EPEL Fedora 5 updates-testing report

updates at fedoraproject.org
Tue May 28 19:38:48 UTC 2013


The following Fedora EPEL 5 Security updates need testing:
 Age  URL
 401  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2012-5630/bugzilla-3.2.10-5.el5
 296  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2012-6608/Django-1.1.4-2.el5
 102  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-0366/openconnect-4.08-1.el5
  35  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-5517/git-1.8.2.1-1.el5
  14  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-5799/python-virtualenv-1.9.1-1.el5
   3  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-5968/transifex-client-0.9-1.el5
   0  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-5990/mod_security-2.6.8-4.el5
   0  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-5991/cgit-0.9.2-1.el5
   0  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-5996/socat-1.7.2.2-1.el5


The following builds have been pushed to Fedora EPEL 5 updates-testing

    cgit-0.9.2-1.el5
    mod_security-2.6.8-4.el5
    socat-1.7.2.2-1.el5

Details about builds:


================================================================================
 cgit-0.9.2-1.el5 (FEDORA-EPEL-2013-5991)
 A fast web interface for git
--------------------------------------------------------------------------------
Update Information:

A directory traversal vulnerability was discovered in cgit. By default, cgit is not affected. However, if cgit is configured to use a readme file from a filesystem path instead of from the git repo itself, then files outside of the repository can be read.

Refer to the discussion on oss-security for further details:

http://www.openwall.com/lists/oss-security/2013/05/25/3
--------------------------------------------------------------------------------
ChangeLog:

* Mon May 27 2013 Todd Zullinger <tmz at pobox.com> - 0.9.2-1
- Update to 0.9.2, fixes CVE-2013-2117
* Wed Feb 13 2013 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 0.9.1-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
* Wed Nov 21 2012 Kevin Fenzi <kevin at scrye.com> 0.9.1-3
- Fixed ldflags. Fixes bug 878611
* Sat Nov 17 2012 Kevin Fenzi <kevin at scrye.com> 0.9.1-2
- Add patch to use correct version of highlight for all branches except epel5
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #967346 - CVE-2013-2117 cgit: directory traversal
        https://bugzilla.redhat.com/show_bug.cgi?id=967346
--------------------------------------------------------------------------------


================================================================================
 mod_security-2.6.8-4.el5 (FEDORA-EPEL-2013-5990)
 Security module for the Apache HTTP Server
--------------------------------------------------------------------------------
Update Information:

Fix NULL pointer dereference (DoS, crash) (CVE-2013-2765).
--------------------------------------------------------------------------------
ChangeLog:

* Tue May 28 2013 Athmane Madjoudj <athmane at fedoraproject.org> 2.6.8-4
- Fix NULL pointer dereference (DoS, crash) (CVE-2013-2765) (RHBZ #967615)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #967615 - mod_security: NULL pointer dereference (DoS, crash) when forceRequestBodyVariable action triggered and unknown Content-Type was used
        https://bugzilla.redhat.com/show_bug.cgi?id=967615
--------------------------------------------------------------------------------


================================================================================
 socat-1.7.2.2-1.el5 (FEDORA-EPEL-2013-5996)
 Bidirectional data relay between two data channels ('netcat++')
--------------------------------------------------------------------------------
Update Information:

Fix for CVE-2013-3571: Denial of service due to file descriptor leak
--------------------------------------------------------------------------------
ChangeLog:

* Mon May 27 2013 Paul Wouters <pwouters at redhat.com> - 1.7.2.2-1
- Updated to 1.7.2.2 for CVE-2013-3571, rhbz#967540
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #967345 - CVE-2013-3571 socat: Denial of service due to file descriptor leak
        https://bugzilla.redhat.com/show_bug.cgi?id=967345
--------------------------------------------------------------------------------


