The following Fedora 14 Security updates need testing:
https://admin.fedoraproject.org/updates/gimp-2.6.11-14.fc14
https://admin.fedoraproject.org/updates/couchdb-1.0.2-4.fc14
https://admin.fedoraproject.org/updates/rssh-2.3.3-1.fc14
https://admin.fedoraproject.org/updates/php-ZendFramework-1.11.6-1.fc14
https://admin.fedoraproject.org/updates/avahi-0.6.27-6.fc14
https://admin.fedoraproject.org/updates/pure-ftpd-1.0.32-1.fc14
https://admin.fedoraproject.org/updates/dovecot-2.0.13-1.fc14
https://admin.fedoraproject.org/updates/apr-1.4.5-1.fc14
https://admin.fedoraproject.org/updates/kdenetwork-4.6.2-2.fc14
https://admin.fedoraproject.org/updates/unbound-1.4.8-2.fc14
https://admin.fedoraproject.org/updates/drupal7-7.2-1.fc14
https://admin.fedoraproject.org/updates/drupal-6.22-1.fc14
https://admin.fedoraproject.org/updates/cyrus-imapd-2.3.16-8.fc14
https://admin.fedoraproject.org/updates/tomcat6-6.0.26-21.fc14
https://admin.fedoraproject.org/updates/openldap-2.4.23-10.fc14
https://admin.fedoraproject.org/updates/kernel-2.6.35.13-92.fc14
https://admin.fedoraproject.org/updates/viewvc-1.1.11-1.fc14
https://admin.fedoraproject.org/updates/mumble-1.2.3-2.fc14
The following Fedora 14 Critical Path updates have yet to be approved:
https://admin.fedoraproject.org/updates/libcgroup-0.36.2-7.fc14
https://admin.fedoraproject.org/updates/kernel-2.6.35.13-92.fc14
https://admin.fedoraproject.org/updates/dash-0.5.6-4.fc14
https://admin.fedoraproject.org/updates/PackageKit-0.6.12-3.fc14
https://admin.fedoraproject.org/updates/nspr-4.8.8-1.fc14,nss-util-3.12.10-1.fc14,nss-softokn-3.12.10-1.fc14,nss-3.12.10-1.fc14
https://admin.fedoraproject.org/updates/pcre-8.10-2.fc14
https://admin.fedoraproject.org/updates/lvm2-2.02.84-2.fc14
https://admin.fedoraproject.org/updates/libedit-3.0-3.20090923cvs.fc14
https://admin.fedoraproject.org/updates/libpcap-1.1.1-3.fc14
https://admin.fedoraproject.org/updates/xorg-x11-drv-qxl-0.0.21-3.fc14
https://admin.fedoraproject.org/updates/evolution-exchange-2.32.3-1.fc14,evolution-data-server-2.32.3-1.fc14,evolution-2.32.3-1.fc14
https://admin.fedoraproject.org/updates/xorg-x11-drv-nouveau-0.0.16-14.20101010git8c8f15c.fc14
https://admin.fedoraproject.org/updates/dosfstools-3.0.9-6.fc14
https://admin.fedoraproject.org/updates/libimobiledevice-1.0.6-1.fc14
https://admin.fedoraproject.org/updates/libconcord-0.23-5.fc14,udev-161-9.fc14,concordance-0.23-2.fc14
https://admin.fedoraproject.org/updates/usbmuxd-1.0.7-1.fc14
https://admin.fedoraproject.org/updates/openldap-2.4.23-10.fc14
https://admin.fedoraproject.org/updates/avahi-0.6.27-6.fc14
https://admin.fedoraproject.org/updates/xorg-x11-drv-geode-2.11.11-4.fc14
The following builds have been pushed to Fedora 14 updates-testing
autoconf-archive-2011.04.12-1.fc14
drupal-6.22-1.fc14
drupal7-7.2-1.fc14
ecryptfs-utils-87-2.fc14
emacs-23.2-11.fc14
facter-1.5.9-1.fc14
fence-agents-3.1.4-1.fc14
ibus-1.3.9-4.fc14
kernel-2.6.35.13-92.fc14
libcgroup-0.36.2-7.fc14
libdeltacloud-0.8-1.fc14
libmygpo-qt-1.0.3-1.fc14
libqzeitgeist-0.7.0-1.fc14
prison-1.0-2.fc14
pyrenamer-0.6.0-7.fc14
systemtap-1.5-1.fc14
unbound-1.4.8-2.fc14
Details about builds:
================================================================================
autoconf-archive-2011.04.12-1.fc14 (FEDORA-2011-7537)
The Autoconf Macro Archive
--------------------------------------------------------------------------------
Update Information:
The GNU Autoconf Archive is a collection of more than 450 macros for GNU Autoconf that have been contributed as free software by friendly supporters of the cause from all over the Internet.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #663925 - Review Request: autoconf-archive - The Autoconf Macro Archive
https://bugzilla.redhat.com/show_bug.cgi?id=663925
--------------------------------------------------------------------------------
================================================================================
drupal-6.22-1.fc14 (FEDORA-2011-7578)
An open-source content-management platform
--------------------------------------------------------------------------------
Update Information:
* Advisory ID: DRUPAL-SA-CORE-2011-001
* Project: Drupal core [1]
* Version: 6.x, 7.x
* Date: 2011-May-25
* Security risk: Critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass, Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
Multiple vulnerabilities and weaknesses were discovered in Drupal.
.... Reflected cross site scripting vulnerability in error handler
A reflected cross site scripting vulnerability was discovered in Drupal's
error handler. Drupal displays PHP errors in the messages area, and a
specially crafted URL can cause malicious scripts to be injected into the
message. The issue can be mitigated by disabling on-screen error display at
admin/settings/error-reporting. This is the recommended setting for
production sites.
This issue affects Drupal 6.x only.
.... Cross site scripting vulnerability in Color module
When using re-colorable themes, color inputs are not sanitized. Malicious
color values can be used to insert arbitrary CSS and script code. Successful
exploitation requires the "Administer themes" permission.
This issue affects Drupal 6.x and 7.x.
.... Access bypass in File module
When using private files in combination with a node access module, the File
module allows unrestricted access to private files.
This issue affects Drupal 7.x only.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Drupal 7.x before version 7.1.
* Drupal 6.x before version 6.21.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you are running Drupal 7.x then upgrade to Drupal 7.1 [3] or 7.2 [4].
* If you are running Drupal 6.x then upgrade to Drupal 6.21 [5] or 6.22. [6]
The Security Team has released both a pure security update without other bug
fixes and a security update combined with other bug fixes and improvements.
You can choose to either only include the security update for an immediate
fix (which might require less quality assurance and testing) or more fixes
and improvements alongside the security fixes by choosing between Drupal 7.1
[7] and Drupal 7.2 [8] or Drupal 6.21 [9] and Drupal 6.22 [10].
See the release announcement [11] for more information.
See also the Drupal core [12] project page.
-------- REPORTED BY
---------------------------------------------------------
* The reflected cross site scripting vulnerability was reported by Heine
Deelstra [13] (*).
* The Color module cross site scripting vulnerability was reported by Kasper
Lindgaard, Secunia Research.
* The File access bypass was reported by Hubert Lecorche, and Peter Bex
[14].
-------- FIXED BY
------------------------------------------------------------
* The reflected cross site scripting vulnerability was fixed by Alan
Smithee.
* The Color module cross site scripting vulnerability was fixed by StÃphane
Corlosquet [15] (*), Heine Deelstra [16] (*), and Peter Wolanin [17] (*).
* The File access bypass was fixed by Heine Deelstra [18] (*).
(*) Member of the Drupal security team.
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [19].
Learn more about the Drupal Security team and their policies [20], writing
secure code for Drupal [21], and securing your site [22].
[1] http://drupal.org/project/drupal
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/node/1168910
[4] http://drupal.org/node/1168946
[5] http://drupal.org/node/1168908
[6] http://drupal.org/node/1168950
[7] http://drupal.org/node/1168910
[8] http://drupal.org/node/1168946
[9] http://drupal.org/node/1168908
[10] http://drupal.org/node/1168950
[11] http://drupal.org/drupal-7.2
[12] http://drupal.org/project/drupal
[13] http://drupal.org/user/17943
[14] https://drupal.org/user/309898
[15] http://drupal.org/user/52142
[16] http://drupal.org/user/17943
[17] http://drupal.org/user/49851
[18] http://drupal.org/user/17943
[19] http://drupal.org/contact
[20] http://drupal.org/security-team
[21] http://drupal.org/writing-secure-code
[22] http://drupal.org/security/secure-configuration
_______________________________________________
Security-news mailing list
Security-news@xxxxxxxxxx
http://lists.drupal.org/mailman/listinfo/security-news
--------------------------------------------------------------------------------
ChangeLog:
* Thu May 26 2011 Jon Ciesla <limb@xxxxxxxxxxxx> - 6.22-1
- New upstream, SA-CORE-2011-001.
--------------------------------------------------------------------------------
================================================================================
drupal7-7.2-1.fc14 (FEDORA-2011-7588)
An open-source content-management platform
--------------------------------------------------------------------------------
Update Information:
* Advisory ID: DRUPAL-SA-CORE-2011-001
* Project: Drupal core [1]
* Version: 6.x, 7.x
* Date: 2011-May-25
* Security risk: Critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass, Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
Multiple vulnerabilities and weaknesses were discovered in Drupal.
.... Reflected cross site scripting vulnerability in error handler
A reflected cross site scripting vulnerability was discovered in Drupal's
error handler. Drupal displays PHP errors in the messages area, and a
specially crafted URL can cause malicious scripts to be injected into the
message. The issue can be mitigated by disabling on-screen error display at
admin/settings/error-reporting. This is the recommended setting for
production sites.
This issue affects Drupal 6.x only.
.... Cross site scripting vulnerability in Color module
When using re-colorable themes, color inputs are not sanitized. Malicious
color values can be used to insert arbitrary CSS and script code. Successful
exploitation requires the "Administer themes" permission.
This issue affects Drupal 6.x and 7.x.
.... Access bypass in File module
When using private files in combination with a node access module, the File
module allows unrestricted access to private files.
This issue affects Drupal 7.x only.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Drupal 7.x before version 7.1.
* Drupal 6.x before version 6.21.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you are running Drupal 7.x then upgrade to Drupal 7.1 [3] or 7.2 [4].
* If you are running Drupal 6.x then upgrade to Drupal 6.21 [5] or 6.22. [6]
The Security Team has released both a pure security update without other bug
fixes and a security update combined with other bug fixes and improvements.
You can choose to either only include the security update for an immediate
fix (which might require less quality assurance and testing) or more fixes
and improvements alongside the security fixes by choosing between Drupal 7.1
[7] and Drupal 7.2 [8] or Drupal 6.21 [9] and Drupal 6.22 [10].
See the release announcement [11] for more information.
See also the Drupal core [12] project page.
-------- REPORTED BY
---------------------------------------------------------
* The reflected cross site scripting vulnerability was reported by Heine
Deelstra [13] (*).
* The Color module cross site scripting vulnerability was reported by Kasper
Lindgaard, Secunia Research.
* The File access bypass was reported by Hubert Lecorche, and Peter Bex
[14].
-------- FIXED BY
------------------------------------------------------------
* The reflected cross site scripting vulnerability was fixed by Alan
Smithee.
* The Color module cross site scripting vulnerability was fixed by StÃphane
Corlosquet [15] (*), Heine Deelstra [16] (*), and Peter Wolanin [17] (*).
* The File access bypass was fixed by Heine Deelstra [18] (*).
(*) Member of the Drupal security team.
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [19].
Learn more about the Drupal Security team and their policies [20], writing
secure code for Drupal [21], and securing your site [22].
[1] http://drupal.org/project/drupal
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/node/1168910
[4] http://drupal.org/node/1168946
[5] http://drupal.org/node/1168908
[6] http://drupal.org/node/1168950
[7] http://drupal.org/node/1168910
[8] http://drupal.org/node/1168946
[9] http://drupal.org/node/1168908
[10] http://drupal.org/node/1168950
[11] http://drupal.org/drupal-7.2
[12] http://drupal.org/project/drupal
[13] http://drupal.org/user/17943
[14] https://drupal.org/user/309898
[15] http://drupal.org/user/52142
[16] http://drupal.org/user/17943
[17] http://drupal.org/user/49851
[18] http://drupal.org/user/17943
[19] http://drupal.org/contact
[20] http://drupal.org/security-team
[21] http://drupal.org/writing-secure-code
[22] http://drupal.org/security/secure-configuration
_______________________________________________
Security-news mailing list
Security-news@xxxxxxxxxx
http://lists.drupal.org/mailman/listinfo/security-news
Require php 5.3.
--------------------------------------------------------------------------------
ChangeLog:
* Thu May 26 2011 Jon Ciesla <limb@xxxxxxxxxxxx> - 7.2-1
- New upstream, SA-CORE-2011-001.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #704319 - drupal7 should require php53 instead of php (including php sub-packages)
https://bugzilla.redhat.com/show_bug.cgi?id=704319
--------------------------------------------------------------------------------
================================================================================
ecryptfs-utils-87-2.fc14 (FEDORA-2011-7558)
The eCryptfs mount helper and support libraries
--------------------------------------------------------------------------------
Update Information:
- auto-load ecryptfs module in ecryptfs-setup-private
- fix not working mount after umount
- confirm passphrases in interactive mode
- fix not working mount after umount
- confirm passphrases in interactive mode
--------------------------------------------------------------------------------
ChangeLog:
* Thu May 26 2011 Michal Hlavinka <mhlavink@xxxxxxxxxx> - 87-2
- auto-load ecryptfs module in ecryptfs-setup-private
* Tue May 24 2011 Michal Hlavinka <mhlavink@xxxxxxxxxx> - 87-1
- updated to v. 87
* Wed Mar 2 2011 Michal Hlavinka <mhlavink@xxxxxxxxxx> - 86-2
- fix selinux context
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #707608 - Can not create Private Folder - No Kernelmodule?
https://bugzilla.redhat.com/show_bug.cgi?id=707608
--------------------------------------------------------------------------------
================================================================================
emacs-23.2-11.fc14 (FEDORA-2011-7554)
GNU Emacs text editor
--------------------------------------------------------------------------------
Update Information:
This is an update that fixes problems with handling the alternatives system between updates.
--------------------------------------------------------------------------------
ChangeLog:
* Thu May 26 2011 Karel KlÃÄ <kklic@xxxxxxxxxx> - 1:23.2-11
- Do not include /usr/bin/emacs in emacs-common
* Mon May 23 2011 Karel KlÃÄ <kklic@xxxxxxxxxx> - 1:23.2-10
- Fix the handling of alternatives
The current process loses alternatives preference on every upgrade,
but there seems to be no elegant way how to prevent this while
having versioned binaries (/bin/emacs-%{version}) at the same time.
* Mon Aug 16 2010 Karel Klic <kklic@xxxxxxxxxx> - 1:23.2-9
- Removed the png extension from the Icon entry in emacs.desktop (rhbz#507231)
* Mon Aug 2 2010 Karel Klic <kklic@xxxxxxxxxx> - 1:23.2-8
- Moved the terminal desktop menu item to a separate package (rhbz#617355)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #701048 - Emacs won't launch unless executed as emacs-23.2
https://bugzilla.redhat.com/show_bug.cgi?id=701048
[ 2 ] Bug #629401 - emacs package has /usr/bin/emacs as an empty file
https://bugzilla.redhat.com/show_bug.cgi?id=629401
--------------------------------------------------------------------------------
================================================================================
facter-1.5.9-1.fc14 (FEDORA-2011-7577)
Ruby module for collecting simple facts about a host operating system
--------------------------------------------------------------------------------
Update Information:
Facter 1.5.9 is a maintenance release containing fixes and updates.
This release contains several fixes, and updated facts, as well as adding some new facts. These include enhancements with Facter & EC2, additional memory facts for OS X, and better Ruby 1.9 support.
A patch from Orion Poplawski to address upstream issue 7682 (http://projects.puppetlabs.com/issues/7682) has been applied. This should improve support for EPEL users on Scientific Linux.
For the full list of changes refer to the upstream release announcement:
http://groups.google.com/group/puppet-announce/browse_thread/thread/b4eb40fa248d7b9b
--------------------------------------------------------------------------------
ChangeLog:
* Thu May 26 2011 Todd Zullinger <tmz@xxxxxxxxx> - 1.5.9-1
- Update to 1.5.9
- Improve Scientific Linux support, courtesy of Orion Poplawski (upstream #7682)
* Tue Feb 8 2011 Fedora Release Engineering <rel-eng@xxxxxxxxxxxxxxxxxxxxxxx> - 1.5.8-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
--------------------------------------------------------------------------------
================================================================================
fence-agents-3.1.4-1.fc14 (FEDORA-2011-7566)
Fence Agents for Red Hat Cluster
--------------------------------------------------------------------------------
Update Information:
This update fixes a few minor bugs and adds support for Citrix XenServer and XCP.
--------------------------------------------------------------------------------
ChangeLog:
* Thu May 26 2011 Fabio M. Di Nitto <fdinitto@xxxxxxxxxx> - 3.1.4-1
- new upstream release
--------------------------------------------------------------------------------
================================================================================
ibus-1.3.9-4.fc14 (FEDORA-2011-7561)
Intelligent Input Bus for Linux OS
--------------------------------------------------------------------------------
ChangeLog:
* Thu May 26 2011 Takao Fujiwara <tfujiwar@xxxxxxxxxx> - 1.3.9-4
- Updated ibus-541492-xkb.patch
Fixed Bug 696481 - no the variant maps without language codes
Fixed Bug 701202 - us(dvorak) does not show up in list
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #696481 - ibus does not show all the variant maps for any layout
https://bugzilla.redhat.com/show_bug.cgi?id=696481
[ 2 ] Bug #701202 - us(dvorak) does not show up in list
https://bugzilla.redhat.com/show_bug.cgi?id=701202
--------------------------------------------------------------------------------
================================================================================
kernel-2.6.35.13-92.fc14 (FEDORA-2011-7551)
The Linux kernel
--------------------------------------------------------------------------------
Update Information:
Some small but critical bug fixes and one security fix.
--------------------------------------------------------------------------------
ChangeLog:
* Fri May 20 2011 Chuck Ebbert <cebbert@xxxxxxxxxx> 2.6.35.13-92
- Add the rest of the fix for bug #704059
- dccp: handle invalid feature options length (CVE-2011-1770)
- Fix address wrapping in stack expansion code.
* Wed May 18 2011 Chuck Ebbert <cebbert@xxxxxxxxxx>
- Fix cifs bug in 2.6.35.13 with old Windows servers (#704125)
- Revert broken fixes for #704059, add proper partial fix.
* Fri May 13 2011 Kyle McMartin <kmcmartin@xxxxxxxxxx>
- [fabbione@] Fix a deadlock when using hp_sw with an HP san.
(7a1e9d82 upstream)
* Thu May 12 2011 Chuck Ebbert <cebbert@xxxxxxxxxx>
- Fix stalls on AMD machines with C1E caused by 2.6.35.13 (#704059)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #703011 - CVE-2011-1770 kernel: dccp: handle invalid feature options length
https://bugzilla.redhat.com/show_bug.cgi?id=703011
--------------------------------------------------------------------------------
================================================================================
libcgroup-0.36.2-7.fc14 (FEDORA-2011-7563)
Tools and libraries to control and monitor control groups
--------------------------------------------------------------------------------
ChangeLog:
* Thu May 26 2011 Ivana Hutarova Varekova <varekova@xxxxxxxxxx> 0.36.2-7
- Resolves: #683541
cgconfig fails to parse commas in the cgconfig.conf file
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #683541 - cgconfig fails to parse commas in the cgconfig.conf file
https://bugzilla.redhat.com/show_bug.cgi?id=683541
--------------------------------------------------------------------------------
================================================================================
libdeltacloud-0.8-1.fc14 (FEDORA-2011-7545)
A library for accessing deltacloud
--------------------------------------------------------------------------------
Update Information:
Update to libdeltacloud 0.8
--------------------------------------------------------------------------------
ChangeLog:
* Mon Apr 18 2011 Chris Lalancette <clalance@xxxxxxxxxx> - 0.8-1
- Update to latest upstream (0.8)
--------------------------------------------------------------------------------
================================================================================
libmygpo-qt-1.0.3-1.fc14 (FEDORA-2011-7552)
Qt Library that wraps the gpodder.net Web API
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #703488 - Review Request: libmygpo-qt - Qt Library that wraps the gpodder.net Web API
https://bugzilla.redhat.com/show_bug.cgi?id=703488
--------------------------------------------------------------------------------
================================================================================
libqzeitgeist-0.7.0-1.fc14 (FEDORA-2011-7576)
Qt Zeitgeist Library
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #706400 - Review Request: libqzeitgeist - Qt Zeitgeist Library
https://bugzilla.redhat.com/show_bug.cgi?id=706400
--------------------------------------------------------------------------------
================================================================================
prison-1.0-2.fc14 (FEDORA-2011-7581)
A Qt-based barcode abstraction library
--------------------------------------------------------------------------------
Update Information:
Prison is a Qt-based barcode abstraction layer/library that provides an uniform access to generation of barcodes with data.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #706409 - Review Request: prison - A Qt-based barcode abstraction library
https://bugzilla.redhat.com/show_bug.cgi?id=706409
--------------------------------------------------------------------------------
================================================================================
pyrenamer-0.6.0-7.fc14 (FEDORA-2011-7586)
A mass file renamer
--------------------------------------------------------------------------------
Update Information:
Un-orphaned.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #697976 - Review Request: pyrenamer - A mass file renamer
https://bugzilla.redhat.com/show_bug.cgi?id=697976
--------------------------------------------------------------------------------
================================================================================
systemtap-1.5-1.fc14 (FEDORA-2011-7544)
Instrumentation System
--------------------------------------------------------------------------------
ChangeLog:
* Mon May 23 2011 Stan Cox <scox@xxxxxxxxxx> - 1.5-1
- Upstream release.
--------------------------------------------------------------------------------
================================================================================
unbound-1.4.8-2.fc14 (FEDORA-2011-7555)
Validating, recursive, and caching DNS(SEC) resolver
--------------------------------------------------------------------------------
Update Information:
Denial of Service fix: CVE-2011-1922.
--------------------------------------------------------------------------------
ChangeLog:
* Wed May 25 2011 Paul Wouters <paul@xxxxxxxxxxxxx> - 1.4.8-2
- Applied patch for CVE-2011-1922 DoS vulnerability
--------------------------------------------------------------------------------
--
test mailing list
test@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe:
https://admin.fedoraproject.org/mailman/listinfo/test
