The following Fedora 27 Security updates need testing:
 Age  URL
 269  https://bodhi.fedoraproject.org/updates/FEDORA-2018-1ec1cd6db3   bro-2.5.3-1.fc27
 201  https://bodhi.fedoraproject.org/updates/FEDORA-2018-8dc6395408   dpdk-17.08.2-1.fc27
 164  https://bodhi.fedoraproject.org/updates/FEDORA-2018-3b33f65b01   nodejs-brace-expansion-1.1.11-1.fc27
 156  https://bodhi.fedoraproject.org/updates/FEDORA-2018-a748acc219   unrtf-0.21.9-8.fc27
 132  https://bodhi.fedoraproject.org/updates/FEDORA-2018-f6ccdeb750   mailman-2.1.21-9.fc27
 132  https://bodhi.fedoraproject.org/updates/FEDORA-2018-bc864bb9e1   openslp-2.0.0-15.fc27
  90  https://bodhi.fedoraproject.org/updates/FEDORA-2018-21ffebf41c   tomcat-8.0.53-1.fc27
  90  https://bodhi.fedoraproject.org/updates/FEDORA-2018-e8533a3ef1   unixODBC-2.3.7-1.fc27
  39  https://bodhi.fedoraproject.org/updates/FEDORA-2018-fc2ba807a6   xerces-c27-2.7.0-28.fc27
  12  https://bodhi.fedoraproject.org/updates/FEDORA-2018-4c0b99a9eb   drupal7-7.60-2.fc27
  12  https://bodhi.fedoraproject.org/updates/FEDORA-2018-60c74d2b16   php-Smarty2-2.6.31-2.fc27
  12  https://bodhi.fedoraproject.org/updates/FEDORA-2018-e9d1ec6dbc   lldpad-1.0.1-9.git036e314.fc27
  12  https://bodhi.fedoraproject.org/updates/FEDORA-2018-fc3018b1bd   NetworkManager-1.8.8-2.fc27
  12  https://bodhi.fedoraproject.org/updates/FEDORA-2018-41320b315a   python-requests-2.20.0-1.fc27
  10  https://bodhi.fedoraproject.org/updates/FEDORA-2018-cca4732a99   thunderbird-60.3.0-1.fc27
   6  https://bodhi.fedoraproject.org/updates/FEDORA-2018-91ba32a0ff   subscription-manager-1.24.2-1.fc27
   5  https://bodhi.fedoraproject.org/updates/FEDORA-2018-c73d257297   cabextract-1.9-1.fc27 libmspack-0.9.1-0.1.alpha.fc27
   4  https://bodhi.fedoraproject.org/updates/FEDORA-2018-5a1e2759aa   pdns-4.1.5-1.fc27
   4  https://bodhi.fedoraproject.org/updates/FEDORA-2018-d05860129f   suricata-4.0.6-1.fc27
   3  https://bodhi.fedoraproject.org/updates/FEDORA-2018-f5ea6a9f81   postgresql-9.6.11-1.fc27
   2  https://bodhi.fedoraproject.org/updates/FEDORA-2018-fe24359b69   xen-4.9.3-3.fc27
   1  https://bodhi.fedoraproject.org/updates/FEDORA-2018-5201a9c4dc   kde-connect-1.3.3-1.fc27


The following Fedora 27 Critical Path updates have yet to be approved:
 Age  URL
 185  https://bodhi.fedoraproject.org/updates/FEDORA-2018-25d5c86330   libidn-1.34-2.fc27 mcabber-1.1.0-1.fc27.1 pidgin-2.13.0-1.fc27.1 python-slixmpp-1.3.0-5.fc27.1
 145  https://bodhi.fedoraproject.org/updates/FEDORA-2018-200dba6b93   upower-0.99.8-1.fc27
 109  https://bodhi.fedoraproject.org/updates/FEDORA-2018-05a68ea22e   geoclue2-2.4.11-1.fc27
  90  https://bodhi.fedoraproject.org/updates/FEDORA-2018-20c3deae24   iproute-4.17.0-1.fc27
  12  https://bodhi.fedoraproject.org/updates/FEDORA-2018-653a7a63f1   pungi-4.1.30-1.fc27
  12  https://bodhi.fedoraproject.org/updates/FEDORA-2018-41320b315a   python-requests-2.20.0-1.fc27
  12  https://bodhi.fedoraproject.org/updates/FEDORA-2018-fc3018b1bd   NetworkManager-1.8.8-2.fc27
  12  https://bodhi.fedoraproject.org/updates/FEDORA-2018-e9d1ec6dbc   lldpad-1.0.1-9.git036e314.fc27
  11  https://bodhi.fedoraproject.org/updates/FEDORA-2018-2a541500c4   pcre2-10.32-4.fc27
  11  https://bodhi.fedoraproject.org/updates/FEDORA-2018-e093a9ce9c   hwdata-0.317-1.fc27
  10  https://bodhi.fedoraproject.org/updates/FEDORA-2018-553390b29e   osinfo-db-20181101-1.fc27
  10  https://bodhi.fedoraproject.org/updates/FEDORA-2018-cca4732a99   thunderbird-60.3.0-1.fc27
  10  https://bodhi.fedoraproject.org/updates/FEDORA-2018-31e9aff03c   pcre-8.42-5.fc27
   5  https://bodhi.fedoraproject.org/updates/FEDORA-2018-60c60bb5ab   kernel-tools-4.18.17-100.fc27 kernel-headers-4.18.17-100.fc27 kernel-4.18.17-100.fc27
   5  https://bodhi.fedoraproject.org/updates/FEDORA-2018-6c6faa135b   selinux-policy-3.13.1-284.38.fc27
   4  https://bodhi.fedoraproject.org/updates/FEDORA-2018-9ead2a6776   firefox-63.0.1-5.fc27
   3  https://bodhi.fedoraproject.org/updates/FEDORA-2018-ce9924c3ba   libdnf-0.11.1-2.fc27
   3  https://bodhi.fedoraproject.org/updates/FEDORA-2018-537a8330dc   vim-8.1.513-2.fc27
   2  https://bodhi.fedoraproject.org/updates/FEDORA-2018-fe24359b69   xen-4.9.3-3.fc27


The following builds have been pushed to Fedora 27 updates-testing

    chromium-70.0.3538.77-4.fc27
    flatpak-1.0.5-2.fc27
    kernel-4.18.18-100.fc27
    kernel-headers-4.18.18-100.fc27
    perl-Object-Tiny-1.09-1.fc27
    perl-RT-Client-REST-0.54-1.fc27
    rust-1.30.1-7.fc27
    valgrind-3.14.0-1.fc27

Details about builds:


================================================================================
 chromium-70.0.3538.77-4.fc27 (FEDORA-2018-0363fec36c)
 A WebKit (Blink) powered web browser
--------------------------------------------------------------------------------
Update Information:

Update to chromium 70.0.3538.77. Fixes CVE-2018-16435 CVE-2018-17462
CVE-2018-17463 CVE-2018-17464 CVE-2018-17465 CVE-2018-17466 CVE-2018-17467
CVE-2018-17468 CVE-2018-17469 CVE-2018-17470 CVE-2018-17471 CVE-2018-17473
CVE-2018-17474 CVE-2018-17475 CVE-2018-17476 CVE-2018-5179 CVE-2018-17477
--------------------------------------------------------------------------------
ChangeLog:

* Wed Nov 7 2018 Tom Callaway <spot@xxxxxxxxxxxxxxxxx> - 70.0.3538.77-4
- fix library requires filtering
* Tue Nov 6 2018 Tom Callaway <spot@xxxxxxxxxxxxxxxxx> - 70.0.3538.77-3
- fix build with harfbuzz2 in rawhide
* Mon Nov 5 2018 Tom Callaway <spot@xxxxxxxxxxxxxxxxx> - 70.0.3538.77-2
- drop jumbo_file_merge_limit to 8 to (hopefully) avoid OOMs on aarch64
* Fri Nov 2 2018 Tom Callaway <spot@xxxxxxxxxxxxxxxxx> - 70.0.3538.77-1
- .77 came out while I was working on this. :/
* Fri Nov 2 2018 Tom Callaway <spot@xxxxxxxxxxxxxxxxx> - 70.0.3538.67-1
- update to 70
* Tue Oct 16 2018 Tom Callaway <spot@xxxxxxxxxxxxxxxxx> - 69.0.3497.100-2
- do not play with fonts on freeworld builds
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1640118 - chromium-browser: Heap buffer overflow in lcms in PDFium
        https://bugzilla.redhat.com/show_bug.cgi?id=1640118
  [ 2 ] Bug #1640115 - CVE-2018-17477 chromium-browser: UI spoof in Extensions
        https://bugzilla.redhat.com/show_bug.cgi?id=1640115
  [ 3 ] Bug #1640114 - CVE-2018-5179 chromium-browser: Lack of limits on update() in ServiceWorker
        https://bugzilla.redhat.com/show_bug.cgi?id=1640114
  [ 4 ] Bug #1640113 - CVE-2018-17476 chromium-browser: Security UI occlusion in full screen mode
        https://bugzilla.redhat.com/show_bug.cgi?id=1640113
  [ 5 ] Bug #1640112 - CVE-2018-17475 chromium-browser: URL spoof in Omnibox
        https://bugzilla.redhat.com/show_bug.cgi?id=1640112
  [ 6 ] Bug #1640111 - CVE-2018-17474 chromium-browser: Use after free in Blink
        https://bugzilla.redhat.com/show_bug.cgi?id=1640111
  [ 7 ] Bug #1640110 - CVE-2018-17473 chromium-browser: URL spoof in Omnibox
        https://bugzilla.redhat.com/show_bug.cgi?id=1640110
  [ 8 ] Bug #1640108 - CVE-2018-17472 chromium-browser: iframe sandbox escape on iOS
        https://bugzilla.redhat.com/show_bug.cgi?id=1640108
  [ 9 ] Bug #1640107 - CVE-2018-17471 chromium-browser: Security UI occlusion in full screen mode
        https://bugzilla.redhat.com/show_bug.cgi?id=1640107
  [ 10 ] Bug #1640106 - CVE-2018-17470 chromium-browser: Memory corruption in GPU Internals
        https://bugzilla.redhat.com/show_bug.cgi?id=1640106
  [ 11 ] Bug #1640105 - CVE-2018-17469 chromium-browser: Heap buffer overflow in PDFium
        https://bugzilla.redhat.com/show_bug.cgi?id=1640105
  [ 12 ] Bug #1640104 - CVE-2018-17468 chromium-browser: Cross-origin URL disclosure in Blink
        https://bugzilla.redhat.com/show_bug.cgi?id=1640104
  [ 13 ] Bug #1640103 - CVE-2018-17467 chromium-browser: URL spoof in Omnibox
        https://bugzilla.redhat.com/show_bug.cgi?id=1640103
  [ 14 ] Bug #1640102 - CVE-2018-17466 chromium-browser: Memory corruption in Angle
        https://bugzilla.redhat.com/show_bug.cgi?id=1640102
  [ 15 ] Bug #1640101 - CVE-2018-17465 chromium-browser: Use after free in V8
        https://bugzilla.redhat.com/show_bug.cgi?id=1640101
  [ 16 ] Bug #1640100 - CVE-2018-17464 chromium-browser: URL spoof in Omnibox
        https://bugzilla.redhat.com/show_bug.cgi?id=1640100
  [ 17 ] Bug #1640099 - CVE-2018-17463 chromium-browser: Remote code execution in V8
        https://bugzilla.redhat.com/show_bug.cgi?id=1640099
  [ 18 ] Bug #1640098 - CVE-2018-17462 chromium-browser: Sandbox escape in AppCache
        https://bugzilla.redhat.com/show_bug.cgi?id=1640098
--------------------------------------------------------------------------------


================================================================================
 flatpak-1.0.5-2.fc27 (FEDORA-2018-7daf712625)
 Application deployment framework for desktop apps
--------------------------------------------------------------------------------
Update Information:

flatpak 1.0.5 release.

There was a sandbox bug in the previous version where parts of the runtime /etc
were not mounted read-only. In case the runtime was installed as the user (not
the default) this means that the app could modify files on the runtime. Nothing
in the host uses the runtime files, so this is not a direct sandbox escape, but
it is possible that an app can confuse a different app that has higher
permissions and so gain privileges.

Detailed changes:

* Make the /etc -> /usr/etc bind-mounts read-only.
* Make various app-specific configuration files read-only.
* flatpak is more picky about remote names to avoid problems with storing weird
  names in the ostree config.
* A segfault in libflatpak handling of bundles was fixed.
* Updated translations
* Fixed a regression in flatpak run that caused problems running user-installed
  apps when the system installation was broken.

In addition to upstream changes, this update also fixes a packaging issue and
adds a missing dependency on p11-kit-server to fix accessing host TLS
certificates.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Nov 12 2018 Kalev Lember <klember@xxxxxxxxxx> - 1.0.5-2
- Recommend p11-kit-server instead of just p11-kit (#1649049)
* Mon Nov 12 2018 Kalev Lember <klember@xxxxxxxxxx> - 1.0.5-1
- Update to 1.0.5
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1649049 - missing dependency on p11-kit-server
        https://bugzilla.redhat.com/show_bug.cgi?id=1649049
--------------------------------------------------------------------------------


================================================================================
 kernel-4.18.18-100.fc27 (FEDORA-2018-f8cb49d9e2)
 The Linux kernel
--------------------------------------------------------------------------------
Update Information:

The 4.18.18 update contains a number of important fixes across the tree
--------------------------------------------------------------------------------
ChangeLog:

* Mon Nov 12 2018 Laura Abbott <labbott@xxxxxxxxxx> - 4.18.18-100
- Linux v4.18.18
* Mon Nov 5 2018 Laura Abbott <labbott@xxxxxxxxxx> - 4.18.17-100
- Linux v4.18.17
* Tue Oct 23 2018 Laura Abbott <labbott@xxxxxxxxxx>
- Add i915 eDP fixes
--------------------------------------------------------------------------------


================================================================================
 kernel-headers-4.18.18-100.fc27 (FEDORA-2018-f8cb49d9e2)
 Header files for the Linux kernel for use by glibc
--------------------------------------------------------------------------------
Update Information:

The 4.18.18 update contains a number of important fixes across the tree
--------------------------------------------------------------------------------
ChangeLog:

* Mon Nov 12 2018 Laura Abbott <labbott@xxxxxxxxxx> - 4.18.18-100
- Linux v4.18.18
* Mon Nov 5 2018 Laura Abbott <labbott@xxxxxxxxxx> - 4.18.17-100
- Linux v4.18.17
--------------------------------------------------------------------------------


================================================================================
 perl-Object-Tiny-1.09-1.fc27 (FEDORA-2018-89de4d1b01)
 Class building as simple as it gets
--------------------------------------------------------------------------------
Update Information:

This release improves a build script and documentation.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Nov 12 2018 Petr Pisar <ppisar@xxxxxxxxxx> - 1.09-1
- 1.09 bump
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1648875 - Upgrade perl-Object-Tiny to 1.09
        https://bugzilla.redhat.com/show_bug.cgi?id=1648875
--------------------------------------------------------------------------------


================================================================================
 perl-RT-Client-REST-0.54-1.fc27 (FEDORA-2018-07f39a9c85)
 Talk to RT using REST protocol
--------------------------------------------------------------------------------
Update Information:

This release fixes white space handling in attachments and handling a 401 HTTP
response.

----

This release exposes CC and Admin CC addresses on Queues.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Nov 12 2018 Petr Pisar <ppisar@xxxxxxxxxx> - 0.54-1
- 0.54 bump
* Tue Nov 6 2018 Petr Pisar <ppisar@xxxxxxxxxx> - 0.53-1
- 0.53 bump
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1648877 - Upgrade perl-RT-Client-REST to 0.54
        https://bugzilla.redhat.com/show_bug.cgi?id=1648877
  [ 2 ] Bug #1646997 - Upgrade perl-RT-Client-REST to 0.53
        https://bugzilla.redhat.com/show_bug.cgi?id=1646997
--------------------------------------------------------------------------------


================================================================================
 rust-1.30.1-7.fc27 (FEDORA-2018-d730b3fff8)
 The Rust Programming Language
--------------------------------------------------------------------------------
Update Information:

Fixes a compiler panic in some cases of building documentation -- see the
release notes for [1.30.1](https://blog.rust-lang.org/2018/11/08/Rust-1.30.1.html).
--------------------------------------------------------------------------------
ChangeLog:

* Thu Nov 8 2018 Josh Stone <jistone@xxxxxxxxxx> - 1.30.1-7
- Update to 1.30.1.
--------------------------------------------------------------------------------


================================================================================
 valgrind-3.14.0-1.fc27 (FEDORA-2018-d509722832)
 Tool for finding memory management bugs in programs
--------------------------------------------------------------------------------
Update Information:

valgrind 3.14.0 final.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Oct 9 2018 Mark Wielaard <mjw@xxxxxxxxxxxxxxxxx> - 3.14.0-1
- valgrind 3.14.0 final.
* Thu Oct 4 2018 Mark Wielaard <mjw@xxxxxxxxxxxxxxxxx> - 3.14.0-0.2.RC2
- Upgrade to RC2.
- Drop valgrind-3.14.0-add-vector-h.patch.
* Fri Sep 14 2018 Mark Wielaard <mjw@xxxxxxxxxxxxxxxxx> - 3.14.0-0.1.GIT
- New upstream (pre-)release.
- Add valgrind-3.14.0-add-vector-h.patch.
* Fri Aug 10 2018 Mark Wielaard <mjw@xxxxxxxxxxxxxxxxx> - 3.13.0-28
- Add valgrind-3.13.0-utime.patch
* Fri Aug 3 2018 Mark Wielaard <mjw@xxxxxxxxxxxxxxxxx> - 3.13.0-27
- Add valgrind-3.13.0-ppc64-xsmaxcdp.patch
* Fri Aug 3 2018 Mark Wielaard <mjw@xxxxxxxxxxxxxxxxx> - 3.13.0-26
- Use valgrind_arches for ExclusiveArch when defined.
- Use restorecon for scl on rhel6 to work around rpm bug (#1610676).
* Tue Jul 31 2018 Mark Wielaard <mjw@xxxxxxxxxxxxxxxxx> - 3.13.0-25
- Add valgrind-3.13.0-x86-arch_prctl.patch (#1610304)
* Tue Jul 31 2018 Florian Weimer <fweimer@xxxxxxxxxx> - 3.13.0-24
- Rebuild with fixed binutils
* Fri Jul 27 2018 Mark Wielaard <mjw@xxxxxxxxxxxxxxxxx> - 3.13.0-23
- Remove valgrind-3.13.0-arm-disable-vfp-test.patch
* Thu Jul 26 2018 Mark Wielaard <mjw@xxxxxxxxxxxxxxxxx> - 3.13.0-22
- Add valgrind-3.13.0-arch_prctl.patch (#1608824)
* Thu Jul 12 2018 Mark Wielaard <mjw@xxxxxxxxxxxxxxxxx> - 3.13.0-21
- Add valgrind-3.13.0-separate-code.patch (#1600034)
- Add valgrind-3.13.0-arm-disable-vfp-test.patch
* Thu Jul 5 2018 Mark Wielaard <mjw@xxxxxxxxxxxxxxxxx> - 3.13.0-20
- Don't try a full_regtest under scl, also don't adjust PATH.
* Thu Apr 12 2018 Mark Wielaard <mjw@xxxxxxxxxxxxxxxxx> - 3.13.0-19
- Improved valgrind-3.13.0-arm64-hwcap.patch
- Add valgrind-3.13.0-arm64-ptrace.patch
* Thu Apr 12 2018 Mark Wielaard <mjw@xxxxxxxxxxxxxxxxx> - 3.13.0-18
- Add valgrind-3.13.0-build-id-phdrs.patch (#1566639)
* Tue Feb 27 2018 Mark Wielaard <mjw@xxxxxxxxxxxxxxxxx> - 3.13.0-17
- Add valgrind-3.13.0-ppc64-mtfprwa-constraint.patch.
* Fri Feb 9 2018 Fedora Release Engineering <releng@xxxxxxxxxxxxxxxxx> - 1:3.13.0-16
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Tue Jan 23 2018 Mark Wielaard <mjw@xxxxxxxxxxxxxxxxx> - 3.13.0-15
- Split valgrind-tools-devel from valgrind-devel.
- Make building of libmpi wrapper explicit.
* Mon Jan 22 2018 Mark Wielaard <mjw@xxxxxxxxxxxxxxxxx> - 3.13.0-14
- undefine _strict_symbol_defs_build.
--------------------------------------------------------------------------------