Fedora 20 updates-testing report

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



The following Fedora 20 Security updates need testing:
 Age  URL
 130  https://admin.fedoraproject.org/updates/FEDORA-2014-15988/fail2ban-0.9.1-1.fc20
 118  https://admin.fedoraproject.org/updates/FEDORA-2014-16845/resteasy-3.0.6-3.fc20
 110  https://admin.fedoraproject.org/updates/FEDORA-2014-17089/aeskulap-0.2.2-0.20beta1.fc20,orthanc-0.8.5-2.fc20,dcmtk-3.6.1-1.fc20
  66  https://admin.fedoraproject.org/updates/FEDORA-2015-1648/lcms-1.19-13.fc20
  65  https://admin.fedoraproject.org/updates/FEDORA-2015-1718/389-admin-1.1.38-1.fc20
  63  https://admin.fedoraproject.org/updates/FEDORA-2015-1790/fcgi-2.4.0-26.fc20
  48  https://admin.fedoraproject.org/updates/FEDORA-2015-0951/xdg-utils-1.1.0-0.38.rc3.fc20
  33  https://admin.fedoraproject.org/updates/FEDORA-2015-3417/389-ds-base-1.3.2.27-1.fc20
  28  https://admin.fedoraproject.org/updates/FEDORA-2015-3738/ImageMagick-6.8.6.3-6.fc20
  15  https://admin.fedoraproject.org/updates/FEDORA-2015-4486/ca-certificates-2015.2.3-1.0.fc20
  15  https://admin.fedoraproject.org/updates/FEDORA-2015-4587/qt5-qtwebkit-5.4.1-4.fc20
  15  https://admin.fedoraproject.org/updates/FEDORA-2015-4551/qtwebkit-2.3.4-6.fc20
  15  https://admin.fedoraproject.org/updates/FEDORA-2015-4672/quassel-0.11.0-2.fc20
  15  https://admin.fedoraproject.org/updates/FEDORA-2015-4554/rest-0.7.93-1.fc20
  15  https://admin.fedoraproject.org/updates/FEDORA-2015-4556/libzip-0.11.2-5.fc20
  15  https://admin.fedoraproject.org/updates/FEDORA-2015-4693/owncloud-7.0.5-2.fc20
  13  https://admin.fedoraproject.org/updates/FEDORA-2015-4953/tcpdump-4.5.1-4.fc20
  10  https://admin.fedoraproject.org/updates/FEDORA-2015-5182/libtasn1-3.8-3.fc20
   8  https://admin.fedoraproject.org/updates/FEDORA-2015-5398/thunderbird-31.6.0-1.fc20
   8  https://admin.fedoraproject.org/updates/FEDORA-2015-5390/mingw-libtasn1-3.8-2.fc20
   7  https://admin.fedoraproject.org/updates/FEDORA-2015-5464/php-symfony-2.5.11-1.fc20
   5  https://admin.fedoraproject.org/updates/FEDORA-2015-5546/arj-3.10.22-22.fc20
   5  https://admin.fedoraproject.org/updates/FEDORA-2015-5569/mediawiki-1.23.9-1.fc20
   5  https://admin.fedoraproject.org/updates/FEDORA-2015-5601/perl-DBD-Firebird-1.19-1.fc20
   3  https://admin.fedoraproject.org/updates/FEDORA-2015-5723/firefox-37.0.1-1.fc20
   3  https://admin.fedoraproject.org/updates/FEDORA-2015-5732/tor-0.2.5.12-1.fc20
   2  https://admin.fedoraproject.org/updates/FEDORA-2015-5809/chrony-1.31.1-1.fc20
   2  https://admin.fedoraproject.org/updates/FEDORA-2015-5812/knot-1.6.3-1.fc20
   1  https://admin.fedoraproject.org/updates/FEDORA-2015-5840/perl-Test-Signature-1.11-1.fc20,perl-Module-Signature-0.78-1.fc20
   1  https://admin.fedoraproject.org/updates/FEDORA-2015-5864/zarafa-7.1.12-1.fc20
   1  https://admin.fedoraproject.org/updates/FEDORA-2015-5874/ntp-4.2.6p5-21.fc20
   1  https://admin.fedoraproject.org/updates/FEDORA-2015-5910/netcf-0.2.8-1.fc20
   0  https://admin.fedoraproject.org/updates/FEDORA-2015-6006/python-virtualenv-12.0.7-1.fc20
   0  https://admin.fedoraproject.org/updates/FEDORA-2015-5997/openstack-neutron-2013.2.4-8.fc20
   0  https://admin.fedoraproject.org/updates/FEDORA-2015-5972/yourls-1.7-3.20150410gitabc7d6c.fc20
   0  https://admin.fedoraproject.org/updates/FEDORA-2015-5969/gnupg2-2.0.27-1.fc20
   0  https://admin.fedoraproject.org/updates/FEDORA-2015-5970/asterisk-11.17.1-1.fc20
   0  https://admin.fedoraproject.org/updates/FEDORA-2015-5978/krb5-1.11.5-20.fc20
   0  https://admin.fedoraproject.org/updates/FEDORA-2015-6010/python-2.7.5-16.fc20


The following Fedora 20 Critical Path updates have yet to be approved:
 Age URL
  48  https://admin.fedoraproject.org/updates/FEDORA-2015-0951/xdg-utils-1.1.0-0.38.rc3.fc20
  13  https://admin.fedoraproject.org/updates/FEDORA-2015-4892/btrfs-progs-3.19.1-1.fc20
  10  https://admin.fedoraproject.org/updates/FEDORA-2015-5182/libtasn1-3.8-3.fc20
   8  https://admin.fedoraproject.org/updates/FEDORA-2015-5398/thunderbird-31.6.0-1.fc20
   8  https://admin.fedoraproject.org/updates/FEDORA-2015-5361/libidn-1.28-3.fc20
   7  https://admin.fedoraproject.org/updates/FEDORA-2015-5488/perl-5.18.4-293.fc20
   7  https://admin.fedoraproject.org/updates/FEDORA-2015-5448/ibus-1.5.10-2.fc20
   2  https://admin.fedoraproject.org/updates/FEDORA-2015-5824/emacs-24.3-26.fc20
   2  https://admin.fedoraproject.org/updates/FEDORA-2015-5809/chrony-1.31.1-1.fc20
   1  https://admin.fedoraproject.org/updates/FEDORA-2015-5859/testdisk-6.14-4.fc20,ntfs-3g-2015.3.14-1.fc20
   0  https://admin.fedoraproject.org/updates/FEDORA-2015-6008/linux-firmware-20150410-46.gitec89525b.fc20
   0  https://admin.fedoraproject.org/updates/FEDORA-2015-5969/gnupg2-2.0.27-1.fc20
   0  https://admin.fedoraproject.org/updates/FEDORA-2015-6007/pcre-8.33-9.fc20
   0  https://admin.fedoraproject.org/updates/FEDORA-2015-6010/python-2.7.5-16.fc20
   0  https://admin.fedoraproject.org/updates/FEDORA-2015-5978/krb5-1.11.5-20.fc20


The following builds have been pushed to Fedora 20 updates-testing

    arduino-1.0.6-1.fc20
    asterisk-11.17.1-1.fc20
    cross-gcc-4.9.2-5.fc20
    dovecot-2.2.16-1.fc20
    globus-gass-copy-9.15-1.fc20
    gnupg2-2.0.27-1.fc20
    krb5-1.11.5-20.fc20
    libzen-0.4.31-1.fc20
    linux-firmware-20150410-46.gitec89525b.fc20
    openstack-neutron-2013.2.4-8.fc20
    pcre-8.33-9.fc20
    perl-MCE-1.608-1.fc20
    phpMyAdmin-4.4.1.1-1.fc20
    pyotherside-1.4.0-4.fc20
    python-2.7.5-16.fc20
    python-virtualenv-12.0.7-1.fc20
    qterminal-0.6.0-2.fc20
    qtermwidget-0.6.0-2.fc20
    yourls-1.7-3.20150410gitabc7d6c.fc20

Details about builds:


================================================================================
 arduino-1.0.6-1.fc20 (FEDORA-2015-5999)
 An IDE for Arduino-compatible electronics prototyping platforms
--------------------------------------------------------------------------------
Update Information:

Update to 1.0.6.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Apr  6 2015 Peter Oliver <rpm@xxxxxxxxxxxx> - 1:1.0.6-1
- Update to 1.0.6.
--------------------------------------------------------------------------------


================================================================================
 asterisk-11.17.1-1.fc20 (FEDORA-2015-5970)
 The Open Source PBX
--------------------------------------------------------------------------------
Update Information:

The Asterisk Development Team has announced security releases for Certified
Asterisk 1.8.28, 11.6, and 13.1 and Asterisk 1.8, 11, 12, and 13. The available
security releases are released as versions 1.8.28.cert-5, 1.8.32.3, 11.6-cert11,
11.17.1, 12.8.2, 13.1-cert2, and 13.3.2.

These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases

The release of these versions resolves the following security vulnerability:

* AST-2015-003: TLS Certificate Common name NULL byte exploit

  When Asterisk registers to a SIP TLS device and and verifies the server,
  Asterisk will accept signed certificates that match a common name other than
  the one Asterisk is expecting if the signed certificate has a common name
  containing a null byte after the portion of the common name that Asterisk
  expected. This potentially allows for a man in the middle attack.

For more information about the details of this vulnerability, please read
security advisory AST-2015-003, which was released at the same time as this
announcement.

For a full list of changes in the current releases, please see the ChangeLogs:

http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.28-cert5
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.32.3
http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert11
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.17.1
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.8.2
http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-13.1-cert2
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.3.2

The security advisory is available at:

 * http://downloads.asterisk.org/pub/security/AST-2015-003.pdf
The Asterisk Development Team has announced the release of Asterisk 11.17.0.
This release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk

The release of Asterisk 11.17.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following are the issues resolved in this release:

New Features made in this release:
-----------------------------------
 * ASTERISK-17899 - Handle crypto lifetime in SDES-SRTP negotiation
      (Reported by Dwayne Hubbard)

Bugs fixed in this release:
-----------------------------------
 * ASTERISK-24742 - [patch] Fix ast_odbc_find_table function in
      res_odbc (Reported by ibercom)
 * ASTERISK-22436 - [patch] No BYE to masqueraded channel on INVITE
      with replaces (Reported by Eelco Brolman)
 * ASTERISK-24479 - Enable REF_DEBUG for module references
      (Reported by Corey Farrell)
 * ASTERISK-24701 - Stasis: Write timeout on WebSocket fails to
      fully disconnect underlying socket, leading to events being
      dropped with no additional information (Reported by Matt Jordan)
 * ASTERISK-24772 - ODBC error in realtime sippeers when device
      unregisters under MariaDB (Reported by Richard Miller)
 * ASTERISK-24451 - chan_iax2: reference leak in sched_delay_remove
      (Reported by Corey Farrell)
 * ASTERISK-24799 - [patch] make fails with undefined reference to
      SSLv3_client_method (Reported by Alexander Traud)
 * ASTERISK-24787 - [patch] - Microsoft exchange incompatibility
      for playing back messages stored in IMAP - play_message: No
      origtime (Reported by Graham Barnett)
 * ASTERISK-24814 - asterisk/lock.h: Fix syntax errors for non-gcc
      OSX with 64 bit integers (Reported by Corey Farrell)
 * ASTERISK-24796 - Codecs and bucket schema's prevent module
      unload (Reported by Corey Farrell)
 * ASTERISK-24724 - 'httpstatus' Web Page Produces Incomplete HTML
      (Reported by Ashley Sanders)
 * ASTERISK-24797 - bridge_softmix: G.729 codec license held
      (Reported by Kevin Harwell)
 * ASTERISK-24800 - Crash in __sip_reliable_xmit due to invalid
      thread ID being passed to pthread_kill (Reported by JoshE)
 * ASTERISK-17721 - Incoming SRTP calls that specify a key lifetime
      fail (Reported by Terry Wilson)
 * ASTERISK-23214 - chan_sip WARNING message 'We are requesting
      SRTP for audio, but they responded without it' is ambiguous and
      wrong in some cases (Reported by Rusty Newton)
 * ASTERISK-15434 - [patch] When ast_pbx_start failed, both an
      error response and BYE are sent to the caller (Reported by
      Makoto Dei)
 * ASTERISK-18105 - most of asterisk modules are unbuildable in
      cygwin environment (Reported by feyfre)
 * ASTERISK-24828 - Fix Frame Leaks (Reported by Kevin Harwell)
 * ASTERISK-24838 - chan_sip: Locking inversion occurs when
      building a peer causes a peer poke during request handling
      (Reported by Richard Mudgett)
 * ASTERISK-24825 - Caller ID not recognized using
      Centrex/Distinctive dialing (Reported by Richard Mudgett)
 * ASTERISK-24739 - [patch] - Out of files -- call fails --
      numerous files with inodes from under /usr/share/zoneinfo,
      mostly posixrules (Reported by Ed Hynan)
 * ASTERISK-23390 - NewExten Event with application AGI shows up
      before and after AGI runs (Reported by Benjamin Keith Ford)
 * ASTERISK-24786 - [patch] - Asterisk terminates when playing a
      voicemail stored in LDAP (Reported by Graham Barnett)
 * ASTERISK-24808 - res_config_odbc: Improper escaping of
      backslashes occurs with MySQL (Reported by Javier Acosta)
 * ASTERISK-20850 - [patch]Nested functions aren't portable.
      Adapting RAII_VAR to use clang/llvm blocks to get the
      same/similar functionality. (Reported by Diederik de Groot)
 * ASTERISK-19470 - Documentation on app_amd is incorrect (Reported
      by Frank DiGennaro)
 * ASTERISK-21038 - Bad command completion of "core set debug
      channel" (Reported by Richard Kenner)
 * ASTERISK-18708 - func_curl hangs channel under load (Reported by
      Dave Cabot)
 * ASTERISK-16779 - Cannot disallow unknown format '' (Reported by
      Atis Lezdins)
 * ASTERISK-24876 - Investigate reference leaks from
      tests/channels/local/local_optimize_away (Reported by Corey
      Farrell)
 * ASTERISK-24817 - init_logger_chain: unreachable code block
      (Reported by Corey Farrell)
 * ASTERISK-24880 - [patch]Compilation under OpenBSD  (Reported by
      snuffy)
 * ASTERISK-24879 - [patch]Compilation fails due to 64bit time
      under OpenBSD (Reported by snuffy)

Improvements made in this release:
-----------------------------------
 * ASTERISK-24790 - Reduce spurious noise in logs from voicemail -
      Couldn't find mailbox %s in context (Reported by Graham Barnett)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.17.0
The Asterisk Development Team has announced security releases for Certified
Asterisk 11.6 and Asterisk 11, 12, and 13. The available security releases are
released as versions 11.6-cert9, 11.14.2, 12.7.2, and 13.0.2.

These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases

The release of these versions resolves the following security vulnerability:

* AST-2014-019: Remote Crash Vulnerability in WebSocket Server

  When handling a WebSocket frame the res_http_websocket module dynamically
  changes the size of the memory used to allow the provided payload to fit. If a
  payload length of zero was received the code would incorrectly attempt to
  resize to zero. This operation would succeed and end up freeing the memory but
  be treated as a failure. When the session was subsequently torn down this
  memory would get freed yet again causing a crash.

For more information about the details of this vulnerability, please read
security advisory AST-2014-019, which was released at the same time as this
announcement.

For a full list of changes in the current releases, please see the ChangeLogs:

http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert9
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.14.2
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.7.2
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.0.2

The security advisory is available at:

 * http://downloads.asterisk.org/pub/security/AST-2014-019.pdf
The Asterisk Development Team has announced security releases for Certified
Asterisk 11.6 and Asterisk 11, 12, and 13. The available security releases are
released as versions 11.6-cert9, 11.14.2, 12.7.2, and 13.0.2.

These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases

The release of these versions resolves the following security vulnerability:

* AST-2014-019: Remote Crash Vulnerability in WebSocket Server

  When handling a WebSocket frame the res_http_websocket module dynamically
  changes the size of the memory used to allow the provided payload to fit. If a
  payload length of zero was received the code would incorrectly attempt to
  resize to zero. This operation would succeed and end up freeing the memory but
  be treated as a failure. When the session was subsequently torn down this
  memory would get freed yet again causing a crash.

For more information about the details of this vulnerability, please read
security advisory AST-2014-019, which was released at the same time as this
announcement.

For a full list of changes in the current releases, please see the ChangeLogs:

http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert9
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.14.2
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.7.2
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.0.2

The security advisory is available at:

 * http://downloads.asterisk.org/pub/security/AST-2014-019.pdf
The Asterisk Development Team has announced the release of Asterisk 11.17.0.
This release is available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk

The release of Asterisk 11.17.0 resolves several issues reported by the
community and would have not been possible without your participation.
Thank you!

The following are the issues resolved in this release:

New Features made in this release:
-----------------------------------
 * ASTERISK-17899 - Handle crypto lifetime in SDES-SRTP negotiation
      (Reported by Dwayne Hubbard)

Bugs fixed in this release:
-----------------------------------
 * ASTERISK-24742 - [patch] Fix ast_odbc_find_table function in
      res_odbc (Reported by ibercom)
 * ASTERISK-22436 - [patch] No BYE to masqueraded channel on INVITE
      with replaces (Reported by Eelco Brolman)
 * ASTERISK-24479 - Enable REF_DEBUG for module references
      (Reported by Corey Farrell)
 * ASTERISK-24701 - Stasis: Write timeout on WebSocket fails to
      fully disconnect underlying socket, leading to events being
      dropped with no additional information (Reported by Matt Jordan)
 * ASTERISK-24772 - ODBC error in realtime sippeers when device
      unregisters under MariaDB (Reported by Richard Miller)
 * ASTERISK-24451 - chan_iax2: reference leak in sched_delay_remove
      (Reported by Corey Farrell)
 * ASTERISK-24799 - [patch] make fails with undefined reference to
      SSLv3_client_method (Reported by Alexander Traud)
 * ASTERISK-24787 - [patch] - Microsoft exchange incompatibility
      for playing back messages stored in IMAP - play_message: No
      origtime (Reported by Graham Barnett)
 * ASTERISK-24814 - asterisk/lock.h: Fix syntax errors for non-gcc
      OSX with 64 bit integers (Reported by Corey Farrell)
 * ASTERISK-24796 - Codecs and bucket schema's prevent module
      unload (Reported by Corey Farrell)
 * ASTERISK-24724 - 'httpstatus' Web Page Produces Incomplete HTML
      (Reported by Ashley Sanders)
 * ASTERISK-24797 - bridge_softmix: G.729 codec license held
      (Reported by Kevin Harwell)
 * ASTERISK-24800 - Crash in __sip_reliable_xmit due to invalid
      thread ID being passed to pthread_kill (Reported by JoshE)
 * ASTERISK-17721 - Incoming SRTP calls that specify a key lifetime
      fail (Reported by Terry Wilson)
 * ASTERISK-23214 - chan_sip WARNING message 'We are requesting
      SRTP for audio, but they responded without it' is ambiguous and
      wrong in some cases (Reported by Rusty Newton)
 * ASTERISK-15434 - [patch] When ast_pbx_start failed, both an
      error response and BYE are sent to the caller (Reported by
      Makoto Dei)
 * ASTERISK-18105 - most of asterisk modules are unbuildable in
      cygwin environment (Reported by feyfre)
 * ASTERISK-24828 - Fix Frame Leaks (Reported by Kevin Harwell)
 * ASTERISK-24838 - chan_sip: Locking inversion occurs when
      building a peer causes a peer poke during request handling
      (Reported by Richard Mudgett)
 * ASTERISK-24825 - Caller ID not recognized using
      Centrex/Distinctive dialing (Reported by Richard Mudgett)
 * ASTERISK-24739 - [patch] - Out of files -- call fails --
      numerous files with inodes from under /usr/share/zoneinfo,
      mostly posixrules (Reported by Ed Hynan)
 * ASTERISK-23390 - NewExten Event with application AGI shows up
      before and after AGI runs (Reported by Benjamin Keith Ford)
 * ASTERISK-24786 - [patch] - Asterisk terminates when playing a
      voicemail stored in LDAP (Reported by Graham Barnett)
 * ASTERISK-24808 - res_config_odbc: Improper escaping of
      backslashes occurs with MySQL (Reported by Javier Acosta)
 * ASTERISK-20850 - [patch]Nested functions aren't portable.
      Adapting RAII_VAR to use clang/llvm blocks to get the
      same/similar functionality. (Reported by Diederik de Groot)
 * ASTERISK-19470 - Documentation on app_amd is incorrect (Reported
      by Frank DiGennaro)
 * ASTERISK-21038 - Bad command completion of "core set debug
      channel" (Reported by Richard Kenner)
 * ASTERISK-18708 - func_curl hangs channel under load (Reported by
      Dave Cabot)
 * ASTERISK-16779 - Cannot disallow unknown format '' (Reported by
      Atis Lezdins)
 * ASTERISK-24876 - Investigate reference leaks from
      tests/channels/local/local_optimize_away (Reported by Corey
      Farrell)
 * ASTERISK-24817 - init_logger_chain: unreachable code block
      (Reported by Corey Farrell)
 * ASTERISK-24880 - [patch]Compilation under OpenBSD  (Reported by
      snuffy)
 * ASTERISK-24879 - [patch]Compilation fails due to 64bit time
      under OpenBSD (Reported by snuffy)

Improvements made in this release:
-----------------------------------
 * ASTERISK-24790 - Reduce spurious noise in logs from voicemail -
      Couldn't find mailbox %s in context (Reported by Graham Barnett)

For a full list of changes in this release, please see the ChangeLog:

http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.17.0
The Asterisk Development Team has announced security releases for Certified
Asterisk 11.6 and Asterisk 11, 12, and 13. The available security releases are
released as versions 11.6-cert9, 11.14.2, 12.7.2, and 13.0.2.

These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases

The release of these versions resolves the following security vulnerability:

* AST-2014-019: Remote Crash Vulnerability in WebSocket Server

  When handling a WebSocket frame the res_http_websocket module dynamically
  changes the size of the memory used to allow the provided payload to fit. If a
  payload length of zero was received the code would incorrectly attempt to
  resize to zero. This operation would succeed and end up freeing the memory but
  be treated as a failure. When the session was subsequently torn down this
  memory would get freed yet again causing a crash.

For more information about the details of this vulnerability, please read
security advisory AST-2014-019, which was released at the same time as this
announcement.

For a full list of changes in the current releases, please see the ChangeLogs:

http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert9
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.14.2
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.7.2
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.0.2

The security advisory is available at:

 * http://downloads.asterisk.org/pub/security/AST-2014-019.pdf
The Asterisk Development Team has announced security releases for Certified
Asterisk 11.6 and Asterisk 11, 12, and 13. The available security releases are
released as versions 11.6-cert9, 11.14.2, 12.7.2, and 13.0.2.

These releases are available for immediate download at
http://downloads.asterisk.org/pub/telephony/asterisk/releases

The release of these versions resolves the following security vulnerability:

* AST-2014-019: Remote Crash Vulnerability in WebSocket Server

  When handling a WebSocket frame the res_http_websocket module dynamically
  changes the size of the memory used to allow the provided payload to fit. If a
  payload length of zero was received the code would incorrectly attempt to
  resize to zero. This operation would succeed and end up freeing the memory but
  be treated as a failure. When the session was subsequently torn down this
  memory would get freed yet again causing a crash.

For more information about the details of this vulnerability, please read
security advisory AST-2014-019, which was released at the same time as this
announcement.

For a full list of changes in the current releases, please see the ChangeLogs:

http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert9
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.14.2
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.7.2
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.0.2

The security advisory is available at:

 * http://downloads.asterisk.org/pub/security/AST-2014-019.pdf
--------------------------------------------------------------------------------
ChangeLog:

* Thu Apr  9 2015 Jeffrey C. Ollie <jeff@xxxxxxxxxx> - 11.17.1-1
- The Asterisk Development Team has announced security releases for Certified
- Asterisk 1.8.28, 11.6, and 13.1 and Asterisk 1.8, 11, 12, and 13. The available
- security releases are released as versions 1.8.28.cert-5, 1.8.32.3, 11.6-cert11,
- 11.17.1, 12.8.2, 13.1-cert2, and 13.3.2.
-
- These releases are available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/releases
-
- The release of these versions resolves the following security vulnerability:
-
- * AST-2015-003: TLS Certificate Common name NULL byte exploit
-
-   When Asterisk registers to a SIP TLS device and and verifies the server,
-   Asterisk will accept signed certificates that match a common name other than
-   the one Asterisk is expecting if the signed certificate has a common name
-   containing a null byte after the portion of the common name that Asterisk
-   expected. This potentially allows for a man in the middle attack.
-
- For more information about the details of this vulnerability, please read
- security advisory AST-2015-003, which was released at the same time as this
- announcement.
-
- For a full list of changes in the current releases, please see the ChangeLogs:
-
- http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.28-cert5
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.32.3
- http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert11
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.17.1
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.8.2
- http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-13.1-cert2
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.3.2
-
- The security advisory is available at:
-
- * http://downloads.asterisk.org/pub/security/AST-2015-003.pdf
* Wed Apr  1 2015 Jeffrey C. Ollie <jeff@xxxxxxxxxx> - 11.17.0-1
- The Asterisk Development Team has announced the release of Asterisk 11.17.0.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 11.17.0 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following are the issues resolved in this release:
-
- New Features made in this release:
- -----------------------------------
-  * ASTERISK-17899 - Handle crypto lifetime in SDES-SRTP negotiation
-       (Reported by Dwayne Hubbard)
-
- Bugs fixed in this release:
- -----------------------------------
-  * ASTERISK-24742 - [patch] Fix ast_odbc_find_table function in
-       res_odbc (Reported by ibercom)
-  * ASTERISK-22436 - [patch] No BYE to masqueraded channel on INVITE
-       with replaces (Reported by Eelco Brolman)
-  * ASTERISK-24479 - Enable REF_DEBUG for module references
-       (Reported by Corey Farrell)
-  * ASTERISK-24701 - Stasis: Write timeout on WebSocket fails to
-       fully disconnect underlying socket, leading to events being
-       dropped with no additional information (Reported by Matt Jordan)
-  * ASTERISK-24772 - ODBC error in realtime sippeers when device
-       unregisters under MariaDB (Reported by Richard Miller)
-  * ASTERISK-24451 - chan_iax2: reference leak in sched_delay_remove
-       (Reported by Corey Farrell)
-  * ASTERISK-24799 - [patch] make fails with undefined reference to
-       SSLv3_client_method (Reported by Alexander Traud)
-  * ASTERISK-24787 - [patch] - Microsoft exchange incompatibility
-       for playing back messages stored in IMAP - play_message: No
-       origtime (Reported by Graham Barnett)
-  * ASTERISK-24814 - asterisk/lock.h: Fix syntax errors for non-gcc
-       OSX with 64 bit integers (Reported by Corey Farrell)
-  * ASTERISK-24796 - Codecs and bucket schema's prevent module
-       unload (Reported by Corey Farrell)
-  * ASTERISK-24724 - 'httpstatus' Web Page Produces Incomplete HTML
-       (Reported by Ashley Sanders)
-  * ASTERISK-24797 - bridge_softmix: G.729 codec license held
-       (Reported by Kevin Harwell)
-  * ASTERISK-24800 - Crash in __sip_reliable_xmit due to invalid
-       thread ID being passed to pthread_kill (Reported by JoshE)
-  * ASTERISK-17721 - Incoming SRTP calls that specify a key lifetime
-       fail (Reported by Terry Wilson)
-  * ASTERISK-23214 - chan_sip WARNING message 'We are requesting
-       SRTP for audio, but they responded without it' is ambiguous and
-       wrong in some cases (Reported by Rusty Newton)
-  * ASTERISK-15434 - [patch] When ast_pbx_start failed, both an
-       error response and BYE are sent to the caller (Reported by
-       Makoto Dei)
-  * ASTERISK-18105 - most of asterisk modules are unbuildable in
-       cygwin environment (Reported by feyfre)
-  * ASTERISK-24828 - Fix Frame Leaks (Reported by Kevin Harwell)
-  * ASTERISK-24838 - chan_sip: Locking inversion occurs when
-       building a peer causes a peer poke during request handling
-       (Reported by Richard Mudgett)
-  * ASTERISK-24825 - Caller ID not recognized using
-       Centrex/Distinctive dialing (Reported by Richard Mudgett)
-  * ASTERISK-24739 - [patch] - Out of files -- call fails --
-       numerous files with inodes from under /usr/share/zoneinfo,
-       mostly posixrules (Reported by Ed Hynan)
-  * ASTERISK-23390 - NewExten Event with application AGI shows up
-       before and after AGI runs (Reported by Benjamin Keith Ford)
-  * ASTERISK-24786 - [patch] - Asterisk terminates when playing a
-       voicemail stored in LDAP (Reported by Graham Barnett)
-  * ASTERISK-24808 - res_config_odbc: Improper escaping of
-       backslashes occurs with MySQL (Reported by Javier Acosta)
-  * ASTERISK-20850 - [patch]Nested functions aren't portable.
-       Adapting RAII_VAR to use clang/llvm blocks to get the
-       same/similar functionality. (Reported by Diederik de Groot)
-  * ASTERISK-19470 - Documentation on app_amd is incorrect (Reported
-       by Frank DiGennaro)
-  * ASTERISK-21038 - Bad command completion of "core set debug
-       channel" (Reported by Richard Kenner)
-  * ASTERISK-18708 - func_curl hangs channel under load (Reported by
-       Dave Cabot)
-  * ASTERISK-16779 - Cannot disallow unknown format '' (Reported by
-       Atis Lezdins)
-  * ASTERISK-24876 - Investigate reference leaks from
-       tests/channels/local/local_optimize_away (Reported by Corey
-       Farrell)
-  * ASTERISK-24817 - init_logger_chain: unreachable code block
-       (Reported by Corey Farrell)
-  * ASTERISK-24880 - [patch]Compilation under OpenBSD  (Reported by
-       snuffy)
-  * ASTERISK-24879 - [patch]Compilation fails due to 64bit time
-       under OpenBSD (Reported by snuffy)
-
- Improvements made in this release:
- -----------------------------------
-  * ASTERISK-24790 - Reduce spurious noise in logs from voicemail -
-       Couldn't find mailbox %s in context (Reported by Graham Barnett)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.17.0
* Wed Apr  1 2015 Jeffrey C. Ollie <jeff@xxxxxxxxxx> - 11.16.0-1
- The Asterisk Development Team has announced the release of Asterisk 11.16.0.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 11.16.0 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following are the issues resolved in this release:
-
- Bugs fixed in this release:
- -----------------------------------
-  * ASTERISK-24472 - Asterisk Crash in OpenSSL when calling over WSS
-       from JSSIP (Reported by Badalian Vyacheslav)
-  * ASTERISK-24614 - Deadlock when DEBUG_THREADS compiler flag
-       enabled (Reported by Richard Mudgett)
-  * ASTERISK-24449 - Reinvite for T.38 UDPTL fails if SRTP is
-       enabled (Reported by Andreas Steinmetz)
-  * ASTERISK-24619 - [patch]Gcc 4.10 fixes in r413589 (1.8) wrongly
-       casts char to unsigned int (Reported by Walter Doekes)
-  * ASTERISK-24337 - Spammy DEBUG message needs to be at a higher
-       level - 'Remote address is null, most likely RTP has been
-       stopped' (Reported by Rusty Newton)
-  * ASTERISK-23733 - 'reload acl' fails if acl.conf is not present
-       on startup (Reported by Richard Kenner)
-  * ASTERISK-24628 - [patch] chan_sip - CANCEL is sent to wrong
-       destination when 'sendrpid=yes' (in proxy environment) (Reported
-       by Karsten Wemheuer)
-  * ASTERISK-24672 - [PATCH] Memory leak in func_curl CURLOPT
-       (Reported by Kristian Høgh)
-  * ASTERISK-20744 - [patch] Security event logging does not work
-       over syslog (Reported by Michael Keuter)
-  * ASTERISK-23850 - Park Application does not respect Return
-       Context Priority (Reported by Andrew Nagy)
-  * ASTERISK-23991 - [patch]asterisk.pc file contains a small error
-       in the CFlags returned (Reported by Diederik de Groot)
-  * ASTERISK-24288 - [patch] - ODBC usage with app_voicemail -
-       voicemail is not deleted after review, hangup (Reported by LEI
-       FU)
-  * ASTERISK-24048 - [patch] contrib/scripts/install_prereq selects
-       32-bit packages on 64-bit hosts (Reported by Ben Klang)
-  * ASTERISK-24709 - [patch] msg_create_from_file used by MixMonitor
-       m() option does not queue an MWI event (Reported by Gareth
-       Palmer)
-  * ASTERISK-24355 - [patch] chan_sip realtime uses case sensitive
-       column comparison for 'defaultuser' (Reported by
-       HZMI8gkCvPpom0tM)
-  * ASTERISK-24719 - ConfBridge recording channels get stuck when
-       recording started/stopped more than once (Reported by Richard
-       Mudgett)
-  * ASTERISK-24715 - chan_sip: stale nonce causes failure (Reported
-       by Kevin Harwell)
-  * ASTERISK-24728 - tcptls: Bad file descriptor error when
-       reloading chan_sip (Reported by Kevin Harwell)
-  * ASTERISK-24676 - Security Vulnerability: URL request injection
-       in libCURL (CVE-2014-8150) (Reported by Matt Jordan)
-  * ASTERISK-24711 - DTLS handshake broken with latest OpenSSL
-       versions (Reported by Jared Biel)
-  * ASTERISK-24646 - PJSIP changeset 4899 breaks TLS (Reported by
-       Stephan Eisvogel)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.16.0
* Wed Apr  1 2015 Jeffrey C. Ollie <jeff@xxxxxxxxxx> - 11.15.1-1
- The Asterisk Development Team has announced security releases for Certified
- Asterisk 1.8.28 and 11.6 and Asterisk 1.8, 11, 12, and 13. The available
- security releases are released as versions 1.8.28.cert-4, 1.8.32.2, 11.6-cert10,
- 11.15.1, 12.8.1, and 13.1.1.
-
- These releases are available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/releases
-
- The release of these versions resolves the following security vulnerabilities:
-
- * AST-2015-001: File descriptor leak when incompatible codecs are offered
-
-                 Asterisk may be configured to only allow specific audio or
-                 video codecs to be used when communicating with a
-                 particular endpoint. When an endpoint sends an SDP offer
-                 that only lists codecs not allowed by Asterisk, the offer
-                 is rejected. However, in this case, RTP ports that are
-                 allocated in the process are not reclaimed.
-
-                 This issue only affects the PJSIP channel driver in
-                 Asterisk. Users of the chan_sip channel driver are not
-                 affected.
-
- * AST-2015-002: Mitigation for libcURL HTTP request injection vulnerability
-
-                 CVE-2014-8150 reported an HTTP request injection
-                 vulnerability in libcURL. Asterisk uses libcURL in its
-                 func_curl.so module (the CURL() dialplan function), as well
-                 as its res_config_curl.so (cURL realtime backend) modules.
-
-                 Since Asterisk may be configured to allow for user-supplied
-                 URLs to be passed to libcURL, it is possible that an
-                 attacker could use Asterisk as an attack vector to inject
-                 unauthorized HTTP requests if the version of libcURL
-                 installed on the Asterisk server is affected by
-                 CVE-2014-8150.
-
- For more information about the details of these vulnerabilities, please read
- security advisory AST-2015-001 and AST-2015-002, which were released at the same
- time as this announcement.
-
- For a full list of changes in the current releases, please see the ChangeLogs:
-
- http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-1.8.28-cert4
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-1.8.32.2
- http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert10
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.15.1
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.8.1
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.1.1
-
- The security advisories are available at:
-
-  * http://downloads.asterisk.org/pub/security/AST-2015-001.pdf
-  * http://downloads.asterisk.org/pub/security/AST-2015-002.pdf
* Wed Apr  1 2015 Jeffrey C. Ollie <jeff@xxxxxxxxxx> - 11.15.0-1
- The Asterisk Development Team has announced the release of Asterisk 11.15.0.
- This release is available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk
-
- The release of Asterisk 11.15.0 resolves several issues reported by the
- community and would have not been possible without your participation.
- Thank you!
-
- The following are the issues resolved in this release:
-
- Bugs fixed in this release:
- -----------------------------------
-  * ASTERISK-20127 - [Regression] Config.c config_text_file_load()
-       unescapes semicolons ("\;" -> ";") turning them into comments
-       (corruption) on rewrite of a config file (Reported by George
-       Joseph)
-  * ASTERISK-24307 - Unintentional memory retention in stringfields
-       (Reported by Etienne Lessard)
-  * ASTERISK-24492 - main/file.c: ast_filestream sometimes causes
-       extra calls to ast_module_unref (Reported by Corey Farrell)
-  * ASTERISK-24504 - chan_console: Fix reference leaks to pvt
-       (Reported by Corey Farrell)
-  * ASTERISK-24468 - Incoming UCS2 encoded SMS truncated if SMS
-       length exceeds 50 (roughly) national symbols (Reported by
-       Dmitriy Bubnov)
-  * ASTERISK-24500 - Regression introduced in chan_mgcp by SVN
-       revision r227276 (Reported by Xavier Hienne)
-  * ASTERISK-20402 - Unable to cancel (features.conf) attended
-       transfer (Reported by Matt Riddell)
-  * ASTERISK-24505 - manager: http connections leak references
-       (Reported by Corey Farrell)
-  * ASTERISK-24502 - Build fails when dev-mode, dont optimize and
-       coverage are enabled (Reported by Corey Farrell)
-  * ASTERISK-24444 - PBX: Crash when generating extension for
-       pattern matching hint (Reported by Leandro Dardini)
-  * ASTERISK-24522 - ConfBridge: delay occurs between kicking all
-       endmarked users when last marked user leaves (Reported by Matt
-       Jordan)
-  * ASTERISK-15242 - transmit_refer leaks sip_refer structures
-       (Reported by David Woolley)
-  * ASTERISK-24440 - Call leak in Confbridge (Reported by Ben Klang)
-  * ASTERISK-24469 - Security Vulnerability: Mixed IPv4/IPv6 ACLs
-       allow blocked addresses through (Reported by Matt Jordan)
-  * ASTERISK-24516 - [patch]Asterisk segfaults when playing back
-       voicemail under high concurrency with an IMAP backend (Reported
-       by David Duncan Ross Palmer)
-  * ASTERISK-24572 - [patch]App_meetme is loaded without its
-       defaults when the configuration file is missing (Reported by
-       Nuno Borges)
-  * ASTERISK-24573 - [patch]Out of sync conversation recording when
-       divided in multiple recordings (Reported by Nuno Borges)
-
- Improvements made in this release:
- -----------------------------------
-  * ASTERISK-24283 - [patch]Microseconds precision in the eventtime
-       column in the cel_odbc module (Reported by Etienne Lessard)
-  * ASTERISK-24530 - [patch] app_record stripping 1/4 second from
-       recordings (Reported by Ben Smithurst)
-  * ASTERISK-24577 - Speed up loopback switches by avoiding unneeded
-       lookups (Reported by Birger "WIMPy" Harzenetter)
-
- For a full list of changes in this release, please see the ChangeLog:
-
- http://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-11.15.0
* Wed Dec 10 2014 Jeffrey C. Ollie <jeff@xxxxxxxxxx> - 11.14.2-1
- The Asterisk Development Team has announced security releases for Certified
- Asterisk 11.6 and Asterisk 11, 12, and 13. The available security releases are
- released as versions 11.6-cert9, 11.14.2, 12.7.2, and 13.0.2.
-
- These releases are available for immediate download at
- http://downloads.asterisk.org/pub/telephony/asterisk/releases
-
- The release of these versions resolves the following security vulnerability:
-
- * AST-2014-019: Remote Crash Vulnerability in WebSocket Server
-
-   When handling a WebSocket frame the res_http_websocket module dynamically
-   changes the size of the memory used to allow the provided payload to fit. If a
-   payload length of zero was received the code would incorrectly attempt to
-   resize to zero. This operation would succeed and end up freeing the memory but
-   be treated as a failure. When the session was subsequently torn down this
-   memory would get freed yet again causing a crash.
-
- For more information about the details of this vulnerability, please read
- security advisory AST-2014-019, which was released at the same time as this
- announcement.
-
- For a full list of changes in the current releases, please see the ChangeLogs:
-
- http://downloads.asterisk.org/pub/telephony/certified-asterisk/releases/ChangeLog-11.6-cert9
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-11.14.2
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-12.7.2
- http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.0.2
-
- The security advisory is available at:
-
-  * http://downloads.asterisk.org/pub/security/AST-2014-019.pdf
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1210225 - CVE-2015-3008 asterisk: TLS Certificate Common name NULL byte exploit
        https://bugzilla.redhat.com/show_bug.cgi?id=1210225
  [ 2 ] Bug #1173002 - CVE-2014-9374 asterisk: Remote Crash Vulnerability in WebSocket Server (AST-2014-019)
        https://bugzilla.redhat.com/show_bug.cgi?id=1173002
--------------------------------------------------------------------------------


================================================================================
 cross-gcc-4.9.2-5.fc20 (FEDORA-2015-5993)
 Cross C compiler
--------------------------------------------------------------------------------
Update Information:

Rebase on gcc-4.9.2-6
--------------------------------------------------------------------------------
ChangeLog:

* Wed Apr  8 2015 David Howells <dhowells@xxxxxxxxxx> - 4.9.2-4
- Rebase on gcc-4.9.2-6 [BZ 1183401].
* Mon Feb  9 2015 David Howells <dhowells@xxxxxxxxxx> - 4.9.2-3
- Need to build-depend on isl-devel and cloog-devel.
* Tue Jan 13 2015 David Howells <dhowells@xxxxxxxxxx> - 4.9.2-2
- Rebase on gcc-4.9.2-5.
- Use binutils-2.25.
* Fri Dec 12 2014 David Howells <dhowells@xxxxxxxxxx> - 4.9.2-1
- Rebase on gcc-4.9.2-2.
* Fri Dec 12 2014 David Howells <dhowells@xxxxxxxxxx> - 4.9.1-3
- Enable libgcc building on sh64 [gcc BZ 61844].
* Sat Aug 16 2014 Fedora Release Engineering <rel-eng@xxxxxxxxxxxxxxxxxxxxxxx> - 4.9.1-2.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Tue Aug 12 2014 Kyle McMartin <kyle@xxxxxxxxxxxxxxxxx> - 4.9.1-2
- Add --with-ld to ensure the cross-compiler can find the appropriate
  linker without having to search high and low. [BZ 1122003]
--------------------------------------------------------------------------------


================================================================================
 dovecot-2.2.16-1.fc20 (FEDORA-2015-5976)
 Secure imap and pop3 server
--------------------------------------------------------------------------------
Update Information:

- dovecot updated to 2.2.16
- auth: Don't crash if master user login is attempted without
  any configured master=yes passdbs
- Parsing UTF-8 text for mails could have caused broken results
  sometimes if buffering was split in the middle of a UTF-8 character.
  This affected at least searching messages.
- String sanitization for some logged output wasn't done properly:
  UTF-8 text could have been truncated wrongly or the truncation may
  not have happened at all.
- fts-lucene: Lookups from virtual mailbox consisting of over 32
  physical mailboxes could have caused crashes.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Mar 16 2015 Michal Hlavinka <mhlavink@xxxxxxxxxx> - 1:2.2.16-1
- dovecot updated to 2.2.16
- auth: Don't crash if master user login is attempted without
  any configured master=yes passdbs
- Parsing UTF-8 text for mails could have caused broken results
  sometimes if buffering was split in the middle of a UTF-8 character.
  This affected at least searching messages.
- String sanitization for some logged output wasn't done properly:
  UTF-8 text could have been truncated wrongly or the truncation may
  not have happened at all.
- fts-lucene: Lookups from virtual mailbox consisting of over 32
  physical mailboxes could have caused crashes.
--------------------------------------------------------------------------------


================================================================================
 globus-gass-copy-9.15-1.fc20 (FEDORA-2015-5984)
 Globus Toolkit - Globus Gass Copy
--------------------------------------------------------------------------------
Update Information:

Globus Toolkit update:

* globus-gass-copy (9.15)

--------------------------------------------------------------------------------
ChangeLog:

* Fri Apr 10 2015 Mattias Ellert <mattias.ellert@xxxxxxxxxxxx> - 9.15-1
- GT6 update (user-specified data channel stack handling, documentation)
--------------------------------------------------------------------------------


================================================================================
 gnupg2-2.0.27-1.fc20 (FEDORA-2015-5969)
 Utility for secure communication and data storage
--------------------------------------------------------------------------------
Update Information:

Updated package from upstream fixing minor security issues.

--------------------------------------------------------------------------------
ChangeLog:

* Fri Apr 10 2015 Tomáš Mráz <tmraz@xxxxxxxxxx> - 2.0.27-1
- new upstream release fixing minor security issues
* Sat Aug 16 2014 Fedora Release Engineering <rel-eng@xxxxxxxxxxxxxxxxxxxxxxx> - 2.0.25-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1178759 - gnupg2: double free in cmd_readkey()
        https://bugzilla.redhat.com/show_bug.cgi?id=1178759
--------------------------------------------------------------------------------


================================================================================
 krb5-1.11.5-20.fc20 (FEDORA-2015-5978)
 The Kerberos network authentication system
--------------------------------------------------------------------------------
Update Information:

Security fix for CVE-2014-5353
(this was fixed in an older build but the announcement was lost)
--------------------------------------------------------------------------------
ChangeLog:

* Thu Mar 19 2015 Roland Mainz <rmainz@xxxxxxxxxx> - 1.11.5-20
- fix for CVE-2014-5355 (#1193939) "krb5: unauthenticated
  denial of service in recvauth_common() and others"
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1174543 - CVE-2014-5353 krb5: NULL pointer dereference when using a ticket policy name as a password policy name
        https://bugzilla.redhat.com/show_bug.cgi?id=1174543
--------------------------------------------------------------------------------


================================================================================
 libzen-0.4.31-1.fc20 (FEDORA-2015-5977)
 Shared library for libmediainfo and medianfo*
--------------------------------------------------------------------------------
Update Information:

update to 0.4.31
--------------------------------------------------------------------------------
ChangeLog:

* Thu Apr  9 2015 Vasiliy N. Glazov <vascom2@xxxxxxxxx> - 0.4.31-1
- update to 0.4.31
* Thu Jan 15 2015 Ivan Romanov <drizt@xxxxxxx> - 0.4.30-4
- added patch to fix building MediaInfo
--------------------------------------------------------------------------------


================================================================================
 linux-firmware-20150410-46.gitec89525b.fc20 (FEDORA-2015-6008)
 Firmware files used by the Linux kernel
--------------------------------------------------------------------------------
Update Information:

Update to the latest upstream git snapshot.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Apr 10 2015 Josh Boyer <jwboyer@xxxxxxxxxxxxxxxxx> 20150415-46.gitec89525b
- Update to the latest upstream git snapshot
* Thu Mar 19 2015 Josh Boyer <jwboyer@xxxxxxxxxxxxxxxxx>
- Ship the cx18x firmware files (rhbz 1203385)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1203385 - Please include cx18 firmware in the linux-firmware package
        https://bugzilla.redhat.com/show_bug.cgi?id=1203385
--------------------------------------------------------------------------------


================================================================================
 openstack-neutron-2013.2.4-8.fc20 (FEDORA-2015-5997)
 OpenStack Networking Service
--------------------------------------------------------------------------------
Update Information:

2013.2.4 rebase; CVE-2014-7821 fixed.
--------------------------------------------------------------------------------
ChangeLog:

* Thu Apr  9 2015 Ihar Hrachyshka <ihrachys@xxxxxxxxxx> 2013.2.4-8
- CVE-2014-7821: Fix hostname validation for nameservers, rhbz#1165887
- CVE-2014-7821: Fix hostname regex pattern, rhbz#1165887
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1165887 - CVE-2014-7821 openstack-neutron: DoS via maliciously crafted dns_nameservers [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1165887
--------------------------------------------------------------------------------


================================================================================
 pcre-8.33-9.fc20 (FEDORA-2015-6007)
 Perl-compatible regular expression library
--------------------------------------------------------------------------------
Update Information:

This release fixes various bugs when compiling regular expressions or matching them which could lead to a process crash. Also infinite loop in pcretest(1) and pcregrep(1) tools when using \K in a lookbehind assertion was fixed.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Apr 10 2015 Petr Pisar <ppisar@xxxxxxxxxx> - 8.33-9
- Fix computing size for pattern with a negated special calss in on-UCP mode
  (bug #1210383)
- Fix compilation of a parenthesized comment (bug #1210410)
- Fix compliation of mutual recursion inside a lookbehind assertion
  (bug #1210417)
- Fix pcregrep loop when \K is used in a lookbehind assertion (bug #1210423)
- Fix pcretest loop when \K is used in a lookbehind assertion (bug #1210423)
- Fix backtracking for \C\X* in UTF-8 mode (bug #1210576)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1210383 - Crash when compiling /[\\S\\V\\H]/8
        https://bugzilla.redhat.com/show_bug.cgi?id=1210383
  [ 2 ] Bug #1210410 - Internal error when compiling /(?1)(?#?'){8}(a)/
        https://bugzilla.redhat.com/show_bug.cgi?id=1210410
  [ 3 ] Bug #1210417 - Crash when compiling /(?<=((?2))((?1)))/
        https://bugzilla.redhat.com/show_bug.cgi?id=1210417
  [ 4 ] Bug #1210423 - pcregrep -o '(?<=\\Ka)' does not halt
        https://bugzilla.redhat.com/show_bug.cgi?id=1210423
  [ 5 ] Bug #1210576 - Crash when matching /\\C\\X*/ in UTF-8 mode
        https://bugzilla.redhat.com/show_bug.cgi?id=1210576
--------------------------------------------------------------------------------


================================================================================
 perl-MCE-1.608-1.fc20 (FEDORA-2015-6009)
 Many-core Engine for Perl providing parallel processing capabilities
--------------------------------------------------------------------------------
Update Information:

A new version of MCE is available. See http://cpansearch.perl.org/src/MARIOROY/MCE-1.608/CHANGES for details on changes in this release.
A new version of MCE is available. See http://search.cpan.org/src/MARIOROY/MCE-1.606/CHANGES for details on changes in this release.
A new version of MCE is available. See http://cpansearch.perl.org/src/MARIOROY/MCE-1.605/CHANGES for details on changes in this release.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Apr 10 2015 Petr Šabata <contyk@xxxxxxxxxx> - 1.608-1
- 1.608 bump
* Thu Apr  9 2015 Petr Šabata <contyk@xxxxxxxxxx> - 1.606-1
- 1.606 bump
* Wed Apr  8 2015 Petr Šabata <contyk@xxxxxxxxxx> - 1.605-1
- 1.605 bump
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1210734 - perl-MCE-1.608 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1210734
  [ 2 ] Bug #1210119 - perl-MCE-1.606 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1210119
  [ 3 ] Bug #1209148 - perl-MCE-1.605 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1209148
--------------------------------------------------------------------------------


================================================================================
 phpMyAdmin-4.4.1.1-1.fc20 (FEDORA-2015-5994)
 Handle the administration of MySQL over the World Wide Web
--------------------------------------------------------------------------------
Update Information:

phpMyAdmin 4.4.1.1 (2015-04-08)
===============================

Some debugging code slipped into the 4.4.1 codebase, producing messages in the web server's error log.


phpMyAdmin 4.4.1.0 (2015-04-07)
===============================

  - MySQL 5.7.6 and the Users menu tab
  - MySQL 5.7.6 and changing the password for another user
  - Request URI too large
  - MySQL 5.7.6 and Databases
  - Use 'server' parameter in console to work in multi server environments
  - Missing tooltip in monitor
  - Missing sort icons in monitor
  - Inline edit broken when using functions in query
  - Timed-out import fails to restart when file represented
  - pMA DB not detected properly
  - Datepicker missing when changing number of rows on Insert page
  - INNODB STATUS page is empty
  - JavaScript is loaded in wrong order
  - TEXT formatting doesn't work after inline editing
  - Compress when php.ini output_buffering is active
  - Sorting distinct values result loses links
  - Do not attach token to css requests to improve caching


phpMyAdmin 4.4.0 (2015-04-01)
=============================

Welcome to phpMyAdmin 4.4.0, an incremental feature release including many bug fixes.

A complete list of new features and bugs fixed is available in the ChangeLog file or changelog.php included with this release.

A few highlights:

  * Rename configuration directive from $cfg['NavigationTreeDisableDatabaseExpansion'] to $cfg['NavigationTreeEnableExpansion'] -- if used, please update your config.inc.php
  * Move the SQL scripts to create phpMyAdmin configuration storage from 'examples' to 'sql' directory
  * Upgrade Recaptcha to version 2 of the API
  * Added support for the SSL GRANT option
  * Improvements to the table structure and tracking pages
  * Improvements to the console feature
  * Improvements to the ZeroConf feature

There are many more; please refer to the ChangeLog for full details.

As always, downloads are available at http://www.phpmyadmin.net

The phpMyAdmin Team
--------------------------------------------------------------------------------
ChangeLog:

* Fri Apr 10 2015 Robert Scheck <robert@xxxxxxxxxxxxxxxxx> 4.4.1.1-1
- Upgrade to 4.4.1.1 (#1208320)

- Mon Apr 06 2015 Robert Scheck <robert@xxxxxxxxxxxxxxxxx> 4.4.0-1
- Upgrade to 4.4.0 (thanks to Remi Collet)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1208320 - phpMyAdmin-4.4.1.1 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1208320
--------------------------------------------------------------------------------


================================================================================
 pyotherside-1.4.0-4.fc20 (FEDORA-2015-5983)
 Asynchronous Python 3 Bindings for Qt 5
--------------------------------------------------------------------------------
Update Information:

Initial PyOtherSide package
--------------------------------------------------------------------------------


================================================================================
 python-2.7.5-16.fc20 (FEDORA-2015-6010)
 An interpreted, interactive, object-oriented programming language
--------------------------------------------------------------------------------
Update Information:

Security fix for CVE-2013-1752


                                                                                                  
multiple unbound readline() DoS flaws in python stdlib                                            
                                                                                  
following fixes (which all relates to this CVE) are in this patch:                                
* ftplib: Limit amount of data read by limiting the call to readline(). #16038                    
* imaplib: limit line length in imaplib readline calls. #16039                                    
* nntplib: Limit maximum line lengths to 2048 to prevent readline() calls from consuming too much memory. #16040                                                 
* poplib: limit maximum line length that we read from the network #16041                          
* smtplib: limit amount read from the network #16042 
--------------------------------------------------------------------------------
ChangeLog:

* Fri Apr 10 2015 Robert Kuska <rkuska@xxxxxxxxxx> - 2.7.5-16
- Fix CVE-2013-1752 multiple unbound readline() DoS flaws in python stdlib
Resolves: rhbz#1159200
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1046174 - CVE-2013-1752 python: multiple unbound readline() DoS flaws in python stdlib
        https://bugzilla.redhat.com/show_bug.cgi?id=1046174
--------------------------------------------------------------------------------


================================================================================
 python-virtualenv-12.0.7-1.fc20 (FEDORA-2015-6006)
 Tool to create isolated Python environments
--------------------------------------------------------------------------------
Update Information:

Security fix for CVE-2013-5123
--------------------------------------------------------------------------------
ChangeLog:

* Mon Mar 16 2015 Matej Stuchlik <mstuchli@xxxxxxxxxx> - 12.0.7-1
- Update to 12.0.7
* Thu Jan 15 2015 Matthias Runge <mrunge@xxxxxxxxxx> - 1.11.6-2
- add a python3-package, thanks to Matej Stuchlik (rhbz#1179150)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1066692 - CVE-2013-5123 python-pip: insecure software download with mirroring support
        https://bugzilla.redhat.com/show_bug.cgi?id=1066692
--------------------------------------------------------------------------------


================================================================================
 qterminal-0.6.0-2.fc20 (FEDORA-2015-5998)
 Advanced terminal emulator
--------------------------------------------------------------------------------
Update Information:

Rebuild with new qtermwidget
--------------------------------------------------------------------------------
ChangeLog:

* Fri Apr 10 2015 TI_Eugene <ti.eugene@xxxxxxxxx> - 0.6.0-2
- Rebuild with new qtermwidget
--------------------------------------------------------------------------------


================================================================================
 qtermwidget-0.6.0-2.fc20 (FEDORA-2015-5982)
 Qt4 terminal widget
--------------------------------------------------------------------------------
Update Information:

qt-virt-manager compatible patch added
--------------------------------------------------------------------------------
ChangeLog:

* Fri Apr 10 2015 TI_Eugene <ti.eugene@xxxxxxxxx> - 0.6.0-2
- qt-virt-manager compatible patch added
--------------------------------------------------------------------------------


================================================================================
 yourls-1.7-3.20150410gitabc7d6c.fc20 (FEDORA-2015-5972)
 Your Own URL Shortener
--------------------------------------------------------------------------------
Update Information:

Update to the latest master from git
--------------------------------------------------------------------------------
ChangeLog:

* Fri Apr 10 2015 Martin Krizek <mkrizek@xxxxxxxxxx> - 1.7-3.20150410gitabc7d6c
- Update to the latest master from git
- Fix bz #1157335
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1157335 - CVE-2014-8488 yourls: cross-site scripting (XSS) flaw
        https://bugzilla.redhat.com/show_bug.cgi?id=1157335
--------------------------------------------------------------------------------

-- 
test mailing list
test@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe:
https://admin.fedoraproject.org/mailman/listinfo/test





[Index of Archives]     [Fedora Desktop]     [Fedora SELinux]     [Photo Sharing]     [Yosemite Forum]     [KDE Users]

  Powered by Linux