The following Fedora EPEL 7 Security updates need testing:

 Age  URL
   5  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-981e9f53ff   chromium-117.0.5938.92-2.el7
   3  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-ffb6e04eb7   drupal7-7.98-1.el7
   3  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-c283911e27   ckeditor-4.22.1-1.el7
   2  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-97dd2d11b6   xrdp-0.9.23.1-1.el7
The following builds have been pushed to Fedora EPEL 7 updates-testing

clustershell-1.9.2-1.el7
composer-1.10.27-1.el7
fedora-license-data-1.31-1.el7
libptytty-2.0-4.el7
rxvt-unicode-9.31-1.el7
Details about builds:
================================================================================
 clustershell-1.9.2-1.el7 (FEDORA-EPEL-2023-c1b3279c59)
 Python framework for efficient cluster administration
--------------------------------------------------------------------------------
Update Information:

Update to upstream release 1.9.2
--------------------------------------------------------------------------------
ChangeLog:

* Fri Sep 29 2023 Stephane Thiell sthiell@stanford.edu 1.9.2-1
- update to 1.9.2
--------------------------------------------------------------------------------
================================================================================
 composer-1.10.27-1.el7 (FEDORA-EPEL-2023-3ee7f851c6)
 Dependency Manager for PHP
--------------------------------------------------------------------------------
Update Information:

**Version 1.10.27** - 2023-09-29

* Security: Fixed possible remote code execution vulnerability if composer.phar is publicly accessible, executable as PHP, and register_argc_argv is enabled in php.ini (GHSA-jm6m-4632-36hf / **CVE-2023-43655**)
--------------------------------------------------------------------------------
ChangeLog:

* Fri Sep 29 2023 Remi Collet remi@remirepo.net - 1.10.27-1
- update to 1.10.27
--------------------------------------------------------------------------------
================================================================================
 fedora-license-data-1.31-1.el7 (FEDORA-EPEL-2023-2dfb1ec616)
 Fedora Linux license data
--------------------------------------------------------------------------------
Update Information:

Automatic update for fedora-license-data-1.31-1.el7.

##### **Changelog for fedora-license-data**

```
* Fri Sep 29 2023 Miroslav Suchý msuchy@redhat.com 1.31-1
- new license: GPL-2.0-or-later WITH Autoconf-exception-macro
- new license: LGPL-3.0-or-later WITH Autoconf-exception-macro
- new license: HPND-export-US-modify
- Add a public domain dedication from the SWORD Project
- Add LPPL-1.2 as not-allowed, add LPPL-1.3a+ as allowed
- new license: LGPL-2.1-only WITH Qt-LGPL-exception-1.1
- new license: SGI-OpenGL
- Add jhash public domain dedication for QEMU
- Add QEMU to the rijndael (AES) public domain license reference
- new license: SSH-short
- new license: GPL-2.0-or-later WITH UBDL-exception
- new license: McPhee-slideshow
- new license: HPND-DEC
- new license: magaz
- new license: ulem
- new license: fwlw
- new license: Kastrup
- Fix names of Linux-syscall-note TOML files
- Add reference to EDK2 package public domain code
- new license: HPND-sell-regexpr
- new license: Cronyx
- new license: Lucida-Bitmap-Fonts
- new license: LPPL-1.3c
- new license: swrule
- new license: BSD-Inferno-Nettverk
- Some code in OpenSSH has a Public Domain license
- new license: ssh-keyscan
- new license: HPND-Pbmplus
- Add public domain text from mingw-headers/mingw-winpthreads packages
- Add public domain test from Augeas project
- new license: BSD-Attribution-HPND-disclaimer
- new not allowed license: LicenseRef-Tyrian
- Add public domain entry for squid
```
--------------------------------------------------------------------------------
ChangeLog:

* Fri Sep 29 2023 Miroslav Suchý msuchy@redhat.com 1.31-1
- new license: GPL-2.0-or-later WITH Autoconf-exception-macro
- new license: LGPL-3.0-or-later WITH Autoconf-exception-macro
- new license: HPND-export-US-modify
- Add a public domain dedication from the SWORD Project
- Add LPPL-1.2 as not-allowed, add LPPL-1.3a+ as allowed
- new license: LGPL-2.1-only WITH Qt-LGPL-exception-1.1
- new license: SGI-OpenGL
- Add jhash public domain dedication for QEMU
- Add QEMU to the rijndael (AES) public domain license reference
- new license: SSH-short
- new license: GPL-2.0-or-later WITH UBDL-exception
- new license: McPhee-slideshow
- new license: HPND-DEC
- new license: magaz
- new license: ulem
- new license: fwlw
- new license: Kastrup
- Fix names of Linux-syscall-note TOML files
- Add reference to EDK2 package public domain code
- new license: HPND-sell-regexpr
- new license: Cronyx
- new license: Lucida-Bitmap-Fonts
- new license: LPPL-1.3c
- new license: swrule
- new license: BSD-Inferno-Nettverk
- Some code in OpenSSH has a Public Domain license
- new license: ssh-keyscan
- new license: HPND-Pbmplus
- Add public domain text from mingw-headers/mingw-winpthreads packages
- Add public domain test from Augeas project
- new license: BSD-Attribution-HPND-disclaimer
- new not allowed license: LicenseRef-Tyrian
- Add public domain entry for squid
--------------------------------------------------------------------------------
================================================================================
 libptytty-2.0-4.el7 (FEDORA-EPEL-2023-a99c56df6a)
 OS independent and secure pty/tty and utmp/wtmp/lastlog handling
--------------------------------------------------------------------------------
Update Information:

The last update for rxvt-unicode stripped it down to just the rxvt-unicode-terminfo subpackage, leaving the rxvt-unicode package empty with no files. This disruptive change was against EPEL policy. This new update restores the full rxvt-unicode package. It also updates the package to version 9.31 to match the version in EPEL 8, which correctly fixes CVE-2022-4170. It also introduces the libptytty dependency to EPEL 7.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Sep 27 2023 Carl George carlwgeorge@fedoraproject.org - 2.0-4
- Enable EPEL 7 build with devtoolset-8 and cmake3
* Wed Jan 4 2023 David Cantrell dcantrell@redhat.com - 2.0-3
- Convert license to SPDX format: GPL-2.0-or-later
* Fri Dec 16 2022 Robbie Harwood rharwood@redhat.com - 2.0-2
- Bump spec due to bodhi failures
* Fri Dec 16 2022 Robbie Harwood rharwood@redhat.com - 2.0-1
- Initial import (2.0)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2151598 - CVE-2022-4170 rxvt-unicode: remote code execution via background OSC [epel-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=2151598
[ 2 ] Bug #2160952 - rxvt-unicode-9.30-2.el7.x86_64 contains NO FILES
      https://bugzilla.redhat.com/show_bug.cgi?id=2160952
[ 3 ] Bug #2165151 - rxvt-unicode-9.30-2 RPM on Epel7 repository is an invalid RPM
      https://bugzilla.redhat.com/show_bug.cgi?id=2165151
[ 4 ] Bug #2170550 - EPEL7 - rxvt-unicode package contains no data
      https://bugzilla.redhat.com/show_bug.cgi?id=2170550
--------------------------------------------------------------------------------
================================================================================
 rxvt-unicode-9.31-1.el7 (FEDORA-EPEL-2023-a99c56df6a)
 Unicode version of rxvt
--------------------------------------------------------------------------------
Update Information:

The last update for rxvt-unicode stripped it down to just the rxvt-unicode-terminfo subpackage, leaving the rxvt-unicode package empty with no files. This disruptive change was against EPEL policy. This new update restores the full rxvt-unicode package. It also updates the package to version 9.31 to match the version in EPEL 8, which correctly fixes CVE-2022-4170. It also introduces the libptytty dependency to EPEL 7.
--------------------------------------------------------------------------------
ChangeLog:

* Thu Sep 28 2023 Carl George carlwgeorge@fedoraproject.org - 9.31-1
- Update to version 9.31
- Restore full package
- Build with devtoolset-8
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2151598 - CVE-2022-4170 rxvt-unicode: remote code execution via background OSC [epel-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=2151598
[ 2 ] Bug #2160952 - rxvt-unicode-9.30-2.el7.x86_64 contains NO FILES
      https://bugzilla.redhat.com/show_bug.cgi?id=2160952
[ 3 ] Bug #2165151 - rxvt-unicode-9.30-2 RPM on Epel7 repository is an invalid RPM
      https://bugzilla.redhat.com/show_bug.cgi?id=2165151
[ 4 ] Bug #2170550 - EPEL7 - rxvt-unicode package contains no data
      https://bugzilla.redhat.com/show_bug.cgi?id=2170550
--------------------------------------------------------------------------------
epel-devel@lists.fedoraproject.org