The following Fedora 18 Security updates need testing:
 Age  URL
  26  https://admin.fedoraproject.org/updates/FEDORA-2013-21875/389-ds-base-1.3.0.9-1.fc18
  12  https://admin.fedoraproject.org/updates/FEDORA-2013-22949/net-snmp-5.7.2-7.fc18
   9  https://admin.fedoraproject.org/updates/FEDORA-2013-23122/firefox-26.0-2.fc18,xulrunner-26.0-1.fc18
   9  https://admin.fedoraproject.org/updates/FEDORA-2013-23140/python-setuptools-0.6.49-1.fc18
   6  https://admin.fedoraproject.org/updates/FEDORA-2013-23291/thunderbird-24.2.0-2.fc18
   6  https://admin.fedoraproject.org/updates/FEDORA-2013-23299/libreswan-3.7-1.fc18
   4  https://admin.fedoraproject.org/updates/FEDORA-2013-23378/openttd-1.3.3-1.fc18
   4  https://admin.fedoraproject.org/updates/FEDORA-2013-23401/v8-3.14.5.10-3.fc18
   3  https://admin.fedoraproject.org/updates/FEDORA-2013-23466/xen-4.2.3-12.fc18
   2  https://admin.fedoraproject.org/updates/FEDORA-2013-23504/quagga-0.99.21-6.fc18
   0  https://admin.fedoraproject.org/updates/FEDORA-2013-23591/seamonkey-2.23-1.fc18
   0  https://admin.fedoraproject.org/updates/FEDORA-2013-23646/perl-Proc-Daemon-0.14-9.fc18
   0  https://admin.fedoraproject.org/updates/FEDORA-2013-23575/ca-certificates-2013.1.95-1.fc18
   0  https://admin.fedoraproject.org/updates/FEDORA-2013-23662/rubygem-actionpack-3.2.8-4.fc18
   0  https://admin.fedoraproject.org/updates/FEDORA-2013-23663/ibus-chewing-1.4.4-1.fc18
   0  https://admin.fedoraproject.org/updates/FEDORA-2013-23678/gnupg-1.4.16-2.fc18


The following Fedora 18 Critical Path updates have yet to be approved:
 Age  URL
 313  https://admin.fedoraproject.org/updates/FEDORA-2013-2192/nautilus-3.6.3-5.fc18
  12  https://admin.fedoraproject.org/updates/FEDORA-2013-22918/opus-1.1-1.fc18
  12  https://admin.fedoraproject.org/updates/FEDORA-2013-22917/colord-1.0.5-1.fc18
   9  https://admin.fedoraproject.org/updates/FEDORA-2013-23122/firefox-26.0-2.fc18,xulrunner-26.0-1.fc18
   9  https://admin.fedoraproject.org/updates/FEDORA-2013-23140/python-setuptools-0.6.49-1.fc18
   6  https://admin.fedoraproject.org/updates/FEDORA-2013-23291/thunderbird-24.2.0-2.fc18
   6  https://admin.fedoraproject.org/updates/FEDORA-2013-23312/dracut-029-1.fc18.3
   6  https://admin.fedoraproject.org/updates/FEDORA-2013-23306/abrt-2.1.10-1.fc18,libreport-2.1.10-1.fc18,satyr-0.12-1.fc18
   6  https://admin.fedoraproject.org/updates/FEDORA-2013-23297/libfm-1.1.4-1.fc18
   4  https://admin.fedoraproject.org/updates/FEDORA-2013-23381/cryptsetup-1.6.3-1.fc18
   0  https://admin.fedoraproject.org/updates/FEDORA-2013-23598/fedora-release-18-6
   0  https://admin.fedoraproject.org/updates/FEDORA-2013-23575/ca-certificates-2013.1.95-1.fc18


The following builds have been pushed to Fedora 18 updates-testing

    caja-actions-1.6.2-2.fc18
    fedora-release-18-6
    g2clib-1.4.0-3.fc18
    ghc-numbers-3000.2.0.0-1.fc18
    gnupg-1.4.16-2.fc18
    ibus-chewing-1.4.4-1.fc18
    opendkim-2.9.0-2.fc18
    perl-Proc-Daemon-0.14-9.fc18
    python-caja-1.4.0-4.fc18
    rubygem-actionpack-3.2.8-4.fc18
    seamonkey-2.23-1.fc18
    tuxcut-5.1-1.fc18
    tzdata-2013i-1.fc18
    vrq-1.0.97-1.fc18
    youtube-dl-2013.12.17.2-1.fc18

Details about builds:


================================================================================
 caja-actions-1.6.2-2.fc18 (FEDORA-2013-23649)
 Caja extension for customizing the context menu
--------------------------------------------------------------------------------
Update Information:

- update for rename caja in f21
--------------------------------------------------------------------------------
ChangeLog:

* Wed Dec 18 2013 Wolfgang Ulbrich <chat-to-me@xxxxxxxxx> - 1.6.2-2
- update for rename caja in f21
--------------------------------------------------------------------------------


================================================================================
 fedora-release-18-6 (FEDORA-2013-23598)
 Fedora release files
--------------------------------------------------------------------------------
Update Information:

- fix up urls
- reenable 7d metadata cache expiry for fedora repo
- add f20 gpgkeys and update symlinks
--------------------------------------------------------------------------------
ChangeLog:

* Wed Dec 18 2013 Dennis Gilmore <dennis@xxxxxxxx> - 18-6
- actually commit all the changes
* Wed Dec 18 2013 Dennis Gilmore <dennis@xxxxxxxx> - 18-5
- add to git the archmap file
* Wed Dec 18 2013 Dennis Gilmore <dennis@xxxxxxxx> - 18-4
- fix up urls
* Wed Dec 18 2013 Dennis Gilmore <dennis@xxxxxxxx> - 18-3
- reenable 7d metadata cache expiry for fedora repo
* Wed Dec 18 2013 Dennis Gilmore <dennis@xxxxxxxx> - 18-2
- add f20 gpgkeys and update symlinks
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1040689 - GPG keys for F19 and F20 needed for upgrades
        https://bugzilla.redhat.com/show_bug.cgi?id=1040689
--------------------------------------------------------------------------------


================================================================================
 g2clib-1.4.0-3.fc18 (FEDORA-2013-23640)
 GRIB2 encoder/decoder and search/indexing routines in C
--------------------------------------------------------------------------------
Update Information:

- Update to 1.4.0
- Add patch to fix possible segfault after calling simunpack with 0 values to unpack
--------------------------------------------------------------------------------
ChangeLog:

* Thu Jan 10 2013 Orion Poplawski <orion@xxxxxxxxxxxxx> - 1.4.0-3
- Update to 1.4.0
- Rebase templates patch
- Add patch to fix possible segfault after calling simunpack with 0 values to unpack
--------------------------------------------------------------------------------


================================================================================
 ghc-numbers-3000.2.0.0-1.fc18 (FEDORA-2013-23651)
 Instances of numerical classes for numbers
--------------------------------------------------------------------------------
Update Information:

Updated to 3000.2.0.0
--------------------------------------------------------------------------------
ChangeLog:

* Wed Dec 18 2013 Shakthi Kannan <shakthimaan [AT] fedoraproject dot org> - 3000.2.0.0-1
- new upstream version 3000.2.0.0
* Sat Aug 3 2013 Fedora Release Engineering <rel-eng@xxxxxxxxxxxxxxxxxxxxxxx> - 3000.1.0.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Fri Jun 7 2013 Jens Petersen <petersen@xxxxxxxxxx> - 3000.1.0.3-2
- update to new simplified Haskell Packaging Guidelines
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1018672 - ghc-numbers-3000.2.0.0 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1018672
--------------------------------------------------------------------------------


================================================================================
 gnupg-1.4.16-2.fc18 (FEDORA-2013-23678)
 A GNU utility for secure communication and data storage
--------------------------------------------------------------------------------
Update Information:

What's New
===========

 * Fixed the RSA Key Extraction via Low-Bandwidth Acoustic
   Cryptanalysis attack as described by Genkin, Shamir, and Tromer.
   See <http://www.cs.tau.ac.il/~tromer/acoustic/>. [CVE-2013-4576]

 * Put only the major version number by default into armored output.

 * Do not create a trustdb file if --trust-model=always is used.

 * Print the keyid for key packets with --list-packets.

 * Changed modular exponentiation algorithm to recover from a small
   performance loss due to a change in 1.4.14.

Impact of the security problem
==============================

CVE-2013-4576 has been assigned to this security bug.

The paper describes two attacks. The first attack allows to distinguish
keys: An attacker is able to notice which key is currently used for
decryption. This is in general not a problem but may be used to reveal
the information that a message, encrypted to a commonly not used key,
has been received by the targeted machine. We do not have a software
solution to mitigate this attack.

The second attack is more serious. It is an adaptive chosen ciphertext
attack to reveal the private key. A possible scenario is that the
attacker places a sensor (for example a standard smartphone) in the
vicinity of the targeted machine. That machine is assumed to do
unattended RSA decryption of received mails, for example by using a mail
client which speeds up browsing by opportunistically decrypting mails
expected to be read soon. While listening to the acoustic emanations of
the targeted machine, the smartphone will send new encrypted messages to
that machine and re-construct the private key bit by bit. A 4096 bit RSA
key used on a laptop can be revealed within an hour.

GnuPG 1.4.16 avoids this attack by employing RSA blinding during
decryption. GnuPG 2.x and current Gpg4win versions make use of Libgcrypt
which employs RSA blinding anyway and are thus not vulnerable.

For the highly interesting research on acoustic cryptanalysis and the
details of the attack see http://www.cs.tau.ac.il/~tromer/acoustic/ .
--------------------------------------------------------------------------------
ChangeLog:

* Wed Dec 18 2013 Peter Robinson <pbrobinson@xxxxxxxxxxxxxxxxx> 1.4.16-2
- New upstream v1.4.16 fixes for CVE-2013-4576
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1044402 - gnupg-1.4.16 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1044402
--------------------------------------------------------------------------------


================================================================================
 ibus-chewing-1.4.4-1.fc18 (FEDORA-2013-23663)
 The Chewing engine for IBus input platform
--------------------------------------------------------------------------------
Update Information:

- Resolves Bug 842856 - ibus-chewing 1.4.3-1 not built with $RPM_OPT_FLAGS
- Resolves Bug 1027030 - CVE-2013-4509 ibus-chewing: ibus: visible password entry flaw [fedora-all]
  Thanks czchen for the GitHub pull request 39.
- Added translations: fr_FR, ja_JP, ko_KR
- Adopt cmake-fedora-1.2.0
--------------------------------------------------------------------------------
ChangeLog:

* Wed Dec 18 2013 Ding-Yi Chen <dchen at redhat.com> - 1.4.4-1
- Resolves Bug 842856 - ibus-chewing 1.4.3-1 not built with $RPM_OPT_FLAGS
- Resolves Bug 1027030 - CVE-2013-4509 ibus-chewing: ibus: visible password entry flaw [fedora-all]
  Thanks czchen for the GitHub pull request 39.
- Added translations: fr_FR, ja_JP, ko_KR
- Adopt cmake-fedora-1.2.0
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #842856 - ibus-chewing 1.4.3-1 not built with $RPM_OPT_FLAGS
        https://bugzilla.redhat.com/show_bug.cgi?id=842856
  [ 2 ] Bug #1027030 - CVE-2013-4509 ibus-chewing: ibus: visible password entry flaw [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1027030
--------------------------------------------------------------------------------


================================================================================
 opendkim-2.9.0-2.fc18 (FEDORA-2013-23672)
 A DomainKeys Identified Mail (DKIM) milter to sign and/or verify mail
--------------------------------------------------------------------------------
Update Information:

- Updating to new upstream 2.9.0 for all build version
- Fixing some minor bugs for systemd users.

* Sun Nov 3 2013 Steve Jenkins <steve stevejenkins com> - 2.8.4-4
- Rebuild of all release packages to sync version numbers
* Sun Nov 3 2013 Ville Skytta <ville.skytta@xxxxxx> - 2.8.4-3
- Fix path to docs in sample config when doc dir is unversioned (#993997).
* Sat Aug 03 2013 Petr Pisar <ppisar@xxxxxxxxxx> - 2.8.4-2
- Perl 5.18 rebuild
--------------------------------------------------------------------------------
ChangeLog:

* Wed Dec 18 2013 Steve Jenkins <steve stevejenkins com> - 2.9.0-2
- Patch adds user and group to systemd service file (Thx jcosta@xxxxxxxxxx)
- Changed default ownership of /etc/opendkim/keys directory to opendkim user
* Wed Dec 18 2013 Steve Jenkins <steve stevejenkins com> - 2.9.0-1
- Updated to use newer upstream 2.9.0 source code
- Added libbsd-devel to Build Requires
- Removed listrl references from libopendkim files section (handled by libbsd-devel)
* Sun Nov 3 2013 Steve Jenkins <steve stevejenkins com> - 2.8.4-4
- Rebuild of all release packages to sync version numbers
* Sun Nov 3 2013 Ville Skytta <ville.skytta@xxxxxx> - 2.8.4-3
- Fix path to docs in sample config when doc dir is unversioned (#993997).
* Sat Aug 3 2013 Petr Pisar <ppisar@xxxxxxxxxx> - 2.8.4-2
- Perl 5.18 rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1041546 - opendkim.service needs user/group
        https://bugzilla.redhat.com/show_bug.cgi?id=1041546
  [ 2 ] Bug #993997 - opendkim possibly affected by F-20 unversioned docdir change
        https://bugzilla.redhat.com/show_bug.cgi?id=993997
--------------------------------------------------------------------------------


================================================================================
 perl-Proc-Daemon-0.14-9.fc18 (FEDORA-2013-23646)
 Run Perl program as a daemon process
--------------------------------------------------------------------------------
Update Information:

Add patch from debian to fix pidfile with mode 666 CVE-2013-7135
--------------------------------------------------------------------------------
ChangeLog:

* Wed Dec 18 2013 Remi Collet <remi@xxxxxxxxxxxxxxxxx> 0.14-9
- fix pidfile with mode 666, patch from debian, CVE-2013-7135
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1043872 - CVE-2013-7135 perl-Proc-Daemon: writes pidfile with mode 666
        https://bugzilla.redhat.com/show_bug.cgi?id=1043872
--------------------------------------------------------------------------------


================================================================================
 python-caja-1.4.0-4.fc18 (FEDORA-2013-23655)
 Python bindings for Caja
--------------------------------------------------------------------------------
Update Information:

- rebuild for caja rename in f21
- add python2 stacks
--------------------------------------------------------------------------------
ChangeLog:

* Wed Dec 18 2013 Wolfgang Ulbrich <chat-to-me@xxxxxxxxx> - 1:1.4.0-4
- rebuild for caja rename in f21
- add python2 stacks
--------------------------------------------------------------------------------


================================================================================
 rubygem-actionpack-3.2.8-4.fc18 (FEDORA-2013-23662)
 Web-flow and rendering framework putting the VC in MVC
--------------------------------------------------------------------------------
Update Information:

Includes security patches for:

- CVE-2013-6417 - Incomplete fix to CVE-2013-0155 (Unsafe Query Generation Risk)
- CVE-2013-4491 - Reflective XSS Vulnerability in Ruby on Rails
- CVE-2013-6415 - XSS Vulnerability in number_to_currency
- CVE-2013-6414 - Denial of Service Vulnerability in Action View
--------------------------------------------------------------------------------
ChangeLog:

* Mon Dec 16 2013 Josef Stribny <jstribny@xxxxxxxxxx> - 1:3.2.8-4
- Fixes for CVE-2013-6417, CVE-2013-4491, CVE-2013-6415, CVE-2013-6414
--------------------------------------------------------------------------------


================================================================================
 seamonkey-2.23-1.fc18 (FEDORA-2013-23591)
 Web browser, e-mail, news, IRC client, HTML editor
--------------------------------------------------------------------------------
Update Information:

Update to 2.23

Fixes various security issues, see
http://www.mozilla.org/security/known-vulnerabilities/seamonkey.html
for more info.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Dec 18 2013 Dmitry Butskoy <Dmitry@xxxxxxxxxxxx> 2.23-1
- update to 2.23
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1043100 - seamonkey-2.23 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1043100
--------------------------------------------------------------------------------


================================================================================
 tuxcut-5.1-1.fc18 (FEDORA-2013-23585)
 Arpspoof attacks protector
--------------------------------------------------------------------------------
Update Information:

Fix the remove issue.
Fix delay time when closing the application sometimes.
Enhance the application launcher.
--------------------------------------------------------------------------------
ChangeLog:

* Thu Dec 12 2013 Mosaab Alzoubi <moceap@xxxxxxxxxxx> - 5.1-1
- Update release.
- New upstream URL method.
- Tweak %prep for new release.
- Use upstream icon.
- Update bin/tuxcut.
--------------------------------------------------------------------------------


================================================================================
 tzdata-2013i-1.fc18 (FEDORA-2013-23590)
 Timezone data
--------------------------------------------------------------------------------
Update Information:

- Rebase with early release of 2013i from Paul Eggert github.
- Jordan switches back to standard time at 00:00 on December 20, 2013.
- The 2006-2011 transition schedule is planned to resume in 2014.
- The compile-time flag NOSOLAR has been removed.
- The files solar87, solar88, and solar89 are no longer distributed.
- tz-link.htm now mentions Noda Time.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Dec 18 2013 Patsy Franklin <pfrankli@xxxxxxxxxx> 2013i-1
- Rebase with early release of 2013i from Paul Eggert github.
- Jordan switches back to standard time at 00:00 on December 20, 2013.
- The 2006-2011 transition schedule is planned to resume in 2014.
- The compile-time flag NOSOLAR has been removed.
- The files solar87, solar88, and solar89 are no longer distributed.
- tz-link.htm now mentions Noda Time.
--------------------------------------------------------------------------------


================================================================================
 vrq-1.0.97-1.fc18 (FEDORA-2013-23643)
 Verilog tool framework with plugins for manipulating source code
--------------------------------------------------------------------------------
Update Information:

Updated to 1.0.97.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Dec 18 2013 Shakthi Kannan <shakthimaan [AT] fedoraproject dot org> - 1.0.97-1
- Updated to 1.0.97
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #987435 - vrq-1.0.97 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=987435
--------------------------------------------------------------------------------


================================================================================
 youtube-dl-2013.12.17.2-1.fc18 (FEDORA-2013-23679)
 A small command-line program to download online videos
--------------------------------------------------------------------------------
Update Information:

youtube-dl-2013.12.17.2
--------------------------------------------------------------------------------
ChangeLog:

* Thu Dec 19 2013 Christopher Meng <rpm@xxxxxxxx> - 2013.12.17.2-1
- Update to 2013.12.17.2
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1039524 - youtube-dl-2013.12.17.2 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1039524
--------------------------------------------------------------------------------