The following Fedora 20 Security updates need testing:

 Age  URL
  92  https://admin.fedoraproject.org/updates/FEDORA-2014-5897/nrpe-2.15-2.fc20
  72  https://admin.fedoraproject.org/updates/FEDORA-2014-6551/chicken-4.8.0.6-2.fc20
  70  https://admin.fedoraproject.org/updates/FEDORA-2014-6615/drupal7-views-3.8-1.fc20
  41  https://admin.fedoraproject.org/updates/FEDORA-2014-7551/asterisk-11.10.2-2.fc20
  41  https://admin.fedoraproject.org/updates/FEDORA-2014-7613/perl-Email-Address-1.905-1.fc20
  32  https://admin.fedoraproject.org/updates/FEDORA-2014-7936/python3-3.3.2-16.fc20
  22  https://admin.fedoraproject.org/updates/FEDORA-2014-8065/rubygem-activerecord-4.0.0-4.fc20
  20  https://admin.fedoraproject.org/updates/FEDORA-2014-5497/openstack-keystone-2013.2.3-5.fc20
  18  https://admin.fedoraproject.org/updates/FEDORA-2014-8334/python-bottle-0.12.6-1.fc20
  15  https://admin.fedoraproject.org/updates/FEDORA-2014-8412/mosquitto-1.3.2-1.fc20
  13  https://admin.fedoraproject.org/updates/FEDORA-2014-8458/gd-2.1.0-6.fc20
   9  https://admin.fedoraproject.org/updates/FEDORA-2014-8189/krb5-1.11.5-10.fc20
   7  https://admin.fedoraproject.org/updates/FEDORA-2014-8790/trafficserver-4.2.1.1-0.fc20
   6  https://admin.fedoraproject.org/updates/FEDORA-2014-8901/ansible-1.6.10-1.fc20
   2  https://admin.fedoraproject.org/updates/FEDORA-2014-8976/libndp-1.4-1.fc20
   0  https://admin.fedoraproject.org/updates/FEDORA-2014-9112/wireshark-1.10.9-1.fc20
   0  https://admin.fedoraproject.org/updates/FEDORA-2014-9063/pixman-0.30.0-4.fc20
   0  https://admin.fedoraproject.org/updates/FEDORA-2014-9052/drupal7-date-2.8-1.fc20
   0  https://admin.fedoraproject.org/updates/FEDORA-2014-9092/libplist-1.11-2.fc20,libusbmuxd-1.0.9-2.fc20,libimobiledevice-1.1.6-2.fc20,usbmuxd-1.0.9-0.4.c24463e.fc20,ifuse-1.1.3-3.fc20,libgpod-0.8.3-2.fc20,upower-0.9.23-3.fc20,gvfs-1.18.3-3.fc20
   0  https://admin.fedoraproject.org/updates/FEDORA-2014-9082/tor-0.2.4.23-1.fc20
   0  https://admin.fedoraproject.org/updates/FEDORA-2014-9102/cockpit-0.18-2.fc20
   0  https://admin.fedoraproject.org/updates/FEDORA-2014-9114/tboot-1.8.2-1.fc20

The following Fedora 20 Critical Path updates have yet to be approved:

 Age  URL
   9  https://admin.fedoraproject.org/updates/FEDORA-2014-8189/krb5-1.11.5-10.fc20
   4  https://admin.fedoraproject.org/updates/FEDORA-2014-8922/gnome-shell-3.10.4-8.fc20,mutter-3.10.4-3.fc20
   3  https://admin.fedoraproject.org/updates/FEDORA-2014-8949/ibus-1.5.8-1.fc20
   2  https://admin.fedoraproject.org/updates/FEDORA-2014-9024/evolution-3.10.4-3.fc20
   2  https://admin.fedoraproject.org/updates/FEDORA-2014-8976/libndp-1.4-1.fc20
   0  https://admin.fedoraproject.org/updates/FEDORA-2014-9103/emacs-24.3-19.fc20
   0  https://admin.fedoraproject.org/updates/FEDORA-2014-9092/libplist-1.11-2.fc20,libusbmuxd-1.0.9-2.fc20,libimobiledevice-1.1.6-2.fc20,usbmuxd-1.0.9-0.4.c24463e.fc20,ifuse-1.1.3-3.fc20,libgpod-0.8.3-2.fc20,upower-0.9.23-3.fc20,gvfs-1.18.3-3.fc20
   0  https://admin.fedoraproject.org/updates/FEDORA-2014-9063/pixman-0.30.0-4.fc20

The following builds have been pushed to Fedora 20 updates-testing

    NetworkManager-l2tp-0.9.8.7-1.fc20
    cockpit-0.18-2.fc20
    docker-io-1.1.2-2.fc20
    emacs-24.3-19.fc20
    glusterfs-3.5.2-1.fc20
    golang-github-gorilla-context-0-0.27.git14f550f.fc20
    libreoffice-gallery-vrt-network-equipment-1.2.0-1.fc20
    libuv-0.10.28-1.fc20
    nodejs-0.10.30-1.fc20
    nuttcp-6.1.2-10.fc20
    pgpdump-0.29-1.fc20
    php-Smarty-3.1.19-1.fc20
    php-pecl-jsonc-1.3.6-1.fc20
    python-fiat-1.4.0-1.fc20
    python3-dugong-3.2-1.fc20
    seren-0.0.19-1.fc20
    tboot-1.8.2-1.fc20
    v8-3.14.5.10-11.fc20
    wireshark-1.10.9-1.fc20

Details about builds:

================================================================================
 NetworkManager-l2tp-0.9.8.7-1.fc20 (FEDORA-2014-9116)
 NetworkManager VPN plugin for l2tp
--------------------------------------------------------------------------------
Update Information:

updated to 0.9.8.7
--------------------------------------------------------------------------------
ChangeLog:

* Thu Jul 31 2014 Ivan Romanov <drizt@xxxxxxx> - 0.9.8.7-1
- updated to 0.9.8.7
* Fri Jun  6 2014 Fedora Release Engineering <rel-eng@xxxxxxxxxxxxxxxxxxxxxxx> - 0.9.8.6-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Fri Apr 11 2014 Ivan Romanov <drizt@xxxxxxx> - 0.9.8.6-2
- use ppp of any version
- dropped Groups tag
--------------------------------------------------------------------------------

================================================================================
 cockpit-0.18-2.fc20 (FEDORA-2014-9102)
 A user interface for Linux servers
--------------------------------------------------------------------------------
Update Information:

Distribute our own selinux policy in cockpit RPM
Update to 0.18 release
Update to 0.16 release
Update to 0.15 release
Update to 0.14 release
Update to 0.13 release
Update to upstream 0.12 release
Update to upstream 0.11 release
Update to upstream 0.10 release
Update to upstream 0.8
Update to upstream 0.5 release
Update to upstream 0.4 release
Update to upstream 0.3 release, including new UI look, and Docker container support
Primary package.
Update to upstream 0.9 release
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1061056 - Review Request: cockpit - A user interface for Linux servers
        https://bugzilla.redhat.com/show_bug.cgi?id=1061056
--------------------------------------------------------------------------------

================================================================================
 docker-io-1.1.2-2.fc20 (FEDORA-2014-9105)
 Automates deployment of containerized applications
--------------------------------------------------------------------------------
Update Information:

change %else if -> %else %if
--------------------------------------------------------------------------------
ChangeLog:

* Fri Aug  1 2014 Lokesh Mandvekar <lsm5@xxxxxxxxxxxxxxxxx> - 1.1.2-2
- change %else if -> %else %if
* Thu Jul 31 2014 Lokesh Mandvekar <lsm5@xxxxxxxxxxxxxxxxx> - 1.1.2-1
- Resolves: rhbz#1124036 - update to upstream v1.1.2
* Mon Jul 28 2014 Vincent Batts <vbatts@xxxxxxxxxxxxxxxxx> - 1.0.0-10
- split out the github.com/docker/docker/pkg/... libraries, to avoid cyclic deps with libcontainer
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1124036 - docker-io-1.1.2 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1124036
--------------------------------------------------------------------------------

================================================================================
 emacs-24.3-19.fc20 (FEDORA-2014-9103)
 GNU Emacs text editor
--------------------------------------------------------------------------------
Update Information:

Provide /usr/bin/emacs-nox (#1123573)
Add patch to remove timestamp from .elc files (#1122157)
--------------------------------------------------------------------------------
ChangeLog:

* Fri Aug  1 2014 Petr Hracek <phracek@xxxxxxxxxx> - 1:24.3-19
- Provide /usr/bin/emacs-nox (#1123573)
* Tue Jul 29 2014 Petr Hracek <phracek@xxxxxxxxxx> - 1:24.3-18
- Add patch to remove timestamp from .elc files (#1122157)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1123573 - Please provide /usr/bin/emacs-nox
        https://bugzilla.redhat.com/show_bug.cgi?id=1123573
  [ 2 ] Bug #1122157 - [patch] don't add timestamps to .elc files
        https://bugzilla.redhat.com/show_bug.cgi?id=1122157
--------------------------------------------------------------------------------

================================================================================
 glusterfs-3.5.2-1.fc20 (FEDORA-2014-9096)
 Cluster File System
--------------------------------------------------------------------------------
Update Information:

GlusterFS 3.5.2 GA
--------------------------------------------------------------------------------
ChangeLog:

* Thu Jul 31 2014 Lalatendu Mohanty <lmohanty[at]redhat.com> - 3.5.2-1
- GlusterFS 3.5.2 GA
* Mon Jul 21 2014 Lalatendu Mohanty <lmohanty[at]redhat.com> - 3.5.2-0.1.beta1
- GlusterFS 3.5.2 beta1
* Wed Jul  9 2014 Kaleb S. KEITHLEY <kkeithle[at]redhat.com> - 3.5.1-2
- glusterd.init, BZ 1073217
* Fri Jun 27 2014 Kaleb S. KEITHLEY <kkeithle@xxxxxxxxxx>
- killall --wait in %post server (#1113959, #1113745)
* Wed Jun 25 2014 Vikhyat Umrao <vumrao@xxxxxxxxxx>
- add nfs-utils package dependency for server package (#1113007)
--------------------------------------------------------------------------------

================================================================================
 golang-github-gorilla-context-0-0.27.git14f550f.fc20 (FEDORA-2014-9097)
 A golang registry for global request variables
--------------------------------------------------------------------------------
Update Information:

remove conditionals for arch specification (handle el6 separately)
disable debuginfo
update to commit 14f550f51a for docker 1.1.0 (and 1.1.1)
--------------------------------------------------------------------------------
ChangeLog:

* Thu Jul 31 2014 Lokesh Mandvekar <lsm5@xxxxxxxxxxxxxxxxx> - 0-0.27.git
- remove conditionals for arch specification (handle el6 separately)
- defattr only for el6
* Thu Jul 24 2014 Lokesh Mandvekar <lsm5@xxxxxxxxxxxxxxxxx> - 0-0.26.git
- disable debuginfo
* Mon Jul 21 2014 Lokesh Mandvekar <lsm5@xxxxxxxxxxxxxxxxx> - 0-0.25.git
- update to commit 14f550f51a for docker 1.1.0 (and 1.1.1)
- use golang packaging macros wherever applicable
- do not own directories owned by 'golang' package
* Sat Jun  7 2014 Fedora Release Engineering <rel-eng@xxxxxxxxxxxxxxxxxxxxxxx> - 0-0.24.gitb06ed15
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
--------------------------------------------------------------------------------

================================================================================
 libreoffice-gallery-vrt-network-equipment-1.2.0-1.fc20 (FEDORA-2014-9117)
 A network equipment shape gallery for LibreOffice
--------------------------------------------------------------------------------
Update Information:

new upstream release
--------------------------------------------------------------------------------
ChangeLog:

* Fri Aug  1 2014 David Tardon <dtardon@xxxxxxxxxx> - 1.2.0-1
- new upstream release
--------------------------------------------------------------------------------

================================================================================
 libuv-0.10.28-1.fc20 (FEDORA-2014-9109)
 Platform layer for node.js
--------------------------------------------------------------------------------
Update Information:

### 2014.07.31, node.js Version 0.10.30 (Stable)

* Revert "stream: start old-mode read in a next tick" (Fedor Indutny)
* buffer: fix sign overflow in `readUIn32BE` (Fedor Indutny)
* buffer: improve {read,write}{U}Int* methods (Nick Apperson)
* child_process: handle writeUtf8String error (Fedor Indutny)
* lib: remove and restructure calls to isNaN() (cjihrig)
* module: eliminate double `getenv()` (Maciej Małecki)
* stream2: flush extant data on read of ended stream (Chris Dickinson)
* streams: remove unused require('assert') (Rod Vagg)
* timers: backport f8193ab (Julien Gilli)

### 2014.07.32, Version 0.10.28 (Stable)

* unix: return system error on EAI_SYSTEM (Saúl Ibarra Corretgé)
* unix: fix bogus structure field name (Saúl Ibarra Corretgé)

Please note that the v8 security fix shipped in the bundled copy of v8 in this upstream release is not included in this update. Instead, this fix is applied in the [v8-3.14.5.10-11 update](https://admin.fedoraproject.org/updates/v8-3.14.5.10-11.fc20).
--------------------------------------------------------------------------------
ChangeLog:

* Fri Aug  1 2014 T.C. Hollingsworth <tchollingsworth@xxxxxxxxx> - 1:0.10.28-1
- new upstream release 0.10.28
  https://github.com/joyent/libuv/blob/v0.10.28/ChangeLog
* Thu Jul  3 2014 T.C. Hollingsworth <tchollingsworth@xxxxxxxxx> - 1:0.10.27-3
- build static library for rust (RHBZ#1115975)
* Sat Jun  7 2014 Fedora Release Engineering <rel-eng@xxxxxxxxxxxxxxxxxxxxxxx> - 1:0.10.27-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1115975 - Add libuv-static package to prepare rust
        https://bugzilla.redhat.com/show_bug.cgi?id=1115975
--------------------------------------------------------------------------------

================================================================================
 nodejs-0.10.30-1.fc20 (FEDORA-2014-9109)
 JavaScript runtime
--------------------------------------------------------------------------------
Update Information:

### 2014.07.31, node.js Version 0.10.30 (Stable)

* Revert "stream: start old-mode read in a next tick" (Fedor Indutny)
* buffer: fix sign overflow in `readUIn32BE` (Fedor Indutny)
* buffer: improve {read,write}{U}Int* methods (Nick Apperson)
* child_process: handle writeUtf8String error (Fedor Indutny)
* lib: remove and restructure calls to isNaN() (cjihrig)
* module: eliminate double `getenv()` (Maciej Małecki)
* stream2: flush extant data on read of ended stream (Chris Dickinson)
* streams: remove unused require('assert') (Rod Vagg)
* timers: backport f8193ab (Julien Gilli)

### 2014.07.32, Version 0.10.28 (Stable)

* unix: return system error on EAI_SYSTEM (Saúl Ibarra Corretgé)
* unix: fix bogus structure field name (Saúl Ibarra Corretgé)

Please note that the v8 security fix shipped in the bundled copy of v8 in this upstream release is not included in this update. Instead, this fix is applied in the [v8-3.14.5.10-11 update](https://admin.fedoraproject.org/updates/v8-3.14.5.10-11.fc20).
--------------------------------------------------------------------------------
ChangeLog:

* Fri Aug  1 2014 T.C. Hollingsworth <tchollingsworth@xxxxxxxxx> - 0.10.30-1
- new upstream release 0.10.30
  http://blog.nodejs.org/2014/07/31/node-v0-10-30-stable/
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1115975 - Add libuv-static package to prepare rust
        https://bugzilla.redhat.com/show_bug.cgi?id=1115975
--------------------------------------------------------------------------------

================================================================================
 nuttcp-6.1.2-10.fc20 (FEDORA-2014-9094)
 Tool for testing TCP connections
--------------------------------------------------------------------------------
Update Information:

provide fix for crash when /proc/sys/net/ipv4/tcp_adv_win_scale didn't exist (#1088932)
--------------------------------------------------------------------------------
ChangeLog:

* Fri Aug  1 2014 Nikos Mavrogiannopoulos <nmav@xxxxxxxxxx> - 6.1.2-10
- provide fix for crash when /proc/sys/net/ipv4/tcp_adv_win_scale didn't exist (#887173)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1088932 - nuttcp crashes if /proc/sys/net/ipv4/tcp_adv_win_scale does not exist
        https://bugzilla.redhat.com/show_bug.cgi?id=1088932
--------------------------------------------------------------------------------

================================================================================
 pgpdump-0.29-1.fc20 (FEDORA-2014-9110)
 PGP packet visualizer
--------------------------------------------------------------------------------
Update Information:

* GnuPG extensions in private/experimental S2K specifiers (type 101), and parsing of gnu-dummy (1001) (indicating absent secret key material), and gnu-divert-to-card (2002) (indicating key material stored on a smartcard).
* Ignore whitespace in Radix-64 input, per RFC 4880 section 6.4
* Makefile change
--------------------------------------------------------------------------------
ChangeLog:

* Fri Aug  1 2014 Christopher Meng <rpm@xxxxxxxx> - 0.29-1
- Update to 0.29
--------------------------------------------------------------------------------

================================================================================
 php-Smarty-3.1.19-1.fc20 (FEDORA-2014-9118)
 Template/Presentation Framework for PHP
--------------------------------------------------------------------------------
Update Information:

New upstream release
--------------------------------------------------------------------------------
ChangeLog:

* Thu Jul 31 2014 Johan Cwiklinski <johan AT x-tnd DOT be> - 3.1.19-1
- Last upstream release
- Add composer provides
--------------------------------------------------------------------------------

================================================================================
 php-pecl-jsonc-1.3.6-1.fc20 (FEDORA-2014-9107)
 Support for JSON serialization
--------------------------------------------------------------------------------
Update Information:

Upstream changelog

Version 1.3.6:
- apply fix for #66021 (Blank line inside empty array/object)
- fix #20 json_decode segfault when depth=0

Version 1.3.4
- Fixed bug #65753 JsonSerializeable couldn't implement on module extension

RPM changes:
- move documentation in /usr/share/test/pecl/json
- move tests in /usr/share/tests/pecl/json (devel)
--------------------------------------------------------------------------------
ChangeLog:

* Fri Aug  1 2014 Remi Collet <remi@xxxxxxxxxxxxxxxxx> - 1.3.6-1
- release 1.3.6 (stable, bugfix)
- always use libjson-c 0.11 (bundled copy on fedora 21+)
- move documentation in pecl_docdir
- move tests in pecl_testdir (devel)
--------------------------------------------------------------------------------

================================================================================
 python-fiat-1.4.0-1.fc20 (FEDORA-2014-9100)
 Generation of arbitrary order instances of the Lagrange elements
--------------------------------------------------------------------------------
Update Information:

Spec file update
--------------------------------------------------------------------------------
ChangeLog:

* Thu Jul 31 2014 Fabian Affolter <mail@xxxxxxxxxxxxxxxxxx> - 1.4.0.-1
- Spec file update
- Update to new upstream 1.4.0
* Sat Jun  7 2014 Fedora Release Engineering <rel-eng@xxxxxxxxxxxxxxxxxxxxxxx> - 1.1.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1125049 - fiat needs cleanup
        https://bugzilla.redhat.com/show_bug.cgi?id=1125049
--------------------------------------------------------------------------------

================================================================================
 python3-dugong-3.2-1.fc20 (FEDORA-2014-9106)
 Python 3.x HTTP 1.1 client module
--------------------------------------------------------------------------------
Update Information:

Release 3.2 (2014-07-27)
========================

* A `HTTPConnection` instance can now be used as a context manager.
* If a connection is closed unexpectedly while request body data is being written to the server (i.e., during a call to `HTTPConnection.write` or `HTTPConnection.co_write`), dugong now pretends that the body has been sent to the server completely (while still raising `ConnectionClosed`). This makes it possible to catch the exception and nevertheless call `~HTTPConnection.read_response` (or `~HTTPConnection.co_read_response`) to try to read an error response that the server may have sent during the upload (if no response has been received, `ConnectionClosed` will be raised again).
* `is_temp_network_error` now actively tries to distinguish between permanent and temporary name resolution problems by attempting to resolve a number of test hostnames.
* `HTTPConnection` has a new `~HTTPConnection.timeout` attribute. Regular `HTTPConnection` methods (i.e., no coroutines) will now raise `ConnectionTimedOut` if no data could be sent or received for *timeout* seconds.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Aug  1 2014 Christopher Meng <rpm@xxxxxxxx> - 3.2-1
- Update to 3.2
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1124253 - python3-dugong-3.2 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1124253
--------------------------------------------------------------------------------

================================================================================
 seren-0.0.19-1.fc20 (FEDORA-2014-9115)
 Simple VoIP program to create conferences from the terminal
--------------------------------------------------------------------------------
Update Information:

Version bump
--------------------------------------------------------------------------------
ChangeLog:

* Fri Aug  1 2014 Francesco Frassinelli <fraph24@xxxxxxxxx> - 0.0.19-1
- Version bump
* Sun Jun  8 2014 Fedora Release Engineering <rel-eng@xxxxxxxxxxxxxxxxxxxxxxx> - 0.0.18-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
--------------------------------------------------------------------------------

================================================================================
 tboot-1.8.2-1.fc20 (FEDORA-2014-9114)
 Performs a verified launch using Intel TXT
--------------------------------------------------------------------------------
Update Information:

Security fix for CVE-2014-5118 tboot: argument measurement vulnerability for GRUB2+ELF kernels.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Jul 30 2014 Gang Wei <gang.wei@xxxxxxxxx> - 1:1.8.2-1
- Upgrade to latest upstream version which provided security fix for:
  tboot:argument measurement vulnerability for GRUB2+ELF kernels
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1124488 - CVE-2014-5118 tboot: argument measurement vulnerability for GRUB2+ELF kernels
        https://bugzilla.redhat.com/show_bug.cgi?id=1124488
--------------------------------------------------------------------------------

================================================================================
 v8-3.14.5.10-11.fc20 (FEDORA-2014-9095)
 JavaScript Engine
--------------------------------------------------------------------------------
Update Information:

TJ Fontaine of the Node.js project reports:

A memory corruption vulnerability, which results in a denial-of-service, was identified in the versions of V8 that ship with Node.js 0.8 and 0.10. In certain circumstances, a particularly deep recursive workload that may trigger a GC and receive an interrupt may overflow the stack and result in a segmentation fault. For instance, if your work load involves successive `JSON.parse` calls and the parsed objects are significantly deep, you may experience the process aborting while parsing.

This issue was identified by Tom Steele of [^Lift Security](https://liftsecurity.io/) and Fedor Indutny, Node.js Core Team member worked closely with the V8 team to find our resolution.

The V8 issue is described here https://codereview.chromium.org/339883002

It has landed in the Node repository here: https://github.com/joyent/node/commit/530af9cb8e700e7596b3ec812bad123c9fa06356

And has been released in the following versions:

* [v0.10.30](http://nodejs.org/dist/v0.10.30) http://blog.nodejs.org/2014/07/31/node-v0-10-30-stable/
* [v0.8.28](http://nodejs.org/dist/v0.8.28) http://blog.nodejs.org/2014/07/31/node-v0-8-28-maintenance/

### The Fix

[Applied in this update.]

### Remediation

The best course of action is to patch or upgrade Node.js.

### Mitigation

To mitigate against deep JSON parsing you can limit the size of the string you parse against, or ban clients who trigger a `RangeError` for parsing JSON.

There is no specific maximum size of a JSON string, though keeping the max to the size of your known message bodies is suggested. If your message bodies cannot be over 20K, there's no reason to accept 1MB bodies.

For web frameworks that do automatic JSON parsing, you may need to configure the routes that accept JSON payloads to have a maximum body size.

* [expressjs](http://expressjs.com) and [krakenjs](http://krakenjs.com) used with the [body-parser](https://github.com/expressjs/body-parser#bodyparserjsonoptions) plugin accepts a `limit` parameter in your JSON config
* [Hapi.js](http://hapijs.com) has `payload.maxBytes` https://github.com/spumko/hapi/blob/master/docs/Reference.md
* [restify](http://mcavage.me/node-restify/#Bundled-Plugins) bundled `bodyParser` accepts a `maxBodySize`

Source: https://groups.google.com/d/msg/nodejs/-siJEObdp10/2xcqqmTHiEMJ
--------------------------------------------------------------------------------
ChangeLog:

* Thu Jul 31 2014 T.C. Hollingsworth <tchollingsworth@xxxxxxxxx> - 1:3.14.5.10-11
- backport security fix for memory corruption and stack overflow (RHBZ#1125464)
  https://groups.google.com/d/msg/nodejs/-siJEObdp10/2xcqqmTHiEMJ
- backport bug fix for x64 MathMinMax for negative untagged int32 arguments.
  https://github.com/joyent/node/commit/3530fa9cd09f8db8101c4649cab03bcdf760c434
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1125464 - V8 Memory Corruption and Stack Overflow
        https://bugzilla.redhat.com/show_bug.cgi?id=1125464
--------------------------------------------------------------------------------

================================================================================
 wireshark-1.10.9-1.fc20 (FEDORA-2014-9112)
 Network traffic analyzer
--------------------------------------------------------------------------------
Update Information:

Ver. 1.10.9; Security fix for CVE-2014-5164, CVE-2014-5165, CVE-2014-5163, CVE-2014-5161, CVE-2014-5162
--------------------------------------------------------------------------------
ChangeLog:

* Fri Aug  1 2014 Peter Hatina <phatina@xxxxxxxxxx> - 1.10.9-1
- Ver. 1.10.9
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1125761 - CVE-2014-5165 wireshark: ASN.1 BER dissector crash (wnpa-sec-2014-11)
        https://bugzilla.redhat.com/show_bug.cgi?id=1125761
  [ 2 ] Bug #1125763 - CVE-2014-5164 wireshark: RLC dissector crash (wnpa-sec-2014-10)
        https://bugzilla.redhat.com/show_bug.cgi?id=1125763
  [ 3 ] Bug #1125766 - CVE-2014-5163 wireshark: GTP and GSM Management dissectors crash (wnpa-sec-2014-09)
        https://bugzilla.redhat.com/show_bug.cgi?id=1125766
  [ 4 ] Bug #1125767 - CVE-2014-5161 CVE-2014-5162 wireshark: Catapult DCT2000 and IrDA dissectors buffer underrun (wnpa-sec-2014-08)
        https://bugzilla.redhat.com/show_bug.cgi?id=1125767
--------------------------------------------------------------------------------