The following Fedora 25 Security updates need testing: Age URL 183 https://bodhi.fedoraproject.org/updates/FEDORA-2016-d79ba708cb exim-4.87.1-1.fc25 82 https://bodhi.fedoraproject.org/updates/FEDORA-2017-e2d17af41e python-XStatic-jquery-ui-1.12.0.1-4.fc25 25 https://bodhi.fedoraproject.org/updates/FEDORA-2017-7dbbbafea6 runc-1.0.0-7.git6394544.fc25.2 21 https://bodhi.fedoraproject.org/updates/FEDORA-2017-ec3c82e64d libstaroffice-0.0.3-3.fc25 21 https://bodhi.fedoraproject.org/updates/FEDORA-2017-5d7498559f nodejs-brace-expansion-1.1.7-1.fc25 12 https://bodhi.fedoraproject.org/updates/FEDORA-2017-bcfa3569d6 libmwaw-0.3.11-3.fc25 7 https://bodhi.fedoraproject.org/updates/FEDORA-2017-a66e2c5b62 chromium-native_client-59.0.3071.86-1.20170607gitaac1de2.fc25 7 https://bodhi.fedoraproject.org/updates/FEDORA-2017-f68c93aaac kmail-16.12.3-2.fc25 7 https://bodhi.fedoraproject.org/updates/FEDORA-2017-bb1ecba1bc kf5-messagelib-16.12.3-2.fc25 7 https://bodhi.fedoraproject.org/updates/FEDORA-2017-a11f853361 kdepim4-4.14.10-31.fc25 5 https://bodhi.fedoraproject.org/updates/FEDORA-2017-708adeb9b6 libsndfile-1.0.28-3.fc25 5 https://bodhi.fedoraproject.org/updates/FEDORA-2017-0d636042ef drupal8-8.3.4-1.fc25 5 https://bodhi.fedoraproject.org/updates/FEDORA-2017-c3149b5fcb xen-4.7.2-7.fc25 4 https://bodhi.fedoraproject.org/updates/FEDORA-2017-63aca509fb zabbix-3.0.9-1.fc25 3 https://bodhi.fedoraproject.org/updates/FEDORA-2017-7591a8e2c9 globus-xio-5.16-1.fc25 globus-net-manager-0.17-1.fc25 globus-gass-cache-program-6.7-1.fc25 globus-gass-copy-9.27-1.fc25 globus-gssapi-gsi-12.16-1.fc25 globus-gram-job-manager-14.36-1.fc25 globus-gridftp-server-12.2-1.fc25 globus-io-11.9-1.fc25 globus-xio-gsi-driver-3.11-1.fc25 globus-xio-pipe-driver-3.10-1.fc25 globus-xio-udt-driver-1.27-1.fc25 myproxy-6.1.28-1.fc25 globus-ftp-client-8.35-2.fc25 3 https://bodhi.fedoraproject.org/updates/FEDORA-2017-38113758e7 drupal7-7.56-1.fc25 1 https://bodhi.fedoraproject.org/updates/FEDORA-2017-bff1b87765 webkitgtk4-2.16.5-1.fc25 1 https://bodhi.fedoraproject.org/updates/FEDORA-2017-6f7d6fbccc php-horde-Horde-Image-2.5.1-1.fc25 1 https://bodhi.fedoraproject.org/updates/FEDORA-2017-4c57da6642 libmtp-1.1.13-1.fc25 1 https://bodhi.fedoraproject.org/updates/FEDORA-2017-372bb1edb3 libdb-5.3.28-24.fc25 1 https://bodhi.fedoraproject.org/updates/FEDORA-2017-75c571778e irssi-1.0.3-1.fc25 0 https://bodhi.fedoraproject.org/updates/FEDORA-2017-29d909f5ec systemd-231-17.fc25 0 https://bodhi.fedoraproject.org/updates/FEDORA-2017-620085cede httpd-2.4.26-1.fc25 The following Fedora 25 Critical Path updates have yet to be approved: Age URL 25 https://bodhi.fedoraproject.org/updates/FEDORA-2017-613a72e282 lorax-25.22-1.fc25 12 https://bodhi.fedoraproject.org/updates/FEDORA-2017-a83e0e61d6 fwupd-0.9.4-1.fc25 9 https://bodhi.fedoraproject.org/updates/FEDORA-2017-bd92718a5a pungi-4.1.16-3.fc25 7 https://bodhi.fedoraproject.org/updates/FEDORA-2017-82f4a3afee storaged-2.6.2-6.fc25 5 https://bodhi.fedoraproject.org/updates/FEDORA-2017-c3149b5fcb xen-4.7.2-7.fc25 5 https://bodhi.fedoraproject.org/updates/FEDORA-2017-708adeb9b6 libsndfile-1.0.28-3.fc25 4 https://bodhi.fedoraproject.org/updates/FEDORA-2017-d90aa59a73 libguestfs-1.36.5-1.fc25 4 https://bodhi.fedoraproject.org/updates/FEDORA-2017-0187b2a605 selinux-policy-3.13.1-225.19.fc25 1 https://bodhi.fedoraproject.org/updates/FEDORA-2017-413688447e vim-8.0.679-1.fc25 1 https://bodhi.fedoraproject.org/updates/FEDORA-2017-372bb1edb3 libdb-5.3.28-24.fc25 1 https://bodhi.fedoraproject.org/updates/FEDORA-2017-65f852596f kernel-4.11.7-200.fc25 1 https://bodhi.fedoraproject.org/updates/FEDORA-2017-80862de14e perl-Scalar-List-Utils-1.48-1.fc25 1 https://bodhi.fedoraproject.org/updates/FEDORA-2017-bff1b87765 webkitgtk4-2.16.5-1.fc25 0 https://bodhi.fedoraproject.org/updates/FEDORA-2017-29d909f5ec systemd-231-17.fc25 The following builds have been pushed to Fedora 25 updates-testing awscli-1.11.109-2.fc25 blueberry-1.1.15-1.fc25 cloud-init-0.7.9-7.fc25 dmlite-0.8.7-1.fc25 dovecot-2.2.31-1.fc25 grip-3.4.2-2.fc25 httpd-2.4.26-1.fc25 metamath-0.145-1.fc25 php-gecko-packages-gecko-php-unit-2.1-1.fc25 purple-telegram-1.3.1-2.fc25 python-asn1crypto-0.22.0-2.fc25 python-botocore-1.5.72-1.fc25 python-cryptography-vectors-1.9-1.fc25 python-rpmfluff-0.5.3-1.fc25 python-yarl-0.11.0-1.fc25 reg-0.4.1-3.fc25 rubygem-gettext-3.2.3-1.fc25 rubygem-glu-8.3.0-1.fc25 salt-2016.11.6-1.fc25 snapd-glib-1.13-1.fc25 systemd-231-17.fc25 Details about builds: ================================================================================ awscli-1.11.109-2.fc25 (FEDORA-2017-bf1e8062ba) Universal Command Line Environment for AWS -------------------------------------------------------------------------------- Update Information: update -------------------------------------------------------------------------------- ================================================================================ blueberry-1.1.15-1.fc25 (FEDORA-2017-0bcb305066) Bluetooth configuration tool -------------------------------------------------------------------------------- Update Information: * New upstream release -------------------------------------------------------------------------------- References: [ 1 ] Bug #1465880 - blueberry-1.1.15 is available https://bugzilla.redhat.com/show_bug.cgi?id=1465880 -------------------------------------------------------------------------------- ================================================================================ cloud-init-0.7.9-7.fc25 (FEDORA-2017-faae58b0d0) Cloud instance init scripts -------------------------------------------------------------------------------- Update Information: This update fixes bugs that prevented the fs_setup.cmd and package statements in cloud-config configurations from working. It also stops NetworkManager from clobbering DNS resolver settings set by cloud-config configuration. -------------------------------------------------------------------------------- References: [ 1 ] Bug #1461959 - cloud-init should configure networkmanager to not manage /etc/resolv.conf https://bugzilla.redhat.com/show_bug.cgi?id=1461959 [ 2 ] Bug #1447708 - cloud-init package module fails with python NameError exception https://bugzilla.redhat.com/show_bug.cgi?id=1447708 [ 3 ] Bug #1465440 - Cloud-init sysconifg.py called util.write_file incorrectly https://bugzilla.redhat.com/show_bug.cgi?id=1465440 -------------------------------------------------------------------------------- ================================================================================ dmlite-0.8.7-1.fc25 (FEDORA-2017-b87cfa1711) Lcgdm grid data management and storage framework -------------------------------------------------------------------------------- Update Information: * new upstream release -------------------------------------------------------------------------------- References: [ 1 ] Bug #1449040 - Broken postun scriptlet https://bugzilla.redhat.com/show_bug.cgi?id=1449040 -------------------------------------------------------------------------------- ================================================================================ dovecot-2.2.31-1.fc25 (FEDORA-2017-03849b6c69) Secure imap and pop3 server -------------------------------------------------------------------------------- Update Information: - dovecot updated to 2.2.31 - Various fixes to handling mailbox listing. Especially related to handling nonexistent autocreated/autosubscribed mailboxes and ACLs. - Global ACL file was parsed as if it was local ACL file. This caused some of the ACL rule interactions to not work exactly as intended. - Using mail_sort_max_read_count may have caused very high CPU usage. - Message address parsing could have crashed on invalid input. - imapc_features=fetch- headers wasn't always working correctly and caused the full header to be fetched. - imapc: Various bugfixes related to connection failure handling. - quota=count: quota_warning = -storage=.. was never executed - quota=count: Add support for "ns" parameter - dsync: Fix incremental syncing for mails that don't have Date or Message-ID headers. - imap: Fix hang when client sends pipelined SEARCH + EXPUNGE/CLOSE/LOGOUT. - oauth2: Token validation didn't accept empty server responses. - imap: NOTIFY command has been almost completely broken since the beginning. - pigeonhole updated to 0.4.19 - Fixed bug in handling of implicit keep in some cases. - include extension: Fixed segfault that (sometimes) occurred when the global script location was left unconfigured. ---- - auth: Multiple failed authentications within short time caused crashes - push-notification: OX driver crashed at deinit ---- - auth: Use timing safe comparisons for everything related to passwords. It's unlikely that these could have been used for practical attacks, especially because Dovecot delays and flushes all failed authentications in 2 second intervals. Also it could have worked only when passwords were stored in plaintext in the passdb. - master process sends SIGQUIT to all running children at shutdown, which instructs them to close all the socket listeners immediately. This way restarting Dovecot should no longer fail due to some processes keeping the listeners open for a long time. - auth: Add passdb { mechanisms=none } to match separate passdb lookup - auth: Add passdb { username_filter } to use passdb only if user matches the filter. See https://wiki2.dovecot.org/PasswordDatabase - dsync: Add dsync_commit_msgs_interval setting. It attempts to commit the transaction after saving this many new messages. Because of the way dsync works, it may not always be possible if mails are copied or UIDs need to change. - imapc: Support imapc_features=search without ESEARCH extension. - imapc: Add imapc_features=fetch-bodystructure to pass through remote server's FETCH BODY and BODYSTRUCTURE. - imapc: Add quota=imapc backend to use GETQUOTA/GETQUOTAROOT on the remote server. - passdb imap: Add allow_invalid_cert and ssl_ca_file parameters. - If dovecot.index.cache corruption is detected, reset only the one corrupted mail instead of the whole file. - doveadm mailbox status: Add "firstsaved" field. - director_flush_socket: Add old host's up/down and vhost count as parameters - More fixes to automatically fix corruption in dovecot.list.index - dsync-server: Fix support for dsync_features=empty-header-workaround - imapc: Various bugfixes, including infinite loops on some errors - IMAP NOTIFY wasn't working for non-INBOX if IMAP client hadn't enabled modseq tracking via CONDSTORE/QRESYNC. - fts-lucene: Fix it to work again with mbox format - Some internal error messages may have contained garbage in v2.2.29 - mail-crypt: Re- encrypt when copying/moving mails and per-mailbox keys are used. Otherwise the copied mails can't be opened. -------------------------------------------------------------------------------- ================================================================================ grip-3.4.2-2.fc25 (FEDORA-2017-c654fbb022) Front-end for CD rippers and Ogg Vorbis encoders -------------------------------------------------------------------------------- Update Information: Updated to 3.4.2 -------------------------------------------------------------------------------- References: [ 1 ] Bug #1455353 - Update grip to 3.4.1 https://bugzilla.redhat.com/show_bug.cgi?id=1455353 -------------------------------------------------------------------------------- ================================================================================ httpd-2.4.26-1.fc25 (FEDORA-2017-620085cede) Apache HTTP Server -------------------------------------------------------------------------------- Update Information: Security fix for CVE-2017-3167 CVE-2017-3169 CVE-2017-7659 CVE-2017-7668 CVE-2017-7679 -------------------------------------------------------------------------------- References: [ 1 ] Bug #1463207 - CVE-2017-7679 httpd: mod_mime buffer overread https://bugzilla.redhat.com/show_bug.cgi?id=1463207 [ 2 ] Bug #1463205 - CVE-2017-7668 httpd: ap_find_token() buffer overread https://bugzilla.redhat.com/show_bug.cgi?id=1463205 [ 3 ] Bug #1463199 - CVE-2017-7659 httpd: mod_http2 NULL pointer dereference https://bugzilla.redhat.com/show_bug.cgi?id=1463199 [ 4 ] Bug #1463197 - CVE-2017-3169 httpd: mod_ssl NULL pointer dereference https://bugzilla.redhat.com/show_bug.cgi?id=1463197 [ 5 ] Bug #1463194 - CVE-2017-3167 httpd: ap_get_basic_auth_pw() authentication bypass https://bugzilla.redhat.com/show_bug.cgi?id=1463194 -------------------------------------------------------------------------------- ================================================================================ metamath-0.145-1.fc25 (FEDORA-2017-da06f04bec) Construct mathematics from basic axioms -------------------------------------------------------------------------------- Update Information: Changes in version 0.145: - fix bug 1741 during MINIMIZE_WITH - make duplicate bug numbers unique - adjust to prevent lcc compiler "Function too big for the optimizer" - take out extraneous <HTML>...</HTML> markup tags in HTML output so w3c validator will pass -------------------------------------------------------------------------------- References: [ 1 ] Bug #1462574 - metamath-0.145 is available https://bugzilla.redhat.com/show_bug.cgi?id=1462574 -------------------------------------------------------------------------------- ================================================================================ php-gecko-packages-gecko-php-unit-2.1-1.fc25 (FEDORA-2017-effa0f7085) Additional PHPUnit tests -------------------------------------------------------------------------------- Update Information: **Version 2.1** * Add missing messages forwarding. -------------------------------------------------------------------------------- ================================================================================ purple-telegram-1.3.1-2.fc25 (FEDORA-2017-f777084028) Libpurple protocol plugin for Telegram support -------------------------------------------------------------------------------- Update Information: * Stability improvements * Support auto-loading for documents * Add support for "typing" in group chats (using group-typing-notifications plugin) * Add support for /kick command in group chats -------------------------------------------------------------------------------- References: [ 1 ] Bug #1442617 - Version 1.3.1 was released https://bugzilla.redhat.com/show_bug.cgi?id=1442617 [ 2 ] Bug #1424113 - purple-telegram: FTBFS in rawhide https://bugzilla.redhat.com/show_bug.cgi?id=1424113 [ 3 ] Bug #1317525 - tarballs commited to git https://bugzilla.redhat.com/show_bug.cgi?id=1317525 [ 4 ] Bug #1441011 - purple-telegram-v1.3.1 is available https://bugzilla.redhat.com/show_bug.cgi?id=1441011 -------------------------------------------------------------------------------- ================================================================================ python-asn1crypto-0.22.0-2.fc25 (FEDORA-2017-d8f8656eac) Fast Python ASN.1 parser and serializer -------------------------------------------------------------------------------- Update Information: New dependency for python-cryptography 1.9+ -------------------------------------------------------------------------------- References: [ 1 ] Bug #1465335 - Review Request: python-asn1crypto - Fast Python ASN.1 parser and serializer https://bugzilla.redhat.com/show_bug.cgi?id=1465335 -------------------------------------------------------------------------------- ================================================================================ python-botocore-1.5.72-1.fc25 (FEDORA-2017-bf1e8062ba) Low-level, data-driven core of boto 3 -------------------------------------------------------------------------------- Update Information: update -------------------------------------------------------------------------------- ================================================================================ python-cryptography-vectors-1.9-1.fc25 (FEDORA-2017-222420e8ee) Test vectors for the cryptography package -------------------------------------------------------------------------------- Update Information: Build dependency for python-cryptography 1.9 -------------------------------------------------------------------------------- ================================================================================ python-rpmfluff-0.5.3-1.fc25 (FEDORA-2017-7e594f96bb) Lightweight way of building RPMs, and sabotaging them -------------------------------------------------------------------------------- Update Information: Support mixing noarch and archful packages in a yum repo build by Dan Callaghan <dcallagh@xxxxxxxxxx> ---- Lots of fixes by Dan Callaghan <dcallagh@xxxxxxxxxx> -------------------------------------------------------------------------------- ================================================================================ python-yarl-0.11.0-1.fc25 (FEDORA-2017-6f9474a494) Python module to handle URLs -------------------------------------------------------------------------------- Update Information: Update to latest upstream release 0.11.0 (rhbz#1465202) -------------------------------------------------------------------------------- References: [ 1 ] Bug #1465202 - python-yarl-v0.11.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=1465202 -------------------------------------------------------------------------------- ================================================================================ reg-0.4.1-3.fc25 (FEDORA-2017-5784d9e356) Docker registry v2 command line client -------------------------------------------------------------------------------- Update Information: Add an upstream'd patch to enable single-run mode of reg-server that will create static html files and then exit instead of serving the files with built-in http server. ---- New package for Fedora. -------------------------------------------------------------------------------- References: [ 1 ] Bug #1432214 - Review Request: reg - Docker registry v2 command line client. https://bugzilla.redhat.com/show_bug.cgi?id=1432214 -------------------------------------------------------------------------------- ================================================================================ rubygem-gettext-3.2.3-1.fc25 (FEDORA-2017-ab246f0b73) RubyGem of Localization Library and Tools for Ruby -------------------------------------------------------------------------------- Update Information: New version 3.2.3 is released. -------------------------------------------------------------------------------- ================================================================================ rubygem-glu-8.3.0-1.fc25 (FEDORA-2017-ef0db6dd84) Glu bindings for the opengl gem -------------------------------------------------------------------------------- Update Information: New version 8.3.0 is released. -------------------------------------------------------------------------------- ================================================================================ salt-2016.11.6-1.fc25 (FEDORA-2017-179f6ea370) A parallel remote execution system -------------------------------------------------------------------------------- Update Information: Update to feature release 2016.11.6 ---- Add patch for Fix ipv6 nameserver grains #41244 ---- Commented out check for pycryptodomex on Fedora ---- Use python-crypto on fedora platforms till pycryptodomex becomes available -------------------------------------------------------------------------------- References: [ 1 ] Bug #41244 - None https://bugzilla.redhat.com/show_bug.cgi?id=41244 -------------------------------------------------------------------------------- ================================================================================ snapd-glib-1.13-1.fc25 (FEDORA-2017-2bcbc5e4ac) Library providing a GLib interface to snapd -------------------------------------------------------------------------------- Update Information: Update to 1.13 -------------------------------------------------------------------------------- References: [ 1 ] Bug #1463243 - snapd-glib-1.13 is available https://bugzilla.redhat.com/show_bug.cgi?id=1463243 -------------------------------------------------------------------------------- ================================================================================ systemd-231-17.fc25 (FEDORA-2017-29d909f5ec) A System and Service Manager -------------------------------------------------------------------------------- Update Information: A fix for an out-of-bounds write in systemd-resolved after a crafted DNS packet (CVE-2017-9445). No need to reboot or log out. -------------------------------------------------------------------------------- References: [ 1 ] Bug #1465610 - resolved: an out-of-bounds write https://bugzilla.redhat.com/show_bug.cgi?id=1465610 -------------------------------------------------------------------------------- _______________________________________________ test mailing list -- test@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to test-leave@xxxxxxxxxxxxxxxxxxxxxxx
