Fedora 23 updates-testing report

The following Fedora 23 Security updates need testing:
 Age  URL
 266  https://bodhi.fedoraproject.org/updates/FEDORA-2015-16240   nagios-4.0.8-1.fc23
 224  https://bodhi.fedoraproject.org/updates/FEDORA-2015-81ded368fe   miniupnpc-1.9-6.fc23
 197  https://bodhi.fedoraproject.org/updates/FEDORA-2015-27392b3324   jbig2dec-0.12-2.fc23
 147  https://bodhi.fedoraproject.org/updates/FEDORA-2015-dd52a54fa1   python-pymongo-3.0.3-1.fc23
 147  https://bodhi.fedoraproject.org/updates/FEDORA-2015-06a7c972e8   thttpd-2.25b-37.fc23
 112  https://bodhi.fedoraproject.org/updates/FEDORA-2016-637618fcd4   mingw-nsis-2.50-1.fc23
  67  https://bodhi.fedoraproject.org/updates/FEDORA-2016-b8f91621c7   optipng-0.7.6-1.fc23
  31  https://bodhi.fedoraproject.org/updates/FEDORA-2016-b3b9407940   squid-3.5.10-4.fc23
  11  https://bodhi.fedoraproject.org/updates/FEDORA-2016-7a878ed298   GraphicsMagick-1.3.24-1.fc23
   9  https://bodhi.fedoraproject.org/updates/FEDORA-2016-89e0874533   ntp-4.2.6p5-41.fc23
   7  https://bodhi.fedoraproject.org/updates/FEDORA-2016-0f550603a5   xen-4.5.3-7.fc23
   2  https://bodhi.fedoraproject.org/updates/FEDORA-2016-9693e82a25   iperf3-3.1.3-1.fc23
   2  https://bodhi.fedoraproject.org/updates/FEDORA-2016-80edb9d511   kernel-4.5.7-200.fc23
   0  https://bodhi.fedoraproject.org/updates/FEDORA-2016-54dfd21f15   nfdump-1.6.15-1.fc23
   0  https://bodhi.fedoraproject.org/updates/FEDORA-2016-8952105d59   php-zendframework-zendxml-1.0.2-2.fc23 php-ZendFramework2-2.4.10-1.fc23


The following Fedora 23 Critical Path updates have yet to be approved:
 Age URL
   7  https://bodhi.fedoraproject.org/updates/FEDORA-2016-28873e4832   vim-7.4.1868-1.fc23
   7  https://bodhi.fedoraproject.org/updates/FEDORA-2016-fad11727bf   PackageKit-1.1.1-2.fc23 appstream-data-23-11.fc23 fwupd-0.7.1-1.fc23 gnome-software-3.20.3-1.fc23.1 json-glib-1.2.0-1.fc23 libappstream-glib-0.5.14-1.fc23 libgusb-0.2.9-1.fc23
   2  https://bodhi.fedoraproject.org/updates/FEDORA-2016-80edb9d511   kernel-4.5.7-200.fc23
   0  https://bodhi.fedoraproject.org/updates/FEDORA-2016-342d89590d   nss-3.24.0-1.3.fc23


The following builds have been pushed to Fedora 23 updates-testing

    docker-1.10.3-32.gitee81b72.fc23
    fuse-emulator-1.2.0-2.fc23
    fuse-emulator-utils-1.2.0-3.fc23
    glibc-arm-linux-gnu-2.23-4.fc23
    libmtp-1.1.11-1.fc23
    libspectrum-1.2.0-2.fc23
    lilypond-2.19.43-1.fc23
    lilypond-doc-2.19.43-1.fc23
    nfdump-1.6.15-1.fc23
    nitroshare-0.3.1-3.20160612git930c9b7.fc23
    nss-3.24.0-1.3.fc23
    openslide-python-1.1.1-1.fc23
    php-ZendFramework2-2.4.10-1.fc23
    php-libvirt-0.5.2-1.fc23
    php-zendframework-zendxml-1.0.2-2.fc23

Details about builds:


================================================================================
 docker-1.10.3-32.gitee81b72.fc23 (FEDORA-2016-0db55e627c)
 Automates deployment of containerized applications
--------------------------------------------------------------------------------
Update Information:

remove MountFlags=slave from docker.service
--------------------------------------------------------------------------------


================================================================================
 fuse-emulator-1.2.0-2.fc23 (FEDORA-2016-7ecfe10490)
 The Free UNIX Spectrum Emulator
--------------------------------------------------------------------------------
Update Information:

Update to latest upstream. Use correct libspectrum version.  ----  Updated to
latest upstream.  ----  Update to the latest upstream.
--------------------------------------------------------------------------------


================================================================================
 fuse-emulator-utils-1.2.0-3.fc23 (FEDORA-2016-7ecfe10490)
 Additional utils for the Fuse spectrum emulator
--------------------------------------------------------------------------------
Update Information:

Update to latest upstream. Use correct libspectrum version.  ----  Updated to
latest upstream.  ----  Update to the latest upstream.
--------------------------------------------------------------------------------


================================================================================
 glibc-arm-linux-gnu-2.23-4.fc23 (FEDORA-2016-91e8c1cf59)
 Cross Compiled GNU C Library targeted at arm-linux-gnu
--------------------------------------------------------------------------------
Update Information:

New package.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1312963 - Review Request: glibc-arm-linux-gnu - Cross Compiled GNU C Library targeted at arm-linux-gnu
        https://bugzilla.redhat.com/show_bug.cgi?id=1312963
--------------------------------------------------------------------------------


================================================================================
 libmtp-1.1.11-1.fc23 (FEDORA-2016-e292660489)
 A software library for MTP media players
--------------------------------------------------------------------------------
Update Information:

Update to 1.1.11
--------------------------------------------------------------------------------


================================================================================
 libspectrum-1.2.0-2.fc23 (FEDORA-2016-7ecfe10490)
 A library for reading spectrum emulator file formats
--------------------------------------------------------------------------------
Update Information:

Update to latest upstream. Use correct libspectrum version.  ----  Updated to
latest upstream.  ----  Update to the latest upstream.
--------------------------------------------------------------------------------


================================================================================
 lilypond-2.19.43-1.fc23 (FEDORA-2016-524b697689)
 A typesetting system for music notation
--------------------------------------------------------------------------------
Update Information:

2.19.43
--------------------------------------------------------------------------------


================================================================================
 lilypond-doc-2.19.43-1.fc23 (FEDORA-2016-524b697689)
 HTML documentation for LilyPond
--------------------------------------------------------------------------------
Update Information:

2.19.43
--------------------------------------------------------------------------------


================================================================================
 nfdump-1.6.15-1.fc23 (FEDORA-2016-54dfd21f15)
 NetFlow collecting and processing tools
--------------------------------------------------------------------------------
Update Information:

nfdump 1.6.15 released.
---
- Fix Security issue
  http://www.security-assessment.com/files/documents/advisory/Nfdump%20nfcapd%201.6.14%20-%20Multiple%20Vulnerabilities.pdf
- Fix obyte, opps and obps output records
- Fix wrong bps type case in cvs output. Fix opbs ipbs typos

nfdump 1.6.14 released.
---
- Create libnfdump for dynamic linking
- Add -R to ModifyCompression
- Add std sampler ID 4 Bytes and allow random sampler (tag 50)
- Add BZ2 compression along existing LZ0
- Add direct write to flowtools converter ft2nfdump
- Fix CentOS compile issues with flow-tools converter
- Fix FreeBSD,OpenBSD build problems
- Fix timestamp overflow in sflow.c
- Fix IP Fragmentation in sflow collector
- Fix compile errors on other platforms
- Fix zero alignment bug, if only half of an extension is sent
- Fix nfanon time window bug in subsequent files in -R list
- Fix CommonRecordV0Type conversion bug
- Fix nfexport bug, if only one single map exists
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1335204 - nfdump: multiple remote denial of service vulnerabilities
        https://bugzilla.redhat.com/show_bug.cgi?id=1335204
--------------------------------------------------------------------------------


================================================================================
 nitroshare-0.3.1-3.20160612git930c9b7.fc23 (FEDORA-2016-62f9ce37df)
 Transfer files from one device to another made extremely simple
--------------------------------------------------------------------------------
Update Information:

initial package, rhbz#1338553
- use git snapshot with several bugfixes
- add Qt5Svg as dependency

----

initial package, rhbz#1338553
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1338553 - Review Request: nitroshare - Transfer files from one device to another made extremely simple
        https://bugzilla.redhat.com/show_bug.cgi?id=1338553
--------------------------------------------------------------------------------


================================================================================
 nss-3.24.0-1.3.fc23 (FEDORA-2016-342d89590d)
 Network Security Services
--------------------------------------------------------------------------------
Update Information:

Restore support for the sslkeylog file in optimized builds. This was lost with
the rebase to nss-3.24, which removed the support that allows analyzing TLS
traffic. NSS_ALLOW_SSLKEYLOGFILE was introduced and set to zero by default, and
users had to set it explicitly. With this update, sslkeylog support is restored
as it was in nss-3.23.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1343239 - Update to nss 3.24.0 removes sslkeylogfile file support
        https://bugzilla.redhat.com/show_bug.cgi?id=1343239
--------------------------------------------------------------------------------


================================================================================
 openslide-python-1.1.1-1.fc23 (FEDORA-2016-ec27c04532)
 Python bindings for the OpenSlide library
--------------------------------------------------------------------------------
Update Information:

 * Change default Deep Zoom tile size to 254 pixels to improve viewer
   performance
 * Fix some "unclosed file" ResourceWarnings on Python 3
 * Improve object reprs
--------------------------------------------------------------------------------


================================================================================
 php-ZendFramework2-2.4.10-1.fc23 (FEDORA-2016-8952105d59)
 Zend Framework 2
--------------------------------------------------------------------------------
Update Information:

## 2.4.10 (2016-05-09)

- Fix HeaderValue throwing an exception on legal characters

## 2.4.9 (2015-11-23)

### SECURITY UPDATES

- **ZF2015-09**: `Zend\Captcha\Word` generates a "word" for a CAPTCHA challenge
  by selecting a sequence of random letters from a character set. Prior to this
  vulnerability announcement, the selection was performed using PHP's internal
  `array_rand()` function. This function does not generate sufficient entropy
  due to its usage of `rand()` instead of more cryptographically secure methods
  such as `openssl_pseudo_random_bytes()`. This could potentially lead to
  information disclosure should an attacker be able to brute force the random
  number generation. This release contains a patch that replaces the
  `array_rand()` calls to use `Zend\Math\Rand::getInteger()`, which provides
  better RNG.
- **ZF2015-10**: `Zend\Crypt\PublicKey\Rsa\PublicKey` has a call to
  `openssl_public_encrypt()` which used PHP's default `$padding` argument, which
  specifies `OPENSSL_PKCS1_PADDING`, indicating usage of PKCS1v1.5 padding. This
  padding has a known vulnerability, the
  [Bleichenbacher's chosen-ciphertext attack](http://crypto.stackexchange.com/questions/12688/can-you-explain-bleichenbachers-cca-attack-on-pkcs1-v1-5),
  which can be used to recover an RSA private key. This release contains a patch
  that changes the padding argument to use `OPENSSL_PKCS1_OAEP_PADDING`.

  Users upgrading to this version may have issues decrypting previously stored
  values, due to the change in padding. If this occurs, you can pass the
  constant `OPENSSL_PKCS1_PADDING` to a new `$padding` argument in
  `Zend\Crypt\PublicKey\Rsa::encrypt()` and `decrypt()` (though typically this
  should only apply to the latter):

  ```php
  $decrypted = $rsa->decrypt($data, $key, $mode, OPENSSL_PKCS1_PADDING);
  ```

  where `$rsa` is an instance of `Zend\Crypt\PublicKey\Rsa`.

  (The `$key` and `$mode` argument defaults are `null` and
  `Zend\Crypt\PublicKey\Rsa::MODE_AUTO`, if you were not using them previously.)

  We recommend re-encrypting any such values using the new defaults.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1343990 - [epel7][security] php-ZendFramework2-2.4.10 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1343990
  [ 2 ] Bug #1289318 - CVE-2015-7503 php-ZendFramework2: Usage of vulnerable PKCS#1 v1.5 padding allows to recover RSA private key [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1289318
  [ 3 ] Bug #1343995 - [f23][f22][security] php-ZendFramework2-2.4.10 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1343995
  [ 4 ] Bug #1289317 - CVE-2015-7503 php-ZendFramework2: Usage of vulnerable PKCS#1 v1.5 padding allows to recover RSA private key [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1289317
--------------------------------------------------------------------------------


================================================================================
 php-libvirt-0.5.2-1.fc23 (FEDORA-2016-78932b5bee)
 PHP language bindings for Libvirt
--------------------------------------------------------------------------------
Update Information:

Upgrade to 0.5.2 to support newer libvirt capabilities
--------------------------------------------------------------------------------


================================================================================
 php-zendframework-zendxml-1.0.2-2.fc23 (FEDORA-2016-8952105d59)
 Zend Framework ZendXml component
--------------------------------------------------------------------------------
Update Information:

## 2.4.10 (2016-05-09)

- Fix HeaderValue throwing an exception on legal characters

## 2.4.9 (2015-11-23)

### SECURITY UPDATES

- **ZF2015-09**: `Zend\Captcha\Word` generates a "word" for a CAPTCHA challenge
  by selecting a sequence of random letters from a character set. Prior to this
  vulnerability announcement, the selection was performed using PHP's internal
  `array_rand()` function. This function does not generate sufficient entropy
  due to its usage of `rand()` instead of more cryptographically secure methods
  such as `openssl_pseudo_random_bytes()`. This could potentially lead to
  information disclosure should an attacker be able to brute force the random
  number generation. This release contains a patch that replaces the
  `array_rand()` calls to use `Zend\Math\Rand::getInteger()`, which provides
  better RNG.
- **ZF2015-10**: `Zend\Crypt\PublicKey\Rsa\PublicKey` has a call to
  `openssl_public_encrypt()` which used PHP's default `$padding` argument, which
  specifies `OPENSSL_PKCS1_PADDING`, indicating usage of PKCS1v1.5 padding. This
  padding has a known vulnerability, the
  [Bleichenbacher's chosen-ciphertext attack](http://crypto.stackexchange.com/questions/12688/can-you-explain-bleichenbachers-cca-attack-on-pkcs1-v1-5),
  which can be used to recover an RSA private key. This release contains a patch
  that changes the padding argument to use `OPENSSL_PKCS1_OAEP_PADDING`.

  Users upgrading to this version may have issues decrypting previously stored
  values, due to the change in padding. If this occurs, you can pass the
  constant `OPENSSL_PKCS1_PADDING` to a new `$padding` argument in
  `Zend\Crypt\PublicKey\Rsa::encrypt()` and `decrypt()` (though typically this
  should only apply to the latter):

  ```php
  $decrypted = $rsa->decrypt($data, $key, $mode, OPENSSL_PKCS1_PADDING);
  ```

  where `$rsa` is an instance of `Zend\Crypt\PublicKey\Rsa`.

  (The `$key` and `$mode` argument defaults are `null` and
  `Zend\Crypt\PublicKey\Rsa::MODE_AUTO`, if you were not using them previously.)

  We recommend re-encrypting any such values using the new defaults.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1343990 - [epel7][security] php-ZendFramework2-2.4.10 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1343990
  [ 2 ] Bug #1289318 - CVE-2015-7503 php-ZendFramework2: Usage of vulnerable PKCS#1 v1.5 padding allows to recover RSA private key [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1289318
  [ 3 ] Bug #1343995 - [f23][f22][security] php-ZendFramework2-2.4.10 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1343995
  [ 4 ] Bug #1289317 - CVE-2015-7503 php-ZendFramework2: Usage of vulnerable PKCS#1 v1.5 padding allows to recover RSA private key [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1289317
--------------------------------------------------------------------------------