The following Fedora EPEL 5 Security updates need testing:
 Age  URL
 885  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2012-5630/bugzilla-3....
 339  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-11893/libguestfs...
 104  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-1626/puppet-2.7....
  94  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-1696/perl-Email-...
  88  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-1747/mediawiki11...
  47  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-2153/drupal6-6.3...
  47  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-2150/drupal7-7.3...
  17  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-2424/389-ds-base...
  12  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-2558/qmmp-0.2.3-...
  12  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-2560/pdns-recurs...
   0  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-2669/check-mk-1....
   0  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-2694/TeXmacs-1.0...
   0  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-2686/putty-0.63-...
   0  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-2728/phpMyAdmin4...
The following builds have been pushed to Fedora EPEL 5 updates-testing
TeXmacs-1.0.7.2-3.el5
check-mk-1.2.4p5-1.el5
collectl-3.7.4-1.el5
lcmaps-1.6.5-2.el5
mozilla-https-everywhere-4.0.1-1.el5
php53-tcpdf-6.0.091-2.el5
phpMyAdmin4-4.0.10.3-2.el5
putty-0.63-3.el5
python-requests-1.1.0-5.el5
Details about builds:
================================================================================
TeXmacs-1.0.7.2-3.el5 (FEDORA-EPEL-2014-2694)
Structured wysiwyg scientific text editor
--------------------------------------------------------------------------------
Update Information:
CVE-2010-3394 TeXmacs: insecure library loading vulnerability
--------------------------------------------------------------------------------
ChangeLog:
* Wed Sep 17 2014 Mark Chappell <tremble(a)tremble.org.uk> - 1.0.7.2-3
- Patch for CVE-2010-3394
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #638427 - CVE-2010-3394 TeXmacs: insecure library loading vulnerability
https://bugzilla.redhat.com/show_bug.cgi?id=638427
--------------------------------------------------------------------------------
================================================================================
check-mk-1.2.4p5-1.el5 (FEDORA-EPEL-2014-2669)
A new general purpose Nagios-plugin for retrieving data
--------------------------------------------------------------------------------
Update Information:
New upstream release providing many security fixes.
--------------------------------------------------------------------------------
ChangeLog:
* Wed Sep 17 2014 Andrea Veri <averi(a)fedoraproject.org> - 1.2.4p5-1
- New upstream release. Fixes CVEs:
- CVE-2014-5338
- CVE-2014-5339
- CVE-2014-5340 (BZ: #1132337, #1132339, #1132341)
- Stop shipping the j4p_performance plugin as it's deprecated. (BZ: #1133068)
- Turn Wato_Legacy_Eval as True as we want to prevent breakages
between machines running different Python and/or check-mk releases.
This is necessary after the 'ast' move from 'pickle' (that was
generating an insecure API call); however, the 'ast' module is still
not available for RHEL / CentOS 5 machines. The patch is there to
avoid miscommunications between different distribution releases. More
information is available at:
http://mathias-kettner.com/check_mk_werks.php?werk_id=984.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1132337 - CVE-2014-5338 CVE-2014-5339 CVE-2014-5340 check-mk: multiple flaws fixed in versions 1.2.4p4 and 1.2.5i4
https://bugzilla.redhat.com/show_bug.cgi?id=1132337
--------------------------------------------------------------------------------
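The check-mk changelog above explains the reason for the pickle-to-ast move without showing it. The following is an added illustration, not check-mk's code and not the werk-984 patch: it deserialises a constructed payload with pickle to show why a peer-supplied pickle stream amounts to remote code execution, and then parses the same kind of plain data with ast.literal_eval, which accepts only literals. The payload, the sample config and the helper names are all constructed for the example. (The fallback the changelog mentions for RHEL/CentOS 5, where Python 2.4 has no ast module, is not shown.)

```python
import ast
import pickle

# Records what ran while the pickle stream was being loaded, so the side
# effect is observable without touching the filesystem or a shell.
SIDE_EFFECTS = []


def _attacker_callable(tag):
    """Stand-in for os.system or similar: invoked by the unpickler, not by us."""
    SIDE_EFFECTS.append(tag)
    return tag


class _Payload(object):
    """A pickled object may name any importable callable plus arguments to
    rebuild itself; pickle.loads calls it. That is the insecure API call
    the changelog refers to when data arrives from another machine."""

    def __reduce__(self):
        return (_attacker_callable, ("code ran inside pickle.loads",))


def build_malicious_pickle():
    """Constructed payload a hostile peer could send (sample data, not check-mk output)."""
    return pickle.dumps(_Payload(), protocol=2)


def unsafe_load(blob):
    """Deserialising peer data with pickle: executes whatever the stream names."""
    return pickle.loads(blob)


def safe_load(text):
    """ast.literal_eval accepts only literals (dict, list, tuple, set, str,
    numbers, bool, None). Names, attribute access and calls raise ValueError,
    so no code can run no matter what the peer sends."""
    return ast.literal_eval(text)


def safe_dump(obj):
    """Sender side: repr() of plain data round-trips through literal_eval."""
    return repr(obj)


def is_rejected(text):
    """True when literal_eval refuses the input (i.e. it was not a pure literal)."""
    try:
        ast.literal_eval(text)
    except (ValueError, SyntaxError):
        return True
    return False


# Constructed sample: the kind of plain data a monitoring peer would exchange.
SAMPLE_CONFIG = {"host": "web01", "checks": ["cpu", "mem"], "interval": 60}

if __name__ == "__main__":
    print(unsafe_load(build_malicious_pickle()), SIDE_EFFECTS)
    print(safe_load(safe_dump(SAMPLE_CONFIG)))
    print(is_rejected("__import__('os').system('id')"))
```

The point of the comparison is that pickle's format carries instructions (which callable to import and invoke) while a repr/literal_eval exchange carries only data; the receiver never needs to trust the sender for the second to be safe.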
================================================================================
collectl-3.7.4-1.el5 (FEDORA-EPEL-2014-2705)
A utility to collect various Linux performance data
--------------------------------------------------------------------------------
Update Information:
- update to upstream version 3.7.4
- upstream changelog at
http://collectl.sourceforge.net/Releases.html
--------------------------------------------------------------------------------
ChangeLog:
* Mon Sep 15 2014 Dan Horák <dan[at]danny.cz> - 3.7.4-1
- upgrade to upstream version 3.7.4 (#1140499)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1140499 - collectl-3.7.4 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1140499
--------------------------------------------------------------------------------
================================================================================
lcmaps-1.6.5-2.el5 (FEDORA-EPEL-2014-2746)
Grid (X.509) and VOMS credentials to local account mapping service
--------------------------------------------------------------------------------
Update Information:
Update to upstream version 1.6.5
--------------------------------------------------------------------------------
ChangeLog:
* Wed Sep 17 2014 Dennis van Dok <dennisvd(a)nikhef.nl> 1.6.5-2
- Compounded the changelog entries of intermediate versions
* Wed Sep 17 2014 Mischa Salle <msalle(a)nikhef.nl> 1.6.5-1
- Do not install very old doc/INSTALL_WITH_WORKSPACE_SERVICE
- Install NEWS file
- Fix macro expansion for pkgconfig to include only rhel not fedora
- Add new interface files, Remove the unused patch
- Create empty plugin directory
- Do not remove lcmaps_plugin_example related files, as they are not installed
--------------------------------------------------------------------------------
================================================================================
mozilla-https-everywhere-4.0.1-1.el5 (FEDORA-EPEL-2014-2741)
HTTPS/HSTS enforcement extension for Mozilla Firefox and SeaMonkey
--------------------------------------------------------------------------------
Update Information:
4.0.0 changes
- Ruleset fixes to wikimedia, stanford-university, joyent, and gaytorrents.
- Merge Android Firefox branch, so Android now has the same release cycle
-- as the stable HTTPS Everywhere branch for Firefox.
- Remove old unused ContentPolicy code.
- FEDORA/RHEL SPECIFIC - Place version conditionals for GNOME Software
-- Center metadata in spec file.
4.0.1 changes
- Significant new coverage: Reddit, Quora
- Fixes include:
-- Frontier Networks, Hotmail / Live, Microsoft, Mozilla, Ohio State, Rackspace, SJ.se, Timbo.se
-- https://github.com/EFForg/https-everywhere/issues/310
-- https://github.com/EFForg/https-everywhere/issues/500
-- https://trac.torproject.org/projects/tor/ticket/11402
-- https://trac.torproject.org/projects/tor/ticket/11418
-- https://trac.torproject.org/projects/tor/ticket/12583
-- https://trac.torproject.org/projects/tor/ticket/12104
-- https://trac.torproject.org/projects/tor/ticket/9466
-- https://github.com/EFForg/https-everywhere/issues/144
- Enhancements to MCB detection and subsequent ruleset fixes
-- https://github.com/EFForg/https-everywhere/issues/529
--------------------------------------------------------------------------------
ChangeLog:
* Sat Sep 13 2014 Russell Golden <niveusluna(a)niveusluna.org> - 4.0.1-1
- Significant new coverage: Reddit, Quora
- Fixes include:
-- Frontier Networks, Hotmail / Live, Microsoft, Mozilla, Ohio State, Rackspace, SJ.se, Timbo.se
-- https://github.com/EFForg/https-everywhere/issues/310
-- https://github.com/EFForg/https-everywhere/issues/500
-- https://trac.torproject.org/projects/tor/ticket/11402
-- https://trac.torproject.org/projects/tor/ticket/11418
-- https://trac.torproject.org/projects/tor/ticket/12583
-- https://trac.torproject.org/projects/tor/ticket/12104
-- https://trac.torproject.org/projects/tor/ticket/9466
-- https://github.com/EFForg/https-everywhere/issues/144
- Enhancements to MCB detection and subsequent ruleset fixes
-- https://github.com/EFForg/https-everywhere/issues/529
* Thu Sep 4 2014 Russell Golden <niveusluna(a)niveusluna.org> - 4.0.0-1
- Ruleset fixes to wikimedia, stanford-university, joyent, and gaytorrents.
- Merge Android Firefox branch, so Android now has the same release cycle
-- as the stable HTTPS Everywhere branch for Firefox.
- Remove old unused ContentPolicy code.
- FEDORA/RHEL SPECIFIC - Place version conditionals for GNOME Software
-- Center metadata in spec file.
* Tue Aug 19 2014 Richard Hughes <richard(a)hughsie.com> - 3.5.3-2
- Add a MetaInfo file for GNOME Software and Apper.
--------------------------------------------------------------------------------
================================================================================
php53-tcpdf-6.0.091-2.el5 (FEDORA-EPEL-2014-2697)
PHP class for generating PDF documents and barcodes
--------------------------------------------------------------------------------
Update Information:
PHP class for generating PDF documents.
* no external libraries are required for the basic functions;
* all standard page formats, custom page formats, custom margins and units of measure;
* UTF-8 Unicode and Right-To-Left languages;
* TrueTypeUnicode, OpenTypeUnicode, TrueType, OpenType, Type1 and CID-0 fonts;
* font subsetting;
* methods to publish some XHTML + CSS code, Javascript and Forms;
* images, graphic (geometric figures) and transformation methods;
* supports JPEG, PNG and SVG images natively, all images supported by GD (GD, GD2,
GD2PART, GIF, JPEG, PNG, BMP, XBM, XPM) and all images supported via ImageMagick
(http://www.imagemagick.org/www/formats.html)
* 1D and 2D barcodes: CODE 39, ANSI MH10.8M-1983, USD-3, 3 of 9, CODE 93, USS-93,
Standard 2 of 5, Interleaved 2 of 5, CODE 128 A/B/C, 2 and 5 Digits UPC-Based Extension,
EAN 8, EAN 13, UPC-A, UPC-E, MSI, POSTNET, PLANET, RMS4CC (Royal Mail 4-state Customer
Code), CBC (Customer Bar Code), KIX (Klant index - Customer index), Intelligent Mail
Barcode, Onecode, USPS-B-3200, CODABAR, CODE 11, PHARMACODE, PHARMACODE TWO-TRACKS,
Datamatrix ECC200, QR-Code, PDF417;
* ICC Color Profiles, Grayscale, RGB, CMYK, Spot Colors and Transparencies;
* automatic page header and footer management;
* document encryption up to 256 bit and digital signature certifications;
* transactions to UNDO commands;
* PDF annotations, including links, text and file attachments;
* text rendering modes (fill, stroke and clipping);
* multiple columns mode;
* no-write page regions;
* bookmarks and table of content;
* text hyphenation;
* text stretching and spacing (tracking/kerning);
* automatic page break, line break and text alignments including justification;
* automatic page numbering and page groups;
* move and delete pages;
* page compression (requires php-zlib extension);
* XOBject templates;
* PDF/A-1b (ISO 19005-1:2005) support.
By default, TCPDF uses the GD library, which is known to be slower than the ImageMagick
solution. You can optionally install php-pecl-imagick; TCPDF will use it.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1121745 - Review Request: php53-tcpdf - PHP class for generating PDF documents
https://bugzilla.redhat.com/show_bug.cgi?id=1121745
--------------------------------------------------------------------------------
================================================================================
phpMyAdmin4-4.0.10.3-2.el5 (FEDORA-EPEL-2014-2728)
Handle the administration of MySQL over the World Wide Web
--------------------------------------------------------------------------------
Update Information:
phpMyAdmin is a tool written in PHP intended to handle the administration of MySQL over
the World Wide Web. Most frequently used operations are supported by the user interface
(managing databases, tables, fields, relations, indexes, users, permissions), while you
still have the ability to directly execute any SQL statement.
Features include an intuitive web interface, support for most MySQL features (browse and
drop databases, tables, views, fields and indexes, create, copy, drop, rename and alter
databases, tables, fields and indexes, maintenance server, databases and tables, with
proposals on server configuration, execute, edit and bookmark any SQL-statement, even
batch-queries, manage MySQL users and privileges, manage stored procedures and triggers),
import data from CSV and SQL, export data to various formats: CSV, SQL, XML, PDF,
OpenDocument Text and Spreadsheet, Word, Excel, LATEX and others, administering multiple
servers, creating PDF graphics of your database layout, creating complex queries using
Query-by-example (QBE), searching globally in a database or a subset of it, transforming
stored data into any format using a set of predefined functions, like displaying BLOB-data
as image or download-link and much more...
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #989660 - CVE-2013-4998 CVE-2013-4999 CVE-2013-5000 phpMyAdmin: Multiple full path disclosure flaws (PMASA-2013-12)
https://bugzilla.redhat.com/show_bug.cgi?id=989660
[ 2 ] Bug #989668 - CVE-2013-5003 phpMyAdmin: SQL injection leading to 'control user' role privilege escalation (PMASA-2013-15)
https://bugzilla.redhat.com/show_bug.cgi?id=989668
[ 3 ] Bug #1067713 - CVE-2014-1879 phpMyAdmin: XSS in import.php
https://bugzilla.redhat.com/show_bug.cgi?id=1067713
[ 4 ] Bug #1117600 - CVE-2014-4348 phpMyAdmin: Self-XSS due to unescaped HTML output in recent/favorite tables navigation
https://bugzilla.redhat.com/show_bug.cgi?id=1117600
[ 5 ] Bug #1117601 - CVE-2014-4349 phpMyAdmin: Self-XSS due to unescaped HTML output in navigation items hiding feature
https://bugzilla.redhat.com/show_bug.cgi?id=1117601
[ 6 ] Bug #1130865 - CVE-2014-5273 phpMyAdmin: multiple cross-site scripting issues (PMASA-2014-8)
https://bugzilla.redhat.com/show_bug.cgi?id=1130865
[ 7 ] Bug #1141635 - CVE-2014-6300 phpMyAdmin: XSS flaw possibly leading to root account creation (PMASA-2014-10)
https://bugzilla.redhat.com/show_bug.cgi?id=1141635
--------------------------------------------------------------------------------
================================================================================
putty-0.63-3.el5 (FEDORA-EPEL-2014-2686)
SSH, Telnet and Rlogin client
--------------------------------------------------------------------------------
Update Information:
Various bug fixes and security updates, including:
CVE-2013-4852 Integer overflow, leading to heap-based buffer overflow during SSH handshake
CVE-2011-4607 keyboard-interactive replies are not wiped from memory after authentication
--------------------------------------------------------------------------------
ChangeLog:
* Sun Aug 17 2014 Fedora Release Engineering <rel-eng(a)lists.fedoraproject.org> - 0.63-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Sat Jun 7 2014 Fedora Release Engineering <rel-eng(a)lists.fedoraproject.org> - 0.63-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Mon Aug 12 2013 Jaroslav Škarvada <jskarvad(a)redhat.com> - 0.63-1
- New version
Resolves: rhbz#995610
- Dropped perms, CVE-2013-4852, CVE-2013-4206, CVE-2013-4207,
CVE-2013-4208 patches (all in upstream)
* Thu Aug 8 2013 Jaroslav Škarvada <jskarvad(a)redhat.com> - 0.62-7
- Fixed a heap-corrupting buffer underrun bug in the modmul function
Resolves: CVE-2013-4206
- Fixed a buffer overflow vulnerability in the calculation of modular
inverses when verifying a DSA signature
Resolves: CVE-2013-4207
- Fixed problem when private keys are left in memory after being
used by PuTTY tools
Resolves: CVE-2013-4208
* Mon Aug 5 2013 Jaroslav Škarvada <jskarvad(a)redhat.com> - 0.62-6
- Fixed integer overflow
Resolves: CVE-2013-4852
- Fixed bogus dates in changelog (best estimated)
* Sun Aug 4 2013 Fedora Release Engineering <rel-eng(a)lists.fedoraproject.org> - 0.62-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Thu Feb 14 2013 Fedora Release Engineering <rel-eng(a)lists.fedoraproject.org> - 0.62-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
* Wed Sep 26 2012 Jaroslav Škarvada <jskarvad(a)redhat.com> - 0.62-3
- Added missing ImageMagick BuildRequires
* Wed Sep 19 2012 Jaroslav Škarvada <jskarvad(a)redhat.com> - 0.62-2
- Generated icon from sources
* Tue Aug 7 2012 Jaroslav Škarvada <jskarvad(a)redhat.com> - 0.62-1
- New version
* Sat Jan 14 2012 Fedora Release Engineering <rel-eng(a)lists.fedoraproject.org> - 0.60-9.20100910svn
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
* Tue Dec 6 2011 Adam Jackson <ajax(a)redhat.com> - 0.60-8.20100910svn
- Rebuild for new libpng
* Wed Feb 9 2011 Fedora Release Engineering <rel-eng(a)lists.fedoraproject.org> - 0.60-7.20100910svn
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #766868 - putty: keyboard-interactive replies are not wiped from memory after authentication [epel-5]
https://bugzilla.redhat.com/show_bug.cgi?id=766868
[ 2 ] Bug #766869 - putty: keyboard-interactive replies are not wiped from memory after authentication [epel-6]
https://bugzilla.redhat.com/show_bug.cgi?id=766869
[ 3 ] Bug #993034 - CVE-2013-4852 putty: Integer overflow, leading to heap-based buffer overflow during SSH handshake [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=993034
--------------------------------------------------------------------------------
================================================================================
python-requests-1.1.0-5.el5 (FEDORA-EPEL-2014-2723)
HTTP library, written in Python, for human beings
--------------------------------------------------------------------------------
Update Information:
Initial EL5 build
--------------------------------------------------------------------------------