The following Fedora 23 Security updates need testing:

 Age  URL
 266  https://bodhi.fedoraproject.org/updates/FEDORA-2015-16240        nagios-4.0.8-1.fc23
 224  https://bodhi.fedoraproject.org/updates/FEDORA-2015-81ded368fe   miniupnpc-1.9-6.fc23
 197  https://bodhi.fedoraproject.org/updates/FEDORA-2015-27392b3324   jbig2dec-0.12-2.fc23
 147  https://bodhi.fedoraproject.org/updates/FEDORA-2015-dd52a54fa1   python-pymongo-3.0.3-1.fc23
 147  https://bodhi.fedoraproject.org/updates/FEDORA-2015-06a7c972e8   thttpd-2.25b-37.fc23
 112  https://bodhi.fedoraproject.org/updates/FEDORA-2016-637618fcd4   mingw-nsis-2.50-1.fc23
  67  https://bodhi.fedoraproject.org/updates/FEDORA-2016-b8f91621c7   optipng-0.7.6-1.fc23
  31  https://bodhi.fedoraproject.org/updates/FEDORA-2016-b3b9407940   squid-3.5.10-4.fc23
  11  https://bodhi.fedoraproject.org/updates/FEDORA-2016-7a878ed298   GraphicsMagick-1.3.24-1.fc23
   9  https://bodhi.fedoraproject.org/updates/FEDORA-2016-89e0874533   ntp-4.2.6p5-41.fc23
   7  https://bodhi.fedoraproject.org/updates/FEDORA-2016-0f550603a5   xen-4.5.3-7.fc23
   2  https://bodhi.fedoraproject.org/updates/FEDORA-2016-9693e82a25   iperf3-3.1.3-1.fc23
   2  https://bodhi.fedoraproject.org/updates/FEDORA-2016-80edb9d511   kernel-4.5.7-200.fc23
   0  https://bodhi.fedoraproject.org/updates/FEDORA-2016-54dfd21f15   nfdump-1.6.15-1.fc23
   0  https://bodhi.fedoraproject.org/updates/FEDORA-2016-8952105d59   php-zendframework-zendxml-1.0.2-2.fc23
                                                                     php-ZendFramework2-2.4.10-1.fc23


The following Fedora 23 Critical Path updates have yet to be approved:

 Age  URL
   7  https://bodhi.fedoraproject.org/updates/FEDORA-2016-28873e4832   vim-7.4.1868-1.fc23
   7  https://bodhi.fedoraproject.org/updates/FEDORA-2016-fad11727bf   PackageKit-1.1.1-2.fc23
                                                                     appstream-data-23-11.fc23
                                                                     fwupd-0.7.1-1.fc23
                                                                     gnome-software-3.20.3-1.fc23.1
                                                                     json-glib-1.2.0-1.fc23
                                                                     libappstream-glib-0.5.14-1.fc23
                                                                     libgusb-0.2.9-1.fc23
   2  https://bodhi.fedoraproject.org/updates/FEDORA-2016-80edb9d511   kernel-4.5.7-200.fc23
   0  https://bodhi.fedoraproject.org/updates/FEDORA-2016-342d89590d   nss-3.24.0-1.3.fc23


The following builds have been pushed to Fedora 23 updates-testing

    docker-1.10.3-32.gitee81b72.fc23
    fuse-emulator-1.2.0-2.fc23
    fuse-emulator-utils-1.2.0-3.fc23
    glibc-arm-linux-gnu-2.23-4.fc23
    libmtp-1.1.11-1.fc23
    libspectrum-1.2.0-2.fc23
    lilypond-2.19.43-1.fc23
    lilypond-doc-2.19.43-1.fc23
    nfdump-1.6.15-1.fc23
    nitroshare-0.3.1-3.20160612git930c9b7.fc23
    nss-3.24.0-1.3.fc23
    openslide-python-1.1.1-1.fc23
    php-ZendFramework2-2.4.10-1.fc23
    php-libvirt-0.5.2-1.fc23
    php-zendframework-zendxml-1.0.2-2.fc23

Details about builds:


================================================================================
 docker-1.10.3-32.gitee81b72.fc23 (FEDORA-2016-0db55e627c)
 Automates deployment of containerized applications
--------------------------------------------------------------------------------
Update Information:

remove MountFlags=slave from docker.service
--------------------------------------------------------------------------------


================================================================================
 fuse-emulator-1.2.0-2.fc23 (FEDORA-2016-7ecfe10490)
 The Free UNIX Spectrum Emulator
--------------------------------------------------------------------------------
Update Information:

Update to latest upstream. Use correct libspectrum version.
----
Updated to latest upstream.
----
Update to the latest upstream.
--------------------------------------------------------------------------------


================================================================================
 fuse-emulator-utils-1.2.0-3.fc23 (FEDORA-2016-7ecfe10490)
 Additional utils for the Fuse spectrum emulator
--------------------------------------------------------------------------------
Update Information:

Update to latest upstream. Use correct libspectrum version.
----
Updated to latest upstream.
----
Update to the latest upstream.
--------------------------------------------------------------------------------


================================================================================
 glibc-arm-linux-gnu-2.23-4.fc23 (FEDORA-2016-91e8c1cf59)
 Cross Compiled GNU C Library targeted at arm-linux-gnu
--------------------------------------------------------------------------------
Update Information:

New package.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1312963 - Review Request: glibc-arm-linux-gnu - Cross Compiled GNU C Library targeted at arm-linux-gnu
        https://bugzilla.redhat.com/show_bug.cgi?id=1312963
--------------------------------------------------------------------------------


================================================================================
 libmtp-1.1.11-1.fc23 (FEDORA-2016-e292660489)
 A software library for MTP media players
--------------------------------------------------------------------------------
Update Information:

Update to 1.1.11
--------------------------------------------------------------------------------


================================================================================
 libspectrum-1.2.0-2.fc23 (FEDORA-2016-7ecfe10490)
 A library for reading spectrum emulator file formats
--------------------------------------------------------------------------------
Update Information:

Update to latest upstream. Use correct libspectrum version.
----
Updated to latest upstream.
----
Update to the latest upstream.
--------------------------------------------------------------------------------


================================================================================
 lilypond-2.19.43-1.fc23 (FEDORA-2016-524b697689)
 A typesetting system for music notation
--------------------------------------------------------------------------------
Update Information:

2.19.43
--------------------------------------------------------------------------------


================================================================================
 lilypond-doc-2.19.43-1.fc23 (FEDORA-2016-524b697689)
 HTML documentation for LilyPond
--------------------------------------------------------------------------------
Update Information:

2.19.43
--------------------------------------------------------------------------------


================================================================================
 nfdump-1.6.15-1.fc23 (FEDORA-2016-54dfd21f15)
 NetFlow collecting and processing tools
--------------------------------------------------------------------------------
Update Information:

nfdump 1.6.15 released.
---
- Fix Security issue http://www.security-assessment.com/files/documents/advisory/Nfdump%20nfcapd%201.6.14%20-%20Multiple%20Vulnerabilities.pdf
- Fix obyte, opps and obps output records
- Fix wrong bps type case in cvs output. Fix opbs ipbs typos

nfdump 1.6.14 released.
---
- Create libnfdump for dynamic linking
- Add -R to ModifyCompression
- Add std sampler ID 4 Bytes and allow random sampler (tag 50)
- Add BZ2 compression along existing LZ0
- Add direct write to flowtools converter ft2nfdump
- Fix CentOS compile issues with flow-tools converter
- Fix FreeBSD,OpenBSD build problems
- Fix timestamp overflow in sflow.c
- Fix IP Fragmentation in sflow collector
- Fix compile errors on other platforms
- Fix zero alignment bug, if only half of an extension is sent
- Fix nfanon time window bug in subsequent files in -R list
- Fix CommonRecordV0Type conversion bug
- Fix nfexport bug, if only one single map exists
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1335204 - nfdump: multiple remote denial of service vulnerabilities
        https://bugzilla.redhat.com/show_bug.cgi?id=1335204
--------------------------------------------------------------------------------


================================================================================
 nitroshare-0.3.1-3.20160612git930c9b7.fc23 (FEDORA-2016-62f9ce37df)
 Transfer files from one device to another made extremely simple
--------------------------------------------------------------------------------
Update Information:

initial package, rhbz#1338553
- use git snapshot with several bugfixes
- add Qt5Svg as dependency
----
initial package, rhbz#1338553
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1338553 - Review Request: nitroshare - Transfer files from one device to another made extremely simple
        https://bugzilla.redhat.com/show_bug.cgi?id=1338553
--------------------------------------------------------------------------------


================================================================================
 nss-3.24.0-1.3.fc23 (FEDORA-2016-342d89590d)
 Network Security Services
--------------------------------------------------------------------------------
Update Information:
Restore support for sslkeylog file in optimized builds. This was lost with the
rebase to nss-3.24 which removed the support that allows to analyze TLS traffic.
The NSS_ALLOW_SSLKEYLOGFILE was introduced and set to zero by default and users
had to explicitly set it. With this update sslkeylog support is restored as it
was in nss-3.23.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1343239 - Update to nss 3.24.0 removes sslkeylogfile file support
        https://bugzilla.redhat.com/show_bug.cgi?id=1343239
--------------------------------------------------------------------------------


================================================================================
 openslide-python-1.1.1-1.fc23 (FEDORA-2016-ec27c04532)
 Python bindings for the OpenSlide library
--------------------------------------------------------------------------------
Update Information:

* Change default Deep Zoom tile size to 254 pixels to improve viewer performance
* Fix some "unclosed file" ResourceWarnings on Python 3
* Improve object reprs
--------------------------------------------------------------------------------


================================================================================
 php-ZendFramework2-2.4.10-1.fc23 (FEDORA-2016-8952105d59)
 Zend Framework 2
--------------------------------------------------------------------------------
Update Information:

## 2.4.10 (2016-05-09)

- Fix HeaderValue throwing an exception on legal characters

## 2.4.9 (2015-11-23)

### SECURITY UPDATES

- **ZF2015-09**: `Zend\Captcha\Word` generates a "word" for a CAPTCHA challenge
  by selecting a sequence of random letters from a character set. Prior to this
  vulnerability announcement, the selection was performed using PHP's internal
  `array_rand()` function. This function does not generate sufficient entropy
  due to its usage of `rand()` instead of more cryptographically secure methods
  such as `openssl_pseudo_random_bytes()`. This could potentially lead to
  information disclosure should an attacker be able to brute force the random
  number generation. This release contains a patch that replaces the
  `array_rand()` calls to use `Zend\Math\Rand::getInteger()`, which provides
  better RNG.
- **ZF2015-10**: `Zend\Crypt\PublicKey\Rsa\PublicKey` has a call to
  `openssl_public_encrypt()` which used PHP's default `$padding` argument, which
  specifies `OPENSSL_PKCS1_PADDING`, indicating usage of PKCS1v1.5 padding. This
  padding has a known vulnerability, the [Bleichenbacher's chosen-ciphertext
  attack](http://crypto.stackexchange.com/questions/12688/can-you-explain-bleichenbachers-cca-attack-on-pkcs1-v1-5),
  which can be used to recover an RSA private key. This release contains a patch
  that changes the padding argument to use `OPENSSL_PKCS1_OAEP_PADDING`.

  Users upgrading to this version may have issues decrypting previously stored
  values, due to the change in padding. If this occurs, you can pass the
  constant `OPENSSL_PKCS1_PADDING` to a new `$padding` argument in
  `Zend\Crypt\PublicKey\Rsa::encrypt()` and `decrypt()` (though typically this
  should only apply to the latter):

  ```php
  $decrypted = $rsa->decrypt($data, $key, $mode, OPENSSL_PKCS1_PADDING);
  ```

  where `$rsa` is an instance of `Zend\Crypt\PublicKey\Rsa`. (The `$key` and
  `$mode` argument defaults are `null` and `Zend\Crypt\PublicKey\Rsa::MODE_AUTO`,
  if you were not using them previously.)

  We recommend re-encrypting any such values using the new defaults.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1343990 - [epel7][security] php-ZendFramework2-2.4.10 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1343990
  [ 2 ] Bug #1289318 - CVE-2015-7503 php-ZendFramework2: Usage of vulnerable PKCS#1 v1.5 padding allows to recover RSA private key [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1289318
  [ 3 ] Bug #1343995 - [f23][f22][security] php-ZendFramework2-2.4.10 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1343995
  [ 4 ] Bug #1289317 - CVE-2015-7503 php-ZendFramework2: Usage of vulnerable PKCS#1 v1.5 padding allows to recover RSA private key [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1289317
--------------------------------------------------------------------------------


================================================================================
 php-libvirt-0.5.2-1.fc23 (FEDORA-2016-78932b5bee)
 PHP language bindings for Libvirt
--------------------------------------------------------------------------------
Update Information:

Upgrade to 0.5.2 to support newer libvirt capabilities
--------------------------------------------------------------------------------


================================================================================
 php-zendframework-zendxml-1.0.2-2.fc23 (FEDORA-2016-8952105d59)
 Zend Framework ZendXml component
--------------------------------------------------------------------------------
Update Information:

## 2.4.10 (2016-05-09)

- Fix HeaderValue throwing an exception on legal characters

## 2.4.9 (2015-11-23)

### SECURITY UPDATES

- **ZF2015-09**: `Zend\Captcha\Word` generates a "word" for a CAPTCHA challenge
  by selecting a sequence of random letters from a character set. Prior to this
  vulnerability announcement, the selection was performed using PHP's internal
  `array_rand()` function. This function does not generate sufficient entropy
  due to its usage of `rand()` instead of more cryptographically secure methods
  such as `openssl_pseudo_random_bytes()`. This could potentially lead to
  information disclosure should an attacker be able to brute force the random
  number generation. This release contains a patch that replaces the
  `array_rand()` calls to use `Zend\Math\Rand::getInteger()`, which provides
  better RNG.
- **ZF2015-10**: `Zend\Crypt\PublicKey\Rsa\PublicKey` has a call to
  `openssl_public_encrypt()` which used PHP's default `$padding` argument, which
  specifies `OPENSSL_PKCS1_PADDING`, indicating usage of PKCS1v1.5 padding. This
  padding has a known vulnerability, the [Bleichenbacher's chosen-ciphertext
  attack](http://crypto.stackexchange.com/questions/12688/can-you-explain-bleichenbachers-cca-attack-on-pkcs1-v1-5),
  which can be used to recover an RSA private key. This release contains a patch
  that changes the padding argument to use `OPENSSL_PKCS1_OAEP_PADDING`.

  Users upgrading to this version may have issues decrypting previously stored
  values, due to the change in padding. If this occurs, you can pass the
  constant `OPENSSL_PKCS1_PADDING` to a new `$padding` argument in
  `Zend\Crypt\PublicKey\Rsa::encrypt()` and `decrypt()` (though typically this
  should only apply to the latter):

  ```php
  $decrypted = $rsa->decrypt($data, $key, $mode, OPENSSL_PKCS1_PADDING);
  ```

  where `$rsa` is an instance of `Zend\Crypt\PublicKey\Rsa`. (The `$key` and
  `$mode` argument defaults are `null` and `Zend\Crypt\PublicKey\Rsa::MODE_AUTO`,
  if you were not using them previously.)

  We recommend re-encrypting any such values using the new defaults.
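The padding change behind ZF2015-10, and the one-time migration of values stored under the old padding, as an added example that is not part of this report or of Zend Framework (it applies to both the php-ZendFramework2 and php-zendframework-zendxml entries above). It calls PHP's OpenSSL functions directly rather than the `Zend\Crypt\PublicKey\Rsa` wrapper; the helper names and the throwaway key pair are assumptions made for the demo.

```php
<?php
// Added example: a throwaway RSA key pair stands in for the deployment's real keys.
$keypair   = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$publicKey = openssl_pkey_get_details($keypair)['key'];

// Before ZF 2.4.9: the padding argument was left at PHP's default, which is
// OPENSSL_PKCS1_PADDING (PKCS#1 v1.5), the scheme Bleichenbacher's attack targets.
function legacy_encrypt(string $plaintext, string $publicKey): string
{
    openssl_public_encrypt($plaintext, $ciphertext, $publicKey); // implicit PKCS1 v1.5 padding
    return base64_encode($ciphertext);
}

// After ZF 2.4.9: OAEP padding is selected explicitly.
function oaep_encrypt(string $plaintext, string $publicKey): string
{
    if (!openssl_public_encrypt($plaintext, $ciphertext, $publicKey, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('encrypt failed: ' . openssl_error_string());
    }
    return base64_encode($ciphertext);
}

// Decrypt with OAEP by default; the padding can be overridden, exactly as the
// changelog's new $padding argument on Rsa::decrypt() allows.
function rsa_decrypt(string $b64, $privateKey, int $padding = OPENSSL_PKCS1_OAEP_PADDING): string
{
    if (!openssl_private_decrypt(base64_decode($b64), $plaintext, $privateKey, $padding)) {
        throw new RuntimeException('decrypt failed: ' . openssl_error_string());
    }
    return $plaintext;
}

// A value encrypted before the upgrade (constructed here with the legacy padding).
$legacyStored = legacy_encrypt('stored-secret', $publicKey);

// Migration: the new default refuses the old value, so decrypt it once with
// OPENSSL_PKCS1_PADDING, re-encrypt under OAEP, and store the new ciphertext.
try {
    rsa_decrypt($legacyStored, $keypair);
    echo "value already uses OAEP padding\n";
} catch (RuntimeException $e) {
    $plain    = rsa_decrypt($legacyStored, $keypair, OPENSSL_PKCS1_PADDING);
    $migrated = oaep_encrypt($plain, $publicKey);
    assert(rsa_decrypt($migrated, $keypair) === 'stored-secret');
    echo "re-encrypted under OPENSSL_PKCS1_OAEP_PADDING\n";
}
```

Once every stored value has been re-encrypted, nothing needs the legacy padding any more and the `OPENSSL_PKCS1_PADDING` override should be dropped from the code path.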
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1343990 - [epel7][security] php-ZendFramework2-2.4.10 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1343990
  [ 2 ] Bug #1289318 - CVE-2015-7503 php-ZendFramework2: Usage of vulnerable PKCS#1 v1.5 padding allows to recover RSA private key [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1289318
  [ 3 ] Bug #1343995 - [f23][f22][security] php-ZendFramework2-2.4.10 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1343995
  [ 4 ] Bug #1289317 - CVE-2015-7503 php-ZendFramework2: Usage of vulnerable PKCS#1 v1.5 padding allows to recover RSA private key [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1289317
--------------------------------------------------------------------------------

--
test mailing list
test@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe: https://lists.fedoraproject.org/admin/lists/test@xxxxxxxxxxxxxxxxxxxxxxx