The following Fedora EPEL 7 Security updates need testing:
 Age  URL
   6  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-ba899b9717   golang-1.19.6-1.el7
   5  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-cd6dc8dccf   wordpress-5.1.16-1.el7
   5  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-00ddf3658a   dropbear-2017.75-3.el7
   3  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-1388277bf4   chromium-113.0.5672.126-1.el7
The following builds have been pushed to Fedora EPEL 7 updates-testing
dnsperf-2.12.0-1.el7
exfatprogs-1.2.1-1.el7
godot-3.1.2-2.el7
inxi-3.3.27-1.el7
mediainfo-23.04-2.el7
xrdp-0.9.22.1-2.el7
Details about builds:
================================================================================
dnsperf-2.12.0-1.el7 (FEDORA-EPEL-2023-de900564b0)
Benchmarking authoritative and recursing DNS servers
--------------------------------------------------------------------------------
Update Information:
Release 2.12.0

This release fixes a segfault when doing DNS-over-HTTPS and changes the way the
maximum queries per second (QPS) are handled. The DNS-over-HTTPS module handled
reconnecting incorrectly and destroyed the nghttp2 context during callbacks.
Thanks to the help from @kgillis2000 it was quickly found and fixed.

The way maximum QPS is handled has been changed by Petr Špaček @pspacek (ISC).
The new approach solves an overshoot problem that happened because max QPS was
counted over the whole runtime and based on completed queries, not just sent
ones. A new option `qps_threshold_wait` has also been added. It controls the
threshold for using `nanosleep()` between sending packets; the default is
measured on start-up. If the time between packets, derived from max QPS `-Q`,
is smaller than the threshold, no sleep is performed. This improves performance
when limiting to a high max QPS.
https://github.com/DNS-OARC/dnsperf/releases/tag/v2.12.0
--------------------------------------------------------------------------------
ChangeLog:
* Tue May 23 2023 Petr Menšík <pemensik(a)redhat.com> - 2.12.0-1
- Update to 2.12.0
--------------------------------------------------------------------------------
================================================================================
exfatprogs-1.2.1-1.el7 (FEDORA-EPEL-2023-32fa9a66f6)
Userspace utilities for exFAT filesystems
--------------------------------------------------------------------------------
Update Information:
Update to bugfix release 1.2.1.
--------------------------------------------------------------------------------
ChangeLog:
* Mon May 22 2023 Simone Caronni <negativo17(a)gmail.com> - 1.2.1-1
- Update to 1.2.1.
* Thu Jan 19 2023 Fedora Release Engineering <releng(a)fedoraproject.org> - 1.2.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2208759 - exfatprogs-1.2.1 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2208759
--------------------------------------------------------------------------------
================================================================================
godot-3.1.2-2.el7 (FEDORA-EPEL-2023-2455ae47ae)
Multi-platform 2D and 3D game engine with a feature-rich editor
--------------------------------------------------------------------------------
Update Information:
Backports some fixes for reported security vulnerabilities in Godot's TGA loader
and in the tinyexr dependency.

[CVE-2021-26825](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26825) -
An integer overflow issue exists in Godot Engine up to v3.2 that can be triggered
when loading specially crafted .TGA image files. The vulnerability exists in the
ImageLoaderTGA::load_image() function at the line
`const size_t buffer_size = (tga_header.image_width * tga_header.image_height) * pixel_size;`.
The bug leads to a dynamic stack buffer overflow. Depending on the context of
the application, the attack vector can be local or remote, and it can lead to
code execution and/or a system crash.

[CVE-2021-26826](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-2...) -
A stack overflow issue exists in Godot Engine up to v3.2 and is caused by
improper boundary checks when loading .TGA image files. Depending on the context
of the application, the attack vector can be local or remote, and it can lead to
code execution and/or a system crash.

[CVE-2022-38529](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38529) -
tinyexr commit 0647fb3 was discovered to contain a heap-buffer overflow via the
component rleUncompress.
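Worked example of the CVE-2021-26825 size computation, added here and not taken from Godot or the package: the first function emulates the wrapping 32-bit arithmetic of the quoted line (uint16_t and uint8_t operands promote to int), and the second is a hardened form that checks for overflow and against an assumed caller-supplied cap before any buffer would be allocated.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Emulates the vulnerable line's 32-bit arithmetic. Computed in uint32_t
 * so the wrap-around is well defined for demonstration purposes; in the
 * original int arithmetic it is undefined behaviour that in practice
 * wraps the same way. 32768 * 32768 * 4 == 2^32 wraps to 0. */
static uint32_t tga_buffer_size_wrapping(uint16_t width, uint16_t height,
                                         uint8_t pixel_size) {
    return (uint32_t)width * height * pixel_size;
}

/* Hardened replacement: rejects empty images and any size that would
 * exceed max_bytes, which also rules out size_t overflow because
 * max_bytes <= SIZE_MAX. max_bytes is an assumed policy value chosen by
 * the caller, not a Godot constant. */
static bool tga_buffer_size_checked(uint16_t width, uint16_t height,
                                    uint8_t pixel_size, size_t max_bytes,
                                    size_t *out) {
    if (width == 0 || height == 0 || pixel_size == 0)
        return false;
    /* uint16 * uint16 < 2^32, so this never overflows size_t. */
    size_t pixels = (size_t)width * height;
    /* Check the final multiplication before performing it. */
    if (pixels > max_bytes / pixel_size)
        return false;
    *out = pixels * pixel_size;
    return true;
}

int main(void) {
    const size_t cap = (size_t)64 << 20;  /* assumed 64 MiB cap */
    size_t n = 0;
    /* Crafted header: 32768 x 32768, 4 bytes per pixel -> wraps to 0. */
    printf("wrapping size: %u\n", tga_buffer_size_wrapping(32768, 32768, 4));
    printf("checked accepts it: %s\n",
           tga_buffer_size_checked(32768, 32768, 4, cap, &n) ? "yes" : "no");
    /* Ordinary 640 x 480 RGBA image -> 1228800 bytes. */
    if (tga_buffer_size_checked(640, 480, 4, cap, &n))
        printf("checked size for 640x480x4: %zu\n", n);
    return 0;
}
```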
--------------------------------------------------------------------------------
ChangeLog:
* Mon May 22 2023 Rémi Verschelde <akien(a)fedoraproject.org> - 3.1.2-2
- Backport PR 45701 to fix CVE-2021-26825 and CVE-2021-26826 (rhbz#1926935, rhbz#1926938)
- Backport tinyexr PR 170 to fix CVE-2022-38529 (rhbz#2124780)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1926935 - CVE-2021-26826 godot: stack overflow caused by improper boundary checks when loading .TGA image files [epel-7]
https://bugzilla.redhat.com/show_bug.cgi?id=1926935
[ 2 ] Bug #1926938 - CVE-2021-26825 godot: integer overflow when loading specially crafted .TGA image files [epel-7]
https://bugzilla.redhat.com/show_bug.cgi?id=1926938
[ 3 ] Bug #2124780 - CVE-2022-38529 godot: heap-buffer overflow via the component rleUncompress. [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2124780
--------------------------------------------------------------------------------
================================================================================
inxi-3.3.27-1.el7 (FEDORA-EPEL-2023-cf7b7de5e4)
A full featured system information script
--------------------------------------------------------------------------------
Update Information:
Update to 3.3.27.
--------------------------------------------------------------------------------
ChangeLog:
* Tue May 23 2023 Vasiliy N. Glazov <vascom2(a)gmail.com> - 3.3.27-1
- Update to 3.3.27
--------------------------------------------------------------------------------
================================================================================
mediainfo-23.04-2.el7 (FEDORA-EPEL-2023-da53c6b490)
Supplies technical and tag information about a video or audio file (CLI)
--------------------------------------------------------------------------------
Update Information:
Fixed docs.
--------------------------------------------------------------------------------
ChangeLog:
* Sun May 14 2023 Todd Zullinger <tmz(a)pobox.com> - 23.04-2
- don't unconditionally strip last character from *.html/*.txt in %prep
- generate manpages
--------------------------------------------------------------------------------
================================================================================
xrdp-0.9.22.1-2.el7 (FEDORA-EPEL-2023-4cc304b812)
Open source remote desktop protocol (RDP) server
--------------------------------------------------------------------------------
Update Information:
Update to corrected upstream tarball.

Patch segfault in session chooser.

Fix the breakage I caused with the latest update (i.e. the -3 package), by
mistakenly omitting required .so files from the %_libdir/xrdp directory.
Unfortunately, F36 has just gone EOL, so this will never be fixed in koji/bodhi.
Upgrade to F37 or better, F38. If you really insist on using F36, I created a
copr project with fixed builds:
https://copr.fedorainfracloud.org/coprs/bojan/xrdp-f36/
--------------------------------------------------------------------------------
ChangeLog:
* Tue May 23 2023 Bojan Smojver <bojan(a)rexursive.com> - 1:0.9.22.1-2
- Remove C99 loop initialisation on EPEL7
* Tue May 23 2023 Bojan Smojver <bojan(a)rexursive.com> - 1:0.9.22.1-1
- Update to 0.9.22.1
* Fri May 19 2023 Bojan Smojver <bojan(a)rexursive.com> - 1:0.9.22-5
- Patch session chooser segfault
- Bugs #2208015 and #2208248
* Wed May 17 2023 Bojan Smojver <bojan(a)rexursive.com> - 1:0.9.22-4
- Put back .so files into %_libdir/xrdp directory
- Bug #2207733
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2207733 - xrdp-0.9.22-3 is missing libxup.so and libvnc.so, breaking package
https://bugzilla.redhat.com/show_bug.cgi?id=2207733
[ 2 ] Bug #2207769 - xrdp xrdp-0.9.22-3 missing libvnc.so
https://bugzilla.redhat.com/show_bug.cgi?id=2207769
[ 3 ] Bug #2207839 - xrdp - shared lib /usr/lib64/xrdp/libvnc.so is missing
https://bugzilla.redhat.com/show_bug.cgi?id=2207839
[ 4 ] Bug #2208015 - xrdp-0.9.22-4 - segfaults if you click on the session box in XRDP login
https://bugzilla.redhat.com/show_bug.cgi?id=2208015
[ 5 ] Bug #2208248 - xrdp 0.9.22-4 segfaults on login screen
https://bugzilla.redhat.com/show_bug.cgi?id=2208248
--------------------------------------------------------------------------------