The following Fedora 19 Security updates need testing:
 Age  URL
 395  https://admin.fedoraproject.org/updates/FEDORA-2013-19963/openstack-glance-2013.1.4-1.fc19
 207  https://admin.fedoraproject.org/updates/FEDORA-2014-5896/nrpe-2.15-2.fc19
 158  https://admin.fedoraproject.org/updates/FEDORA-2014-7496/readline-6.2-8.fc19
  75  https://admin.fedoraproject.org/updates/FEDORA-2014-10640/libreoffice-4.1.6.2-8.fc19
  53  https://admin.fedoraproject.org/updates/FEDORA-2014-12057/krb5-1.11.3-29.fc19
  39  https://admin.fedoraproject.org/updates/FEDORA-2014-13018/deluge-1.3.10-1.fc19
  29  https://admin.fedoraproject.org/updates/FEDORA-2014-13551/wpa_supplicant-2.0-12.fc19
  20  https://admin.fedoraproject.org/updates/FEDORA-2014-14237/claws-mail-plugins-3.11.1-1.fc19,claws-mail-3.11.1-2.fc19,libetpan-1.6-1.fc19
  13  https://admin.fedoraproject.org/updates/FEDORA-2014-14738/gnutls-3.1.20-6.fc19
  11  https://admin.fedoraproject.org/updates/FEDORA-2014-12407/sddm-0.10.0-2.fc19
  10  https://admin.fedoraproject.org/updates/FEDORA-2014-15079/mantis-1.2.17-4.fc19
  10  https://admin.fedoraproject.org/updates/FEDORA-2014-14874/arm-none-eabi-binutils-cs-2014.05.28-3.fc19
  10  https://admin.fedoraproject.org/updates/FEDORA-2014-14838/avr-binutils-2.24-3.fc19
  10  https://admin.fedoraproject.org/updates/FEDORA-2014-15124/kwebkitpart-1.3.4-5.fc19
   7  https://admin.fedoraproject.org/updates/FEDORA-2014-15248/kde-runtime-4.11.5-3.fc19
   7  https://admin.fedoraproject.org/updates/FEDORA-2014-15307/python-django14-1.4.16-1.fc19
   5  https://admin.fedoraproject.org/updates/FEDORA-2014-15373/lsyncd-2.1.4-4.fc19.1
   5  https://admin.fedoraproject.org/updates/FEDORA-2014-15378/rubygem-actionpack-3.2.13-7.fc19
   5  https://admin.fedoraproject.org/updates/FEDORA-2014-15390/nodejs-0.10.33-1.fc19,libuv-0.10.29-1.fc19
   5  https://admin.fedoraproject.org/updates/FEDORA-2014-15405/wget-1.16-3.fc19
   4  https://admin.fedoraproject.org/updates/FEDORA-2014-15466/rubygem-sprockets-2.8.2-4.fc19
   4  https://admin.fedoraproject.org/updates/FEDORA-2014-15477/python-eyed3-0.7.4-4.fc19
   3  https://admin.fedoraproject.org/updates/FEDORA-2014-15526/wordpress-4.0.1-1.fc19
   3  https://admin.fedoraproject.org/updates/FEDORA-2014-15503/xen-4.2.5-5.fc19
   3  https://admin.fedoraproject.org/updates/FEDORA-2014-15549/tcpdump-4.4.0-4.fc19
   3  https://admin.fedoraproject.org/updates/FEDORA-2014-15515/drupal6-6.34-1.fc19
   3  https://admin.fedoraproject.org/updates/FEDORA-2014-15522/drupal7-7.34-1.fc19
   3  https://admin.fedoraproject.org/updates/FEDORA-2014-15535/phpMyAdmin-4.2.12-1.fc19
   0  https://admin.fedoraproject.org/updates/FEDORA-2014-15717/kernel-3.14.25-100.fc19
   0  https://admin.fedoraproject.org/updates/FEDORA-2014-15740/facter-1.6.18-8.fc19
   0  https://admin.fedoraproject.org/updates/FEDORA-2014-15730/asterisk-11.14.1-1.fc19
   0  https://admin.fedoraproject.org/updates/FEDORA-2014-15733/teeworlds-0.6.3-1.fc19
   0  https://admin.fedoraproject.org/updates/FEDORA-2014-15743/curl-7.29.0-26.fc19


The following Fedora 19 Critical Path updates have yet to be approved:
 Age  URL
 343  https://admin.fedoraproject.org/updates/FEDORA-2013-22326/fedora-bookmarks-15-5.fc19
 269  https://admin.fedoraproject.org/updates/FEDORA-2014-3245/testdisk-6.14-2.fc19.1,ntfs-3g-2014.2.15-1.fc19
  13  https://admin.fedoraproject.org/updates/FEDORA-2014-14738/gnutls-3.1.20-6.fc19
  11  https://admin.fedoraproject.org/updates/FEDORA-2014-15032/man-db-2.6.3-9.fc19
  11  https://admin.fedoraproject.org/updates/FEDORA-2014-15027/evolution-data-server-3.8.5-7.fc19
  11  https://admin.fedoraproject.org/updates/FEDORA-2014-14807/device-mapper-persistent-data-0.4.1-2.fc19
  11  https://admin.fedoraproject.org/updates/FEDORA-2014-14846/pciutils-3.3.0-1.fc19
   5  https://admin.fedoraproject.org/updates/FEDORA-2014-15392/kde-workspace-4.11.14-2.fc19
   5  https://admin.fedoraproject.org/updates/FEDORA-2014-15377/gvfs-1.16.4-3.fc19
   3  https://admin.fedoraproject.org/updates/FEDORA-2014-15506/ca-certificates-2014.2.1-1.5.fc19
   0  https://admin.fedoraproject.org/updates/FEDORA-2014-15743/curl-7.29.0-26.fc19
   0  https://admin.fedoraproject.org/updates/FEDORA-2014-15717/kernel-3.14.25-100.fc19
   0  https://admin.fedoraproject.org/updates/FEDORA-2014-15732/cups-1.6.4-12.fc19


The following builds have been pushed to Fedora 19 updates-testing

    asterisk-11.14.1-1.fc19
    backupninja-1.0.1-5.fc19
    cups-1.6.4-12.fc19
    curl-7.29.0-26.fc19
    easytag-2.2.5-1.fc19
    facter-1.6.18-8.fc19
    fedora-packager-0.5.10.5-1.fc19
    ibus-table-others-1.3.6-1.fc19
    kde-connect-0.7.3-1.fc19
    kernel-3.14.25-100.fc19
    lua-ldoc-1.4.3-1.fc19
    owncloud-5.0.18-1.fc19
    perl-String-Errf-0.007-1.fc19
    python-husl-4.0.1-1.fc19
    python-rhsm-1.13.8-1.fc19
    skf-1.99.10-1.fc19
    subscription-manager-1.13.9-1.fc19
    teeworlds-0.6.3-1.fc19
    ykpers-1.16.1-1.fc19

Details about builds:


================================================================================
 asterisk-11.14.1-1.fc19 (FEDORA-2014-15730)
 The Open Source PBX
--------------------------------------------------------------------------------
Update Information:

* Fri Nov 21 2014 Jeffrey C. Ollie <jeff@xxxxxxxxxx> - 11.14.1-1
- The Asterisk Development Team has announced security releases for Certified
- Asterisk 1.8.28 and 11.6 and Asterisk 1.8, 11, 12, and 13. The available
- security releases are released as versions 1.8.28-cert3, 11.6-cert8, 1.8.32.1,
- 11.14.1, 12.7.1, and 13.0.1.
-
- These releases are available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/releases
-
- The release of these versions resolves the following security vulnerabilities:
-
- * AST-2014-012: Unauthorized access in the presence of ACLs with mixed IP
- address families
-
- Many modules in Asterisk that service incoming IP traffic have ACL options
- ("permit" and "deny") that can be used to whitelist or blacklist address
- ranges. A bug has been discovered where the address family of incoming
- packets is only compared to the IP address family of the first entry in the
- list of access control rules. If the source IP address for an incoming
- packet is not of the same address family as the first ACL entry, that packet
- bypasses all ACL rules.
-
- * AST-2014-018: Permission Escalation through DB dialplan function
-
- The DB dialplan function when executed from an external protocol, such as AMI,
- could result in a privilege escalation. Users with a lower class authorization
- in AMI can access the internal Asterisk database without the required SYSTEM
- class authorization.
-
- In addition, the release of 11.6-cert8 and 11.14.1 resolves the following
- security vulnerability:
-
- * AST-2014-014: High call load with ConfBridge can result in resource exhaustion
-
- The ConfBridge application uses an internal bridging API to implement
- conference bridges. This internal API uses a state model for channels within
- the conference bridge and transitions between states as different things
- occur. Under load it is possible for some state transitions to be delayed
- causing the channel to transition from being hung up to waiting for media. As
- the channel has been hung up remotely no further media will arrive and the
- channel will stay within ConfBridge indefinitely.
-
- In addition, the release of 11.6-cert8, 11.14.1, 12.7.1, and 13.0.1 resolves
- the following security vulnerability:
-
- * AST-2014-017: Permission Escalation via ConfBridge dialplan function and
- AMI ConfbridgeStartRecord Action
-
- The CONFBRIDGE dialplan function when executed from an external protocol (such
- as AMI) can result in a privilege escalation as certain options within that
- function can affect the underlying system. Additionally, the AMI
- ConfbridgeStartRecord action has options that would allow modification of the
- underlying system, and does not require SYSTEM class authorization in AMI.
-
- Finally, the release of 12.7.1 and 13.0.1 resolves the following security
- vulnerabilities:
-
- * AST-2014-013: Unauthorized access in the presence of ACLs in the PJSIP stack
-
- The Asterisk module res_pjsip provides the ability to configure ACLs that may
- be used to reject SIP requests from various hosts. However, the module
- currently fails to create and apply the ACLs defined in its configuration
- file on initial module load.
-
- * AST-2014-015: Remote crash vulnerability in PJSIP channel driver
-
- The chan_pjsip channel driver uses a queue approach for relating to SIP
- sessions. There exists a race condition where actions may be queued to answer
- a session or send ringing after a SIP session has been terminated using a
- CANCEL request. The code will incorrectly assume that the SIP session is still
- active and attempt to send the SIP response. The PJSIP library does not
- expect the SIP session to be in the disconnected state when sending the
- response and asserts.
-
- * AST-2014-016: Remote crash vulnerability in PJSIP channel driver
-
- When handling an INVITE with Replaces message the res_pjsip_refer module
- incorrectly assumes that it will be operating on a channel that has just been
- created. If the INVITE with Replaces message is sent in-dialog after a session
- has been established this assumption will be incorrect. The res_pjsip_refer
- module will then hang up a channel that is actually owned by another thread.
- When this other thread attempts to use the just hung up channel it will end up
- using a freed channel which will likely result in a crash.
-
- For more information about the details of these vulnerabilities, please read
- security advisories AST-2014-012, AST-2014-013, AST-2014-014, AST-2014-015,
- AST-2014-016, AST-2014-017, and AST-2014-018, which were released at the same
- time as this announcement.
-
- For a full list of changes in the current releases, please see the ChangeLogs:
-
- http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.28-cert3
- http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert8
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.32.1
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.14.1
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.7.1
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.0.1
-
- The security advisories are available at:
-
- * http://downloads.asterisk.org/pub/security/AST-2014-012.pdf
- * http://downloads.asterisk.org/pub/security/AST-2014-013.pdf
- * http://downloads.asterisk.org/pub/security/AST-2014-014.pdf
- * http://downloads.asterisk.org/pub/security/AST-2014-015.pdf
- * http://downloads.asterisk.org/pub/security/AST-2014-016.pdf
- * http://downloads.asterisk.org/pub/security/AST-2014-017.pdf
- * http://downloads.asterisk.org/pub/security/AST-2014-018.pdf

* Fri Nov 21 2014 Jeffrey C. Ollie <jeff@xxxxxxxxxx> - 11.14.0-1
- The Asterisk Development Team has announced the release of Asterisk 11.14.0.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 11.14.0 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following are the issues resolved in this release:
-
- Bugs fixed in this release:
- -----------------------------------
- * ASTERISK-24348 - Built-in editline tab complete segfault with
- MALLOC_DEBUG (Reported by Walter Doekes)
- * ASTERISK-24335 - [PATCH] Asterisk incorrectly responds 503 to
- INVITE retransmissions of rejected calls (Reported by Torrey
- Searle)
- * ASTERISK-23768 - [patch] Asterisk man page contains a (new)
- unquoted minus sign (Reported by Jeremy Lainé)
- * ASTERISK-24357 - [fax] Out of bounds error in update_modem_bits
- (Reported by Jeremy Lainé)
- * ASTERISK-20567 - bashism in autosupport (Reported by Tzafrir
- Cohen)
- * ASTERISK-22945 - [patch] Memory leaks in chan_sip.c with
- realtime peers (Reported by ibercom)
- * ASTERISK-24384 - chan_motif: format capabilities leak on module
- load error (Reported by Corey Farrell)
- * ASTERISK-24385 - chan_sip: process_sdp leaks on an error path
- (Reported by Corey Farrell)
- * ASTERISK-24378 - Release AMI connections on shutdown (Reported
- by Corey Farrell)
- * ASTERISK-24354 - AMI sendMessage closes AMI connection on error
- (Reported by Peter Katzmann)
- * ASTERISK-24390 - astobj2: REF_DEBUG reports false leaks with
- ao2_callback with OBJ_MULTIPLE (Reported by Corey Farrell)
- * ASTERISK-24326 - res_rtp_asterisk: ICE-TCP candidates are
- incorrectly attempted (Reported by Joshua Colp)
- * ASTERISK-24011 - [patch]safe_asterisk tries to set ulimit -n too
- high on linux systems with lots of RAM (Reported by Michael
- Myles)
- * ASTERISK-24383 - res_rtp_asterisk: Crash if no candidates
- received for component (Reported by Kevin Harwell)
- * ASTERISK-20784 - Failure to receive an ACK to a SIP Re-INVITE
- results in a SIP channel leak (Reported by NITESH BANSAL)
- * ASTERISK-15879 - [patch] Failure to receive an ACK to a SIP
- Re-INVITE results in a SIP channel leak (Reported by Torrey
- Searle)
- * ASTERISK-24406 - Some caller ID strings are parsed differently
- since 11.13.0 (Reported by Etienne Lessard)
- * ASTERISK-24325 - res_calendar_ews: cannot be used with neon 0.30
- (Reported by Tzafrir Cohen)
- * ASTERISK-13797 - [patch] relax badshell tilde test (Reported by
- Tzafrir Cohen)
- * ASTERISK-22791 - asterisk sends Re-INVITE after receiving a BYE
- (Reported by Paolo Compagnini)
- * ASTERISK-18923 - res_fax_spandsp usage counter is wrong
- (Reported by Grigoriy Puzankin)
- * ASTERISK-24392 - res_fax: fax gateway sessions leak (Reported by
- Corey Farrell)
- * ASTERISK-24393 - rtptimeout=0 doesn't disable rtptimeout
- (Reported by Dmitry Melekhov)
- * ASTERISK-23846 - Unistim multilines. Loss of voice after second
- call drops (on a second line). (Reported by Rustam Khankishyiev)
- * ASTERISK-24063 - [patch]Asterisk does not respect outbound proxy
- when sending qualify requests (Reported by Damian Ivereigh)
- * ASTERISK-24425 - [patch] jabber/xmpp to use TLS instead of
- SSLv3, security fix POODLE (CVE-2014-3566) (Reported by
- abelbeck)
- * ASTERISK-24436 - Missing header in res/res_srtp.c when compiling
- against libsrtp-1.5.0 (Reported by Patrick Laimbock)
- * ASTERISK-24454 - app_queue: ao2_iterator not destroyed, causing
- leak (Reported by Corey Farrell)
- * ASTERISK-24430 - missing letter "p" in word response in
- OriginateResponse event documentation (Reported by Dafi Ni)
- * ASTERISK-24457 - res_fax: fax gateway frames leak (Reported by
- Corey Farrell)
- * ASTERISK-21721 - SIP Failed to parse multiple Supported: headers
- (Reported by Olle Johansson)
- * ASTERISK-24304 - asterisk crashing randomly because of unistim
- channel (Reported by dhanapathy sathya)
- * ASTERISK-24190 - IMAP voicemail causes segfault (Reported by
- Nick Adams)
- * ASTERISK-24466 - app_queue: fix a couple leaks to struct
- call_queue (Reported by Corey Farrell)
- * ASTERISK-24432 - Install refcounter.py when REF_DEBUG is enabled
- (Reported by Corey Farrell)
- * ASTERISK-24476 - main/app.c / app_voicemail: ast_writestream
- leaks (Reported by Corey Farrell)
- * ASTERISK-24307 - Unintentional memory retention in stringfields
- (Reported by Etienne Lessard)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.14.0
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1166692 - asterisk: AMI permission escalation through DB dialplan function [AST-2014-018] [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1166692
  [ 2 ] Bug #1166690 - asterisk: Permission escalation through ConfBridge actions/dialplan functions [AST-2014-017] [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1166690
  [ 3 ] Bug #1166684 - asterisk: High call load may result in hung channels in ConfBridge [AST-2014-014] [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1166684
  [ 4 ] Bug #1166676 - asterisk: Mixed IP address families in access control lists may permit unwanted traffic [AST-2014-012] [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1166676
--------------------------------------------------------------------------------


================================================================================
 backupninja-1.0.1-5.fc19 (FEDORA-2014-15692)
 Lightweight, extensible backup system
--------------------------------------------------------------------------------
Update Information:

backupninja: added patch for RH-system specific
--------------------------------------------------------------------------------
ChangeLog:

* Fri Nov 21 2014 Denis Fateyev <denis@xxxxxxxxxxx> - 1.0.1-5
- Added patch for RH-system specific
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1155010 - References to apt-get and dpkg still present in build
        https://bugzilla.redhat.com/show_bug.cgi?id=1155010
--------------------------------------------------------------------------------


================================================================================
 cups-1.6.4-12.fc19 (FEDORA-2014-15732)
 CUPS printing system
--------------------------------------------------------------------------------
Update Information:

This update fixes a problem with unreadable PPD files when using cupsGetPPD3().
--------------------------------------------------------------------------------
ChangeLog:

* Sun Nov 23 2014 Tim Waugh <twaugh@xxxxxxxxxx> - 1:1.6.4-12
- Fix cupsGetPPD3() so it doesn't give the caller an unreadable file
  (bug #1150917, STR #4500).
* Mon Sep  1 2014 Tim Waugh <twaugh@xxxxxxxxxx> - 1:1.6.4-11
- More STR #4461 fixes from upstream.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1150917 - [control-center] incomplete printer options for HP LaserJet 4000
        https://bugzilla.redhat.com/show_bug.cgi?id=1150917
--------------------------------------------------------------------------------


================================================================================
 curl-7.29.0-26.fc19 (FEDORA-2014-15743)
 A utility for getting files from remote servers (FTP, HTTP, and others)
--------------------------------------------------------------------------------
Update Information:

- allow to use TLS 1.1 and TLS 1.2 (#1153814)
- disable libcurl-level downgrade to SSLv3 (#1166567)
- low-speed-limit: avoid timeout flood (#1166239)
- fix handling of CURLOPT_COPYPOSTFIELDS in curl_easy_duphandle (CVE-2014-3707)
--------------------------------------------------------------------------------
ChangeLog:

* Mon Nov 24 2014 Kamil Dudka <kdudka@xxxxxxxxxx> 7.29.0-26
- allow to use TLS 1.1 and TLS 1.2 (#1153814)
- disable libcurl-level downgrade to SSLv3 (#1166567)
- low-speed-limit: avoid timeout flood (#1166239)
* Wed Nov  5 2014 Kamil Dudka <kdudka@xxxxxxxxxx> 7.29.0-25
- fix handling of CURLOPT_COPYPOSTFIELDS in curl_easy_duphandle (CVE-2014-3707)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1154941 - CVE-2014-3707 curl: incorrect handle duplication after COPYPOSTFIELDS
        https://bugzilla.redhat.com/show_bug.cgi?id=1154941
--------------------------------------------------------------------------------


================================================================================
 easytag-2.2.5-1.fc19 (FEDORA-2014-15714)
 Tag editor for MP3, Ogg, FLAC and other music files
--------------------------------------------------------------------------------
Update Information:

Update to 2.2.5

* Fix many memory leaks in the CDDB search dialog
* Clear empty cover art and album artist fields in MP4 tags
* Fix a memory leak and invalid read in the MP4 tagging code
* Improve ID3v2 handling with Ogg files
* Improve file list selection handling
* Fix several memory leaks in the file browser
* Åka Sikrom’s Norwegian bokmål translation
--------------------------------------------------------------------------------
ChangeLog:

* Mon Nov 24 2014 David King <amigadave@xxxxxxxxxxxxx> 2.2.5-1
- Update to 2.2.5
--------------------------------------------------------------------------------


================================================================================
 facter-1.6.18-8.fc19 (FEDORA-2014-15740)
 Command and ruby library for gathering system information
--------------------------------------------------------------------------------
Update Information:

1107891 - Enabled accidentally removed patch for CVE-2014-3248
--------------------------------------------------------------------------------
ChangeLog:

* Mon Nov 24 2014 Lukas Zapletal <lzap+rpm@xxxxxxxxxx> 1.6.18-8
- 1107891 - Enabled accidentally removed patch for CVE-2014-3248
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1107891 - CVE-2014-3248 facter: puppet: Ruby modules could be loaded from the current working directory [fedora-19]
        https://bugzilla.redhat.com/show_bug.cgi?id=1107891
--------------------------------------------------------------------------------

================================================================================
fedora-packager-0.5.10.5-1.fc19 (FEDORA-2014-15742)
Tools for setting up a fedora maintainer environment
--------------------------------------------------------------------------------
Update Information:

remove fedora-cvs script as the cvs server no longer exists (dennis)
Make fas url configurable for fedora-server-ca.cert. (rbean)
Remove unused imports. (rbean)
Remove another unused import. (rbean)
Conditionalize CRL checking for el6. (rbean)
Remove unused imports. (rbean)
Add CRL checking to fedora-cert. (rbean)
fedoradev-pkgowners: Update pkgdb URL (opensource)
--------------------------------------------------------------------------------
ChangeLog:

* Mon Nov 24 2014 Dennis Gilmore <dennis@xxxxxxxx> - 0.5.10.5-1
- remove fedora-cvs script as the cvs server no longer exists (dennis)
- Make fas url configurable for fedora-server-ca.cert. (rbean)
- Remove unused imports. (rbean)
- Remove another unused import. (rbean)
- Conditionalize CRL checking for el6. (rbean)
- Remove unused imports. (rbean)
- Add CRL checking to fedora-cert. (rbean)
- fedoradev-pkgowners: Update pkgdb URL (opensource)
* Sat Jun 7 2014 Fedora Release Engineering <rel-eng@xxxxxxxxxxxxxxxxxxxxxxx> - 0.5.10.4-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Sun Mar 23 2014 Nick Bebout <nb@xxxxxxxxxxxxxxxxx> - 0.5.10.4-1
- fix fedora-burn-yubikey script to add -oserial-api-visible
--------------------------------------------------------------------------------

================================================================================
ibus-table-others-1.3.6-1.fc19 (FEDORA-2014-15697)
Various tables for IBus-Table
--------------------------------------------------------------------------------
Update Information:

update to latest upstream 1.3.6; Fix typo in compose.txt: https://github.com/moebiuscurve/ibus-table-others/issues/12
--------------------------------------------------------------------------------
ChangeLog:

* Sat Nov 22 2014 Mike FABIAN <mfabian@xxxxxxxxxx> - 1.3.6-1
- update to latest upstream 1.3.6
- Fix typo in compose.txt
--------------------------------------------------------------------------------

================================================================================
kde-connect-0.7.3-1.fc19 (FEDORA-2014-15738)
KDE Connect client for communication with smartphones
--------------------------------------------------------------------------------
Update Information:

New stable release
--------------------------------------------------------------------------------
ChangeLog:

* Thu Oct 16 2014 Rex Dieter <rdieter@xxxxxxxxxxxxxxxxx> - 0.7.3-1
- kde-connect-0.7.3
- BR: libfakekey-devel (and switch other BR's to pkgconfig style)
* Sat Aug 16 2014 Fedora Release Engineering <rel-eng@xxxxxxxxxxxxxxxxxxxxxxx> - 0.7.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
--------------------------------------------------------------------------------

================================================================================
kernel-3.14.25-100.fc19 (FEDORA-2014-15717)
The Linux kernel
--------------------------------------------------------------------------------
Update Information:

The 3.14.25 stable update contains a number of important fixes across the tree.
The 3.14.24 stable update contains a number of important fixes across the tree.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Nov 21 2014 Justin M. Forbes <jforbes@xxxxxxxxxxxxxxxxx> - 3.14.25-100
- Linux v3.14.25
* Fri Nov 14 2014 Justin M. Forbes <jforbes@xxxxxxxxxxxxxxxxx> - 3.14.24-100
- Linux v3.14.24
* Thu Nov 13 2014 Josh Boyer <jwboyer@xxxxxxxxxxxxxxxxx>
- CVE-2014-7842 kvm: reporting emulation failures to userspace (rhbz 1163762 1163767)
* Wed Nov 12 2014 Josh Boyer <jwboyer@xxxxxxxxxxxxxxxxx>
- CVE-2014-7841 sctp: NULL ptr deref on malformed packet (rhbz 1163087 1163095)
* Fri Nov 7 2014 Josh Boyer <jwboyer@xxxxxxxxxxxxxxxxx>
- CVE-2014-7826 CVE-2014-7825 insufficient syscall number validation in perf and ftrace subsystems (rhbz 1161565 1161572)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1163762 - CVE-2014-7842 kernel: kvm: reporting emulation failures to userspace
        https://bugzilla.redhat.com/show_bug.cgi?id=1163762
  [ 2 ] Bug #1163087 - CVE-2014-7841 kernel: net: sctp: NULL pointer dereference in af->from_addr_param on malformed packet
        https://bugzilla.redhat.com/show_bug.cgi?id=1163087
  [ 3 ] Bug #1161565 - CVE-2014-7825 CVE-2014-7826 kernel: insufficient syscall number validation in perf and ftrace subsystems
        https://bugzilla.redhat.com/show_bug.cgi?id=1161565
--------------------------------------------------------------------------------

================================================================================
lua-ldoc-1.4.3-1.fc19 (FEDORA-2014-15724)
Lua documentation generator
--------------------------------------------------------------------------------
Update Information:

Update to version 1.4.3

Features

* @include tag for including Markdown documentation file directly into module docstring
* `prettify_files` makes per-item links to prettified source.
* link targets rendered in bright yellow to make referenced functions more obvious
* add update time to footer of page
* better C support: `global_lookup=true` - invoked when `parse_extra={C=true}`
* `kind_names` can override names used in sidebar

Fixes

* `all=true` in `config.ld` did not work.
* `dont_escape_underscore` logic fixed: do not use in prettified code blocks
* check that `ldoc` config exists before checking field values
* annotation rendering fixed
* summary not dropped when using `type` sections
* directory as argument case was broken
* parameter names which were List methods causing mayhem
* files are processed in fixed order across platforms
--------------------------------------------------------------------------------
ChangeLog:

* Sun Nov 23 2014 Thomas Moschny <thomas.moschny@xxxxxx> - 1.4.3-1
- Update to 1.4.3.
* Sat Jun 7 2014 Fedora Release Engineering <rel-eng@xxxxxxxxxxxxxxxxxxxxxxx> - 1.4.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
--------------------------------------------------------------------------------

================================================================================
owncloud-5.0.18-1.fc19 (FEDORA-2014-15715)
Private file sync and share server
--------------------------------------------------------------------------------
Update Information:

This update provides the latest upstream release of ownCloud, with various bugfixes - see https://owncloud.org/changelog/ . Nothing has changed in the Fedora package that should affect users, and the update should not require any special handling.
--------------------------------------------------------------------------------
ChangeLog:

* Sun Nov 23 2014 Adam Williamson <awilliam@xxxxxxxxxx> - 5.0.18-1
- new upstream release 5.0.18, drop patch now merged upstream
--------------------------------------------------------------------------------

================================================================================
perl-String-Errf-0.007-1.fc19 (FEDORA-2014-15725)
Simple sprintf-like dialect
--------------------------------------------------------------------------------
Update Information:

This release catches more invalid inputs.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Nov 24 2014 Petr Pisar <ppisar@xxxxxxxxxx> - 0.007-1
- 0.007 bump
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1163299 - perl-String-Errf-0.007 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1163299
--------------------------------------------------------------------------------

================================================================================
python-husl-4.0.1-1.fc19 (FEDORA-2014-15723)
A Python implementation of HUSL
--------------------------------------------------------------------------------
Update Information:

A python implementation of HUSL
--------------------------------------------------------------------------------

================================================================================
python-rhsm-1.13.8-1.fc19 (FEDORA-2014-15746)
A Python library to communicate with a Red Hat Unified Entitlement Platform
--------------------------------------------------------------------------------
Update Information:

Bug fixes and updated translations.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Nov 21 2014 William Poteat <wpoteat@xxxxxxxxxx> 1.13.8-1
-
* Fri Nov 7 2014 Unknown name <wpoteat@xxxxxxxxxx> 1.13.7-1
-
--------------------------------------------------------------------------------

================================================================================
skf-1.99.10-1.fc19 (FEDORA-2014-15729)
Utility binary files in Simple Kanji Filter
--------------------------------------------------------------------------------
Update Information:

New version 1.99.10 is released.
--------------------------------------------------------------------------------
ChangeLog:

* Sun Nov 23 2014 Mamoru TASAKA <mtasaka@xxxxxxxxxxxxxxxxx> - 1.99.10-1
- 1.99.10
--------------------------------------------------------------------------------

================================================================================
subscription-manager-1.13.9-1.fc19 (FEDORA-2014-15746)
Tools and libraries for subscription and repository management
--------------------------------------------------------------------------------
Update Information:

Bug fixes and updated translations.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Nov 21 2014 William Poteat <wpoteat@xxxxxxxxxx> 1.13.9-1
- Move ostree config to /etc/ostree/remotes.d/redhat.conf (alikins@xxxxxxxxxx)
- 1147463: Log py.warnings to shutup gobject warning (alikins@xxxxxxxxxx)
- 1159266: rhsm-icon -i fails with "TypeError: 'NoneType' object has no attribute '__getitem__'" (wpoteat@xxxxxxxxxx)
- 1145833: Do not package sat5to6 with subscription-manager. (awood@xxxxxxxxxx)
- 1156627: Fix list consumed matching no service level to "". (dgoodwin@xxxxxxxxxx)
- 1162331: Changed how debug_commands.py prints errors. (crog@xxxxxxxxxx)
- 1160150: Repos --list leads to deletion of certificates imported to a system (wpoteat@xxxxxxxxxx)
- 1162170: Added error output when --pool-only is used with --installed. (crog@xxxxxxxxxx)
- 990183: Fix typos in the new man page (bkearney@xxxxxxxxxx)
- 1161694: Modify the --pool-id-only to be --pool-only in bash completion and man page (bkearney@xxxxxxxxxx)
- Use .format strings for --ondate example message (alikins@xxxxxxxxxx)
- 1113741: Fix rhsmd traceback on 502 errors. (alikins@xxxxxxxxxx)
- 1157387: Fix incorrect no installed products detected status in GUI. (dgoodwin@xxxxxxxxxx)
* Fri Nov 7 2014 Unknown name <wpoteat@xxxxxxxxxx> 1.13.8-1
- Added support for attaching pools from a file/stdin. (crog@xxxxxxxxxx)
- Revert "1046132: Makes rhsm-icon slightly less annoying." (dgoodwin@xxxxxxxxxx)
- Further improved exit code standardization (crog@xxxxxxxxxx)
- 1119688: Improved output of the status module (crog@xxxxxxxxxx)
- Make repolib tag matching use model.find_content (alikins@xxxxxxxxxx)
- Added the --pool-only option to subman's list command. (crog@xxxxxxxxxx)
- 1157761: Fixed incorrect option usage in migration tool. (crog@xxxxxxxxxx)
- 1157761: revert to "--servicelevel" (alikins@xxxxxxxxxx)
- 1119688: Improved error code usage in subman. (crog@xxxxxxxxxx)
* Mon Oct 27 2014 Devan Goodwin <dgoodwin@xxxxxxxx> 1.13.7-1
- Add content/product tag matching for content plugins. (alikins@xxxxxxxxxx)
- Remove ostree 'unconfigured' after configuring. (alikins@xxxxxxxxxx)
- Symlink to redhat-uep.pem if we seem to be syncing a CDN hostname cert dir. (dgoodwin@xxxxxxxxxx)
- Add a test for removing 'unconfigured-state' from origin (alikins@xxxxxxxxxx)
- Case insensitive content type searching. (dgoodwin@xxxxxxxxxx)
- Added container plugin for configuring Docker. (dgoodwin@xxxxxxxxxx)
--------------------------------------------------------------------------------

================================================================================
teeworlds-0.6.3-1.fc19 (FEDORA-2014-15733)
Online multi-player platform 2D shooter
--------------------------------------------------------------------------------
Update Information:

0.6.3 (RHBZ #1167167,#1167168)
--------------------------------------------------------------------------------
ChangeLog:

* Mon Nov 24 2014 Igor Gnatenko <i.gnatenko.brain@xxxxxxxxx> - 0.6.3-1
- 0.6.3 (RHBZ #1167167,#1167168)
* Mon Aug 18 2014 Fedora Release Engineering <rel-eng@xxxxxxxxxxxxxxxxxxxxxxx> - 0.6.2-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Sun Jun 8 2014 Fedora Release Engineering <rel-eng@xxxxxxxxxxxxxxxxxxxxxxx> - 0.6.2-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1167167 - teeworlds: security issues fixed in the 0.6.3 release
        https://bugzilla.redhat.com/show_bug.cgi?id=1167167
--------------------------------------------------------------------------------

================================================================================
ykpers-1.16.1-1.fc19 (FEDORA-2014-15737)
Yubikey personalization program
--------------------------------------------------------------------------------
Update Information:

Update to 1.16.1. Fixes bugs #1167113 and #1157894
--------------------------------------------------------------------------------
ChangeLog:

* Sun Nov 23 2014 Kevin Fenzi <kevin@xxxxxxxxx> 1.16.1-1
- Update to 1.16.1. Fixes bugs #1167113 and #1157894
* Mon Aug 18 2014 Fedora Release Engineering <rel-eng@xxxxxxxxxxxxxxxxxxxxxxx> - 1.15.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Sat Jun 7 2014 Fedora Release Engineering <rel-eng@xxxxxxxxxxxxxxxxxxxxxxx> - 1.15.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1167113 - Upgrade to 1.16.1 version in order to support 3.3.x firmware cards
        https://bugzilla.redhat.com/show_bug.cgi?id=1167113
  [ 2 ] Bug #1157894 - F20 - Yubikey U2F (FIDO) Not Supported
        https://bugzilla.redhat.com/show_bug.cgi?id=1157894
--------------------------------------------------------------------------------