The following Fedora 25 Security updates need testing: Age URL 340 https://bodhi.fedoraproject.org/updates/FEDORA-2016-d79ba708cb exim-4.87.1-1.fc25 178 https://bodhi.fedoraproject.org/updates/FEDORA-2017-5d7498559f nodejs-brace-expansion-1.1.7-1.fc25 128 https://bodhi.fedoraproject.org/updates/FEDORA-2017-2232fe97b4 docker-distribution-2.6.2-1.git48294d9.fc25 43 https://bodhi.fedoraproject.org/updates/FEDORA-2017-7089c6e789 suricata-3.2.4-1.fc25 35 https://bodhi.fedoraproject.org/updates/FEDORA-2017-51f49ebbce apr-1.6.3-1.fc25 35 https://bodhi.fedoraproject.org/updates/FEDORA-2017-f563b201ba apr-util-1.5.4-4.fc25 35 https://bodhi.fedoraproject.org/updates/FEDORA-2017-45ed341e61 httpd-2.4.29-1.fc25 20 https://bodhi.fedoraproject.org/updates/FEDORA-2017-6e67e4e45b poppler-0.45.0-10.fc25 20 https://bodhi.fedoraproject.org/updates/FEDORA-2017-481e4f6f8c ldns-1.6.17-22.fc25 20 https://bodhi.fedoraproject.org/updates/FEDORA-2017-e5bbb657c5 chromium-62.0.3202.89-1.fc25 9 https://bodhi.fedoraproject.org/updates/FEDORA-2017-78f0991378 openssh-7.4p1-5.fc25 7 https://bodhi.fedoraproject.org/updates/FEDORA-2017-f2577f2108 xen-4.7.4-1.fc25 6 https://bodhi.fedoraproject.org/updates/FEDORA-2017-7e5afe777a docker-1.12.6-8.gitbe5610c.fc25 6 https://bodhi.fedoraproject.org/updates/FEDORA-2017-4994d364de rb_libtorrent-1.1.5-1.fc25 qbittorrent-4.0.1-1.fc25 5 https://bodhi.fedoraproject.org/updates/FEDORA-2017-c6722f0b3c linux-firmware-20171126-80.git17e62881.fc25 4 https://bodhi.fedoraproject.org/updates/FEDORA-2017-832dbdac75 python-dulwich-0.18.6-1.fc25 3 https://bodhi.fedoraproject.org/updates/FEDORA-2017-d7ab32cc23 collectd-5.8.0-2.fc25 3 https://bodhi.fedoraproject.org/updates/FEDORA-2017-62f44716bb fedora-arm-installer-2.1-1.fc25 3 https://bodhi.fedoraproject.org/updates/FEDORA-2017-7f8abb1866 ca-certificates-2017.2.20-1.0.fc25 0 https://bodhi.fedoraproject.org/updates/FEDORA-2017-e584e3c8a3 thunderbird-52.5.0-1.fc25 0 https://bodhi.fedoraproject.org/updates/FEDORA-2017-9015553e3d qt5-qtwebengine-5.9.3-1.fc25 0 https://bodhi.fedoraproject.org/updates/FEDORA-2017-9ae6e39bde mupdf-1.11-9.fc25 0 https://bodhi.fedoraproject.org/updates/FEDORA-2017-81fe39ad9f pdns-recursor-4.0.7-1.fc25 0 https://bodhi.fedoraproject.org/updates/FEDORA-2017-2c15e19fb5 firefox-57.0.1-1.fc25 0 https://bodhi.fedoraproject.org/updates/FEDORA-2017-6be762ea64 python-2.7.13-3.fc25 0 https://bodhi.fedoraproject.org/updates/FEDORA-2017-ca05b30e86 rubygem-yard-0.8.7.6-4.fc25 The following Fedora 25 Critical Path updates have yet to be approved: Age URL 182 https://bodhi.fedoraproject.org/updates/FEDORA-2017-613a72e282 lorax-25.22-1.fc25 61 https://bodhi.fedoraproject.org/updates/FEDORA-2017-3fc5429e7e iproute-4.12.0-1.fc25 30 https://bodhi.fedoraproject.org/updates/FEDORA-2017-b89e9f62d8 bind99-9.9.10-3.P3.fc25 28 https://bodhi.fedoraproject.org/updates/FEDORA-2017-dbf347055a hwdata-0.306-1.fc25 20 https://bodhi.fedoraproject.org/updates/FEDORA-2017-6e67e4e45b poppler-0.45.0-10.fc25 10 https://bodhi.fedoraproject.org/updates/FEDORA-2017-4ac58bd7e5 groff-1.22.3-9.fc25 9 https://bodhi.fedoraproject.org/updates/FEDORA-2017-78f0991378 openssh-7.4p1-5.fc25 9 https://bodhi.fedoraproject.org/updates/FEDORA-2017-5c8aaa03b5 man-db-2.7.5-7.fc25 9 https://bodhi.fedoraproject.org/updates/FEDORA-2017-ebe7851cb1 pungi-4.1.20-3.fc25 9 https://bodhi.fedoraproject.org/updates/FEDORA-2017-1524498243 sssd-1.16.0-3.fc25 7 https://bodhi.fedoraproject.org/updates/FEDORA-2017-f2577f2108 xen-4.7.4-1.fc25 7 https://bodhi.fedoraproject.org/updates/FEDORA-2017-cf1dd0bb89 libtiff-4.0.9-1.fc25 7 https://bodhi.fedoraproject.org/updates/FEDORA-2017-779d5b7efb pcre2-10.23-11.fc25 5 https://bodhi.fedoraproject.org/updates/FEDORA-2017-c6722f0b3c linux-firmware-20171126-80.git17e62881.fc25 3 https://bodhi.fedoraproject.org/updates/FEDORA-2017-7f8abb1866 ca-certificates-2017.2.20-1.0.fc25 0 https://bodhi.fedoraproject.org/updates/FEDORA-2017-6be762ea64 python-2.7.13-3.fc25 0 https://bodhi.fedoraproject.org/updates/FEDORA-2017-2c15e19fb5 firefox-57.0.1-1.fc25 0 https://bodhi.fedoraproject.org/updates/FEDORA-2017-06c5efa39f glusterfs-3.10.8-1.fc25 0 https://bodhi.fedoraproject.org/updates/FEDORA-2017-c0f2ceb7bc mariadb-10.1.29-1.fc25 0 https://bodhi.fedoraproject.org/updates/FEDORA-2017-e0501e729c appstream-data-25-23.fc25 0 https://bodhi.fedoraproject.org/updates/FEDORA-2017-e584e3c8a3 thunderbird-52.5.0-1.fc25 The following builds have been pushed to Fedora 25 updates-testing appstream-data-25-23.fc25 cinnamon-3.6.6-10.fc25 cool-retro-term-1.0.1-5.fc25 firefox-57.0.1-1.fc25 glusterfs-3.10.8-1.fc25 hedgewars-0.9.23-1.fc25 liblxi-1.7-1.fc25 lxi-tools-1.12-1.fc25 mame-0.192-1.fc25 mariadb-10.1.29-1.fc25 module-build-service-1.5.2-1.fc25 mupdf-1.11-9.fc25 nsd-4.1.18-1.fc25 pdns-recursor-4.0.7-1.fc25 perl-File-Fetch-0.56-1.fc25 perl-experimental-0.018-1.fc25 python-2.7.13-3.fc25 qt5-qtwebengine-5.9.3-1.fc25 redis-4.0.4-1.fc25 rubygem-yard-0.8.7.6-4.fc25 slick-greeter-1.1.3-1.fc25 spatialindex-1.8.5-8.fc25 thunderbird-52.5.0-1.fc25 tio-1.27-1.fc25 torrent-file-editor-0.3.8-1.fc25 unbound-1.6.7-1.fc25 Details about builds: ================================================================================ appstream-data-25-23.fc25 (FEDORA-2017-e0501e729c) Fedora AppStream metadata -------------------------------------------------------------------------------- Update Information: New metadata version -------------------------------------------------------------------------------- ================================================================================ cinnamon-3.6.6-10.fc25 (FEDORA-2017-1f2967a418) Window management and application launching for GNOME -------------------------------------------------------------------------------- Update Information: - Switch to libnm on all Fedora releases and EPEL7 - Fix a wifi connection issue -------------------------------------------------------------------------------- References: [ 1 ] Bug #1413610 - Don't use NetworkManager-glib https://bugzilla.redhat.com/show_bug.cgi?id=1413610 -------------------------------------------------------------------------------- ================================================================================ cool-retro-term-1.0.1-5.fc25 (FEDORA-2017-813b682539) Terminal emulator mimicking a CRT display -------------------------------------------------------------------------------- Update Information: Add missing runtime dependencies ---- New package - initial build & update -------------------------------------------------------------------------------- References: [ 1 ] Bug #1509590 - Review Request: cool-retro-term - Terminal emulator mimicking a CRT display https://bugzilla.redhat.com/show_bug.cgi?id=1509590 -------------------------------------------------------------------------------- ================================================================================ firefox-57.0.1-1.fc25 (FEDORA-2017-2c15e19fb5) Mozilla Firefox Web browser -------------------------------------------------------------------------------- Update Information: Update to latest upstream version. -------------------------------------------------------------------------------- ================================================================================ glusterfs-3.10.8-1.fc25 (FEDORA-2017-06c5efa39f) Distributed File System -------------------------------------------------------------------------------- Update Information: 3.10.8 GA -------------------------------------------------------------------------------- ================================================================================ hedgewars-0.9.23-1.fc25 (FEDORA-2017-ad24a89ef5) Funny turn-based artillery game, featuring fighting Hedgehogs! -------------------------------------------------------------------------------- Update Information: Update to latest upstream release. For complete changelog see: https://hg.hedgewars.org/hedgewars/raw-file/8610462e3d33/ChangeLog.txt -------------------------------------------------------------------------------- References: [ 1 ] Bug #1517404 - hedgewars 0.9.23 is available https://bugzilla.redhat.com/show_bug.cgi?id=1517404 -------------------------------------------------------------------------------- ================================================================================ liblxi-1.7-1.fc25 (FEDORA-2017-b4c2ae341e) Library with simple API for communication with LXI devices -------------------------------------------------------------------------------- Update Information: liblxi v1.7 =========== * Update to new URL * Update README * Update AUTHORS * Use HTTPS in the configure script * Jakub Wilk: Fix typos liblxi v1.6 =========== * Update README * Add authors section in README * Add README.md to prettify GitHub page liblxi v1.5 =========== * Add support for mDNS/DNS-SD discovery * Add parameter to lxi_discover() so it is possible to select discovery using VXI-11 or mDNS/DNS-SD. * If detected available, Avahi is used as the mDNS/DNS-SD backend implementation. * Print errors to stderr * Update README liblxi v1.4 =========== * Fix discover output strings * Discovery of multiple LXI instruments revealed a bug in the id string handling which results in garbled output strings. Adding missing string termination fixes this. * Add timeout handling for raw/TCP * Update examples * Cleanup * Update README * Add support for configurable protocol backends * Reworked the code to support configurable protocol backends. Currently supported protocols include VXI11 and raw TCP. In the future support for HiSlip can be added. -------------------------------------------------------------------------------- ================================================================================ lxi-tools-1.12-1.fc25 (FEDORA-2017-f745eb909c) Tools collection to control LXI enabled instruments -------------------------------------------------------------------------------- Update Information: lxi-tools v1.12 =============== * Update to new URL * Add snap status * Fix redirection of output to file * Update README * Cleanup configure.ac * Jakub Wilk: Use HTTPS in the configure script lxi-tools v1.11 =============== * Update README * Update man page * Update AUTHORS * Expand tested instruments list * Rename screenshot plugin rigol-1000 -> rigol-1000z * Add various Rigol screenshot plugins * Add the following Rigol screenshot plugins: * rigol-dg4000 Rigol DG4000 series function generator * rigol-dm3000 Rigol DM3000 series digital multimeter * rigol-dp800 Rigol DP800 series power supply * rigol-dsa800 Rigol DSA800 series spectrum analyzer * rigol- dsa700 Rigol DSA700 series spectrum analyzer The code is added on behalf of PeDre from the EEVBlog forum. * Add authors section in README * Add README.md to prettify GitHub page * The original README is still preserved because it is more readable when not reading it via GitHub. * Jakub Wilk: Strip trailing spaces * Fix typo * Fix grammar and typos lxi-tools v1.10 =============== * Add support for mDNS/DNS-SD discovery * Add "--mdns" option which enables the discover command to search for LXI devices/services using mDNS/DNS-SD. * Fix Siglent screenshot plugins * Write correct response buffer to file. Improve .regex match expression. lxi-tools v1.9 ============== * Update README * Fix newlines when redirecting to file or terminal * Rename --dump-hex to --hex * Fix missing error message when no SCPI command defined * Update man page * Remove --dump-file option * The correct way to dump response to file is to use pipe output redirection. For example: * lxi scpi --address 192.168.1.210 "*IDN?" > response.txt * This way it is possible to dump any binary reponse to file. * Fix missing error message when no IP address defined * Print errors to stderr * Cleanup Siglent SDS1000 plugin name * Add Siglent SSA 3000X screenshot plugin * Cleanup script examples * Correct default SCPI raw/TCP port * By default use port 5025 as described here: http://www.lxistandard.org/About/LXI-Protocols.aspx * If a different port is needed use the '--raw-port' option. * Apparently Rigol is not using the recommended port for raw SCPI commands. * Update descriptions of the plugin options lxi-tools v1.8 ============== * Update README * Add Siglent SDS 1000 screenshot plugin lxi-tools v1.7 ============== * Update README * Cleanup * Update .regex for Tektronix plugin * Update .regex for R&S plugin * Update .regex for Keysight plugin * Update man page * Embed instrument IP address in screenshot filename * This helps identify screenshot files when capturing screenshots from multiple instruments. * It also allows to simplify the APIs used by the screenshot plugins. * Change option '--model' to '--plugin' * Lets remove any model vs. plugin confusion and only deal with plugin names. Each plugin includes support for one or more instruments models as described in the plugin description. * Add automatic loading of screenshot plugin feature * If no screenshot plugin is specified the tool will automatically try to select the best plugin by matching the instruments ID string against the regular expressions defined in each plugin. * Each screenshot plugin defines a .regex string entry containing space separated regular expressions. Each regular expression is matched against the instrument ID string. The plugin with most matches is selected. * Note: This mechanism is slightly slower than manually specifying which screenshot plugin because it needs to retrieve the instruments ID string first. * Improve description of Rigol plugins * Fix Rigol 2000 screenshot plugin * Remove trailing newline in received image data. * Add screenshot plugin for Rigol 2000 series * Also, make existing Rigol plugin only apply for 1000z series. lxi-tools v1.6 ============== * Add date-time stamp to screenshot filename * Improve command handling * In case of a misspelled command the tool would misleadingly respond: "Error: No IP address specified" * With this fix, it now responds: "Error: Unknown command" * Update README * Added screenshot plugin for Tektronix 2000 series scopes * Improve scpi response output * Add --raw and --raw-port options to scpi command * One can now use choose to use raw/TCP instead of VXI11 when firing SCPI commands. Simply append the --raw option like so: * lxi scpi --raw --address 192.168.0.42 "*IDN?" * By default raw/TCP port 5555 is used but it can be changed using the --raw-port option. * Warning: Using raw/TCP is faster than VXI11 but does not provide any timeout/control mechanisms so if your command somehow stalls it will stall forever. * Use new lxi_connect() function * Cleanup * Make screenshot filename optional * In case no screenshot filename is provided the tool will write the screenshot image to an automatically resolved and incremented filename on the form screenshot-###.. For example, screenshot-000.png, screenshot-001.png, etc.. * Improve screenshot model listing * Increase default timeout for screenshot command * Transferring screenshot image data takes time so lets increase the timeout so we do not easily interrupt a good but slow transfer. * Collapse Rigol screenshot plugin * Support all Rigol oscilloscope models via one model name. * Add screenshot support for Keysight IV 2000 X * Cleanup plugins * Add screenshot support for R&S HMO1000 series * Add screenshot support for Rigol 2000/4000 * Create directory for screenshot plugins -------------------------------------------------------------------------------- ================================================================================ mame-0.192-1.fc25 (FEDORA-2017-57b8d3d3d8) Multiple Arcade Machine Emulator -------------------------------------------------------------------------------- Update Information: An update to the latest mame release: * http://mamedev.org/?p=450 -------------------------------------------------------------------------------- ================================================================================ mariadb-10.1.29-1.fc25 (FEDORA-2017-c0f2ceb7bc) A community developed branch of MySQL -------------------------------------------------------------------------------- Update Information: MariaDB 10.1.29 https://mariadb.com/kb/en/library/mariadb-10129-release-notes/ CVE's fixed: CVE-2017-10378, CVE-2017-10268 -------------------------------------------------------------------------------- ================================================================================ module-build-service-1.5.2-1.fc25 (FEDORA-2017-7d43059e94) The Module Build Service for Modularity -------------------------------------------------------------------------------- Update Information: Changes: * Schedule components based on the weight in Koji (takes into account all arches) instead of build duration * Support git+https:// git URLs * Honor custom RPM %_sourcedir (local builds) * Fix filtering component builds by state name (component-builds API) * Fix "instant complete" builds * Allow filtering on all table columns * Return a friendly error when the 'id' is provided as a query parameter * Print a deprecation error when a user tries to use mbs-build * Don't try to untag stale module builds that don't have any completed components * Copr: install modules into the buildroot -------------------------------------------------------------------------------- ================================================================================ mupdf-1.11-9.fc25 (FEDORA-2017-9ae6e39bde) A lightweight PDF viewer and toolkit -------------------------------------------------------------------------------- Update Information: CVE-2017-15369 CVE-2017-15587 CVE-2017-9216 CVE-2017-14685 CVE-2017-14686 CVE-2017-14687 -------------------------------------------------------------------------------- References: [ 1 ] Bug #1456731 - CVE-2017-9216 mupdf: jbig2dec: Null pointer dereference in jbig2_huffman_get() [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1456731 [ 2 ] Bug #1500016 - CVE-2017-14685 CVE-2017-14686 CVE-2017-14687 CVE-2017-15369 CVE-2017-15587 mupdf: various flaws [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1500016 -------------------------------------------------------------------------------- ================================================================================ nsd-4.1.18-1.fc25 (FEDORA-2017-7c17b02a53) Fast and lean authoritative DNS Name Server -------------------------------------------------------------------------------- Update Information: Updated to 4.1.18 -------------------------------------------------------------------------------- ================================================================================ pdns-recursor-4.0.7-1.fc25 (FEDORA-2017-81fe39ad9f) Modern, advanced and high performance recursing/non authoritative name server -------------------------------------------------------------------------------- Update Information: Update to latest version. Contains security fixes for CVE-2017-15090, CVE-2017-15092, CVE-2017-15093 and CVE-2017-15094 -------------------------------------------------------------------------------- ================================================================================ perl-File-Fetch-0.56-1.fc25 (FEDORA-2017-5f1cc0ebc3) Generic file fetching mechanism -------------------------------------------------------------------------------- Update Information: This blacklists lftp tool on HPUX. We deliver it only to provide an up-to-date version string. -------------------------------------------------------------------------------- ================================================================================ perl-experimental-0.018-1.fc25 (FEDORA-2017-873701e2a9) Experimental features made easy -------------------------------------------------------------------------------- Update Information: This release fixes execution when warnings are enabled. -------------------------------------------------------------------------------- ================================================================================ python-2.7.13-3.fc25 (FEDORA-2017-6be762ea64) An interpreted, interactive, object-oriented programming language -------------------------------------------------------------------------------- Update Information: Security fix for CVE-2017-1000158 -------------------------------------------------------------------------------- References: [ 1 ] Bug #1519595 - CVE-2017-1000158 python: Integer overflow in PyString_DecodeEscape results in heap-base buffer overflow https://bugzilla.redhat.com/show_bug.cgi?id=1519595 -------------------------------------------------------------------------------- ================================================================================ qt5-qtwebengine-5.9.3-1.fc25 (FEDORA-2017-9015553e3d) Qt5 - QtWebEngine components -------------------------------------------------------------------------------- Update Information: An update of QtWebEngine to the security and bugfix release 5.9.3, including: * Security fixes from Chromium up to version 62.0.3202.89. Including: CVE-2017-5124, CVE-2017-5126, CVE-2017-5127, CVE-2017-5128, CVE-2017-5129, CVE-2017-5132, CVE-2017-5133, CVE-2017-15386, CVE-2017-15387, CVE-2017-15388, CVE-2017-15390, CVE-2017-15392, CVE-2017-15394, CVE-2017-15396, CVE-2017-15398. * QtWebEngineCore: [QTBUG-64032] Fix crash after resizing view to be empty. * QtWebEngine[QML]: Fix loading some favicons including qt.io's * QtWebEngineWidgets: [QTBUG-62147] Fix crash on shutdown if a QWebEngineProfile was child of QApplication. -------------------------------------------------------------------------------- ================================================================================ redis-4.0.4-1.fc25 (FEDORA-2017-9c179d4157) A persistent key-value database -------------------------------------------------------------------------------- Update Information: Upstream 4.0.4 release. -------------------------------------------------------------------------------- References: [ 1 ] Bug #1513594 - man pages in unexpected package https://bugzilla.redhat.com/show_bug.cgi?id=1513594 [ 2 ] Bug #1515417 - file /usr/share/doc/redis is not owned by any package https://bugzilla.redhat.com/show_bug.cgi?id=1515417 -------------------------------------------------------------------------------- ================================================================================ rubygem-yard-0.8.7.6-4.fc25 (FEDORA-2017-ca05b30e86) Documentation tool for consistent and usable documentation in Ruby -------------------------------------------------------------------------------- Update Information: Fix to directory traversal attacks (CVE-2017-17042). -------------------------------------------------------------------------------- References: [ 1 ] Bug #1519065 - CVE-2017-17042 rubygem-yard: (lib/yard/core_ext/file.rb) is vulnerable to directory traversal attacks https://bugzilla.redhat.com/show_bug.cgi?id=1519065 -------------------------------------------------------------------------------- ================================================================================ slick-greeter-1.1.3-1.fc25 (FEDORA-2017-c63a3ac4cf) A slick-looking LightDM greeter -------------------------------------------------------------------------------- Update Information: - New upstream release - Match initial background color with default plymouth theme - General cleanup -------------------------------------------------------------------------------- ================================================================================ spatialindex-1.8.5-8.fc25 (FEDORA-2017-2a1f3330d6) Spatial index library -------------------------------------------------------------------------------- Update Information: Fix array allocation in Index_GetLeaves https://github.com/libspatialindex/libspatialindex/pull/108 -------------------------------------------------------------------------------- ================================================================================ thunderbird-52.5.0-1.fc25 (FEDORA-2017-e584e3c8a3) Mozilla Thunderbird mail/newsgroup client -------------------------------------------------------------------------------- Update Information: Update to the latest upstream stable version. -------------------------------------------------------------------------------- ================================================================================ tio-1.27-1.fc25 (FEDORA-2017-755feb55d1) Simple TTY terminal I/O application -------------------------------------------------------------------------------- Update Information: tio v1.27 ========= * Update man page * Add support for setting non- standard baudrates * Support for non-standard baudrate settings will be automatically enabled if the termios2 interface is detected available. However, to play it safe, the old and widely supported termios interface will still be used when setting standard baudrates. * Cleanup * Update AUTHORS tio v1.26 ========= * Reconfigure stdin * Make stdin behave more raw'ish. In particular, don't translate CR -> NL on input. * Add special character map feature * Add a --map option which allows to map special characters, in particular CR and NL characters which are used in various combinations on varios platforms. * Cleanup * Update AUTHORS * Update README * Mention website * Update man page -------------------------------------------------------------------------------- ================================================================================ torrent-file-editor-0.3.8-1.fc25 (FEDORA-2017-bf3dfc623b) Qt based GUI tool designed to create and edit .torrent files -------------------------------------------------------------------------------- Update Information: Bump to v0.3.8 -------------------------------------------------------------------------------- ================================================================================ unbound-1.6.7-1.fc25 (FEDORA-2017-0695fc434e) Validating, recursive, and caching DNS(SEC) resolver -------------------------------------------------------------------------------- Update Information: Updated to 1.6.7 (minor bugfixes) -------------------------------------------------------------------------------- _______________________________________________ test mailing list -- test@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to test-leave@xxxxxxxxxxxxxxxxxxxxxxx
