The following Fedora EPEL 7 Security updates need testing:

 Age  URL
 525  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-3c9292b62d   condor-8.6.11-1.el7
 267  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-c499781e80   python-gnupg-0.4.4-1.el7
 264  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-bc0182548b   bubblewrap-0.3.3-2.el7
  13  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-9ffdf25269   python-django-1.11.27-1.el7
  13  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-12cd208593   gnulib-0-31.20200107git.el7
  10  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-de388d4fd0   chromium-79.0.3945.117-1.el7
  10  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-35e87bab10   perl-Clipboard-0.21-1.el7.1
  10  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-a062204588   rubygem-rack-1.6.12-1.el7
   9  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-87fd65eed3   python3-pillow-6.2.2-1.el7
   7  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-345003feba   thunderbird-enigmail-2.1.5-1.el7
   7  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-348d34c4c6   elog-3.1.4-1.20190113git283534d97d5a.el7
   4  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-807cf11068   upx-3.95-5.el7
   1  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-a16a109471   links-2.20.2-1.el7
   0  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-d60f779676   python-pip-epel-8.1.2-11.el7
   0  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-43a3a1207a   ansible-2.9.3-1.el7

The following builds have been pushed to Fedora EPEL 7 updates-testing

    debbuild-19.11.0-1.el7
    fail2ban-0.10.5-2.el7
    java-latest-openjdk-13.0.2.8-1.rolling.el7
    munin-2.0.54-1.el7

Details about builds:

================================================================================
 debbuild-19.11.0-1.el7 (FEDORA-EPEL-2020-eef777e349)
 Build Debian-compatible .deb packages from RPM .spec files
--------------------------------------------------------------------------------
Update Information:

Rebased to version 19.11.0
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jan 21 2020 Neal Gompa <ngompa13@xxxxxxxxx> - 19.11.0-1
- Rebase to 19.11.0
- Update spec based on upstream spec
* Wed Jul 24 2019 Fedora Release Engineering <releng@xxxxxxxxxxxxxxxxx> - 18.6.1-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Thu May 30 2019 Jitka Plesnikova <jplesnik@xxxxxxxxxx> - 18.6.1-5
- Perl 5.30 rebuild
* Thu Mar 7 2019 Tim Landscheidt <tim@xxxxxxxxxxxxxxxxxx> - 18.6.1-4
- Remove obsolete requirement for %post scriptlet
* Thu Jan 31 2019 Fedora Release Engineering <releng@xxxxxxxxxxxxxxxxx> - 18.6.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Thu Jul 12 2018 Fedora Release Engineering <releng@xxxxxxxxxxxxxxxxx> - 18.6.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1609487 - debbuild-19.11.0 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1609487
--------------------------------------------------------------------------------

================================================================================
 fail2ban-0.10.5-2.el7 (FEDORA-EPEL-2020-fbdcb94857)
 Daemon to ban hosts that cause multiple authentication errors
--------------------------------------------------------------------------------
Update Information:

Move action.d/mail-whois-common.conf into fail2ban-server

----

ver. 0.10.5 (2020/01/10) - deserve-more-respect-a-jedis-weapon-must
-----------

Yes, Hrrrm...

### Fixes

* [compatibility] systemd backend: default flags changed to SYSTEM_ONLY(4), fixed in gh-2444 in order to ignore user session files per default, so could prevent "Too many open files" errors on a lot of user sessions (see gh-2392)
* [grave] fixed parsing of multi-line filters (`maxlines` > 1) together with systemd backend, now systemd-filter replaces newlines in message from systemd journal with `\n` (otherwise multi-line parsing may be broken, because removal of matched string from multi-line buffer window is confused by such extra new-lines, so they are retained and got matched on every followed message, see gh-2431)
* [stability] prevent race condition - no unban if the bans occur continuously (gh-2410); now an unban-check will happen not later than 10 tickets get banned regardless there are still active bans available (precedence of ban over unban-check is 10 now)
* fixed read of included config-files (`.local` overwrites options of `.conf` for config-files included with before/after)
* `action.d/abuseipdb.conf`: switched to use AbuseIPDB API v2 (gh-2302)
* `action.d/badips.py`: fixed start of banaction on demand (which may be IP-family related), gh-2390
* `action.d/helpers-common.conf`: rewritten grep arguments, now options `-wF` used to match only whole words and fixed string (not as pattern), gh-2298
* `filter.d/apache-auth.conf`:
  - ignore errors from mod_evasive in `normal` mode (mode-controlled now) (gh-2548);
  - extended with option `mode` - `normal` (default) and `aggressive`
* `filter.d/sshd.conf`:
  - matches `Bad protocol version identification` in `ddos` and `aggressive` modes (gh-2404).
  - captures `Disconnecting ...: Change of username or service not allowed` (gh-2239, gh-2279)
  - captures `Disconnected from ... [preauth]`, preauth phase only, different handling by `extra` (with supplied user only) and `ddos`/`aggressive` mode (gh-2115, gh-2239, gh-2279)
* `filter.d/mysqld-auth.conf`:
  - MYSQL 8.0.13 compatibility (log-error-verbosity = 3), log-format contains few additional words enclosed in brackets after "[Note]" (gh-2314)
* `filter.d/sendmail-reject.conf`:
  - `mode=extra` now captures port IDs of `TLSMTA` and `MSA` (defaults for ports 465 and 587 on some distros)
* `files/fail2ban.service.in`: fixed systemd-unit template - missing nftables dependency (gh-2313)
* several `action.d/mail*`: fixed usage with multiple log files (ultimate fix for gh-976, gh-2341)
* `filter.d/sendmail-reject.conf`: fixed journal usage for some systems (e. g. CentOS): if only identifier set to `sm-mta` (no unit `sendmail`) for some messages (gh-2385)
* `filter.d/asterisk.conf`: asterisk can log additional timestamp if logs into systemd-journal (regex extended with optional part matching this, gh-2383)
* `filter.d/postfix.conf`:
  - regexp's accept variable suffix code in status of postfix for precise messages (gh-2442)
  - extended with new postfix filter mode `errors` to match "too many errors" (gh-2439), also included within modes `normal`, `more` (`extra` and `aggressive`), since postfix parameter `smtpd_hard_error_limit` is default 20 (additionally consider `maxretry`)
* `filter.d/named-refused.conf`:
  - support BIND 9.11.0 log format (includes an additional field @0xXXX..., gh-2406);
  - `prefregex` extended, more selective now (denied/NOTAUTH suffix moved from failregex, so no catch-all there anymore)
* `filter.d/sendmail-auth.conf`, `filter.d/sendmail-reject.conf`:
  - ID in prefix can be longer as 14 characters (gh-2563);
* all filters would accept square brackets around IPv4 addresses also (e. g. monit-filter, gh-2494)
* avoids unhandled exception during flush (gh-2588)
* fixes pass2allow-ftp jail - due to inverted handling, action should prohibit access per default for any IP, therefore reset start on demand parameter for this action (it will be started immediately by repair);
* auto-detection of IPv6 subsystem availability (important for not on-demand actions or jails, like pass2allow);

### New Features

* new replacement tags for failregex to match subnets in form of IP-addresses with CIDR mask (gh-2559):
  - `<CIDR>` - helper regex to match CIDR (simple integer form of net-mask);
  - `<SUBNET>` - regex to match sub-net addresses (in form of IP/CIDR, also single IP is matched, so part /CIDR is optional);
* grouped tags (`<ADDR>`, `<HOST>`, `<SUBNET>`) recognize IP addresses enclosed in square brackets
* new failregex-flag tag `<F-MLFGAINED>` for failregex, signaled that the access to service was gained (ATM used similar to tag `<F-NOFAIL>`, but it does not add the log-line to matches, gh-2279)
* filters: introduced new configuration parameter `logtype` (default `file` for file-backends, and `journal` for journal-backends, gh-2387); can be also set to `rfc5424` to force filters (which include common.conf) to use RFC 5424 conform prefix-line per default (gh-2467);
* for better performance and safety the option `logtype` can be also used to select short prefix-line for file-backends too for all filters using `__prefix_line` (`common.conf`), if message logged only with `hostname svc[nnnn]` prefix (often the case on several systems):

```ini
[jail]
backend = auto
filter = flt[logtype=short]
```

* `filter.d/common.conf`: differentiate `__prefix_line` for file/journal logtype's (speedup and fix parsing of systemd-journal);
* `filter.d/traefik-auth.conf`: used to ban hosts, that were failed through traefik
* `filter.d/znc-adminlog.conf`: new filter for ZNC (IRC bouncer); requires the adminlog module to be loaded

### Enhancements

* introduced new options: `dbmaxmatches` (fail2ban.conf) and `maxmatches` (jail.conf) to control how many matches per ticket fail2ban can hold in memory and store in database (gh-2402, gh-2118);
* fail2ban.conf: introduced new section `[Thread]` and option `stacksize` to configure default size of the stack for threads running in fail2ban (gh-2356), it could be set in `fail2ban.local` to avoid runtime error "can't start new thread" (see gh-969);
* jail-reader extended (amend to gh-1622): actions support multi-line options now (interpolations containing new-line);
* fail2ban-client: extended to ban/unban multiple tickets (see gh-2351, gh-2349); Syntax:
  - `fail2ban-client set <jail> banip <ip1> ... <ipN>`
  - `fail2ban-client set <jail> unbanip [--report-absent] <ip1> ... <ipN>`
* fail2ban-client: extended with new feature which allows to inform fail2ban about single or multiple attempts (failure) for IP (resp. failure-ID), see gh-2351; Syntax:
  - `fail2ban-client set <jail> attempt <ip> [<failure-message1> ... <failure-messageN>]`
* `action.d/nftables.conf`:
  - isolate fail2ban rules into a dedicated table and chain (gh-2254)
  - `nftables-allports` supports multiple protocols in single rule now
  - combined nftables actions to single action `nftables`:
    * `nftables-common` is removed (replaced with single action `nftables` now)
    * `nftables-allports` is obsolete, superseded by `nftables[type=allports]`
    * `nftables-multiport` is obsolete, superseded by `nftables[type=multiport]`
  - allowed multiple protocols in `nftables[type=multiport]` action (single set with multiple rules in chain), following configuration in jail would replace 3 separate actions, see https://github.com/fail2ban/fail2ban/pull/2254#issuecomment-534684675
* `action.d/badips.py`: option `loglevel` extended with level of summary message, following example configuration logging summary with NOTICE and rest with DEBUG log-levels: `action = badips.py[loglevel="debug, notice"]`
* samplestestcase.py (testSampleRegexsFactory) extended:
  - allow coverage of journal logtype;
  - new option `fileOptions` to set common filter/test options for whole test-file;
* large enhancement: auto-reban, improved invariant check and conditional operations (gh-2588):
  - improves invariant check and repair (avoid unhandled exception, consider family on conditional operations, etc), prepared for bulk re-ban in repair case (if bulk-ban becomes implemented);
  - automatic reban (repeat banning action) after repair/restore sane environment, if already logged ticket causes new failures (via new action operation `actionreban` or `actionban` if still not defined in action);
* introduces banning epoch for actions and tickets (to distinguish or recognize removed set of the tickets);
* invariant check avoids repair by unban/stop (unless parameter `actionrepair_on_unban` set to `true`);
* better handling for all conditional operations (distinguish families for certain operations like repair/flush/stop, prepared for other families, e. g. if different handling for subnets expected, etc);
* partially implements gh-980 (more breakdown safe handling);
* closes gh-1680 (better as large-scale banning implementation with on-demand reban by failure, at least unless a bulk-ban gets implemented);
* fail2ban-regex - several enhancements and fixes:
  - improved usage output (don't put a long help if an error occurs);
  - new option `--no-check-all` to avoid check of all regex's (first matched only);
  - new option `-o`, `--out` to set token only provided in output (disables check-all and outputs only expected data).
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jan 21 2020 Orion Poplawski <orion@xxxxxxxx> - 0.10.5-2
- Move action.d/mail-whois-common.conf into fail2ban-server
* Tue Jan 14 2020 Orion Poplawski <orion@xxxxxxxx> - 0.10.5-1
- Update to 0.10.5
--------------------------------------------------------------------------------

================================================================================
 java-latest-openjdk-13.0.2.8-1.rolling.el7 (FEDORA-EPEL-2020-751a496bfa)
 OpenJDK Runtime Environment 13
--------------------------------------------------------------------------------
Update Information:

This is January 2020 OpenJDK security update for java-latest-openjdk packages.
The sources are updated to the 13.0.2+8 tag.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Jan 17 2020 Petra Alice Mikova <pmikova@xxxxxxxxxx> - 1:13.0.2.8-1.rolling
- removed patch jdk8231405_guarantee_d_nonequals_null_failed_null_dominator_info.patch
- removed patch jdk8231583_fix_register_clash_in_sbsa_resolve_forwarding_pointer_borrowing.patch
- updated sources to the 13.0.2+8 tag
--------------------------------------------------------------------------------

================================================================================
 munin-2.0.54-1.el7 (FEDORA-EPEL-2020-4f1e1f376d)
 Network-wide resource monitoring tool
--------------------------------------------------------------------------------
Update Information:

Upstream update to 2.0.54. Also uses systemd hardening options for munin-node
and munin-asyncd.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jan 21 2020 Kim B. Heino <b@xxxxxxxx> - 2.0.54-1
- Upgrade to 2.0.54
- Improve df's ignore list
- Use systemd hardening options for node and asyncd
--------------------------------------------------------------------------------

_______________________________________________
epel-devel mailing list -- epel-devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to epel-devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/epel-devel@xxxxxxxxxxxxxxxxxxxxxxx