The following Fedora 22 Security updates need testing:

 Age (days)  URL
 430  https://bodhi.fedoraproject.org/updates/FEDORA-2015-5878   echoping-6.1-0.beta.r434svn.1.fc22
 379  https://bodhi.fedoraproject.org/updates/FEDORA-2015-9185   ceph-deploy-1.5.25-1.fc22
 312  https://bodhi.fedoraproject.org/updates/FEDORA-2015-12781   python-kdcproxy-0.3.2-1.fc22
 266  https://bodhi.fedoraproject.org/updates/FEDORA-2015-16239   nagios-4.0.8-1.fc22
 254  https://bodhi.fedoraproject.org/updates/FEDORA-2015-2d37e7dacf   openstack-swift-2.2.0-6.fc22
 224  https://bodhi.fedoraproject.org/updates/FEDORA-2015-9039c25f1d   miniupnpc-1.9-6.fc22
 206  https://bodhi.fedoraproject.org/updates/FEDORA-2015-7dfbe09bb4   libpng-1.6.16-4.fc22
 206  https://bodhi.fedoraproject.org/updates/FEDORA-2015-6c07ab1fa6   libpng-1.6.16-5.fc22
 173  https://bodhi.fedoraproject.org/updates/FEDORA-2015-b9e4c97ff1   sos-3.2-2.fc22
 147  https://bodhi.fedoraproject.org/updates/FEDORA-2015-f683150aa0   thttpd-2.25b-37.fc22
 123  https://bodhi.fedoraproject.org/updates/FEDORA-2016-560802e52b   xdelta-3.0.7-7.fc22
 112  https://bodhi.fedoraproject.org/updates/FEDORA-2016-24d134e494   mingw-nsis-2.50-1.fc22
  99  https://bodhi.fedoraproject.org/updates/FEDORA-2016-3cbe9ad765   python-pygments-2.1.3-1.fc22
  60  https://bodhi.fedoraproject.org/updates/FEDORA-2016-a028331ebc   poppler-0.30.0-4.fc22
  31  https://bodhi.fedoraproject.org/updates/FEDORA-2016-73a5867050   squid-3.5.10-4.fc22
  17  https://bodhi.fedoraproject.org/updates/FEDORA-2016-f5107c318e   webkitgtk4-2.12.3-1.fc22
  11  https://bodhi.fedoraproject.org/updates/FEDORA-2016-363d307082   gd-2.1.1-4.fc22
  11  https://bodhi.fedoraproject.org/updates/FEDORA-2016-40ccaff4d1   GraphicsMagick-1.3.24-1.fc22
  10  https://bodhi.fedoraproject.org/updates/FEDORA-2016-fe9112a9ff   sudo-1.8.15-2.fc22
   9  https://bodhi.fedoraproject.org/updates/FEDORA-2016-c3bd6a3496   ntp-4.2.6p5-41.fc22
   2  https://bodhi.fedoraproject.org/updates/FEDORA-2016-45402a6f3b   iperf3-3.1.3-1.fc22
   2  https://bodhi.fedoraproject.org/updates/FEDORA-2016-3daf782dfa   kernel-4.4.13-200.fc22
   0  https://bodhi.fedoraproject.org/updates/FEDORA-2016-3b49c9aa49   nfdump-1.6.15-1.fc22
   0  https://bodhi.fedoraproject.org/updates/FEDORA-2016-03c0ed3127   php-zendframework-zendxml-1.0.2-2.fc22, php-ZendFramework2-2.4.10-1.fc22


The following Fedora 22 Critical Path updates have yet to be approved:

 Age (days)  URL
 305  https://bodhi.fedoraproject.org/updates/FEDORA-2015-13210   yum-3.4.3-508.fc22
 224  https://bodhi.fedoraproject.org/updates/FEDORA-2015-2123de044f   libgphoto2-2.5.8-1.fc22
 206  https://bodhi.fedoraproject.org/updates/FEDORA-2015-6c07ab1fa6   libpng-1.6.16-5.fc22
 206  https://bodhi.fedoraproject.org/updates/FEDORA-2015-7dfbe09bb4   libpng-1.6.16-4.fc22
  60  https://bodhi.fedoraproject.org/updates/FEDORA-2016-a028331ebc   poppler-0.30.0-4.fc22
  57  https://bodhi.fedoraproject.org/updates/FEDORA-2016-027faabac4   libreport-2.6.4-2.fc22, abrt-2.6.1-11.fc22
  55  https://bodhi.fedoraproject.org/updates/FEDORA-2016-af1f30412b   pygtk2-2.24.0-14.fc22
  51  https://bodhi.fedoraproject.org/updates/FEDORA-2016-41df7ccbc8   lldpad-1.0.1-4.git036e314.fc22
  11  https://bodhi.fedoraproject.org/updates/FEDORA-2016-363d307082   gd-2.1.1-4.fc22
  10  https://bodhi.fedoraproject.org/updates/FEDORA-2016-fe9112a9ff   sudo-1.8.15-2.fc22
   7  https://bodhi.fedoraproject.org/updates/FEDORA-2016-2cdb5d5a7c   vim-7.4.1868-1.fc22
   4  https://bodhi.fedoraproject.org/updates/FEDORA-2016-409af1ecfd   lua-5.3.3-1.fc22
   2  https://bodhi.fedoraproject.org/updates/FEDORA-2016-22cdb97bb4   thunderbird-45.1.1-1.fc22
   2  https://bodhi.fedoraproject.org/updates/FEDORA-2016-f4a2bc1983   mdadm-3.3.4-3.fc22
   2  https://bodhi.fedoraproject.org/updates/FEDORA-2016-3daf782dfa   kernel-4.4.13-200.fc22
   0  https://bodhi.fedoraproject.org/updates/FEDORA-2016-26df5bf249   nss-util-3.24.0-1.0.fc22, nss-softokn-3.24.0-1.0.fc22, nss-3.24.0-1.0.fc22


The following builds have been pushed to Fedora 22 updates-testing

    fuse-emulator-1.2.0-2.fc22
    fuse-emulator-utils-1.2.0-3.fc22
    glibc-arm-linux-gnu-2.23-4.fc22
    libspectrum-1.2.0-2.fc22
    lilypond-2.19.43-1.fc22
    lilypond-doc-2.19.43-1.fc22
    nfdump-1.6.15-1.fc22
    nss-3.24.0-1.2.fc22
    nss-softokn-3.24.0-1.0.fc22
    nss-util-3.24.0-1.0.fc22
    php-ZendFramework2-2.4.10-1.fc22
    php-libvirt-0.5.2-1.fc22
    php-zendframework-zendxml-1.0.2-2.fc22

Details about builds:


================================================================================
 fuse-emulator-1.2.0-2.fc22 (FEDORA-2016-519e1fbbf9)
 The Free UNIX Spectrum Emulator
--------------------------------------------------------------------------------
Update Information:

Update to latest upstream. Use correct libspectrum version.
----
Updated to latest upstream.
----
Update to the latest upstream.
--------------------------------------------------------------------------------

================================================================================
 fuse-emulator-utils-1.2.0-3.fc22 (FEDORA-2016-519e1fbbf9)
 Additional utils for the Fuse spectrum emulator
--------------------------------------------------------------------------------
Update Information:

Update to latest upstream. Use correct libspectrum version.
----
Updated to latest upstream.
----
Update to the latest upstream.
--------------------------------------------------------------------------------

================================================================================
 glibc-arm-linux-gnu-2.23-4.fc22 (FEDORA-2016-19fabfc432)
 Cross Compiled GNU C Library targeted at arm-linux-gnu
--------------------------------------------------------------------------------
Update Information:

New package.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1312963 - Review Request: glibc-arm-linux-gnu - Cross Compiled GNU C Library targeted at arm-linux-gnu
        https://bugzilla.redhat.com/show_bug.cgi?id=1312963
--------------------------------------------------------------------------------

================================================================================
 libspectrum-1.2.0-2.fc22 (FEDORA-2016-519e1fbbf9)
 A library for reading spectrum emulator file formats
--------------------------------------------------------------------------------
Update Information:

Update to latest upstream. Use correct libspectrum version.
----
Updated to latest upstream.
----
Update to the latest upstream.
--------------------------------------------------------------------------------

================================================================================
 lilypond-2.19.43-1.fc22 (FEDORA-2016-f52724ba1f)
 A typesetting system for music notation
--------------------------------------------------------------------------------
Update Information:

2.19.43
--------------------------------------------------------------------------------

================================================================================
 lilypond-doc-2.19.43-1.fc22 (FEDORA-2016-f52724ba1f)
 HTML documentation for LilyPond
--------------------------------------------------------------------------------
Update Information:

2.19.43
--------------------------------------------------------------------------------

================================================================================
 nfdump-1.6.15-1.fc22 (FEDORA-2016-3b49c9aa49)
 NetFlow collecting and processing tools
--------------------------------------------------------------------------------
Update Information:

nfdump 1.6.15 released.
---
- Fix security issue reported in
  http://www.security-assessment.com/files/documents/advisory/Nfdump%20nfcapd%201.6.14%20-%20Multiple%20Vulnerabilities.pdf
- Fix obyte, opps and obps output records
- Fix wrong bps type case in cvs output. Fix opbs ipbs typos

nfdump 1.6.14 released.
---
- Create libnfdump for dynamic linking
- Add -R to ModifyCompression
- Add std sampler ID 4 Bytes and allow random sampler (tag 50)
- Add BZ2 compression along existing LZ0
- Add direct write to flowtools converter ft2nfdump
- Fix CentOS compile issues with flow-tools converter
- Fix FreeBSD, OpenBSD build problems
- Fix timestamp overflow in sflow.c
- Fix IP fragmentation in sflow collector
- Fix compile errors on other platforms
- Fix zero alignment bug, if only half of an extension is sent
- Fix nfanon time window bug in subsequent files in -R list
- Fix CommonRecordV0Type conversion bug
- Fix nfexport bug, if only one single map exists
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1335204 - nfdump: multiple remote denial of service vulnerabilities
        https://bugzilla.redhat.com/show_bug.cgi?id=1335204
--------------------------------------------------------------------------------

================================================================================
 nss-3.24.0-1.2.fc22 (FEDORA-2016-26df5bf249)
 Network Security Services
--------------------------------------------------------------------------------
Update Information:

Updates the nss family of packages to upstream NSS 3.24.
For details about new functionality and a list of bugs fixed in this release
please see the upstream release notes:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.24_release_notes
--------------------------------------------------------------------------------

================================================================================
 nss-softokn-3.24.0-1.0.fc22 (FEDORA-2016-26df5bf249)
 Network Security Services Softoken Module
--------------------------------------------------------------------------------
Update Information:

Updates the nss family of packages to upstream NSS 3.24.
For details about new functionality and a list of bugs fixed in this release
please see the upstream release notes:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.24_release_notes
--------------------------------------------------------------------------------

================================================================================
 nss-util-3.24.0-1.0.fc22 (FEDORA-2016-26df5bf249)
 Network Security Services Utilities Library
--------------------------------------------------------------------------------
Update Information:

Updates the nss family of packages to upstream NSS 3.24.
For details about new functionality and a list of bugs fixed in this release
please see the upstream release notes:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.24_release_notes
--------------------------------------------------------------------------------

================================================================================
 php-ZendFramework2-2.4.10-1.fc22 (FEDORA-2016-03c0ed3127)
 Zend Framework 2
--------------------------------------------------------------------------------
Update Information:

## 2.4.10 (2016-05-09)

- Fix HeaderValue throwing an exception on legal characters

## 2.4.9 (2015-11-23)

### SECURITY UPDATES

- **ZF2015-09**: `Zend\Captcha\Word` generates a "word" for a CAPTCHA challenge by
  selecting a sequence of random letters from a character set. Prior to this
  vulnerability announcement, the selection was performed using PHP's internal
  `array_rand()` function. This function does not generate sufficient entropy,
  because it is backed by `rand()` rather than a cryptographically secure source
  such as `openssl_random_pseudo_bytes()`. This could lead to information
  disclosure should an attacker be able to predict or brute-force the random
  number generation. This release contains a patch that replaces the
  `array_rand()` calls with `Zend\Math\Rand::getInteger()`, which provides a
  better RNG.
- **ZF2015-10**: `Zend\Crypt\PublicKey\Rsa\PublicKey` has a call to
  `openssl_public_encrypt()` which used PHP's default `$padding` argument,
  `OPENSSL_PKCS1_PADDING`, i.e. PKCS#1 v1.5 padding. This padding has a known
  vulnerability, [Bleichenbacher's chosen-ciphertext attack](http://crypto.stackexchange.com/questions/12688/can-you-explain-bleichenbachers-cca-attack-on-pkcs1-v1-5):
  an attacker who can tell whether a submitted ciphertext decrypts to validly
  padded data can decrypt other ciphertexts (or forge signatures) under that key
  without ever learning the key itself (the CVE entry below describes the impact
  as recovery of the RSA private key). This release contains a patch that changes
  the padding argument to `OPENSSL_PKCS1_OAEP_PADDING`.

  Users upgrading to this version may have issues decrypting previously stored
  values, due to the change in padding. If this occurs, you can pass the constant
  `OPENSSL_PKCS1_PADDING` to a new `$padding` argument in
  `Zend\Crypt\PublicKey\Rsa::encrypt()` and `decrypt()` (though typically this
  should only apply to the latter):

  ```php
  $decrypted = $rsa->decrypt($data, $key, $mode, OPENSSL_PKCS1_PADDING);
  ```

  where `$rsa` is an instance of `Zend\Crypt\PublicKey\Rsa`. (The `$key` and
  `$mode` argument defaults are `null` and `Zend\Crypt\PublicKey\Rsa::MODE_AUTO`,
  if you were not using them previously.) We recommend re-encrypting any such
  values using the new defaults.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1343990 - [epel7][security] php-ZendFramework2-2.4.10 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1343990
  [ 2 ] Bug #1289318 - CVE-2015-7503 php-ZendFramework2: Usage of vulnerable PKCS#1 v1.5 padding allows to recover RSA private key [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1289318
  [ 3 ] Bug #1343995 - [f23][f22][security] php-ZendFramework2-2.4.10 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1343995
  [ 4 ] Bug #1289317 - CVE-2015-7503 php-ZendFramework2: Usage of vulnerable PKCS#1 v1.5 padding allows to recover RSA private key [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1289317
--------------------------------------------------------------------------------

================================================================================
 php-libvirt-0.5.2-1.fc22 (FEDORA-2016-466d863873)
 PHP language bindings for Libvirt
--------------------------------------------------------------------------------
Update Information:

Upgrade to 0.5.2 to support newer libvirt capabilities
--------------------------------------------------------------------------------

================================================================================
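The padding change described under ZF2015-10 in the php-ZendFramework2-2.4.10-1.fc22 entry above, as an added example that is not part of the update notes or of Zend Framework itself. It uses PHP's openssl extension directly instead of `Zend\Crypt\PublicKey\Rsa`, generates a throwaway RSA key pair in memory, and shows the pre-fix call (padding left at PHP's default, PKCS#1 v1.5), the fixed call (explicit OAEP), why an OAEP decrypt rejects a value stored under the old padding, and the one-time migration the notes recommend. Every function name here (`makeRsaKeyPair`, `encryptLegacy`, `encryptOaep`, `decrypt`, `migrateLegacyValue`) and the sample secret are constructed for this example.

```php
<?php
// Added example (not Zend Framework or Fedora code): ZF2015-10 padding change
// shown with PHP's openssl extension. Key pair is generated in memory so the
// script runs stand-alone; the secret below is constructed sample input.
declare(strict_types=1);

function makeRsaKeyPair(int $bits = 2048): array
{
    $res = openssl_pkey_new([
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
        'private_key_bits' => $bits,
    ]);
    if ($res === false) {
        throw new RuntimeException('key generation failed: ' . openssl_error_string());
    }
    openssl_pkey_export($res, $privatePem);             // PEM private key
    $publicPem = openssl_pkey_get_details($res)['key']; // PEM public key
    return [$publicPem, $privatePem];
}

// Before the fix: no $padding argument, so PHP applies OPENSSL_PKCS1_PADDING
// (PKCS#1 v1.5), the scheme Bleichenbacher's attack targets.
function encryptLegacy(string $plaintext, string $publicPem): string
{
    if (!openssl_public_encrypt($plaintext, $ciphertext, $publicPem)) {
        throw new RuntimeException('encrypt failed: ' . openssl_error_string());
    }
    return $ciphertext;
}

// After the fix: OAEP padding passed explicitly, never relying on the default.
function encryptOaep(string $plaintext, string $publicPem): string
{
    if (!openssl_public_encrypt($plaintext, $ciphertext, $publicPem, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('encrypt failed: ' . openssl_error_string());
    }
    return $ciphertext;
}

// Decrypt with OAEP by default; the legacy padding is only ever selected
// explicitly, mirroring the new $padding argument on Rsa::decrypt().
// Any failure collapses to null so the caller does not become an oracle that
// distinguishes "bad padding" from other decryption errors.
function decrypt(string $ciphertext, string $privatePem, int $padding = OPENSSL_PKCS1_OAEP_PADDING): ?string
{
    if (!openssl_private_decrypt($ciphertext, $plaintext, $privatePem, $padding)) {
        return null;
    }
    return $plaintext;
}

// One-time migration for values stored before the upgrade: decrypt with the
// old padding, then re-encrypt under OAEP and store the result instead.
function migrateLegacyValue(string $legacyCiphertext, string $publicPem, string $privatePem): string
{
    $plaintext = decrypt($legacyCiphertext, $privatePem, OPENSSL_PKCS1_PADDING);
    if ($plaintext === null) {
        throw new RuntimeException('legacy value did not decrypt with PKCS#1 v1.5 padding');
    }
    return encryptOaep($plaintext, $publicPem);
}

[$publicPem, $privatePem] = makeRsaKeyPair();
$secret = 'db-password-example';               // constructed sample secret

// What an installation running the old code would have stored.
$legacy = encryptLegacy($secret, $publicPem);

// The new default (OAEP) refuses the old ciphertext: this is the "issues
// decrypting previously stored values" the update notes warn about.
if (decrypt($legacy, $privatePem) !== null) {
    throw new LogicException('OAEP decrypt must not accept a PKCS#1 v1.5 ciphertext');
}
// Selecting the legacy padding explicitly still reads it.
if (decrypt($legacy, $privatePem, OPENSSL_PKCS1_PADDING) !== $secret) {
    throw new LogicException('legacy decrypt failed');
}

// Migrate once, then only the OAEP form is kept.
$migrated = migrateLegacyValue($legacy, $publicPem, $privatePem);
if (decrypt($migrated, $privatePem) !== $secret) {
    throw new LogicException('migrated value does not decrypt under OAEP');
}
echo "legacy value migrated to OAEP padding\n";
```

Run it with the php CLI; it exits non-zero with a LogicException if any of the three checks fails. Two points to keep from the example when applying it to real code: pass `OPENSSL_PKCS1_PADDING` only in the migration path and never as a permanent default, and keep decryption failures indistinguishable to callers, since an OAEP decryptor that reports which internal check failed has a chosen-ciphertext attack of its own (Manger's).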
 php-zendframework-zendxml-1.0.2-2.fc22 (FEDORA-2016-03c0ed3127)
 Zend Framework ZendXml component
--------------------------------------------------------------------------------
Update Information:

Part of the same update as php-ZendFramework2-2.4.10-1.fc22 (FEDORA-2016-03c0ed3127);
the update notes (2.4.10, 2.4.9 with ZF2015-09 and ZF2015-10) and the references
(Bug #1343990, #1289318, #1343995, #1289317) are identical to that entry above.
--------------------------------------------------------------------------------

--
test mailing list
test@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe:
https://lists.fedoraproject.org/admin/lists/test@xxxxxxxxxxxxxxxxxxxxxxx