The following Fedora EPEL 6 Security updates need testing: Age URL 537 https://admin.fedoraproject.org/updates/FEDORA-EPEL-2012-5620/bugzilla-3.4.1... 51 https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-11274/ssmtp-2.61-21... 12 https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-11703/chicken-4.8.0... 12 https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-11706/fedmsg-0.7.1-... 10 https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-11733/php-pecl-xhpr... 2 https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-11771/mod_fcgid-2.3... 0 https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-11803/dropbear-2013... 0 https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-11785/phpMyAdmin-3.... 0 https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-11817/ReviewBoard-1...
The following builds have been pushed to Fedora EPEL 6 updates-testing
ReviewBoard-1.7.15-1.el6 nodejs-node-static-0.7.1-2.el6 nx-libs-3.5.0.21-4.el6 perl-Term-ShellUI-0.92-2.el6 python-djblets-0.7.20-1.el6 python-py-1.4.17-1.el6 satyr-0.10-1.el6 transifex-client-0.9-4.el6
Details about builds:
================================================================================ ReviewBoard-1.7.15-1.el6 (FEDORA-EPEL-2013-11817) Web-based code review tool -------------------------------------------------------------------------------- Update Information:
Review Board 1.6.19 and 1.7.15 fix a few issues in the API where users could access certain data they should not have been able to access, if using the Local Sites feature, invite-only groups, or private repositories. It also fixes cases with invite-only groups where the group name and list of private review requests would show up on some pages (though the review requests themselves were not accessible).
These issues do not affect most of the installations out there, but we strongly recommend upgrading anyway. There are no known cases of anyone exploiting these bugs, and in fact we discovered these internally while building new tools to test for security vulnerabilities in our codebase.
There are also some other bug fixes, and important changes needed for extensions that provide their own REST APIs. -------------------------------------------------------------------------------- ChangeLog:
* Thu Oct 10 2013 Stephen Gallagher sgallagh@redhat.com - 1.7.15-1 - New upstream security release 1.7.15 - http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.15/ - Resolves: CVE-2013-4410 - Fixes access-control problems with REST API - Resolves: CVE-2013-4411 - Fixes URL processing allowing unauthorized users to view review lists -------------------------------------------------------------------------------- References:
[ 1 ] Bug #1016596 - CVE-2013-4410 ReviewBoard: access-control problems with REST API https://bugzilla.redhat.com/show_bug.cgi?id=1016596 [ 2 ] Bug #1016599 - CVE-2013-4411 ReviewBoard: URL processing allows unauthorized users to view review lists https://bugzilla.redhat.com/show_bug.cgi?id=1016599 [ 3 ] Bug #1016601 - CVE-2013-4409 python-djblets: unsanitized eval() vulnerability https://bugzilla.redhat.com/show_bug.cgi?id=1016601 --------------------------------------------------------------------------------
================================================================================ nodejs-node-static-0.7.1-2.el6 (FEDORA-EPEL-2013-11816) Simple, compliant file streaming module for node -------------------------------------------------------------------------------- Update Information:
Newpackage --------------------------------------------------------------------------------
================================================================================ nx-libs-3.5.0.21-4.el6 (FEDORA-EPEL-2013-11818) NX X11 protocol compression libraries -------------------------------------------------------------------------------- Update Information:
NX is a software suite which implements very efficient compression of the X11 protocol. This increases performance when using X applications over a network, especially a slow one.
This package provides the core nx-X11 libraries customized for nxagent/x2goagent.
--------------------------------------------------------------------------------
================================================================================ perl-Term-ShellUI-0.92-2.el6 (FEDORA-EPEL-2013-11814) Perl module to implement a full-featured shell-like command line environment -------------------------------------------------------------------------------- Update Information:
Initial push -------------------------------------------------------------------------------- References:
[ 1 ] Bug #1002319 - Review Request: perl-Term-ShellUI - Fully-featured shell-like command line environment https://bugzilla.redhat.com/show_bug.cgi?id=1002319 --------------------------------------------------------------------------------
================================================================================ python-djblets-0.7.20-1.el6 (FEDORA-EPEL-2013-11817) A collection of useful classes and functions for Django -------------------------------------------------------------------------------- Update Information:
Review Board 1.6.19 and 1.7.15 fix a few issues in the API where users could access certain data they should not have been able to access, if using the Local Sites feature, invite-only groups, or private repositories. It also fixes cases with invite-only groups where the group name and list of private review requests would show up on some pages (though the review requests themselves were not accessible).
These issues do not affect most of the installations out there, but we strongly recommend upgrading anyway. There are no known cases of anyone exploiting these bugs, and in fact we discovered these internally while building new tools to test for security vulnerabilities in our codebase.
There are also some other bug fixes, and important changes needed for extensions that provide their own REST APIs. -------------------------------------------------------------------------------- ChangeLog:
* Fri Oct 11 2013 Stephen Gallagher sgallagh@redhat.com - 0.7.20-1 - New upstream bugfix release 0.7.20 - http://downloads.reviewboard.org/releases/Djblets/0.7/Djblets-0.7.20.NEWS - Fixed regression with pagination on the datagrid * Thu Oct 10 2013 Stephen Gallagher sgallagh@redhat.com - 0.7.19-1 - New upstream security release 0.7.19 - http://downloads.reviewboard.org/releases/Djblets/0.7/Djblets-0.7.19.NEWS - Resolves: CVE-2013-4409 - Resolves unsanitized eval() vulnerability -------------------------------------------------------------------------------- References:
[ 1 ] Bug #1016596 - CVE-2013-4410 ReviewBoard: access-control problems with REST API https://bugzilla.redhat.com/show_bug.cgi?id=1016596 [ 2 ] Bug #1016599 - CVE-2013-4411 ReviewBoard: URL processing allows unauthorized users to view review lists https://bugzilla.redhat.com/show_bug.cgi?id=1016599 [ 3 ] Bug #1016601 - CVE-2013-4409 python-djblets: unsanitized eval() vulnerability https://bugzilla.redhat.com/show_bug.cgi?id=1016601 --------------------------------------------------------------------------------
================================================================================ python-py-1.4.17-1.el6 (FEDORA-EPEL-2013-11815) Library with cross-python path, ini-parsing, io, code, log facilities -------------------------------------------------------------------------------- Update Information:
Update pylib to the latest stable version.
Changes between 1.4.16 and 1.4.17:
- make py.io.TerminalWriter() prefer colorama if it is available and avoid empty lines when separator-lines are printed by being defensive and reducing the working terminalwidth by 1
- introduce optional "expanduser" argument to py.path.local so that local("~", expanduser=True) gives the home directory of "user".
-------------------------------------------------------------------------------- ChangeLog:
* Fri Oct 4 2013 Thomas Moschny thomas.moschny@gmx.de - 1.4.17-1 - Update to 1.4.17. * Thu Oct 3 2013 Thomas Moschny thomas.moschny@gmx.de - 1.4.16-1 - Update to 1.4.16. * Sun Aug 4 2013 Fedora Release Engineering rel-eng@lists.fedoraproject.org - 1.4.15-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild --------------------------------------------------------------------------------
================================================================================ satyr-0.10-1.el6 (FEDORA-EPEL-2013-11820) Tools to create anonymous, machine-friendly problem reports -------------------------------------------------------------------------------- Update Information:
- Fix a segmentation fault in sr_rpm_package_uniq() - Respect kernel flavor when parsing package name - Parse backtrace without Thread header - Fix koops json output if there are no modules - Add support for multiple koops stacks
* Enrich koops uReport data with koops text and kernel version. * Improve koops modules handling. * Added support for json de/serialization of reports and stacktraces. * Library version number increased, as the interface changed since the last release -------------------------------------------------------------------------------- ChangeLog:
* Thu Oct 3 2013 Jakub Filak jfilak@redhat.com 0.10-1 - New upstream version - Fix a segmentation fault in sr_rpm_package_uniq() - Respect kernel flavor when parsing package name - Parse backtrace without Thread header - Fix koops json output if there are no modules - Add support for multiple koops stacks * Wed Sep 11 2013 Jakub Filak jfilak@redhat.com 0.9-1 - New upstream version - Enrich koops uReport data with koops text and kernel version. - Improve koops modules handling. * Wed Aug 28 2013 Richard Markormarko@redhat.com 0.8-1 - New upstream version - Added support for json de/serialization of reports and stacktraces. - Library version number increased, as the interface changed since the last release * Mon Aug 26 2013 Martin Milata mmilata@redhat.com 0.7-1 - New upstream version - Fix couple of crashes (#997076, #994747) * Mon Jul 29 2013 Martin Milata mmilata@redhat.com 0.6-1 - New upstream version - Do not export internal function symbols. --------------------------------------------------------------------------------
================================================================================ transifex-client-0.9-4.el6 (FEDORA-EPEL-2013-11819) Command line tool for Transifex translation management -------------------------------------------------------------------------------- Update Information:
Command line tool for Transifex translation management
-------------------------------------------------------------------------------- ChangeLog:
* Thu Oct 10 2013 Luis Bazan lbazan@fedoraproject.org - 0.9-4 - Fix BZ #1002546 * Mon Aug 26 2013 Luis Bazan lbazan@fedoraproject.org - 0.9-3 - remove dependency * Thu Aug 15 2013 Luis Bazan lbazan@fedoraproject.org - 0.9-2 - add new requirement -------------------------------------------------------------------------------- References:
[ 1 ] Bug #1002546 - Missing Dependency: python-setuptools.noarch https://bugzilla.redhat.com/show_bug.cgi?id=1002546 --------------------------------------------------------------------------------
epel-devel@lists.fedoraproject.org