[EPEL-devel] Fedora EPEL 6 updates-testing report

updates at fedoraproject.org
Thu Feb 5 19:02:54 UTC 2015


The following Fedora EPEL 6 Security updates need testing:
 Age  URL
 1019  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2012-5620/bugzilla-3.4.14-2.el6
 109  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-3434/pylint-1.3.1-1.el6,python-astroid-1.2.1-2.el6,python-logilab-common-0.62.1-2.el6
  84  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-4008/cross-binutils-2.23.51.0.3-1.el6.1
  72  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-4242/facter-1.6.18-8.el6
  61  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-4485/python-tornado-2.2.1-7.el6
  43  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-4884/mapserver-6.0.4-1.el6
  40  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-4918/dokuwiki-0-0.23.20140929b.el6
  22  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2015-0232/chicken-4.9.0.1-2.el6
  12  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2015-0363/polarssl-1.3.2-4.el6
  12  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2015-0407/seamonkey-2.28-3.ESR_31.4.0.el6
   9  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2015-0436/privoxy-3.0.23-1.el6
   6  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2015-0557/clamav-0.98.6-1.el6
   6  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2015-0560/websvn-2.3.3-8.el6
   5  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2015-0566/pigz-2.3.3-1.el6
   0  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2015-0631/puppetlabs-stdlib-4.5.1-2.20150121git7a91f20.el6
   0  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2015-0644/perl-Gtk2-1.2495-1.el6
   0  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2015-0630/roundcubemail-1.0.5-1.el6
   0  https://admin.fedoraproject.org/updates/FEDORA-EPEL-2015-0641/moodle-2.6.8-1.el6


The following builds have been pushed to Fedora EPEL 6 updates-testing

    RackTables-0.20.10-1.el6
    beakerlib-1.10-2.el6
    minised-1.15-1.el6
    moodle-2.6.8-1.el6
    perl-Crypt-PasswdMD5-1.3-0.6.el6
    perl-Gtk2-1.2495-1.el6
    perl-MCE-1.600-1.el6
    puppetlabs-stdlib-4.5.1-2.20150121git7a91f20.el6
    python-networkx-1.8.1-12.el6
    roundcubemail-1.0.5-1.el6
    s3cmd-1.5.1.2-4.el6

Details about builds:


================================================================================
 RackTables-0.20.10-1.el6 (FEDORA-EPEL-2015-0640)
 A data-center asset management system
--------------------------------------------------------------------------------
Update Information:

Rebase to v0.20.10
Rebase to v0.20.9
--------------------------------------------------------------------------------
ChangeLog:

* Thu Feb  5 2015 Colin Coe <colin.coe at gmail.com> - 0.20.10-1
- Rebase to v0.20.10
* Fri Jan 16 2015 Colin Coe <colin.coe at gmail.com> - 0.20.9-1
- Rebase to v0.20.9
* Fri Jun  6 2014 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 0.20.4-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Fri Aug  2 2013 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 0.20.4-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Thu Jul 18 2013 Petr Pisar <ppisar at redhat.com> - 0.20.4-2
- Perl 5.18 rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1186291 - RackTables-0.20.10 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1186291
  [ 2 ] Bug #977277 - RackTables-0.20.9 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=977277
--------------------------------------------------------------------------------


================================================================================
 beakerlib-1.10-2.el6 (FEDORA-EPEL-2015-0642)
 A shell-level integration testing library
--------------------------------------------------------------------------------
Update Information:

Remount if mounting an already mounted mount point with options.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Feb  4 2015 Dalibor Pospisil <dapospis at redhat.com> - 1.10-2
- remount if mounting already mounted mount point with options,
  fixes bug 1173623
--------------------------------------------------------------------------------


================================================================================
 minised-1.15-1.el6 (FEDORA-EPEL-2015-0629)
 A smaller, cheaper, faster SED implementation
--------------------------------------------------------------------------------
Update Information:

The 1.15 version fixes some Kleene star operator related bugs and
includes some code cleanups.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Jan 20 2015 Christopher Meng <rpm at cicku.me> - 1.15-1
- Update to 1.15
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1150999 - minised-1.15 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1150999
--------------------------------------------------------------------------------


================================================================================
 moodle-2.6.8-1.el6 (FEDORA-EPEL-2015-0641)
 A Course Management System
--------------------------------------------------------------------------------
Update Information:

The following security notifications have now been made public:

==============================================================================
MSA-15-0001: Insufficient access check in LTI module

Description:       Absence of capability check in AJAX backend script could
                   allow any enrolled user to search the list of registered
                   tools
Issue summary:     mod/lti/ajax.php security problems
Severity/Risk:     Minor
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier
                   unsupported versions
Versions fixed:    2.8.2, 2.7.4 and 2.6.7
Reported by:       Petr Skoda
Issue no.:         MDL-47920
CVE identifier:    CVE-2015-0211
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47920

==============================================================================
MSA-15-0002: XSS vulnerability in course request pending approval page

Description:       Course summary on course request pending approval page was
                   displayed to the manager unescaped and could be used for
                   XSS attack
Issue summary:     XSS in course request pending approval page (Privilege
                   Escalation?)
Severity/Risk:     Serious
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier
                   unsupported versions
Versions fixed:    2.8.2, 2.7.4 and 2.6.7
Reported by:       Skylar Kelty
Issue no.:         MDL-48368
Workaround:        Grant permission moodle/course:request only to trusted
                   users
CVE identifier:    CVE-2015-0212
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48368

==============================================================================
MSA-15-0003: CSRF possible in Glossary module

Description:       Two files in the Glossary module lacked a session key check
                   potentially allowing cross-site request forgery
Issue summary:     Multiple CSRF in mod glossary
Severity/Risk:     Serious
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier
                   unsupported versions
Versions fixed:    2.8.2, 2.7.4 and 2.6.7
Reported by:       Ankit Agarwal
Issue no.:         MDL-48106
CVE identifier:    CVE-2015-0213
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48106

==============================================================================
MSA-15-0004: Information leak through messaging functions in web-services

Description:       Through web-services it was possible to access
                   messaging-related functions such as people search even if
                   messaging is disabled on the site
Issue summary:     Messages external functions don't check if messaging is
                   enabled
Severity/Risk:     Minor
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier
                   unsupported versions
Versions fixed:    2.8.2, 2.7.4 and 2.6.7
Reported by:       Juan Leyva
Issue no.:         MDL-48329
Workaround:        Disable web services or disable individual message-related
                   functions
CVE identifier:    CVE-2015-0214
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48329

==============================================================================
MSA-15-0005: Insufficient access check in calendar functions in web-services

Description:       Through web-services it was possible to get information
                   about calendar events which user did not have enough
                   permissions to see
Issue summary:     calendar/externallib.php lacks
                   self::validate_context($context);
Severity/Risk:     Minor
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier
                   unsupported versions
Versions fixed:    2.8.2, 2.7.4 and 2.6.7
Reported by:       Petr Skoda
Issue no.:         MDL-48017
CVE identifier:    CVE-2015-0215
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48017

==============================================================================
MSA-15-0006: Capability to grade Lesson module is missing XSS bitmask

Description:       Users with capability to grade in Lesson module were not
                   reported as users with XSS risk but their feedback was
                   displayed without cleaning
Issue summary:     mod/lesson:grade capability missing RISK_XSS but essay
                   feedback is displayed with noclean=true
Severity/Risk:     Minor
Versions affected: 2.8 to 2.8.1
Versions fixed:    2.8.2
Reported by:       Damyon Wiese
Issue no.:         MDL-48034
CVE identifier:    CVE-2015-0216
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48034

==============================================================================
MSA-15-0007: ReDoS possible in the multimedia filter

Description:       Not optimal regular expression in the filter could be
                   exploited to create extra server load or make particular
                   page unavailable
Issue summary:     ReDOS in the multimedia filter
Severity/Risk:     Serious
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier
                   unsupported versions
Versions fixed:    2.8.2, 2.7.4 and 2.6.7
Reported by:       Nicolas Martignoni
Issue no.:         MDL-48546
Workaround:        Disable multimedia filter
CVE identifier:    CVE-2015-0217
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48546

==============================================================================
MSA-15-0008: Forced logout through Shibboleth authentication plugin

Description:       It was possible to forge a request to logout users even
                   when not authenticated through Shibboleth
Issue summary:     Forced logout via auth/shibboleth/logout.php
Severity/Risk:     Serious
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier
                   unsupported versions
Versions fixed:    2.8.2, 2.7.4 and 2.6.7
Reported by:       Petr Skoda
Issue no.:         MDL-47964
Workaround:        Deny access to file auth/shibboleth/logout.php in webserver
                   configuration
CVE identifier:    CVE-2015-0218
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47964

==============================================================================
--------------------------------------------------------------------------------
ChangeLog:

* Thu Feb  5 2015 Jon Ciesla <limburgher at gmail.com> - 2.6.8-1
- 2.6.8, fix for security issues.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1183695 - CVE-2015-0218 CVE-2015-0212 CVE-2015-0213 CVE-2015-0211 CVE-2015-0216 CVE-2015-0217 CVE-2015-0214 CVE-2015-0215 moodle: new update fixes several security issues [epel-6]
        https://bugzilla.redhat.com/show_bug.cgi?id=1183695
  [ 2 ] Bug #1183694 - CVE-2015-0218 CVE-2015-0212 CVE-2015-0213 CVE-2015-0211 CVE-2015-0216 CVE-2015-0217 CVE-2015-0214 CVE-2015-0215 moodle: new update fixes several security issues [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1183694
--------------------------------------------------------------------------------


================================================================================
 perl-Crypt-PasswdMD5-1.3-0.6.el6 (FEDORA-EPEL-2015-0646)
 Provides interoperable MD5-based crypt() functions
--------------------------------------------------------------------------------
Update Information:

This is a clone of the RHEL-6 perl-Crypt-PasswdMD5 package (with a 0-prefixed release tag to ensure that EL-6 users will get the official EL-6 package rather than the EPEL-6 one). It is provided for the benefit of ppc64 users, as EL-6 does not include perl-Crypt-PasswdMD5 on that architecture.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #783740 - perl-Crypt-PasswdMD5 not available in RHEL 6 PPC64
        https://bugzilla.redhat.com/show_bug.cgi?id=783740
--------------------------------------------------------------------------------


================================================================================
 perl-Gtk2-1.2495-1.el6 (FEDORA-EPEL-2015-0644)
 Perl interface to the 2.x series of the Gimp Toolkit library
--------------------------------------------------------------------------------
Update Information:

Update to 1.2495 to resolve an incorrect memory management issue in Gtk2::Gdk::Display::list_devices, which can potentially lead to arbitrary code execution.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Feb  4 2015 Tom Callaway <spot at fedoraproject.org> - 1.2495-1
- update to 1.2495
* Mon Jan  5 2015 Tom Callaway <spot at fedoraproject.org> - 1.2494-1
- update to 1.2494
* Wed Dec 10 2014 Tom Callaway <spot at fedoraproject.org> - 1.2493-1
- update to 1.2493
* Mon Sep  1 2014 Jitka Plesnikova <jplesnik at redhat.com> - 1.2492-3
- Perl 5.20 rebuild
* Sun Aug 17 2014 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1.2492-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Tue Jul  8 2014 Tom Callaway <spot at fedoraproject.org> - 1.2492-1
- update to 1.2492
* Tue Jun 24 2014 Tom Callaway <spot at fedoraproject.org> - 1.2491-1
- update to 1.2491
* Sat Jun  7 2014 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1.249-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Thu Dec 12 2013 Tom Callaway <spot at fedoraproject.org> - 1.249-1
- update to 1.249
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1188219 - perl-Gtk2: incorrect memory management in Gtk2::Gdk::Display::list_devices
        https://bugzilla.redhat.com/show_bug.cgi?id=1188219
--------------------------------------------------------------------------------


================================================================================
 perl-MCE-1.600-1.el6 (FEDORA-EPEL-2015-0636)
 Many-core Engine for Perl providing parallel processing capabilities
--------------------------------------------------------------------------------
Update Information:

A new enhancement and bugfix release of MCE is available. See http://cpansearch.perl.org/src/MARIOROY/MCE-1.600/CHANGES for the summary of changes in this release.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Feb  4 2015 Petr Šabata <contyk at redhat.com> - 1.600-1
- 1.600 bump
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1188820 - perl-MCE-1.600 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1188820
--------------------------------------------------------------------------------


================================================================================
 puppetlabs-stdlib-4.5.1-2.20150121git7a91f20.el6 (FEDORA-EPEL-2015-0631)
 Puppet Labs Standard Library
--------------------------------------------------------------------------------
Update Information:

Install metadata.json for Puppet to pick stdlib release when "puppet module list" is called
Security fix for CVE-2015-1029
--------------------------------------------------------------------------------
ChangeLog:

* Wed Feb  4 2015 Andrea Veri <averi at fedoraproject.org> - 4.5.1-2.20150121git7a91f20
- Make sure metadata.json gets installed correctly for Puppet to actually
  recognize the module release version. Thanks Simon Lukasik for the patch.
* Wed Jan 21 2015 Andrea Veri <averi at fedoraproject.org> - 4.5.1-1.20150121git7a91f20
- New upstream release. (Fixes CVE-2015-1029, Red Hat's BZ #1182578)
* Sat Jun  7 2014 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 4.2.1-2.20140510git08b00d9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1182578 - CVE-2015-1029 puppetlabs-stdlib: local information leakage and local privilege escalation vulnerability
        https://bugzilla.redhat.com/show_bug.cgi?id=1182578
--------------------------------------------------------------------------------


================================================================================
 python-networkx-1.8.1-12.el6 (FEDORA-EPEL-2015-0634)
 Creates and Manipulates Graphs and Networks
--------------------------------------------------------------------------------
Update Information:

- First version without python-networkx-geo or python-networkx-drawing support
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1189066 - python-networkx EL-6 branch missing
        https://bugzilla.redhat.com/show_bug.cgi?id=1189066
--------------------------------------------------------------------------------


================================================================================
 roundcubemail-1.0.5-1.el6 (FEDORA-EPEL-2015-0630)
 Round Cube Webmail is a browser-based multilingual IMAP client
--------------------------------------------------------------------------------
Update Information:

A cross-site scripting vulnerability has been fixed in Roundcube version 1.0.5.

http://roundcube.net/news/2015/01/24/security-update-1.0.5/
http://trac.roundcube.net/wiki/Changelog#RELEASE1.0.5
http://trac.roundcube.net/ticket/1490227

CVE request: http://www.openwall.com/lists/oss-security/2015/01/31/3
--------------------------------------------------------------------------------
ChangeLog:

* Thu Feb  5 2015 Jon Ciesla <limburgher at gmail.com> - 1.0.5-1
- Fix for security issues.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1188203 - CVE-2015-1433 roundcubemail: cross-site scripting in style attribute handling [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1188203
  [ 2 ] Bug #1188202 - CVE-2015-1433 roundcubemail: cross-site scripting in style attribute handling [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1188202
--------------------------------------------------------------------------------


================================================================================
 s3cmd-1.5.1.2-4.el6 (FEDORA-EPEL-2015-0645)
 Tool for accessing Amazon Simple Storage Service
--------------------------------------------------------------------------------
Update Information:

upstream 1.5.1.2, mostly bug fixes
upstream 1.5.0 final
upstream 1.5.0-rc1
upstream 1.5.0-beta1 plus even newer upstream fixes
upstream 1.5.0-beta1 plus newer upstream fixes
--------------------------------------------------------------------------------
ChangeLog:

* Wed Feb  4 2015 Matt Domsch <mdomsch at fedoraproject.org> - 1.5.1.2-4
- upstream 1.5.1.2, mostly bug fixes
- remove ez_setup, add dependency on python-setuptools
* Mon Jan 12 2015 Matt Domsch <mdomsch at fedoraproject.org> - 1.5.0-1
- upstream 1.5.0 final
* Tue Jul  1 2014 Matt Domsch <mdomsch at fedoraproject.org> - 1.5.0-0.7.rc1
- put back dropped dist tag
* Tue Jul  1 2014 Matt Domsch <mdomsch at fedoraproject.org> - 1.5.0-0.6.rc1
- upstream 1.5.0-rc1
* Sun Jun  8 2014 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1.5.0-0.5.gitb196faa5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Sun Mar 23 2014 Matt Domsch <mdomsch at fedoraproject.org> - 1.5.0-0.4.git
- upstream 1.5.0-beta1 plus even newer upstream fixes
* Sun Feb  2 2014 Matt Domsch <mdomsch at fedoraproject.org> - 1.5.0-0.3.git
- upstream 1.5.0-beta1 plus newer upstream fixes
* Wed May 29 2013 Matt Domsch <mdomsch at fedoraproject.org> - 1.5.0-0.2.gita122d97
- more upstream bugfixes
- drop pyxattr dep, that codepath got dropped in this release
* Mon May 20 2013 Matt Domsch <mdomsch at fedoraproject.org> - 1.5.0-0.1.gitb1ae0fbe
- upstream 1.5.0-alpha3 plus fixes
- add dep on pyxattr for the --xattr option
* Tue Jun 19 2012 Matt Domsch <mdomsch at fedoraproject.org> - 1.1.0-0.4.git11e5755e
- add local MD5 cache
* Mon Jun 18 2012 Matt Domsch <mdomsch at fedoraproject.org> - 1.1.0-0.3.git7de0789d
- parallelize local->remote syncs
* Mon Jun 18 2012 Matt Domsch <mdomsch at fedoraproject.org> - 1.1.0-0.2.gitf881b162
- add hardlink / duplicate file detection support
* Fri Mar  9 2012 Matt Domsch <mdomsch at fedoraproject.org> - 1.1.0-0.1.git2dfe4a65
- build from git for mdomsch patches to s3cmd sync
--------------------------------------------------------------------------------


