The following Fedora EPEL 4 Security updates need testing:
https://admin.fedoraproject.org/updates/phpPgAdmin-5.0.3-1.el4
https://admin.fedoraproject.org/updates/puppet-0.25.5-2.el4
The following builds have been pushed to Fedora EPEL 4 updates-testing
check_postgres-2.18.0-1.el4
phpPgAdmin-5.0.3-1.el4
puppet-0.25.5-2.el4
Details about builds:
================================================================================
check_postgres-2.18.0-1.el4 (FEDORA-EPEL-2011-4587)
PostgreSQL monitoring script
--------------------------------------------------------------------------------
Update Information:
Update to 2.18.0, per changes described at
https://mail.endcrypt.com/pipermail/check_postgres-announce/2011-October/...
--------------------------------------------------------------------------------
ChangeLog:
* Mon Oct 3 2011 - Devrim GUNDUZ <devrim(a)gunduz.org> 2.18.0-1
- Update to 2.18.0, per changes described at
https://mail.endcrypt.com/pipermail/check_postgres-announce/2011-October/...
* Tue Feb 15 2011 - Devrim GUNDUZ <devrim(a)gunduz.org> 2.16.0-1
- Update to 2.16.0
* Wed Mar 10 2010 - Devrim GUNDUZ <devrim(a)gunduz.org> 2.14.3-1
- Update to 2.14.3
--------------------------------------------------------------------------------
================================================================================
phpPgAdmin-5.0.3-1.el4 (FEDORA-EPEL-2011-4594)
Web-based PostgreSQL administration
--------------------------------------------------------------------------------
Update Information:
* Update to 5.0.3, per changes described at:
http://sourceforge.net/mailarchive/forum.php?thread_name=4E897F6C.90905%4...
which also fixes a security flaw:
http://www.openwall.com/lists/oss-security/2011/10/04/1
--------------------------------------------------------------------------------
ChangeLog:
* Mon Oct 3 2011 Devrim Gunduz <devrim(a)gunduz.org> 5.0.3-1
- Update to 5.0.3, per changes described at:
http://sourceforge.net/mailarchive/forum.php?thread_name=4E897F6C.90905%4...
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #743205 - phpPgAdmin: Multiple XSS flaws fixed in v5.0.3
https://bugzilla.redhat.com/show_bug.cgi?id=743205
--------------------------------------------------------------------------------
================================================================================
puppet-0.25.5-2.el4 (FEDORA-EPEL-2011-4581)
A network tool for managing many disparate systems
--------------------------------------------------------------------------------
Update Information:
The following vulnerabilities have been discovered and fixed:
* CVE-2011-3848, a directory traversal attack
* CVE-2011-3870, a symlink attack via a user's SSH authorized_keys file
* CVE-2011-3869, a symlink attack via a user's .k5login file
* CVE-2011-3871, a privilege escalation attack via the temp file used by the puppet resource application
* A low-risk file indirector injection attack
Further details can be found in the upstream announcements:
http://groups.google.com/group/puppet-users/browse_thread/thread/e57ce274...
http://groups.google.com/group/puppet-announce/browse_thread/thread/91e3b...
Additionally, fixes for several bugs are included:
* Yumrepo deprecation error (http://projects.puppetlabs.com/issues/4252)
* Handle CR/LF in puppet.conf (http://projects.puppetlabs.com/issues/3514)
* Capture stderr from exec resources (http://projects.puppetlabs.com/issues/2359)
--------------------------------------------------------------------------------
ChangeLog:
* Mon Oct 3 2011 Todd Zullinger <tmz(a)pobox.com> - 0.25.5-2
- Apply upstream patches for CVE-2011-3848, CVE-2011-3869, CVE-2011-3870, CVE-2011-3871
- Create and own /usr/share/puppet/modules (#615432)
- Silence deprecation warnings in yumrepo type (#615175, upstream #4252)
- Handle CR/LF in puppet.conf (upstream #3514)
- Capture stderr from exec resources (upstream #2359)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #742644 - CVE-2011-3870 puppet: SSH authorized_keys symlink attack
https://bugzilla.redhat.com/show_bug.cgi?id=742644
[ 2 ] Bug #742645 - CVE-2011-3869 puppet: K5login content attack
https://bugzilla.redhat.com/show_bug.cgi?id=742645
[ 3 ] Bug #742649 - CVE-2011-3871 puppet: predictable temporary file using RAL
https://bugzilla.redhat.com/show_bug.cgi?id=742649
[ 4 ] Bug #742174 - CVE-2011-3848 puppet: Directory traversal attack by processing certain x509 certificate signing requests
https://bugzilla.redhat.com/show_bug.cgi?id=742174
--------------------------------------------------------------------------------