The following Fedora EPEL 5 Security updates need testing:
Age  URL                                                                 Build
864  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2013-11893      libguestfs-1.20.12-1.el5
629  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2014-1626       puppet-2.7.26-1.el5
478  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2014-3849       sblim-sfcb-1.3.8-2.el5
121  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-edbea40516 mcollective-2.8.4-1.el5
 93  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-582c8075e6 thttpd-2.25b-24.el5
 13  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-67862ee460 botan-1.8.15-1.el5
  4  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-64da3a7a91 drupal6-6.38-1.el5
  2  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-f158c9e72f drupal7-7.43-1.el5
  0  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-085f094286 php-htmLawed-1.1.21-1.el5
  0  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-66faa4ea19 openssl101e-1.0.1e-7.el5
The following builds have been pushed to Fedora EPEL 5 updates-testing:
clustershell-1.7.1-1.el5
lighttpd-1.4.39-3.el5
openssl101e-1.0.1e-7.el5
php-htmLawed-1.1.21-1.el5
xrootd-4.3.0-1.el5
Details about builds:
================================================================================
clustershell-1.7.1-1.el5 (FEDORA-EPEL-2016-f1175a85e6)
Python framework for efficient cluster administration
--------------------------------------------------------------------------------
Update Information:
* update to 1.7.1
--------------------------------------------------------------------------------
================================================================================
lighttpd-1.4.39-3.el5 (FEDORA-EPEL-2016-ccce288563)
Lightning fast webserver with light system requirements
--------------------------------------------------------------------------------
Update Information:
Restore defaultconf patch.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1310036 - Wrong Server_root
https://bugzilla.redhat.com/show_bug.cgi?id=1310036
--------------------------------------------------------------------------------
================================================================================
openssl101e-1.0.1e-7.el5 (FEDORA-EPEL-2016-66faa4ea19)
A general purpose cryptography library with TLS implementation
--------------------------------------------------------------------------------
Update Information:
* A padding oracle flaw was found in the Secure Sockets Layer version 2.0
  (SSLv2) protocol. An attacker can potentially use this flaw to decrypt
  RSA-encrypted cipher text from a connection using a newer SSL/TLS protocol
  version, allowing them to decrypt such connections. This cross-protocol
  attack is publicly referred to as DROWN. (CVE-2016-0800)
* Note: This issue was addressed by disabling the SSLv2 protocol by default
  when using the 'SSLv23' connection methods, and removing support for weak
  SSLv2 cipher suites. For more information, refer to the knowledge base
  article linked to in the References section.
* A flaw was found in the way malicious SSLv2 clients could negotiate SSLv2
  ciphers that have been disabled on the server. This could result in weak
  SSLv2 ciphers being used for SSLv2 connections, making them vulnerable to
  man-in-the-middle attacks. (CVE-2015-3197)
* A side-channel attack was found that makes use of cache-bank conflicts on
  the Intel Sandy-Bridge microarchitecture. An attacker who has the ability
  to control code in a thread running on the same hyper-threaded core as the
  victim's thread that is performing decryption could use this flaw to
  recover RSA private keys. (CVE-2016-0702)
* A double-free flaw was found in the way OpenSSL parsed certain malformed
  DSA (Digital Signature Algorithm) private keys. An attacker could create
  specially crafted DSA private keys that, when processed by an application
  compiled against OpenSSL, could cause the application to crash.
  (CVE-2016-0705)
* An integer overflow flaw, leading to a NULL pointer dereference or a
  heap-based memory corruption, was found in the way some BIGNUM functions
  of OpenSSL were implemented. Applications that use these functions with
  large untrusted input could crash or, potentially, execute arbitrary code.
  (CVE-2016-0797)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1310593 - CVE-2016-0800 SSL/TLS: Cross-protocol attack on TLS using SSLv2 (DROWN)
      https://bugzilla.redhat.com/show_bug.cgi?id=1310593
[ 2 ] Bug #1301846 - CVE-2015-3197 OpenSSL: SSLv2 doesn't block disabled ciphers
      https://bugzilla.redhat.com/show_bug.cgi?id=1301846
[ 3 ] Bug #1310599 - CVE-2016-0702 OpenSSL: Side channel attack on modular exponentiation
      https://bugzilla.redhat.com/show_bug.cgi?id=1310599
[ 4 ] Bug #1310596 - CVE-2016-0705 OpenSSL: Double-free in DSA code
      https://bugzilla.redhat.com/show_bug.cgi?id=1310596
[ 5 ] Bug #1311880 - CVE-2016-0797 OpenSSL: BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
      https://bugzilla.redhat.com/show_bug.cgi?id=1311880
--------------------------------------------------------------------------------
================================================================================
php-htmLawed-1.1.21-1.el5 (FEDORA-EPEL-2016-085f094286)
PHP code to purify and filter HTML
--------------------------------------------------------------------------------
Update Information:
**Version 1.1.21** - 27 February 2016.
* Improvement and security fix in transforming the 'font' element.
--------------------------------------------------------------------------------
================================================================================
xrootd-4.3.0-1.el5 (FEDORA-EPEL-2016-c13a4dbfd9)
Extended ROOT file server
--------------------------------------------------------------------------------
Update Information:
New minor release 4.3.0. Release notes are here:
  https://github.com/xrootd/xrootd/blob/master/docs/ReleaseNotes.txt
--------------------------------------------------------------------------------