The following Fedora EPEL 7 Security updates need testing: Age URL 4 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-28e58f443c python-PyMySQL-0.9.3-2.el7 1 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-cf00df8d67 chromium-126.0.6478.126-1.el7
The following builds have been pushed to Fedora EPEL 7 updates-testing
partclone-0.3.31-1.el7 python-waitress-1.4.3-2.el7 rpkg-1.67-1.el7 rpki-client-9.1-1.el7
Details about builds:
================================================================================ partclone-0.3.31-1.el7 (FEDORA-EPEL-2024-028aee4eee) Utility to clone and restore a partition -------------------------------------------------------------------------------- Update Information:
partclone v0.3.31 Add option prog_second to display in seconds Fix tiny resource leak Add missing return in libvmfs_version() Fix get_exec_name(): when partclone is installed, there is no / in argv0 Include the NTFS Boot Record backup in the cloned image -------------------------------------------------------------------------------- ChangeLog:
* Mon Jun 24 2024 Robert Scheck robert@fedoraproject.org 0.3.31-1 - Upgrade to 0.3.31 (#2292376 #c1) -------------------------------------------------------------------------------- References:
[ 1 ] Bug #2292376 - partclone-0.3.31 is available https://bugzilla.redhat.com/show_bug.cgi?id=2292376 --------------------------------------------------------------------------------
================================================================================ python-waitress-1.4.3-2.el7 (FEDORA-EPEL-2024-1682369c61) Waitress WSGI server -------------------------------------------------------------------------------- Update Information:
Backport upstream fix for CVE-2022-24761. https://github.com/advisories/GHSA-4f7p-27jc-3c36 -------------------------------------------------------------------------------- ChangeLog:
* Wed Jun 26 2024 Carl George carlwgeorge@fedoraproject.org - 1.4.3-2 - Backport upstream fix for CVE-2022-24761 rhbz#2065791 - Run test suite -------------------------------------------------------------------------------- References:
[ 1 ] Bug #2065791 - CVE-2022-24761 python-waitress: waitress: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') [epel-all] https://bugzilla.redhat.com/show_bug.cgi?id=2065791 --------------------------------------------------------------------------------
================================================================================ rpkg-1.67-1.el7 (FEDORA-EPEL-2024-12f86860ab) Python library for interacting with rpm+git -------------------------------------------------------------------------------- Update Information:
https://docs.pagure.org/rpkg/releases/1.67.html -------------------------------------------------------------------------------- ChangeLog:
* Tue Jun 25 2024 Ond��ej Nosek onosek@redhat.com - 1.67-1 - Include URL in upload/download (walters) - Use python-requests-gssapi instead of -kerberos (lsedlar) - man page generator: use $SOURCE_DATE_EPOCH if specified (zbyszek) - do not block tag --clog due autospec usage (msuchy) - Processing of another return message from lookaside cache (onosek) - Allow setting --force for sources command by env var (lsedlar) - Update docker image for Jenkinks tests (onosek) - '_set_token' method moved to a shared place (onosek) - Fix copr-build command with results_dir=subdir option (otto.liljalaakso) - mockbuild: use results/mock_* when results_dir=subdir (tmz) - Add option to mockbuild use default resultdir of mock (v3) (sergio) - Restrict completion to .src.rpm files for import - #706 (orion) - `remote add` command: create a non-anonymous remote - #599 (onosek) - `mockbuild`: new argument --extra-pkgs - 498 (onosek) - *pkg import: check specfile matches the repo name - 529 (onosek) - Fixes syntax issues reported by flake8 (onosek) - Unittests for "Undo rpmautospec processing" (onosek) - *pkg import: Undo rpmautospec processing - 527 (miro) - *pkg import: Don't delete changelog generated by `rpmautospec convert` (miro) - Make lookaside cache retries configurable (onosek) - Lookaside cache operations retries (onosek) - Prepare the lookaside cache code for retries (onosek) - Fix flake8 complaints (onosek) - Support for checking exploded sources before push (onosek) - Split git credential data on first = only - 694 (lsedlar) - `commit` command fails on 'containers' namespace (onosek) - `copr-build` passes extra_args to copr-cli command - 510 (onosek) - Do not require 'sources' file for all namespaces - #684 (onosek) - Use release's rpmdefines in unused sources check - #671 (otto.liljalaakso) - Pre-push hook won't check private branches - #683 (onosek) - Config file option to skip the hook script creation - 515 (onosek) - Allow empty commits when `uses_rpmautospec` - #677 (j1.kyjovsky) - Check remote file with correct hash (lsedlar) - Ignore missing spec file in pre-push hook (lsedlar) - import_srpm: allow pre-generated srpms - #655 (onosek) - Fix unittests for `clone` and pre-push hook script (onosek) - pre-push hook script contains a user's config - #667 (onosek) - A HEAD query into a lookaside cache - 513 (onosek) - `pre-push-check` have to use spectool with --define - #672 (onosek) - Add more information about pre-push hook (lsedlar) - Update to spec file presence checking - #663 (onosek) - More robust spec file presence checking - #663 (onosek) - Do not generate pre-push hook script in some cases - #665 (onosek) - Avoid calling repo_name from load_nameverrel - #657 (otto.liljalaakso) - Move warnings from missing Git repo to debug level - #659 (otto.liljalaakso) - Update docker image for Jenkinks tests (onosek) - container-build: update --signing-intent help for OSBS 2 (kdreyer) - Process source URLs with fragment in pre-push hook (lsedlar) * Sun Jun 9 2024 Python Maint python-maint@redhat.com - 1.66-19 - Rebuilt for Python 3.13 * Tue May 28 2024 Ond��ej Nosek onosek@redhat.com - 1.66-16 - Patch: Use python-requests-gssapi instead of -kerberos * Thu May 23 2024 Ond��ej Nosek onosek@redhat.com - 1.66-18 - Fix compatibility with Python 3.13+ - rhbz#2276896 * Fri Jan 26 2024 Fedora Release Engineering releng@fedoraproject.org - 1.66-17 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild * Mon Jan 22 2024 Fedora Release Engineering releng@fedoraproject.org - 1.66-16 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild --------------------------------------------------------------------------------
================================================================================ rpki-client-9.1-1.el7 (FEDORA-EPEL-2024-7da0909da2) OpenBSD RPKI validator to support BGP Origin Validation -------------------------------------------------------------------------------- Update Information:
rpki-client 9.1 Impose same-origin policy for RRDP This addresses an oversight in the original RRDP specification (RFC8182) which allowed any publication server to cause load on another server by tricking RPs into making cross-origin requests. Imposing a same-origin policy in RRDP client/server communication isolates resources such as Delta and Snapshot files from different Repository Servers, reducing possible attack vectors. https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rrdp-same-origin Introduce tiebreaking for trust anchors Instead of always using newly-retrieved trust anchors, compare a fetched TA with one stored in the cache. Later notBefore and earlier notAfter are used to identify a trust anchor certificate as newer. This prevents certain forms of replay attack. https://datatracker.ietf.org/doc/html/draft-spaghetti-sidrops-rpki-ta-tiebre... Fix internal identification of CA resource certificates The rpki-client utility tracks CA certificates across privilege separation boundaries. The original design was to use the subject key identifier, which is problematic because the SKI is not guaranteed to be globally unique. On the one hand, operators could choose to reuse their keys for multiple CAs and on the other hand, publishing a CA cert in the RPKI requires no proof of possession: anyone can publish CA certificates with any public key they please. Verify self-signage for trust anchors In other PKIs, trust anchors come from a trusted source and contain little to no important information apart from the public key. Therefore, libcrypto's chain verifier does not check their signatures by default because this "doesn't add any security and just wastes time". None of this is true in the RPKI and therefore trust anchors need an extra verification step. Introduce a check for filenames as presented by publication points Filenames presented by publication points are unsigned data, they must match the location in the signed object's EE certificate SIA extension which is signed data. This prevents some forms of replay attack. https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-manifest-numbers Improved compliance with RFCs 6487 and 8209 for certificates and CRLs The issuer field of certificates and CRLs is checked to comply with section 4.4 of RFC 6487. Various aspects of URIs provided in SIA, AIA and CRL distribution points were improved. Criticality of key usage is now enforced and the extension is inspected for all certificate types. Presence of CMS signing-time is now enforced and presence of CMS binary-signing- time is disallowed, per RFC 9589. https://www.rfc-editor.org/rfc/rfc9589.html Lowered the maximum acceptable manifest number to 2^159 - 1, per https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-manifest-numbers Limit number of validated ASPAs per customer ASID, per https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-aspa-profile Ignore the CRL Number extension in CRLs, per https://datatracker.ietf.org/doc/html/draft-spaghetti-sidrops-rpki-crl-numbe... Various minor bug fixes and improvements in logging and error reporting -------------------------------------------------------------------------------- ChangeLog:
* Wed Jun 26 2024 Robert Scheck robert@fedoraproject.org 9.1-1 - Upgrade to 9.1 (#2293864) -------------------------------------------------------------------------------- References:
[ 1 ] Bug #2293864 - rpki-client-9.1 is available https://bugzilla.redhat.com/show_bug.cgi?id=2293864 --------------------------------------------------------------------------------
epel-devel@lists.fedoraproject.org