The following Fedora EPEL 8 Security updates need testing: Age URL 51 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-1e00c3d01e cutter-re-2.2.0-1.el8 rizin-0.5.1-1.el8 11 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-44ff2475c4 apptainer-1.1.8-1.el8 4 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-ae97901b58 vtk-9.0.1-10.el8 1 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-f44d817bc9 chromium-113.0.5672.63-1.el8 The following builds have been pushed to Fedora EPEL 8 updates-testing kiwi-9.24.59-1.el8 mate-power-manager-1.26.1-1.el8 tcpreplay-4.4.3-3.el8 unrealircd-6.1.0-1.el8 Details about builds: ================================================================================ kiwi-9.24.59-1.el8 (FEDORA-EPEL-2023-1c65f50148) Flexible operating system image builder -------------------------------------------------------------------------------- Update Information: Update to 9.24.59 -------------------------------------------------------------------------------- ChangeLog: * Sat May 6 2023 Igor Raits <igor.raits@xxxxxxxxx> - 9.24.59-1 - Update to 9.24.59 * Thu Jan 19 2023 Fedora Release Engineering <releng@xxxxxxxxxxxxxxxxx> - 9.24.52-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild -------------------------------------------------------------------------------- References: [ 1 ] Bug #2152424 - kiwi-9.24.59 is available https://bugzilla.redhat.com/show_bug.cgi?id=2152424 -------------------------------------------------------------------------------- ================================================================================ mate-power-manager-1.26.1-1.el8 (FEDORA-EPEL-2023-0d5dbb854d) MATE power management service -------------------------------------------------------------------------------- Update Information: - update to 1.26.1 -------------------------------------------------------------------------------- ChangeLog: * Sat May 6 2023 Wolfgang Ulbrich <fedora@xxxxxxxxx> - 1.26.1-1 - update to 1.26.1 -------------------------------------------------------------------------------- ================================================================================ tcpreplay-4.4.3-3.el8 (FEDORA-EPEL-2023-6463a51c68) Replay captured network traffic -------------------------------------------------------------------------------- Update Information: Patch CVE-2023-27783 - CVE-2023-27789 - CVE-2023-27783 - CVE-2023-27784 - CVE-2023-27785 - CVE-2023-27786 - CVE-2023-27787 - CVE-2023-27788 - CVE-2023-27789 -------------------------------------------------------------------------------- ChangeLog: * Sat May 6 2023 Bojan Smojver <bojan@rexursive com> - 4.4.3-2 - CVE-2023-27783 CVE-2023-27784 CVE-2023-27785 CVE-2023-27786 CVE-2023-27787 CVE-2023-27788 CVE-2023-27789 * Sat Jan 21 2023 Fedora Release Engineering <releng@xxxxxxxxxxxxxxxxx> - 4.4.3-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild -------------------------------------------------------------------------------- References: [ 1 ] Bug #2193431 - CVE-2023-27783 tcpreplay: net-analyzer/tcpreplay: multiple vulnerabilities [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2193431 [ 2 ] Bug #2193432 - CVE-2023-27783 tcpreplay: net-analyzer/tcpreplay: multiple vulnerabilities [epel-all] https://bugzilla.redhat.com/show_bug.cgi?id=2193432 [ 3 ] Bug #2193433 - CVE-2023-27784 tcpreplay: net-analyzer/tcpreplay: multiple vulnerabilities [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2193433 [ 4 ] Bug #2193434 - CVE-2023-27784 tcpreplay: net-analyzer/tcpreplay: multiple vulnerabilities [epel-all] https://bugzilla.redhat.com/show_bug.cgi?id=2193434 [ 5 ] Bug #2193436 - CVE-2023-27785 tcpreplay: net-analyzer/tcpreplay: multiple vulnerabilities [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2193436 [ 6 ] Bug #2193437 - CVE-2023-27785 tcpreplay: net-analyzer/tcpreplay: multiple vulnerabilities [epel-all] https://bugzilla.redhat.com/show_bug.cgi?id=2193437 [ 7 ] Bug #2193439 - CVE-2023-27786 tcpreplay: net-analyzer/tcpreplay: multiple vulnerabilities [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2193439 [ 8 ] Bug #2193440 - CVE-2023-27786 tcpreplay: net-analyzer/tcpreplay: multiple vulnerabilities [epel-all] https://bugzilla.redhat.com/show_bug.cgi?id=2193440 [ 9 ] Bug #2193442 - CVE-2023-27787 tcpreplay: net-analyzer/tcpreplay: multiple vulnerabilities [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2193442 [ 10 ] Bug #2193443 - CVE-2023-27787 tcpreplay: net-analyzer/tcpreplay: multiple vulnerabilities [epel-all] https://bugzilla.redhat.com/show_bug.cgi?id=2193443 [ 11 ] Bug #2193445 - CVE-2023-27788 tcpreplay: net-analyzer/tcpreplay: multiple vulnerabilities [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2193445 [ 12 ] Bug #2193446 - CVE-2023-27788 tcpreplay: net-analyzer/tcpreplay: multiple vulnerabilities [epel-all] https://bugzilla.redhat.com/show_bug.cgi?id=2193446 [ 13 ] Bug #2193448 - CVE-2023-27789 tcpreplay: net-analyzer/tcpreplay: multiple vulnerabilities [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2193448 [ 14 ] Bug #2193449 - CVE-2023-27789 tcpreplay: net-analyzer/tcpreplay: multiple vulnerabilities [epel-all] https://bugzilla.redhat.com/show_bug.cgi?id=2193449 -------------------------------------------------------------------------------- ================================================================================ unrealircd-6.1.0-1.el8 (FEDORA-EPEL-2023-da44f7c7d3) Open Source IRC server -------------------------------------------------------------------------------- Update Information: # UnrealIRCd 6.1.0 This is UnrealIRCd 6.1.0 stable. It is the direct successor to 6.0.7, there will be no 6.0.8. This release contains several channel mode `+f` enhancements and introduces a new channel mode `+F` which works with flood profiles like `+F normal` and `+F strict`. It is much easier for users than the scary looking mode `+f`. UnrealIRCd 6.1.0 also contains lots of JSON-RPC improvements, which is used by the [UnrealIRCd admin panel](https://www.unrealircd.org/docs/UnrealIRCd_webpanel). Live streaming of logs has been added and the webpanel now communicates to UnrealIRCd which web user issued a command (e.g.: who issued a kill, who changed a channel mode, ..). Other improvements are whowasdb (persistent `WHOWAS` history) and a new guide on running a Tor Onion service. The release also fixes a crash bug related to remote includes and fixes multiple memory leaks. ## Enhancements * Channel flood protection improvements: * New [channel mode `+F`](https://www.unrealircd.org/docs/Channel_anti-flood_settings) (uppercase F). This allows the user to choose a "flood profile", which (behind the scenes) translates to something similar to an `+f` mode. This so end-users can simply choose an `+F` profile without having to learn the complex channel mode `+f`. * For example `+F normal` effectively results in `[7c#C15,30j#R10,10k#K15,40m#M10,8n#N15]:15` * Multiple profiles are available and changing them is possible, see [the documentation](https://www.unrealircd.org/docs/Channel_anti-flood_settings). * Any settings in mode `+f` will override the ones of the `+F` profile. To see the effective flood settings, use `MODE #channel F`. * You can optionally set a default profile via [`set::anti-flood::channel::default- profile`](https://www.unrealircd.org/docs/Channel_anti- flood_settings#Default_profile). This profile is used if the channel is `-F`. If the user does not want channel flood protection then they have to use an explicit `+F off`. * When channel mode `+f` or `+F` detect that a flood is caused by >75% of ["unknown-users"](https://www.unrealircd.org/docs/Security- group_block), the server will now set a temporary ban on `~security- group:unknown-users`. It will still set `+i` and other modes if the flood keeps on going (e.g. is caused by known-users). * Forced nick changes (e.g. by NickServ) are no longer counted in nick flood for channel mode `+f`/`+F`. * When a server splits on the network, UnrealIRCd now temporarily disables `+f`/`+F` join-flood protection for 75 seconds ([`set::anti- flood::channel::split-delay`](https://www.unrealircd.org/docs/Channel_anti- flood_settings#config)). This because a server splitting could mean that server has network problems or has died (or restarted), in which case the clients would typically reconnect to the remaining other servers, triggering an `+f`/`+F` join-flood and channels ending up being `+i` and such. That is not good because UnrealIRCd wants `+f`/`+F` to be as effortless as possible, with as little false positives as possible. * If your network has 5+ servers and the user load is spread evenly among them, then you could disable this feature by setting the amount of seconds to `0`. This because in such a scenario only 1/5th (20%) of the users would reconnect and hopefully don't trigger `+f`/`+F` join floods. * All these features only work properly if all servers are on 6.1.0-rc1 or later. * New module `whowasdb` (persistent `WHOWAS` history): this saves the `WHOWAS` history on disk periodically and when UnrealIRCd terminates, so next server boot still has the `WHOWAS` history. This module is currently not loaded by default. * New option [`listen::spoof- ip`](https://www.unrealircd.org/docs/Listen_block#spoof-ip), only valid when using UNIX domain sockets (so `listen::file`). This way you can override the IP address that users come online with when they use the socket (default was and still is `127.0.0.1`). * Add a new guide [Running Tor Onion service with UnrealI RCd](https://www.unrealircd.org/docs/Running_Tor_Onion_service_with_UnrealIRCd) which uses the new `listen::spoof-ip` and optionally requires a services account. * [JSON-RPC](https://www.unrealircd.org/docs/JSON-RPC): * Logging of JSON-RPC requests (e.g. via snomask `+R`) has been improved, it now shows: * The issuer, such as the user logged in to the admin panel (if known) * The parameters of the request * The JSON-RPC calls [`channel.list`](https://www.unrealircd.org/docs/JSON-RPC:Channel#channel.list), [`channel.get`](https://www.unrealircd.org/docs/JSON-RPC:Channel#channel.get), [`user.list`](https://www.unrealircd.org/docs/JSON-RPC:User#user.list) and [`user.get`](https://www.unrealircd.org/docs/JSON-RPC:User#user.get) now support an optional argument `object_detail_level` which specifies how detailed the [Channel](https://www.unrealircd.org/docs/JSON- RPC:Channel#Structure_of_a_channel) and [User](https://www.unrealircd.org/docs/JSON- RPC:User#Structure_of_a_client_object) response object will be. Especially useful if you don't need all the details in the list calls. * New JSON-RPC methods [`log.subscribe`](https://www.unrealircd.org/docs/JSON- RPC:Log#log.subscribe) and [`log.unsubscribe`](https://www.unrealircd.org/docs/JSON- RPC:Log#log.unsubscribe) to allow real-time streaming of [JSON log events](https://www.unrealircd.org/docs/JSON_logging). * New JSON-RPC method [`rpc.set_issuer`](https://www.unrealircd.org/docs/JSON-RPC:Rpc#rpc.set_issuer) to indiciate who is actually issuing the requests. The admin panel uses this to communicate who is logged in to the panel so this info can be used in logging. * New JSON-RPC methods [`rpc.add_timer`](https://www.unrealircd.org/docs/JSON- RPC:Rpc#rpc.add_timer) and [`rpc.del_timer`](https://www.unrealircd.org/docs/JSON-RPC:Rpc#rpc.del_timer) so you can schedule JSON-RPC calls, like stats.get, to be executed every xyz msec. * New JSON-RPC method [`whowas.get`](https://www.unrealircd.org/docs/JSON- RPC:Whowas#whowas.get) to fetch `WHOWAS` history. * Low ASCII is no longer filtered out in strings in JSON-RPC, only in JSON logging. * A new message tag `unrealircd.org/issued-by` which is IRCOp-only (and used intra-server) to communicate who actually issued a command. See [docs](https://www.unrealircd.org/issued-by). ## Changes * The RPC modules are enabled by default now. This so remote RPC works from other IRC servers for calls like `modules.list`. The default configuration does NOT enable the webserver nor does it cause listening on any socket for RPC, for that you need to follow the [JSON-RPC](https://www.unrealircd.org/docs/JSON-RPC) instructions. * The [blacklist-module](https://www.unrealircd.org/docs/Blacklist- module_directive) directive now accepts wildcards, e.g. `blacklist-module rpc/*;` * The setting set::modef-boot-delay has been moved to [`set::anti- flood::channel::boot-delay`](https://www.unrealircd.org/docs/Channel_anti- flood_settings#config). * UnrealIRCd now only exempts `127.0.0.1` and `::1` from banning by default (hardcoded in the source). Previously UnrealIRCd exempted whole `127.*` but that gets in the way if you want to allow Tor with a [require authentication](https://www.unrealircd.org/docs/Require_authentication_block) block or soft-ban. Now you can just tell Tor to bind to `127.0.0.2` so its not affected by the default exemption. ## Fixes * Crash if there is a parse error in an included file and there are other remote included files still being downloaded. * Memory leak in `WHOWAS` * Memory leak when connecting to a TLS server fails * Workaround a bug in some websocket implementations where the `WSOP_PONG` frame is unmasked (now permitted). ## Developers and protocol * The `cmode.free_param` definition changed. It now has an extra argument `int soft` and for return value you will normally `return 0` here. You can `return 1` if you resist freeing, which is rare and only used by `+F` with set::anti- flood::channel::default-profile. * New `cmode.flood_type_action` which can be used to indicate a channel mode can be used from +f/+F as an action. You need to specify for which flood type your mode is, e.g. `cmode.flood_type_action = 'j';` for joinflood. * JSON-RPC supports [UNIX domain sockets](https://www.unrealircd.org/docs/JSON- RPC:Technical_documentation#UNIX_domain_socket) for making RPC calls. If this is used, UnrealIRCd now splits on `\n` (newline) so multiple parallel requests can be handled properly. * Message tag `unrealircd.org/issued-by`, sent to IRCOps only. See [docs](https://www.unrealircd.org/issued-by). -------------------------------------------------------------------------------- ChangeLog: * Sat May 6 2023 Robert Scheck <robert@xxxxxxxxxxxxxxxxx> 6.1.0-1 - Upgrade to 6.1.0 (#2185257) -------------------------------------------------------------------------------- _______________________________________________ epel-devel mailing list -- epel-devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to epel-devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/epel-devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
