EPEL Fedora 5 updates-testing report

updates at fedoraproject.org
Sat Jun 8 18:40:39 UTC 2013


The following Fedora EPEL 5 Security updates need testing:
 Age  URL
 412  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2012-5630/bugzilla-3.2.10-5.el5
 307  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2012-6608/Django-1.1.4-2.el5
 113  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-0366/openconnect-4.08-1.el5
  46  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-5517/git-1.8.2.1-1.el5
  14  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-5968/transifex-client-0.9-1.el5
  10  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-5990/mod_security-2.6.8-4.el5
  10  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-5991/cgit-0.9.2-1.el5
  10  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-5996/socat-1.7.2.2-1.el5
   6  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-6047/nrpe-2.14-3.el5
   3  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-6086/libguestfs-1.20.8-1.el5
   2  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-6089/ssmtp-2.61-20.el5
   0  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-10388/perl-Module-Signature-0.73-1.el5
   0  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-10389/rrdtool-1.2.27-4.el5


The following builds have been pushed to Fedora EPEL 5 updates-testing

    perl-Module-Signature-0.73-1.el5
    python-virtualenv-1.7.2-2.el5
    rrdtool-1.2.27-4.el5

Details about builds:


================================================================================
 perl-Module-Signature-0.73-1.el5 (FEDORA-EPEL-2013-10388)
 CPAN signature management utilities and modules
--------------------------------------------------------------------------------
Update Information:

This update ensures that digest modules are only loaded from absolute paths in @INC, avoiding a potential arbitrary code execution problem (CVE-2013-2145).

There are also a variety of internal package clean-ups.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Jun  7 2013 Paul Howarth <paul at city-fan.org> - 0.73-1
- Update to 0.73
  - Support for gpg under these alternate names: gpg gpg2 gnupg gnupg2
  - Don't check gpg version if gpg does not exist
  - Constrain the user-specified digest name to /^\w+\d+$/
  - Only allow loading Digest::* from absolute paths in @INC (CVE-2013-2145)
- This release by AUDREYT -> update source URL
- Include Andreas Koenig's GPG key in the SRPM and import it in %prep so
  that we don't need to get it from a keyserver in %check
- Make building non-interactive
- Specify all dependencies
- Don't need to remove empty directories from the buildroot
- Drop %defattr, redundant since rpm 4.4
- Use %{_fixperms} macro rather than our own chmod incantation
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #971096 - CVE-2013-2145 perl-Module-Signature: arbitrary code execution when verifying SIGNATURE
        https://bugzilla.redhat.com/show_bug.cgi?id=971096
--------------------------------------------------------------------------------


================================================================================
 python-virtualenv-1.7.2-2.el5 (FEDORA-EPEL-2013-10396)
 Tool to create isolated Python environments
--------------------------------------------------------------------------------
Update Information:

* Switch to an older version of virtualenv because the 1.9.x branch doesn't work with python-2.4
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #969395 - virtualenv does not work anymore because Python 2.4 support was dropped in virtualenv 1.9
        https://bugzilla.redhat.com/show_bug.cgi?id=969395
--------------------------------------------------------------------------------


================================================================================
 rrdtool-1.2.27-4.el5 (FEDORA-EPEL-2013-10389)
 Round Robin Database Tool to store and display time-series data
--------------------------------------------------------------------------------
Update Information:

This update adds an explicit check to the imginfo format. It may prevent crashes or exploitation of user-space applications that pass a user-supplied format to the library call without checking it.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #969311 - CVE-2013-2131 rrdtool: crashes on format string exploit [epel-5]
        https://bugzilla.redhat.com/show_bug.cgi?id=969311
--------------------------------------------------------------------------------


