The following Fedora 18 Security updates need testing:
 Age  URL
 229  https://admin.fedoraproject.org/updates/FEDORA-2013-6117/eucalyptus-3.2.2-1.fc18
  75  https://admin.fedoraproject.org/updates/FEDORA-2013-17195/spice-gtk-0.18-3.fc18
  72  https://admin.fedoraproject.org/updates/FEDORA-2013-17431/thunderbird-17.0.9-1.fc18
  70  https://admin.fedoraproject.org/updates/FEDORA-2013-17635/wireshark-1.10.2-4.fc18
  68  https://admin.fedoraproject.org/updates/FEDORA-2013-17853/davfs2-1.4.7-3.fc18
  11  https://admin.fedoraproject.org/updates/FEDORA-2013-21875/389-ds-base-1.3.0.9-1.fc18
   6  https://admin.fedoraproject.org/updates/FEDORA-2013-22312/xen-4.2.3-10.fc18
   6  https://admin.fedoraproject.org/updates/FEDORA-2013-22315/ruby-1.9.3.484-32.fc18
   6  https://admin.fedoraproject.org/updates/FEDORA-2013-22313/subversion-1.7.14-1.fc18
   4  https://admin.fedoraproject.org/updates/FEDORA-2013-22422/php-symfony2-Security-2.2.10-1.fc18,php-symfony2-Yaml-2.2.10-1.fc18,php-symfony2-Translation-2.2.10-1.fc18,php-symfony2-Finder-2.2.10-1.fc18,php-symfony2-Routing-2.2.10-1.fc18,php-symfony2-Console-2.2.10-1.fc18,php-symfony2-HttpFoundation-2.2.10-1.fc18,php-symfony2-Config-2.2.10-1.fc18,php-symfony2-Validator-2.2.10-1.fc18,php-symfony2-ClassLoader-2.2.10-1.fc18,php-symfony2-PropertyAccess-2.2.10-1.fc18,php-symfony2-Filesystem-2.2.10-1.fc18,php-symfony2-Templating-2.2.10-1.fc18,php-symfony2-DependencyInjection-2.2.10-1.fc18,php-symfony2-HttpKernel-2.2.10-1.fc18,php-symfony2-BrowserKit-2.2.10-1.fc18,php-symfony2-DomCrawler-2.2.10-1.fc18,php-symfony2-EventDispatcher-2.2.10-1.fc18,php-symfony2-Form-2.2.10-1.fc18,php-symfony2-CssSelector-2.2.10-1.fc18,php-symfony2-OptionsResolver-2.2.10-1.fc18,php-symfony2-Process-2.2.10-1.fc18,php-symfony2-Serializer-2.2.10-1.fc18,php-symfony2-Locale-2.2.10-1.fc18
   4  https://admin.fedoraproject.org/updates/FEDORA-2013-22456/seamonkey-2.22.1-1.fc18
   4  https://admin.fedoraproject.org/updates/FEDORA-2013-22497/ganglia-3.6.0-3.fc18
   2  https://admin.fedoraproject.org/updates/FEDORA-2013-22607/nbd-3.5-1.fc18
   2  https://admin.fedoraproject.org/updates/FEDORA-2013-22606/maradns-2.0.07d-1.fc18
   1  https://admin.fedoraproject.org/updates/FEDORA-2013-22686/tuxcut-5.0-15.fc18
   1  https://admin.fedoraproject.org/updates/FEDORA-2013-22695/kernel-3.11.10-100.fc18
   0  https://admin.fedoraproject.org/updates/FEDORA-2013-22758/lynis-1.3.6-1.fc18
   0  https://admin.fedoraproject.org/updates/FEDORA-2013-22771/gimp-2.8.10-4.fc18
   0  https://admin.fedoraproject.org/updates/FEDORA-2013-22786/mod_nss-1.0.8-27.fc18

The following Fedora 18 Critical Path updates have yet to be approved:
 Age  URL
 298  https://admin.fedoraproject.org/updates/FEDORA-2013-2192/nautilus-3.6.3-5.fc18
  11  https://admin.fedoraproject.org/updates/FEDORA-2013-21825/gvfs-1.14.2-5.fc18
  11  https://admin.fedoraproject.org/updates/FEDORA-2013-21847/sane-backends-1.0.24-7.fc18
   8  https://admin.fedoraproject.org/updates/FEDORA-2013-22215/taglib-1.9.1-2.fc18
   8  https://admin.fedoraproject.org/updates/FEDORA-2013-22253/kde-settings-4.9-22.fc18
   6  https://admin.fedoraproject.org/updates/FEDORA-2013-22299/fedora-bookmarks-15-4.fc18
   4  https://admin.fedoraproject.org/updates/FEDORA-2013-22457/libbluray-0.4.0-2.fc18
   1  https://admin.fedoraproject.org/updates/FEDORA-2013-22690/libfm-1.1.3-1.fc18
   1  https://admin.fedoraproject.org/updates/FEDORA-2013-22695/kernel-3.11.10-100.fc18

The following builds have been pushed to Fedora 18 updates-testing

    dropbear-2013.62-1.fc18
    gimp-2.8.10-4.fc18
    lynis-1.3.6-1.fc18
    mod_nss-1.0.8-27.fc18
    pythia8-8.1.80-1.fc18
    qmidiarp-0.5.3-1.fc18
    root-5.34.13-1.fc18
    xrootd-3.3.5-1.fc18

Details about builds:

================================================================================
 dropbear-2013.62-1.fc18 (FEDORA-2013-22788)
 A lightweight SSH server and client
--------------------------------------------------------------------------------
Update Information:

2013.62 - Tuesday 3 December 2013

- Disable "interactive" QoS connection options when a
  connection doesn't have a PTY (eg scp, rsync). Thanks to Catalin Patulea
  for the patch.
- Log when a hostkey is generated with -R, fix some bugs in handling server
  hostkey commandline options
- Fix crash in Dropbearconvert and 521 bit key, reported by NiLuJe
- Update config.guess and config.sub again

2013.61test - Thursday 14 November 2013

- ECC (elliptic curve) support. Supports ECDSA hostkeys (requires new keys to
  be generated) and ECDH for setting up encryption keys (no intervention
  required). This is significantly faster.
- curve25519-sha256@xxxxxxxxxx support for setting up encryption keys. This is
  another elliptic curve mode with less potential of NSA interference in
  algorithm parameters. curve25519-donna code thanks to Adam Langley
- -R option to automatically generate hostkeys. This is recommended for
  embedded platforms since it allows the system random number device
  /dev/urandom a longer startup time to generate a secure seed before the
  hostkey is required.
- Compile fixes for old vendor compilers like Tru64 from Daniel Richard G.
- Make authorized_keys handling more robust, don't exit encountering
  malformed lines. Thanks to Lorin Hochstein and Mark Stillwell

2013.60 - Wednesday 16 October 2013

- Fix "make install" so that it doesn't always install to /bin and /sbin
- Fix "make install MULTI=1", installing manpages failed
- Fix "make install" when scp is included since it has no manpage
- Make --disable-bundled-libtom work
--------------------------------------------------------------------------------
ChangeLog:

* Wed Dec 4 2013 Christopher Meng <rpm@xxxxxxxx> - 2013.62-1
- Update to 2013.62
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1020251 - dropbear-2013.60 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1020251
--------------------------------------------------------------------------------

================================================================================
 gimp-2.8.10-4.fc18 (FEDORA-2013-22771)
 GNU Image Manipulation Program
--------------------------------------------------------------------------------
Update Information:

Overview of Changes from GIMP 2.8.8 to GIMP 2.8.10
==================================================

GUI:
- Indicate if a file was exported in the Quit dialog
- Add shortcuts and hint labels to the close and quit dialogs that make
  closing and quitting easier and more consistent
- Rename the File->Export menu labels to match Save/Save as
- Fix keyboard shortcuts on OSX Mavericks
- Don't open lots of progress popups when opening many files
- Correctly restore the hidden state of docks in single window mode

Libgimp:
- Fix exporting an image consisting of a single layer group
- Don't attempt to pick transparent colors

Plug-ins:
- Fix crash in LCMS plugin if RGB profile was missing

General:
- Bug fixes
- Translation updates

Additionally, this update fixes buffer overflows in the XWD loader.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Dec 4 2013 Nils Philippsen <nils@xxxxxxxxxx> - 2:2.8.10-4
- avoid buffer overflows in file-xwd plug-in (CVE-2013-1913, CVE-2013-1978)
* Fri Nov 29 2013 Nils Philippsen <nils@xxxxxxxxxx> - 2:2.8.10-1
- version 2.8.10
* Tue Nov 26 2013 Nils Philippsen <nils@xxxxxxxxxx> - 2:2.8.10-1
- use grep -E instead of egrep
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1037720 - CVE-2013-1913 CVE-2013-1978 gimp: various flaws [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1037720
--------------------------------------------------------------------------------

================================================================================
 lynis-1.3.6-1.fc18 (FEDORA-2013-22758)
 Security and system auditing tool
--------------------------------------------------------------------------------
Update Information:

* 1.3.6 (2013-12-03)

New:
- Support for the dntpd time daemon
- New Apache test for modules [HTTP-6632]
- Apache test for mod_evasive [HTTP-6640]
- Apache test for mod_qos [HTTP-6641]
- Apache test for mod_spamhaus [HTTP-6642]
- Apache test for ModSecurity [HTTP-6643]
- Check for installed package audit tool [PKGS-7398]
- Added initial support for new pkgng and related tools [PKGS-7381]
- Check for ssh-keyscan binary
- ZFS support for FreeBSD [FILE-6330]
- Test for
  passwordless accounts [AUTH-9283]
- Initial OS support for DragonFly BSD
- Initial OS support for TrueOS (FreeBSD based)
- Initial OS support for elementary OS (Luna)
- GetHostID for DragonFly, FreeBSD, NetBSD and OpenBSD
- Check for DHCP client [NETW-3030]
- Initial support for OSSEC (system integrity) [FINT-4328]
- New parameter --log-file to adjust log file location
- New function IsRunning() to check status of processes
- New function RealFilename() to determine file name
- New function CheckItem() for parsing files
- New function ReportManual() and ReportException() to simplify code
- New function DirectoryExists() to check existence of a directory
- Support for dntpd [TIME-3104]

Changes:
- Extended pf checks for FreeBSD/OpenBSD and others [FIRE-4518]
- Extended test to gather listening network ports for Linux [NETW-3012]
- Adjusted lsof statement to ignore warnings (e.g. fuse) [LOGG-2180] [LOGG-2190]
- Added suggestion for discovered shells on FreeBSD [AUTH-9218]
- Extended core dump test with additional details [KRNL-5820]
- Properly display suggestion if portaudit is not installed [PKGS-7382]
- Ignore message if no packages are installed (pkg_info) [PKGS-7320]
- Also try using apt-check on Debian systems [PKGS-7392]
- Adjusted logging for RPM binary on systems not using it [PKGS-7308]
- Extended search in cron directories for rdate/ntpdate [TIME-3104]
- Adjusted PHP check to find ini files [PHP-2211]
- Skip Apache test for NetBSD [HTTP-6622]
- Skip test http version check for NetBSD [HTTP-6624]
- Additional check to suppress sort error [HTTP-6626]
- Improved the way binaries are checked (less disk reads)
- Adjusted ReportWarning() function to skip impact rating
- Improved report on screen by leaving out date/time and type
- Redirect errors while checking for OpenSSL version
- Extended reporting with firewall status and software
- Adjusted naming of some operating systems to make them more consistent
- Extended update check by using host binary if dig is not installed
- Count number of installed binaries/packages and report them
- Report about log rotation tool and status
- Updated man page

Belated update after 4 years.

Update.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Dec 4 2013 Christopher Meng <rpm@xxxxxxxx> - 1.3.6-1
- Update to 1.3.6
* Tue Nov 26 2013 Christopher Meng <rpm@xxxxxxxx> - 1.3.5-1
- Update to 1.3.5
* Sat Aug 3 2013 Fedora Release Engineering <rel-eng@xxxxxxxxxxxxxxxxxxxxxxx> - 1.2.9-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@xxxxxxxxxxxxxxxxxxxxxxx> - 1.2.9-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #469317 - Review request: lynis - Security and system auditing tool
        https://bugzilla.redhat.com/show_bug.cgi?id=469317
  [ 2 ] Bug #1037866 - lynis-1.3.5-1.fc19.noarch: broken permissions
        https://bugzilla.redhat.com/show_bug.cgi?id=1037866
--------------------------------------------------------------------------------

================================================================================
 mod_nss-1.0.8-27.fc18 (FEDORA-2013-22786)
 SSL/TLS module for the Apache HTTP server
--------------------------------------------------------------------------------
Update Information:

A flaw was found in the way NSSVerifyClient was handled when used in both
server / vhost context as well as directory context (specified either via
<Directory> or <Location> directive). If 'NSSVerifyClient none' was set in
the server / vhost context (i.e.
when server is configured to not request or require client certificate
authentication on the initial connection), and client certificate
authentication was expected to be required for a specific directory via
'NSSVerifyClient require' setting, mod_nss failed to properly require
expected certificate authentication. A remote attacker able to connect to the
web server using such mod_nss configuration and without a valid client
certificate could possibly use this flaw to access content of the restricted
directories.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Dec 3 2013 Rob Crittenden <rcritten@xxxxxxxxxx> - 1.0.8-27
- Resolves: CVE-2013-4566
- [mod_nss-nssverifyclient.patch]
- Bugzilla Bug #1037722 - CVE-2013-4566 mod_nss: incorrect handling of
  NSSVerifyClient in directory context [fedora-all]
- Bugzilla Bug #1037761 - mod_nss does not respect `NSSVerifyClient` in
  Directory
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1016832 - CVE-2013-4566 mod_nss: incorrect handling of NSSVerifyClient in directory context
        https://bugzilla.redhat.com/show_bug.cgi?id=1016832
--------------------------------------------------------------------------------

================================================================================
 pythia8-8.1.80-1.fc18 (FEDORA-2013-22790)
 Pythia Event Generator for High Energy Physics
--------------------------------------------------------------------------------
Update Information:

* root 5.34.13
** See http://root.cern.ch/drupal/content/root-version-v5-34-00-patch-release-notes for a list of changes
* xrootd 3.3.5
** See https://github.com/xrootd/xrootd/blob/v3.3.5/docs/ReleaseNotes.txt for a list of changes
* pythia8 8.1.80
** See http://home.thep.lu.se/~torbjorn/pythia81html/UpdateHistory.html (scroll to the bottom) for a list of changes
--------------------------------------------------------------------------------
ChangeLog:

* Wed Oct 30 2013 Mattias Ellert <mattias.ellert@xxxxxxxxxxxx> - 8.1.80-1
- Update to version 8.1.80
- Use full version in soname
* Sun Aug 4 2013 Fedora Release Engineering <rel-eng@xxxxxxxxxxxxxxxxxxxxxxx> - 8.1.76-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
--------------------------------------------------------------------------------

================================================================================
 qmidiarp-0.5.3-1.fc18 (FEDORA-2013-22780)
 An arpeggiator, sequencer and MIDI LFO for ALSA
--------------------------------------------------------------------------------
Update Information:

New Features
  o Random functions for sequencer and LFO steps and arp repeat mode
    (feature request #5 Keith Milner)

Improvements
  o NSM support now handles import/export/clear to facilitate getting
    started (Roy Vegard Ovesen)
  o Tempo is now MIDI-controllable (MIDI-learn)
  o Sequencer transpose slider is now MIDI controllable (MIDI-learn)
    (feature request #7)
  o Sequencer pattern maximum length extended to 32 bars
    (feature request #6)

Fixed Bugs
  o LFO offset jumped back to fixed value when MIDI controlled
    (bug #6 distrozapper)
  o Arp trigger behavior was not practical with chords pressed on keyboard
    (bug #7 Burkhard Ritter)
  o JACK Transport no longer worked when no JT Master tempo was present
    (bug #5 Barney Holmes)
  o Deleting an arp pattern in text window while running caused crash
  o Note lengths were not consistent between alsa and jack backends
  o Note lengths did not account for current tempo
  o Sequencer did not honor "D" button when MIDI controlled
  o Seq note length is now a 16th at half slider scale
--------------------------------------------------------------------------------
ChangeLog:

* Wed Dec 4 2013 Brendan Jones <brendan.jones.it@xxxxxxxxx> 0.5.3-1
- Update to 0.5.3
* Sun Aug 4 2013 Fedora Release Engineering <rel-eng@xxxxxxxxxxxxxxxxxxxxxxx> - 0.5.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
--------------------------------------------------------------------------------

================================================================================
 root-5.34.13-1.fc18 (FEDORA-2013-22790)
 Numerical data analysis framework
--------------------------------------------------------------------------------
Update Information:

* root 5.34.13
** See http://root.cern.ch/drupal/content/root-version-v5-34-00-patch-release-notes for a list of changes
* xrootd 3.3.5
** See https://github.com/xrootd/xrootd/blob/v3.3.5/docs/ReleaseNotes.txt for a list of changes
* pythia8 8.1.80
** See http://home.thep.lu.se/~torbjorn/pythia81html/UpdateHistory.html (scroll to the bottom) for a list of changes
--------------------------------------------------------------------------------
ChangeLog:

* Tue Dec 3 2013 Mattias Ellert <mattias.ellert@xxxxxxxxxxxx> - 5.34.13-1
- Update to 5.34.13
- Remove java-devel build dependency (not needed with Fedora's libhdfs)
- Adapt to pythia8 >= 8.1.80
* Mon Nov 25 2013 Orion Poplawski <orion@xxxxxxxxxxxxx> - 5.34.10-3
- Fix hadoop lib location
* Mon Nov 18 2013 Dave Airlie <airlied@xxxxxxxxxx> - 5.34.10-2
- rebuilt for GLEW 1.10
--------------------------------------------------------------------------------

================================================================================
 xrootd-3.3.5-1.fc18 (FEDORA-2013-22790)
 Extended ROOT file server
--------------------------------------------------------------------------------
Update Information:

* root 5.34.13
** See http://root.cern.ch/drupal/content/root-version-v5-34-00-patch-release-notes for a list of changes
* xrootd 3.3.5
** See https://github.com/xrootd/xrootd/blob/v3.3.5/docs/ReleaseNotes.txt for a list of changes
* pythia8 8.1.80
** See http://home.thep.lu.se/~torbjorn/pythia81html/UpdateHistory.html (scroll to the bottom) for a list of changes
--------------------------------------------------------------------------------
ChangeLog:

* Tue Dec 3 2013 Mattias Ellert <mattias.ellert@xxxxxxxxxxxx> - 1:3.3.5-1
- Update to version 3.3.5
--------------------------------------------------------------------------------