The following Fedora EPEL 6 Security updates need testing:
 Age  URL
 583  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-7031         python-virtualenv-12.0.7-1.el6
 577  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-7168         rubygem-crack-0.3.2-2.el6
 467  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-e2b4b5b2fb   mcollective-2.8.4-1.el6
 439  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-35e240edd9   thttpd-2.25b-24.el6
 170  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-8594ed3a53   chicken-4.11.0-3.el6
  50  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-e3e50897ac   libbsd-0.8.3-2.el6
  34  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-8c6c7bf06e   dbus-sharp-0.7.0-16.el6 dbus-sharp-glib-0.5.0-14.el6 mono-4.2.4-9.el6
  11  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-b17ae6b75a   viewvc-1.1.26-1.el6 viewvc-1.1.26-1.el6 viewvc-1.1.26-1.el6 viewvc-1.1.26-1.el6
  11  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-2f6331df71   bitlbee-3.5.1-1.el6
   0  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-acd2c2af0d   nagios-4.2.4-4.el6
   0  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-2f218dd2b9   python-cjson-1.1.0-9.el6
The following builds have been pushed to Fedora EPEL 6 updates-testing
fedfind-3.4.3-1.el6
holland-1.0.14-3.el6
lynis-2.4.1-1.el6
nagios-4.2.4-4.el6
php-smbclient-0.9.0-1.el6
python-cached_property-1.3.0-7.el6
python-cjson-1.1.0-9.el6
python-defusedxml-0.4.1-9.el6
python-productmd-1.4-2.el6
xrootd-4.6.0-2.el6
Details about builds:
================================================================================
fedfind-3.4.3-1.el6 (FEDORA-EPEL-2017-0a935d4db5)
Fedora compose and image finder
--------------------------------------------------------------------------------
Update Information:
This update provides a new version of fedfind. The main change is that the
synthesized metadata for non-Pungi 4 composes has been enhanced to include a
`composeinfo` dict, and `disc_number` items in the image dicts. These changes
are necessary for `resultsdb_conventions` to work with the synthesized metadata.
Another change is that `fedfind.release.get_release(url='someurl')` will no
longer return generic `Pungi4Release` instances for URLs in unknown domains, as
Patrick van Uiterwijk suggested it may constitute a potential security problem
in some use cases. If this change causes you trouble, please report an issue or
contact me and it may be possible to restore the old behaviour as an option. On
EPEL 7, there is now a Python 3 build of the fedfind library (currently
`python34-fedfind`), and the `fedfind` CLI tool now uses the Python 3 library.
The other updated packages also gain Python 3 builds of their libraries (they
are all in fedfind's dependency chains). `freezegun` is updated to the last
release in the 0.1 series, 0.1.19, which should be compatible with the
previously-packaged version (0.1.12). On EPEL 6, the other packages don't
change significantly, but the package spec files were adjusted a bit so I went
ahead and built the packages.
--------------------------------------------------------------------------------
================================================================================
holland-1.0.14-3.el6 (FEDORA-EPEL-2017-b05651ba17)
Pluggable Backup Framework
--------------------------------------------------------------------------------
Update Information:
- Remove unneeded holland_version macro
- Remove example, maatkit, and random subpackages
- Move holland.lib.mysql and holland.lib.lvm modules into their own subpackages
- Clean up requirements
--------------------------------------------------------------------------------
================================================================================
lynis-2.4.1-1.el6 (FEDORA-EPEL-2017-9b64b8d526)
Security and system auditing tool
--------------------------------------------------------------------------------
Update Information:
Update to 2.4.1
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1421133 - lynis-2.4.1 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1421133
--------------------------------------------------------------------------------
================================================================================
nagios-4.2.4-4.el6 (FEDORA-EPEL-2017-acd2c2af0d)
Host/service/network monitoring program
--------------------------------------------------------------------------------
Update Information:
We found out that RHEL-6 does not like non-UTF, so removed German translation

----

Major update to Nagios to address outstanding Security needs.

----

nagios-4.0.8-1.fc21 nagios-4.0.8-1.fc22 nagios-4.0.8-1.el6 nagios-4.0.8-1.el7
nagios-4.0.8-1.fc23 - update to 4.0.8
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #469320 - CVE-2008-4796 snoopy: command execution via shell metacharacters
https://bugzilla.redhat.com/show_bug.cgi?id=469320
[ 2 ] Bug #958002 - CVE-2013-4214 Nagios core: html/rss-newsfeed.php insecure temporary
file usage
https://bugzilla.redhat.com/show_bug.cgi?id=958002
[ 3 ] Bug #1046113 - CVE-2013-7108 CVE-2013-7205 nagios: denial of service due to
off-by-one flaw in process_cgivars()
https://bugzilla.redhat.com/show_bug.cgi?id=1046113
--------------------------------------------------------------------------------
================================================================================
php-smbclient-0.9.0-1.el6 (FEDORA-EPEL-2017-7991082396)
PHP wrapper for libsmbclient
--------------------------------------------------------------------------------
Update Information:
**Version 0.9.0**
- fix gh#47 Incorrect function definition for smbclient_read
- optimization: enable stream wrapper reusing connections
--------------------------------------------------------------------------------
================================================================================
python-cached_property-1.3.0-7.el6 (FEDORA-EPEL-2017-0a935d4db5)
A cached-property for decorating methods in Python classes
--------------------------------------------------------------------------------
Update Information:
This update provides a new version of fedfind. The main change is that the
synthesized metadata for non-Pungi 4 composes has been enhanced to include a
`composeinfo` dict, and `disc_number` items in the image dicts. These changes
are necessary for `resultsdb_conventions` to work with the synthesized metadata.
Another change is that `fedfind.release.get_release(url='someurl')` will no
longer return generic `Pungi4Release` instances for URLs in unknown domains, as
Patrick van Uiterwijk suggested it may constitute a potential security problem
in some use cases. If this change causes you trouble, please report an issue or
contact me and it may be possible to restore the old behaviour as an option. On
EPEL 7, there is now a Python 3 build of the fedfind library (currently
`python34-fedfind`), and the `fedfind` CLI tool now uses the Python 3 library.
The other updated packages also gain Python 3 builds of their libraries (they
are all in fedfind's dependency chains). `freezegun` is updated to the last
release in the 0.1 series, 0.1.19, which should be compatible with the
previously-packaged version (0.1.12). On EPEL 6, the other packages don't
change significantly, but the package spec files were adjusted a bit so I went
ahead and built the packages.
--------------------------------------------------------------------------------
================================================================================
python-cjson-1.1.0-9.el6 (FEDORA-EPEL-2017-2f218dd2b9)
Fast JSON encoder/decoder for Python
--------------------------------------------------------------------------------
Update Information:
This update prevents `python-cjson` from crashing when attempting to parse
heavily nested JSON structures (which could be exploited for denial of service
purposes, against any application that uses `python-cjson` to parse arbitrary
input).
--------------------------------------------------------------------------------
================================================================================
python-defusedxml-0.4.1-9.el6 (FEDORA-EPEL-2017-11db92ff83)
XML bomb protection for Python stdlib modules
--------------------------------------------------------------------------------
Update Information:
This updates `defusedxml` to the last upstream release which works with Python
2.6, 0.4.1. It also includes various package layout improvements. It renames the
package from `python-defusedxml` to `python2-defusedxml`; obsoletes and provides
are in place that should ensure a smooth transition.
--------------------------------------------------------------------------------
================================================================================
python-productmd-1.4-2.el6 (FEDORA-EPEL-2017-0a935d4db5)
Library providing parsers for metadata related to OS installation
--------------------------------------------------------------------------------
Update Information:
This update provides a new version of fedfind. The main change is that the
synthesized metadata for non-Pungi 4 composes has been enhanced to include a
`composeinfo` dict, and `disc_number` items in the image dicts. These changes
are necessary for `resultsdb_conventions` to work with the synthesized metadata.
Another change is that `fedfind.release.get_release(url='someurl')` will no
longer return generic `Pungi4Release` instances for URLs in unknown domains, as
Patrick van Uiterwijk suggested it may constitute a potential security problem
in some use cases. If this change causes you trouble, please report an issue or
contact me and it may be possible to restore the old behaviour as an option. On
EPEL 7, there is now a Python 3 build of the fedfind library (currently
`python34-fedfind`), and the `fedfind` CLI tool now uses the Python 3 library.
The other updated packages also gain Python 3 builds of their libraries (they
are all in fedfind's dependency chains). `freezegun` is updated to the last
release in the 0.1 series, 0.1.19, which should be compatible with the
previously-packaged version (0.1.12). On EPEL 6, the other packages don't
change significantly, but the package spec files were adjusted a bit so I went
ahead and built the packages.
--------------------------------------------------------------------------------
================================================================================
xrootd-4.6.0-2.el6 (FEDORA-EPEL-2017-85c437a7c5)
Extended ROOT file server
--------------------------------------------------------------------------------
Update Information:
New version 4.6.0, release notes are here:
https://github.com/xrootd/xrootd/blob/v4.6.0/docs/ReleaseNotes.txt
--------------------------------------------------------------------------------