The following Fedora EPEL 7 Security updates need testing:

 Age  URL
 757  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-1087   dokuwiki-0-0.24.20140929c.el7
 520  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-dac7ed832f   mcollective-2.8.4-1.el7
 222  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-e8f4ff76b3   chicken-4.11.0-3.el7
 102  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-04bc9dd81d   libbsd-0.8.3-1.el7
  18  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-05ac8b1dc4   php-onelogin-php-saml-2.10.5-1.el7
  12  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-3d518cd4b9   libgit2-0.24.6-1.el7
  12  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-5794ee2486   moodle-3.1.5-1.el7
  11  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-7e4f45cad3   tcpreplay-4.2.1-1.el7
   3  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-e9e451db03   chromium-57.0.2987.133-1.el7
   0  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-99c7c2f382   xorgxrdp-0.2.1-1.el7 xrdp-0.9.2-3.el7
   0  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-1ae79d206b   ReviewBoard-2.5.10-1.el7
   0  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-d9e3bfe77d   php-horde-Horde-Crypt-2.7.6-1.el7
   0  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-7889b3b509   libupnp-1.6.21-1.el7
   0  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-d241156dfe   mod_cluster-1.3.3-10.el7

The following builds have been pushed to Fedora EPEL 7 updates-testing

    ReviewBoard-2.5.10-1.el7
    apache-commons-fileupload-1.3.2-3.1.el7
    colm-0.13.0.4-2.el7
    geronimo-interceptor-1.0.1-16.el7
    hibernate-commons-annotations-5.0.1-3.el7
    hibernate-jpa-2.0-api-1.0.1-20.el7
    hibernate-jpa-2.1-api-1.0.0-3.el7
    jboss-logging-tools-2.0.1-5.el7
    libglvnd-0.2.999-14.20170308git8e6e102.el7
    libupnp-1.6.21-1.el7
    maven-processor-plugin-2.2.4-8.el7
    mod_cluster-1.3.3-10.el7
    nodejs-6.10.1-2.el7
    php-composer-spdx-licenses-1.1.6-1.el7
    php-horde-Horde-Crypt-2.7.6-1.el7
    python-xml2rfc-2.5.2-1.el7
    xorgxrdp-0.2.1-1.el7
    xrdp-0.9.2-3.el7

Details about builds:

================================================================================
 ReviewBoard-2.5.10-1.el7 (FEDORA-EPEL-2017-1ae79d206b)
 Web-based code review tool
--------------------------------------------------------------------------------
Update Information:

* https://www.reviewboard.org/docs/releasenotes/reviewboard/2.5.10/
* Addresses an XSS vulnerability
--------------------------------------------------------------------------------

================================================================================
 apache-commons-fileupload-1.3.2-3.1.el7 (FEDORA-EPEL-2017-a73d7e35e2)
 API to work with HTML file upload
--------------------------------------------------------------------------------
Update Information:

This update brings back obsoletes for jakarta-commons-fileupload.
--------------------------------------------------------------------------------

================================================================================
 colm-0.13.0.4-2.el7 (FEDORA-EPEL-2017-d17ec283a8)
 Programming language designed for the analysis of computer languages
--------------------------------------------------------------------------------
Update Information:

Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
--------------------------------------------------------------------------------

================================================================================
 geronimo-interceptor-1.0.1-16.el7 (FEDORA-EPEL-2017-7e8558deda)
 Java EE: Interceptor API v3.0
--------------------------------------------------------------------------------
Update Information:

Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
--------------------------------------------------------------------------------

================================================================================
 hibernate-commons-annotations-5.0.1-3.el7 (FEDORA-EPEL-2017-5a8f735a2e)
 Hibernate Annotations
--------------------------------------------------------------------------------
Update Information:

Disable doclint
--------------------------------------------------------------------------------

================================================================================
 hibernate-jpa-2.0-api-1.0.1-20.el7 (FEDORA-EPEL-2017-26479d119f)
 Java Persistence 2.0 (JSR 317) API
--------------------------------------------------------------------------------
Update Information:

Disable doclint
--------------------------------------------------------------------------------

================================================================================
 hibernate-jpa-2.1-api-1.0.0-3.el7 (FEDORA-EPEL-2017-76f9e631a1)
 Java Persistence 2.1 (JSR 338) API
--------------------------------------------------------------------------------
Update Information:

Disable doclint
--------------------------------------------------------------------------------

================================================================================
 jboss-logging-tools-2.0.1-5.el7 (FEDORA-EPEL-2017-a9cb1f17d0)
 JBoss Logging I18n Annotation Processor
--------------------------------------------------------------------------------
Update Information:

Invocation of plugins for target configured to 1.7 and doclint disabling
--------------------------------------------------------------------------------

================================================================================
 libglvnd-0.2.999-14.20170308git8e6e102.el7 (FEDORA-EPEL-2017-26a97d4743)
 The GL Vendor-Neutral Dispatch library
--------------------------------------------------------------------------------
Update Information:

* Fix conditionals for _without_mesa_glvnd_default
* Fix other RHEL-conditionals, too
* Update RPM filters for private libraries (includes GLX, fixes RHEL 6).
* Update to latest snapshot, remove upstreamed patches.
* Update release to packaging guidelines format.
* Make sure that for Fedora 24 and RHEL the libraries are always private.
--------------------------------------------------------------------------------

================================================================================
 libupnp-1.6.21-1.el7 (FEDORA-EPEL-2017-7889b3b509)
 Universal Plug and Play (UPnP) SDK
--------------------------------------------------------------------------------
Update Information:

Long standing security bugs fixed through update to version 1.6.21.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1437143 - Plans for EPEL 6
        https://bugzilla.redhat.com/show_bug.cgi?id=1437143
  [ 2 ] Bug #1388774 - CVE-2016-8863 libupnp: Heap buffer overflow in the create_url_list function [epel-7]
        https://bugzilla.redhat.com/show_bug.cgi?id=1388774
  [ 3 ] Bug #1358614 - CVE-2016-6255 libupnp: Unhandled POSTs can write to the filesystem by default [epel-7]
        https://bugzilla.redhat.com/show_bug.cgi?id=1358614
  [ 4 ] Bug #1358352 - libupnp: Upload arbitrary file via POST [epel-7]
        https://bugzilla.redhat.com/show_bug.cgi?id=1358352
  [ 5 ] Bug #1146033 - libupnp: security and critical bug fixes [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1146033
  [ 6 ] Bug #905578 - CVE-2012-5958 CVE-2012-5959 CVE-2012-5960 CVE-2012-5961 CVE-2012-5962 CVE-2012-5963 CVE-2012-5964 CVE-2012-5965 libupnp: Multiple stack-based buffer overflows in unique_service_name() by processing specially-crafted SSDP request (VU#922681) [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=905578
--------------------------------------------------------------------------------

================================================================================
 maven-processor-plugin-2.2.4-8.el7 (FEDORA-EPEL-2017-1fe03ca888)
 Maven Processor Plugin
--------------------------------------------------------------------------------
Update Information:

Disable doclint
--------------------------------------------------------------------------------

================================================================================
 mod_cluster-1.3.3-10.el7 (FEDORA-EPEL-2017-d241156dfe)
 Apache HTTP Server dynamic load balancer with Wildfly and Tomcat libraries
--------------------------------------------------------------------------------
Update Information:

Upgrade to 1.3.3 (current rawhide) and patch to change catalina deps
--------------------------------------------------------------------------------

================================================================================
 nodejs-6.10.1-2.el7 (FEDORA-EPEL-2017-9d4f011d75)
 JavaScript runtime
--------------------------------------------------------------------------------
Update Information:

Fix a segfault with SSL and the placement of manpages

----

Update to 6.10.1

----

https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V6.md#2017-02-21-version-6100-boron-lts-mylesborins

----

Update to v6.9.5(security)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1436445 - Segfault with ssl with 6.10.1 el7
        https://bugzilla.redhat.com/show_bug.cgi?id=1436445
  [ 2 ] Bug #1433403 - npm man pages appearing in the nodejs package
        https://bugzilla.redhat.com/show_bug.cgi?id=1433403
--------------------------------------------------------------------------------

================================================================================
 php-composer-spdx-licenses-1.1.6-1.el7 (FEDORA-EPEL-2017-13087e70ed)
 SPDX licenses list and validation library
--------------------------------------------------------------------------------
Update Information:

**Version 1.1.6** - 2017-04-03

* Changed: updated licenses list.
--------------------------------------------------------------------------------

================================================================================
 php-horde-Horde-Crypt-2.7.6-1.el7 (FEDORA-EPEL-2017-d9e3bfe77d)
 Horde Cryptography API
--------------------------------------------------------------------------------
Update Information:

**Horde_Crypt 2.7.6**

* [mjr] SECURITY: Fix remote code execution vulnerability (**CVE-2017-7413**, and **CVE-2017-7414**).
--------------------------------------------------------------------------------

================================================================================
 python-xml2rfc-2.5.2-1.el7 (FEDORA-EPEL-2017-60dfbde5b7)
 Convert IETF RFC-2629 XML into txt format
--------------------------------------------------------------------------------
Update Information:

Updated to 2.5.2
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1438375 - xml2rfc: incorrect dependencies
        https://bugzilla.redhat.com/show_bug.cgi?id=1438375
--------------------------------------------------------------------------------

================================================================================
 xorgxrdp-0.2.1-1.el7 (FEDORA-EPEL-2017-99c7c2f382)
 Implementation of xrdp backend as Xorg modules
--------------------------------------------------------------------------------
Update Information:

New upstream version of xorgxrdp and xrdp:

New features in xrdp:
- RemoteFX codec support is now enabled by default.
- Bitmap updates support is now enabled by default.
- TLS ciphers suites and version is now logged.
- Connected computer name is now logged.
- Switched to Xorg (xorgxrdp) as the default backend now.
- Miscellaneous RemoteFX codec mode improvements.
- Socket directory is configurable at the compile time.

Bugfixes in xrdp:
- Parallels client for MacOS / iOS can now connect (audio redirection must be disabled on client or xrdp server though).
- MS RDP client for iOS can now connect using TLS security layer.
- MS RDP client for Android can now connect to xrdp.
- Large resolutions (4K) can be used with RemoteFX graphics.
- Multiple RemoteApps can be opened through NeutrinoRDP proxy.
- tls_ciphers in xrdp.ini is not limited to 63 chars anymore, it's variable-length.
- Fixed an issue where tls_ciphers were ignored and rdp security layer could be used instead.
- Kill disconnected sessions feature is working with Xorg (xorgxrdp) backend.
- Miscellaneous code cleanup and memory issues fixes.

Rebuild of xrdp requiring both xorgxrdp and tigervnc-minimal. VNC is still the default.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1433958 - CVE-2017-6967 xrdp: Incorrect placement of auth_start_session() [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1433958
--------------------------------------------------------------------------------

================================================================================
 xrdp-0.9.2-3.el7 (FEDORA-EPEL-2017-99c7c2f382)
 Open source remote desktop protocol (RDP) server
--------------------------------------------------------------------------------
Update Information:

New upstream version of xorgxrdp and xrdp:

New features in xrdp:
- RemoteFX codec support is now enabled by default.
- Bitmap updates support is now enabled by default.
- TLS ciphers suites and version is now logged.
- Connected computer name is now logged.
- Switched to Xorg (xorgxrdp) as the default backend now.
- Miscellaneous RemoteFX codec mode improvements.
- Socket directory is configurable at the compile time.

Bugfixes in xrdp:
- Parallels client for MacOS / iOS can now connect (audio redirection must be disabled on client or xrdp server though).
- MS RDP client for iOS can now connect using TLS security layer.
- MS RDP client for Android can now connect to xrdp.
- Large resolutions (4K) can be used with RemoteFX graphics.
- Multiple RemoteApps can be opened through NeutrinoRDP proxy.
- tls_ciphers in xrdp.ini is not limited to 63 chars anymore, it's variable-length.
- Fixed an issue where tls_ciphers were ignored and rdp security layer could be used instead.
- Kill disconnected sessions feature is working with Xorg (xorgxrdp) backend.
- Miscellaneous code cleanup and memory issues fixes.

Rebuild of xrdp requiring both xorgxrdp and tigervnc-minimal. VNC is still the default.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1433958 - CVE-2017-6967 xrdp: Incorrect placement of auth_start_session() [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1433958
--------------------------------------------------------------------------------