Fedora EPEL 7 updates-testing report


 



The following Fedora EPEL 7 Security updates need testing:
 Age  URL
  13  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-c44d955770   prosody-0.11.9-1.el7
   9  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-113abf45ca   composer-1.10.22-1.el7
   9  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-4ab96a9920   wordpress-5.1.10-1.el7
   8  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-4b7c1b59f8   upx-3.96-9.el7
   4  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-6cc996cdc4   opendmarc-1.4.1-1.el7
   3  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-969456590e   rxvt-unicode-9.21-4.el7
   2  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-0fec8057df   python3-lxml-4.2.5-4.el7
   2  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-17f170d38c   caribou0-0.4.21-26.el7
   1  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-7e9a7ecfb4   slurm-20.11.7-3.el7
   1  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-0402b44d82   chromium-90.0.4430.212-1.el7
   0  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-15abda18e1   singularity-3.7.4-1.el7


The following builds have been pushed to Fedora EPEL 7 updates-testing

    audacious-plugins-4.0.5-4.el7
    fluidsynth-2.1.8-4.el7
    iotop-c-1.17-1.el7
    netdata-1.31.0-1.el7
    nginx-1.20.1-1.el7
    openjpeg2-2.3.1-11.el7
    perl-DateTime-Format-Flexible-0.33-1.el7

Details about builds:


================================================================================
 audacious-plugins-4.0.5-4.el7 (FEDORA-EPEL-2021-9eaea6f65c)
 Plugins for the Audacious audio player
--------------------------------------------------------------------------------
Update Information:

Approved soname bump of fluidsynth-libs in epel7:
https://meetbot.fedoraproject.org/fedora-meeting/2021-05-26/epel.2021-05-26-20.01.html
--------------------------------------------------------------------------------
ChangeLog:

* Fri May  7 2021 Carl George <carl@george.computer> - 4.0.5-4
- Rebuilt for fluidsynth soname bump rhbz#1958007
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1949538 - CVE-2021-28421 fluidsynth: use after free in sfloader/fluid_sffile.c could result in arbitrary code execution or a denial of service [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1949538
  [ 2 ] Bug #1955613 - CVE-2021-21417 fluidsynth: A use after free via invalid SoundFont file [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1955613
  [ 3 ] Bug #1958007 - fluidsynth-libs: incompatible upgrade from libfluidsynth.so.1 to libfluidsynth.so.2 (EPEL7)
        https://bugzilla.redhat.com/show_bug.cgi?id=1958007
--------------------------------------------------------------------------------


================================================================================
 fluidsynth-2.1.8-4.el7 (FEDORA-EPEL-2021-9eaea6f65c)
 Real-time software synthesizer
--------------------------------------------------------------------------------
Update Information:

Approved soname bump of fluidsynth-libs in epel7:
https://meetbot.fedoraproject.org/fedora-meeting/2021-05-26/epel.2021-05-26-20.01.html
--------------------------------------------------------------------------------
ChangeLog:

* Tue May  4 2021 Christoph Karl <pampelmuse [AT] gmx [DOT] at> - 2.1.8-4
- Makes EPEL 7 build working
* Fri Apr 16 2021 Christoph Karl <pampelmuse [AT] gmx [DOT] at> - 2.1.8-3
- Cleanup cmake
* Fri Apr 16 2021 Christoph Karl <pampelmuse [AT] gmx [DOT] at> - 2.1.8-2
- Resolves: rhbz #1921265
* Sat Apr 10 2021 Christoph Karl <pampelmuse [AT] gmx [DOT] at> - 2.1.8-1
- Update to 2.1.8
* Tue Jan 26 2021 Fedora Release Engineering <releng@xxxxxxxxxxxxxxxxx> - 2.1.1-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Mon Aug  3 2020 Erich Eickmeyer <erich@xxxxxxxxxxxxxxxxxx> - 2.1.1-4
- Rebuild with fixes for Fedora 33
- Resolves: rhbz #1863571
* Sat Aug  1 2020 Fedora Release Engineering <releng@xxxxxxxxxxxxxxxxx> - 2.1.1-3
- Second attempt - Rebuilt for
  https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Mon Jul 27 2020 Fedora Release Engineering <releng@xxxxxxxxxxxxxxxxx> - 2.1.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Mon Feb 17 2020 Orcan Ogetbil <oget[dot]fedora[at]gmail[dot]com> - 2.1.1-1
- Update to 2.1.1
* Sun Feb 16 2020 Orcan Ogetbil <oget[dot]fedora[at]gmail[dot]com> - 2.1.0-1
- Update to 2.1.0
* Tue Jan 28 2020 Fedora Release Engineering <releng@xxxxxxxxxxxxxxxxx> - 1.1.11-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Thu Jul 25 2019 Fedora Release Engineering <releng@xxxxxxxxxxxxxxxxx> - 1.1.11-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Sun Feb 17 2019 Igor Gnatenko <ignatenkobrain@xxxxxxxxxxxxxxxxx> - 1.1.11-5
- Rebuild for readline 8.0
* Thu Jan 31 2019 Fedora Release Engineering <releng@xxxxxxxxxxxxxxxxx> - 1.1.11-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Tue Sep 18 2018 Owen Taylor <otaylor@xxxxxxxxxx> - 1.1.11-3
- Disable hack for Flatpak builds - JACK isn't useful inside a sandbox, since
  there won't be enough privileges.
* Fri Jul 13 2018 Fedora Release Engineering <releng@xxxxxxxxxxxxxxxxx> - 1.1.11-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Sun May  6 2018 Orcan Ogetbil <oget[dot]fedora[at]gmail[dot]com> - 1.1.11-1
- Update to 1.1.11
* Sun Feb 25 2018 Orcan Ogetbil <oget[dot]fedora[at]gmail[dot]com> - 1.1.10-1
- Update to 1.1.10
- Drop upstreamed patches
- Drop ldconfig calls in post and postun
* Wed Feb  7 2018 Fedora Release Engineering <releng@xxxxxxxxxxxxxxxxx> - 1.1.9-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Sat Jan  6 2018 Orcan Ogetbil <oget[dot]fedora[at]gmail[dot]com> - 1.1.9-1
- Update to 1.1.9
- Fix startup issue when an invalid soundfont file name is given as a command
  line argument RHBZ#1399896
* Mon Aug 14 2017 Pete Walter <pwalter@xxxxxxxxxxxxxxxxx> - 1.1.6-12
- Disable lash support
* Wed Aug  2 2017 Fedora Release Engineering <releng@xxxxxxxxxxxxxxxxx> - 1.1.6-11
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Wed Jul 26 2017 Fedora Release Engineering <releng@xxxxxxxxxxxxxxxxx> - 1.1.6-10
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Fri Feb 10 2017 Fedora Release Engineering <releng@xxxxxxxxxxxxxxxxx> - 1.1.6-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Thu Jan 12 2017 Igor Gnatenko <ignatenko@xxxxxxxxxx> - 1.1.6-8
- Rebuild for readline 7.x
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1949538 - CVE-2021-28421 fluidsynth: use after free in sfloader/fluid_sffile.c could result in arbitrary code execution or a denial of service [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1949538
  [ 2 ] Bug #1955613 - CVE-2021-21417 fluidsynth: A use after free via invalid SoundFont file [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1955613
  [ 3 ] Bug #1958007 - fluidsynth-libs: incompatible upgrade from libfluidsynth.so.1 to libfluidsynth.so.2 (EPEL7)
        https://bugzilla.redhat.com/show_bug.cgi?id=1958007
--------------------------------------------------------------------------------


================================================================================
 iotop-c-1.17-1.el7 (FEDORA-EPEL-2021-4e7b20ca48)
 Simple top-like I/O monitor (implemented in C)
--------------------------------------------------------------------------------
Update Information:

Update to latest ver 1.17
--------------------------------------------------------------------------------
ChangeLog:

* Sat Feb  6 2021 Boian Bonev <bbonev@xxxxxxxxxx> - 1.17-1
- Update to latest ver 1.17
* Thu Jan 28 2021 Boian Bonev <bbonev@xxxxxxxxxx> - 1.16-1
- Update to latest ver 1.16
* Tue Jan 26 2021 Fedora Release Engineering <releng@xxxxxxxxxxxxxxxxx> - 1.15-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
--------------------------------------------------------------------------------


================================================================================
 netdata-1.31.0-1.el7 (FEDORA-EPEL-2021-682a674ca9)
 Real-time performance monitoring
--------------------------------------------------------------------------------
Update Information:

Update from upstream
--------------------------------------------------------------------------------
ChangeLog:

* Wed May 19 2021 Didier Fabert <didier.fabert@xxxxxxxxx> 1.31.0-1
- Update from upstream
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1962419 - netdata-1.31.0 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1962419
--------------------------------------------------------------------------------


================================================================================
 nginx-1.20.1-1.el7 (FEDORA-EPEL-2021-c64b965c33)
 A high performance web server and reverse proxy server
--------------------------------------------------------------------------------
Update Information:

# nginx 1.20.1 for EPEL 7

## Changes

### Log file ownership (potential user impact)

**Note** that the ownership of log files has changed to `root:root` and
the mode changed to `700` (from `770`) to address CVE-2016-1247. This should not
affect general operation, as this is the default for log directories and also
what httpd uses but if you use external tools to process the log files you may
want to check continued operation after this update.

### OpenSSL 1.1

nginx in EPEL 7 is now built against OpenSSL 1.1 to allow the use of TLSv1.3.

### Default Config changes

Dropped `default_server` and `location /` directives so that it can be
overridden in `conf.d` without needing to touch the default config. Note that
the first `server` (as defined in the default config) and `root` will continue
to serve the default `index.html` as long as no other `server` is defined.

### Logrotate

nginx now handles creation of new log files to ensure correct permissions.

### Installation

nginx no longer requires `nginx-all-modules` to allow for a leaner install.

### Service start

The systemd unit will now wait for the `network-online.target`. Previously,
start up could fail if DNS names were used for some config options (such as
`proxy_pass`) and these names were not resolvable at service start time.

### Service reload

The systemd unit now uses `nginx -s` to only reload the service if the
configuration is valid. In previous versions an invalid configuration could take
down nginx upon reload.

Please consult http://nginx.org/en/CHANGES-1.20 for all changes to nginx since
the current EPEL 7 release of 1.16.1.
--------------------------------------------------------------------------------
ChangeLog:

* Tue May 25 2021 Felix Kaechele <heffer@xxxxxxxxxxxxxxxxx> - 1:1.20.1-1
- update to 1.20.1 (fixes CVE-2021-23017)
* Fri May 21 2021 Jitka Plesnikova <jplesnik@xxxxxxxxxx> - 1:1.20.0-4
- Perl 5.34 rebuild
* Fri Apr 30 2021 Lubos Uhliarik <luhliari@xxxxxxxxxx> - 1:1.20.0-3
- Related: #1636235 - centralizing default index.html on nginx
* Wed Apr 21 2021 Felix Kaechele <heffer@xxxxxxxxxxxxxxxxx> - 1:1.20.0-2
- sync rawhide and EPEL7 spec files again
- systemd service reload now checks config file (rhbz#1565377)
- drop nginx requirement on nginx-all-modules (rhbz#1708799)
- let nginx handle log creation on logrotate (rhbz#1683388)
- have log directory owned by root (rhbz#1390183, CVE-2016-1247)
- remove obsolete --with-ipv6 (src PR#8)
- correction: pcre2 is actually not supported by nginx, reintroduce pcre
* Wed Apr 21 2021 Felix Kaechele <heffer@xxxxxxxxxxxxxxxxx> - 1:1.20.0-1
- update to 1.20.0
- sync with mainline spec file
- order configure options alphabetically for easier comparing
- add --with-compat option (rhbz#1834452)
- add patch to fix PIDFile race condition (rhbz#1869026)
- use pcre2 instead of pcre (rhbz#1938984)
- add Wants=network-online.target to systemd unit (rhbz#1943779)
* Mon Feb 22 2021 Lubos Uhliarik <luhliari@xxxxxxxxxx> - 1:1.18.0-5
- Resolves: #1931402 - drop gperftools module
* Tue Jan 26 2021 Fedora Release Engineering <releng@xxxxxxxxxxxxxxxxx> - 1:1.18.0-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1964821 - CVE-2021-23017 nginx: Off-by-one in ngx_resolver_copy() when labels are followed by a pointer to a root domain name [epel-7]
        https://bugzilla.redhat.com/show_bug.cgi?id=1964821
--------------------------------------------------------------------------------


================================================================================
 openjpeg2-2.3.1-11.el7 (FEDORA-EPEL-2021-1f259a45ef)
 C-Library for JPEG 2000
--------------------------------------------------------------------------------
Update Information:

Backport multiple security fixes from Fedora 33 branch.
--------------------------------------------------------------------------------
ChangeLog:

* Thu May 27 2021 Sandro Mani <manisandro@xxxxxxxxx> - 2.3.1-11
- Apply proposed patches for CVE-2021-29338 and a heap buffer overflow (#1957616)
* Thu Dec 17 2020 Sandro Mani <manisandro@xxxxxxxxx> - 2.3.1-10
- Backport patches for CVE-2020-27841, CVE-2020-27842, CVE-2020-27843, CVE-2020-27845
* Thu Dec 10 2020 Sandro Mani <manisandro@xxxxxxxxx> - 2.3.1-9
- Backport patches for CVE-2020-27824 and CVE-2020-27823
* Sat Nov 28 2020 Sandro Mani <manisandro@xxxxxxxxx> - 2.3.1-8
- Backport patch for CVE-2020-27814
* Tue Jul 28 2020 Fedora Release Engineering <releng@xxxxxxxxxxxxxxxxx> - 2.3.1-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Thu Feb 13 2020 Sandro Mani <manisandro@xxxxxxxxx> - 2.3.1-6
- Backport patch for CVE-2020-8112
* Wed Jan 29 2020 Fedora Release Engineering <releng@xxxxxxxxxxxxxxxxx> - 2.3.1-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Fri Jan 17 2020 Sandro Mani <manisandro@xxxxxxxxx> - 2.3.1-4
- Backport patch for CVE-2020-6851
* Wed Oct  2 2019 Sandro Mani <manisandro@xxxxxxxxx> - 2.3.1-3
- Fix unbundling 3rd party libraries (#1757822)
* Thu Jul 25 2019 Fedora Release Engineering <releng@xxxxxxxxxxxxxxxxx> - 2.3.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1790515 - CVE-2020-6851 openjpeg2: openjpeg: a heap-based buffer overflow in opj_t1_clbl_decode_processor in libopenjp2.so [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1790515
  [ 2 ] Bug #1800537 - CVE-2020-8112 openjpeg2: openjpeg: heap based buffer overflow in pj_t1_clbl_decode_processor in openjp2/t1.c [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1800537
  [ 3 ] Bug #1852870 - CVE-2020-15389 openjpeg2: openjpeg: use-after-free and double-free via a mix of valid and invalid files in a directory operated on by the decompressor [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1852870
  [ 4 ] Bug #1901999 - CVE-2020-27814 openjpeg2: openjpeg: Heap-buffer-overflow in lib/openjp2/mqc.c could result in DoS [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1901999
  [ 5 ] Bug #1905726 - CVE-2020-27824 openjpeg2: openjpeg: global-buffer-overflow read in lib-openjp2 [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1905726
  [ 6 ] Bug #1906219 - CVE-2020-27823 openjpeg2: openjpeg: Heap-buffer-overflow write in lib-openjp2 [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1906219
  [ 7 ] Bug #1907672 - CVE-2020-27841 openjpeg2: openjpeg: heap-based buffer overflows in lib/openjp2/pi.c [epel-7]
        https://bugzilla.redhat.com/show_bug.cgi?id=1907672
  [ 8 ] Bug #1907679 - CVE-2020-27842 openjpeg2: openjpeg: null pointer dereference in opj_tgt_reset function in lib/openjp2/tgt.c [epel-7]
        https://bugzilla.redhat.com/show_bug.cgi?id=1907679
  [ 9 ] Bug #1907685 - CVE-2020-27843 openjpeg2: openjpeg: out-of-bounds read in opj_t2_encode_packet function in openjp2/t2.c [epel-7]
        https://bugzilla.redhat.com/show_bug.cgi?id=1907685
  [ 10 ] Bug #1907695 - CVE-2020-27844 openjpeg2: openjpeg: heap-based buffer overflow in opj_t2_encode_packet function in openjp2/t2.c [epel-7]
        https://bugzilla.redhat.com/show_bug.cgi?id=1907695
  [ 11 ] Bug #1907700 - CVE-2020-27845 openjpeg2: openjpeg: heap-based buffer overflow in functions opj_pi_next_rlcp, opj_pi_next_rpcl and opj_pi_next_lrcp in openjp2/pi.c [epel-7]
        https://bugzilla.redhat.com/show_bug.cgi?id=1907700
  [ 12 ] Bug #1950102 - CVE-2021-29338 openjpeg2: out-of-bounds write due to an integer overflow in opj_compress.c [epel-7]
        https://bugzilla.redhat.com/show_bug.cgi?id=1950102
  [ 13 ] Bug #1957619 - openjpeg2: openjpeg: heap-buffer-overflow in color.c may lead to DoS or arbitrary code execution [epel-7]
        https://bugzilla.redhat.com/show_bug.cgi?id=1957619
--------------------------------------------------------------------------------


================================================================================
 perl-DateTime-Format-Flexible-0.33-1.el7 (FEDORA-EPEL-2021-0b3e9518f1)
 Flexibly parse strings and turn them into DateTime objects
--------------------------------------------------------------------------------
Update Information:

This release fixes a memory leak.
--------------------------------------------------------------------------------
ChangeLog:

* Thu May 27 2021 Petr Pisar <ppisar@xxxxxxxxxx> - 0.33-1
- 0.33 bump
- Package the tests
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1965188 - perl-DateTime-Format-Flexible-0.33 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1965188
--------------------------------------------------------------------------------

_______________________________________________
epel-devel mailing list -- epel-devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to epel-devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/epel-devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure



