The following Fedora EPEL 5 Security updates need testing:

https://admin.fedoraproject.org/updates/glpi-0.72.4-3.svn11497.el5 https://admin.fedoraproject.org/updates/gnucash-2.2.9-5.el5 https://admin.fedoraproject.org/updates/wordpress-mu-2.9.2-1.el5 https://admin.fedoraproject.org/updates/gromacs-4.5.2-1.el5 https://admin.fedoraproject.org/updates/pootle-2.1.2-1.el5 https://admin.fedoraproject.org/updates/proftpd-1.3.3c-1.el5

The following builds have been pushed to Fedora EPEL 5 updates-testing

perl-Try-Tiny-0.07-1.el5 perl-mime-construct-1.11-2.el5 proftpd-1.3.3c-1.el5 tetex-fonts-hebrew-0.1-12.el5

Details about builds:

================================================================================ perl-Try-Tiny-0.07-1.el5 (FEDORA-EPEL-2010-3620) Minimal try/catch with proper localization of $@ --------------------------------------------------------------------------------

================================================================================ perl-mime-construct-1.11-2.el5 (FEDORA-EPEL-2010-3622) Construct/send MIME messages from the command line --------------------------------------------------------------------------------

================================================================================ proftpd-1.3.3c-1.el5 (FEDORA-EPEL-2010-3621) Flexible, stable and highly-configurable FTP server -------------------------------------------------------------------------------- Update Information:

This is an update to the current upstream maintenance release, which addresses two security issues that can be exploited by malicious users to manipulate certain data and compromise a vulnerable system.

* A logic error in the code for processing user input containing the Telnet IAC (Interpret As Command) escape sequence can be exploited to cause a stack-based buffer overflow by sending specially crafted input to the FTP or FTPS service. Successful exploitation may allow execution of arbitrary code. There isn't currently a CVE number for this issue but the original reporter of the problem has tagged this as ZDI-CAN-925. More details can be found at http://bugs.proftpd.org/show_bug.cgi?id=3521

* An input validation error within the "mod_site_misc" module can be exploited to e.g. create and delete directories, create symlinks, and change the time of files located outside a writable directory. Only configurations using "mod_site_misc", which is not enabled by default, and where the attacker has write access to a directory, are vulnerable to this issue, which has been assigned CVE-2010-3867. More details can be found at http://bugs.proftpd.org/show_bug.cgi?id=3519

The update from 1.3.2d to 1.3.3c also includes a large number of non-security bugfixes and a number of additional loadable modules for enhanced functionality:

* mod_geoip * mod_sftp * mod_sftp_pam * mod_sftp_sql * mod_shaper * mod_sql_passwd * mod_tls_shmcache

There is also a new utility "ftpscrub" for scrubbing the scoreboard file.

-------------------------------------------------------------------------------- ChangeLog:

* Mon Nov 1 2010 Paul Howarth paul@city-fan.org 1.3.3c-1 - Update to 1.3.3c (#647965) - Fixed Telnet IAC stack overflow vulnerability (ZDI-CAN-925) - Fixed directory traversal bug in mod_site_misc (CVE-2010-3867) - Fixed SQLite authentications using "SQLAuthType Backend" - New DSO module: mod_geoip * Fri Sep 10 2010 Paul Howarth paul@city-fan.org 1.3.3b-1 - Update to 1.3.3b - Fixed SFTP directory listing bug - Avoid corrupting utmpx databases on FreeBSD - Avoid null pointer dereferences during data transfers - Fixed "AuthAliasOnly on" anonymous login * Fri Jul 2 2010 Paul Howarth paul@city-fan.org 1.3.3a-1 - Update to 1.3.3a - Added Japanese translation - Many mod_sftp bugfixes - Fixed SSL_shutdown() errors caused by OpenSSL 0.9.8m and later - Fixed handling of utmp/utmpx format changes on FreeBSD * Thu Feb 25 2010 Paul Howarth paul@city-fan.org 1.3.3-1 - Update to 1.3.3 (see NEWS for list of fixed bugs) - Update PID file location in initscript - Drop upstreamed patches - Upstream distribution now includes mod_exec, so drop unbundled source - New DSO modules: - mod_sftp - mod_sftp_pam - mod_sftp_sql - mod_shaper - mod_sql_passwd - mod_tls_shmcache - Configure script no longer appends "/proftpd" to --localstatedir option - New utility ftpscrub for scrubbing the scoreboard file - Include public key blacklist and Diffie-Hellman parameter files for mod_sftp in %{_sysconfdir} - Remove IdentLookups from config file - disabled by default now -------------------------------------------------------------------------------- References:

[ 1 ] Bug #647965 - proftpd-1.3.3c is available https://bugzilla.redhat.com/show_bug.cgi?id=647965 --------------------------------------------------------------------------------

================================================================================ tetex-fonts-hebrew-0.1-12.el5 (FEDORA-EPEL-2010-3623) Culmus Hebrew fonts support for tetex -------------------------------------------------------------------------------- Update Information:

Add the required font metrics to typeset Hebrew in teTeX. -------------------------------------------------------------------------------- References:

[ 1 ] Bug #195585 - Review Request: tetex-fonts-hebrew https://bugzilla.redhat.com/show_bug.cgi?id=195585 --------------------------------------------------------------------------------