The following Fedora 24 Security updates need testing:
 Age  URL
 190  https://bodhi.fedoraproject.org/updates/FEDORA-2016-26f9817b08   squid-3.5.23-1.fc24
 183  https://bodhi.fedoraproject.org/updates/FEDORA-2016-eaaa9c4a08   exim-4.87.1-1.fc24
 146  https://bodhi.fedoraproject.org/updates/FEDORA-2017-ece16ba6ba   runc-1.0.0-5.rc2.gitc91b5be.fc24
  82  https://bodhi.fedoraproject.org/updates/FEDORA-2017-8330a48ca2   python-XStatic-jquery-ui-1.12.0.1-1.fc24
  21  https://bodhi.fedoraproject.org/updates/FEDORA-2017-5f1006afb1   libstaroffice-0.0.3-3.fc24
  21  https://bodhi.fedoraproject.org/updates/FEDORA-2017-a1f4c48c68   nodejs-brace-expansion-1.1.7-1.fc24
  12  https://bodhi.fedoraproject.org/updates/FEDORA-2017-bbae64fdc2   libmwaw-0.3.11-3.fc24
   9  https://bodhi.fedoraproject.org/updates/FEDORA-2017-bff00a1c35   thunderbird-52.2.0-1.fc24
   7  https://bodhi.fedoraproject.org/updates/FEDORA-2017-b8d76bef4e   chromium-native_client-59.0.3071.86-1.20170607gitaac1de2.fc24
   7  https://bodhi.fedoraproject.org/updates/FEDORA-2017-4932c9b886   c-ares-1.13.0-1.fc24
   5  https://bodhi.fedoraproject.org/updates/FEDORA-2017-5596f2f94d   openvpn-2.3.17-1.fc24
   5  https://bodhi.fedoraproject.org/updates/FEDORA-2017-2cfb239358   libsndfile-1.0.28-3.fc24
   5  https://bodhi.fedoraproject.org/updates/FEDORA-2017-3159dd230a   drupal8-8.3.4-1.fc24
   5  https://bodhi.fedoraproject.org/updates/FEDORA-2017-b3bdaf58bc   xen-4.6.5-7.fc24
   4  https://bodhi.fedoraproject.org/updates/FEDORA-2017-e0a9e51dd5   graphite2-1.3.10-1.fc24
   4  https://bodhi.fedoraproject.org/updates/FEDORA-2017-d191fb7fce   zabbix-3.0.9-1.fc24
   3  https://bodhi.fedoraproject.org/updates/FEDORA-2017-5f8ebbd2b1   globus-xio-5.16-1.fc24
        globus-net-manager-0.17-1.fc24
        globus-gass-cache-program-6.7-1.fc24
        globus-gass-copy-9.27-1.fc24
        globus-gssapi-gsi-12.16-1.fc24
        globus-gram-job-manager-14.36-1.fc24
        globus-gridftp-server-12.2-1.fc24
        globus-io-11.9-1.fc24
        globus-xio-gsi-driver-3.11-1.fc24
        globus-xio-pipe-driver-3.10-1.fc24
        globus-xio-udt-driver-1.27-1.fc24
        myproxy-6.1.28-1.fc24
        globus-ftp-client-8.35-2.fc24
   3  https://bodhi.fedoraproject.org/updates/FEDORA-2017-e8a2017b3c   drupal7-7.56-1.fc24
   1  https://bodhi.fedoraproject.org/updates/FEDORA-2017-37f68e3534   webkitgtk4-2.16.5-1.fc24
   1  https://bodhi.fedoraproject.org/updates/FEDORA-2017-299525e757   php-horde-Horde-Image-2.5.1-1.fc24
   1  https://bodhi.fedoraproject.org/updates/FEDORA-2017-6b1f07acd9   flatpak-0.8.7-1.fc24
   1  https://bodhi.fedoraproject.org/updates/FEDORA-2017-d26266eb32   libmtp-1.1.13-1.fc24
   1  https://bodhi.fedoraproject.org/updates/FEDORA-2017-014d67fa9d   libdb-5.3.28-24.fc24
   1  https://bodhi.fedoraproject.org/updates/FEDORA-2017-56cf7067e7   irssi-1.0.3-1.fc24
   0  https://bodhi.fedoraproject.org/updates/FEDORA-2017-72f0c1ea9c   systemd-229-22.fc24
   0  https://bodhi.fedoraproject.org/updates/FEDORA-2017-cf9599a306   httpd-2.4.26-1.fc24

The following Fedora 24 Critical Path updates have yet to be approved:
 Age  URL
  69  https://bodhi.fedoraproject.org/updates/FEDORA-2017-e1905fd566   koji-1.12.0-2.fc24
  14  https://bodhi.fedoraproject.org/updates/FEDORA-2017-07fed9b000   libteam-1.27-1.fc24
  10  https://bodhi.fedoraproject.org/updates/FEDORA-2017-ce8c7053eb   audit-2.7.7-1.fc24
   9  https://bodhi.fedoraproject.org/updates/FEDORA-2017-bff00a1c35   thunderbird-52.2.0-1.fc24
   5  https://bodhi.fedoraproject.org/updates/FEDORA-2017-2cfb239358   libsndfile-1.0.28-3.fc24
   4  https://bodhi.fedoraproject.org/updates/FEDORA-2017-e0a9e51dd5   graphite2-1.3.10-1.fc24
   1  https://bodhi.fedoraproject.org/updates/FEDORA-2017-014d67fa9d   libdb-5.3.28-24.fc24
   1  https://bodhi.fedoraproject.org/updates/FEDORA-2017-bbfb70fc1d   kernel-4.11.7-100.fc24
   1  https://bodhi.fedoraproject.org/updates/FEDORA-2017-6b1f07acd9   flatpak-0.8.7-1.fc24
   1  https://bodhi.fedoraproject.org/updates/FEDORA-2017-3e62f0d34b   perl-5.22.3-371.fc24
   1  https://bodhi.fedoraproject.org/updates/FEDORA-2017-37f68e3534   webkitgtk4-2.16.5-1.fc24
   0  https://bodhi.fedoraproject.org/updates/FEDORA-2017-72f0c1ea9c   systemd-229-22.fc24

The following builds have been pushed to Fedora 24 updates-testing

    awscli-1.11.109-2.fc24
    blueberry-1.1.15-1.fc24
    dmlite-0.8.7-1.fc24
    dovecot-2.2.31-1.fc24
    httpd-2.4.26-1.fc24
    php-gecko-packages-gecko-php-unit-2.1-1.fc24
    purple-telegram-1.3.1-2.fc24
    python-asn1crypto-0.22.0-2.fc24
    python-botocore-1.5.72-1.fc24
    python-cryptography-vectors-1.9-1.fc24
    rubygem-gettext-3.2.3-1.fc24
    rubygem-glu-8.3.0-1.fc24
    salt-2016.11.6-1.fc24
    snapd-glib-1.13-1.fc24
    systemd-229-22.fc24

Details about builds:

================================================================================
 awscli-1.11.109-2.fc24 (FEDORA-2017-2b8af77395)
 Universal Command Line Environment for AWS
--------------------------------------------------------------------------------
Update Information:

update
--------------------------------------------------------------------------------

================================================================================
 blueberry-1.1.15-1.fc24 (FEDORA-2017-14b2b7ff56)
 Bluetooth configuration tool
--------------------------------------------------------------------------------
Update Information:

* New upstream release
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1465880 - blueberry-1.1.15 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1465880
--------------------------------------------------------------------------------

================================================================================
 dmlite-0.8.7-1.fc24 (FEDORA-2017-4ac21a7586)
 Lcgdm grid data management and storage framework
--------------------------------------------------------------------------------
Update Information:

* new upstream release
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1449040 - Broken postun scriptlet
        https://bugzilla.redhat.com/show_bug.cgi?id=1449040
--------------------------------------------------------------------------------

================================================================================
 dovecot-2.2.31-1.fc24 (FEDORA-2017-eafd425833)
 Secure imap and pop3 server
--------------------------------------------------------------------------------
Update Information:

- dovecot updated to 2.2.31
  - Various fixes to handling mailbox listing. Especially related to handling
    nonexistent autocreated/autosubscribed mailboxes and ACLs.
  - Global ACL file was parsed as if it was local ACL file. This caused some of
    the ACL rule interactions to not work exactly as intended.
  - Using mail_sort_max_read_count may have caused very high CPU usage.
  - Message address parsing could have crashed on invalid input.
  - imapc_features=fetch-headers wasn't always working correctly and caused the
    full header to be fetched.
  - imapc: Various bugfixes related to connection failure handling.
  - quota=count: quota_warning = -storage=.. was never executed
  - quota=count: Add support for "ns" parameter
  - dsync: Fix incremental syncing for mails that don't have Date or Message-ID
    headers.
  - imap: Fix hang when client sends pipelined SEARCH + EXPUNGE/CLOSE/LOGOUT.
  - oauth2: Token validation didn't accept empty server responses.
  - imap: NOTIFY command has been almost completely broken since the beginning.
- pigeonhole updated to 0.4.19
  - Fixed bug in handling of implicit keep in some cases.
  - include extension: Fixed segfault that (sometimes) occurred when the global
    script location was left unconfigured.

----

- auth: Multiple failed authentications within short time caused crashes
- push-notification: OX driver crashed at deinit

----

- auth: Use timing safe comparisons for everything related to passwords. It's
  unlikely that these could have been used for practical attacks, especially
  because Dovecot delays and flushes all failed authentications in 2 second
  intervals. Also it could have worked only when passwords were stored in
  plaintext in the passdb.
- master process sends SIGQUIT to all running children at shutdown, which
  instructs them to close all the socket listeners immediately. This way
  restarting Dovecot should no longer fail due to some processes keeping the
  listeners open for a long time.
- auth: Add passdb { mechanisms=none } to match separate passdb lookup
- auth: Add passdb { username_filter } to use passdb only if user matches the
  filter. See https://wiki2.dovecot.org/PasswordDatabase
- dsync: Add dsync_commit_msgs_interval setting. It attempts to commit the
  transaction after saving this many new messages. Because of the way dsync
  works, it may not always be possible if mails are copied or UIDs need to
  change.
- imapc: Support imapc_features=search without ESEARCH extension.
- imapc: Add imapc_features=fetch-bodystructure to pass through remote server's
  FETCH BODY and BODYSTRUCTURE.
- imapc: Add quota=imapc backend to use GETQUOTA/GETQUOTAROOT on the remote
  server.
- passdb imap: Add allow_invalid_cert and ssl_ca_file parameters.
- If dovecot.index.cache corruption is detected, reset only the one corrupted
  mail instead of the whole file.
- doveadm mailbox status: Add "firstsaved" field.
- director_flush_socket: Add old host's up/down and vhost count as parameters
- More fixes to automatically fix corruption in dovecot.list.index
- dsync-server: Fix support for dsync_features=empty-header-workaround
- imapc: Various bugfixes, including infinite loops on some errors
- IMAP NOTIFY wasn't working for non-INBOX if IMAP client hadn't enabled modseq
  tracking via CONDSTORE/QRESYNC.
- fts-lucene: Fix it to work again with mbox format
- Some internal error messages may have contained garbage in v2.2.29
- mail-crypt: Re-encrypt when copying/moving mails and per-mailbox keys are
  used. Otherwise the copied mails can't be opened.
--------------------------------------------------------------------------------

================================================================================
 httpd-2.4.26-1.fc24 (FEDORA-2017-cf9599a306)
 Apache HTTP Server
--------------------------------------------------------------------------------
Update Information:

Security fix for CVE-2017-3167 CVE-2017-3169 CVE-2017-7659 CVE-2017-7668
CVE-2017-7679
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1463207 - CVE-2017-7679 httpd: mod_mime buffer overread
        https://bugzilla.redhat.com/show_bug.cgi?id=1463207
  [ 2 ] Bug #1463205 - CVE-2017-7668 httpd: ap_find_token() buffer overread
        https://bugzilla.redhat.com/show_bug.cgi?id=1463205
  [ 3 ] Bug #1463199 - CVE-2017-7659 httpd: mod_http2 NULL pointer dereference
        https://bugzilla.redhat.com/show_bug.cgi?id=1463199
  [ 4 ] Bug #1463197 - CVE-2017-3169 httpd: mod_ssl NULL pointer dereference
        https://bugzilla.redhat.com/show_bug.cgi?id=1463197
  [ 5 ] Bug #1463194 - CVE-2017-3167 httpd: ap_get_basic_auth_pw() authentication bypass
        https://bugzilla.redhat.com/show_bug.cgi?id=1463194
--------------------------------------------------------------------------------

================================================================================
 php-gecko-packages-gecko-php-unit-2.1-1.fc24 (FEDORA-2017-680a76483d)
 Additional PHPUnit tests
--------------------------------------------------------------------------------
Update Information:

**Version 2.1**
* Add missing messages forwarding.
--------------------------------------------------------------------------------

================================================================================
 purple-telegram-1.3.1-2.fc24 (FEDORA-2017-031ae7f806)
 Libpurple protocol plugin for Telegram support
--------------------------------------------------------------------------------
Update Information:

* Stability improvements
* Support auto-loading for documents
* Add support for "typing" in group chats (using group-typing-notifications
  plugin)
* Add support for /kick command in group chats
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1442617 - Version 1.3.1 was released
        https://bugzilla.redhat.com/show_bug.cgi?id=1442617
  [ 2 ] Bug #1424113 - purple-telegram: FTBFS in rawhide
        https://bugzilla.redhat.com/show_bug.cgi?id=1424113
  [ 3 ] Bug #1317525 - tarballs commited to git
        https://bugzilla.redhat.com/show_bug.cgi?id=1317525
  [ 4 ] Bug #1441011 - purple-telegram-v1.3.1 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1441011
--------------------------------------------------------------------------------

================================================================================
 python-asn1crypto-0.22.0-2.fc24 (FEDORA-2017-e38fabae68)
 Fast Python ASN.1 parser and serializer
--------------------------------------------------------------------------------
Update Information:

New dependency for python-cryptography 1.9+
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1465335 - Review Request: python-asn1crypto - Fast Python ASN.1 parser and serializer
        https://bugzilla.redhat.com/show_bug.cgi?id=1465335
--------------------------------------------------------------------------------

================================================================================
 python-botocore-1.5.72-1.fc24 (FEDORA-2017-2b8af77395)
 Low-level, data-driven core of boto 3
--------------------------------------------------------------------------------
Update Information:

update
--------------------------------------------------------------------------------

================================================================================
 python-cryptography-vectors-1.9-1.fc24 (FEDORA-2017-c2407d6816)
 Test vectors for the cryptography package
--------------------------------------------------------------------------------
Update Information:

Build dependency for python-cryptography 1.9
--------------------------------------------------------------------------------

================================================================================
 rubygem-gettext-3.2.3-1.fc24 (FEDORA-2017-e6397a75ae)
 RubyGem of Localization Library and Tools for Ruby
--------------------------------------------------------------------------------
Update Information:

New version 3.2.3 is released.
--------------------------------------------------------------------------------

================================================================================
 rubygem-glu-8.3.0-1.fc24 (FEDORA-2017-ea488bbbcb)
 Glu bindings for the opengl gem
--------------------------------------------------------------------------------
Update Information:

New version 8.3.0 is released.
--------------------------------------------------------------------------------

================================================================================
 salt-2016.11.6-1.fc24 (FEDORA-2017-88e8ad2dd7)
 A parallel remote execution system
--------------------------------------------------------------------------------
Update Information:

Update to feature release 2016.11.6
--------------------------------------------------------------------------------

================================================================================
 snapd-glib-1.13-1.fc24 (FEDORA-2017-829773d1d4)
 Library providing a GLib interface to snapd
--------------------------------------------------------------------------------
Update Information:

Update to 1.13
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1463243 - snapd-glib-1.13 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1463243
--------------------------------------------------------------------------------

================================================================================
 systemd-229-22.fc24 (FEDORA-2017-72f0c1ea9c)
 A System and Service Manager
--------------------------------------------------------------------------------
Update Information:

A fix for an out-of-bounds write in systemd-resolved after a crafted DNS packet
(CVE-2017-9445). No need to reboot or log out.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1465610 - resolved: an out-of-bounds write
        https://bugzilla.redhat.com/show_bug.cgi?id=1465610
--------------------------------------------------------------------------------