The following Fedora 20 Security updates need testing:
 Age  URL
  57  https://admin.fedoraproject.org/updates/FEDORA-2013-19198/quassel-0.9.1-1.fc20
  49  https://admin.fedoraproject.org/updates/FEDORA-2013-19934/openstack-glance-2013.2-2.fc20
  44  https://admin.fedoraproject.org/updates/FEDORA-2013-19507/openstack-keystone-2013.2-2.fc20
  19  https://admin.fedoraproject.org/updates/FEDORA-2013-22042/varnish-3.0.4-2.fc20
  17  https://admin.fedoraproject.org/updates/FEDORA-2013-22130/chicken-4.8.0.5-1.fc20
  11  https://admin.fedoraproject.org/updates/FEDORA-2013-22575/subversion-1.8.5-2.fc20
   9  https://admin.fedoraproject.org/updates/FEDORA-2013-22713/hdapsd-20090401.20131204git401ca60-1.fc20
   8  https://admin.fedoraproject.org/updates/FEDORA-2013-22827/mingw-openjpeg-1.5.1-5.fc20
   8  https://admin.fedoraproject.org/updates/FEDORA-2013-22809/net-snmp-5.7.2-16.fc20
   7  https://admin.fedoraproject.org/updates/FEDORA-2013-22832/ufraw-0.19.2-10.fc20
   7  https://admin.fedoraproject.org/updates/FEDORA-2013-22854/dcraw-9.19-4.fc20
   5  https://admin.fedoraproject.org/updates/FEDORA-2013-22983/munin-2.0.18-2.fc20
   5  https://admin.fedoraproject.org/updates/FEDORA-2013-22968/munin-2.0.19-1.fc20
   4  https://admin.fedoraproject.org/updates/FEDORA-2013-23034/rubygem-i18n-0.6.4-3.fc20
   3  https://admin.fedoraproject.org/updates/FEDORA-2013-23116/python-swiftclient-1.8.0-1.fc20
   2  https://admin.fedoraproject.org/updates/FEDORA-2013-23177/samba-4.1.3-2.fc20
   2  https://admin.fedoraproject.org/updates/FEDORA-2013-23197/ack-2.12-1.fc20
   2  https://admin.fedoraproject.org/updates/FEDORA-2013-23164/php-5.5.7-1.fc20
   2  https://admin.fedoraproject.org/updates/FEDORA-2013-23192/devscripts-2.13.5-2.fc20
   1  https://admin.fedoraproject.org/updates/FEDORA-2013-23251/xen-4.3.1-6.fc20
   1  https://admin.fedoraproject.org/updates/FEDORA-2013-23260/libgadu-1.12.0-0.2.rc1.fc20
   1  https://admin.fedoraproject.org/updates/FEDORA-2013-23250/libreswan-3.7-1.fc20
   0  https://admin.fedoraproject.org/updates/FEDORA-2013-23339/openttd-1.3.3-1.fc20
   0  https://admin.fedoraproject.org/updates/FEDORA-2013-23361/v8-3.14.5.10-3.fc20


The following Fedora 20 Critical Path updates have yet to be approved:
 Age  URL
  68  https://admin.fedoraproject.org/updates/FEDORA-2013-18447/createrepo-0.9.9-23.fc20
  31  https://admin.fedoraproject.org/updates/FEDORA-2013-21163/libproxy-0.4.11-8.fc20
  12  https://admin.fedoraproject.org/updates/FEDORA-2013-22527/libbluray-0.4.0-2.fc20
   8  https://admin.fedoraproject.org/updates/FEDORA-2013-22805/gnutls-3.1.17-3.fc20
   7  https://admin.fedoraproject.org/updates/FEDORA-2013-22837/opus-1.1-1.fc20
   4  https://admin.fedoraproject.org/updates/FEDORA-2013-23052/iso-codes-3.49-1.fc20
   3  https://admin.fedoraproject.org/updates/FEDORA-2013-23100/sqlite-3.8.2-1.fc20
   3  https://admin.fedoraproject.org/updates/FEDORA-2013-23111/python-setuptools-1.4.2-1.fc20
   3  https://admin.fedoraproject.org/updates/FEDORA-2013-23099/qtwebkit-2.3.3-2.fc20
   2  https://admin.fedoraproject.org/updates/FEDORA-2013-23163/openssh-6.4p1-3.fc20
   2  https://admin.fedoraproject.org/updates/FEDORA-2013-23168/colord-1.1.5-1.fc20
   2  https://admin.fedoraproject.org/updates/FEDORA-2013-23177/samba-4.1.3-2.fc20
   1  https://admin.fedoraproject.org/updates/FEDORA-2013-23234/abrt-2.1.10-1.fc20,libreport-2.1.10-1.fc20,satyr-0.12-1.fc20
   1  https://admin.fedoraproject.org/updates/FEDORA-2013-23240/mash-0.6.02-1.fc20
   1  https://admin.fedoraproject.org/updates/FEDORA-2013-23243/libfm-1.1.4-1.fc20
   0  https://admin.fedoraproject.org/updates/FEDORA-2013-23363/cryptsetup-1.6.3-1.fc20
   0  https://admin.fedoraproject.org/updates/FEDORA-2013-23364/gcc-4.8.2-7.fc20
   0  https://admin.fedoraproject.org/updates/FEDORA-2013-23343/yum-3.4.3-122.fc20
   0  https://admin.fedoraproject.org/updates/FEDORA-2013-23330/yum-utils-1.1.31-19.fc20
   0  https://admin.fedoraproject.org/updates/FEDORA-2013-23326/dracut-034-64.git20131205.fc20.1
   0  https://admin.fedoraproject.org/updates/FEDORA-2013-23359/xorg-x11-drv-synaptics-1.7.1-6.fc20
   0  https://admin.fedoraproject.org/updates/FEDORA-2013-23324/bluez-5.12-2.fc20
   0  https://admin.fedoraproject.org/updates/FEDORA-2013-23322/tar-1.26-30.fc20


The following builds have been pushed to Fedora 20 updates-testing

    certmonger-0.69-1.fc20
    cryptsetup-1.6.3-1.fc20
    gcc-4.8.2-7.fc20
    gimp-separate+-0.5.8-10.fc20
    gssntlmssp-0.2.0-2.fc20
    knot-1.3.4-1.fc20
    opensmtpd-5.4.1p1-1.fc20
    python-moksha-hub-1.2.2-1.fc20
    slic3r-1.0.0-0.2.RC1.fc20
    v8-3.14.5.10-3.fc20

Details about builds:


================================================================================
 certmonger-0.69-1.fc20 (FEDORA-2013-23360)
 Certificate status monitor and PKI enrollment client
--------------------------------------------------------------------------------
Update Information:

This update fixes crashes in the daemon when there are errors reading some of
its data files or errors saving newly-obtained certificates to disk.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Dec  9 2013 Nalin Dahyabhai <nalin@xxxxxxxxxx> 0.69-1
- tweak how we decide whether we're on the master or a minion when we're
  told to use certmaster as a CA
- clean up one of the tests so that it doesn't have to work around internal
  logging producing duplicate messages
- when logging errors while setting up to contact xmlrpc servers, explicitly
  note that the error is client-side
- don't abort() due to incorrect locking when an attempt to save an issued
  certificate to the designated location fails (part of #1032760/#1033333,
  ticket #22)
- when reading an issued certificate from an enrollment helper, ignore
  noise before or after the certificate itself (more of #1032760/1033333,
  ticket #22)
- run subprocesses in a cleaned-up environment (more of #1032760/1033333,
  ticket #22)
- clear the ca-error that we saved when we had an error talking to the CA if we
  subsequently succeed in talking to the CA
- various other static-analysis fixes
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #995022 - certmonger coredumps when certificates cannot be created due to permissions
        https://bugzilla.redhat.com/show_bug.cgi?id=995022
  [ 2 ] Bug #1043017 - [abrt] certmonger-0.67-1.fc19: strcmp: Process /usr/sbin/certmonger was killed by signal 11 (SIGSEGV)
        https://bugzilla.redhat.com/show_bug.cgi?id=1043017
--------------------------------------------------------------------------------


================================================================================
 cryptsetup-1.6.3-1.fc20 (FEDORA-2013-23363)
 A utility for setting up encrypted disks
--------------------------------------------------------------------------------
Update Information:

Update to cryptsetup 1.6.3.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Dec 13 2013 Milan Broz <gmazyland@xxxxxxxxx> - 1.6.3-1
- Update to cryptsetup 1.6.3.
--------------------------------------------------------------------------------


================================================================================
 gcc-4.8.2-7.fc20 (FEDORA-2013-23364)
 Various compilers (C, C++, Objective-C, Java, ...)
--------------------------------------------------------------------------------
Update Information:

This fixes std::nth_element as well as lots of other bugs.
--------------------------------------------------------------------------------
ChangeLog:

* Thu Dec 12 2013 Jakub Jelinek <jakub@xxxxxxxxxx> 4.8.2-7
- update from the 4.8 branch
  - PRs libgomp/59467, rtl-optimization/58295, target/56807,
	testsuite/59442
  - fix LRA coalescing for real (PR middle-end/59470)
* Wed Dec 11 2013 Jakub Jelinek <jakub@xxxxxxxxxx> 4.8.2-6
- temporarily revert PR middle-end/58956 to avoid libstdc++
  miscompilation on i?86 (PR middle-end/59470)
* Mon Dec  9 2013 Jakub Jelinek <jakub@xxxxxxxxxx> 4.8.2-5
- update from the 4.8 branch
  - PRs ada/59382, bootstrap/57683, c++/58162, c++/59031, c++/59032,
	c++/59044, c++/59052, c++/59268, c++/59297, c/59280, c/59351,
	fortran/57445, fortran/58099, fortran/58471, fortran/58771,
	middle-end/58742, middle-end/58941, middle-end/58956,
	middle-end/59011, middle-end/59037, middle-end/59138,
	rtl-optimization/58726, target/50751, target/51244, target/56788,
	target/58854, target/58864, target/59021, target/59088,
	target/59101, target/59153, target/59163, target/59207,
	target/59343, target/59405, tree-optimization/57517,
	tree-optimization/58137, tree-optimization/58143,
	tree-optimization/58653, tree-optimization/58794,
	tree-optimization/59014, tree-optimization/59047,
	tree-optimization/59139, tree-optimization/59164,
	tree-optimization/59288, tree-optimization/59330,
	tree-optimization/59334, tree-optimization/59358,
	tree-optimization/59388
- aarch64 gcj enablement (#1023789)
- look for libgfortran.spec and libitm.spec in %{_lib} rather than lib
  subdirs (#1023789)
* Mon Nov 11 2013 Jakub Jelinek <jakub@xxxxxxxxxx> 4.8.2-4
- update from the 4.8 branch
  - PRs plugins/52872, regression/58985, target/59034
* Wed Nov  6 2013 Jakub Jelinek <jakub@xxxxxxxxxx> 4.8.2-3
- update from the 4.8 branch
  - PRs c++/58282, c++/58979, fortran/58355, fortran/58989, libstdc++/58839,
	libstdc++/58912, libstdc++/58952, lto/57084, middle-end/58789,
	rtl-optimization/58079, rtl-optimization/58831, rtl/58542,
	target/58690, target/58779, target/58792, target/58838,
	tree-optimization/57488, tree-optimization/58805,
	tree-optimization/58984
- fix ICEs in get_bit_range (PR middle-end/58970)
- fix ICEs in RTL loop unswitching (PR rtl-optimization/58997)
* Sun Oct 20 2013 Jakub Jelinek <jakub@xxxxxxxxxx> 4.8.2-2
- update from the 4.8 branch
  - PRs c++/58596, libstdc++/58800
- power8 TImode fix (#1014053, PR target/58673)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1025072 - libstdc++/58800 (the bug, not the fix) just got backported to Fedora 19 and 20
        https://bugzilla.redhat.com/show_bug.cgi?id=1025072
--------------------------------------------------------------------------------


================================================================================
 gimp-separate+-0.5.8-10.fc20 (FEDORA-2013-23368)
 Rudimentary CMYK support for The GIMP
--------------------------------------------------------------------------------
Update Information:

New package containing rudimentary CMYK support for The GIMP.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1038024 - Wrong directory for gimp-separate+
        https://bugzilla.redhat.com/show_bug.cgi?id=1038024
  [ 2 ] Bug #34 - wrong permissions of /usr/doc/gimp-manual*
        https://bugzilla.redhat.com/show_bug.cgi?id=34
  [ 3 ] Bug #913289 - Review Request: gimp-separate+ - A plug-in providing rudimentary CMYK support for The GIMP
        https://bugzilla.redhat.com/show_bug.cgi?id=913289
  [ 4 ] Bug #35 - Bugs in /etc/rc.d/init.d/gated script
        https://bugzilla.redhat.com/show_bug.cgi?id=35
--------------------------------------------------------------------------------


================================================================================
 gssntlmssp-0.2.0-2.fc20 (FEDORA-2013-23367)
 GSSAPI NTLMSSP Mechanism
--------------------------------------------------------------------------------
Update Information:

Memleak fixes from upstream
--------------------------------------------------------------------------------
ChangeLog:

* Fri Dec 13 2013 Simo Sorce <simo@xxxxxxxxx> - 0.2.0-2
- Backport patches to fix memory leaks
* Wed Dec  4 2013 Simo Sorce <simo@xxxxxxxxx> - 0.2.0-1
- Backport patch that fixes failures with gss_set_neg_mechs() calls.
--------------------------------------------------------------------------------


================================================================================
 knot-1.3.4-1.fc20 (FEDORA-2013-23377)
 An authoritative DNS daemon
--------------------------------------------------------------------------------
Update Information:

update to 1.3.4
- improved zone loading error messages
- correct control socket permissions
- improved log syntax documentation
- fixed wrong assertions in DDNS prerequisites checking
- fixed processing of some malformed DNS packets
- fixed notify messages being ignored in some cases
- fix crash in particular additionals processing
- race condition in event cancelation
- journal corruption after failed transactions
--------------------------------------------------------------------------------
ChangeLog:

* Fri Dec 13 2013 Jan Vcelak <jvcelak@xxxxxxxxxxxxxxxxx> 1.3.4-1
- update to 1.3.4
  + improved zone loading error messages
  + correct control socket permissions
  + improved log syntax documentation
  + fixed wrong assertions in DDNS prerequisites checking
  + fixed processing of some malformed DNS packets
  + fixed notify messages being ignored in some cases
  + fix crash in particular additionals processing
  + race condition in event cancelation
  + journal corruption after failed transactions
--------------------------------------------------------------------------------


================================================================================
 opensmtpd-5.4.1p1-1.fc20 (FEDORA-2013-23369)
 Free implementation of the server-side SMTP protocol as defined by RFC 5321
--------------------------------------------------------------------------------
Update Information:

OpenSMTPD package initial submission
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1021719 - Review Request: opensmtpd - Minimalistic but powerful smtp server
        https://bugzilla.redhat.com/show_bug.cgi?id=1021719
--------------------------------------------------------------------------------


================================================================================
 python-moksha-hub-1.2.2-1.fc20 (FEDORA-2013-23376)
 Hub components for Moksha
--------------------------------------------------------------------------------
Update Information:

Fix memory leak in the websocket server.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Dec 13 2013 Ralph Bean <rbean@xxxxxxxxxx> - 1.2.2-1
- Latest upstream fixing a memory leak in the websocket server.
--------------------------------------------------------------------------------


================================================================================
 slic3r-1.0.0-0.2.RC1.fc20 (FEDORA-2013-23371)
 G-code generator for 3D printers (RepRap, Makerbot, Ultimaker etc.)
--------------------------------------------------------------------------------
Update Information:

New release of Slic3r with plenty new features.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Dec 13 2013 Miro Hrončok <mhroncok@xxxxxxxxxx> - 1.0.0-0.2.RC1
- Backported several bugfixes
* Wed Nov 20 2013 Miro Hrončok <mhroncok@xxxxxxxxxx> - 1.0.0-0.1.RC1
- 1.0.0RC1 version
- refactor build and install
- become arched
- bundle admesh
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1032056 - Slic3r 1.0.0RC1 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1032056
--------------------------------------------------------------------------------


================================================================================
 v8-3.14.5.10-3.fc20 (FEDORA-2013-23361)
 JavaScript Engine
--------------------------------------------------------------------------------
Update Information:

This update resolves multiple security vulnerabilities in the V8 JavaScript
just-in-time compiler.

--

Common Vulnerabilities and Exposures assigned an identifier CVE-2013-6640 to
the following vulnerability:

Name: CVE-2013-6640
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6640
Assigned: 20131105
Reference: http://code.google.com/p/v8/source/detail?r=17801
Reference: http://googlechromereleases.blogspot.com/2013/12/stable-channel-update.html
Reference: https://code.google.com/p/chromium/issues/detail?id=319860

The DehoistArrayIndex function in hydrogen-dehoist.cc in Google V8
before 3.22.24.7, as used in Google Chrome before 31.0.1650.63, allows
remote attackers to cause a denial of service (out-of-bounds read) via
JavaScript code that sets a variable to the value of an array element
with a crafted index.

--

Common Vulnerabilities and Exposures assigned an identifier CVE-2013-6639 to
the following vulnerability:

Name: CVE-2013-6639
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6639
Assigned: 20131105
Reference: http://code.google.com/p/v8/source/detail?r=17801
Reference: http://googlechromereleases.blogspot.com/2013/12/stable-channel-update.html
Reference: https://code.google.com/p/chromium/issues/detail?id=319835

The DehoistArrayIndex function in hydrogen-dehoist.cc in Google V8
before 3.22.24.7, as used in Google Chrome before 31.0.1650.63, allows
remote attackers to cause a denial of service (out-of-bounds write) or
possibly have unspecified other impact via JavaScript code that sets
the value of an array element with a crafted index.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Dec 13 2013 T.C. Hollingsworth <tchollingsworth@xxxxxxxxx> - 1:3.14.5.10-3
- backport fix for out-of-bounds read DoS (RHBZ#1039889; CVE-2013-6640)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1039888 - CVE-2013-6639 v8: DoS (out-of-bounds write) in DehoistArrayIndex function in hydrogen-dehoist.cc
        https://bugzilla.redhat.com/show_bug.cgi?id=1039888
  [ 2 ] Bug #1039889 - CVE-2013-6640 v8: DoS (out-of-bounds read) in DehoistArrayIndex function in hydrogen-dehoist.cc
        https://bugzilla.redhat.com/show_bug.cgi?id=1039889
--------------------------------------------------------------------------------

--
test mailing list
test@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe:
https://admin.fedoraproject.org/mailman/listinfo/test