The following Fedora EPEL 7 Security updates need testing:
 Age  URL
  10  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-18a0e3fa23   apptainer-1.1.8-1.el7
   2  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-c1088e0644   tinyproxy-1.8.4-2.el7
   0  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-0989e83e8a   chromium-113.0.5672.63-1.el7

The following builds have been pushed to Fedora EPEL 7 updates-testing

    tcpreplay-4.4.3-3.el7
    unrealircd-6.1.0-1.el7

Details about builds:

================================================================================
 tcpreplay-4.4.3-3.el7 (FEDORA-EPEL-2023-7f7029b90d)
 Replay captured network traffic
--------------------------------------------------------------------------------
Update Information:

Patch CVE-2023-27783 - CVE-2023-27789

- CVE-2023-27783
- CVE-2023-27784
- CVE-2023-27785
- CVE-2023-27786
- CVE-2023-27787
- CVE-2023-27788
- CVE-2023-27789
--------------------------------------------------------------------------------
ChangeLog:

* Sat May 6 2023 Bojan Smojver <bojan@rexursive com> - 4.4.3-2
- CVE-2023-27783 CVE-2023-27784 CVE-2023-27785 CVE-2023-27786 CVE-2023-27787 CVE-2023-27788 CVE-2023-27789
* Sat Jan 21 2023 Fedora Release Engineering <releng@xxxxxxxxxxxxxxxxx> - 4.4.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2193431 - CVE-2023-27783 tcpreplay: net-analyzer/tcpreplay: multiple vulnerabilities [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2193431
  [ 2 ] Bug #2193432 - CVE-2023-27783 tcpreplay: net-analyzer/tcpreplay: multiple vulnerabilities [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2193432
  [ 3 ] Bug #2193433 - CVE-2023-27784 tcpreplay: net-analyzer/tcpreplay: multiple vulnerabilities [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2193433
  [ 4 ] Bug #2193434 - CVE-2023-27784 tcpreplay: net-analyzer/tcpreplay: multiple vulnerabilities [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2193434
  [ 5 ] Bug #2193436 - CVE-2023-27785 tcpreplay: net-analyzer/tcpreplay: multiple vulnerabilities [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2193436
  [ 6 ] Bug #2193437 - CVE-2023-27785 tcpreplay: net-analyzer/tcpreplay: multiple vulnerabilities [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2193437
  [ 7 ] Bug #2193439 - CVE-2023-27786 tcpreplay: net-analyzer/tcpreplay: multiple vulnerabilities [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2193439
  [ 8 ] Bug #2193440 - CVE-2023-27786 tcpreplay: net-analyzer/tcpreplay: multiple vulnerabilities [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2193440
  [ 9 ] Bug #2193442 - CVE-2023-27787 tcpreplay: net-analyzer/tcpreplay: multiple vulnerabilities [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2193442
  [ 10 ] Bug #2193443 - CVE-2023-27787 tcpreplay: net-analyzer/tcpreplay: multiple vulnerabilities [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2193443
  [ 11 ] Bug #2193445 - CVE-2023-27788 tcpreplay: net-analyzer/tcpreplay: multiple vulnerabilities [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2193445
  [ 12 ] Bug #2193446 - CVE-2023-27788 tcpreplay: net-analyzer/tcpreplay: multiple vulnerabilities [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2193446
  [ 13 ] Bug #2193448 - CVE-2023-27789 tcpreplay: net-analyzer/tcpreplay: multiple vulnerabilities [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2193448
  [ 14 ] Bug #2193449 - CVE-2023-27789 tcpreplay: net-analyzer/tcpreplay: multiple vulnerabilities [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2193449
--------------------------------------------------------------------------------

================================================================================
 unrealircd-6.1.0-1.el7 (FEDORA-EPEL-2023-7665f08459)
 Open Source IRC server
--------------------------------------------------------------------------------
Update Information:

# UnrealIRCd 6.1.0

This is UnrealIRCd 6.1.0 stable. It is the direct successor to 6.0.7, there will be no 6.0.8.

This release contains several channel mode `+f` enhancements and introduces a new channel mode `+F` which works with flood profiles like `+F normal` and `+F strict`. It is much easier for users than the scary looking mode `+f`.

UnrealIRCd 6.1.0 also contains lots of JSON-RPC improvements, which is used by the [UnrealIRCd admin panel](https://www.unrealircd.org/docs/UnrealIRCd_webpanel). Live streaming of logs has been added and the webpanel now communicates to UnrealIRCd which web user issued a command (e.g.: who issued a kill, who changed a channel mode, ..).

Other improvements are whowasdb (persistent `WHOWAS` history) and a new guide on running a Tor Onion service. The release also fixes a crash bug related to remote includes and fixes multiple memory leaks.

## Enhancements

* Channel flood protection improvements:
  * New [channel mode `+F`](https://www.unrealircd.org/docs/Channel_anti-flood_settings) (uppercase F). This allows the user to choose a "flood profile", which (behind the scenes) translates to something similar to an `+f` mode. This so end-users can simply choose an `+F` profile without having to learn the complex channel mode `+f`.
    * For example `+F normal` effectively results in `[7c#C15,30j#R10,10k#K15,40m#M10,8n#N15]:15`
    * Multiple profiles are available and changing them is possible, see [the documentation](https://www.unrealircd.org/docs/Channel_anti-flood_settings).
    * Any settings in mode `+f` will override the ones of the `+F` profile. To see the effective flood settings, use `MODE #channel F`.
  * You can optionally set a default profile via [`set::anti-flood::channel::default-profile`](https://www.unrealircd.org/docs/Channel_anti-flood_settings#Default_profile). This profile is used if the channel is `-F`. If the user does not want channel flood protection then they have to use an explicit `+F off`.
  * When channel mode `+f` or `+F` detect that a flood is caused by >75% of ["unknown-users"](https://www.unrealircd.org/docs/Security-group_block), the server will now set a temporary ban on `~security-group:unknown-users`. It will still set `+i` and other modes if the flood keeps on going (e.g. is caused by known-users).
  * Forced nick changes (e.g. by NickServ) are no longer counted in nick flood for channel mode `+f`/`+F`.
  * When a server splits on the network, UnrealIRCd now temporarily disables `+f`/`+F` join-flood protection for 75 seconds ([`set::anti-flood::channel::split-delay`](https://www.unrealircd.org/docs/Channel_anti-flood_settings#config)). This because a server splitting could mean that server has network problems or has died (or restarted), in which case the clients would typically reconnect to the remaining other servers, triggering an `+f`/`+F` join-flood and channels ending up being `+i` and such. That is not good because UnrealIRCd wants `+f`/`+F` to be as effortless as possible, with as few false positives as possible.
    * If your network has 5+ servers and the user load is spread evenly among them, then you could disable this feature by setting the amount of seconds to `0`. This because in such a scenario only 1/5th (20%) of the users would reconnect and hopefully don't trigger `+f`/`+F` join floods.
  * All these features only work properly if all servers are on 6.1.0-rc1 or later.
* New module `whowasdb` (persistent `WHOWAS` history): this saves the `WHOWAS` history on disk periodically and when UnrealIRCd terminates, so next server boot still has the `WHOWAS` history. This module is currently not loaded by default.
* New option [`listen::spoof-ip`](https://www.unrealircd.org/docs/Listen_block#spoof-ip), only valid when using UNIX domain sockets (so `listen::file`). This way you can override the IP address that users come online with when they use the socket (default was and still is `127.0.0.1`).
* Add a new guide [Running Tor Onion service with UnrealIRCd](https://www.unrealircd.org/docs/Running_Tor_Onion_service_with_UnrealIRCd) which uses the new `listen::spoof-ip` and optionally requires a services account.
* [JSON-RPC](https://www.unrealircd.org/docs/JSON-RPC):
  * Logging of JSON-RPC requests (e.g. via snomask `+R`) has been improved, it now shows:
    * The issuer, such as the user logged in to the admin panel (if known)
    * The parameters of the request
  * The JSON-RPC calls [`channel.list`](https://www.unrealircd.org/docs/JSON-RPC:Channel#channel.list), [`channel.get`](https://www.unrealircd.org/docs/JSON-RPC:Channel#channel.get), [`user.list`](https://www.unrealircd.org/docs/JSON-RPC:User#user.list) and [`user.get`](https://www.unrealircd.org/docs/JSON-RPC:User#user.get) now support an optional argument `object_detail_level` which specifies how detailed the [Channel](https://www.unrealircd.org/docs/JSON-RPC:Channel#Structure_of_a_channel) and [User](https://www.unrealircd.org/docs/JSON-RPC:User#Structure_of_a_client_object) response object will be. Especially useful if you don't need all the details in the list calls.
  * New JSON-RPC methods [`log.subscribe`](https://www.unrealircd.org/docs/JSON-RPC:Log#log.subscribe) and [`log.unsubscribe`](https://www.unrealircd.org/docs/JSON-RPC:Log#log.unsubscribe) to allow real-time streaming of [JSON log events](https://www.unrealircd.org/docs/JSON_logging).
  * New JSON-RPC method [`rpc.set_issuer`](https://www.unrealircd.org/docs/JSON-RPC:Rpc#rpc.set_issuer) to indicate who is actually issuing the requests. The admin panel uses this to communicate who is logged in to the panel so this info can be used in logging.
  * New JSON-RPC methods [`rpc.add_timer`](https://www.unrealircd.org/docs/JSON-RPC:Rpc#rpc.add_timer) and [`rpc.del_timer`](https://www.unrealircd.org/docs/JSON-RPC:Rpc#rpc.del_timer) so you can schedule JSON-RPC calls, like stats.get, to be executed every xyz msec.
  * New JSON-RPC method [`whowas.get`](https://www.unrealircd.org/docs/JSON-RPC:Whowas#whowas.get) to fetch `WHOWAS` history.
  * Low ASCII is no longer filtered out in strings in JSON-RPC, only in JSON logging.
* A new message tag `unrealircd.org/issued-by` which is IRCOp-only (and used intra-server) to communicate who actually issued a command. See [docs](https://www.unrealircd.org/issued-by).

## Changes

* The RPC modules are enabled by default now. This so remote RPC works from other IRC servers for calls like `modules.list`. The default configuration does NOT enable the webserver nor does it cause listening on any socket for RPC, for that you need to follow the [JSON-RPC](https://www.unrealircd.org/docs/JSON-RPC) instructions.
* The [blacklist-module](https://www.unrealircd.org/docs/Blacklist-module_directive) directive now accepts wildcards, e.g. `blacklist-module rpc/*;`
* The setting set::modef-boot-delay has been moved to [`set::anti-flood::channel::boot-delay`](https://www.unrealircd.org/docs/Channel_anti-flood_settings#config).
* UnrealIRCd now only exempts `127.0.0.1` and `::1` from banning by default (hardcoded in the source). Previously UnrealIRCd exempted whole `127.*` but that gets in the way if you want to allow Tor with a [require authentication](https://www.unrealircd.org/docs/Require_authentication_block) block or soft-ban. Now you can just tell Tor to bind to `127.0.0.2` so it's not affected by the default exemption.

## Fixes

* Crash if there is a parse error in an included file and there are other remote included files still being downloaded.
* Memory leak in `WHOWAS`
* Memory leak when connecting to a TLS server fails
* Workaround a bug in some websocket implementations where the `WSOP_PONG` frame is unmasked (now permitted).

## Developers and protocol

* The `cmode.free_param` definition changed. It now has an extra argument `int soft` and for return value you will normally `return 0` here. You can `return 1` if you resist freeing, which is rare and only used by `+F` with set::anti-flood::channel::default-profile.
* New `cmode.flood_type_action` which can be used to indicate a channel mode can be used from +f/+F as an action. You need to specify for which flood type your mode is, e.g. `cmode.flood_type_action = 'j';` for joinflood.
* JSON-RPC supports [UNIX domain sockets](https://www.unrealircd.org/docs/JSON-RPC:Technical_documentation#UNIX_domain_socket) for making RPC calls. If this is used, UnrealIRCd now splits on `\n` (newline) so multiple parallel requests can be handled properly.
* Message tag `unrealircd.org/issued-by`, sent to IRCOps only. See [docs](https://www.unrealircd.org/issued-by).
--------------------------------------------------------------------------------
ChangeLog:

* Sat May 6 2023 Robert Scheck <robert@xxxxxxxxxxxxxxxxx> 6.1.0-1
- Upgrade to 6.1.0 (#2185257)
--------------------------------------------------------------------------------