The following Fedora 14 Security updates need testing:

    https://admin.fedoraproject.org/updates/perl-FCGI-0.74-1.fc14
    https://admin.fedoraproject.org/updates/drupal6-views_bulk_operations-1.11-1.fc14
    https://admin.fedoraproject.org/updates/NetworkManager-0.8.5.92-1.git20110927.fc14
    https://admin.fedoraproject.org/updates/bcfg2-1.1.3-1.fc14
    https://admin.fedoraproject.org/updates/tomcat6-6.0.26-27.fc14
    https://admin.fedoraproject.org/updates/kernel-2.6.35.14-97.fc14
    https://admin.fedoraproject.org/updates/cyrus-imapd-2.3.17-1.fc14
    https://admin.fedoraproject.org/updates/php-5.3.8-3.fc14
    https://admin.fedoraproject.org/updates/thunderbird-3.1.15-1.fc14
    https://admin.fedoraproject.org/updates/firefox-3.6.23-1.fc14,xulrunner-1.9.2.23-1.fc14,gnome-web-photo-0.9-24.fc14.1,perl-Gtk2-MozEmbed-0.08-6.fc14.30,gnome-python2-extras-2.25.3-34.fc14.1,galeon-2.0.7-44.fc14.1,mozvoikko-1.0-25.fc14.1

The following Fedora 14 Critical Path updates have yet to be approved:

    https://admin.fedoraproject.org/updates/livecd-tools-14.4-1.fc14
    https://admin.fedoraproject.org/updates/NetworkManager-0.8.5.92-1.git20110927.fc14
    https://admin.fedoraproject.org/updates/kernel-2.6.35.14-97.fc14
    https://admin.fedoraproject.org/updates/lldpad-0.9.41-4.fc14
    https://admin.fedoraproject.org/updates/ModemManager-0.4.998-1.git20110706.fc14
    https://admin.fedoraproject.org/updates/mash-0.5.22-1.fc14
    https://admin.fedoraproject.org/updates/policycoreutils-2.0.85-30.3.fc14
    https://admin.fedoraproject.org/updates/xorg-x11-drv-openchrome-0.2.904-8.fc14.2
    https://admin.fedoraproject.org/updates/xorg-x11-drv-qxl-0.0.21-3.fc14
    https://admin.fedoraproject.org/updates/xorg-x11-drv-nouveau-0.0.16-14.20101010git8c8f15c.fc14
    https://admin.fedoraproject.org/updates/libconcord-0.23-5.fc14,udev-161-9.fc14,concordance-0.23-2.fc14

The following builds have been pushed to Fedora 14 updates-testing

    389-ds-base-1.2.10-0.1.a1.fc14
    RBTools-0.3.4-1.fc14
    cups-1.4.8-5.fc14
    firefox-3.6.23-1.fc14
    galeon-2.0.7-44.fc14.1
    gnome-python2-extras-2.25.3-34.fc14.1
    gnome-web-photo-0.9-24.fc14.1
    gscan2pdf-1.0.0-1.fc14
    koffice-2.3.3-12.fc14
    mozvoikko-1.0-25.fc14.1
    perl-Gtk2-MozEmbed-0.08-6.fc14.30
    php-5.3.8-3.fc14
    polipo-1.0.4.1-4.fc14
    thunderbird-3.1.15-1.fc14
    tomcat6-6.0.26-27.fc14
    xulrunner-1.9.2.23-1.fc14

Details about builds:

================================================================================
 389-ds-base-1.2.10-0.1.a1.fc14 (FEDORA-2011-13440)
 389 Directory Server (base)
--------------------------------------------------------------------------------
Update Information:

slapi_rwlock - transactions - account usability - bug fixes
--------------------------------------------------------------------------------
ChangeLog:

* Tue Sep 27 2011 Rich Megginson <rmeggins@xxxxxxxxxx> - 1.2.10.a1-0.1
- Bug 739172 - Allow separate fractional attrs for incremental and total protocols
- 6120b3d Make all backend operations transaction aware
- 056cc35 Add support for pre/post db transaction plugins
- Bug 736712 - Modifying ruv entry deadlocks server
- Bug 590826 - Reloading database from ldif causes changelog to emit "data no longer matches" errors
- Bug 730387 - Add slapi_rwlock API and use POSIX rwlocks
- Bug 611438 - Add Account Usability Control support
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #739172 - Allow separate fractional attrs to be defined for incremental and total protocols
        https://bugzilla.redhat.com/show_bug.cgi?id=739172
  [ 2 ] Bug #736712 - Modifying ruv entry deadlocks server
        https://bugzilla.redhat.com/show_bug.cgi?id=736712
  [ 3 ] Bug #590826 - Reloading database from ldif causes changelog to emit "data no longer matches" errors
        https://bugzilla.redhat.com/show_bug.cgi?id=590826
  [ 4 ] Bug #730387 - Use POSIX RW locks instead of NSPR implementation
        https://bugzilla.redhat.com/show_bug.cgi?id=730387
  [ 5 ] Bug #611438 - [RFE] [CRM#2027194] adding Account Usable Request Control '1.3.6.1.4.1.42.2.27.9.5.8' in RHDS
        https://bugzilla.redhat.com/show_bug.cgi?id=611438
--------------------------------------------------------------------------------

================================================================================
 RBTools-0.3.4-1.fc14 (FEDORA-2011-13471)
 Tools for use with ReviewBoard
--------------------------------------------------------------------------------
Update Information:

* Tue Sep 27 2011 Stephen Gallagher <sgallagh@xxxxxxxxxx> - 0.3.4-1
- New upstream 0.3.4 release
- http://www.reviewboard.org/docs/releasenotes/dev/rbtools/0.3.4/
- New Features:
  - post-review:
    - Added a --change-description option for setting the Change Description text on drafts
- Bugfixes:
  - post-review:
    - Newlines in summaries on Git are now converted to spaces, preventing errors when using --guess-summary
    - Fixed authentication failures when accessing a protected /api/info/ URL. This was problematic particularly on RBCommons
    - Fixed diff upload problems on Python 2.7
--------------------------------------------------------------------------------
ChangeLog:

* Tue Sep 27 2011 Stephen Gallagher <sgallagh@xxxxxxxxxx> - 0.3.4-1
- New upstream 0.3.4 release
- http://www.reviewboard.org/docs/releasenotes/dev/rbtools/0.3.4/
- New Features:
  - post-review:
    - Added a --change-description option for setting the Change Description text on drafts
- Bugfixes:
  - post-review:
    - Newlines in summaries on Git are now converted to spaces, preventing errors when using --guess-summary
    - Fixed authentication failures when accessing a protected /api/info/ URL. This was problematic particularly on RBCommons
    - Fixed diff upload problems on Python 2.7
--------------------------------------------------------------------------------

================================================================================
 cups-1.4.8-5.fc14 (FEDORA-2011-13444)
 Common Unix Printing System
--------------------------------------------------------------------------------
Update Information:

This update fixes a crash in the CUPS dbus notifier.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Sep 28 2011 Tim Waugh <twaugh@xxxxxxxxxx> 1:1.4.8-5
- Fixed string manipulation in the dbus notifier (STR #3947, bug #741833).
* Wed Sep 14 2011 Tim Waugh <twaugh@xxxxxxxxxx> 1:1.4.8-4
- Prevent libcups crash in cups-get-classes patch (bug #736698).
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #741833 - [abrt] cups-1.5.0-6.fc16: __GI_raise: Process /usr/lib/cups/notifier/dbus was killed by signal 6 (SIGABRT)
        https://bugzilla.redhat.com/show_bug.cgi?id=741833
--------------------------------------------------------------------------------

================================================================================
 firefox-3.6.23-1.fc14 (FEDORA-2011-13467)
 Mozilla Firefox Web browser
--------------------------------------------------------------------------------
Update Information:

Update to new upstream Firefox version 3.6.23, fixing multiple security issues detailed in the upstream advisories:

* http://www.mozilla.org/security/known-vulnerabilities/firefox36.html#firefox3.6.23

This update also includes all packages depending on gecko-libs rebuilt against the new version of Firefox / XULRunner.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Sep 27 2011 Jan Horak <jhorak@xxxxxxxxxx> - 3.6.23-1
- Update to 3.6.23
--------------------------------------------------------------------------------

================================================================================
 galeon-2.0.7-44.fc14.1 (FEDORA-2011-13467)
 GNOME2 Web browser based on Mozilla
--------------------------------------------------------------------------------
Update Information:

Update to new upstream Firefox version 3.6.23, fixing multiple security issues detailed in the upstream advisories:

* http://www.mozilla.org/security/known-vulnerabilities/firefox36.html#firefox3.6.23

This update also includes all packages depending on gecko-libs rebuilt against the new version of Firefox / XULRunner.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Sep 27 2011 Jan Horak <jhorak@xxxxxxxxxx> - 2.0.7-44.1
- Rebuild against newer gecko
--------------------------------------------------------------------------------

================================================================================
 gnome-python2-extras-2.25.3-34.fc14.1 (FEDORA-2011-13467)
 Additional PyGNOME Python extension modules
--------------------------------------------------------------------------------
Update Information:

Update to new upstream Firefox version 3.6.23, fixing multiple security issues detailed in the upstream advisories:

* http://www.mozilla.org/security/known-vulnerabilities/firefox36.html#firefox3.6.23

This update also includes all packages depending on gecko-libs rebuilt against the new version of Firefox / XULRunner.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Sep 27 2011 Jan Horak <jhorak@xxxxxxxxxx> - 2.25.3-34.1
- Rebuild against newer gecko
--------------------------------------------------------------------------------

================================================================================
 gnome-web-photo-0.9-24.fc14.1 (FEDORA-2011-13467)
 HTML pages thumbnailer
--------------------------------------------------------------------------------
Update Information:

Update to new upstream Firefox version 3.6.23, fixing multiple security issues detailed in the upstream advisories:

* http://www.mozilla.org/security/known-vulnerabilities/firefox36.html#firefox3.6.23

This update also includes all packages depending on gecko-libs rebuilt against the new version of Firefox / XULRunner.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Sep 27 2011 Jan Horak <jhorak@xxxxxxxxxx> - 0.9-24.1
- Rebuild against newer gecko
--------------------------------------------------------------------------------

================================================================================
 gscan2pdf-1.0.0-1.fc14 (FEDORA-2011-13449)
 GUI for producing a multipage PDF from a scan
--------------------------------------------------------------------------------
Update Information:

* Deal with version information from PDF::API2
* Suppressed "End of file reached" message.
  Closes Debian bug #622844
  Thanks to Sebastian Schmidt for the patch
* Switch to OO interface for File::Temp, thus automatically clearing up unneeded temporary files.
  Closes Debian bug #563461
* Removed all blocking progress dialogs
  Closes Debian bug #577144
* + Spinbuttons to crop dialog
* + Edit/Select/No OCR
* + Edit/Clear OCR
  Closes Debian bug #602578
* Combined Import and Open dialogs
  Closes Debian bug #617886
* + Tesseract 3.01 support
* Fix embedding of UTF-8 OCR output
* Update to Catalan translation (thanks to Norbux)
* Update to Dutch translation (thanks to Tico)
* Update to Hungarian translation (thanks to Gábor Sepsi)
* Update to Italian translation (thanks to Milo Casagrande)
* Update to Polish translation (thanks to pp/bs)
* Update to Russian translation (thanks to Eugene Marshal)
* Update to Spanish translation (thanks to R120X)
* Update to Turkish translation (thanks to Utku BERBEROĞLU)
* Update to Ukrainian translation (thanks to Сергій Дубик)
--------------------------------------------------------------------------------
ChangeLog:

* Tue Sep 27 2011 Bernard Johnson <bjohnson@xxxxxxxxxxxx> - 1.0.0-1
- v 1.0.0 (bz #740997)
- disable tests for now due to dependencies
* Fri Jun 17 2011 Marcela Mašláňová <mmaslano@xxxxxxxxxx> - 0.9.32-2
- Perl mass rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #740997 - gscan2pdf-1.0.0 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=740997
--------------------------------------------------------------------------------

================================================================================
 koffice-2.3.3-12.fc14 (FEDORA-2011-13441)
 An integrated office suite
--------------------------------------------------------------------------------
Update Information:

Include a couple new upstream crash fixes for kexi.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Sep 23 2011 Rex Dieter <rdieter@xxxxxxxxxxxxxxxxx> 3:2.3.3-12
- upstream fix-form-color-properties-2.3.patch
- upstream fix-crash-in-kexidb-queries-2.3.patch
* Mon Sep 19 2011 Marek Kasik <mkasik@xxxxxxxxxx> - 3:2.3.3-11
- Rebuild (poppler-0.17.3)
* Thu Sep 8 2011 Jaroslav Reznik <jreznik@xxxxxxxxxx> - 3:2.3.3-10
- Qt 4.8 FTBFS (rhbz#736659)
* Fri Jul 15 2011 Marek Kasik <mkasik@xxxxxxxxxx> - 3:2.3.3-9
- Rebuild (poppler-0.17.0)
* Tue Jul 12 2011 Rex Dieter <rdieter@xxxxxxxxxxxxxxxxx> 3:2.3.3-8
- BR: +pkgconfig(libkdcraw),pkgconfig(poppler-qt4)
* Tue Jul 5 2011 Rex Dieter <rdieter@xxxxxxxxxxxxxxxxx> 3:2.3.3-7
- rebuild (libpqxx)
* Thu Jun 30 2011 Rex Dieter <rdieter@xxxxxxxxxxxxxxxxx> 3:2.3.3-6
- rebuild (kdegraphics)
* Mon Jun 20 2011 ajax@xxxxxxxxxx - 3:2.3.3-5
- Rebuild for new glew soname
--------------------------------------------------------------------------------

================================================================================
 mozvoikko-1.0-25.fc14.1 (FEDORA-2011-13467)
 Finnish Voikko spell-checker extension for Mozilla programs
--------------------------------------------------------------------------------
Update Information:

Update to new upstream Firefox version 3.6.23, fixing multiple security issues detailed in the upstream advisories:

* http://www.mozilla.org/security/known-vulnerabilities/firefox36.html#firefox3.6.23

This update also includes all packages depending on gecko-libs rebuilt against the new version of Firefox / XULRunner.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Sep 27 2011 Jan Horak <jhorak@xxxxxxxxxx> - 1.0-25.1
- Rebuild against newer gecko
--------------------------------------------------------------------------------

================================================================================
 perl-Gtk2-MozEmbed-0.08-6.fc14.30 (FEDORA-2011-13467)
 Interface to the Mozilla embedding widget
--------------------------------------------------------------------------------
Update Information:

Update to new upstream Firefox version 3.6.23, fixing multiple security issues detailed in the upstream advisories:

* http://www.mozilla.org/security/known-vulnerabilities/firefox36.html#firefox3.6.23

This update also includes all packages depending on gecko-libs rebuilt against the new version of Firefox / XULRunner.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Sep 27 2011 Jan Horak <jhorak@xxxxxxxxxx> - 0.08-6.30
- Rebuild against newer gecko
--------------------------------------------------------------------------------

================================================================================
 php-5.3.8-3.fc14 (FEDORA-2011-13458)
 PHP scripting language for creating dynamic web sites
--------------------------------------------------------------------------------
Update Information:

Revert is_a() behavior to php <= 5.3.6 and add a new option (allow_string) for the new behavior (accept string and raise autoload if needed)
--------------------------------------------------------------------------------
ChangeLog:

* Wed Sep 28 2011 Remi Collet <remi@xxxxxxxxxxxxxxxxx> 5.3.8-3
- revert is_a() to php <= 5.3.6 behavior (from upstream)
  with new option (allow_string) for new behavior
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #741020 - CVE-2011-3379 php: changes to is_a() in 5.3.7 may allow arbitrary code execution with certain code
        https://bugzilla.redhat.com/show_bug.cgi?id=741020
--------------------------------------------------------------------------------

================================================================================
 polipo-1.0.4.1-4.fc14 (FEDORA-2011-13462)
 Lightweight caching web proxy
--------------------------------------------------------------------------------
Update Information:

- take file / dir creation & testing out of initscript (bz #708814)
- remove log file / dir creation in spec too
- NetworkManager integration should use restart rather than reload (bz #699677)
- add support for tmpfiles.d (bz #656669)
- add support for systemd starting in F17
--------------------------------------------------------------------------------
ChangeLog:

* Mon Sep 26 2011 Bernard Johnson <bjohnson@xxxxxxxxxxxx> - 1.0.4.1-4
- take file / dir creation & testing out of initscript (bz #708814)
- remove log file / dir creation in spec too
- NetworkManager integration should use restart rather than reload (bz #699677)
- add support for tmpfiles.d (bz #656669)
- add support for systemd starting in F17
* Wed Feb 9 2011 Fedora Release Engineering <rel-eng@xxxxxxxxxxxxxxxxxxxxxxx> - 1.0.4.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #708814 - polipo init script issues
        https://bugzilla.redhat.com/show_bug.cgi?id=708814
  [ 2 ] Bug #699677 - polipo networkmanager integration doesnt reload dns
        https://bugzilla.redhat.com/show_bug.cgi?id=699677
  [ 3 ] Bug #656669 - Please Update Spec File to use %ghost on files in /var/run and /var/lock
        https://bugzilla.redhat.com/show_bug.cgi?id=656669
--------------------------------------------------------------------------------

================================================================================
 thunderbird-3.1.15-1.fc14 (FEDORA-2011-13450)
 Mozilla Thunderbird mail/newsgroup client
--------------------------------------------------------------------------------
Update Information:

The latest version of Thunderbird has the following changes:

- Fixed several security issues
- Numerous platform fixes that improve speed, performance and stability
--------------------------------------------------------------------------------
ChangeLog:

* Wed Sep 28 2011 Jan Horak <jhorak@xxxxxxxxxx> - 3.1.15-1
- Update to 3.1.15
--------------------------------------------------------------------------------

================================================================================
 tomcat6-6.0.26-27.fc14 (FEDORA-2011-13457)
 Apache Servlet/JSP Engine, RI for Servlet 2.5/JSP 2.1 API
--------------------------------------------------------------------------------
Update Information:

Fixes for:
CVE-2011-3190 - authentication bypass and information disclosure
CVE-2011-2526 - send file validation
CVE-2011-2204 - password disclosure vulnerability
JAVA_HOME setting in tomcat6.conf
CVE-2011-0534, CVE-2011-0013, CVE-2010-3718
--------------------------------------------------------------------------------
ChangeLog:

* Tue Sep 27 2011 David Knox <dknox@xxxxxxxxxx> 0:6.0.26-27
- Resolves CVE-2011-3190 rhbz 738502
* Mon Sep 26 2011 David Knox <dknox@xxxxxxxxxx> 0:6.0.26-26
- Resolves rhbz 640134 - JAVA_HOME setting
* Fri Sep 23 2011 David Knox <dknox@xxxxxxxxxx> 0:6.0.26-25
- Resolves CVE-2011-2526 rhbz 721087 sendfile validation and
- validation
* Wed Aug 10 2011 David Knox <dknox@xxxxxxxxxx> 0:6.0.26-24
- Resolves changed java R and BR so it does not specify a version
* Fri Jul 1 2011 David Knox <dknox@xxxxxxxxxx> 0:6.0.26-23
- Resolves rhbz 669969 - BasicDataSourceFactory in sysconfig
* Tue Jun 28 2011 David Knox <dknox@xxxxxxxxxx> 0:6.0.26-22
- Resolves rhbz 717016 CVE-2011-2204
* Sun May 1 2011 David Knox <dknox@xxxxxxxxxx> O:6.0.26-21
* Resolves rhbz 701037 - bad symbolic link to tomcat-juli
* Thu Apr 14 2011 David Knox <dknox@xxxxxxxxxx> 0:6.0.26-20
* Applied CVE-2010-3718, CVE-2011-0013, CVE-2011-0534
* Thu Feb 17 2011 David Knox <dknox@xxxxxxxxxx> 0:6.0.26-19
- Reversed changes in tomcat6.init so tomcat6.conf is read before
- the system configuration
* Thu Feb 3 2011 David Knox <dknox@xxxxxxxxxx> 0:6.0.26-18
- Resolves: rhbz 647601 - JDK Double.parseDouble DoS
* Mon Jan 17 2011 David Knox <dknox@xxxxxxxxxx> 0:6.0.26-17
- Resolves: rhbz# 669969 - tomcat.conf sets javax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory" as the default.
- Resolves issues running multiple instances on a single host. Logging
- directory points to ${CATALINA_HOME}/logs/
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #738502 - CVE-2011-3190 tomcat: authentication bypass and information disclosure [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=738502
  [ 2 ] Bug #640134 - Issues with setting JAVA_HOME
        https://bugzilla.redhat.com/show_bug.cgi?id=640134
  [ 3 ] Bug #721087 - CVE-2011-2526 tomcat5, tomcat6: Certain server files exposure and JVM crash via crafted web application running under security manager [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=721087
  [ 4 ] Bug #717016 - CVE-2011-2204 tomcat: password disclosure vulnerability [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=717016
  [ 5 ] Bug #701037 - bad symbolic links created for tomcat-juli jar
        https://bugzilla.redhat.com/show_bug.cgi?id=701037
  [ 6 ] Bug #675794 - CVE-2011-0013 CVE-2010-3718 CVE-2011-0534 tomcat6 various flaws [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=675794
--------------------------------------------------------------------------------

================================================================================
 xulrunner-1.9.2.23-1.fc14 (FEDORA-2011-13467)
 XUL Runtime for Gecko Applications
--------------------------------------------------------------------------------
Update Information:

Update to new upstream Firefox version 3.6.23, fixing multiple security issues detailed in the upstream advisories:

* http://www.mozilla.org/security/known-vulnerabilities/firefox36.html#firefox3.6.23

This update also includes all packages depending on gecko-libs rebuilt against the new version of Firefox / XULRunner.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Sep 27 2011 Jan Horak <jhorak@xxxxxxxxxx> - 1.9.2.23-1
- Update to 1.9.2.23
--------------------------------------------------------------------------------