The following Fedora 27 Security updates need testing:
 Age  URL
  41  https://bodhi.fedoraproject.org/updates/FEDORA-2018-1ec1cd6db3   bro-2.5.3-1.fc27
  27  https://bodhi.fedoraproject.org/updates/FEDORA-2018-52d79f4f36   dovecot-2.2.34-1.fc27
  23  https://bodhi.fedoraproject.org/updates/FEDORA-2018-e38f759144   python-bleach-2.1.3-1.fc27
  23  https://bodhi.fedoraproject.org/updates/FEDORA-2018-8ff86925c3   memcached-1.5.6-1.fc27
  16  https://bodhi.fedoraproject.org/updates/FEDORA-2018-c923533479   webkitgtk4-2.20.0-1.fc27
  12  https://bodhi.fedoraproject.org/updates/FEDORA-2018-7c2e0a998d   acpica-tools-20180209-1.fc27
  12  https://bodhi.fedoraproject.org/updates/FEDORA-2018-ad652798b8   mosquitto-1.4.15-1.fc27
  10  https://bodhi.fedoraproject.org/updates/FEDORA-2018-50f0da5d38   tomcat-8.0.50-1.fc27
   9  https://bodhi.fedoraproject.org/updates/FEDORA-2018-223d8fc52a   java-1.8.0-openjdk-aarch32-1.8.0.161-1.180220.fc27
   6  https://bodhi.fedoraproject.org/updates/FEDORA-2018-c442aad4dc   exempi-2.4.5-1.fc27
   3  https://bodhi.fedoraproject.org/updates/FEDORA-2018-2f9d3604d6   librelp-1.2.15-1.fc27
   1  https://bodhi.fedoraproject.org/updates/FEDORA-2018-1217b02061   bchunk-1.2.2-1.fc27
   1  https://bodhi.fedoraproject.org/updates/FEDORA-2018-12f92ff831   php-7.1.16-1.fc27
   0  https://bodhi.fedoraproject.org/updates/FEDORA-2018-ecf73042e3   libuv-1.19.2-1.fc27 nodejs-8.11.0-1.fc27
   0  https://bodhi.fedoraproject.org/updates/FEDORA-2018-143886fdbd   drupal7-7.58-1.fc27
   0  https://bodhi.fedoraproject.org/updates/FEDORA-2018-6e6d8c314b   drupal8-8.4.6-1.fc27
   0  https://bodhi.fedoraproject.org/updates/FEDORA-2018-e06468b832   libid3tag-0.15.1b-25.fc27

The following Fedora 27 Critical Path updates have yet to be approved:
 Age  URL
  27  https://bodhi.fedoraproject.org/updates/FEDORA-2018-1c31f1eccd   iptables-1.6.2-2.fc27 libnftnl-1.0.9-2.fc27 nftables-0.8.2-2.fc27
  16  https://bodhi.fedoraproject.org/updates/FEDORA-2018-c923533479   webkitgtk4-2.20.0-1.fc27
  12  https://bodhi.fedoraproject.org/updates/FEDORA-2018-55a6726164   PackageKit-1.1.9-2.fc27
      gnome-software-3.28.0-4.fc27 libappstream-glib-0.7.7-2.fc27
   9  https://bodhi.fedoraproject.org/updates/FEDORA-2018-95dac71a1c   pcre-8.42-1.fc27
   9  https://bodhi.fedoraproject.org/updates/FEDORA-2018-e344a6d79b   xfce4-settings-4.12.3-1.fc27
   7  https://bodhi.fedoraproject.org/updates/FEDORA-2018-adbc1da28c   pcre2-10.31-4.fc27
   6  https://bodhi.fedoraproject.org/updates/FEDORA-2018-c442aad4dc   exempi-2.4.5-1.fc27
   2  https://bodhi.fedoraproject.org/updates/FEDORA-2018-3255279d3d   satyr-0.25-2.fc27
   1  https://bodhi.fedoraproject.org/updates/FEDORA-2018-4e2a6c0c93   libtirpc-1.0.3-1.fc27
   1  https://bodhi.fedoraproject.org/updates/FEDORA-2018-7128949eb5   enca-1.19-1.fc27
   1  https://bodhi.fedoraproject.org/updates/FEDORA-2018-26de7be74c   libreport-2.9.3-3.fc27
   0  https://bodhi.fedoraproject.org/updates/FEDORA-2018-2d1858d4d1   passwd-0.80-1.fc27
   0  https://bodhi.fedoraproject.org/updates/FEDORA-2018-6900d92768   publicsuffix-list-20180328-1.fc27
   0  https://bodhi.fedoraproject.org/updates/FEDORA-2018-13dc9b1bf6   exo-0.12.0-3.fc27 xfce4-screenshooter-1.9.1-1.fc27

The following builds have been pushed to Fedora 27 updates-testing

    amarok-2.9.0-1.fc27
    ansifilter-2.10-1.fc27
    dmlite-1.10.1-3.fc27
    highlight-3.42-1.fc27
    httpd-2.4.33-1.fc27
    jgoodies-common-1.8.1-1.fc27
    kernel-4.15.14-300.fc27
    krb5-1.15.2-8.fc27
    lollypop-0.9.403-1.fc27
    mariadb-10.2.14-1.fc27
    mate-themes-3.22.16-1.fc27
    mod_http2-1.10.16-1.fc27
    openssl-1.1.0h-1.fc27
    podman-0.3.5-1.gitdb6bf9e.fc27
    python-entrypoints-0.2.3-5.fc27
    python37-3.7.0-0.14.b3.fc27
    salt-2017.7.5-1.fc27
    selinux-policy-3.13.1-283.30.fc27
    shotwell-0.28.1-1.fc27
    skopeo-0.1.29-1.git7add6fc.fc27
    sqlitebrowser-3.10.1-5.fc27

Details about builds:

================================================================================
 amarok-2.9.0-1.fc27 (FEDORA-2018-3d0fab95b6)
 Media player
--------------------------------------------------------------------------------
Update Information:

New upstream release, includes many bugfixes and improvements, see also:
https://amarok.kde.org/en/node/888
--------------------------------------------------------------------------------

================================================================================
 ansifilter-2.10-1.fc27 (FEDORA-2018-00436eefa8)
 ANSI terminal escape code converter
--------------------------------------------------------------------------------
Update Information:

- Updated to new 2.10 upstream version, fixes rhbz #1552957
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1552957 - ansifilter-2.10 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1552957
--------------------------------------------------------------------------------

================================================================================
 dmlite-1.10.1-3.fc27 (FEDORA-2018-0658b1d4ef)
 Lcgdm grid data management and storage framework
--------------------------------------------------------------------------------
Update Information:

dmlite 1.10 is a major update to DPM internals including Dome.
----
* new upstream release
--------------------------------------------------------------------------------

================================================================================
 highlight-3.42-1.fc27 (FEDORA-2018-7df97ca3e3)
 Universal source code to formatted text converter
--------------------------------------------------------------------------------
Update Information:

- Updated to new 3.42 upstream version
--------------------------------------------------------------------------------

================================================================================
 httpd-2.4.33-1.fc27 (FEDORA-2018-375e3244b6)
 Apache HTTP Server
--------------------------------------------------------------------------------
Update Information:

This update includes the latest upstream release of the Apache HTTP Server,
version 2.4.33. A number of security vulnerabilities are fixed in this release:

* *Low*: Possible out of bound read in mod_cache_socache (CVE-2018-1303)
* *Low*: Possible out of bound access after failure in reading the HTTP request (CVE-2018-1301)
* *Low*: Weak Digest auth nonce generation in mod_auth_digest (CVE-2018-1312)
* *Low*: <FilesMatch> bypass with a trailing newline in the file name (CVE-2017-15715)
* *Low*: Out of bound write in mod_authnz_ldap when using too small Accept-Language values (CVE-2017-15710)
* *Moderate*: Tampering of mod_session data for CGI applications (CVE-2018-1283)

For more information about changes in this release, see:
https://www.apache.org/dist/httpd/CHANGES_2.4.33
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1560174 - httpd-2.4.33 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1560174
  [ 2 ] Bug #1560618 - CVE-2017-15715 httpd: <FilesMatch> bypass with a trailing newline in the file name [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1560618
  [ 3 ] Bug #1560644 - CVE-2018-1301 httpd: Out of bound access after failure in reading the HTTP
        request [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1560644
  [ 4 ] Bug #1560635 - CVE-2018-1312 httpd: Weak Digest auth nonce generation in mod_auth_digest [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1560635
  [ 5 ] Bug #1560400 - CVE-2018-1303 httpd: http: Out of bounds read in mod_cache_socache can allow a remote attacker to cause a denial of service [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1560400
  [ 6 ] Bug #1560396 - CVE-2018-1283 httpd: Improper handling of headers in mod_session can allow a remote user to modify session data for CGI applications [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1560396
  [ 7 ] Bug #1560616 - CVE-2017-15710 httpd: Out of bound write in mod_authnz_ldap when using too small Accept-Language values [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1560616
--------------------------------------------------------------------------------

================================================================================
 jgoodies-common-1.8.1-1.fc27 (FEDORA-2018-12b3bd191c)
 Common library shared by JGoodies libraries and applications
--------------------------------------------------------------------------------
Update Information:

* Marked classes ArrayListModel and LinkedListModel as final.
* Replaced files package.html by package-info.java.
--------------------------------------------------------------------------------

================================================================================
 kernel-4.15.14-300.fc27 (FEDORA-2018-7802740586)
 The Linux kernel
--------------------------------------------------------------------------------
Update Information:

The 4.15.14 update contains a number of important fixes across the tree.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1558977 - NFS mounts failing when keytab present
        https://bugzilla.redhat.com/show_bug.cgi?id=1558977
--------------------------------------------------------------------------------

================================================================================
 krb5-1.15.2-8.fc27 (FEDORA-2018-04d2f01b78)
 The Kerberos network authentication system
--------------------------------------------------------------------------------
Update Information:

Fix issue with calling `kdestroy -A` when the ccache is KCM
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1561917 - kdestroy -A does not work with multiple principals when using KCM
        https://bugzilla.redhat.com/show_bug.cgi?id=1561917
--------------------------------------------------------------------------------

================================================================================
 lollypop-0.9.403-1.fc27 (FEDORA-2018-41027994c7)
 Music player for GNOME
--------------------------------------------------------------------------------
Update Information:

Update to 0.9.403
----
- Update lollypop-portal to 0.9.7
----
Update to 0.9.402
----
Update to 0.9.401
----
Update to 0.9.400
--------------------------------------------------------------------------------

================================================================================
 mariadb-10.2.14-1.fc27 (FEDORA-2018-dd7f4bd9d5)
 A community developed branch of MySQL
--------------------------------------------------------------------------------
Update Information:

**MariaDB 10.2.14**
Release notes: https://mariadb.com/kb/en/library/mariadb-10214-release-notes/

Maintainer Update
I do now consider Spider storage engine ready to use in Fedora, as I was finally
able to run its testsuite successfully

Upstream Warning
Upgrading from earlier 10.2.x versions is highly recommended for all Galera users due to
bug MDEV-12837 which caused serious stability issues with earlier versions. See
the bug issue page for more information.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1561251 - mariadb-10.2.14 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1561251
--------------------------------------------------------------------------------

================================================================================
 mate-themes-3.22.16-1.fc27 (FEDORA-2018-f36a0bbffd)
 MATE Desktop themes
--------------------------------------------------------------------------------
Update Information:

- update to 3.22.16
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1559045 - gtk+ "Foreign drawing" broken under MATE
        https://bugzilla.redhat.com/show_bug.cgi?id=1559045
--------------------------------------------------------------------------------

================================================================================
 mod_http2-1.10.16-1.fc27 (FEDORA-2018-0a95bff197)
 module implementing HTTP/2 for Apache 2
--------------------------------------------------------------------------------
Update Information:

This update includes the latest upstream release of mod_http2, version 1.10.16.
This includes a security fix (CVE-2018-1302): When an HTTP/2 stream was
destroyed after being handled, mod_http2 could have written a NULL pointer
potentially to an already freed memory. The memory pools maintained by the
server make this vulnerability hard to trigger in usual configurations, the
reporter and the team could not reproduce it outside debug builds, so it is
classified as low risk.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1561570 - CVE-2018-1302 mod_http2: httpd: Use-after-free on HTTP/2 stream shutdown [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1561570
  [ 2 ] Bug #1560627 - CVE-2018-1302 httpd: Use-after-free on HTTP/2 stream shutdown [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1560627
--------------------------------------------------------------------------------

================================================================================
 openssl-1.1.0h-1.fc27 (FEDORA-2018-76afaf1961)
 Utilities from the general purpose cryptography library with TLS implementation
--------------------------------------------------------------------------------
Update Information:

Minor update to version 1.1.0h.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1561260 - CVE-2018-0733 openssl: Implementation bug in PA-RISC CRYPTO_memcmp function allows attackers to forge authenticated messages in a reduced number of attempts
        https://bugzilla.redhat.com/show_bug.cgi?id=1561260
  [ 2 ] Bug #1561266 - CVE-2018-0739 openssl: Handling of crafted recursive ASN.1 structures can cause a stack overflow and resulting denial of service
        https://bugzilla.redhat.com/show_bug.cgi?id=1561266
--------------------------------------------------------------------------------

================================================================================
 podman-0.3.5-1.gitdb6bf9e.fc27 (FEDORA-2018-fcedb23729)
 Manage Pods, Containers and Container Images
--------------------------------------------------------------------------------
Update Information:

Upstream release 0.3.5
--------------------------------------------------------------------------------

================================================================================
 python-entrypoints-0.2.3-5.fc27 (FEDORA-2018-13b54a0aba)
 Discover and load entry points from installed
 packages
--------------------------------------------------------------------------------
Update Information:

provide dist-info
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1530098 - entrypoints version issue
        https://bugzilla.redhat.com/show_bug.cgi?id=1530098
--------------------------------------------------------------------------------

================================================================================
 python37-3.7.0-0.14.b3.fc27 (FEDORA-2018-5462c32db4)
 Version 3.7 of the Python interpreter
--------------------------------------------------------------------------------
Update Information:

Update to 3.7.0b3
--------------------------------------------------------------------------------

================================================================================
 salt-2017.7.5-1.fc27 (FEDORA-2018-c4cdd53a52)
 A parallel remote execution system
--------------------------------------------------------------------------------
Update Information:

Update to feature release 2017.7.5-1 for Python 2
----
Update to feature release 2017.7.4
--------------------------------------------------------------------------------

================================================================================
 selinux-policy-3.13.1-283.30.fc27 (FEDORA-2018-b3791c3118)
 SELinux policy configuration
--------------------------------------------------------------------------------
Update Information:

More info: https://koji.fedoraproject.org/koji/buildinfo?buildID=1063903
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1561755 - SELinux is preventing sh from 'connectto' accesses on the unix_stream_socket /var/lib/sss/pipes/nss.
        https://bugzilla.redhat.com/show_bug.cgi?id=1561755
  [ 2 ] Bug #1561295 - SELinux is preventing postmap from read, write access on the chr_file /dev/pts/6.
        https://bugzilla.redhat.com/show_bug.cgi?id=1561295
  [ 3 ] Bug #1560816 - SELinux is preventing mdadm from 'read' accesses on the blk_file md0p1.
        https://bugzilla.redhat.com/show_bug.cgi?id=1560816
  [ 4 ] Bug #1501331 - None
        https://bugzilla.redhat.com/show_bug.cgi?id=1501331
--------------------------------------------------------------------------------

================================================================================
 shotwell-0.28.1-1.fc27 (FEDORA-2018-4a0f4e66af)
 A photo organizer for the GNOME desktop
--------------------------------------------------------------------------------
Update Information:

shotwell 0.28.1 release, with a number of bug fixes and translation updates
compared to the previous 0.27.x releases in Fedora 27. For details, see
https://mail.gnome.org/archives/ftp-release-list/2018-March/msg00231.html
--------------------------------------------------------------------------------

================================================================================
 skopeo-0.1.29-1.git7add6fc.fc27 (FEDORA-2018-e98514e9ae)
 Inspect Docker images and repositories on registries
--------------------------------------------------------------------------------
Update Information:

docker-archive generates docker legacy compatible images
Do not create $DiffID subdirectories for layers with no configs
Ensure the layer IDs in legacy docker/tarfile metadata are unique
docker-archive: repeated layers are symlinked in the tar file
sysregistries: remove all trailing slashes
Improve docker/* error messages
Fix failure to make auth directory
Create a new slice in Schema1.UpdateLayerInfos
Drop unused storageImageDestination.{image,systemContext}
Load a *storage.Image only once in storageImageSource
Support gzip for docker-archive files
Remove .tar extension from blob and config file names
ostree, src: support copy of compressed layers
ostree: re-pull layer if it misses uncompressed_digest|uncompressed_size
image: fix docker schema v1 -> OCI conversion
Add /etc/containers/certs.d as default certs directory
--------------------------------------------------------------------------------

================================================================================
 sqlitebrowser-3.10.1-5.fc27 (FEDORA-2018-94adafd7b5)
 Create, design, and edit SQLite database files
--------------------------------------------------------------------------------
Update Information:

This update fixes an issue where the sqlitebrowser application could not be
minimized in certain desktop environments, including GNOME Shell.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1561976 - Unable to minimize and to switch workspaces
        https://bugzilla.redhat.com/show_bug.cgi?id=1561976
--------------------------------------------------------------------------------