Fedora EPEL 5 updates-testing report - epel-devel - Fedora mailing-lists

8 Apr 2011


      The following Fedora EPEL 5 Security updates need testing:
https://admin.fedoraproject.org/updates/proftpd-1.3.3e-1.el5
    https://admin.fedoraproject.org/updates/rt3-3.6.10-2.el5
    https://admin.fedoraproject.org/updates/loggerhead-1.18.1-1.el5
    https://admin.fedoraproject.org/updates/python-feedparser-5.0.1-1.el5
The following builds have been pushed to Fedora EPEL 5 updates-testing
certmaster-0.28-1.el5
    func-0.28-1.el5
    pam_shield-0.9.5-4.el5
    proftpd-1.3.3e-1.el5
Details about builds:
================================================================================
 certmaster-0.28-1.el5 (FEDORA-EPEL-2011-3014)
 Remote certificate distribution framework
--------------------------------------------------------------------------------
Update Information:
- working properly with python 2.7+ :)
- new cpu module
- new yumcmd module
- func-command, func-find-user, func-down-hosts, func-list-vms-per-host,
func-ps-compare, func-whatsmyname, func-yum
- fix hostname finding
- add 'allow_unknown_minions' option to overlord - let's us have minions we don't have the certs available for locally but we know the host exists. Func will attempt to make the connection based on just resolving the name. If it resolves and the cert the host offers is signed by our Certmaster/CA then it will continue as normal.
- getfile module added (opposite of putfile with sensible directory
ideas)
- lots of fixes to the grouping code with puppetminions
- when we  create dirs for our command dbs on the overlord side, don't
assume everyone is global and root - behave when run as a user.
--------------------------------------------------------------------------------
ChangeLog:
* Thu Apr  7 2011 Seth Vidal <skvidal at fedoraproject.org> - 0.28-1
- 0.28
* Wed Aug 25 2010 Seth Vidal <skvidal at fedoraproject.org> - 0.27-1
- 0.27
* Thu Jun 11 2009 Adrian Likins alikins@redhat.com - 0.25-1
- add /etc/certmaster/func
* Tue May 26 2009 Adrian Likins alikins@redhat.com - 0.25-1
- add /var/lib/certmaster/certmaster* to spec and set perms
- add /var/log/certmaster/certmaster.log,audit.log to spec
  and set perms
* Wed Feb 18 2009 Adrian Likins alikins@redhat.com - 0.24.5
- remove version file
* Mon Jan 19 2009 Adrian Likins alikins@redhat.com - 0.24.4
- make inclusion of egginfo dependant on having python >= 2.5
- remove need for patch on rhel3+python2.4 cases (distutils should
  do all the /usr/bin/python renaming now)
- minor reformatting changes
* Tue Jan  6 2009 Greg Swift gregswift@gmail.com - 0.24-3x1
- Fixed spec because it was only building in rhel3
* Wed Dec 31 2008 Greg Swift gregswift@gmail.com - 0.24-2
- Patched SPEC to build on rhel3 with python2.3
- Added Patch0 to handle python2.3 if on rhel3
--------------------------------------------------------------------------------
================================================================================
 func-0.28-1.el5 (FEDORA-EPEL-2011-3014)
 Remote management framework
--------------------------------------------------------------------------------
Update Information:
- working properly with python 2.7+ :)
- new cpu module
- new yumcmd module
- func-command, func-find-user, func-down-hosts, func-list-vms-per-host,
func-ps-compare, func-whatsmyname, func-yum
- fix hostname finding
- add 'allow_unknown_minions' option to overlord - let's us have minions we don't have the certs available for locally but we know the host exists. Func will attempt to make the connection based on just resolving the name. If it resolves and the cert the host offers is signed by our Certmaster/CA then it will continue as normal.
- getfile module added (opposite of putfile with sensible directory
ideas)
- lots of fixes to the grouping code with puppetminions
- when we  create dirs for our command dbs on the overlord side, don't
assume everyone is global and root - behave when run as a user.
--------------------------------------------------------------------------------
ChangeLog:
* Thu Apr  7 2011 Seth Vidal <skvidal at fedoraproject.org> - 0.28-1
- 0.28  - require newer certmaster
* Wed Aug 25 2010 Seth Vidal <skvidal at fedoraproject.org> - 0.27-1
- bump to 0.27
* Wed Sep  9 2009 Adrian Likins alikins@redhat.com - 0.26-1
- require smolt (should be there on most stuff we support, and
  hardware module is lame without it)
* Wed Aug 26 2009 Adrian Likins alikins@redhat.com - 0.26-1
- rev
* Thu Aug 20 2009 Adrian Likins alikins@redhat.com - 0.25-2
- add func-group
* Thu Jun 11 2009 Adrian Likins alikins@redhat.com - 0.25-1
- add /etc/func/version
* Wed Jun 10 2009 Adrian Likins alikins@redhat.com - 0.25-1
- add CHANGES to spec file
* Wed May 27 2009 Adrian Likins alikins@redhat.com - 0.25-1
- add /var/log/func/*.log files to spec
- add a post section to chmod any log files with bogus perms
* Thu Apr 16 2009 Adrian Likins alikins@redhat.com - 0.24-5
- add an overlord.conf file
* Wed Feb 18 2009 Adrian Likins alikins@redhat.com - 0.24-5
- remove version file
* Mon Jan 19 2009 Adrian Likins alikins@redhat.com - 0.24.4
- make inclusion of egginfo dependant on having python >= 2.5
- remove need for patch on rhel3+python2.4 cases (distutils should
  do all the /usr/bin/python renaming now)
- minor reformatting changes
* Tue Jan  6 2009 Greg Swift gregswift@gmail.com - 0.24-3
- Fixed spec because it was only building in rhel3
* Wed Dec 31 2008 Greg Swift gregswift@gmail.com - 0.24-2
- Patched SPEC to build on rhel3 with python2.3
- Added Patch0 to handle python2.3 if on rhel3
--------------------------------------------------------------------------------
================================================================================
 pam_shield-0.9.5-4.el5 (FEDORA-EPEL-2011-3013)
 Pam Shield - A pam module to counter brute force attacks
--------------------------------------------------------------------------------
Update Information:
added %{optflags}
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #694557 - pam_shield not built with $RPM_OPT_FLAGS
        https://bugzilla.redhat.com/show_bug.cgi?id=694557
  [ 2 ] Bug #691153 - Review Request: pam_shield - pam module to block brute force attacks
        https://bugzilla.redhat.com/show_bug.cgi?id=691153
--------------------------------------------------------------------------------
================================================================================
 proftpd-1.3.3e-1.el5 (FEDORA-EPEL-2011-3010)
 Flexible, stable and highly-configurable FTP server
--------------------------------------------------------------------------------
Update Information:
This update, to the current upstream maintenance release, fixes a large number of bugs (see NEWS for details), and also a couple of security issues:
* Plaintext command injection vulnerability in FTPS implementation (i.e. mod_tls). See http://bugs.proftpd.org/show_bug.cgi?id=3624 for details.
* CVE-2011-1137 (badly formed SSH messages cause DoS). See http://bugs.proftpd.org/show_bug.cgi?id=3586 for details.
Other highlights include:
* Display messages work properly again.
* Performance improvements, especially during server startup/restarts.
--------------------------------------------------------------------------------
ChangeLog:
* Mon Apr  4 2011 Paul Howarth paul@city-fan.org 1.3.3e-1
- Update to 1.3.3e, fixing a large number of bugs reported upstream:
  - Process privileges may not handled properly when --enable-autoshadow is
    used (bug 3757)
  - mod_sftp closes channel too early after scp download (bug 3544)
  - mod_sftp_pam may tell client to disable echoing erroneously (bug 3579)
  - mod_sftp behaves badly when receiving badly formed SSH messages (bug 3586,
    CVE-2011-1137)
  - Using "$shell $libtool" in prxs does not work for all shells (bug 3593)
  - WrapAllowMsg directive broken due to bug 3423 (bug 3538)
  - SocketOptions receive/send buffer size parameters no longer work (bug 3607)
  - mod_wrap2 needs to support netmask rules for IPv6 addresses (bug 3606)
  - APPE/STOU upload flags erroneously preserved across upload commands
    (bug 3612)
  - Malicious module can use sreplace() function to overflow buffer (bug 3614)
  - Exiting sessions don't seem to die properly (bug 3619)
  - mod_delay sometimes logs "unable to load DelayTable into memory" (bug 3622)
  - Plaintext command injection in FTPS support (bug 3624)
  - mod_ifsession rules using regular expressions do not work (bug 3625)
  - Truncated client name saved in ScoreboardFile (bug 3623)
  - %w variable populated with non-absolute path in SQLLog statement (bug 3627)
  - Unnecessarily verbose "warning: unable to throttle bandwidth: Interrupted
    system call" (bug 3628)
  - SSH DISCONNECT messages sent by mod_sftp even for FTP connections in some
    cases (bug 3630)
  - mod_sql should log "unrecoverable database error" at a higher priority
    (bug 3632)
  - Proftpd is eating CPU when reparsing configuration file on SIGHUP (bug 3610)
  - Incorrect generation of DSA signature for SSH sessions (bug 3634)
- Nobody else likes macros for commands
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #681718 - CVE-2011-1137 proftpd: integer overflow in mod_sftp
        https://bugzilla.redhat.com/show_bug.cgi?id=681718
--------------------------------------------------------------------------------