The following Fedora EPEL 5 Security updates need testing:

 Age  URL
 536  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2012-5630/bugzilla-3.2.1...
  51  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-11276/ssmtp-2.61-21...
  27  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-11560/fail2ban-0.8....
   0  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-11811/mod_fcgid-2.2...
   0  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-11813/libtar-1.2.11...

The following builds have been pushed to Fedora EPEL 5 updates-testing

    libtar-1.2.11-14.el5
    mod_fcgid-2.2-12.el5
    mozilla-https-everywhere-3.4.2-1.el5
    python-sphinxcontrib-httpdomain-1.1.8-3.el5
    rpmlint-0.94-3.el5
    zabbix20-2.0.9-1.el5

Details about builds:

================================================================================
 libtar-1.2.11-14.el5 (FEDORA-EPEL-2013-11813)
 Tar file manipulation API
--------------------------------------------------------------------------------
Update Information:

fix CVE-2013-4397: buffer overflows by expanding a specially-crafted archive
--------------------------------------------------------------------------------
ChangeLog:

* Thu Oct 10 2013 Kamil Dudka kdudka@redhat.com - 1.2.11-14
- fix CVE-2013-4397: buffer overflows by expanding a specially-crafted archive
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1014492 - CVE-2013-4397 libtar: Heap-based buffer overflows by expanding a specially-crafted archive
        https://bugzilla.redhat.com/show_bug.cgi?id=1014492
--------------------------------------------------------------------------------

================================================================================
 mod_fcgid-2.2-12.el5 (FEDORA-EPEL-2013-11811)
 Apache2 module for high-performance server-side scripting
--------------------------------------------------------------------------------
Update Information:

This update includes a security fix for a possible heap buffer overwrite issue (CVE-2013-4365), back-ported from mod_fcgid 2.3.9.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Oct 8 2013 Paul Howarth paul@city-fan.org 2.2-12
- Fix possible heap buffer overwrite (CVE-2013-4365)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1017039 - CVE-2013-4365 mod_fcgid: heap overflow
        https://bugzilla.redhat.com/show_bug.cgi?id=1017039
--------------------------------------------------------------------------------

================================================================================
 mozilla-https-everywhere-3.4.2-1.el5 (FEDORA-EPEL-2013-11798)
 HTTPS/HSTS enforcement extension for Mozilla Firefox and SeaMonkey
--------------------------------------------------------------------------------
Update Information:

- HTTPS Everywhere builds are now deterministic!
- Global memory leak bug fixes
- Updated rules: Craigslist, Apple.com, Microsoft, CloudFront, UKLocalGov,
-- Bing, Cengage
- New rules from dev: IPTorrents.com, TvTorrents
--------------------------------------------------------------------------------
ChangeLog:

* Wed Oct 9 2013 Russell Golden niveusluna@niveusluna.org - 3.4.2-1
- HTTPS Everywhere builds are now deterministic!
- Global memory leak bug fixes
- Updated rules: Craigslist, Apple.com, Microsoft, CloudFront, UKLocalGov,
-- Bing, Cengage
- New rules from dev: IPTorrents.com, TvTorrents
--------------------------------------------------------------------------------

================================================================================
 python-sphinxcontrib-httpdomain-1.1.8-3.el5 (FEDORA-EPEL-2013-11812)
 Sphinx domain for documenting HTTP APIs
--------------------------------------------------------------------------------
Update Information:

The HTTP domain requires Sphinx 1.0, it does not work with Sphinx 0.6.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Oct 9 2013 Dan Callaghan dcallagh@redhat.com - 1.1.8-3
- require python-sphinx10 on EPEL
* Sun Aug 4 2013 Fedora Release Engineering rel-eng@lists.fedoraproject.org - 1.1.8-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1016434 - Extension sphinxcontrib.httpdomain could not be imported
        https://bugzilla.redhat.com/show_bug.cgi?id=1016434
--------------------------------------------------------------------------------

================================================================================
 rpmlint-0.94-3.el5 (FEDORA-EPEL-2013-11806)
 Tool for checking common errors in RPM packages
--------------------------------------------------------------------------------
Update Information:

Update license list, add AGPLv3+.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Oct 9 2013 Tom Callaway spot@fedoraproject.org - 0.94-3
- update license list
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #894187 - AGPLv3+ not recognized as valid license
        https://bugzilla.redhat.com/show_bug.cgi?id=894187
--------------------------------------------------------------------------------

================================================================================
 zabbix20-2.0.9-1.el5 (FEDORA-EPEL-2013-11795)
 Open-source monitoring solution for your IT infrastructure
--------------------------------------------------------------------------------
Update Information:

http://www.zabbix.com/rn2.0.9.php
The following issues were already sorted out in 2.0.8-3:
- ZBX-6804
- ZBX-6922
- ZBX-6992
- ZBX-7091

An SQL injection vulnerability inside frontend and API was discovered and mended:
https://support.zabbix.com/browse/ZBX-7091
CVE-2013-5743
Additional improvements:
- Patch for failing XML host import (ZBX-6922)
- SQL speed-up patch for graphs (ZBX-6804)
--------------------------------------------------------------------------------
ChangeLog:

* Wed Oct 9 2013 Volker Fröhlich volker27@gmx.at - 2.0.9-1
- New upstream release
- Drop obsolete patches ZBX-6804, ZBX-7091, ZBX-6922, ZBX-6992
* Mon Sep 23 2013 Volker Fröhlich volker27@gmx.at - 2.0.8-3
- Add SQL speed-up patch (ZBX-6804)
- Add SQL injection vulnerability patch (ZBX-7091, CVE-2013-5743)
- Add patch for failing XML host import (ZBX-6922)
* Fri Sep 13 2013 Volker Fröhlich volker27@gmx.at - 2.0.8-2
- Add php-ldap as a requirement for the frontend
- Add patch for ZBX-6992
--------------------------------------------------------------------------------

epel-devel@lists.fedoraproject.org