last update for rxvt-unicode stripped it down to just the
rxvt-unicode-terminfo subpackage, leaving the rxvt-unicode package empty with
no files. This disruptive change was against EPEL policy. This new update
restores the full rxvt-unicode package. It also updates the package to version
9.31 to match the version in EPEL 8, which correctly fixes CVE-2022-4170. It
also introduces the libptytty dependency to EPEL 7.
--------------------------------------------------------------------------------
ChangeLog:
* Wed Sep 27 2023 Carl George <carlwgeorge(a)fedoraproject.org> - 2.0-4
- Enable EPEL 7 build with devtoolset-8 and cmake3
* Wed Jan 4 2023 David Cantrell <dcantrell(a)redhat.com> - 2.0-3
- Convert license to SPDX format: GPL-2.0-or-later
* Fri Dec 16 2022 Robbie Harwood <rharwood(a)redhat.com> - 2.0-2
- Bump spec due to bodhi failures
* Fri Dec 16 2022 Robbie Harwood <rharwood(a)redhat.com> - 2.0-1
- Initial import (2.0)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2151598 - CVE-2022-4170 rxvt-unicode: remote code execution via background OSC [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2151598
[ 2 ] Bug #2160952 - rxvt-unicode-9.30-2.el7.x86_64 contains NO FILES
https://bugzilla.redhat.com/show_bug.cgi?id=2160952
[ 3 ] Bug #2165151 - rxvt-unicode-9.30-2 RPM on Epel7 repository is an invalid RPM
https://bugzilla.redhat.com/show_bug.cgi?id=2165151
[ 4 ] Bug #2170550 - EPEL7 - rxvt-unicode package contains no data
https://bugzilla.redhat.com/show_bug.cgi?id=2170550
--------------------------------------------------------------------------------
================================================================================
rxvt-unicode-9.31-1.el7 (FEDORA-EPEL-2023-a99c56df6a)
Unicode version of rxvt
--------------------------------------------------------------------------------
Update Information:
The last update for rxvt-unicode stripped it down to just the
rxvt-unicode-terminfo subpackage, leaving the rxvt-unicode package empty with
no files. This disruptive change was against EPEL policy. This new update
restores the full rxvt-unicode package. It also updates the package to version
9.31 to match the version in EPEL 8, which correctly fixes CVE-2022-4170. It
also introduces the libptytty dependency to EPEL 7.
--------------------------------------------------------------------------------
ChangeLog:
* Thu Sep 28 2023 Carl George <carlwgeorge(a)fedoraproject.org> - 9.31-1
- Update to version 9.31
- Restore full package
- Build with devtoolset-8
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2151598 - CVE-2022-4170 rxvt-unicode: remote code execution via background OSC [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2151598
[ 2 ] Bug #2160952 - rxvt-unicode-9.30-2.el7.x86_64 contains NO FILES
https://bugzilla.redhat.com/show_bug.cgi?id=2160952
[ 3 ] Bug #2165151 - rxvt-unicode-9.30-2 RPM on Epel7 repository is an invalid RPM
https://bugzilla.redhat.com/show_bug.cgi?id=2165151
[ 4 ] Bug #2170550 - EPEL7 - rxvt-unicode package contains no data
https://bugzilla.redhat.com/show_bug.cgi?id=2170550
--------------------------------------------------------------------------------
The following Fedora EPEL 7 Security updates need testing:
Age URL Build
4 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-981e9f53ff chromium-117.0.5938.92-2.el7
2 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-ffb6e04eb7 drupal7-7.98-1.el7
2 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-c283911e27 ckeditor-4.22.1-1.el7
1 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-97dd2d11b6 xrdp-0.9.23.1-1.el7
The following builds have been pushed to Fedora EPEL 7 updates-testing
c-icap-0.6.0-1.el7
c-icap-modules-0.5.6-4.20230212gitfd1a1b7.el7
dkms-3.0.12-1.el7
Details about builds:
================================================================================
c-icap-0.6.0-1.el7 (FEDORA-EPEL-2023-8a5cc3fca8)
An implementation of an ICAP server
--------------------------------------------------------------------------------
Update Information:
Final release 0.6.0 for the snapshot that was currently published.
--------------------------------------------------------------------------------
ChangeLog:
* Thu Sep 28 2023 Simone Caronni <negativo17(a)gmail.com> - 0.6.0-1
- Update to final 0.6.0 release.
--------------------------------------------------------------------------------
================================================================================
c-icap-modules-0.5.6-4.20230212gitfd1a1b7.el7 (FEDORA-EPEL-2023-8a5cc3fca8)
Services for the c-icap server
--------------------------------------------------------------------------------
Update Information:
Final release 0.6.0 for the snapshot that was currently published.
--------------------------------------------------------------------------------
ChangeLog:
* Thu Sep 28 2023 Simone Caronni <negativo17(a)gmail.com> - 0.5.6-4.20230212gitfd1a1b7
- Rebuild for updated c-icap.
* Tue Sep 26 2023 Carl George <carlwgeorge(a)fedoraproject.org> - 0.5.6-3.20230212gitfd1a1b7
- Rebuilt for clamav 1.0
--------------------------------------------------------------------------------
================================================================================
dkms-3.0.12-1.el7 (FEDORA-EPEL-2023-52a1695e9b)
Dynamic Kernel Module Support Framework
--------------------------------------------------------------------------------
Update Information:
Update to 3.0.12.
--------------------------------------------------------------------------------
ChangeLog:
* Thu Sep 28 2023 Simone Caronni <negativo17(a)gmail.com> - 3.0.12-1
- Update to 3.0.12.
- Drop support for building from snapshots in SPEC file.
- Trim changelog.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2240511 - dkms-3.0.12 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2240511
--------------------------------------------------------------------------------
The following Fedora EPEL 8 Security updates need testing:
Age URL Build
4 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-49fe68774a plantuml-1.2023.11-1.el8
4 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-9abc3565b5 chromium-117.0.5938.92-2.el8
1 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-27c714a6a4 xrdp-0.9.23.1-1.el8
The following builds have been pushed to Fedora EPEL 8 updates-testing
c-icap-0.6.0-1.el8
c-icap-modules-0.5.6-4.20230212gitfd1a1b7.el8
dkms-3.0.12-1.el8
libdispatch-5.9-1.el8
Details about builds:
================================================================================
c-icap-0.6.0-1.el8 (FEDORA-EPEL-2023-55c064645c)
An implementation of an ICAP server
--------------------------------------------------------------------------------
Update Information:
Final release 0.6.0 for the snapshot that was currently published.
--------------------------------------------------------------------------------
ChangeLog:
* Thu Sep 28 2023 Simone Caronni <negativo17(a)gmail.com> - 0.6.0-1
- Update to final 0.6.0 release.
--------------------------------------------------------------------------------
================================================================================
c-icap-modules-0.5.6-4.20230212gitfd1a1b7.el8 (FEDORA-EPEL-2023-55c064645c)
Services for the c-icap server
--------------------------------------------------------------------------------
Update Information:
Final release 0.6.0 for the snapshot that was currently published.
--------------------------------------------------------------------------------
ChangeLog:
* Thu Sep 28 2023 Simone Caronni <negativo17(a)gmail.com> - 0.5.6-4.20230212gitfd1a1b7
- Rebuild for updated c-icap.
* Tue Sep 26 2023 Carl George <carlwgeorge(a)fedoraproject.org> - 0.5.6-3.20230212gitfd1a1b7
- Rebuilt for clamav 1.0
--------------------------------------------------------------------------------
================================================================================
dkms-3.0.12-1.el8 (FEDORA-EPEL-2023-9dcb4a8bf7)
Dynamic Kernel Module Support Framework
--------------------------------------------------------------------------------
Update Information:
Update to 3.0.12.
--------------------------------------------------------------------------------
ChangeLog:
* Thu Sep 28 2023 Simone Caronni <negativo17(a)gmail.com> - 3.0.12-1
- Update to 3.0.12.
- Drop support for building from snapshots in SPEC file.
- Trim changelog.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2240511 - dkms-3.0.12 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2240511
--------------------------------------------------------------------------------
================================================================================
libdispatch-5.9-1.el8 (FEDORA-EPEL-2023-4662e70996)
Apple's Grand Central Dispatch library
--------------------------------------------------------------------------------
Update Information:
Updated to 5.9-RELEASE
--------------------------------------------------------------------------------
ChangeLog:
* Thu Sep 28 2023 Ron Olson <tachoknight(a)gmail.com> 5.9-1
- Updated to 5.9-RELEASE
* Thu Jul 20 2023 Fedora Release Engineering <releng(a)fedoraproject.org> - 1:5.7.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
--------------------------------------------------------------------------------
The following Fedora EPEL 7 Security updates need testing:
Age URL Build
5 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-4211889c5a seamonkey-2.53.17.1-1.el7
3 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-981e9f53ff chromium-117.0.5938.92-2.el7
1 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-ffb6e04eb7 drupal7-7.98-1.el7
1 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-c283911e27 ckeditor-4.22.1-1.el7
The following builds have been pushed to Fedora EPEL 7 updates-testing
xrdp-0.9.23.1-1.el7
Details about builds:
================================================================================
xrdp-0.9.23.1-1.el7 (FEDORA-EPEL-2023-97dd2d11b6)
Open source remote desktop protocol (RDP) server
--------------------------------------------------------------------------------
Update Information:
Release notes for xrdp v0.9.23.1 (2023/09/27)
This is a security fix release for CVE-2023-42822. This update is recommended
for all xrdp users.
Security fixes
- CVE-2023-42822: Unchecked access to font glyph info
--------------------------------------------------------------------------------
ChangeLog:
* Thu Sep 28 2023 Bojan Smojver <bojan(a)rexursive.com> - 1:0.9.23.1-1
- Update to 0.9.23.1
- CVE-2023-42822
--------------------------------------------------------------------------------