The following Fedora EPEL 7 Security updates need testing:

 Age  URL
 374  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-3c9292b62d   condor-8.6.11-1.el7
 149  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-d2c1368294   cinnamon-3.6.7-5.el7
 115  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-c499781e80   python-gnupg-0.4.4-1.el7
 113  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-bc0182548b   bubblewrap-0.3.3-2.el7
  50  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-12067fc897   dosbox-0.74.3-2.el7
  12  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-26e64681f6   hostapd-2.9-1.el7
   8  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-6e2a2d877a   nfdump-1.6.18-1.el7
   4  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-1a711333e8   nghttp2-1.31.1-2.el7
   4  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-e1ddf9b607   sleuthkit-4.6.7-1.el7


The following builds have been pushed to Fedora EPEL 7 updates-testing

    clamav-0.101.4-1.el7
    python3-chardet-3.0.4-1.el7

Details about builds:


================================================================================
 clamav-0.101.4-1.el7 (FEDORA-EPEL-2019-ae72f875d9)
 End-user tools for the Clam Antivirus scanner
--------------------------------------------------------------------------------
Update Information:

ClamAV 0.101.4 is a security patch release that addresses the following issues.

- An out of bounds write was possible within ClamAV's NSIS bzip2 library when
  attempting decompression in cases where the number of selectors exceeded the
  max limit set by the library (CVE-2019-12900). The issue has been resolved by
  respecting that limit. Thanks to Martin Simmons for reporting the issue here.

- The zip bomb vulnerability mitigated in 0.101.3 has been assigned the CVE
  identifier CVE-2019-12625. Unfortunately, a workaround for the zip-bomb
  mitigation was immediately identified. To remediate the zip-bomb scan time
  issue, a scan time limit has been introduced in 0.101.4. This limit now
  resolves ClamAV's vulnerability to CVE-2019-12625.

  The default scan time limit is 2 minutes (120000 milliseconds).

  To customize the time limit:

  - use the clamscan --max-scantime option
  - use the clamd MaxScanTime config option

  Libclamav users may customize the time limit using the cl_engine_set_num
  function. For example:

  ```c
  cl_engine_set_num(engine, CL_ENGINE_MAX_SCANTIME, time_limit_milliseconds)
  ```

  Thanks to David Fifield for reviewing the zip-bomb mitigation in 0.101.3 and
  reporting the issue.
--------------------------------------------------------------------------------
ChangeLog:

* Thu Aug 22 2019 Orion Poplawski <orion@xxxxxxxx> - 0.101.4-1
- Update to 0.101.4
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1744273 - clamav-0.101.4 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1744273
--------------------------------------------------------------------------------


================================================================================
 python3-chardet-3.0.4-1.el7 (FEDORA-EPEL-2019-25334ee372)
 Character encoding auto-detection in Python
--------------------------------------------------------------------------------
Update Information:

Update to 3.0.4
--------------------------------------------------------------------------------
ChangeLog:

* Thu Aug 22 2019 Orion Poplawski <orion@xxxxxxxx> - 3.0.4-1
- Update to 3.0.4
--------------------------------------------------------------------------------