The following Fedora 24 Security updates need testing:

 Age  URL
  61  https://bodhi.fedoraproject.org/updates/FEDORA-2016-32eaf0c41e   redis-3.2.3-1.fc24
  45  https://bodhi.fedoraproject.org/updates/FEDORA-2016-0ef628998f   chicken-4.11.0-3.fc24
  12  https://bodhi.fedoraproject.org/updates/FEDORA-2016-a64716084e   irssi-0.8.20-2.fc24
  11  https://bodhi.fedoraproject.org/updates/FEDORA-2016-5706eeb875   python-django-1.9.10-1.fc24
  10  https://bodhi.fedoraproject.org/updates/FEDORA-2016-861b8c46b7   nodejs-4.6.0-5.fc24
   9  https://bodhi.fedoraproject.org/updates/FEDORA-2016-c75bdc394a   zathura-pdf-mupdf-0.3.0-2.fc24 mujs-0-5.20160921git5c337af.fc24
   6  https://bodhi.fedoraproject.org/updates/FEDORA-2016-e1d4972701   nsd-4.1.13-1.fc24
   4  https://bodhi.fedoraproject.org/updates/FEDORA-2016-870236238e   perl-DBD-MySQL-4.037-1.fc24
   4  https://bodhi.fedoraproject.org/updates/FEDORA-2016-d61c4f72da   chromium-53.0.2785.143-1.fc24
   4  https://bodhi.fedoraproject.org/updates/FEDORA-2016-d07987265b   freeimage-3.17.0-7.fc24
   4  https://bodhi.fedoraproject.org/updates/FEDORA-2016-4529e034ca   mingw-freeimage-3.17.0-4.fc24
   4  https://bodhi.fedoraproject.org/updates/FEDORA-2016-294e0ed595   python-pillow-3.2.0-3.fc24
   4  https://bodhi.fedoraproject.org/updates/FEDORA-2016-ae6d4b4c33   ca-certificates-2016.2.10-1.0.fc24
   4  https://bodhi.fedoraproject.org/updates/FEDORA-2016-4c407cd849   xen-4.6.3-6.fc24
   3  https://bodhi.fedoraproject.org/updates/FEDORA-2016-be779371b4   perl-Image-Info-1.38-6.fc24
   0  https://bodhi.fedoraproject.org/updates/FEDORA-2016-53e8aa35f6   ghostscript-9.20-2.fc24
   0  https://bodhi.fedoraproject.org/updates/FEDORA-2016-282507c3e9   libass-0.13.4-1.fc24


The following Fedora 24 Critical Path updates have yet to be approved:

 Age  URL
  11  https://bodhi.fedoraproject.org/updates/FEDORA-2016-229e5b4143   lorax-24.21-1.fc24
   8  https://bodhi.fedoraproject.org/updates/FEDORA-2016-a300f36043   perl-Scalar-List-Utils-1.46-1.fc24
   4  https://bodhi.fedoraproject.org/updates/FEDORA-2016-ae6d4b4c33   ca-certificates-2016.2.10-1.0.fc24
   0  https://bodhi.fedoraproject.org/updates/FEDORA-2016-f00a05d7b9   pungi-4.1.10-1.fc24


The following builds have been pushed to Fedora 24 updates-testing

    f2fs-tools-1.7.0-1.fc24
    fedfind-2.6.2-1.fc24
    fuse-encfs-1.9.1-2.fc24
    ghostscript-9.20-2.fc24
    guayadeque-0.4.1-0.16.beta1git45a439f.fc24
    hexchat-2.12.2-1.fc24
    hgsvn-0.4.1-1.fc24
    khal-0.8.4-1.fc24
    khard-0.9.0-2.fc24
    libass-0.13.4-1.fc24
    lxc-2.0.5-1.fc24
    mgarepo-1.13.1-2.fc24
    ninja-build-1.7.1-2.fc24
    opensmtpd-6.0.1p1-1.fc24
    origin-1.3.0-2.fc24
    ostree-2016.11-1.fc24
    perl-Mock-Sub-1.07-1.fc24
    php-alcaeus-mongo-php-adapter-1.0.6-1.fc24
    pungi-4.1.10-1.fc24
    python-dns-1.15.0-1.fc24
    python-nss-1.0.0-2.fc24
    relval-2.1.4-1.fc24
    relval-2.1.5-1.fc24
    rpm-ostree-2016.10-1.fc24
    rsnapshot-1.4.2-1.fc24
    sane-backends-1.0.25-3.fc24
    twinkle-1.10.1-1.fc24
    znc-1.6.3-5.fc24

Details about builds:


================================================================================
 f2fs-tools-1.7.0-1.fc24 (FEDORA-2016-8d878e3848)
 Tools for Flash-Friendly File System (F2FS)
--------------------------------------------------------------------------------
Update Information:

Bumped to 1.7.0
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1318809 - None
        https://bugzilla.redhat.com/show_bug.cgi?id=1318809
--------------------------------------------------------------------------------


================================================================================
 fedfind-2.6.2-1.fc24 (FEDORA-2016-f1b14d2030)
 Fedora Finder finds Fedora
--------------------------------------------------------------------------------
Update Information:

The major change in this update is that fedfind now has the ability to effectively override the productmd-formatted metadata provided by Pungi in specific cases where it's problematic.

There is a new helper function, `helpers.correct_image`, which applies these 'corrections', and the image dicts returned by the `Release.all_images` property - commonly used for getting a flat list of image dicts from the compose metadata - now have these corrections applied.

This is intended to work around a [significant issue](https://pagure.io/pungi/issue/417) that's appeared along with the introduction of a Workstation ostree installer image for Fedora: pungi sets the `type` for ostree installer images to `boot`, but that means there is no way to distinguish a Workstation network install image from a Workstation ostree install image using the metadata. This is a major problem for several things which distinguish between images based on the metadata (openQA, fedora_nightlies, and wikitcms are all affected by this). For now, fedfind will 'correct' the `type` for these images from `boot` to `dvd-ostree`. fedfind will also use the `dvd-ostree` type for ostree installer images when synthesizing metadata for Releases that do not have it.

Note you can get un'corrected' image dicts from the `Release.metadata` property, which always provides the original, entirely unmodified metadata.

There is also a new helper, `fedfind.helpers.identify_image`, for constructing image identifiers from image dicts; this is something various fedfind consumers do, and were duplicating the code for, so let's let them share it.

We also tweak and correct the `expected_images` definitions somewhat (there were inconsistencies between what fedfind was 'expecting' and what release engineering were actually intending to provide).

The relval update adjusts `relval size-check` for the `dvd-ostree` change.
--------------------------------------------------------------------------------


================================================================================
 fuse-encfs-1.9.1-2.fc24 (FEDORA-2016-c037b1c778)
 Encrypted pass-thru filesystem in userspace
--------------------------------------------------------------------------------
Update Information:

Fix exec permission.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1382894 - None
        https://bugzilla.redhat.com/show_bug.cgi?id=1382894
--------------------------------------------------------------------------------


================================================================================
 ghostscript-9.20-2.fc24 (FEDORA-2016-53e8aa35f6)
 A PostScript interpreter and renderer
--------------------------------------------------------------------------------
Update Information:

This is a rebase of **ghostscript** package, to address several security issues:

* [CVE-2016-7977](https://bugzilla.redhat.com/show_bug.cgi?id=1380415) - *.libfile does not honor -dSAFER*
* [CVE-2013-5653](https://bugzilla.redhat.com/show_bug.cgi?id=1380327) - *getenv and filenameforall ignore -dSAFER*
* [CVE-2016-7976](https://bugzilla.redhat.com/show_bug.cgi?id=1382294) - *various userparams allow %pipe% in paths, allowing remote shell*
* [CVE-2016-7978](https://bugzilla.redhat.com/show_bug.cgi?id=1382300) - *reference leak in .setdevice allows use-after-free and remote code*
* [CVE-2016-7979](https://bugzilla.redhat.com/show_bug.cgi?id=1382305) - *Type confusion in .initialize_dsc_parser allows remote code execution*

-----------

#### INFORMATION FOR FEDORA PACKAGERS & MAINTAINERS:

**ghostscript** has been rebased to latest upstream version (9.20).

Rebase notes:

* **no API/ABI changes between versions 9.16 -> 9.20 according to upstream**
* *OpenJPEG* support has been retained
* *ijs-config* custom tool from upstream has been *removed* (by upstream) (*pkg-config* is used by default now instead, see [commit 0c176a9](http://git.ghostscript.com/?p=ghostpdl.git;h=0c176a91d53c85cda))
* some patches were updated to 'git format-patch' format & renamed
* rest of the patches were deleted (irrelevant for current version), mostly because upstream has fixed those issues in some way
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1380415 - CVE-2016-7977 ghostscript: .libfile does not honor -dSAFER
        https://bugzilla.redhat.com/show_bug.cgi?id=1380415
  [ 2 ] Bug #1380327 - CVE-2013-5653 ghostscript: getenv and filenameforall ignore -dSAFER
        https://bugzilla.redhat.com/show_bug.cgi?id=1380327
  [ 3 ] Bug #1382294 - CVE-2016-7976 ghostscript: various userparams allow %pipe% in paths, allowing remote shell
        https://bugzilla.redhat.com/show_bug.cgi?id=1382294
  [ 4 ] Bug #1382300 - CVE-2016-7978 ghostscript: reference leak in .setdevice allows use-after-free and remote code execution
        https://bugzilla.redhat.com/show_bug.cgi?id=1382300
  [ 5 ] Bug #1382305 - CVE-2016-7979 ghostscript: Type confusion in .initialize_dsc_parser allows remote code execution
        https://bugzilla.redhat.com/show_bug.cgi?id=1382305
--------------------------------------------------------------------------------


================================================================================
 guayadeque-0.4.1-0.16.beta1git45a439f.fc24 (FEDORA-2016-e3eea66415)
 Music player
--------------------------------------------------------------------------------
Update Information:

Update to 0.4.1-0.16.beta1git45a439f
----
Update to 0.4.1-0.15.beta1gitf3a156b
--------------------------------------------------------------------------------


================================================================================
 hexchat-2.12.2-1.fc24 (FEDORA-2016-36d0ef1a23)
 A popular and easy to use graphical IRC (chat) client
--------------------------------------------------------------------------------
Update Information:

New upstream release: http://hexchat.readthedocs.io/en/latest/changelog.html
--------------------------------------------------------------------------------


================================================================================
 hgsvn-0.4.1-1.fc24 (FEDORA-2016-10f4a0bf90)
 A set of scripts to work locally on subversion checkouts using mercurial
--------------------------------------------------------------------------------
Update Information:

Update to latest upstream release hgsvn 0.4.1.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1378869 - None
        https://bugzilla.redhat.com/show_bug.cgi?id=1378869
--------------------------------------------------------------------------------


================================================================================
 khal-0.8.4-1.fc24 (FEDORA-2016-3e0c24cc90)
 CLI calendar application
--------------------------------------------------------------------------------
Update Information:

* **IMPORTANT BUGFIX** fixed a bug that led to imported events being erroneously shifted if they had a timezone identifier that wasn't an Olson database identifier. All users are advised to upgrade as soon as possible. To see if you are affected by this and how to resolve any issues, please see the release announcement (khal/doc/source/news/khal084.rst or http://lostpackets.de/khal/news/khal084.html). Thanks to Wayne Werner for finding and reporting this bug.
* fixed a check for icalendar files containing RDATEs
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1371141 - None
        https://bugzilla.redhat.com/show_bug.cgi?id=1371141
--------------------------------------------------------------------------------


================================================================================
 khard-0.9.0-2.fc24 (FEDORA-2016-662052da94)
 An address book for the Linux console
--------------------------------------------------------------------------------
Update Information:

- Support for vobject library version >= 0.8.2 from https://github.com/tBaxter/vobject
- Contact template syntax switched to yaml
- alot and mutt actions summarized to new email action (please have a look into the readme file for configuration changes)
- Support for extended name attributes
- Create and modify contact from stdin or from template file
- New action "export" to export data of existing contact in yaml format
- New argument --open-editor to open the preferred text editor after successful creation of new contact from stdin or template file
- New argument {-u, --uid} to select contact by uid
- Added write support for categories attribute
- Added wrapper script for sdiff
- Fixed a bug, which prevented the creation of new contacts with the add-email action
- Added support for multiple instances of one vcard attribute
- Use of module atomicwrites to securely write vcards to disk
- Cancel without further actions if the opened contacts editor is closed without saving (determined by modification date of template file)
- Fixed uid dictionary creation
- Sort contact table by first or last name (take note of changed behaviour of "sort" option)
- New option -g, --group-by-addressbook to group contact table by address book
- Changes in config file:
  - New group: contact table
  - new option: sort to sort contact table by first or last name
  - New option: group_by_addressbook to group contact table by address book
  - Moved show_nicknames option from group "general" to group "contact table"
  - New option "show_uids" in config file to disable uid column in contact table
- Fully restructured command line interface for better usability:
  - general help with: khard -h
  - help for a specific action: khard action -h
- Updated zsh completion function
- New Action addressbooks
- New option -p|--pretty for email and phone actions to get pretty formatted output
- Fix: Only delete contact after modify, copy or move action was completed successfully
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1381668 - None
        https://bugzilla.redhat.com/show_bug.cgi?id=1381668
--------------------------------------------------------------------------------


================================================================================
 libass-0.13.4-1.fc24 (FEDORA-2016-282507c3e9)
 Portable library for SSA/ASS subtitles rendering
--------------------------------------------------------------------------------
Update Information:

Fixes CVE-2016-7969, CVE-2016-7970 and CVE-2016-7972
----
Update to 0.13.3. Contains various bugfixes.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1310363 - libass-0.13.3 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1310363
  [ 2 ] Bug #1381962 - CVE-2016-7969 CVE-2016-7970 CVE-2016-7971 CVE-2016-7972 libass: Multiple issues disclosed with 0.13.4 update [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1381962
  [ 3 ] Bug #1381961 - CVE-2016-7969 CVE-2016-7970 CVE-2016-7971 CVE-2016-7972 libass: Multiple issues disclosed with 0.13.4 update [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1381961
  [ 4 ] Bug #1382196 - libass-0.13.4 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1382196
--------------------------------------------------------------------------------


================================================================================
 lxc-2.0.5-1.fc24 (FEDORA-2016-d39c8c06fc)
 Linux Resource Containers
--------------------------------------------------------------------------------
Update Information:

Update LXC to the latest stable version. See [here](https://linuxcontainers.org/lxc/news/) for the list of changes.
--------------------------------------------------------------------------------


================================================================================
 mgarepo-1.13.1-2.fc24 (FEDORA-2016-26e3d0bc5d)
 Tools for Mageia repository access and management
--------------------------------------------------------------------------------
Update Information:

This update rebases mgarepo from 1.12.3 to 1.13.1, which adds significant improvements, such as:

* Support for names and email addresses for authors in generated RPM changelogs
* Support for running `rpmlint` on checked out packages
* Support for cloning from SVN to Git, bidirectional sync between Git and SVN, as well as initial GitHub integration
* Automatic fallback to anonymous checkout when authenticated checkout fails
* Various fixes for Python 3, as well as using XML form SVN log for more reliable log parsing
--------------------------------------------------------------------------------


================================================================================
 ninja-build-1.7.1-2.fc24 (FEDORA-2016-9e72363ae1)
 A small build system with a focus on speed
--------------------------------------------------------------------------------
Update Information:

Add RPM macro for easier life of maintainers
--------------------------------------------------------------------------------


================================================================================
 opensmtpd-6.0.1p1-1.fc24 (FEDORA-2016-7eff27a476)
 Free implementation of the server-side SMTP protocol as defined by RFC 5321
--------------------------------------------------------------------------------
Update Information:

Changes in this release (since 6.0.0):
---
- A bug in the smtp session logic can lead to a server crash. [1]

[1] found and reported by Mickael Torres, thanks !
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1381402 - None
        https://bugzilla.redhat.com/show_bug.cgi?id=1381402
--------------------------------------------------------------------------------


================================================================================
 origin-1.3.0-2.fc24 (FEDORA-2016-53d23cb907)
 Open Source Container Management by Red Hat
--------------------------------------------------------------------------------
Update Information:

Update to latest upstream
--------------------------------------------------------------------------------


================================================================================
 ostree-2016.11-1.fc24 (FEDORA-2016-cb5715aaca)
 Tool for managing bootable, immutable filesystem trees
--------------------------------------------------------------------------------
Update Information:

New upstream releases, with critical fixes for package layering.
--------------------------------------------------------------------------------


================================================================================
 perl-Mock-Sub-1.07-1.fc24 (FEDORA-2016-e98145a14e)
 Mock package, object and standard subroutines, with unit testing in mind
--------------------------------------------------------------------------------
Update Information:

1.07 2016-10-05
  - POD fix (closes #20)
  - changed croak() to confess()
  - you can now add "no_warnings => 1" to the 'use Mock::Sub' line to disable warnings about mocking non-existent subs (closes #22)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1382191 - None
        https://bugzilla.redhat.com/show_bug.cgi?id=1382191
--------------------------------------------------------------------------------


================================================================================
 php-alcaeus-mongo-php-adapter-1.0.6-1.fc24 (FEDORA-2016-e4d040e09e)
 Mongo PHP Adapter
--------------------------------------------------------------------------------
Update Information:

**Version 1.0.6** (2016-10-07)

* [#126](https://github.com/alcaeus/mongo-php-adapter/pull/126) fixes a class name that was improperly capitalized.
* [#130](https://github.com/alcaeus/mongo-php-adapter/pull/130) fixes JSON serialization of `MongoId` objects.
--------------------------------------------------------------------------------


================================================================================
 pungi-4.1.10-1.fc24 (FEDORA-2016-f00a05d7b9)
 Distribution compose tool
--------------------------------------------------------------------------------
Update Information:

- pungi: Replace kickstart repo url (mark)
- ostree-installer: Reduce duplication in tests (lsedlar)
- ostree-installer: Generate correct volume ID (lsedlar)
- ostree-installer: Use ostree as type in filename (lsedlar)
- ostree: Use $basearch in repo file (lsedlar)
- config: Accept empty branch in SCM dict (lsedlar)
- Remove duplicated version from pungi script (lsedlar)
- use --new-chroot when making ostree's (dennis)
- Create git tags without release (lsedlar)
- Translate paths without double slash (lsedlar)
- Remove shebangs from non-executable files (lsedlar)
- Remove FSF address from comments (lsedlar)
- Update contributing guide (lsedlar)
- init: Remove keep_original_comps option (lsedlar)
- tests: Use unittest2 consistently (lsedlar)
----
add patch to enable use of --new-chroot for ostree tasks
--------------------------------------------------------------------------------


================================================================================
 python-dns-1.15.0-1.fc24 (FEDORA-2016-1857421df6)
 DNS toolkit for Python
--------------------------------------------------------------------------------
Update Information:

Latest Release
----
Latest Snapshot
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1340576 - None
        https://bugzilla.redhat.com/show_bug.cgi?id=1340576
  [ 2 ] Bug #1004427 - None
        https://bugzilla.redhat.com/show_bug.cgi?id=1004427
  [ 3 ] Bug #1379267 - None
        https://bugzilla.redhat.com/show_bug.cgi?id=1379267
--------------------------------------------------------------------------------


================================================================================
 python-nss-1.0.0-2.fc24 (FEDORA-2016-c93fd2726a)
 Python bindings for Network Security Services (NSS)
--------------------------------------------------------------------------------
Update Information:

- Official 1.0.0 release, only minor tweaks from 1.0.0beta1
- Allow custom include root in setup.py as command line arg
- Remove checks for whether a socket is open for reading. It's not possible for the binding to know in all cases, especially if the socket is created from an external socket passed in.
* The following module functions were added:
  - nss.get_all_tokens
----
Official 1.0.0 release, only minor tweaks from 1.0.0beta1
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1379863 - None
        https://bugzilla.redhat.com/show_bug.cgi?id=1379863
  [ 2 ] Bug #1367216 - None
        https://bugzilla.redhat.com/show_bug.cgi?id=1367216
--------------------------------------------------------------------------------


================================================================================
 relval-2.1.4-1.fc24 (FEDORA-2016-f1b14d2030)
 Tool for interacting with Fedora QA wiki pages
--------------------------------------------------------------------------------
Update Information:

The major change in this update is that fedfind now has the ability to effectively override the productmd-formatted metadata provided by Pungi in specific cases where it's problematic.

There is a new helper function, `helpers.correct_image`, which applies these 'corrections', and the image dicts returned by the `Release.all_images` property - commonly used for getting a flat list of image dicts from the compose metadata - now have these corrections applied.

This is intended to work around a [significant issue](https://pagure.io/pungi/issue/417) that's appeared along with the introduction of a Workstation ostree installer image for Fedora: pungi sets the `type` for ostree installer images to `boot`, but that means there is no way to distinguish a Workstation network install image from a Workstation ostree install image using the metadata. This is a major problem for several things which distinguish between images based on the metadata (openQA, fedora_nightlies, and wikitcms are all affected by this). For now, fedfind will 'correct' the `type` for these images from `boot` to `dvd-ostree`. fedfind will also use the `dvd-ostree` type for ostree installer images when synthesizing metadata for Releases that do not have it.

Note you can get un'corrected' image dicts from the `Release.metadata` property, which always provides the original, entirely unmodified metadata.

There is also a new helper, `fedfind.helpers.identify_image`, for constructing image identifiers from image dicts; this is something various fedfind consumers do, and were duplicating the code for, so let's let them share it.

We also tweak and correct the `expected_images` definitions somewhat (there were inconsistencies between what fedfind was 'expecting' and what release engineering were actually intending to provide).

The relval update adjusts `relval size-check` for the `dvd-ostree` change.
--------------------------------------------------------------------------------


================================================================================
 relval-2.1.5-1.fc24 (FEDORA-2016-a597a3169c)
 Tool for interacting with Fedora QA wiki pages
--------------------------------------------------------------------------------
Update Information:

This update adds `--since` and `--until` arguments for `relval user-stats`, making it easier to generate statistics covering the Alpha, Beta and Final periods now we have nightly validation events interspersed with the candidate compose events throughout the cycle.
--------------------------------------------------------------------------------


================================================================================
 rpm-ostree-2016.10-1.fc24 (FEDORA-2016-cb5715aaca)
 Client side upgrade program and server side compose tool
--------------------------------------------------------------------------------
Update Information:

New upstream releases, with critical fixes for package layering.
--------------------------------------------------------------------------------


================================================================================
 rsnapshot-1.4.2-1.fc24 (FEDORA-2016-f1a4362a9f)
 Local and remote filesystem snapshot utility
--------------------------------------------------------------------------------
Update Information:

Update to 1.4.2
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1375289 - None
        https://bugzilla.redhat.com/show_bug.cgi?id=1375289
--------------------------------------------------------------------------------


================================================================================
 sane-backends-1.0.25-3.fc24 (FEDORA-2016-f828e34867)
 Scanner access software
--------------------------------------------------------------------------------
Update Information:

This update adds support for socket activation of the network scanning daemon saned. Additionally, it is split off into its own package `sane-backends-daemon`.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1091566 - None
        https://bugzilla.redhat.com/show_bug.cgi?id=1091566
--------------------------------------------------------------------------------


================================================================================
 twinkle-1.10.1-1.fc24 (FEDORA-2016-d6dbfa6ba4)
 SIP-based VoIP client
--------------------------------------------------------------------------------
Update Information:

Update to 1.10.1, see https://github.com/LubosD/twinkle/releases/tag/v1.10.1 for details.
--------------------------------------------------------------------------------


================================================================================
 znc-1.6.3-5.fc24 (FEDORA-2016-4a7381695e)
 An advanced IRC bouncer
--------------------------------------------------------------------------------
Update Information:

Cleanup spec file, use upstream systemd unit file
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1367810 - None
        https://bugzilla.redhat.com/show_bug.cgi?id=1367810
--------------------------------------------------------------------------------

_______________________________________________
test mailing list -- test@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to test-leave@xxxxxxxxxxxxxxxxxxxxxxx