The following Fedora 18 Security updates need testing:
 Age  URL
  37  https://admin.fedoraproject.org/updates/FEDORA-2013-21875/389-ds-base-1.3.0.9-1.fc18
  23  https://admin.fedoraproject.org/updates/FEDORA-2013-22949/net-snmp-5.7.2-7.fc18
  20  https://admin.fedoraproject.org/updates/FEDORA-2013-23140/python-setuptools-0.6.49-1.fc18
  17  https://admin.fedoraproject.org/updates/FEDORA-2013-23291/thunderbird-24.2.0-2.fc18
  11  https://admin.fedoraproject.org/updates/FEDORA-2013-23662/rubygem-actionpack-3.2.8-4.fc18
  11  https://admin.fedoraproject.org/updates/FEDORA-2013-23663/ibus-chewing-1.4.4-1.fc18
   5  https://admin.fedoraproject.org/updates/FEDORA-2013-23951/gitolite3-3.5.3.1-1.fc18
   3  https://admin.fedoraproject.org/updates/FEDORA-2013-23988/varnish-3.0.5-1.fc18
   0  https://admin.fedoraproject.org/updates/FEDORA-2013-24142/asterisk-11.7.0-1.fc18
   0  https://admin.fedoraproject.org/updates/FEDORA-2013-24155/libsrtp-1.4.4-9.20101004cvs.fc18

The following Fedora 18 Critical Path updates have yet to be approved:
 Age  URL
 324  https://admin.fedoraproject.org/updates/FEDORA-2013-2192/nautilus-3.6.3-5.fc18
   9  https://admin.fedoraproject.org/updates/FEDORA-2013-23716/selinux-policy-3.11.1-108.fc18
   7  https://admin.fedoraproject.org/updates/FEDORA-2013-23882/libbluray-0.5.0-2.fc18

The following builds have been pushed to Fedora 18 updates-testing

    asterisk-11.7.0-1.fc18
    gtk-gnutella-1.0.0-1.fc18
    libsrtp-1.4.4-9.20101004cvs.fc18
    php-Faker-1.3.0-1.fc18
    php-Monolog-1.7.0-1.fc18
    php-PhpCollection-0.3.1-1.fc18
    php-Raven-0.8.0-2.20131209gitdac9333.fc18
    php-scssphp-0.0.9-1.fc18
    vcsh-1.20131229-1.fc18

Details about builds:

================================================================================
 asterisk-11.7.0-1.fc18 (FEDORA-2013-24142)
 The Open Source PBX
--------------------------------------------------------------------------------
Update Information:

* Sat Dec 28 2013 Jeffrey Ollie <jeff@xxxxxxxxxx> - 11.7.0-1:
- The Asterisk Development Team has announced the release of Asterisk 11.7.0.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 11.7.0 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release:
-
- * --- app_confbridge: Can now set the language used for announcements
-       to the conference.
-   (Closes issue ASTERISK-19983. Reported by Jonathan White)
-
- * --- app_queue: Fix CLI "queue remove member" queue_log entry.
-   (Closes issue ASTERISK-21826. Reported by Oscar Esteve)
-
- * --- chan_sip: Do not increment the SDP version between 183 and 200
-       responses.
-   (Closes issue ASTERISK-21204. Reported by NITESH BANSAL)
-
- * --- chan_sip: Allow a sip peer to accept both AVP and AVPF calls
-   (Closes issue ASTERISK-22005. Reported by Torrey Searle)
-
- * --- chan_sip: Fix Realtime Peer Update Problem When Un-registering
-       And Expires Header In 200ok
-   (Closes issue ASTERISK-22428. Reported by Ben Smithurst)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.7.0

* Sat Dec 28 2013 Jeffrey Ollie <jeff@xxxxxxxxxx> - 11.6.1-1:
- The Asterisk Development Team has announced security releases for Certified
- Asterisk 1.8.15, 11.2, and Asterisk 1.8, 10, and 11. The available security
- releases are released as versions 1.8.15-cert4, 11.2-cert3, 1.8.24.1, 10.12.4,
- 10.12.4-digiumphones, and 11.6.1.
-
- These releases are available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/releases
-
- The release of these versions resolve the following issues:
-
- * A buffer overflow when receiving odd length 16 bit messages in app_sms. An
-   infinite loop could occur which would overwrite memory when a message is
-   received into the unpacksms16() function and the length of the message is an
-   odd number of bytes.
-
- * Prevent permissions escalation in the Asterisk Manager Interface. Asterisk
-   now marks certain individual dialplan functions as 'dangerous', which will
-   inhibit their execution from external sources.
-
-   A 'dangerous' function is one which results in a privilege escalation. For
-   example, if one were to read the channel variable SHELL(rm -rf /) Bad
-   Things(TM) could happen; even if the external source has only read
-   permissions.
-
-   Execution from external sources may be enabled by setting 'live_dangerously'
-   to 'yes' in the [options] section of asterisk.conf. Although doing so is not
-   recommended.
-
- These issues and their resolutions are described in the security advisories.
-
- For more information about the details of these vulnerabilities, please read
- security advisories AST-2013-006 and AST-2013-007, which were
- released at the same time as this announcement.
-
- For a full list of changes in the current releases, please see the ChangeLogs:
-
- http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.15-cert4
- http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.2-cert3
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.24.1
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.12.4
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.12.4-digiumphones
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.6.1
-
- The security advisories are available at:
-
-  * http://downloads.asterisk.org/pub/security/AST-2013-006.pdf
-  * http://downloads.asterisk.org/pub/security/AST-2013-007.pdf

* Sat Dec 28 2013 Jeffrey Ollie <jeff@xxxxxxxxxx> - 11.6.0-1:
- The Asterisk Development Team has announced the release of Asterisk 11.6.0.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 11.6.0 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release:
-
- * --- Confbridge: empty conference not being torn down
-   (Closes issue ASTERISK-21859. Reported by Chris Gentle)
-
- * --- Let Queue wrap up time influence member availability
-   (Closes issue ASTERISK-22189. Reported by Tony Lewis)
-
- * --- Fix a longstanding issue with MFC-R2 configuration that
-       prevented users
-   (Closes issue ASTERISK-21117. Reported by Rafael Angulo)
-
- * --- chan_iax2: Fix saving the wrong expiry time in astdb.
-   (Closes issue ASTERISK-22504. Reported by Stefan Wachtler)
-
- * --- Fix segfault for certain invalid WebSocket input.
-   (Closes issue ASTERISK-21825. Reported by Alfred Farrugia)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.6.0
--------------------------------------------------------------------------------
ChangeLog:

* Sat Dec 28 2013 Jeffrey Ollie <jeff@xxxxxxxxxx> - 11.7.0-1:
- The Asterisk Development Team has announced the release of Asterisk 11.7.0.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 11.7.0 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release:
-
- * --- app_confbridge: Can now set the language used for announcements
-       to the conference.
-   (Closes issue ASTERISK-19983. Reported by Jonathan White)
-
- * --- app_queue: Fix CLI "queue remove member" queue_log entry.
-   (Closes issue ASTERISK-21826.
-   Reported by Oscar Esteve)
-
- * --- chan_sip: Do not increment the SDP version between 183 and 200
-       responses.
-   (Closes issue ASTERISK-21204. Reported by NITESH BANSAL)
-
- * --- chan_sip: Allow a sip peer to accept both AVP and AVPF calls
-   (Closes issue ASTERISK-22005. Reported by Torrey Searle)
-
- * --- chan_sip: Fix Realtime Peer Update Problem When Un-registering
-       And Expires Header In 200ok
-   (Closes issue ASTERISK-22428. Reported by Ben Smithurst)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.7.0

* Sat Dec 28 2013 Jeffrey Ollie <jeff@xxxxxxxxxx> - 11.6.1-1:
- The Asterisk Development Team has announced security releases for Certified
- Asterisk 1.8.15, 11.2, and Asterisk 1.8, 10, and 11. The available security
- releases are released as versions 1.8.15-cert4, 11.2-cert3, 1.8.24.1, 10.12.4,
- 10.12.4-digiumphones, and 11.6.1.
-
- These releases are available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/releases
-
- The release of these versions resolve the following issues:
-
- * A buffer overflow when receiving odd length 16 bit messages in app_sms. An
-   infinite loop could occur which would overwrite memory when a message is
-   received into the unpacksms16() function and the length of the message is an
-   odd number of bytes.
-
- * Prevent permissions escalation in the Asterisk Manager Interface. Asterisk
-   now marks certain individual dialplan functions as 'dangerous', which will
-   inhibit their execution from external sources.
-
-   A 'dangerous' function is one which results in a privilege escalation. For
-   example, if one were to read the channel variable SHELL(rm -rf /) Bad
-   Things(TM) could happen; even if the external source has only read
-   permissions.
-
-   Execution from external sources may be enabled by setting 'live_dangerously'
-   to 'yes' in the [options] section of asterisk.conf.
-   Although doing so is not
-   recommended.
-
- These issues and their resolutions are described in the security advisories.
-
- For more information about the details of these vulnerabilities, please read
- security advisories AST-2013-006 and AST-2013-007, which were
- released at the same time as this announcement.
-
- For a full list of changes in the current releases, please see the ChangeLogs:
-
- http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.15-cert4
- http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.2-cert3
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.24.1
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.12.4
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-10.12.4-digiumphones
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.6.1
-
- The security advisories are available at:
-
-  * http://downloads.asterisk.org/pub/security/AST-2013-006.pdf
-  * http://downloads.asterisk.org/pub/security/AST-2013-007.pdf

* Sat Dec 28 2013 Jeffrey Ollie <jeff@xxxxxxxxxx> - 11.6.0-1:
- The Asterisk Development Team has announced the release of Asterisk 11.6.0.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 11.6.0 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following is a sample of the issues resolved in this release:
-
- * --- Confbridge: empty conference not being torn down
-   (Closes issue ASTERISK-21859. Reported by Chris Gentle)
-
- * --- Let Queue wrap up time influence member availability
-   (Closes issue ASTERISK-22189. Reported by Tony Lewis)
-
- * --- Fix a longstanding issue with MFC-R2 configuration that
-       prevented users
-   (Closes issue ASTERISK-21117.
-   Reported by Rafael Angulo)
-
- * --- chan_iax2: Fix saving the wrong expiry time in astdb.
-   (Closes issue ASTERISK-22504. Reported by Stefan Wachtler)
-
- * --- Fix segfault for certain invalid WebSocket input.
-   (Closes issue ASTERISK-21825. Reported by Alfred Farrugia)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.6.0

* Mon Oct 21 2013 Jeffrey Ollie <jeff@xxxxxxxxxx> - 11.5.1-3:
- Disable hardened build, as it's apparently causing problems loading modules.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1043917 - asterisk: asterisk manager user dialplan permission escalation
        https://bugzilla.redhat.com/show_bug.cgi?id=1043917
  [ 2 ] Bug #1043918 - CVE-2013-7100 asterisk: buffer overflow when receiving odd length 16 bit SMS message
        https://bugzilla.redhat.com/show_bug.cgi?id=1043918
--------------------------------------------------------------------------------

================================================================================
 gtk-gnutella-1.0.0-1.fc18 (FEDORA-2013-24126)
 GUI based Gnutella Client
--------------------------------------------------------------------------------
Update Information:

Update to 1.0.0
--------------------------------------------------------------------------------
ChangeLog:

* Mon Dec 30 2013 Dmitry Butskoy <Dmitry@xxxxxxxxxxxx> - 1.0.0-1
- Upgrade to 1.0.0
* Sat Aug 3 2013 Fedora Release Engineering <rel-eng@xxxxxxxxxxxxxxxxxxxxxxx> - 0.98.4-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Tue Apr 23 2013 Jon Ciesla <limburgher@xxxxxxxxx> - 0.98.4-3
- Drop desktop vendor tag.
* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@xxxxxxxxxxxxxxxxxxxxxxx> - 0.98.4-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
--------------------------------------------------------------------------------

================================================================================
 libsrtp-1.4.4-9.20101004cvs.fc18 (FEDORA-2013-24155)
 An implementation of the Secure Real-time Transport Protocol (SRTP)
--------------------------------------------------------------------------------
Update Information:

Fix CVE-2013-2139 - buffer overflow in application of crypto profiles
--------------------------------------------------------------------------------
ChangeLog:

* Mon Dec 30 2013 Tom Callaway <spot@xxxxxxxxxxxxxxxxx> - 1.4.4-9.20101004cvs
- apply fix for CVE-2013-2139 from https://github.com/cisco/libsrtp/pull/27
* Sat Aug 3 2013 Fedora Release Engineering <rel-eng@xxxxxxxxxxxxxxxxxxxxxxx> - 1.4.4-8.20101004cvs
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@xxxxxxxxxxxxxxxxxxxxxxx> - 1.4.4-7.20101004cvs
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #970697 - CVE-2013-2139 libsrtp: buffer overflow in application of crypto profiles
        https://bugzilla.redhat.com/show_bug.cgi?id=970697
--------------------------------------------------------------------------------

================================================================================
 php-Faker-1.3.0-1.fc18 (FEDORA-2013-24111)
 A PHP library that generates fake data
--------------------------------------------------------------------------------
Update Information:

v1.3.0 (2013-12-16)

New Features

* Added unique() modifier
* Added optional() modifier (weotch)
* Added Image generation powered by LoremPixel (weotch)
* Added IDE insights to allow better intellisense/phpStorm
  autocompletion (thallisphp)
* Added IBAN generator for every currently known locale that uses it (nineinchnick)
* Added Payment providers (creditCardType, creditCardNumber, creditCardExpirationDate, creditCardExpirationDateString) (pomaxa)
* Added Color provider with hexColor, rgbColor, rgbColorAsArray, rgbCssColor, safeColorName, and colorName formatters (lsv)

New / Improved Locales

* Added English (South Africa) (en_ZA) person, address, Internet and phone number providers (dmfaux)
* Added Spanish (es_ES) Internet provider (eusonlito)
* Added English Philippines (en_PH) address provider (kamote)
* Added Brazilian (pt_BR) email provider data (KennedyTedesco)
* Added Peruvian (es_PE) person, address, phone number, and company providers (cslucano)
* Added Ukrainian (uk_UA) color provider (ruden)
* Fixed Ukrainian (uk_UA) namespace and email translitteration (ruden)
* Added Romanian (Moldova) (ro_MD) person, address, and phone number providers (AlexanderC)
* Added Romanian (ro_RO) address and person providers (calina-c)
* Added Polish (pl_PL) address provider, personal identity number and pesel number generator (nineinchnick)
* Added Turkish (tr_TR) address provider, and improved internet provider (hasandz)
* Added Greek (el_GR) person, address, and phone number providers (georgeharito)
* Added Australian (en_AU) address, Internet, and phone number providers (rcuddy)
* Added French (fr_FR) phone number formats (vchabot)
* Added Japanese (ja_JP) person, address, Internet, phone number, and company providers (kumamidori)
* Added Russian (ru_RU) color providers, driver license and passport number formats (pomaxa)
* Added Latvian (lv_LV) person, address, Internet, and phone number providers (pomaxa)
* Added Brazilian (pt_BR) Internet provider (vjnrv)
* Added more Czech (cs_CZ) lastnames (petrkle)
* Added Chinese Simplified (zh_CN) person, address, Internet, and phone number providers (tlikai)

Bug Fixes

* Fixed state generator in Australian (en_AU) provider (sebklaus)
* Fixed IDE insights for locale specific providers (ulrikjohansson)
* Fixed integer values overflowing on signed INTEGER columns on Doctrine populator (Thinkscape)
* Fixed spelling error in French (fr_FR) address provider (leihog)
* Fixed Italian (it_IT) email provider (garak)
* Fixed UK country code (pgscandeias)
* Fixed missing timezone with dateTimeBetween (baldurrensch)
* Fixed call to undefined method cardType in Payment (WMeldon)
* Fixed Doctrine populator to use ObjectManager instead of EntityManagerInterface (mgiustiniani)
* Fixed docblock for Provider\Base::unique() (pschultz)
* Fixed Propel column number guesser to use signed range of values (gunnarlium)
* Fixed phpDoc in Doctrine Entity populator (rogamoore)
* Fixed typo in the Person provider documentation (jtreminio)
* Fixed Russian (ru_RU) person format (alexshadow007)

Miscellaneous

* Added improvements based on SensioLabsInsights analysis
* Fixed Typos (pborelli)
* Added support for associative arrays in randomElement (aRn0D)
--------------------------------------------------------------------------------
ChangeLog:

* Sun Dec 29 2013 Shawn Iwinski <shawn.iwinski@xxxxxxxxx> 1.3.0-1
- Updated to 1.3.0 (BZ #1044436)
- Spec cleanup
* Sun Aug 4 2013 Fedora Release Engineering <rel-eng@xxxxxxxxxxxxxxxxxxxxxxx> - 1.2.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1044436 - php-Faker-1.3.0 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1044436
--------------------------------------------------------------------------------

================================================================================
 php-Monolog-1.7.0-1.fc18 (FEDORA-2013-24107)
 Sends your logs to files, sockets, inboxes, databases and various web services
--------------------------------------------------------------------------------
Update Information:

1.7.0 (2013-11-14)

* Added ElasticSearchHandler to
  send logs to an Elastic Search server
* Added DynamoDbHandler and ScalarFormatter to send logs to Amazon's Dynamo DB
* Added SyslogUdpHandler to send logs to a remote syslogd server
* Added LogglyHandler to send logs to a Loggly account
* Added $level to IntrospectionProcessor so it only adds backtraces when needed
* Added $version to LogstashFormatter to allow using the new v1 Logstash format
* Added $appName to NewRelicHandler
* Added configuration of Pushover notification retries/expiry
* Added $maxColumnWidth to NativeMailerHandler to change the 70 chars default
* Added chainability to most setters for all handlers
* Fixed RavenHandler batch processing so it takes the message from the record with highest priority
* Fixed HipChatHandler batch processing so it sends all messages at once
* Fixed issues with eAccelerator
* Fixed and improved many small things
--------------------------------------------------------------------------------
ChangeLog:

* Mon Dec 30 2013 Shawn Iwinski <shawn.iwinski@xxxxxxxxx> 1.7.0-1
- Updated to 1.7.0 (BZ #1030923)
- Added dynamo sub-package
- Spec cleanup
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1030923 - php-Monolog-1.7.0 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1030923
--------------------------------------------------------------------------------

================================================================================
 php-PhpCollection-0.3.1-1.fc18 (FEDORA-2013-24141)
 General purpose collection library for PHP
--------------------------------------------------------------------------------
Update Information:

Updated to 0.3.1

* Adds map() method
--------------------------------------------------------------------------------
ChangeLog:

* Mon Dec 30 2013 Shawn Iwinski <shawn.iwinski@xxxxxxxxx> 0.3.1-1
- Updated to 0.3.1 (BZ #1045915)
- Spec cleanup
* Sun Aug 4 2013 Fedora Release Engineering <rel-eng@xxxxxxxxxxxxxxxxxxxxxxx> - 0.3.0-3
- Rebuilt
  for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1045915 - php-PhpCollection-0.3.1 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1045915
--------------------------------------------------------------------------------

================================================================================
 php-Raven-0.8.0-2.20131209gitdac9333.fc18 (FEDORA-2013-24081)
 A PHP client for Sentry
--------------------------------------------------------------------------------
Update Information:

Updated to snapshot 2013-12-09 commit dac93338d1fe17d665dfdea5f529c89b3a0df7df (0.8.0 + additional commits)

Commits: https://github.com/getsentry/raven-php/commits/dac93338d1fe17d665dfdea5f529c89b3a0df7df
--------------------------------------------------------------------------------
ChangeLog:

* Mon Dec 30 2013 Shawn Iwinski <shawn.iwinski@xxxxxxxxx> 0.8.0-2.20131209gitdac9333
- Updated to latest snapshot
* Sun Dec 29 2013 Shawn Iwinski <shawn.iwinski@xxxxxxxxx> 0.8.0-1
- Updated to 0.8.0 (BZ #1037543)
- Spec cleanup
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1037543 - php-Raven-0.8.0 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1037543
--------------------------------------------------------------------------------

================================================================================
 php-scssphp-0.0.9-1.fc18 (FEDORA-2013-24151)
 A compiler for SCSS written in PHP
--------------------------------------------------------------------------------
Update Information:

v0.0.9

Bug fixes:

* @for/@while inside @content block (@sergeylukin)
* functions in mixin_content (@timonbaetz)
* infinite loop when target extends itself (@oscherler)
* function arguments are lost inside of @content block

Enhancements:

* allow setting number precision (@kasperisager)
* public function helpers (toBool, get,
  findImport, assertList, assertColor, assertNumber, throwError) (@Burgov, @atdt)
* add optional cache buster prefix to serve() method (@iMoses)
--------------------------------------------------------------------------------
ChangeLog:

* Sun Dec 29 2013 Shawn Iwinski <shawn.iwinski@xxxxxxxxx> 0.0.9-1
- Updated to 0.0.9 (BZ #1046671)
- Spec cleanup
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1046671 - php-scssphp-0.0.9 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1046671
--------------------------------------------------------------------------------

================================================================================
 vcsh-1.20131229-1.fc18 (FEDORA-2013-24137)
 Version Control System for $HOME
--------------------------------------------------------------------------------
Update Information:

Bumped version to 1.20131229
--------------------------------------------------------------------------------
ChangeLog:

--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1047227 - vcsh-1.20131229 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1047227
--------------------------------------------------------------------------------