The following Fedora EPEL 7 Security updates need testing:
 Age  URL
  53  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-f005e1b879   debmirror-2.35-1.el7


The following builds have been pushed to Fedora EPEL 7 updates-testing

openssl11-1.1.1k-1.el7
rpki-client-7.5-1.el7

Details about builds:

================================================================================
 openssl11-1.1.1k-1.el7 (FEDORA-EPEL-2021-39d32447db)
 Utilities from the general purpose cryptography library with TLS implementation
--------------------------------------------------------------------------------
Update Information:

- backport from 1.1.1k-4: Fixes bugs in s390x AES code
- backport from 1.1.1k-4: Uses the first detected address family if IPv6 is
  not available
- backport from 1.1.1k-4: Reverts the changes in
  https://github.com/openssl/openssl/pull/13305 as it introduces a regression:
  if the server has a DSA key pair, the handshake fails when the protocol is
  not explicitly set to TLS 1.2. However, if the patch is reverted, it has an
  effect on the "ssl_reject_handshake" feature in nginx. Although this feature
  will continue to work, the TLS 1.3 protocol becomes unavailable/disabled.
  This is already known - https://trac.nginx.org/nginx/ticket/2071#comment:1
  and as per https://github.com/openssl/openssl/issues/16075#issuecomment-879939938,
  nginx could use the early callback instead of the servername callback.
  Resolves: rhbz#197821, related: rhbz#1934534
- backport from 1.1.1k-3: Cleans up the peer point formats on renegotiation.
  Resolves rhbz#1965362
- backport from 1.1.1k-2: Fixes FIPS_selftest to work in FIPS mode.
  Resolves: rhbz#1940085
- backport from 1.1.1k-2: Using safe primes for FIPS DH self-test
- backport from 1.1.1k-1: Update to version 1.1.1k
- backport from 1.1.1g-16: Use AI_ADDRCONFIG only when explicit host name is
  given
- backport from 1.1.1g-16: Allow only curves defined in RFC 8446 in TLS 1.3
--------------------------------------------------------------------------------
ChangeLog:

* Tue Nov  9 2021 Robert Scheck <robert@xxxxxxxxxxxxxxxxx> 1.1.1k-1
- backport from 1.1.1k-4: Fixes bugs in s390x AES code
- backport from 1.1.1k-4: Uses the first detected address family if IPv6 is
  not available
- backport from 1.1.1k-4: Reverts the changes in
  https://github.com/openssl/openssl/pull/13305 as it introduces a regression:
  if the server has a DSA key pair, the handshake fails when the protocol is
  not explicitly set to TLS 1.2. However, if the patch is reverted, it has an
  effect on the "ssl_reject_handshake" feature in nginx. Although this feature
  will continue to work, the TLS 1.3 protocol becomes unavailable/disabled.
  This is already known - https://trac.nginx.org/nginx/ticket/2071#comment:1
  As per https://github.com/openssl/openssl/issues/16075#issuecomment-879939938,
  nginx could use the early callback instead of the servername callback.
  Resolves: rhbz#197821, related: rhbz#1934534
- backport from 1.1.1k-3: Cleans up the peer point formats on renegotiation.
  Resolves rhbz#1965362
- backport from 1.1.1k-2: Fixes FIPS_selftest to work in FIPS mode.
  Resolves: rhbz#1940085
- backport from 1.1.1k-2: Using safe primes for FIPS DH self-test
- backport from 1.1.1k-1: Update to version 1.1.1k
- backport from 1.1.1g-16: Use AI_ADDRCONFIG only when explicit host name is
  given
- backport from 1.1.1g-16: Allow only curves defined in RFC 8446 in TLS 1.3
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1930310 - CVE-2021-23841 openssl: NULL pointer dereference in X509_issuer_and_serial_hash()
        https://bugzilla.redhat.com/show_bug.cgi?id=1930310
  [ 2 ] Bug #1930324 - CVE-2021-23840 openssl: integer overflow in CipherUpdate
        https://bugzilla.redhat.com/show_bug.cgi?id=1930324
--------------------------------------------------------------------------------

================================================================================
 rpki-client-7.5-1.el7 (FEDORA-EPEL-2021-05dd12001e)
 RPKI validator to support BGP Origin Validation
--------------------------------------------------------------------------------
Update Information:

rpki-client 7.5
===============

* Make rpki-client more resilient regarding untrusted input:
  - Fail repository synchronisation after 15min runtime.
  - Limit the number of repositories per TAL.
  - Don't allow `DOCTYPE` definitions in RRDP XML files.
  - Fix detection of HTTP redirect loops.
* Limit the number of concurrent `rsync` processes.
* Fix `CRLF` in TAL files.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Nov  9 2021 Robert Scheck <robert@xxxxxxxxxxxxxxxxx> 7.5-1
- Upgrade to 7.5 (#2021523)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2021523 - rpki-client-7.5 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2021523
--------------------------------------------------------------------------------

_______________________________________________
epel-devel mailing list -- epel-devel@xxxxxxxxxxxxxxxxxxxxxxx