Fedora 19 updates-testing report

The following Fedora 19 Security updates need testing:
 Age  URL
 279  https://admin.fedoraproject.org/updates/FEDORA-2013-19963/openstack-glance-2013.1.4-1.fc19
  92  https://admin.fedoraproject.org/updates/FEDORA-2014-5896/nrpe-2.15-2.fc19
  72  https://admin.fedoraproject.org/updates/FEDORA-2014-6553/chicken-4.8.0.6-2.fc19
  70  https://admin.fedoraproject.org/updates/FEDORA-2014-6597/drupal7-views-3.8-1.fc19
  43  https://admin.fedoraproject.org/updates/FEDORA-2014-7496/readline-6.2-8.fc19
  41  https://admin.fedoraproject.org/updates/FEDORA-2014-7570/asterisk-11.10.2-2.fc19
  41  https://admin.fedoraproject.org/updates/FEDORA-2014-6774/claws-mail-3.10.1-1.fc19,claws-mail-plugins-3.10.0-1.fc19,libetpan-1.5-1.fc19
  41  https://admin.fedoraproject.org/updates/FEDORA-2014-7610/perl-Email-Address-1.905-1.fc19
  32  https://admin.fedoraproject.org/updates/FEDORA-2014-7939/lzo-2.08-1.fc19
  27  https://admin.fedoraproject.org/updates/FEDORA-2014-8089/rubygem-activerecord-3.2.13-2.fc19
  18  https://admin.fedoraproject.org/updates/FEDORA-2014-8328/python-bottle-0.12.6-1.fc19
  18  https://admin.fedoraproject.org/updates/FEDORA-2014-8332/transmission-2.84-1.fc19
  15  https://admin.fedoraproject.org/updates/FEDORA-2014-8443/mosquitto-1.3.2-1.fc19
  12  https://admin.fedoraproject.org/updates/FEDORA-2014-8564/dpkg-1.16.15-1.fc19
   9  https://admin.fedoraproject.org/updates/FEDORA-2014-8176/krb5-1.11.3-24.fc19
   8  https://admin.fedoraproject.org/updates/FEDORA-2014-8352/cups-1.6.4-7.fc19
   8  https://admin.fedoraproject.org/updates/FEDORA-2014-8771/ReviewBoard-1.7.27-1.fc19
   7  https://admin.fedoraproject.org/updates/FEDORA-2014-8809/thunderbird-24.7.0-1.fc19
   6  https://admin.fedoraproject.org/updates/FEDORA-2014-8904/ansible-1.6.10-1.fc19
   4  https://admin.fedoraproject.org/updates/FEDORA-2014-8919/bugzilla-4.2.10-1.fc19
   2  https://admin.fedoraproject.org/updates/FEDORA-2014-8972/libndp-1.4-1.fc19
   0  https://admin.fedoraproject.org/updates/FEDORA-2014-9057/httpd-2.4.10-1.fc19
   0  https://admin.fedoraproject.org/updates/FEDORA-2014-9087/drupal7-date-2.8-1.fc19
   0  https://admin.fedoraproject.org/updates/FEDORA-2014-9104/tboot-1.8.2-1.fc19
   0  https://admin.fedoraproject.org/updates/FEDORA-2014-9037/pixman-0.30.0-4.fc19
   0  https://admin.fedoraproject.org/updates/FEDORA-2014-9073/tor-0.2.4.23-1.fc19
   0  https://admin.fedoraproject.org/updates/FEDORA-2014-9113/v8-3.14.5.10-11.fc19


The following Fedora 19 Critical Path updates have yet to be approved:
 Age  URL
 228  https://admin.fedoraproject.org/updates/FEDORA-2013-22326/fedora-bookmarks-15-5.fc19
 154  https://admin.fedoraproject.org/updates/FEDORA-2014-3245/testdisk-6.14-2.fc19.1,ntfs-3g-2014.2.15-1.fc19
   9  https://admin.fedoraproject.org/updates/FEDORA-2014-8176/krb5-1.11.3-24.fc19
   8  https://admin.fedoraproject.org/updates/FEDORA-2014-8761/systemd-204-20.fc19
   8  https://admin.fedoraproject.org/updates/FEDORA-2014-8352/cups-1.6.4-7.fc19
   7  https://admin.fedoraproject.org/updates/FEDORA-2014-8809/thunderbird-24.7.0-1.fc19
   6  https://admin.fedoraproject.org/updates/FEDORA-2014-8910/qt5-qtbase-5.3.1-5.fc19,qt-4.8.6-10.fc19
   3  https://admin.fedoraproject.org/updates/FEDORA-2014-8924/ibus-1.5.7-6.fc19
   2  https://admin.fedoraproject.org/updates/FEDORA-2014-8970/koji-1.9.0-4.fc19
   0  https://admin.fedoraproject.org/updates/FEDORA-2014-9037/pixman-0.30.0-4.fc19


The following builds have been pushed to Fedora 19 updates-testing

    docker-io-1.1.2-2.fc19
    glusterfs-3.5.2-1.fc19
    golang-github-docker-libcontainer-1.1.0-6.fc19
    golang-github-gorilla-context-0-0.27.git14f550f.fc19
    libreoffice-gallery-vrt-network-equipment-1.2.0-1.fc19
    libuv-0.10.28-1.fc19
    nodejs-0.10.30-1.fc19
    php-Smarty-3.1.19-1.fc19
    php-pecl-jsonc-1.3.6-1.fc19
    seren-0.0.19-1.fc19
    tboot-1.8.2-1.fc19
    v8-3.14.5.10-11.fc19

Details about builds:


================================================================================
 docker-io-1.1.2-2.fc19 (FEDORA-2014-9119)
 Automates deployment of containerized applications
--------------------------------------------------------------------------------
Update Information:

change %else if -> %else %if
/etc/sysconfig/docker should be config(noreplace)
clean up gopath, install devel package
--------------------------------------------------------------------------------
ChangeLog:

* Fri Aug  1 2014 Lokesh Mandvekar <lsm5@xxxxxxxxxxxxxxxxx> - 1.1.2-2
- change %else if -> %else %if
* Thu Jul 31 2014 Lokesh Mandvekar <lsm5@xxxxxxxxxxxxxxxxx> - 1.1.2-1
- Resolves: rhbz#1124036 - update to upstream v1.1.2
* Mon Jul 28 2014 Vincent Batts <vbatts@xxxxxxxxxxxxxxxxx> - 1.0.0-10
- split out the github.com/docker/docker/pkg/... libraries, to avoid cyclic deps with libcontainer
* Thu Jul 24 2014 Lokesh Mandvekar <lsm5@xxxxxxxxxxxxxxxxx> - 1.0.0-9
- /etc/sysconfig/docker should be config(noreplace)
* Wed Jul 23 2014 Lokesh Mandvekar <lsm5@xxxxxxxxxxxxxxxxx> - 1.0.0-8
- Resolves: rhbz#1119849
- Resolves: rhbz#1119413 - min delta between upstream and packaged unitfiles
- devel package owns directories it creates
- ensure min NVRs used for systemd contain fixes RE: CVE-2014-3499
* Wed Jul 16 2014 Vincent Batts <vbatts@xxxxxxxxxxxxxxxxx> - 1.0.0-7
- clean up gopath
- add Provides for docker libraries
- produce a -devel with docker source libraries
- accommodate golang rpm macros
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1124036 - docker-io-1.1.2 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1124036
  [ 2 ] Bug #1119849 - su - postgres Results in System Error inside Fedora 20/rawhide containers
        https://bugzilla.redhat.com/show_bug.cgi?id=1119849
  [ 3 ] Bug #1119413 - docker-io systemd unit file specifies environment file. But, does not uses it.
        https://bugzilla.redhat.com/show_bug.cgi?id=1119413
--------------------------------------------------------------------------------


================================================================================
 glusterfs-3.5.2-1.fc19 (FEDORA-2014-9122)
 Cluster File System
--------------------------------------------------------------------------------
Update Information:

GlusterFS 3.5.2 GA
--------------------------------------------------------------------------------
ChangeLog:

* Thu Jul 31 2014 Lalatendu Mohanty <lmohanty[at]redhat.com> - 3.5.2-1
- GlusterFS 3.5.2 GA
* Mon Jul 21 2014 Lalatendu Mohanty <lmohanty[at]redhat.com> - 3.5.2-0.1.beta1
- GlusterFS 3.5.2 beta1
* Wed Jul  9 2014 Kaleb S. KEITHLEY <kkeithle[at]redhat.com> - 3.5.1-2
- glusterd.init, BZ 1073217
* Fri Jun 27 2014 Kaleb S. KEITHLEY <kkeithle@xxxxxxxxxx>
- killall --wait in %post server (#1113959, #1113745)
* Wed Jun 25 2014 Vikhyat Umrao <vumrao@xxxxxxxxxx>
- add nfs-utils package dependency for server package (#1113007)
--------------------------------------------------------------------------------


================================================================================
 golang-github-docker-libcontainer-1.1.0-6.fc19 (FEDORA-2014-9101)
 Configuration options for containers
--------------------------------------------------------------------------------
Update Information:

Resolves: rhbz#1111916 - package review request
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1111916 - Review Request: golang-github-docker-libcontainer - Configuration options for containers
        https://bugzilla.redhat.com/show_bug.cgi?id=1111916
--------------------------------------------------------------------------------


================================================================================
 golang-github-gorilla-context-0-0.27.git14f550f.fc19 (FEDORA-2014-9108)
 A golang registry for global request variables
--------------------------------------------------------------------------------
Update Information:

remove conditionals for arch specification (handle el6 separately)
disable debuginfo
update to commit 14f550f51a for docker 1.1.0 (and 1.1.1)
--------------------------------------------------------------------------------
ChangeLog:

* Thu Jul 31 2014 Lokesh Mandvekar <lsm5@xxxxxxxxxxxxxxxxx> - 0-0.27.git
- remove conditionals for arch specification (handle el6 separately)
- defattr only for el6
* Thu Jul 24 2014 Lokesh Mandvekar <lsm5@xxxxxxxxxxxxxxxxx> - 0-0.26.git
- disable debuginfo
* Mon Jul 21 2014 Lokesh Mandvekar <lsm5@xxxxxxxxxxxxxxxxx> - 0-0.25.git
- update to commit 14f550f51a for docker 1.1.0 (and 1.1.1)
- use golang packaging macros wherever applicable
- do not own directories owned by 'golang' package
* Sat Jun  7 2014 Fedora Release Engineering <rel-eng@xxxxxxxxxxxxxxxxxxxxxxx> - 0-0.24.gitb06ed15
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
--------------------------------------------------------------------------------


================================================================================
 libreoffice-gallery-vrt-network-equipment-1.2.0-1.fc19 (FEDORA-2014-9120)
 A network equipment shape gallery for LibreOffice
--------------------------------------------------------------------------------
Update Information:

new upstream release
--------------------------------------------------------------------------------
ChangeLog:

* Fri Aug  1 2014 David Tardon <dtardon@xxxxxxxxxx> - 1.2.0-1
- new upstream release
--------------------------------------------------------------------------------


================================================================================
 libuv-0.10.28-1.fc19 (FEDORA-2014-9099)
 Platform layer for node.js
--------------------------------------------------------------------------------
Update Information:

### 2014.07.31, node.js Version 0.10.30 (Stable)

* Revert "stream: start old-mode read in a next tick" (Fedor Indutny)

* buffer: fix sign overflow in `readUIn32BE` (Fedor Indutny)

* buffer: improve {read,write}{U}Int* methods (Nick Apperson)

* child_process: handle writeUtf8String error (Fedor Indutny)

* lib: remove and restructure calls to isNaN() (cjihrig)

* module: eliminate double `getenv()` (Maciej Małecki)

* stream2: flush extant data on read of ended stream (Chris Dickinson)

* streams: remove unused require('assert') (Rod Vagg)

* timers: backport f8193ab (Julien Gilli)

### 2014.07.32, Version 0.10.28 (Stable)

* unix: return system error on EAI_SYSTEM (Saúl Ibarra Corretgé)

* unix: fix bogus structure field name (Saúl Ibarra Corretgé)

Please note that the v8 security fix shipped in the bundled copy of v8 in this upstream release is not included in this update.  Instead, this fix is applied in the [v8-3.14.5.10-11 update](https://admin.fedoraproject.org/updates/v8-3.14.5.10-11.fc19).
--------------------------------------------------------------------------------
ChangeLog:

* Fri Aug  1 2014 T.C. Hollingsworth <tchollingsworth@xxxxxxxxx> - 1:0.10.28-1
- new upstream release 0.10.28
  https://github.com/joyent/libuv/blob/v0.10.28/ChangeLog
* Thu Jul  3 2014 T.C. Hollingsworth <tchollingsworth@xxxxxxxxx> - 1:0.10.27-3
- build static library for rust (RHBZ#1115975)
* Sat Jun  7 2014 Fedora Release Engineering <rel-eng@xxxxxxxxxxxxxxxxxxxxxxx> - 1:0.10.27-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1115975 - Add libuv-static package to prepare rust
        https://bugzilla.redhat.com/show_bug.cgi?id=1115975
--------------------------------------------------------------------------------


================================================================================
 nodejs-0.10.30-1.fc19 (FEDORA-2014-9099)
 JavaScript runtime
--------------------------------------------------------------------------------
Update Information:

### 2014.07.31, node.js Version 0.10.30 (Stable)

* Revert "stream: start old-mode read in a next tick" (Fedor Indutny)

* buffer: fix sign overflow in `readUIn32BE` (Fedor Indutny)

* buffer: improve {read,write}{U}Int* methods (Nick Apperson)

* child_process: handle writeUtf8String error (Fedor Indutny)

* lib: remove and restructure calls to isNaN() (cjihrig)

* module: eliminate double `getenv()` (Maciej Małecki)

* stream2: flush extant data on read of ended stream (Chris Dickinson)

* streams: remove unused require('assert') (Rod Vagg)

* timers: backport f8193ab (Julien Gilli)

### 2014.07.32, Version 0.10.28 (Stable)

* unix: return system error on EAI_SYSTEM (Saúl Ibarra Corretgé)

* unix: fix bogus structure field name (Saúl Ibarra Corretgé)

Please note that the v8 security fix shipped in the bundled copy of v8 in this upstream release is not included in this update.  Instead, this fix is applied in the [v8-3.14.5.10-11 update](https://admin.fedoraproject.org/updates/v8-3.14.5.10-11.fc19).
--------------------------------------------------------------------------------
ChangeLog:

* Fri Aug  1 2014 T.C. Hollingsworth <tchollingsworth@xxxxxxxxx> - 0.10.30-1
- new upstream release 0.10.30
  http://blog.nodejs.org/2014/07/31/node-v0-10-30-stable/
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1115975 - Add libuv-static package to prepare rust
        https://bugzilla.redhat.com/show_bug.cgi?id=1115975
--------------------------------------------------------------------------------


================================================================================
 php-Smarty-3.1.19-1.fc19 (FEDORA-2014-9111)
 Template/Presentation Framework for PHP
--------------------------------------------------------------------------------
Update Information:

New upstream release
--------------------------------------------------------------------------------
ChangeLog:

* Thu Jul 31 2014 Johan Cwiklinski <johan AT x-tnd DOT be> - 3.1.19-1
- Last upstream release
- Add composer provides
--------------------------------------------------------------------------------


================================================================================
 php-pecl-jsonc-1.3.6-1.fc19 (FEDORA-2014-9121)
 Support for JSON serialization
--------------------------------------------------------------------------------
Update Information:

Upstream changelog

Version 1.3.6:
- apply fix for #66021 (Blank line inside empty array/object)
- fix #20 json_decode segfault when depth=0

Version 1.3.4
- Fixed bug #65753 JsonSerializeable couldn't implement on module extension

RPM changes:
- move documentation in /usr/share/test/pecl/json
- move tests in /usr/share/tests/pecl/json (devel)

--------------------------------------------------------------------------------
ChangeLog:

* Fri Aug  1 2014 Remi Collet <remi@xxxxxxxxxxxxxxxxx> - 1.3.6-1
- release 1.3.6 (stable, bugfix)
- always use libjson-c 0.11 (bundled copy on fedora 21+)
- move documentation in pecl_docdir
- move tests in pecl_testdir (devel)
--------------------------------------------------------------------------------


================================================================================
 seren-0.0.19-1.fc19 (FEDORA-2014-9098)
 Simple VoIP program to create conferences from the terminal
--------------------------------------------------------------------------------
Update Information:

Version bump
--------------------------------------------------------------------------------
ChangeLog:

* Fri Aug  1 2014 Francesco Frassinelli <fraph24@xxxxxxxxx> - 0.0.19-1
- Version bump
* Sun Jun  8 2014 Fedora Release Engineering <rel-eng@xxxxxxxxxxxxxxxxxxxxxxx> - 0.0.18-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
--------------------------------------------------------------------------------


================================================================================
 tboot-1.8.2-1.fc19 (FEDORA-2014-9104)
 Performs a verified launch using Intel TXT
--------------------------------------------------------------------------------
Update Information:

Security fix for CVE-2014-5118 tboot: argument measurement vulnerability for GRUB2+ELF kernels.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Jul 30 2014 Gang Wei <gang.wei@xxxxxxxxx> - 1:1.8.2-1
- Upgrade to latest upstream version which provided security fix for:
  tboot: argument measurement vulnerability for GRUB2+ELF kernels
* Wed Jun 18 2014 Gang Wei <gang.wei@xxxxxxxxx> - 1:1.8.1-1
- Upgrade to latest upstream version
* Sun Jun  8 2014 Fedora Release Engineering <rel-eng@xxxxxxxxxxxxxxxxxxxxxxx> - 1:1.7.3-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Sun Aug  4 2013 Fedora Release Engineering <rel-eng@xxxxxxxxxxxxxxxxxxxxxxx> - 1:1.7.3-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1124488 - CVE-2014-5118 tboot: argument measurement vulnerability for GRUB2+ELF kernels
        https://bugzilla.redhat.com/show_bug.cgi?id=1124488
--------------------------------------------------------------------------------


================================================================================
 v8-3.14.5.10-11.fc19 (FEDORA-2014-9113)
 JavaScript Engine
--------------------------------------------------------------------------------
Update Information:

TJ Fontaine of the Node.js project reports:

A memory corruption vulnerability, which results in a
denial-of-service, was identified in the versions of V8 that ship with
Node.js 0.8 and 0.10. In certain circumstances, a particularly deep
recursive workload that may trigger a GC and receive an interrupt may
overflow the stack and result in a segmentation fault. For instance,
if your work load involves successive `JSON.parse` calls and the
parsed objects are significantly deep, you may experience the process
aborting while parsing.

This issue was identified by Tom Steele of [Lift
Security](https://liftsecurity.io/), and Fedor Indutny, Node.js Core
Team member, worked closely with the V8 team to find our resolution.

The V8 issue is described here https://codereview.chromium.org/339883002

It has landed in the Node repository here:
https://github.com/joyent/node/commit/530af9cb8e700e7596b3ec812bad123c9fa06356

And has been released in the following versions:

 * [v0.10.30](http://nodejs.org/dist/v0.10.30)
http://blog.nodejs.org/2014/07/31/node-v0-10-30-stable/
 * [v0.8.28](http://nodejs.org/dist/v0.8.28)
http://blog.nodejs.org/2014/07/31/node-v0-8-28-maintenance/

### The Fix

[Applied in this update.]

### Remediation

The best course of action is to patch or upgrade Node.js.

### Mitigation

To mitigate against deep JSON parsing you can limit the size of the
string you parse against, or ban clients who trigger a `RangeError`
for parsing JSON.

There is no specific maximum size of a JSON string, though keeping the
max to the size of your known message bodies is suggested. If your
message bodies cannot be over 20K, there's no reason to accept 1MB
bodies.

For web frameworks that do automatic JSON parsing, you may need to
configure the routes that accept JSON payloads to have a maximum body
size.

 * [expressjs](http://expressjs.com) and
[krakenjs](http://krakenjs.com) used with the
[body-parser](https://github.com/expressjs/body-parser#bodyparserjsonoptions)
plugin accepts a `limit` parameter in your JSON config
 * [Hapi.js](http://hapijs.com) has `payload.maxBytes`
https://github.com/spumko/hapi/blob/master/docs/Reference.md
 * [restify](http://mcavage.me/node-restify/#Bundled-Plugins) bundled
`bodyParser` accepts a `maxBodySize`

Source: https://groups.google.com/d/msg/nodejs/-siJEObdp10/2xcqqmTHiEMJ
--------------------------------------------------------------------------------
ChangeLog:

* Thu Jul 31 2014 T.C. Hollingsworth <tchollingsworth@xxxxxxxxx> - 1:3.14.5.10-11
- backport security fix for memory corruption and stack overflow (RHBZ#1125464)
  https://groups.google.com/d/msg/nodejs/-siJEObdp10/2xcqqmTHiEMJ
- backport bug fix for x64 MathMinMax for negative untagged int32 arguments.
  https://github.com/joyent/node/commit/3530fa9cd09f8db8101c4649cab03bcdf760c434
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1125464 - V8 Memory Corruption and Stack Overflow
        https://bugzilla.redhat.com/show_bug.cgi?id=1125464
--------------------------------------------------------------------------------
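Added example (not code from the Fedora report or from the Node.js advisory quoted in the v8 entry above): the two mitigations the advisory lists for the deep-JSON case, a cap on the accepted body size and tracking clients that trigger a `RangeError`, plus an assumed pre-parse nesting-depth check that goes beyond the advisory's text. The limit values, the `parse` injection hook and all function and class names are assumptions.

```javascript
// Assumed limits: the advisory suggests keeping the cap near the size of known
// message bodies ("if your message bodies cannot be over 20K ..."). The depth cap
// and the ban threshold are constructed policy values, not from the advisory.
const MAX_BODY_BYTES = 20 * 1024;
const MAX_NESTING_DEPTH = 64;
const RANGE_ERROR_BAN_AFTER = 3;

// Count bracket nesting outside string literals. Returns the maximum depth seen,
// or Infinity as soon as `cap` is exceeded, so a huge body is not scanned to the end.
function maxNestingDepth(text, cap) {
  let depth = 0, maxDepth = 0, inString = false;
  for (let i = 0; i < text.length; i++) {
    const c = text[i];
    if (inString) {
      if (c === '\\') i++;                 // skip the escaped character
      else if (c === '"') inString = false;
    } else if (c === '"') {
      inString = true;
    } else if (c === '{' || c === '[') {
      if (++depth > cap) return Infinity;
      if (depth > maxDepth) maxDepth = depth;
    } else if (c === '}' || c === ']') {
      depth--;
    }
  }
  return maxDepth;
}

// Gate a request body before it reaches JSON.parse. `opts.parse` is an injection
// hook (assumed, for testing) so the RangeError branch can be exercised without
// a workload that actually exhausts the stack.
function parseBoundedJson(body, opts = {}) {
  const maxBytes = opts.maxBytes ?? MAX_BODY_BYTES;
  const maxDepth = opts.maxDepth ?? MAX_NESTING_DEPTH;
  const parse = opts.parse ?? JSON.parse;
  const bytes = Buffer.byteLength(body, 'utf8');
  if (bytes > maxBytes) return { ok: false, reason: 'too_large', bytes };
  if (maxNestingDepth(body, maxDepth) > maxDepth) return { ok: false, reason: 'too_deep' };
  try {
    return { ok: true, value: parse(body) };
  } catch (err) {
    // A RangeError from the parser is the symptom the advisory describes.
    if (err instanceof RangeError) return { ok: false, reason: 'range_error' };
    if (err instanceof SyntaxError) return { ok: false, reason: 'invalid_json' };
    throw err;
  }
}

// Per-client bookkeeping for the advisory's "ban clients who trigger a RangeError" option.
class RangeErrorTracker {
  constructor(banAfter = RANGE_ERROR_BAN_AFTER) {
    this.banAfter = banAfter;
    this.hits = new Map();               // clientId -> number of RangeErrors seen
  }
  isBanned(clientId) {
    return (this.hits.get(clientId) || 0) >= this.banAfter;
  }
  handle(clientId, body, opts) {
    if (this.isBanned(clientId)) return { ok: false, reason: 'banned' };
    const result = parseBoundedJson(body, opts);
    if (!result.ok && result.reason === 'range_error') {
      this.hits.set(clientId, (this.hits.get(clientId) || 0) + 1);
    }
    return result;
  }
}
```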

-- 
test mailing list
test@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe:
https://admin.fedoraproject.org/mailman/listinfo/test