The following Fedora 16 Security updates need testing:

 Age  URL
   6  https://admin.fedoraproject.org/updates/FEDORA-2013-0110/tcl-snack-2.2.10-17.fc16
  28  https://admin.fedoraproject.org/updates/FEDORA-2012-20157/libproxy-0.4.11-1.fc16
  28  https://admin.fedoraproject.org/updates/FEDORA-2012-20156/389-ds-base-1.2.10.24-1.fc16
 109  https://admin.fedoraproject.org/updates/FEDORA-2012-14452/bacula-5.0.3-33.fc16
   0  https://admin.fedoraproject.org/updates/FEDORA-2013-0468/proftpd-1.3.4b-4.fc16
  28  https://admin.fedoraproject.org/updates/FEDORA-2012-20236/rssh-2.3.4-1.fc16
 187  https://admin.fedoraproject.org/updates/FEDORA-2012-10314/revelation-0.4.14-1.fc16
 107  https://admin.fedoraproject.org/updates/FEDORA-2012-14654/tor-0.2.2.39-1600.fc16
   4  https://admin.fedoraproject.org/updates/FEDORA-2013-0225/pl-5.10.2-9.fc16
   4  https://admin.fedoraproject.org/updates/FEDORA-2013-0244/rubygem-activerecord-3.0.10-4.fc16
   0  https://admin.fedoraproject.org/updates/FEDORA-2013-0477/gnupg-1.4.13-2.fc16
   0  https://admin.fedoraproject.org/updates/FEDORA-2012-19347/cups-1.5.4-12.fc16
   4  https://admin.fedoraproject.org/updates/FEDORA-2013-0222/gnupg2-2.0.19-7.fc16
  70  https://admin.fedoraproject.org/updates/FEDORA-2012-17291/thunderbird-16.0.2-1.fc16
   4  https://admin.fedoraproject.org/updates/FEDORA-2013-0261/nss-3.14.1-3.fc16
   4  https://admin.fedoraproject.org/updates/FEDORA-2013-0269/drupal7-context-3.0-0.3.beta6.fc16
   7  https://admin.fedoraproject.org/updates/FEDORA-2013-0061/php-ZendFramework-1.12.1-1.fc16
   0  https://admin.fedoraproject.org/updates/FEDORA-2013-0270/qt-4.8.4-6.fc16

The following Fedora 16 Critical Path updates have yet to be approved:

 Age  URL
   0  https://admin.fedoraproject.org/updates/FEDORA-2013-0477/gnupg-1.4.13-2.fc16
   4  https://admin.fedoraproject.org/updates/FEDORA-2013-0230/selinux-policy-3.10.0-98.fc16
   0  https://admin.fedoraproject.org/updates/FEDORA-2013-0270/qt-4.8.4-6.fc16
   4  https://admin.fedoraproject.org/updates/FEDORA-2013-0263/qtwebkit-2.2.2-5.fc16
   4  https://admin.fedoraproject.org/updates/FEDORA-2013-0261/nss-3.14.1-3.fc16
   4  https://admin.fedoraproject.org/updates/FEDORA-2013-0222/gnupg2-2.0.19-7.fc16
   4  https://admin.fedoraproject.org/updates/FEDORA-2013-0238/mysql-5.5.29-1.fc16
  12  https://admin.fedoraproject.org/updates/FEDORA-2012-20795/nss-3.14.1-2.fc16,nss-softokn-3.14.1-3.fc16,nss-util-3.14.1-1.fc16,nspr-4.9.4-1.fc16

The following builds have been pushed to Fedora 16 updates-testing

    WindowMaker-0.95.4-2.fc16
    Xnee-3.14-1.fc16
    cups-1.5.4-12.fc16
    darktable-1.1.1-2.fc16
    gnupg-1.4.13-2.fc16
    googlecl-0.9.14-1.fc16
    mkproject-0.4.6-3.fc16
    proftpd-1.3.4b-4.fc16
    qt-4.8.4-6.fc16
    rednotebook-1.6.5-1.fc16
    slrn-0.9.9p1-5.fc16
    yap-6.2.0-7.fc16

Details about builds:

================================================================================
 WindowMaker-0.95.4-2.fc16 (FEDORA-2013-0480)
 A fast, feature rich Window Manager
--------------------------------------------------------------------------------
Update Information:

New upstream version.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Jan 7 2013 Andreas Bierfert <andreas.bierfert[AT]lowlatency.de> - 0.95.4-2
- fix incorrect fsf address
- submit extra package for review so this is not updated each time we update windowmaker
* Mon Jan 7 2013 Andreas Bierfert <andreas.bierfert[AT]lowlatency.de> - 0.95.4-1
- version upgrade
- readd windowmaker extra stuff
* Mon Jan 7 2013 Adam Tkac <atkac redhat com> - 0.95.3-4
- rebuild against new libjpeg
* Wed Jul 18 2012 Fedora Release Engineering <rel-eng@xxxxxxxxxxxxxxxxxxxxxxx> - 0.95.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
--------------------------------------------------------------------------------

================================================================================
 Xnee-3.14-1.fc16 (FEDORA-2013-0469)
 X11 environment recorder
--------------------------------------------------------------------------------
Update Information:

Update to 3.14
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jan 8 2013 Matthieu Saulnier <fantom@xxxxxxxxxxxxxxxxx> - 3.14-1
- Update to 3.14
--------------------------------------------------------------------------------

================================================================================
 cups-1.5.4-12.fc16 (FEDORA-2012-19347)
 Common Unix Printing System
--------------------------------------------------------------------------------
Update Information:

This update addresses two security issues:

* CVE-2012-5519 (privilege escalation for users of the CUPS SystemGroup group or via polkit) is fixed by moving certain configuration keywords into a separate file, cups-files.conf, which cannot be modified by cupsd.
* CVE-2012-6094 (configuration issue with IPv4 vs IPv6) has been fixed by dropping support for systemd socket activation via IP sockets.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Jan 4 2013 Tim Waugh <twaugh@xxxxxxxxxx> 1:1.5.4-12
- Avoid misleading error message when configuration cannot be read.
- Don't enable IP-based systemd socket activation by default (bug #842365, bug #891945, CVE-2012-6094).
* Thu Dec 6 2012 Tim Waugh <twaugh@xxxxxxxxxx> 1:1.5.4-11
- Additional fix relating to CVE-2012-5519 to avoid misleading error message about actions to take to enable file device URIs.
* Tue Dec 4 2012 Tim Waugh <twaugh@xxxxxxxxxx> 1:1.5.4-10
- Small error handling improvements in the configuration migration script.
* Mon Dec 3 2012 Tim Waugh <twaugh@xxxxxxxxxx> 1:1.5.4-9
- Applied additional upstream patch for CVE-2012-5519 so that the RemoteRoot keyword is recognised in the correct configuration file.
* Mon Dec 3 2012 Tim Waugh <twaugh@xxxxxxxxxx> 1:1.5.4-8
- Fixed patch for CVE-2012-5519 so that LogFilePerm and LPDConfigFile are recognised keywords for cups-files.conf (bug #882379).
* Wed Nov 28 2012 Tim Waugh <twaugh@xxxxxxxxxx> 1:1.5.4-7
- Fixed paths in config migration %post script.
- Set default cups-files.conf filename.
* Mon Nov 26 2012 Tim Waugh <twaugh@xxxxxxxxxx> 1:1.5.4-6
- Apply upstream fix for CVE-2012-5519 (STR #4223, bug #875898). Migrate configuration keywords as needed.
* Mon Oct 22 2012 Jiri Popelka <jpopelka@xxxxxxxxxx> 1:1.5.4-5
- Add quirk rule for Xerox Phaser 3124 (#867392)
* Mon Oct 1 2012 Jiri Popelka <jpopelka@xxxxxxxxxx> 1:1.5.4-4
- improved usblp-quirks.patch (bug #847923, STR #4191)
* Thu Sep 20 2012 Tim Waugh <twaugh@xxxxxxxxxx> 1:1.5.4-3
- The cups-libs subpackage contains code distributed under the zlib license (md5.c).
* Thu Aug 23 2012 Jiri Popelka <jpopelka@xxxxxxxxxx> 1:1.5.4-2
- quirk handler for port reset done by new USB backend (bug #847923, STR #4155)
* Thu Jul 26 2012 Jiri Popelka <jpopelka@xxxxxxxxxx> 1:1.5.4-1
- 1.5.4
* Mon May 28 2012 Jiri Popelka <jpopelka@xxxxxxxxxx> 1:1.5.3-2
- Buildrequire libusb1 (STR #3477)
* Tue May 15 2012 Jiri Popelka <jpopelka@xxxxxxxxxx> 1:1.5.3-1
- 1.5.3
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #875898 - CVE-2012-5519 cups: privilege escalation for users of the CUPS SystemGroup group
        https://bugzilla.redhat.com/show_bug.cgi?id=875898
  [ 2 ] Bug #891942 - CVE-2012-6094 cups: 'Listen localhost:631' option not honoured correctly on IPv6-enabled systems when systemd used for CUPS socket activation
        https://bugzilla.redhat.com/show_bug.cgi?id=891942
--------------------------------------------------------------------------------

================================================================================
 darktable-1.1.1-2.fc16 (FEDORA-2013-0454)
 Utility to organize and develop raw images
--------------------------------------------------------------------------------
Update Information:

adding map mode
--------------------------------------------------------------------------------
ChangeLog:

* Sun Jan 6 2013 Edouard Bourguignon <madko@xxxxxxxxxxx> - 1.1.1-2
- Add map mode
--------------------------------------------------------------------------------

================================================================================
 gnupg-1.4.13-2.fc16 (FEDORA-2013-0477)
 A GNU utility for secure communication and data storage
--------------------------------------------------------------------------------
Update Information:

fix build on big endian arches, IDEA was buggy

New upstream with CVE fix.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Jan 7 2013 Dan Horák <dan[at]danny.cz> 1.4.13-2
- fix build on big-endian arches (gnupg bug #1461)
* Wed Jan 2 2013 Brian C. Lane <bcl@xxxxxxxxxx> 1.4.13-1
- New upstream v1.4.13 fixes for CVE-2012-6085 (#891142)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #891142 - CVE-2012-6085 GnuPG: read_block() corrupt key input validation
        https://bugzilla.redhat.com/show_bug.cgi?id=891142
--------------------------------------------------------------------------------

================================================================================
 googlecl-0.9.14-1.fc16 (FEDORA-2013-0475)
 Command line tools for the Google Data APIs
--------------------------------------------------------------------------------
Update Information:

* new upstream bugfix release 0.9.14
--------------------------------------------------------------------------------
ChangeLog:

* Sun Jan 6 2013 Christian Krause <chkr@xxxxxxxxxxxxxxxxx> - 0.9.14-1
- New upstream release, see http://code.google.com/p/googlecl/source/browse/trunk/changelog (BZ 890972)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #890972 - googlecl-0.9.14 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=890972
--------------------------------------------------------------------------------

================================================================================
 mkproject-0.4.6-3.fc16 (FEDORA-2013-0463)
 Make project skeletons
--------------------------------------------------------------------------------
Update Information:

New package for mkproject, which is a command that makes project skeletons.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #890733 - Review Request: mkproject - make project skeletons
        https://bugzilla.redhat.com/show_bug.cgi?id=890733
--------------------------------------------------------------------------------

================================================================================
 proftpd-1.3.4b-4.fc16 (FEDORA-2013-0468)
 Flexible, stable and highly-configurable FTP server
--------------------------------------------------------------------------------
Update Information:

Jann Horn reported that there is a possible race condition in the handling of the MKD/XMKD FTP commands, when the UserOwner directive is involved, and the attacker is on the same physical machine as a running proftpd. This race applies to mod_sftp and the handling of the MKDIR SFTP request as well.

Note that using the DefaultRoot directive to restrict sessions mitigates this attack, since the symlinks created by the local attacker will point outside of the chroot(2) area within the FTP session, and thus the ownership change will fail. The default configuration in Fedora applies the DefaultRoot directive to all users except "adm".

The upstream reference for this issue is:
http://bugs.proftpd.org/show_bug.cgi?id=3841

This update includes upstream's backport to proftpd 1.3.4 of the fix for this issue.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Jan 7 2013 Paul Howarth <paul@xxxxxxxxxxxx> 1.3.4b-4
- Fix possible symlink race when applying UserOwner to newly created directory (CVE-2012-6095, #892715, http://bugs.proftpd.org/show_bug.cgi?id=3841)
* Sat Sep 22 2012 Remi Collet <remi@xxxxxxxxxxxxxxxxx> 1.3.4b-3
- Rebuild against libmemcached.so.11 without SASL
* Thu Aug 30 2012 Paul Howarth <paul@xxxxxxxxxxxx> 1.3.4b-2
- Add support for systemd presets in Fedora 18+ (#850281)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #892715 - CVE-2012-6095 proftpd: Symlink race condition when applying UserOwner to a newly (ProFTPD) created directory
        https://bugzilla.redhat.com/show_bug.cgi?id=892715
--------------------------------------------------------------------------------

================================================================================
 qt-4.8.4-6.fc16 (FEDORA-2013-0270)
 Qt toolkit
--------------------------------------------------------------------------------
Update Information:

This build fixes security issues:

* QSslSocket may report incorrect errors when certificate verification fails. For more information: http://lists.qt-project.org/pipermail/announce/2013-January/000020.html
* blacklists unauthorized SSL certificates by Türktrust. For more information: http://lists.qt-project.org/pipermail/announce/2013-January/000021.html

This build also produces a new qt-designer-plugin-webkit subpackage containing QtWebKit designer plugin.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Jan 7 2013 Rex Dieter <rdieter@xxxxxxxxxxxxxxxxx> 4.8.4-6
- blacklist unauthorized SSL certificates by Türktrust
* Fri Jan 4 2013 Rex Dieter <rdieter@xxxxxxxxxxxxxxxxx> 1:4.8.4-5
- QGtkStyle was unable to detect the current GTK+ theme (#702493, QTBUG-5545))
* Fri Jan 4 2013 Rex Dieter <rdieter@xxxxxxxxxxxxxxxxx> 1:4.8.4-4
- QSslSocket may report incorrect errors when certificate verification fails
* Thu Jan 3 2013 Rex Dieter <rdieter@xxxxxxxxxxxxxxxxx> 1:4.8.4-3
- -x11: %exclude %{_qt4_plugindir}/designer/libqwebview.so
* Sun Dec 16 2012 Rex Dieter <rdieter@xxxxxxxxxxxxxxxxx> 1:4.8.4-2
- -designer-plugin-webkit subpkg (#887501)
- fix/prune/changelog
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #891955 - CVE-2012-6093 qt: QSslSocket might report inappropriate errors when certificate verification fails
        https://bugzilla.redhat.com/show_bug.cgi?id=891955
--------------------------------------------------------------------------------

================================================================================
 rednotebook-1.6.5-1.fc16 (FEDORA-2013-0494)
 A desktop diary
--------------------------------------------------------------------------------
Update Information:

* Sun Jan 06 2013 Fabian Affolter <mail@xxxxxxxxxxxxxxxxxx> - 1.6.5-1
- Updated to new upstream version 1.6.5
--------------------------------------------------------------------------------
ChangeLog:

* Sun Jan 6 2013 Fabian Affolter <mail@xxxxxxxxxxxxxxxxxx> - 1.6.5-1
- Updated to new upstream version 1.6.5
* Tue Dec 25 2012 Fabian Affolter <mail@xxxxxxxxxxxxxxxxxx> - 1.6.4-1
- Updated to new upstream version 1.6.4
* Sat Dec 8 2012 Fabian Affolter <mail@xxxxxxxxxxxxxxxxxx> - 1.6.3-1
- Updated to new upstream version 1.6.3
--------------------------------------------------------------------------------

================================================================================
 slrn-0.9.9p1-5.fc16 (FEDORA-2013-0461)
 A threaded Internet news reader
--------------------------------------------------------------------------------
Update Information:

Fix crash when editing line.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jan 8 2013 Petr Pisar <ppisar@xxxxxxxxxx> - 0.9.9p1-5
- Fix NULL pointer dereference in rline_update call-backs (bug #847706)
* Wed Feb 9 2011 Fedora Release Engineering <rel-eng@xxxxxxxxxxxxxxxxxxxxxxx> - 0.9.9p1-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #847706 - [abrt] slrn-0.9.9p1-5.fc17: __wmemcmp_ssse3: Process /usr/bin/slrn was killed by signal 11 (SIGSEGV)
        https://bugzilla.redhat.com/show_bug.cgi?id=847706
--------------------------------------------------------------------------------

================================================================================
 yap-6.2.0-7.fc16 (FEDORA-2013-0450)
 High-performance Prolog Compiler
--------------------------------------------------------------------------------
Update Information:

Fix off-by-one error when initializing yap_flags.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Jan 7 2013 Petr Pisar <ppisar@xxxxxxxxxx> - 6.2.0-7
- Fix off-by-one error when initializing yap_flags
--------------------------------------------------------------------------------