The following Fedora 14 Security updates need testing:

 https://admin.fedoraproject.org/updates/telepathy-gabble-0.10.5-1.fc14
 https://admin.fedoraproject.org/updates/q-7.11-8.fc14
 https://admin.fedoraproject.org/updates/feh-1.10.1-1.fc14
 https://admin.fedoraproject.org/updates/socat-1.7.1.3-1.fc14
 https://admin.fedoraproject.org/updates/patch-2.6.1-8.fc14
 https://admin.fedoraproject.org/updates/asterisk-1.6.2.16.2-1.fc14
 https://admin.fedoraproject.org/updates/phpMyAdmin-3.3.9.2-1.fc14
 https://admin.fedoraproject.org/updates/couchdb-1.0.2-1.fc14
 https://admin.fedoraproject.org/updates/tor-0.2.1.29-1400.fc14
 https://admin.fedoraproject.org/updates/exim-4.72-2.fc14


The following Fedora 14 Critical Path updates have yet to be approved:

 https://admin.fedoraproject.org/updates/lua-5.1.4-7.fc14
 https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-31.fc14
 https://admin.fedoraproject.org/updates/livecd-tools-14.2-1.fc14
 https://admin.fedoraproject.org/updates/librsvg2-2.32.0-3.fc14
 https://admin.fedoraproject.org/updates/mobile-broadband-provider-info-1.20110218-1.fc14
 https://admin.fedoraproject.org/updates/elfutils-0.152-1.fc14
 https://admin.fedoraproject.org/updates/dosfstools-3.0.9-5.fc14
 https://admin.fedoraproject.org/updates/xorg-x11-drv-geode-2.11.11-4.fc14
 https://admin.fedoraproject.org/updates/openldap-2.4.23-8.fc14
 https://admin.fedoraproject.org/updates/dmidecode-2.11-1.fc14


The following builds have been pushed to Fedora 14 updates-testing

    asterisk-1.6.2.16.2-1.fc14
    cinepaint-0.25.0-0.1.fc14
    erlang-cluster_info-0.1.0-0.3.20101229gitd077716.fc14
    festival-1.96-18.fc14
    kde-plasma-networkmanagement-0.9-0.35.20110221.fc14
    libscs-1.4.1-4.fc14
    libst2205-1.4.3-2.fc14
    pidgin-2.7.10-1.fc14
    q-7.11-8.fc14
    rear-1.10.0-1.fc14
    serdisplib-1.97.9-1.fc14
    sssd-1.5.1-9.fc14
    system-config-printer-1.2.7-2.fc14

Details about builds:


================================================================================
 asterisk-1.6.2.16.2-1.fc14 (FEDORA-2011-1975)
 The Open Source PBX
--------------------------------------------------------------------------------
Update Information:

Asterisk Project Security Advisory - AST-2011-002

Product             Asterisk
Summary             Multiple array overflow and crash vulnerabilities in UDPTL code
Nature of Advisory  Exploitable Stack and Heap Array Overflows
Susceptibility      Remote Unauthenticated Sessions
Severity            Critical
Exploits Known      No
Reported On         January 27, 2011
Reported By         Matthew Nicholson
Posted On           February 21, 2011
Last Updated On     February 21, 2011
Advisory Contact    Matthew Nicholson <mnicholson@xxxxxxxxxx>
CVE Name

Description  When decoding UDPTL packets, multiple stack and heap based arrays
             can be made to overflow by specially crafted packets. Systems doing
             T.38 pass through or termination are vulnerable.

Resolution   The UDPTL decoding routines have been modified to respect the
             limits of exploitable arrays.

             In asterisk versions not containing the fix for this issue,
             disabling T.38 support will prevent this vulnerability from being
             exploited. T.38 support can be disabled in chan_sip by setting the
             t38pt_udptl option to "no" (it is off by default).

             t38pt_udptl = no

             The chan_ooh323 module should also be disabled by adding the
             following line in modules.conf.

             noload => chan_ooh323

Affected Versions
Product                     Release Series
Asterisk Open Source        1.4.x            All versions
Asterisk Open Source        1.6.x            All versions
Asterisk Business Edition   C.x.x            All versions
AsteriskNOW                 1.5              All versions
s800i (Asterisk Appliance)  1.2.x            All versions

Corrected In
Product                     Release
Asterisk Open Source        1.4.39.2, 1.6.1.22, 1.6.2.16.2, 1.8.2.4
Asterisk Business Edition   C.3.6.3

Patches
URL                                                                 Branch
http://downloads.asterisk.org/pub/security/AST-2011-002-1.4.diff    1.4
http://downloads.asterisk.org/pub/security/AST-2011-002-1.6.1.diff  1.6.1
http://downloads.asterisk.org/pub/security/AST-2011-002-1.6.2.diff  1.6.2
http://downloads.asterisk.org/pub/security/AST-2011-002-1.8.diff    1.8

Links

Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version
will be posted at http://downloads.digium.com/pub/security/AST-2011-002.pdf and
http://downloads.digium.com/pub/security/AST-2011-002.html

Revision History
Date      Editor             Revisions Made
02/21/11  Matthew Nicholson  Initial Release

Asterisk Project Security Advisory - AST-2011-002
Copyright (c) 2011 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
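As an added illustration of the bug class the advisory describes (this is example code, not Asterisk's udptl.c, which is not reproduced here), the following C shows a length-prefixed decoder in the pre-fix shape, where the copy length and the array index come straight from the packet, next to the fixed shape, where the destination array's own limit and the remaining packet length bound every copy and index. The wire layout (2-byte sequence number, a 1-byte length-prefixed primary IFP packet, a 1-byte secondary count, then length-prefixed secondary packets), the sizes IFP_MAX and SECONDARY_MAX, the function names and the sample packets are all assumptions made for the example; real UDPTL is ASN.1 PER-encoded per ITU-T T.38.

```c
/* Added example of the bug class behind AST-2011-002 in a toy UDPTL-like
 * decoder; this is NOT Asterisk's udptl.c. Wire layout, array sizes, names and
 * sample packets are assumptions for the illustration (real UDPTL per T.38 is
 * ASN.1 PER-encoded):
 *   seq(2) | plen(1) primary[plen] | nsec(1) | { slen(1) secondary[slen] } x nsec */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IFP_MAX       64  /* assumed fixed buffer for one IFP packet */
#define SECONDARY_MAX  3  /* assumed fixed array of error-recovery packets */

struct ifp { uint8_t data[IFP_MAX]; size_t len; };
struct udptl_pkt {
    uint16_t   seq;
    struct ifp primary;
    size_t     nsecondary;
    struct ifp secondary[SECONDARY_MAX];
};

/* Copy one length-prefixed field from p[0..avail) into *out; returns bytes
 * consumed or -1. checked==0 is the unsafe pattern: the wire length alone
 * sizes the memcpy, so a crafted packet overruns out->data (stack or heap,
 * depending on where *out lives) and reads past the datagram. checked==1 is
 * the fix: the destination bound and the remaining packet length cap it. */
static int read_ifp(const uint8_t *p, size_t avail, struct ifp *out, int checked)
{
    if (avail < 1) return -1;
    size_t len = p[0];
    if (checked && (len > IFP_MAX || len > avail - 1))
        return -1;
    memcpy(out->data, p + 1, len);  /* unchecked: overflow when len > IFP_MAX */
    out->len = len;
    return (int)(1 + len);
}

/* Decode a packet via the unsafe (checked=0) or hardened (checked=1) path. */
int udptl_decode(const uint8_t *pkt, size_t pktlen, struct udptl_pkt *out, int checked)
{
    if (pktlen < 2) return -1;
    out->seq = (uint16_t)((pkt[0] << 8) | pkt[1]);
    size_t pos = 2;
    int n = read_ifp(pkt + pos, pktlen - pos, &out->primary, checked);
    if (n < 0) return -1;
    pos += (size_t)n;
    if (pos >= pktlen) return -1;
    out->nsecondary = pkt[pos++];
    /* The count indexes a fixed array: unchecked, a count above
     * SECONDARY_MAX writes past out->secondary[]. */
    if (checked && out->nsecondary > SECONDARY_MAX) return -1;
    for (size_t i = 0; i < out->nsecondary; i++) {
        n = read_ifp(pkt + pos, pktlen - pos, &out->secondary[i], checked);
        if (n < 0) return -1;
        pos += (size_t)n;
    }
    return 0;
}

/* Constructed sample packets, not captured traffic. */
static const uint8_t benign_pkt[]    = { 0x00, 0x2a, 0x03, 'a', 'b', 'c', 0x01, 0x02, 'x', 'y' };
static const uint8_t oversized_pkt[] = { 0x00, 0x2b, 0xc8, 'a', 'b', 'c', 0x01, 0x02, 'x', 'y' }; /* plen 200 > 64 */
static const uint8_t too_many_pkt[]  = { 0x00, 0x2c, 0x01, 'q', 0x09, 0x00, 0x00, 0x00 };           /* nsec 9 > 3 */

/* 1 if both paths decode the benign packet to the same correct fields. */
int demo_benign(void)
{
    struct udptl_pkt a, b;
    if (udptl_decode(benign_pkt, sizeof benign_pkt, &a, 0) != 0) return 0;
    if (udptl_decode(benign_pkt, sizeof benign_pkt, &b, 1) != 0) return 0;
    return a.seq == 42 && b.seq == 42 && b.primary.len == 3
        && memcmp(b.primary.data, "abc", 3) == 0 && b.nsecondary == 1
        && b.secondary[0].len == 2 && memcmp(b.secondary[0].data, "xy", 2) == 0;
}

/* Hardened path on the crafted packets: must refuse (-1) rather than overrun. */
int demo_oversized_checked(void)
{
    struct udptl_pkt p;
    return udptl_decode(oversized_pkt, sizeof oversized_pkt, &p, 1);
}
int demo_too_many_checked(void)
{
    struct udptl_pkt p;
    return udptl_decode(too_many_pkt, sizeof too_many_pkt, &p, 1);
}

int main(void)
{
    printf("benign, both paths: %s\n", demo_benign() ? "ok" : "FAIL");
    printf("oversized primary, hardened: %d\n", demo_oversized_checked());   /* -1 */
    printf("too many secondaries, hardened: %d\n", demo_too_many_checked()); /* -1 */
    /* The unchecked path is deliberately never run on the crafted packets:
     * doing so is the memory corruption the advisory describes. */
    return 0;
}
```

The two crafted packets exercise the two distinct bounds the advisory's resolution refers to: a length that exceeds the destination buffer, and a count that exceeds the array it indexes. On an unpatched build the same inputs reach the memcpy and the array write unchecked, which is why the advisory's workaround is to keep the decoder unreachable (t38pt_udptl = no, chan_ooh323 not loaded) until the fixed release is installed.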
--------------------------------------------------------------------------------
ChangeLog:

* Mon Feb 21 2011 <jeff@xxxxxxxxxx> - 1.6.2.16.2-1
- Asterisk Project Security Advisory - AST-2011-002
--------------------------------------------------------------------------------


================================================================================
 cinepaint-0.25.0-0.1.fc14 (FEDORA-2011-1960)
 CinePaint is a tool for manipulating images
--------------------------------------------------------------------------------
Update Information:

Lot of bug-fixes and enhancements.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Feb 21 2011 Nicolas Chauvet <kwizart@xxxxxxxxx> - 0.25.0-0.1
- Update to pre 0.25
--------------------------------------------------------------------------------


================================================================================
 erlang-cluster_info-0.1.0-0.3.20101229gitd077716.fc14 (FEDORA-2011-1965)
 Cluster info/postmortem inspector for Erlang applications
--------------------------------------------------------------------------------
Update Information:

* Initial build
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #671884 - Review Request: erlang-cluster_info - Cluster info/postmortem inspector for Erlang applications
        https://bugzilla.redhat.com/show_bug.cgi?id=671884
--------------------------------------------------------------------------------


================================================================================
 festival-1.96-18.fc14 (FEDORA-2011-1966)
 Speech synthesis and text-to-speech system
--------------------------------------------------------------------------------
Update Information:

Fix header paths.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Feb 22 2011 Tim Niemueller <tim@xxxxxxxxxxxxx> - 1.96-18
- Fix install paths of speech_tools includes (rhbz #242607)
* Tue Feb 8 2011 Fedora Release Engineering <rel-eng@xxxxxxxxxxxxxxxxxxxxxxx> - 1.96-17
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #242607 - Build with festival error.
        https://bugzilla.redhat.com/show_bug.cgi?id=242607
--------------------------------------------------------------------------------


================================================================================
 kde-plasma-networkmanagement-0.9-0.35.20110221.fc14 (FEDORA-2011-1969)
 NetworkManager KDE 4 integration
--------------------------------------------------------------------------------
Update Information:

New snapshot includes translation fixes as well as many other small bug fixes.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Feb 21 2011 Rex Dieter <rdieter@xxxxxxxxxxxxxxxxx> 1:0.9-0.35.20110221
- 20110221 snapshot
* Thu Feb 17 2011 Rex Dieter <rdieter@xxxxxxxxxxxxxxxxx> 1:0.9-0.34.20110217
- 20110217 snapshot (with translations)
* Mon Feb 7 2011 Fedora Release Engineering <rel-eng@xxxxxxxxxxxxxxxxxxxxxxx> - 1:0.9-0.33.20110106
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
* Thu Jan 6 2011 Rex Dieter <rdieter@xxxxxxxxxxxxxxxxx> 1:0.9-0.32.20110106
- 20110106 snapshot (sans translations for now)
* Wed Nov 17 2010 Rex Dieter <rdieter@xxxxxxxxxxxxxxxxx> 1:0.9-0.31.20101117
- 20101117 snapshot
- "Always ask for password" does not work (#582933,kde#244416)
* Tue Nov 9 2010 Rex Dieter <rdieter@xxxxxxxxxxxxxxxxx> 1:0.9-0.30.20101105
- move shared bits to main pkg
- -libs: Requires: %name
* Tue Nov 9 2010 Rex Dieter <rdieter@xxxxxxxxxxxxxxxxx> 1:0.9-0.29.20101105
- 20101105 snapshot
- use kde-plasma-networkmangement-* subpkg names
- drop monolithic/knm bits
* Fri Oct 22 2010 Rex Dieter <rdieter@xxxxxxxxxxxxxxxxx> 1:0.9-0.28.20101011.2
- rebuild for kde-4.5
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #651223 - applet always says cable is unplugged, cannot update configuration
        https://bugzilla.redhat.com/show_bug.cgi?id=651223
  [ 2 ] Bug #651310 - kded4 always crashes on resume
        https://bugzilla.redhat.com/show_bug.cgi?id=651310
  [ 3 ] Bug #677339 - knetworkmanager lists garbage in the Connections-list (after suspend/resume)
        https://bugzilla.redhat.com/show_bug.cgi?id=677339
--------------------------------------------------------------------------------


================================================================================
 libscs-1.4.1-4.fc14 (FEDORA-2011-1976)
 Software Carry-Save Multiple-Precision Library
--------------------------------------------------------------------------------
Update Information:

Initial package
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #678774 - Review Request: libscs - Software Carry-Save Multiple-Precision Library
        https://bugzilla.redhat.com/show_bug.cgi?id=678774
--------------------------------------------------------------------------------


================================================================================
 libst2205-1.4.3-2.fc14 (FEDORA-2011-1963)
 Library for accessing the display of hacked st2205 photo frames
--------------------------------------------------------------------------------
Update Information:

libst2205 is a new Fedora package.

Description:
It is possible to flash digital photo frames with the st2205 chip-sets with a
modified firmware, which allows one to display real time images on the display
of the frame from a PC. This package contains a library for accessing the
display from the PC, for st2205 frames with the hacked firmware.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #678887 - Review Request: libst2205 - Library for accessing the display of hacked st2205 photo frames
        https://bugzilla.redhat.com/show_bug.cgi?id=678887
--------------------------------------------------------------------------------


================================================================================
 pidgin-2.7.10-1.fc14 (FEDORA-2011-1959)
 A Gtk+ based multiprotocol instant messaging client
--------------------------------------------------------------------------------
Update Information:

New release 2.7.10

Upstream ChangeLog: http://developer.pidgin.im/wiki/ChangeLog
--------------------------------------------------------------------------------
ChangeLog:

* Tue Feb 22 2011 Stu Tomlinson <stu@xxxxxxxxxxxxx> 2.7.10-1
- 2.7.10
* Wed Feb 9 2011 Fedora Release Engineering <rel-eng@xxxxxxxxxxxxxxxxxxxxxxx> - 2.7.9-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
* Tue Feb 1 2011 Milan Crha <mcrha@xxxxxxxxxx> 2.7.9-3
- Rebuild against newer evolution-data-server
* Wed Jan 12 2011 Milan Crha <mcrha@xxxxxxxxxx> 2.7.9-2
- Rebuild against newer evolution-data-server
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #676569 - pidgin-2.7.10 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=676569
--------------------------------------------------------------------------------


================================================================================
 q-7.11-8.fc14 (FEDORA-2011-1967)
 Equational programming language
--------------------------------------------------------------------------------
Update Information:

Rebuilt against system libltdl.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Feb 22 2011 Gérard Milmeister <gemi@xxxxxxxxxx> - 7.11-8
- Rebuild against system libltdl
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #537941 - CVE-2009-3736 libtool: libltdl may load and execute code from a library in the current directory
        https://bugzilla.redhat.com/show_bug.cgi?id=537941
--------------------------------------------------------------------------------


================================================================================
 rear-1.10.0-1.fc14 (FEDORA-2011-1970)
 Relax and Recover (ReaR) is a Linux Disaster Recovery framework
--------------------------------------------------------------------------------
Update Information:

release 1.10.0 fixes the upgrade problems from 1.7.26.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Feb 21 2011 Gratien D'haese <gdha at sourceforge.net> - 1.10.0
- new release
--------------------------------------------------------------------------------


================================================================================
 serdisplib-1.97.9-1.fc14 (FEDORA-2011-1974)
 Library to drive serial displays with built-in controllers
--------------------------------------------------------------------------------
Update Information:

serdisplib is a new Fedora package.

Description:
serdisplib started as a library to drive serial displays with built-in
controllers. Beginning with version 1.95, support was added for parallel driven
displays; the name 'serdisplib' will not change anyhow. The "serial" in "serial
display" characterizes the way the data is transferred to the display
controller: data is sent bit by bit using a single input line, and a few other
lines control things like timing (clock), data or command, ...
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #678889 - Review Request: serdisplib - Library to drive serial displays with built-in controllers
        https://bugzilla.redhat.com/show_bug.cgi?id=678889
--------------------------------------------------------------------------------


================================================================================
 sssd-1.5.1-9.fc14 (FEDORA-2011-1962)
 System Security Services Daemon
--------------------------------------------------------------------------------
Update Information:

Fixes a bug where initgroups() calls would sometimes not remove users from
groups they no longer belonged to.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Feb 21 2011 Stephen Gallagher <sgallagh@xxxxxxxxxx> - 1.5.1-9
- Fix build against older libldb
* Mon Feb 21 2011 Stephen Gallagher <sgallagh@xxxxxxxxxx> - 1.5.1-8
- Resolves: rhbz#677768 - name service caches names, so id command shows
  recently deleted users
* Fri Feb 11 2011 Stephen Gallagher <sgallagh@xxxxxxxxxx> - 1.5.1-7
- Ensure that SSSD builds against libldb-1.0.0 on F15 and later
- Remove .la for memberOf
* Fri Feb 11 2011 Stephen Gallagher <sgallagh@xxxxxxxxxx> - 1.5.1-6
- Fix memberOf install path
* Fri Feb 11 2011 Stephen Gallagher <sgallagh@xxxxxxxxxx> - 1.5.1-5
- Add support for libldb 1.0.0
* Wed Feb 9 2011 Fedora Release Engineering <rel-eng@xxxxxxxxxxxxxxxxxxxxxxx> - 1.5.1-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
--------------------------------------------------------------------------------


================================================================================
 system-config-printer-1.2.7-2.fc14 (FEDORA-2011-1206)
 A printer administration tool
--------------------------------------------------------------------------------
Update Information:

New upstream release that fixes several bugs.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Feb 22 2011 Tim Waugh <twaugh@xxxxxxxxxx> - 1.2.7-2
- Applied upstream fix for dnssdresolve traceback (bug #678961).
* Wed Feb 9 2011 Jiri Popelka <jpopelka@xxxxxxxxxx> 1.2.7-1
- 1.2.7:
  - Handle failure to connect in PrinterURIIndex (bug #668568).
  - Fixed bugs in gtk_label_autowrap.py (bug #637829).
  - Improvements for DNS-SD support from Till Kamppeter
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #637829 - Display artifacts in PPD change confirmation dialog
        https://bugzilla.redhat.com/show_bug.cgi?id=637829
  [ 2 ] Bug #668568 - [abrt] system-config-printer-1.2.95-4.fc15: jobviewer.py:71:__init__:RuntimeError: failed to connect to server
        https://bugzilla.redhat.com/show_bug.cgi?id=668568
  [ 3 ] Bug #678961 - [abrt] system-config-printer-1.2.7-1.fc14: dnssdresolve.py:99:_reply:KeyError: (dbus.String(u'Canon iP90 @ Chris Hanes\u2019s iMac (625)'), dbus.String(u'_ipp._tcp'), dbus.String(u'local'))
        https://bugzilla.redhat.com/show_bug.cgi?id=678961
--------------------------------------------------------------------------------

-- 
test mailing list
test@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe: https://admin.fedoraproject.org/mailman/listinfo/test