The following Fedora 16 Security updates need testing:
 Age  URL
   2  https://admin.fedoraproject.org/updates/FEDORA-2012-13665/blender-2.59-7.fc16
   2  https://admin.fedoraproject.org/updates/FEDORA-2012-13656/mcrypt-2.6.8-9.fc16
   2  https://admin.fedoraproject.org/updates/FEDORA-2012-13649/munin-2.0.6-2.fc16
  12  https://admin.fedoraproject.org/updates/FEDORA-2012-12984/pcp-3.6.6-1.fc16
  65  https://admin.fedoraproject.org/updates/FEDORA-2012-10402/bcfg2-1.2.3-1.fc16
  20  https://admin.fedoraproject.org/updates/FEDORA-2012-12514/tor-0.2.2.38-1600.fc16
  37  https://admin.fedoraproject.org/updates/FEDORA-2012-11526/dokuwiki-0-0.11.20120125.b.fc16
   0  https://admin.fedoraproject.org/updates/FEDORA-2012-13839/ghostscript-9.05-2.fc16
   0  https://admin.fedoraproject.org/updates/FEDORA-2012-13824/libxml2-2.7.8-8.fc16
  10  https://admin.fedoraproject.org/updates/FEDORA-2012-13127/java-1.6.0-openjdk-1.6.0.0-68.1.11.4.fc16
   8  https://admin.fedoraproject.org/updates/FEDORA-2012-13266/ypserv-2.29-1.fc16
   4  https://admin.fedoraproject.org/updates/FEDORA-2012-13437/asterisk-1.8.15.1-1.fc16
  68  https://admin.fedoraproject.org/updates/FEDORA-2012-10314/revelation-0.4.14-1.fc16
   4  https://admin.fedoraproject.org/updates/FEDORA-2012-13400/moin-1.9.4-3.fc16
   4  https://admin.fedoraproject.org/updates/FEDORA-2012-13488/wordpress-3.4.2-2.fc16
   4  https://admin.fedoraproject.org/updates/FEDORA-2012-13443/xen-4.1.3-2.fc16


The following Fedora 16 Critical Path updates have yet to be approved:
 Age  URL
   0  https://admin.fedoraproject.org/updates/FEDORA-2012-13845/perl-5.14.2-200.fc16
   0  https://admin.fedoraproject.org/updates/FEDORA-2012-13824/libxml2-2.7.8-8.fc16
   1  https://admin.fedoraproject.org/updates/FEDORA-2012-13755/sane-backends-1.0.23-4.fc16
   2  https://admin.fedoraproject.org/updates/FEDORA-2012-13681/python-alsa-1.0.26-1.fc16,alsa-plugins-1.0.26-1.fc16,alsa-tools-1.0.26.1-1.fc16,alsa-utils-1.0.26-1.fc16,alsa-lib-1.0.26-1.fc16
   2  https://admin.fedoraproject.org/updates/FEDORA-2012-13616/fontconfig-2.8.0-8.fc16
   4  https://admin.fedoraproject.org/updates/FEDORA-2012-13481/livecd-tools-16.16-1.fc16
   4  https://admin.fedoraproject.org/updates/FEDORA-2012-13477/plymouth-0.8.4-0.20110822.6.fc16
   4  https://admin.fedoraproject.org/updates/FEDORA-2012-13440/fedora-logos-16.0.2-2.fc16
   7  https://admin.fedoraproject.org/updates/FEDORA-2012-13326/xorg-x11-drv-intel-2.20.6-1.fc16
   8  https://admin.fedoraproject.org/updates/FEDORA-2012-13237/liboauth-0.9.7-1.fc16


The following builds have been pushed to Fedora 16 updates-testing

    ejabberd-2.1.11-5.fc16
    erlang-R15B-02.1.fc16
    ghostscript-9.05-2.fc16
    libxml2-2.7.8-8.fc16
    lm_sensors-3.3.2-4.fc16
    mc-4.8.5-1.fc16
    nut-2.6.5-3.fc16
    perl-5.14.2-200.fc16
    pki-core-9.0.23-1.fc16
    python-qpid-0.18-1.fc16

Details about builds:


================================================================================
 ejabberd-2.1.11-5.fc16 (FEDORA-2012-13837)
 A distributed, fault-tolerant Jabber/XMPP server
--------------------------------------------------------------------------------
Update Information:

- Cherry-picked three new patches from upstream trunk
--------------------------------------------------------------------------------
ChangeLog:

* Mon Sep 10 2012 Peter Lemenkov <lemenkov@xxxxxxxxx> - 2.1.11-5
- Cherry-picked three new patches from upstream trunk
* Wed Jul 18 2012 Fedora Release Engineering <rel-eng@xxxxxxxxxxxxxxxxxxxxxxx> - 2.1.11-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
--------------------------------------------------------------------------------


================================================================================
 erlang-R15B-02.1.fc16 (FEDORA-2012-13844)
 General-purpose programming language and runtime environment
--------------------------------------------------------------------------------
Update Information:

* Ver. R15B02 (bugfix release)
--------------------------------------------------------------------------------
ChangeLog:

* Mon Sep 10 2012 Peter Lemenkov <lemenkov@xxxxxxxxx> - R15B-02.1
- Ver. R15B02
* Wed Aug 15 2012 Karsten Hopp <karsten@xxxxxxxxxx> R15B-01.4.2
- set BASE_OPTIONS to -Xmx1536m on ppc*
* Wed Jul 18 2012 Fedora Release Engineering <rel-eng@xxxxxxxxxxxxxxxxxxxxxxx> - R15B-01.4.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #855055 - erlang-15B02 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=855055
--------------------------------------------------------------------------------


================================================================================
 ghostscript-9.05-2.fc16 (FEDORA-2012-13839)
 A PostScript interpreter and renderer
--------------------------------------------------------------------------------
Update Information:

This update removes some bundled libraries, notably icclib. This avoids security issue CVE-2012-4405.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Sep 11 2012 Tim Waugh <twaugh@xxxxxxxxxx> 9.05-2
- Removed more bundled packages (bug #816747). In particular, icclib
  is no longer bundled (bug #856060, CVE-2012-4405).
* Thu Feb 9 2012 Tim Waugh <twaugh@xxxxxxxxxx>
- Avoid mixed tabs and spaces in spec file.
* Thu Feb 9 2012 Tim Waugh <twaugh@xxxxxxxxxx> 9.05-1
- 9.05.
* Fri Jan 6 2012 Tim Waugh <twaugh@xxxxxxxxxx> 9.04-9
- Use %_cups_serverbin macro.
* Fri Jan 6 2012 Tim Waugh <twaugh@xxxxxxxxxx> 9.04-8
- Rebuilt for GCC 4.7.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #854227 - CVE-2012-4405 ghostscript, argyllcms: Array index error leading to heap-based buffer OOB write
        https://bugzilla.redhat.com/show_bug.cgi?id=854227
--------------------------------------------------------------------------------


================================================================================
 libxml2-2.7.8-8.fc16 (FEDORA-2012-13824)
 Library providing XML and HTML support
--------------------------------------------------------------------------------
Update Information:

lot of security bug fixes
Lots of security patches
--------------------------------------------------------------------------------
ChangeLog:

* Tue Sep 11 2012 Daniel Veillard <veillard@xxxxxxxxxx> - 2.7.8-8
- previous build broken due to failure to use the versioning script
  rebuilding with automake and autoconf
* Mon Sep 10 2012 Daniel Veillard <veillard@xxxxxxxxxx> - 2.7.8-7
- Fixes for CVE-2011-3919 CVE-2011-3905 CVE-2011-2834 (rhbz#772122)
- Fixes for CVE-2012-2807 (843743)
- Fixes for CVE-2012-0841 (795698)
- Fix for CVE-2011-1944 (709750)
- Fix for CVE-2011-0216 (755813)
- Fix for CVE-2011-2821 (735715)
- Fix for CVE-2011-3102 (822171)
- Fix some potential problems on reallocation failures
- Hardening of XPath evaluation
- Fix an off by one error in encoding
- Fix missing error status in XPath evaluation
- Make sure the parser returns when getting a Stop order
- Fix an allocation error when copying entities
- Add hash randomization to hash and dict structures
- Force randomization of dict and hash
- Fix a failure to report xmlreader parsing failures
- Fix parser local buffers size problems
- Fix entities local buffers size problems
- Fix an error in previous commit
- Do not fetch external parsed entities
- Impose a reasonable limit on attribute size
- Impose a reasonable limit on comment size
- Impose a reasonable limit on PI size
- Cleanups and new limit APIs for dictionaries
- Introduce some default parser limits
- Implement some default limits in the XPath module
- Fixup limits parser
- Enforce XML_PARSER_EOF state handling through the parser
- Avoid quadratic behaviour in some push parsing cases
- More avoid quadratic behaviour
- Strengthen behaviour of the push parser in problematic situations
- More fixups on the push parser behaviour
- Fix a segfault on XSD validation on pattern error
- Fix an unimplemented part in RNG value validation
- Fix an off by one pointer access
- Change the XPath code to percolate allocation errors
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #772122 - CVE-2011-3919 CVE-2011-3905 CVE-2011-2834 libxml2 various flaws [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=772122
  [ 2 ] Bug #843743 - CVE-2012-2807 libxml2 (64-bit): Multiple integer overflows, leading to DoS or possibly other unspecified impact [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=843743
  [ 3 ] Bug #709750 - CVE-2011-1944 libxml2: Heap-based buffer overflow by adding new namespace node to an existing nodeset or merging nodesets [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=709750
  [ 4 ] Bug #735715 - CVE-2011-2821 libxml2: double free caused by malformed XPath expression in XSLT [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=735715
  [ 5 ] Bug #822171 - CVE-2011-3102 libxml: An off-by-one out-of-bounds write by XPointer part evaluation [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=822171
  [ 6 ] Bug #755813 - CVE-2011-0216 libxml2: Off-by-one error leading to heap-based buffer overflow in encoding [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=755813
  [ 7 ] Bug #795698 - CVE-2012-0841 libxml2: hash table collisions CPU usage DoS [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=795698
--------------------------------------------------------------------------------


================================================================================
 lm_sensors-3.3.2-4.fc16 (FEDORA-2012-13825)
 Hardware monitoring tools
--------------------------------------------------------------------------------
Update Information:

#728583 - sensord doesn't start
Native systemd file has been merged to f17 and f16 branches.
everyone on arm must update
new upstream version
new upstream version
--------------------------------------------------------------------------------
ChangeLog:

* Tue Sep 11 2012 Jaromir Capik <jcapik@xxxxxxxxxx> - 3.3.2-4
- Fixing missing sensord subpackage name in second postun scriptlet
* Tue Sep 11 2012 Jaromir Capik <jcapik@xxxxxxxxxx> - 3.3.2-3
- #728583 - sensord doesn't start
- merged from f18/f19 branch (commit 373ef7f2509bf59beeb5709272ed24148da54538)
* Mon Apr 2 2012 Nikola Pajkovsky <npajkovs@xxxxxxxxxx> - 3.3.2-2
- rhbz#806364 - sensors-detect fails with "/sys/bus/pci/devices: No such file or
  directory at /usr/sbin/sensors-detect line 2895"
  PCI bus is always required even if it might be missing on some platforms.
  So don't choke if it is missing. Patch from Jaromir Capik
* Thu Mar 15 2012 Nikola Pajkovsky <npajkovs@xxxxxxxxxx> - 3.3.2-1
- upstream lm-sensors-3.3.2
* Mon Feb 13 2012 Nikola Pajkovsky <npajkovs@xxxxxxxxxx> - 3.3.1-3
- 789761 - Provide native systemd service
* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@xxxxxxxxxxxxxxxxxxxxxxx> - 3.3.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #728583 - sensord doesn't start
        https://bugzilla.redhat.com/show_bug.cgi?id=728583
  [ 2 ] Bug #806364 - sensors-detect fails with "/sys/bus/pci/devices: No such file or directory at /usr/sbin/sensors-detect line 2895."
        https://bugzilla.redhat.com/show_bug.cgi?id=806364
  [ 3 ] Bug #803285 - lm_sensors-3.3.2 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=803285
--------------------------------------------------------------------------------


================================================================================
 mc-4.8.5-1.fc16 (FEDORA-2012-13848)
 User-friendly text console file manager and visual shell
--------------------------------------------------------------------------------
Update Information:

Update to 4.8.5.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Sep 10 2012 Jindrich Novy <jnovy@xxxxxxxxxx> 4.8.5-1
- update to 4.8.5
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #854876 - mc - Inconsistency between man page and help
        https://bugzilla.redhat.com/show_bug.cgi?id=854876
  [ 2 ] Bug #844392 - File > Exit menu problem in mc-4.8.4-2.fc17
        https://bugzilla.redhat.com/show_bug.cgi?id=844392
  [ 3 ] Bug #844352 - Error dialog when opening archives
        https://bugzilla.redhat.com/show_bug.cgi?id=844352
  [ 4 ] Bug #840382 - midnight commander doesn't panelize all files
        https://bugzilla.redhat.com/show_bug.cgi?id=840382
  [ 5 ] Bug #840278 - [abrt] mc-4.8.3-1.fc17: cpio_read: Process /usr/bin/mc was killed by signal 11 (SIGSEGV)
        https://bugzilla.redhat.com/show_bug.cgi?id=840278
  [ 6 ] Bug #838371 - [abrt] mc-4.8.3-1.fc17: __libc_message: Process /usr/bin/mc was killed by signal 6 (SIGABRT)
        https://bugzilla.redhat.com/show_bug.cgi?id=838371
  [ 7 ] Bug #832963 - MC segfaults when executing 'relative symlink'
        https://bugzilla.redhat.com/show_bug.cgi?id=832963
  [ 8 ] Bug #830069 - [abrt] mc-4.8.3-1.fc17: __GI_raise: Process /usr/bin/mc was killed by signal 6 (SIGABRT)
        https://bugzilla.redhat.com/show_bug.cgi?id=830069
  [ 9 ] Bug #829347 - [abrt] mc-4.8.3-1.fc17: cpio_super_same: Process /usr/bin/mc was killed by signal 11 (SIGSEGV)
        https://bugzilla.redhat.com/show_bug.cgi?id=829347
  [ 10 ] Bug #824837 - segfault
        https://bugzilla.redhat.com/show_bug.cgi?id=824837
  [ 11 ] Bug #820381 - FTP link do not work as expected
        https://bugzilla.redhat.com/show_bug.cgi?id=820381
  [ 12 ] Bug #809040 - [abrt] mc-4.8.1-2.fc16: strlen: Process /usr/bin/mc was killed by signal 11 (SIGSEGV)
        https://bugzilla.redhat.com/show_bug.cgi?id=809040
  [ 13 ] Bug #803489 - MC seems to block itself on select
        https://bugzilla.redhat.com/show_bug.cgi?id=803489
  [ 14 ] Bug #785706 - [abrt] mc-4.8.1-2.fc16: magazine_chain_pop_head: Process /usr/bin/mc was killed by signal 11 (SIGSEGV)
        https://bugzilla.redhat.com/show_bug.cgi?id=785706
  [ 15 ] Bug #754165 - [abrt] mc-4.8.0-2.fc16: load_prompt: Process /usr/bin/mc was killed by signal 11 (SIGSEGV)
        https://bugzilla.redhat.com/show_bug.cgi?id=754165
  [ 16 ] Bug #748763 - Cannot change ftp directory
        https://bugzilla.redhat.com/show_bug.cgi?id=748763
  [ 17 ] Bug #532784 - mc don't uses default programs for opening files
        https://bugzilla.redhat.com/show_bug.cgi?id=532784
--------------------------------------------------------------------------------


================================================================================
 nut-2.6.5-3.fc16 (FEDORA-2012-13849)
 Network UPS Tools
--------------------------------------------------------------------------------
Update Information:

- do not forget to restart nut-driver.service in postun
- fixed pthread issue
- no longer requires devel files to run
- fixed pthread issue
- no longer requires devel files to run
--------------------------------------------------------------------------------
ChangeLog:

* Tue Sep 11 2012 Michal Hlavinka <mhlavink@xxxxxxxxxx> - 2.6.5-3
- do not forget to restart nut-driver.service in postun
* Thu Sep 6 2012 Michal Hlavinka <mhlavink@xxxxxxxxxx> - 2.6.5-2
- do not depend on devel files (#838139)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #837472 - nut-driver.service not restarted after package upgrade
        https://bugzilla.redhat.com/show_bug.cgi?id=837472
  [ 2 ] Bug #838139 - nut relies on presence of /lib64/libusb.so for communication with USB-connected UPS
        https://bugzilla.redhat.com/show_bug.cgi?id=838139
--------------------------------------------------------------------------------


================================================================================
 perl-5.14.2-200.fc16 (FEDORA-2012-13845)
 Practical Extraction and Report Language
--------------------------------------------------------------------------------
Update Information:

This update fixes $@ value after "do" statement, syscall() return value on 64-bit platforms, matching starting byte in non-UTF-8 mode, and freeing hash entries on delete.
Remove useless perl-devel dependency from perl-Test-Harness.
Move App::Cpan from perl-Test-Harness to perl-CPAN.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Sep 11 2012 Petr Pisar <ppisar@xxxxxxxxxx> - 4:5.14.2-200
- Clear $@ before `do' I/O error (bug #834226)
- Do not truncate syscall() return value to 32 bits (bug #838551)
- Match starting byte in non-UTF-8 mode (bug #801739)
- Free hash entries before values on delete (bug #771303)
* Wed Sep 5 2012 Petr Pisar <ppisar@xxxxxxxxxx> - 4:5.14.2-199
- Remove perl-devel dependency from perl-Test-Harness and perl-Test-Simple
- Move App::Cpan from perl-Test-Harness to perl-CPAN (bug #854577)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #834226 - `do' does not clean $@ on success sometimes
        https://bugzilla.redhat.com/show_bug.cgi?id=834226
  [ 2 ] Bug #838551 - syscall() truncates return value to 32 bits
        https://bugzilla.redhat.com/show_bug.cgi?id=838551
  [ 3 ] Bug #801739 - Regression with /i, latin1 chars
        https://bugzilla.redhat.com/show_bug.cgi?id=801739
  [ 4 ] Bug #771303 - Perl crashes on double free in void context when deleting hash entry that destroys value before
        https://bugzilla.redhat.com/show_bug.cgi?id=771303
  [ 5 ] Bug #854577 - APP::Cpan bundled with perl-Test-Harness
        https://bugzilla.redhat.com/show_bug.cgi?id=854577
--------------------------------------------------------------------------------


================================================================================
 pki-core-9.0.23-1.fc16 (FEDORA-2012-13823)
 Certificate System - PKI Core Components
--------------------------------------------------------------------------------
Update Information:

Bugzilla Bug #852855 - rhcs81 - remove unexpected anonymous binds to internal db in cert status thread
--------------------------------------------------------------------------------
ChangeLog:

* Fri Sep 7 2012 Matthew Harmsen <mharmsen@xxxxxxxxxx> 9.0.23-1
- TRAC Ticket #301 - Need to modify init scripts to verify needed symlinks
  in an instance (support for non-default instance names) (mharmsen)
- Bugzilla Bug #852855 - rhcs81 - remove unexpected anonymous binds to
  internal db in cert status thread. (jmagne)
* Wed Aug 22 2012 Ade Lee <alee@xxxxxxxxxx> 9.0.22-1
- Reverted selinux changes that broke f16 selinux policy.
- Reapplied those changes as a modified patch to f17 build.
* Fri Jul 20 2012 Ade Lee <alee@xxxxxxxxxx> 9.0.21-1
- Bugzilla Bug #841996 - latest selinux policy fix breaks dogtag
--------------------------------------------------------------------------------


================================================================================
 python-qpid-0.18-1.fc16 (FEDORA-2012-13850)
 Python client library for AMQP
--------------------------------------------------------------------------------
Update Information:

Rebased on Qpid 0.18.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Sep 11 2012 Darryl L. Pierce <dpierce@xxxxxxxxxx> - 0.18-1
- Rebased on Qpid 0.18 release.
--------------------------------------------------------------------------------