The following Fedora 22 Security updates need testing:
 Age  URL
  13  https://admin.fedoraproject.org/updates/FEDORA-2015-4531/quassel-0.11.0-2.fc22
   7  https://admin.fedoraproject.org/updates/FEDORA-2015-5279/strongswan-5.3.0-1.fc22
   7  https://admin.fedoraproject.org/updates/FEDORA-2015-5308/mingw-gnutls-3.3.14-1.fc22,mingw-libtasn1-4.4-1.fc22
   6  https://admin.fedoraproject.org/updates/FEDORA-2015-5430/jffi-1.2.7-5.fc22,jenkins-1.606-1.fc22,jenkins-executable-war-1.29-4.fc22
   5  https://admin.fedoraproject.org/updates/FEDORA-2015-5504/php-symfony-2.5.11-1.fc22
   5  https://admin.fedoraproject.org/updates/FEDORA-2015-5541/qemu-2.3.0-0.3.rc2.fc22
   5  https://admin.fedoraproject.org/updates/FEDORA-2015-5510/postgis-2.1.7-1.fc22
   5  https://admin.fedoraproject.org/updates/FEDORA-2015-5511/mediawiki-1.24.2-1.fc22
   2  https://admin.fedoraproject.org/updates/FEDORA-2015-5643/groovy-sandbox-1.8-1.fc22,jenkins-script-security-plugin-1.13-2.fc22,jenkins-matrix-project-plugin-1.4.1-1.fc22
   0  https://admin.fedoraproject.org/updates/FEDORA-2015-5904/perl-Test-Signature-1.11-1.fc22,perl-Module-Signature-0.78-1.fc22
   0  https://admin.fedoraproject.org/updates/FEDORA-2015-5878/echoping-6.1-0.beta.r434svn.1.fc22
   0  https://admin.fedoraproject.org/updates/FEDORA-2015-5761/ntp-4.2.6p5-29.fc22
   0  https://admin.fedoraproject.org/updates/FEDORA-2015-5748/chrony-2.0-0.3.pre2.fc22
   0  https://admin.fedoraproject.org/updates/FEDORA-2015-5786/knot-1.6.3-1.fc22
   0  https://admin.fedoraproject.org/updates/FEDORA-2015-5885/netcf-0.2.8-1.fc22
   0  https://admin.fedoraproject.org/updates/FEDORA-2015-5766/python-django-1.8-1.fc22
   0  https://admin.fedoraproject.org/updates/FEDORA-2015-5890/tor-0.2.5.12-1.fc22


The following Fedora 22 Critical Path updates have yet to be approved:
 Age  URL
   8  https://admin.fedoraproject.org/updates/FEDORA-2015-5077/ModemManager-1.4.6-1.fc22
   7  https://admin.fedoraproject.org/updates/FEDORA-2015-5310/bluez-5.29-2.fc22
   7  https://admin.fedoraproject.org/updates/FEDORA-2015-5259/ca-certificates-2015.2.3-1.1.fc22
   7  https://admin.fedoraproject.org/updates/FEDORA-2015-5323/libidn-1.29-3.fc22
   6  https://admin.fedoraproject.org/updates/FEDORA-2015-5418/gmp-6.0.0-9.fc22
   3  https://admin.fedoraproject.org/updates/FEDORA-2015-5620/cryptsetup-1.6.7-1.fc22
   0  https://admin.fedoraproject.org/updates/FEDORA-2015-5880/python-bugzilla-1.2.0-1.fc22
   0  https://admin.fedoraproject.org/updates/FEDORA-2015-5882/libhif-0.2.0-1.fc22,PackageKit-1.0.6-1.fc22
   0  https://admin.fedoraproject.org/updates/FEDORA-2015-5902/colord-1.2.10-1.fc22
   0  https://admin.fedoraproject.org/updates/FEDORA-2015-5763/testdisk-6.14-6.fc22,ntfs-3g-2015.3.14-1.fc22


The following builds have been pushed to Fedora 22 updates-testing

    PackageKit-1.0.6-1.fc22
    asciinema-1.0.0-2.fc22
    aspell-pt_BR-20090702-8.fc22
    bpython-0.14.1-1.fc22
    clufter-0.10.4-1.fc22
    collectl-4.0.0-1.fc22
    colord-1.2.10-1.fc22
    darcs-2.8.5-2.fc22
    dnssec-trigger-0.12-20.fc22
    echoping-6.1-0.beta.r434svn.1.fc22
    hwloc-1.10.1-2.fc22
    libgovirt-0.3.3-1.fc22
    libhif-0.2.0-1.fc22
    libinput-0.13.0-4.fc22
    liblouis-2.6.2-1.fc22
    netcf-0.2.8-1.fc22
    perl-MCE-1.606-1.fc22
    perl-MetaCPAN-Client-1.012000-1.fc22
    perl-Mixin-Linewise-0.108-1.fc22
    perl-Module-Signature-0.78-1.fc22
    perl-Test-Signature-1.11-1.fc22
    python-bugzilla-1.2.0-1.fc22
    python-colour-runner-0.0.4-1.fc22
    python-keystoneclient-kerberos-0.1.4-1.fc22
    python-modernize-0.4-1.fc22
    python-netaddr-0.7.14-1.fc22
    python-pelican-3.5.0-2.fc22
    qpid-proton-0.9-3.fc22
    roxterm-2.9.7-1.fc22
    rpm-ostree-2015.3-7.fc22
    samba-4.2.0-3.fc22
    setroubleshoot-3.2.23-1.fc22
    tor-0.2.5.12-1.fc22
    vertica-python-0.3.5-1.fc22

Details about builds:


================================================================================
 PackageKit-1.0.6-1.fc22 (FEDORA-2015-5882)
 Package management service
--------------------------------------------------------------------------------
Update Information:

- Update to new upstream versions
--------------------------------------------------------------------------------
ChangeLog:

* Tue Apr 7 2015 Richard Hughes <rhughes@xxxxxxxxxx> - 1.0.6-1
- New upstream release
- Add dbus method for returning prepared packages
- Don't recursive lock the debug mutex when using --verbose without a tty
- Make "reboot" the default action for no action file
--------------------------------------------------------------------------------


================================================================================
 asciinema-1.0.0-2.fc22 (FEDORA-2015-5896)
 Command line client (terminal recorder) for asciinema.org service
--------------------------------------------------------------------------------
Update Information:

Update to version 1.0.0
--------------------------------------------------------------------------------
ChangeLog:

* Mon Mar 23 2015 Jakub Jedelsky <jakub.jedelsky@xxxxxxxxx> - 1.0.0-2
- Patch: support locale which ends with utf8
- Patch: edit some details in man page
* Tue Mar 17 2015 Jakub Jedelsky <jakub.jedelsky@xxxxxxxxx> - 1.0.0-1
- Update to new version
- Add Godeps to docs
* Fri Mar 6 2015 Jakub Jedelsky <jakub.jedelsky@xxxxxxxxx> - 0.9.9-1
- Update to new version
- Rewritten to Go
- License changed to GPLv3
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1176859 - asciinema-1.0.0 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1176859
--------------------------------------------------------------------------------


================================================================================
 aspell-pt_BR-20090702-8.fc22 (FEDORA-2015-5903)
 Brazilian Portuguese dictionaries for Aspell
--------------------------------------------------------------------------------
Update Information:

Don't provide aspell-pt
--------------------------------------------------------------------------------
ChangeLog:

* Wed Apr 8 2015 jchaloup <jchaloup@xxxxxxxxxx> - 50:20090702-8
- Don't provide aspell-pt
  resolves: #1206898
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1206898 - Drop the virtual provides aspell-pt
        https://bugzilla.redhat.com/show_bug.cgi?id=1206898
--------------------------------------------------------------------------------


================================================================================
 bpython-0.14.1-1.fc22 (FEDORA-2015-5894)
 Fancy curses interface to the Python interactive interpreter
--------------------------------------------------------------------------------
Update Information:

Update to latest upstream release bpython 0.14.1. With this release gtk frontend is gone, while curtsies frontend is new default version. Old default is now known as bpython-curses.
--------------------------------------------------------------------------------
ChangeLog:

* Thu Mar 26 2015 Terje Rosten <terje.rosten@xxxxxxx> - 0.14.1-1
- 0.14.1
- gtk gone upstream, remove sub package and add obsolete
- appdata, desktop file and png upstream
- new deps
- curtsies now default
* Thu Mar 26 2015 Richard Hughes <rhughes@xxxxxxxxxx> - 0.13.2-2
- Add an AppData file for the software center
--------------------------------------------------------------------------------


================================================================================
 clufter-0.10.4-1.fc22 (FEDORA-2015-5895)
 Tool/library for transforming/analyzing cluster configuration formats
--------------------------------------------------------------------------------
Update Information:

bump upstream package (incl. several bugfixes, e.g., rhbz#1207345)
--------------------------------------------------------------------------------
ChangeLog:

* Wed Apr 8 2015 Jan Pokorný <jpokorny+rpm-clufter@xxxxxxxxxxxxxxxxx> - 0.10.4-1
- bump upstream package
--------------------------------------------------------------------------------


================================================================================
 collectl-4.0.0-1.fc22 (FEDORA-2015-5891)
 A utility to collect various Linux performance data
--------------------------------------------------------------------------------
Update Information:

- update to upstream version 4.0.0
- upstream changelog at http://collectl.sourceforge.net/Releases.html
--------------------------------------------------------------------------------
ChangeLog:

* Thu Apr 9 2015 Dan Horák <dan[at]danny.cz> - 4.0.0-1
- upgrade to upstream version 4.0.0 (#1201069)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1201069 - collectl-4.0.0.src is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1201069
--------------------------------------------------------------------------------


================================================================================
 colord-1.2.10-1.fc22 (FEDORA-2015-5902)
 Color daemon
--------------------------------------------------------------------------------
Update Information:

New upstream version
- Add a vendor quirk for Google
--------------------------------------------------------------------------------
ChangeLog:

* Wed Apr 8 2015 Richard Hughes <richard@xxxxxxxxxxx> 1.2.10-1
- New upstream version
- Add a vendor quirk for Google
--------------------------------------------------------------------------------


================================================================================
 darcs-2.8.5-2.fc22 (FEDORA-2015-5877)
 Distributed Advanced Revision Control System
--------------------------------------------------------------------------------
Update Information:

do not own /etc/bash_completion.d
--------------------------------------------------------------------------------
ChangeLog:

* Mon Apr 6 2015 Jens Petersen <petersen@xxxxxxxxxx> - 2.8.5-2
- do not own bash_completion.d/ (#1192805)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1192805 - darcs shouldn't own /etc/bash_completion.d
        https://bugzilla.redhat.com/show_bug.cgi?id=1192805
--------------------------------------------------------------------------------


================================================================================
 dnssec-trigger-0.12-20.fc22 (FEDORA-2015-3864)
 NetworkManager plugin to update/reconfigure DNSSEC resolving
--------------------------------------------------------------------------------
Update Information:

several bugs fixed
--------------------------------------------------------------------------------
ChangeLog:

* Wed Apr 8 2015 Tomas Hozza <thozza@xxxxxxxxxx> - 0.12-20
- Fix issue when installing private address range zone without global forwarders (#1205864)
- Fix configuration of private address range zones (#1128310#c20)
* Fri Mar 13 2015 Tomas Hozza <thozza@xxxxxxxxxx> - 0.12-19
- Fix typo in the dnssec-trigger-script (#1187371)
- Use Python3 by default
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1187371 - [abrt] dnssec-trigger: dnssec-trigger-script:60:Config:NameError: name 'TRUE' is not defined
        https://bugzilla.redhat.com/show_bug.cgi?id=1187371
  [ 2 ] Bug #1185796 - fix switching between secure and insecure forward zones
        https://bugzilla.redhat.com/show_bug.cgi?id=1185796
  [ 3 ] Bug #1130502 - search domains are not tried out for name resolution with dnssec-trigger
        https://bugzilla.redhat.com/show_bug.cgi?id=1130502
  [ 4 ] Bug #1105685 - privacy: add an option to /etc/dnssec.conf to avoid flushing positive answers
        https://bugzilla.redhat.com/show_bug.cgi?id=1105685
  [ 5 ] Bug #1128310 - in-addr.arpa queries for private IP ranges doesn't work if fallback servers are used
        https://bugzilla.redhat.com/show_bug.cgi?id=1128310
  [ 6 ] Bug #1183975 - [abrt] dnssec-trigger: subprocess.py:1327:_execute_child:OSError: [Errno 2] No such file or directory
        https://bugzilla.redhat.com/show_bug.cgi?id=1183975
  [ 7 ] Bug #1165126 - dnssec-trigger: publish the list of nameservers trusted for DNSSEC validation
        https://bugzilla.redhat.com/show_bug.cgi?id=1165126
  [ 8 ] Bug #1125267 - turn /etc/resolv.conf into a symlink to dnssec-trigger's temporary file
        https://bugzilla.redhat.com/show_bug.cgi?id=1125267
  [ 9 ] Bug #1089766 - option to prefer VPN DNS servers over default connection ones
        https://bugzilla.redhat.com/show_bug.cgi?id=1089766
  [ 10 ] Bug #1112248 - dnssec-trigger-script fails to configure unbound on dnssec-triggerd restart
        https://bugzilla.redhat.com/show_bug.cgi?id=1112248
  [ 11 ] Bug #824219 - dnssec: unbound fails to validate wildcard records when dnssec-trigger uses a broken bind as forwarder
        https://bugzilla.redhat.com/show_bug.cgi?id=824219
  [ 12 ] Bug #1205864 - [abrt] dnssec-trigger: dnssec-trigger-script:278:_commit:KeyError: 'c.f.ip6.arpa'
        https://bugzilla.redhat.com/show_bug.cgi?id=1205864
--------------------------------------------------------------------------------


================================================================================
 echoping-6.1-0.beta.r434svn.1.fc22 (FEDORA-2015-5878)
 TCP performance test to measure response time of network hosts
--------------------------------------------------------------------------------
Update Information:

Updated to latest SVN, fixing various bugs.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Feb 25 2015 Andreas Thienemann <andreas@xxxxxxxxx> - 6.1-0.beta.r434svn.1
- Updated to latest SVN, fixing #705174 and #1007031
- Removed so versioning and fixed module loading, fixing #460557 and #1032547
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #705174 - echoping: boundary error in SSL-related functions can lead to buffer overflow [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=705174
  [ 2 ] Bug #1007031 - echoping segfaults all the time
        https://bugzilla.redhat.com/show_bug.cgi?id=1007031
  [ 3 ] Bug #460557 - echoping : Package and software are in a desolate state
        https://bugzilla.redhat.com/show_bug.cgi?id=460557
  [ 4 ] Bug #1032547 - echoping doesn't seem to work (cannot open shared object file)
        https://bugzilla.redhat.com/show_bug.cgi?id=1032547
--------------------------------------------------------------------------------


================================================================================
 hwloc-1.10.1-2.fc22 (FEDORA-2015-5897)
 Portable Hardware Locality - portable abstraction of hierarchical architectures
--------------------------------------------------------------------------------
Update Information:

Update to 1.10.1
Fix hwloc issue on arm
--------------------------------------------------------------------------------
ChangeLog:

* Sat Apr 4 2015 Orion Poplwski <orion@xxxxxxxxxxxxx> - 1.10.1-2
- Fix hwloc issue on arm
* Wed Apr 1 2015 Orion Poplwski <orion@xxxxxxxxxxxxx> - 1.10.1-1
- Update to version 1.10.1
--------------------------------------------------------------------------------


================================================================================
 libgovirt-0.3.3-1.fc22 (FEDORA-2015-5899)
 A GObject library for interacting with oVirt REST API
--------------------------------------------------------------------------------
Update Information:

Update to upstream release 0.3.3
--------------------------------------------------------------------------------
ChangeLog:

* Wed Apr 8 2015 Christophe Fergeau <cfergeau@xxxxxxxxxx> 0.3.3-1
- Update to upstream release 0.3.3
--------------------------------------------------------------------------------


================================================================================
 libhif-0.2.0-1.fc22 (FEDORA-2015-5882)
 Simple package library built on top of hawkey and librepo
--------------------------------------------------------------------------------
Update Information:

- Update to new upstream versions
--------------------------------------------------------------------------------
ChangeLog:

* Wed Apr 8 2015 Richard Hughes <richard@xxxxxxxxxxx> 0.2.0-1
- Update to new upstream version
- Add new API required for ostree
* Sat Mar 28 2015 Kalev Lember <kalevlember@xxxxxxxxx> - 0.1.8-7
- Fix broken -devel package requires
* Mon Mar 16 2015 Than Ngo <than@xxxxxxxxxx> - 0.1.8-6
- bump release and rebuild so that koji-shadow can rebuild it against new gcc on secondary arch
--------------------------------------------------------------------------------


================================================================================
 libinput-0.13.0-4.fc22 (FEDORA-2015-5900)
 Input device library
--------------------------------------------------------------------------------
Update Information:

Fix finger miscounts on single-touch touchpads (#1209151)
Fix mouse slowdown (#1208992)
Fix crasher triggered by fake MT devices without ABS_X/Y (#1207574)
libinput 0.13.0
--------------------------------------------------------------------------------
ChangeLog:

* Thu Apr 9 2015 Peter Hutterer <peter.hutterer@xxxxxxxxxx> 0.13.0-4
- Fix finger miscounts on single-touch touchpads (#1209151)
* Wed Apr 8 2015 Peter Hutterer <peter.hutterer@xxxxxxxxxx> 0.13.0-3
- Fix mouse slowdown (#1208992)
* Wed Apr 8 2015 Peter Hutterer <peter.hutterer@xxxxxxxxxx> 0.13.0-2
- Fix crasher triggered by fake MT devices without ABS_X/Y (#1207574)
* Tue Mar 24 2015 Peter Hutterer <peter.hutterer@xxxxxxxxxx> 0.13.0-1
- libinput 0.13.0
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1209151 - one finger tap registers as two or three finger tap
        https://bugzilla.redhat.com/show_bug.cgi?id=1209151
  [ 2 ] Bug #1207574 - libinput makes X crash when connecting Logitech G600 mouse
        https://bugzilla.redhat.com/show_bug.cgi?id=1207574
  [ 3 ] Bug #1206564 - libinput-0.13.0-1.fc22 slows down the mousepointer extremely
        https://bugzilla.redhat.com/show_bug.cgi?id=1206564
  [ 4 ] Bug #1208992 - Mouse cursor doesn't move when moving the physical mouse slowly.
        https://bugzilla.redhat.com/show_bug.cgi?id=1208992
--------------------------------------------------------------------------------


================================================================================
 liblouis-2.6.2-1.fc22 (FEDORA-2015-5883)
 Braille translation and back-translation library
--------------------------------------------------------------------------------
Update Information:

This release fixes a long standing emphasis bug, adds more functionality to the harness test suite and improves, as usual, on Braille tables. Notably there is a brand new Finnish table backed by Celia.

Braille table improvements:

* Correction to comments in Norwegian generic tables
* Corrections to dot patterns in no-no-g0.utb
* Corrections and additional test cases for Hungarian grade 1
* New 6-dot table for Finnish. The existing tables for Finnish were 8-dot, but there is an official specification only for 6-dot braille in Finnish.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Apr 8 2015 Martin Gieseking <martin.gieseking@xxxxxx> 2.6.2-1
- Updated to new upstream release.
--------------------------------------------------------------------------------


================================================================================
 netcf-0.2.8-1.fc22 (FEDORA-2015-5885)
 Cross-platform network configuration library
--------------------------------------------------------------------------------
Update Information:

Security fix for CVE 2014-8119, as well as adding a few other minor bugfixes and enhancements (support for multiple IPv4 addresses, simultaneous static & dhcp for IPv4)
--------------------------------------------------------------------------------
ChangeLog:

* Wed Apr 8 2015 Laine Stump <laine@xxxxxxxxxx> - 0.2.8-1
- rebase to netcf-0.2.8
- resolve CVE-2014-8119
- Fix build on systems with newer libnl3 that doesn't
- support multiple IPv4 addresses in interface config (redhat driver)
- allow static IPv4 config simultaneous with DHCPv4 (redhat driver)
- recognize IPADDR0/NETMASK0/PREFIX0
- remove extra quotes from IPV6ADDR_SECONDARIES (redhat+suse drivers)
- miscellaneous systemd service fixes
- use git to apply patches in rpm specfile
- revert the 0.2.6-2 specfile patch mentioned below (now fixed properly)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1172176 - CVE-2014-8119 netcf: augeas path expression injection via interface name
        https://bugzilla.redhat.com/show_bug.cgi?id=1172176
--------------------------------------------------------------------------------


================================================================================
 perl-MCE-1.606-1.fc22 (FEDORA-2015-5889)
 Many-core Engine for Perl providing parallel processing capabilities
--------------------------------------------------------------------------------
Update Information:

A new version of MCE is available. See http://search.cpan.org/src/MARIOROY/MCE-1.606/CHANGES for details on changes in this release.

A new version of MCE is available. See http://cpansearch.perl.org/src/MARIOROY/MCE-1.605/CHANGES for details on changes in this release.
--------------------------------------------------------------------------------
ChangeLog:

* Thu Apr 9 2015 Petr Šabata <contyk@xxxxxxxxxx> - 1.606-1
- 1.606 bump
* Wed Apr 8 2015 Petr Šabata <contyk@xxxxxxxxxx> - 1.605-1
- 1.605 bump
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1210119 - perl-MCE-1.606 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1210119
  [ 2 ] Bug #1209148 - perl-MCE-1.605 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1209148
--------------------------------------------------------------------------------


================================================================================
 perl-MetaCPAN-Client-1.012000-1.fc22 (FEDORA-2015-5886)
 A comprehensive, DWIM-featured client to the MetaCPAN API
--------------------------------------------------------------------------------
Update Information:

Current upstream maintenance release.
--------------------------------------------------------------------------------
ChangeLog:

* Thu Apr 9 2015 Paul Howarth <paul@xxxxxxxxxxxx> - 1.012000-1
- Update to 1.012000
- Added Mirror type and support for mirrors search in 'all' queries (GH#33)
- Support 'ratings' search in 'all' queries (GH#33)
- More example scripts: facets, top favorites, all authors blogs
- Clean-up and documentation updates
--------------------------------------------------------------------------------


================================================================================
 perl-Mixin-Linewise-0.108-1.fc22 (FEDORA-2015-5879)
 Write your linewise code for handles; this does the rest
--------------------------------------------------------------------------------
Update Information:

Current upstream maintenance release.
--------------------------------------------------------------------------------
ChangeLog:

* Thu Apr 9 2015 Paul Howarth <paul@xxxxxxxxxxxx> - 0.108-1
- Update to 0.108
- First argument can be options only if there are two arguments
* Wed Apr 8 2015 Paul Howarth <paul@xxxxxxxxxxxx> - 0.107-1
- Update to 0.107
- Add leading hashref arg for passing binmode to read_string, write_string
- Do not modify references of args passed to read_file, write_file
- Remove redundant %{?perl_default_filter}
- Use %license
- Make %files list more explicit
--------------------------------------------------------------------------------


================================================================================
 perl-Module-Signature-0.78-1.fc22 (FEDORA-2015-5904)
 CPAN signature management utilities and modules
--------------------------------------------------------------------------------
Update Information:

This update addresses various security issues in perl-Module-Signature as described below. The default behavior is also changed so as to ignore any MANIFEST.SKIP files unless a "skip" parameter is specified. An updated version of perl-Test-Signature that accounts for the changed default behaviour is included in this update.

Security issues:

* Module::Signature before version 0.75 could be tricked into interpreting the unsigned portion of a SIGNATURE file as the signed portion due to faulty parsing of the PGP signature boundaries.
* When verifying the contents of a CPAN module, Module::Signature before version 0.75 ignored some files in the extracted tarball that were not listed in the signature file. This included some files in the t/ directory that would execute automatically during "make test".
* Module::Signature before version 0.75 used two argument open() calls to read the files when generating checksums from the signed manifest. This allowed embedding arbitrary shell commands into the SIGNATURE file that would execute during the signature verification process.
* Module::Signature before version 0.75 has been loading several modules at runtime inside the extracted module directory. Modules like Text::Diff are not guaranteed to be available on all platforms and could be added to a malicious module so that they would load from the '.' path in @INC.
--------------------------------------------------------------------------------
ChangeLog:

* Thu Apr 9 2015 Paul Howarth <paul@xxxxxxxxxxxx> - 0.78-1
- Update to 0.78
- Fix verify() use from cpanm and CPAN.pm
* Wed Apr 8 2015 Paul Howarth <paul@xxxxxxxxxxxx> - 0.77-1
- Update to 0.77
- Include the latest public keys of PAUSE, ANDK and AUDREYT
- Clarify scripts/cpansign copyright to CC0 (#965126, CPAN RT#85466)
* Wed Apr 8 2015 Paul Howarth <paul@xxxxxxxxxxxx> - 0.76-1
- Update to 0.76
- Fix signature tests by defaulting to verify(skip=>1) when $ENV{TEST_SIGNATURE} is true
* Tue Apr 7 2015 Paul Howarth <paul@xxxxxxxxxxxx> - 0.75-1
- Update to 0.75
- Fix GPG signature parsing logic
- MANIFEST.SKIP is no longer consulted unless --skip is given
- Properly use open() modes to avoid injection attacks
- More protection of @INC from relative paths
- Don't try to run the signature test, which needs the network
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1209911 - perl-Module-Signature: unsigned files interpreted as signed in some circumstances
        https://bugzilla.redhat.com/show_bug.cgi?id=1209911
  [ 2 ] Bug #1209915 - perl-Module-Signature: arbitrary code execution during test phase
        https://bugzilla.redhat.com/show_bug.cgi?id=1209915
  [ 3 ] Bug #1209917 - perl-Module-Signature: arbitrary code execution when verifying module signatures
        https://bugzilla.redhat.com/show_bug.cgi?id=1209917
  [ 4 ] Bug #1209918 - perl-Module-Signature: arbitrary modules loading in some circumstances
        https://bugzilla.redhat.com/show_bug.cgi?id=1209918
--------------------------------------------------------------------------------


================================================================================
 perl-Test-Signature-1.11-1.fc22 (FEDORA-2015-5904)
 Automated SIGNATURE testing
--------------------------------------------------------------------------------
Update Information:

This update addresses various security issues in perl-Module-Signature as described below. The default behavior is also changed so as to ignore any MANIFEST.SKIP files unless a "skip" parameter is specified. An updated version of perl-Test-Signature that accounts for the changed default behaviour is included in this update.

Security issues:

* Module::Signature before version 0.75 could be tricked into interpreting the unsigned portion of a SIGNATURE file as the signed portion due to faulty parsing of the PGP signature boundaries.
* When verifying the contents of a CPAN module, Module::Signature before version 0.75 ignored some files in the extracted tarball that were not listed in the signature file. This included some files in the t/ directory that would execute automatically during "make test".
* Module::Signature before version 0.75 used two argument open() calls to read the files when generating checksums from the signed manifest. This allowed embedding arbitrary shell commands into the SIGNATURE file that would execute during the signature verification process.
* Module::Signature before version 0.75 has been loading several modules at runtime inside the extracted module directory. Modules like Text::Diff are not guaranteed to be available on all platforms and could be added to a malicious module so that they would load from the '.' path in @INC.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Apr 8 2015 Paul Howarth <paul@xxxxxxxxxxxx> - 1.11-1
- Update to 1.11
- Compatibility with Module::Signature 0.75+
- Classify buildreqs by usage
- Don't use macros for commands
- Avoid clobbering ~/.gnupg for local builds
- Make %files list more explicit
- Drop %defattr, redundant since rpm 4.4
- Import upstream's GPG key in %prep so we don't need to fetch it from a keyserver when running the signature test
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1209911 - perl-Module-Signature: unsigned files interpreted as signed in some circumstances
        https://bugzilla.redhat.com/show_bug.cgi?id=1209911
  [ 2 ] Bug #1209915 - perl-Module-Signature: arbitrary code execution during test phase
        https://bugzilla.redhat.com/show_bug.cgi?id=1209915
  [ 3 ] Bug #1209917 - perl-Module-Signature: arbitrary code execution when verifying module signatures
        https://bugzilla.redhat.com/show_bug.cgi?id=1209917
  [ 4 ] Bug #1209918 - perl-Module-Signature: arbitrary modules loading in some circumstances
        https://bugzilla.redhat.com/show_bug.cgi?id=1209918
--------------------------------------------------------------------------------


================================================================================
 python-bugzilla-1.2.0-1.fc22 (FEDORA-2015-5880)
 A python library and tool for interacting with Bugzilla
--------------------------------------------------------------------------------
Update Information:

* Rebased to version 1.2.0
* Add bugzilla new/query/modify --field flag (Arun Babu Neelicattu)
* API support for ExternalBugs (Arun Babu Neelicattu, Brian Bouterse)
* Add new/modify --alias support (Adam Williamson)
* Bugzilla.logged_in now returns live state (Arun Babu Neelicattu)
* Fix getbugs API with latest Bugzilla releases
--------------------------------------------------------------------------------
ChangeLog:

* Wed Apr 8 2015 Cole Robinson <crobinso@xxxxxxxxxx> - 1.2.0-1
- Rebased to version 1.2.0
- Add bugzilla new/query/modify --field flag (Arun Babu Neelicattu)
- API support for ExternalBugs (Arun Babu Neelicattu, Brian Bouterse)
- Add new/modify --alias support (Adam Williamson)
- Bugzilla.logged_in now returns live state (Arun Babu Neelicattu)
- Fix getbugs API with latest Bugzilla releases
--------------------------------------------------------------------------------


================================================================================
 python-colour-runner-0.0.4-1.fc22 (FEDORA-2015-5901)
 Colour formatting for unittest tests
--------------------------------------------------------------------------------
Update Information:

Initial import of package
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1202303 - Review Request: python-colour-runner - Colour formatting for unittest test output
        https://bugzilla.redhat.com/show_bug.cgi?id=1202303
--------------------------------------------------------------------------------


================================================================================
 python-keystoneclient-kerberos-0.1.4-1.fc22 (FEDORA-2015-5881)
 Kerberos authentication for the OpenStack clients
--------------------------------------------------------------------------------
Update Information:

Update with new upstream package.
Initial release
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1200672 - Review Request: python-keystoneclient-kerberos - Kerberos authentication for the OpenStack clients
        https://bugzilla.redhat.com/show_bug.cgi?id=1200672
--------------------------------------------------------------------------------


================================================================================
 python-modernize-0.4-1.fc22 (FEDORA-2015-5875)
 Modernizes Python code for eventual Python 3 migration
--------------------------------------------------------------------------------
Update Information:

Latest upstream.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Apr 8 2015 Ralph Bean <rbean@xxxxxxxxxx> - 0.4-1
- new version
--------------------------------------------------------------------------------


================================================================================
 python-netaddr-0.7.14-1.fc22 (FEDORA-2015-5888)
 A pure Python network address representation and manipulation library
--------------------------------------------------------------------------------
Update Information:

New upstream release 0.7.14
--------------------------------------------------------------------------------
ChangeLog:

* Wed Apr 1 2015 John Eckersberg <eck@xxxxxxxxxx> - 0.7.14-1
- New upstream release 0.7.14
--------------------------------------------------------------------------------


================================================================================
 python-pelican-3.5.0-2.fc22 (FEDORA-2015-5876)
 A tool to generate a static blog from reStructuredText or Markdown input files
--------------------------------------------------------------------------------
Update Information:

add runtime requirement python-dateutil(rhbz#1204791)
--------------------------------------------------------------------------------
ChangeLog:

* Mon Mar 23 2015 Matthias Runge <mrunge@xxxxxxxxxx> - 3.5.0-2
- add runtime requirement python-dateutil(rhbz#1204791)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1204791 - python-pelican should depend on python-dateutil
        https://bugzilla.redhat.com/show_bug.cgi?id=1204791
--------------------------------------------------------------------------------


================================================================================
 qpid-proton-0.9-3.fc22 (FEDORA-2015-5893)
 A high performance, lightweight messaging library
--------------------------------------------------------------------------------
Update Information:

Added a global excludes macro to fix EL6 issues with example Perl modules.
Marked the examples in -c-devel as doc.
Rebased on Proton 0.9.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Apr 8 2015 Darryl L. Pierce <dpierce@xxxxxxxxxx> - 0.9-3
- Added a global excludes macro to fix EL6 issues with example Perl modules.
* Wed Apr 8 2015 Darryl L. Pierce <dpierce@xxxxxxxxxx> - 0.9-2
- Marked the examples in -c-devel as doc.
- Turned off the executable flag on all files under examples.
* Mon Apr 6 2015 Darryl L. Pierce <dpierce@xxxxxxxxxx> - 0.9-1
- Rebased on Proton 0.9.
- Removed the proton binary from qpid-proton-c.
- Added the perl-qpid-proton subpackage.
--------------------------------------------------------------------------------


================================================================================
roxterm-2.9.7-1.fc22 (FEDORA-2015-5892)
A fast terminal emulator
--------------------------------------------------------------------------------
Update Information:

* Fixed scheme CLI switches (ticket #110)
* --tab tries to use most recently focused win
* Fix maximise and full screen buttons in profile
* Fade text in unselected tabs
* Recognise _NET_WM_DESKTOP value 0xffffffff
* Check for unset $EDITOR when editing shortcuts
--------------------------------------------------------------------------------
ChangeLog:

* Sun Apr  5 2015 Christopher Meng <rpm@xxxxxxxx> - 2.9.7-1
- Update to 2.9.7
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1207456 - roxterm-2.9.7 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1207456
--------------------------------------------------------------------------------


================================================================================
rpm-ostree-2015.3-7.fc22 (FEDORA-2015-5905)
Client side upgrade program and server side compose tool
--------------------------------------------------------------------------------
Update Information:

Add patch to use yum-deprecated
--------------------------------------------------------------------------------
ChangeLog:

* Wed Apr  8 2015 Colin Walters <walters@xxxxxxxxxx> - 2015.3-7
- Add patch to use yum-deprecated
  Resolves: #1209695
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1209695 - yum/dnf changes break composoing ostree trees
        https://bugzilla.redhat.com/show_bug.cgi?id=1209695
--------------------------------------------------------------------------------


================================================================================
samba-4.2.0-3.fc22 (FEDORA-2015-5898)
Server and Client software to interoperate with Windows machines
--------------------------------------------------------------------------------
Update Information:

Fix libsystemd detection.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Apr  8 2015 Andreas Schneider <asn@xxxxxxxxxx> - 4.2.0-3
- resolves: #1207381 - Fix libsystemd detection.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1207381 - regression: smbd startup fails after update to 4.2.0-2.fc22
        https://bugzilla.redhat.com/show_bug.cgi?id=1207381
--------------------------------------------------------------------------------


================================================================================
setroubleshoot-3.2.23-1.fc22 (FEDORA-2015-5884)
Helps troubleshoot SELinux problems
--------------------------------------------------------------------------------
Update Information:

setroubleshootd is set to be run as setroubleshoot user instead of root user, plugin fix commands are not executed using shell anymore, bugfixes/
--------------------------------------------------------------------------------
ChangeLog:

* Thu Apr  9 2015 Petr Lautrbach <plautrba@xxxxxxxxxx> 3.2.23-1
- setroubleshootd is set to be run as setroubleshoot user instead of root user
- several bugfixes
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1144580 - sealert prints error to stdout
        https://bugzilla.redhat.com/show_bug.cgi?id=1144580
  [ 2 ] Bug #1144555 - `sealert -a` False behaves as `sealert -a -`
        https://bugzilla.redhat.com/show_bug.cgi?id=1144555
  [ 3 ] Bug #1174230 - [abrt] setroubleshoot-server: ConfigParser.py:743:set:TypeError: option values must be strings
        https://bugzilla.redhat.com/show_bug.cgi?id=1174230
--------------------------------------------------------------------------------


================================================================================
tor-0.2.5.12-1.fc22 (FEDORA-2015-5890)
Anonymizing overlay network for TCP (The onion router)
--------------------------------------------------------------------------------
Update Information:

Update to upstream release 0.2.5.12.
Update to upstream release 0.2.5.11.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Apr  7 2015 Jamie Nguyen <jamielinux@xxxxxxxxxxxxxxxxx> - 0.2.5.12-1
- update to upstream release 0.2.5.12
* Mon Mar 23 2015 Jamie Nguyen <jamielinux@xxxxxxxxxxxxxxxxx> - 0.2.5.11-1
- update to upstream release 0.2.5.11
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1209804 - CVE-2015-2928 CVE-2015-2929 tor: multiple issues fixed in the new upstream releases
        https://bugzilla.redhat.com/show_bug.cgi?id=1209804
  [ 2 ] Bug #1204773 - CVE-2015-2688 CVE-2015-2689 tor: security fixes in 0.2.4.26 and 0.2.5.11
        https://bugzilla.redhat.com/show_bug.cgi?id=1204773
--------------------------------------------------------------------------------


================================================================================
vertica-python-0.3.5-1.fc22 (FEDORA-2015-5887)
A native Python adapter for the Vertica database
--------------------------------------------------------------------------------
Update Information:

update to version 0.3.5
--------------------------------------------------------------------------------
ChangeLog:

* Wed Apr  8 2015 Jakub Jedelsky <jakub.jedelsky@xxxxxxxxx> - 0.3.5-1
- update to version 0.3.5
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1209692 - vertica-python-v0.3.5 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1209692
--------------------------------------------------------------------------------

--
test mailing list
test@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe:
https://admin.fedoraproject.org/mailman/listinfo/test