The following Fedora EPEL 8 Security updates need testing:
 Age  URL
   3  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-83ab5bb91b   opensmtpd-6.8.0p2-1.el8
The following builds have been pushed to Fedora EPEL 8 updates-testing
GraphicsMagick-1.3.36-2.el8
beakerlib-1.23-1.el8
bpytop-1.0.61-1.el8
chromium-88.0.4324.96-1.el8
icewm-2.1.1-1.el8
lua-rpm-macros-1-3.el8
perl-LWP-Online-1.08-29.el8
Details about builds:
================================================================================
GraphicsMagick-1.3.36-2.el8 (FEDORA-EPEL-2021-a67c7cb2e0)
An ImageMagick fork, offering faster image generation and better quality
--------------------------------------------------------------------------------
Update Information:
Fix urw-font bundling on epel-8 builds
--------------------------------------------------------------------------------
ChangeLog:
* Mon Jan 25 2021 Rex Dieter <rdieter(a)fedoraproject.org> - 1.3.36-2
- fix bundled urw font install (#1911008)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1919997 - Unable to read font
https://bugzilla.redhat.com/show_bug.cgi?id=1919997
--------------------------------------------------------------------------------
================================================================================
beakerlib-1.23-1.el8 (FEDORA-EPEL-2021-e89b265534)
A shell-level integration testing library
--------------------------------------------------------------------------------
Update Information:
- TestResults state indicator
- profiling code
- rebased yash to 1.1
- fixed rlAssertLesser
- fixed failed library load name logging
----
- ability to parse fmf id references
- ability to use a simpler library name - library(foo), {url: '../foo.git', name: '/'}, meaning the library is in the root folder
- ability to put the library even deeper in the tree - library(foo/path/to/the/library), {url: '../foo.git', name: '/path/to/the/library'}
- rebased yash to 1.0
- and a few more minor fixes
--------------------------------------------------------------------------------
ChangeLog:
* Tue Jan 26 2021 Dalibor Pospisil <dapospis(a)redhat.com> - 1.23-1
- TestResults state indicator
- profiling code
- rebased yash to 1.1
- fixed rlAssertLesser
- fixed failed library load name logging
* Fri Jan 15 2021 Dalibor Pospisil <dapospis(a)redhat.com> - 1.22-1
- ability to parse fmf id references
- ability to use a simpler library name - library(foo), {url: '../foo.git', name: '/'}, meaning the library is in the root folder
- ability to put the library even deeper in the tree - library(foo/path/to/the/library), {url: '../foo.git', name: '/path/to/the/library'}
- rebased yash to 1.0
- and a few more minor fixes
--------------------------------------------------------------------------------
================================================================================
bpytop-1.0.61-1.el8 (FEDORA-EPEL-2021-d3023e0da5)
Linux/OSX/FreeBSD resource monitor
--------------------------------------------------------------------------------
Update Information:
Update to latest version
--------------------------------------------------------------------------------
ChangeLog:
* Mon Jan 25 2021 Artem Polishchuk <ego.cordatus(a)gmail.com> - 1.0.61-1
- build(update): 1.0.61
* Sat Jan 23 2021 Artem Polishchuk <ego.cordatus(a)gmail.com> - 1.0.60-1
- build(update): 1.0.60
* Mon Jan 11 2021 Artem Polishchuk <ego.cordatus(a)gmail.com> - 1.0.59-1
- build(update): 1.0.59
* Sun Jan 10 2021 Artem Polishchuk <ego.cordatus(a)gmail.com> - 1.0.58-1
- build(update): 1.0.58
* Wed Jan 6 2021 Artem Polishchuk <ego.cordatus(a)gmail.com> - 1.0.57-1
- build(update): 1.0.57
* Tue Jan 5 2021 Artem Polishchuk <ego.cordatus(a)gmail.com> - 1.0.56-1
- build(update): 1.0.56
* Sat Jan 2 2021 Artem Polishchuk <ego.cordatus(a)gmail.com> - 1.0.55-1
- build(update): 1.0.55
* Thu Dec 31 2020 Artem Polishchuk <ego.cordatus(a)gmail.com> - 1.0.54-1
- build(update): 1.0.54
* Wed Dec 30 2020 Artem Polishchuk <ego.cordatus(a)gmail.com> - 1.0.53-1
- build(update): 1.0.53
* Sat Dec 19 2020 Artem Polishchuk <ego.cordatus(a)gmail.com> - 1.0.51-1
- build(update): 1.0.51
--------------------------------------------------------------------------------
================================================================================
chromium-88.0.4324.96-1.el8 (FEDORA-EPEL-2021-b68969af8c)
A WebKit (Blink) powered web browser
--------------------------------------------------------------------------------
Update Information:
This is probably not the update you want. Let me be clear, it does fix the
security vulnerabilities in this list: CVE-2020-16044 CVE-2021-21118
CVE-2021-21119 CVE-2021-21120 CVE-2021-21121 CVE-2021-21122 CVE-2021-21123
CVE-2021-21124 CVE-2021-21125 CVE-2021-21126 CVE-2021-21127 CVE-2021-21129
CVE-2021-21130 CVE-2021-21131 CVE-2021-21132 CVE-2021-21133 CVE-2021-21134
CVE-2021-21135 CVE-2021-21136 CVE-2021-21137 CVE-2021-21138 CVE-2021-21139
CVE-2021-21140 CVE-2021-21141 CVE-2021-21117 CVE-2021-21128.

But it will not behave like Google Chrome does. Google has announced that it is
cutting off access to the Sync and "other Google Exclusive" APIs from all builds
except Google Chrome. This will make the EPEL Chromium build significantly less
functional (along with every other distro packaged Chromium). It is noteworthy
that Google _gave_ the builders of distribution Chromium packages these access
rights back in 2013 via API keys, specifically so that we could have open source
builds of Chromium with (near) feature parity to Chrome. And now they're taking
it away. The reasoning given for this change? Google does not want users to be
able to "access their personal Chrome Sync data (such as bookmarks) ... with a
non-Google, Chromium-based browser." They're not closing a security hole,
they're just requiring that everyone use Chrome. Or to put it bluntly, they do
not want you to access their Google API functionality without using proprietary
software (Google Chrome). There is no good reason for Google to do this, other
than to force people to use Chrome.

I gave a lot of thought to whether I wanted to continue to maintain the Chromium
package in EPEL, given that many (most?) users will be confused/annoyed when API
functionality like sync and geolocation stops working for no good reason.
Ultimately, I decided to continue for now, because there were at least some
users who didn't mind, and if I stopped, someone else would start over and run
blindly into this problem. I would say that you might want to reconsider whether
you want to use Chromium or not. If you want the full "Google" experience, you
can run the proprietary Chrome. If you want to use a FOSS browser that isn't
hobbled, there is a Firefox package in whatever EL flavor you're using.

Oh, last, but not least, Google isn't shutting off the API access until
March 15, 2021, but I have gone ahead and disabled it starting with this update.
I'd rather you read about it here (even though most users will never see this)
than have it just happen.
----
Update Chromium to 87.0.4280.141. Fixes: CVE-2021-21106 CVE-2021-21107
CVE-2021-21108 CVE-2021-21109 CVE-2021-21110 CVE-2021-21111 CVE-2021-21112
CVE-2021-21113 CVE-2020-16043 CVE-2021-21114 CVE-2020-15995 CVE-2021-21115
CVE-2021-21116
--------------------------------------------------------------------------------
ChangeLog:
* Wed Jan 20 2021 Tom Callaway <spot(a)fedoraproject.org> - 88.0.4324.96-1
- 88 goes from beta to stable
- disable use of api keys (Google shut off API access)
* Wed Jan 13 2021 Tom Callaway <spot(a)fedoraproject.org>
- update to 87.0.4280.141
* Wed Dec 30 2020 Tom Callaway <spot(a)fedoraproject.org> - 88.0.4324.50-1
- update to 88.0.4324.50
- drop patches 74 & 75 (applied upstream)
* Thu Dec 17 2020 Tom Callaway <spot(a)fedoraproject.org>
- add two patches for missing headers to build with gcc 11
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1913624 - CVE-2021-21106 chromium-browser: Use after free in autofill
https://bugzilla.redhat.com/show_bug.cgi?id=1913624
[ 2 ] Bug #1913625 - CVE-2021-21107 chromium-browser: Use after free in drag and drop
https://bugzilla.redhat.com/show_bug.cgi?id=1913625
[ 3 ] Bug #1913626 - CVE-2021-21108 chromium-browser: Use after free in media
https://bugzilla.redhat.com/show_bug.cgi?id=1913626
[ 4 ] Bug #1913627 - CVE-2021-21109 chromium-browser: Use after free in payments
https://bugzilla.redhat.com/show_bug.cgi?id=1913627
[ 5 ] Bug #1913629 - CVE-2021-21110 chromium-browser: Use after free in safe browsing
https://bugzilla.redhat.com/show_bug.cgi?id=1913629
[ 6 ] Bug #1913630 - CVE-2021-21111 chromium-browser: Insufficient policy enforcement in
WebUI
https://bugzilla.redhat.com/show_bug.cgi?id=1913630
[ 7 ] Bug #1913631 - CVE-2021-21112 chromium-browser: Use after free in Blink
https://bugzilla.redhat.com/show_bug.cgi?id=1913631
[ 8 ] Bug #1913632 - CVE-2021-21113 chromium-browser: Heap buffer overflow in Skia
https://bugzilla.redhat.com/show_bug.cgi?id=1913632
[ 9 ] Bug #1913633 - CVE-2020-16043 chromium-browser: Insufficient data validation in
networking
https://bugzilla.redhat.com/show_bug.cgi?id=1913633
[ 10 ] Bug #1913634 - CVE-2021-21114 chromium-browser: Use after free in audio
https://bugzilla.redhat.com/show_bug.cgi?id=1913634
[ 11 ] Bug #1913635 - CVE-2020-15995 chromium-browser: Out of bounds write in V8
https://bugzilla.redhat.com/show_bug.cgi?id=1913635
[ 12 ] Bug #1913636 - CVE-2021-21115 chromium-browser: Use after free in safe browsing
https://bugzilla.redhat.com/show_bug.cgi?id=1913636
[ 13 ] Bug #1913637 - CVE-2021-21116 chromium-browser: Heap buffer overflow in audio
https://bugzilla.redhat.com/show_bug.cgi?id=1913637
[ 14 ] Bug #1918218 - CVE-2021-21118 chromium-browser: Insufficient data validation in
V8
https://bugzilla.redhat.com/show_bug.cgi?id=1918218
[ 15 ] Bug #1918219 - CVE-2021-21119 chromium-browser: Use after free in Media
https://bugzilla.redhat.com/show_bug.cgi?id=1918219
[ 16 ] Bug #1918220 - CVE-2021-21120 chromium-browser: Use after free in WebSQL
https://bugzilla.redhat.com/show_bug.cgi?id=1918220
[ 17 ] Bug #1918222 - CVE-2021-21121 chromium-browser: Use after free in Omnibox
https://bugzilla.redhat.com/show_bug.cgi?id=1918222
[ 18 ] Bug #1918223 - CVE-2021-21122 chromium-browser: Use after free in Blink
https://bugzilla.redhat.com/show_bug.cgi?id=1918223
[ 19 ] Bug #1918224 - CVE-2021-21123 chromium-browser: Insufficient data validation in
File System API
https://bugzilla.redhat.com/show_bug.cgi?id=1918224
[ 20 ] Bug #1918225 - CVE-2021-21124 chromium-browser: Potential user after free in
Speech Recognizer
https://bugzilla.redhat.com/show_bug.cgi?id=1918225
[ 21 ] Bug #1918226 - CVE-2021-21125 chromium-browser: Insufficient policy enforcement
in File System API
https://bugzilla.redhat.com/show_bug.cgi?id=1918226
[ 22 ] Bug #1918227 - CVE-2021-21126 chromium-browser: Insufficient policy enforcement
in extensions
https://bugzilla.redhat.com/show_bug.cgi?id=1918227
[ 23 ] Bug #1918228 - CVE-2021-21127 chromium-browser: Insufficient policy enforcement
in extensions
https://bugzilla.redhat.com/show_bug.cgi?id=1918228
[ 24 ] Bug #1918229 - CVE-2021-21129 chromium-browser: Insufficient policy enforcement
in File System API
https://bugzilla.redhat.com/show_bug.cgi?id=1918229
[ 25 ] Bug #1918230 - CVE-2021-21130 chromium-browser: Insufficient policy enforcement
in File System API
https://bugzilla.redhat.com/show_bug.cgi?id=1918230
[ 26 ] Bug #1918231 - CVE-2021-21131 chromium-browser: Insufficient policy enforcement
in File System API
https://bugzilla.redhat.com/show_bug.cgi?id=1918231
[ 27 ] Bug #1918232 - CVE-2021-21132 chromium-browser: Inappropriate implementation in
DevTools
https://bugzilla.redhat.com/show_bug.cgi?id=1918232
[ 28 ] Bug #1918233 - CVE-2021-21133 chromium-browser: Insufficient policy enforcement
in Downloads
https://bugzilla.redhat.com/show_bug.cgi?id=1918233
[ 29 ] Bug #1918235 - CVE-2021-21134 chromium-browser: Incorrect security UI in Page
Info
https://bugzilla.redhat.com/show_bug.cgi?id=1918235
[ 30 ] Bug #1918236 - CVE-2021-21135 chromium-browser: Inappropriate implementation in
Performance API
https://bugzilla.redhat.com/show_bug.cgi?id=1918236
[ 31 ] Bug #1918237 - CVE-2021-21136 chromium-browser: Insufficient policy enforcement
in WebView
https://bugzilla.redhat.com/show_bug.cgi?id=1918237
[ 32 ] Bug #1918238 - CVE-2021-21137 chromium-browser: Inappropriate implementation in
DevTools
https://bugzilla.redhat.com/show_bug.cgi?id=1918238
[ 33 ] Bug #1918239 - CVE-2021-21138 chromium-browser: Use after free in DevTools
https://bugzilla.redhat.com/show_bug.cgi?id=1918239
[ 34 ] Bug #1918240 - CVE-2021-21139 chromium-browser: Inappropriate implementation in
iframe sandbox
https://bugzilla.redhat.com/show_bug.cgi?id=1918240
[ 35 ] Bug #1918241 - CVE-2021-21140 chromium-browser: Uninitialized Use in USB
https://bugzilla.redhat.com/show_bug.cgi?id=1918241
[ 36 ] Bug #1918242 - CVE-2021-21141 chromium-browser: Insufficient policy enforcement
in File System API
https://bugzilla.redhat.com/show_bug.cgi?id=1918242
--------------------------------------------------------------------------------
================================================================================
icewm-2.1.1-1.el8 (FEDORA-EPEL-2021-1daf1e3147)
Window manager designed for speed, usability, and consistency
--------------------------------------------------------------------------------
Update Information:
Update to 2.1.1
----
Update to latest version
--------------------------------------------------------------------------------
ChangeLog:
* Mon Jan 25 2021 Artem Polishchuk <ego.cordatus(a)gmail.com> - 2.1.1-1
- build(update): 2.1.1
* Sat Jan 23 2021 Artem Polishchuk <ego.cordatus(a)gmail.com> - 2.1.0-1
- build(update): 2.1.0
--------------------------------------------------------------------------------
================================================================================
lua-rpm-macros-1-3.el8 (FEDORA-EPEL-2021-85d639bb48)
The common Lua RPM macros
--------------------------------------------------------------------------------
Update Information:
- Modify several conditionals to support RHEL 9+ and drop ancient Fedora 17
- Add explicit conflict with older lua-devel
- Require rpm, not redhat-rpm-config
--------------------------------------------------------------------------------
ChangeLog:
* Tue Sep 1 2020 Miro Hrončok <mhroncok(a)redhat.com> - 1-3
- Modify several conditionals to support RHEL 9+ and drop ancient Fedora 17
- Add explicit conflict with older lua-devel
- Require rpm, not redhat-rpm-config
--------------------------------------------------------------------------------
================================================================================
perl-LWP-Online-1.08-29.el8 (FEDORA-EPEL-2021-279e83be5c)
Check whether your process has access to the web
--------------------------------------------------------------------------------
Update Information:
This release provides a new perl-LWP-Online package which checks whether a host
is connected to the Internet.
--------------------------------------------------------------------------------
ChangeLog:
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1919732 - Please build perl-LWP-Online for EPEL 8
https://bugzilla.redhat.com/show_bug.cgi?id=1919732
--------------------------------------------------------------------------------