The following Fedora 16 Security updates need testing:
Age URL
 52 https://admin.fedoraproject.org/updates/FEDORA-2012-20157/libproxy-0.4.11...
  0 https://admin.fedoraproject.org/updates/FEDORA-2013-1748/sssd-1.8.6-1.fc16
  0 https://admin.fedoraproject.org/updates/FEDORA-2013-1713/libupnp-1.6.18-1...
  9 https://admin.fedoraproject.org/updates/FEDORA-2013-1233/rhncfg-5.10.36-1...
 51 https://admin.fedoraproject.org/updates/FEDORA-2012-20236/rssh-2.3.4-1.fc16
  9 https://admin.fedoraproject.org/updates/FEDORA-2013-1257/libexif-0.6.21-2...
210 https://admin.fedoraproject.org/updates/FEDORA-2012-10314/revelation-0.4....
130 https://admin.fedoraproject.org/updates/FEDORA-2012-14654/tor-0.2.2.39-16...
  6 https://admin.fedoraproject.org/updates/FEDORA-2013-1485/Zim-0.59-1.fc16
 23 https://admin.fedoraproject.org/updates/FEDORA-2012-19347/cups-1.5.4-12.fc16
  6 https://admin.fedoraproject.org/updates/FEDORA-2013-1494/gdal-1.7.3-15.fc...
  0 https://admin.fedoraproject.org/updates/FEDORA-2013-1666/android-tools-20...
  0 https://admin.fedoraproject.org/updates/FEDORA-2013-1716/samba-3.6.12-1.fc16
  0 https://admin.fedoraproject.org/updates/FEDORA-2013-1745/rubygem-activesu...
 13 https://admin.fedoraproject.org/updates/FEDORA-2013-0935/samba4-4.0.0-39....
  2 https://admin.fedoraproject.org/updates/FEDORA-2013-1642/libvirt-0.9.6.4-...
  0 https://admin.fedoraproject.org/updates/FEDORA-2013-1735/wordpress-3.5.1-...
The following Fedora 16 Critical Path updates have yet to be approved:
Age URL
  6 https://admin.fedoraproject.org/updates/FEDORA-2013-1531/qrencode-3.4.1-1...
  9 https://admin.fedoraproject.org/updates/FEDORA-2013-1257/libexif-0.6.21-2...
276 https://admin.fedoraproject.org/updates/FEDORA-2012-6994/upower-0.9.16-1....
The following builds have been pushed to Fedora 16 updates-testing
android-tools-20130123git98d0789-1.fc16
drupal7-date_ical-2.3-1.fc16
guacd-0.7.0-3.fc16
libupnp-1.6.18-1.fc16
lua-ldoc-1.3.3-1.fc16
mate-window-manager-1.5.3-3.fc16
rubygem-activesupport-3.0.10-6.fc16
samba-3.6.12-1.fc16
sssd-1.8.6-1.fc16
wordpress-3.5.1-1.fc16
Details about builds:
================================================================================
android-tools-20130123git98d0789-1.fc16 (FEDORA-2013-1666)
Android platform tools(adb, fastboot)
--------------------------------------------------------------------------------
Update Information:
- Update to upstream git commit 98d0789
- Resolves: rhbz 903074 Move udev rule to docs as example
- Resolves: rhbz 879585 Introduce adb.service with PrivateTmp
--------------------------------------------------------------------------------
ChangeLog:
* Mon Jan 28 2013 Ivan Afonichev <ivan.afonichev(a)gmail.com> - 20130123git98d0789-1
- Update to upstream git commit 98d0789
- Resolves: rhbz 903074 Move udev rule to docs as example
- Resolves: rhbz 879585 Introduce adb.service with PrivateTmp
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #879585 - CVE-2012-5564 android-tools (server): Insecure temporary file used
for logging [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=879585
[ 2 ] Bug #903074 - android-tools: please fix or remove (non useful) udev rule
https://bugzilla.redhat.com/show_bug.cgi?id=903074
--------------------------------------------------------------------------------
================================================================================
drupal7-date_ical-2.3-1.fc16 (FEDORA-2013-1688)
Allows creation of an iCal feed in Views
--------------------------------------------------------------------------------
Update Information:
Update to upstream 2.3 release
Update to upstream 2.2 release
--------------------------------------------------------------------------------
ChangeLog:
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #904736 - drupal7-date_ical-2.3 is available
https://bugzilla.redhat.com/show_bug.cgi?id=904736
[ 2 ] Bug #903583 - drupal7-date_ical-2.2 is available
https://bugzilla.redhat.com/show_bug.cgi?id=903583
--------------------------------------------------------------------------------
================================================================================
guacd-0.7.0-3.fc16 (FEDORA-2013-1694)
Proxy daemon for Guacamole
--------------------------------------------------------------------------------
Update Information:
Enable guacd user/group for daemon
--------------------------------------------------------------------------------
ChangeLog:
* Wed Jan 30 2013 Simone Caronni <negativo17(a)gmail.com> - 0.7.0-3
- User creation is for all supported distributions.
* Wed Jan 30 2013 Simone Caronni <negativo17(a)gmail.com> - 0.7.0-2
- Updated init script according to Fedora template.
https://fedoraproject.org/wiki/Packaging:SysVInitScript?rd=Packaging/SysV...
- Run daemon as guacd user/group.
- Make sure $HOME is set before starting the daemon or the child crashes.
--------------------------------------------------------------------------------
================================================================================
libupnp-1.6.18-1.fc16 (FEDORA-2013-1713)
Universal Plug and Play (UPnP) SDK
--------------------------------------------------------------------------------
Update Information:
libupnp 1.6.18
--------------------------------------------------------------------------------
ChangeLog:
* Tue Jan 29 2013 Adam Jackson <ajax(a)redhat.com> 1.6.18-1
- libupnp 1.6.18 (#905577)
* Tue Oct 16 2012 Adam Jackson <ajax(a)redhat.com> 1.6.17-1
- libupnp 1.6.17
* Thu Jul 19 2012 Fedora Release Engineering <rel-eng(a)lists.fedoraproject.org> - 1.6.13-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
* Fri Jan 13 2012 Fedora Release Engineering <rel-eng(a)lists.fedoraproject.org> - 1.6.13-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #883790 - CVE-2012-5958 CVE-2012-5959 CVE-2012-5960 CVE-2012-5961
CVE-2012-5962 CVE-2012-5963 CVE-2012-5964 CVE-2012-5965 libupnp: Multiple stack-based
buffer overflows in unique_service_name() by processing specially-crafted SSDP request
(VU#922681)
https://bugzilla.redhat.com/show_bug.cgi?id=883790
--------------------------------------------------------------------------------
================================================================================
lua-ldoc-1.3.3-1.fc16 (FEDORA-2013-1768)
Lua documentation generator
--------------------------------------------------------------------------------
Update Information:
LDoc is a second-generation documentation tool that can be used as a replacement for
LuaDoc. It is mostly compatible with LuaDoc, except that certain workarounds are no longer
needed. For instance, it is not so married to the idea that Lua modules should be defined
using the module function.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #891996 - Review Request: lua-ldoc - Lua documentation generator
https://bugzilla.redhat.com/show_bug.cgi?id=891996
--------------------------------------------------------------------------------
================================================================================
mate-window-manager-1.5.3-3.fc16 (FEDORA-2013-1669)
MATE Desktop window manager
--------------------------------------------------------------------------------
Update Information:
update to latest upstream release
--------------------------------------------------------------------------------
ChangeLog:
* Tue Jan 29 2013 Dan Mashal <dan.mashal(a)fedoraproject.org> - 1.5.3-3
- Add some configure flags
* Fri Jan 18 2013 Dan Mashal <dan.mashal(a)fedoraproject.org> - 1.5.3-2
- Sort BR's
- Remove unneeded obsoletes tag
* Mon Jan 14 2013 Dan Mashal <dan.mashal(a)fedoraproject.org> - 1.5.3-1
- Update to latest upstream release
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #896357 - [abrt] mate-window-manager-1.5.2-10.fc18: meta_bug: Process
/usr/bin/marco was killed by signal 6 (SIGABRT)
https://bugzilla.redhat.com/show_bug.cgi?id=896357
--------------------------------------------------------------------------------
================================================================================
rubygem-activesupport-3.0.10-6.fc16 (FEDORA-2013-1745)
Support and utility classes used by the Rails framework
--------------------------------------------------------------------------------
Update Information:
Fixes CVE-2013-0333.
--------------------------------------------------------------------------------
ChangeLog:
* Tue Jan 29 2013 Vít Ondruch <vondruch(a)redhat.com> - 1:3.0.10-6
- Fix for CVE-2013-0333.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #903440 - CVE-2013-0333 rubygem-activesupport: json to yaml parsing
https://bugzilla.redhat.com/show_bug.cgi?id=903440
--------------------------------------------------------------------------------
================================================================================
samba-3.6.12-1.fc16 (FEDORA-2013-1716)
Server and Client software to interoperate with Windows machines
--------------------------------------------------------------------------------
Update Information:
Update to 3.6.12 which fixes CVE-2013-0213 and CVE-2013-0214.
Update to 3.6.10.
Fix printing upgrade code.
--------------------------------------------------------------------------------
ChangeLog:
* Thu Jan 31 2013 - Andreas Schneider <asn(a)redhat.com> - 2:3.6.12-1
- Update to 3.6.12
- Fixes CVE-2013-0213 and CVE-2013-0214.
- resolves: #905700
- resolves: #906002
- resolves: #905704
* Mon Dec 10 2012 Guenther Deschner <gdeschner(a)redhat.com> - 2:3.6.10-94
- Update to 3.6.10
* Fri Nov 9 2012 Guenther Deschner <gdeschner(a)redhat.com> - 2:3.6.9-93
- Update to 3.6.9
* Fri Oct 26 2012 - Andreas Schneider <asn(a)redhat.com> - 2:3.6.8-92
- Fix pam_winbind segfault in pam_sm_authenticate().
- resolves: #870493
* Mon Sep 17 2012 Guenther Deschner <gdeschner(a)redhat.com> - 2:3.6.8-91
- Update to 3.6.8
* Mon Aug 20 2012 Guenther Deschner <gdeschner(a)redhat.com> - 2:3.6.7-90
- Update to 3.6.7
* Thu Jul 19 2012 Guenther Deschner <gdeschner(a)redhat.com> - 2:3.6.6-89
- Fix printing tdb upgrade for 3.6.6
- resolves: #841609
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #905700 - CVE-2013-0213 samba: clickjacking vulnerability in SWAT
https://bugzilla.redhat.com/show_bug.cgi?id=905700
[ 2 ] Bug #905704 - CVE-2013-0214 samba: cross-site request forgery vulnerability in
SWAT
https://bugzilla.redhat.com/show_bug.cgi?id=905704
--------------------------------------------------------------------------------
================================================================================
sssd-1.8.6-1.fc16 (FEDORA-2013-1748)
System Security Services Daemon
--------------------------------------------------------------------------------
Update Information:
A rebase to the latest LTM upstream release that fixes CVE-2013-0220 and CVE-2013-0219
--------------------------------------------------------------------------------
ChangeLog:
* Tue Jan 29 2013 Jakub Hrozek <jhrozek(a)redhat.com> - 1.8.6-1
- New upstream release 1.8.6
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #884254 - CVE-2013-0219 sssd: TOCTOU race conditions by copying and removing
directory trees
https://bugzilla.redhat.com/show_bug.cgi?id=884254
[ 2 ] Bug #884601 - CVE-2013-0220 sssd: Out-of-bounds read flaws in autofs and ssh
services responders
https://bugzilla.redhat.com/show_bug.cgi?id=884601
--------------------------------------------------------------------------------
================================================================================
wordpress-3.5.1-1.fc16 (FEDORA-2013-1735)
Blog tool and publishing platform
--------------------------------------------------------------------------------
Update Information:
WordPress 3.5.1 is now available. Version 3.5.1 is the first maintenance release of 3.5,
fixing 37 bugs. It is also a security release for all previous WordPress versions. The
fixes include:
* Editor: Prevent certain HTML elements from being unexpectedly removed or modified in
rare cases.
* Media: Fix a collection of minor workflow and compatibility issues in the new media
manager.
* Networks: Suggest proper rewrite rules when creating a new network.
* Prevent scheduled posts from being stripped of certain HTML, such as video embeds, when
they are published.
* Work around some misconfigurations that may have caused some JavaScript in the WordPress
admin area to fail.
* Suppress some warnings that could occur when a plugin misused the database or user
APIs.
WordPress 3.5.1 also addresses the following security issues:
* A server-side request forgery vulnerability and remote port scanning using pingbacks.
This vulnerability, which could potentially be used to expose information and compromise a
site, affects all previous WordPress versions. This was fixed by the WordPress security
team. We’d like to thank security researchers Gennady Kovshenin and Ryan Dewhurst for
reviewing our work.
* Two instances of cross-site scripting via shortcodes and post content. These issues were
discovered by Jon Cave of the WordPress security team.
* A cross-site scripting vulnerability in the external library Plupload. Thanks to the
Moxiecode team for working with us on this, and for releasing Plupload 1.5.5 to address
this issue.
--------------------------------------------------------------------------------
ChangeLog:
* Wed Jan 30 2013 Remi Collet <rcollet(a)redhat.com> - 3.5.1-1
- version 3.5.1, various bug and security fixes:
CVE-2013-0235, CVE-2013-0236 and CVE-2013-0237
- drop -f option from rm to break build if
upstream archive content change
- protect akismet content (from upstream .htaccess)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #904120 - CVE-2013-0235 wordpress: Server-side request forgery and remote port
scanning using pingbacks
https://bugzilla.redhat.com/show_bug.cgi?id=904120
[ 2 ] Bug #904121 - wordpress: XSS flaws via shortcodes and HTTP POST content
https://bugzilla.redhat.com/show_bug.cgi?id=904121
[ 3 ] Bug #904122 - wordpress: XSS in the external Plupload library
https://bugzilla.redhat.com/show_bug.cgi?id=904122
--------------------------------------------------------------------------------