The following Fedora 23 Security updates need testing:

 Age  URL
 384  https://bodhi.fedoraproject.org/updates/FEDORA-2015-16240       nagios-4.0.8-1.fc23
 342  https://bodhi.fedoraproject.org/updates/FEDORA-2015-81ded368fe  miniupnpc-1.9-6.fc23
 315  https://bodhi.fedoraproject.org/updates/FEDORA-2015-27392b3324  jbig2dec-0.12-2.fc23
 265  https://bodhi.fedoraproject.org/updates/FEDORA-2015-dd52a54fa1  python-pymongo-3.0.3-1.fc23
 265  https://bodhi.fedoraproject.org/updates/FEDORA-2015-06a7c972e8  thttpd-2.25b-37.fc23
 230  https://bodhi.fedoraproject.org/updates/FEDORA-2016-637618fcd4  mingw-nsis-2.50-1.fc23
 106  https://bodhi.fedoraproject.org/updates/FEDORA-2016-fcccb0a547  nodejs-0.10.46-1.fc23
  84  https://bodhi.fedoraproject.org/updates/FEDORA-2016-70b5173c05  ecryptfs-utils-111-1.fc23
  72  https://bodhi.fedoraproject.org/updates/FEDORA-2016-8d79ade826  flex-2.6.0-2.fc23
  61  https://bodhi.fedoraproject.org/updates/FEDORA-2016-c2ec9c716e  redis-3.2.3-1.fc23
  54  https://bodhi.fedoraproject.org/updates/FEDORA-2016-d6288f555c  libarchive-3.2.1-3.fc23 python-libarchive-c-2.5-1.fc23
  52  https://bodhi.fedoraproject.org/updates/FEDORA-2016-47dc2b203f  firewalld-0.4.3.3-1.fc23
  38  https://bodhi.fedoraproject.org/updates/FEDORA-2016-b3a6435b14  dhcpcd-6.11.3-1.fc23
  29  https://bodhi.fedoraproject.org/updates/FEDORA-2016-ed1c402851  thunderbird-45.3.0-1.fc23
  12  https://bodhi.fedoraproject.org/updates/FEDORA-2016-97454404fe  openssl-1.0.2j-1.fc23
  12  https://bodhi.fedoraproject.org/updates/FEDORA-2016-0551065fe0  irssi-0.8.20-2.fc23
  11  https://bodhi.fedoraproject.org/updates/FEDORA-2016-3795497354  python-django-1.8.15-1.fc23
   8  https://bodhi.fedoraproject.org/updates/FEDORA-2016-3af8b344f1  bind-9.10.4-2.P3.fc23
   8  https://bodhi.fedoraproject.org/updates/FEDORA-2016-cbef6c8619  bind99-9.9.9-2.P3.fc23
   8  https://bodhi.fedoraproject.org/updates/FEDORA-2016-1b9d24c2b6  zathura-pdf-mupdf-0.3.0-2.fc23 mujs-0-5.20160921git5c337af.fc23
   8  https://bodhi.fedoraproject.org/updates/FEDORA-2016-7aa3c89e7b  c-ares-1.12.0-1.fc23
   8  https://bodhi.fedoraproject.org/updates/FEDORA-2016-f15168439d  bash-4.3.42-5.fc23
   8  https://bodhi.fedoraproject.org/updates/FEDORA-2016-bb007a4097  openssh-7.2p2-6.fc23
   6  https://bodhi.fedoraproject.org/updates/FEDORA-2016-8e4e733bef  systemd-222-17.fc23
   4  https://bodhi.fedoraproject.org/updates/FEDORA-2016-c0f589bd32  perl-DBD-MySQL-4.033-3.fc23
   4  https://bodhi.fedoraproject.org/updates/FEDORA-2016-2e50862950  chromium-53.0.2785.143-1.fc23
   4  https://bodhi.fedoraproject.org/updates/FEDORA-2016-5cbcad7a9a  freeimage-3.17.0-7.fc23
   4  https://bodhi.fedoraproject.org/updates/FEDORA-2016-cca868c95f  mingw-freeimage-3.17.0-4.fc23
   4  https://bodhi.fedoraproject.org/updates/FEDORA-2016-a29a0e8250  python-pillow-3.0.0-6.fc23
   4  https://bodhi.fedoraproject.org/updates/FEDORA-2016-1649cc31e0  ca-certificates-2016.2.10-1.0.fc23
   4  https://bodhi.fedoraproject.org/updates/FEDORA-2016-689f240960  xen-4.5.5-2.fc23
   3  https://bodhi.fedoraproject.org/updates/FEDORA-2016-0e7694c456  libXfixes-5.0.3-1.fc23
   3  https://bodhi.fedoraproject.org/updates/FEDORA-2016-d045c2c7b3  libXrandr-1.5.1-1.fc23
   3  https://bodhi.fedoraproject.org/updates/FEDORA-2016-7abdfc5a52  libXi-1.7.7-1.fc23
   3  https://bodhi.fedoraproject.org/updates/FEDORA-2016-b26b497381  libXtst-1.2.3-1.fc23
   3  https://bodhi.fedoraproject.org/updates/FEDORA-2016-49d560da23  libXrender-0.9.10-1.fc23
   3  https://bodhi.fedoraproject.org/updates/FEDORA-2016-d286ffb801  libXvMC-1.0.10-1.fc23
   3  https://bodhi.fedoraproject.org/updates/FEDORA-2016-3b41a9eaa8  libXv-1.0.11-1.fc23
   3  https://bodhi.fedoraproject.org/updates/FEDORA-2016-f8fd3891f8  perl-Image-Info-1.38-6.fc23
   0  https://bodhi.fedoraproject.org/updates/FEDORA-2016-1c13825502  ghostscript-9.20-2.fc23
   0  https://bodhi.fedoraproject.org/updates/FEDORA-2016-95407a836f  libass-0.13.4-1.fc23


The following Fedora 23 Critical Path updates have yet to be approved:

 Age  URL
  81  https://bodhi.fedoraproject.org/updates/FEDORA-2016-98a7a1b6e0  abrt-2.8.0-6.fc23 libreport-2.6.4-3.fc23
  54  https://bodhi.fedoraproject.org/updates/FEDORA-2016-d6288f555c  libarchive-3.2.1-3.fc23 python-libarchive-c-2.5-1.fc23
  29  https://bodhi.fedoraproject.org/updates/FEDORA-2016-ed1c402851  thunderbird-45.3.0-1.fc23
  15  https://bodhi.fedoraproject.org/updates/FEDORA-2016-79072fd70e  python-virtkey-0.63.0-1.fc23
  12  https://bodhi.fedoraproject.org/updates/FEDORA-2016-ab35400bb1  poppler-0.34.0-4.fc23
  12  https://bodhi.fedoraproject.org/updates/FEDORA-2016-7aef55393a  polkit-qt-0.112.0-8.fc23
  12  https://bodhi.fedoraproject.org/updates/FEDORA-2016-97454404fe  openssl-1.0.2j-1.fc23
  12  https://bodhi.fedoraproject.org/updates/FEDORA-2016-6a3e81a5be  linux-firmware-20160923-68.git42ad5367.fc23
   8  https://bodhi.fedoraproject.org/updates/FEDORA-2016-bb007a4097  openssh-7.2p2-6.fc23
   8  https://bodhi.fedoraproject.org/updates/FEDORA-2016-f15168439d  bash-4.3.42-5.fc23
   8  https://bodhi.fedoraproject.org/updates/FEDORA-2016-9d283ed227  python-2.7.11-11.fc23
   8  https://bodhi.fedoraproject.org/updates/FEDORA-2016-3af8b344f1  bind-9.10.4-2.P3.fc23
   8  https://bodhi.fedoraproject.org/updates/FEDORA-2016-d26923757a  koji-1.10.1-13.fc23
   6  https://bodhi.fedoraproject.org/updates/FEDORA-2016-8e4e733bef  systemd-222-17.fc23
   4  https://bodhi.fedoraproject.org/updates/FEDORA-2016-1649cc31e0  ca-certificates-2016.2.10-1.0.fc23
   4  https://bodhi.fedoraproject.org/updates/FEDORA-2016-fdf15e65fd  hwdata-0.293-1.fc23
   4  https://bodhi.fedoraproject.org/updates/FEDORA-2016-c0f589bd32  perl-DBD-MySQL-4.033-3.fc23
   3  https://bodhi.fedoraproject.org/updates/FEDORA-2016-3646279587  libgdata-0.17.5-2.fc23
   3  https://bodhi.fedoraproject.org/updates/FEDORA-2016-3b41a9eaa8  libXv-1.0.11-1.fc23
   3  https://bodhi.fedoraproject.org/updates/FEDORA-2016-d286ffb801  libXvMC-1.0.10-1.fc23
   3  https://bodhi.fedoraproject.org/updates/FEDORA-2016-49d560da23  libXrender-0.9.10-1.fc23
   3  https://bodhi.fedoraproject.org/updates/FEDORA-2016-b26b497381  libXtst-1.2.3-1.fc23
   3  https://bodhi.fedoraproject.org/updates/FEDORA-2016-7abdfc5a52  libXi-1.7.7-1.fc23
   3  https://bodhi.fedoraproject.org/updates/FEDORA-2016-d045c2c7b3  libXrandr-1.5.1-1.fc23
   3  https://bodhi.fedoraproject.org/updates/FEDORA-2016-0e7694c456  libXfixes-5.0.3-1.fc23
   0  https://bodhi.fedoraproject.org/updates/FEDORA-2016-3da7667d60  sane-backends-1.0.25-3.fc23
   0  https://bodhi.fedoraproject.org/updates/FEDORA-2016-95407a836f  libass-0.13.4-1.fc23


The following builds have been pushed to Fedora 23 updates-testing

    fedfind-2.6.2-1.fc23
    ghostscript-9.20-2.fc23
    hgsvn-0.4.1-1.fc23
    libass-0.13.4-1.fc23
    opensmtpd-6.0.1p1-1.fc23
    php-alcaeus-mongo-php-adapter-1.0.6-1.fc23
    relval-2.1.4-1.fc23
    relval-2.1.5-1.fc23
    rsnapshot-1.4.2-1.fc23
    sane-backends-1.0.25-3.fc23
    twinkle-1.10.1-1.fc23
    znc-1.6.3-5.fc23

Details about builds:

================================================================================
 fedfind-2.6.2-1.fc23 (FEDORA-2016-ad81776bff)
 Fedora Finder finds Fedora
--------------------------------------------------------------------------------
Update Information:

The major change in this update is that fedfind now has the ability to effectively override the productmd-formatted metadata provided by Pungi in specific cases where it's problematic. There is a new helper function, `helpers.correct_image`, which applies these 'corrections', and the image dicts returned by the `Release.all_images` property - commonly used for getting a flat list of image dicts from the compose metadata - now have these corrections applied.

This is intended to work around a [significant issue](https://pagure.io/pungi/issue/417) that's appeared along with the introduction of a Workstation ostree installer image for Fedora: pungi sets the `type` for ostree installer images to `boot`, but that means there is no way to distinguish a Workstation network install image from a Workstation ostree install image using the metadata. This is a major problem for several things which distinguish between images based on the metadata (openQA, fedora_nightlies, and wikitcms are all affected by this).
For now, fedfind will 'correct' the `type` for these images from `boot` to `dvd-ostree`. fedfind will also use the `dvd-ostree` type for ostree installer images when synthesizing metadata for Releases that do not have it. Note you can get un'corrected' image dicts from the `Release.metadata` property, which always provides the original, entirely unmodified metadata.

There is also a new helper, `fedfind.helpers.identify_image`, for constructing image identifiers from image dicts; this is something various fedfind consumers do, and were duplicating the code for, so let's let them share it.

We also tweak and correct the `expected_images` definitions somewhat (there were inconsistencies between what fedfind was 'expecting' and what release engineering were actually intending to provide).

The relval update adjusts `relval size-check` for the `dvd-ostree` change.
--------------------------------------------------------------------------------

================================================================================
 ghostscript-9.20-2.fc23 (FEDORA-2016-1c13825502)
 A PostScript interpreter and renderer
--------------------------------------------------------------------------------
Update Information:

This is a rebase of **ghostscript** package, to address several security issues:

* [CVE-2016-7977](https://bugzilla.redhat.com/show_bug.cgi?id=1380415) - *.libfile does not honor -dSAFER*
* [CVE-2013-5653](https://bugzilla.redhat.com/show_bug.cgi?id=1380327) - *getenv and filenameforall ignore -dSAFER*
* [CVE-2016-7976](https://bugzilla.redhat.com/show_bug.cgi?id=1382294) - *various userparams allow %pipe% in paths, allowing remote shell*
* [CVE-2016-7978](https://bugzilla.redhat.com/show_bug.cgi?id=1382300) - *reference leak in .setdevice allows use-after-free and remote code*
* [CVE-2016-7979](https://bugzilla.redhat.com/show_bug.cgi?id=1382305) - *Type confusion in .initialize_dsc_parser allows remote code execution*

-----------

#### INFORMATION FOR FEDORA PACKAGERS & MAINTAINERS:

**ghostscript** has been rebased to latest upstream version (9.20). Rebase notes:

* **no API/ABI changes between versions 9.16 -> 9.20 according to upstream**
* *OpenJPEG* support has been retained
* *ijs-config* custom tool from upstream has been *removed* (by upstream) (*pkg-config* is used by default now instead, see [commit 0c176a9](http://git.ghostscript.com/?p=ghostpdl.git;h=0c176a91d53c85cda))
* some patches were updated to 'git format-patch' format & renamed
* rest of the patches were deleted (irrelevant for current version), mostly because upstream has fixed those issues in some way
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1380415 - CVE-2016-7977 ghostscript: .libfile does not honor -dSAFER
        https://bugzilla.redhat.com/show_bug.cgi?id=1380415
  [ 2 ] Bug #1380327 - CVE-2013-5653 ghostscript: getenv and filenameforall ignore -dSAFER
        https://bugzilla.redhat.com/show_bug.cgi?id=1380327
  [ 3 ] Bug #1382294 - CVE-2016-7976 ghostscript: various userparams allow %pipe% in paths, allowing remote shell
        https://bugzilla.redhat.com/show_bug.cgi?id=1382294
  [ 4 ] Bug #1382300 - CVE-2016-7978 ghostscript: reference leak in .setdevice allows use-after-free and remote code execution
        https://bugzilla.redhat.com/show_bug.cgi?id=1382300
  [ 5 ] Bug #1382305 - CVE-2016-7979 ghostscript: Type confusion in .initialize_dsc_parser allows remote code execution
        https://bugzilla.redhat.com/show_bug.cgi?id=1382305
--------------------------------------------------------------------------------

================================================================================
 hgsvn-0.4.1-1.fc23 (FEDORA-2016-b18351b6c2)
 A set of scripts to work locally on subversion checkouts using mercurial
--------------------------------------------------------------------------------
Update Information:

Update to latest upstream release hgsvn 0.4.1.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1378869 - None
        https://bugzilla.redhat.com/show_bug.cgi?id=1378869
--------------------------------------------------------------------------------

================================================================================
 libass-0.13.4-1.fc23 (FEDORA-2016-95407a836f)
 Portable library for SSA/ASS subtitles rendering
--------------------------------------------------------------------------------
Update Information:

Fixes CVE-2016-7969, CVE-2016-7970 and CVE-2016-7972
----
Update to 0.13.3. Contains various bugfixes.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1310363 - libass-0.13.3 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1310363
  [ 2 ] Bug #1381962 - CVE-2016-7969 CVE-2016-7970 CVE-2016-7971 CVE-2016-7972 libass: Multiple issues disclosed with 0.13.4 update [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1381962
  [ 3 ] Bug #1381961 - CVE-2016-7969 CVE-2016-7970 CVE-2016-7971 CVE-2016-7972 libass: Multiple issues disclosed with 0.13.4 update [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1381961
  [ 4 ] Bug #1382196 - libass-0.13.4 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1382196
--------------------------------------------------------------------------------

================================================================================
 opensmtpd-6.0.1p1-1.fc23 (FEDORA-2016-5d9cdf7f70)
 Free implementation of the server-side SMTP protocol as defined by RFC 5321
--------------------------------------------------------------------------------
Update Information:

Changes in this release (since 6.0.0):
---
- A bug in the smtp session logic can lead to a server crash. [1]

[1] found and reported by Mickael Torres, thanks!
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1381402 - None
        https://bugzilla.redhat.com/show_bug.cgi?id=1381402
--------------------------------------------------------------------------------

================================================================================
 php-alcaeus-mongo-php-adapter-1.0.6-1.fc23 (FEDORA-2016-89bb7c6864)
 Mongo PHP Adapter
--------------------------------------------------------------------------------
Update Information:

**Version 1.0.6** (2016-10-07)

* [#126](https://github.com/alcaeus/mongo-php-adapter/pull/126) fixes a class name that was improperly capitalized.
* [#130](https://github.com/alcaeus/mongo-php-adapter/pull/130) fixes JSON serialization of `MongoId` objects.
--------------------------------------------------------------------------------

================================================================================
 relval-2.1.4-1.fc23 (FEDORA-2016-ad81776bff)
 Tool for interacting with Fedora QA wiki pages
--------------------------------------------------------------------------------
Update Information:

Same update as fedfind-2.6.2-1.fc23 above (FEDORA-2016-ad81776bff); see its Update Information for the fedfind changes. The relval update adjusts `relval size-check` for the `dvd-ostree` change.
--------------------------------------------------------------------------------

================================================================================
 relval-2.1.5-1.fc23 (FEDORA-2016-4bdf8996e3)
 Tool for interacting with Fedora QA wiki pages
--------------------------------------------------------------------------------
Update Information:

This update adds `--since` and `--until` arguments for `relval user-stats`, making it easier to generate statistics covering the Alpha, Beta and Final periods now we have nightly validation events interspersed with the candidate compose events throughout the cycle.
--------------------------------------------------------------------------------

================================================================================
 rsnapshot-1.4.2-1.fc23 (FEDORA-2016-82fdad481b)
 Local and remote filesystem snapshot utility
--------------------------------------------------------------------------------
Update Information:

Update to 1.4.2
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1375289 - None
        https://bugzilla.redhat.com/show_bug.cgi?id=1375289
--------------------------------------------------------------------------------

================================================================================
 sane-backends-1.0.25-3.fc23 (FEDORA-2016-3da7667d60)
 Scanner access software
--------------------------------------------------------------------------------
Update Information:

This update adds support for socket activation of the network scanning daemon saned. Additionally, it is split off into its own package `sane-backends-daemon`.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1091566 - None
        https://bugzilla.redhat.com/show_bug.cgi?id=1091566
--------------------------------------------------------------------------------

================================================================================
 twinkle-1.10.1-1.fc23 (FEDORA-2016-87bde5a226)
 SIP-based VoIP client
--------------------------------------------------------------------------------
Update Information:

Update to 1.10.1, see https://github.com/LubosD/twinkle/releases/tag/v1.10.1 for details.
--------------------------------------------------------------------------------

================================================================================
 znc-1.6.3-5.fc23 (FEDORA-2016-e04aca9df0)
 An advanced IRC bouncer
--------------------------------------------------------------------------------
Update Information:

Cleanup spec file, use upstream systemd unit file
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1367810 - None
        https://bugzilla.redhat.com/show_bug.cgi?id=1367810
--------------------------------------------------------------------------------

_______________________________________________
test mailing list -- test@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to test-leave@xxxxxxxxxxxxxxxxxxxxxxx