Hi,
This mail is in regards to WSA-2015-0002: http://webkitgtk.org/security/WSA-2015-0002.html
In short, we have by my count:
* Zero CVEs affecting the webkitgtk4 package in F23
* 40 CVEs affecting the webkitgtk4 package in F22
* 129 CVEs affecting the webkitgtk and webkitgtk3 packages in F22/F23
The vast majority of these issues allow for "remote attackers to
execute arbitrary code or cause a denial of service (memory corruption
and application crash) via a crafted web site."
My proposal is to update webkitgtk4 in F22 from 2.8.5 to 2.10.4 and
hope that not much breaks. This is probably relatively safe, since
2.10.4 has been in F23 for a while, I'm not aware of any issues related
to the upgrade, and it's API/ABI compatible. 2.8 -> 2.10 is a major
upgrade encompassing six months of development on WebKit trunk (from
February to August 2015). This means there will inevitably be
regressions. Normally I don't advocate large version updates for stable
Fedora releases, but web engines are special in that it's the only
practical way to provide security support. We can't backport 40 patches
to F22, so if we don't do this update, we should instead announce that
security support for webkitgtk4 is provided only to the latest Fedora
release.
Certainly it's not practical to provide security support for the
webkitgtk or webkitgtk3 packages going forward. We can either remove
them from the distro at some flag date (F25 branch point?), or ignore
the problem like we do for qtwebkit. Probably the latter is a better
approach, since there is a lot that still depends on these packages.
'repoquery --whatrequires webkitgtk' says:
atril-0:1.10.2-1.fc23.x86_64
atril-0:1.12.1-1.fc23.x86_64
atril-libs-0:1.10.2-1.fc23.i686
atril-libs-0:1.10.2-1.fc23.x86_64
atril-libs-0:1.12.1-1.fc23.i686
atril-libs-0:1.12.1-1.fc23.x86_64
banshee-0:2.6.2-12.fc23.x86_64
claws-mail-plugins-fancy-0:3.12.0-1.fc23.x86_64
compat-wxGTK3-gtk2-0:3.0.2-5.1.fc23.i686
compat-wxGTK3-gtk2-0:3.0.2-5.1.fc23.x86_64
compat-wxGTK3-gtk2-0:3.0.2-6.fc23.i686
compat-wxGTK3-gtk2-0:3.0.2-6.fc23.x86_64
eclipse-swt-1:4.5.1-1.fc23.x86_64
eclipse-swt-1:4.5.1-6.fc23.x86_64
geany-plugins-devhelp-0:1.24-6.fc23.x86_64
geany-plugins-devhelp-0:1.25-4.fc23.x86_64
geany-plugins-markdown-0:1.24-6.fc23.x86_64
geany-plugins-markdown-0:1.25-4.fc23.x86_64
geany-plugins-webhelper-0:1.24-6.fc23.x86_64
geany-plugins-webhelper-0:1.25-4.fc23.x86_64
ghc-webkit-0:0.13.1.3-1.fc23.x86_64
gimp-2:2.8.14-3.fc23.x86_64
gimp-2:2.8.16-1.fc23.x86_64
gimp-help-browser-2:2.8.14-3.fc23.x86_64
gimp-help-browser-2:2.8.16-1.fc23.x86_64
gmpc-0:11.8.16-9.fc23.x86_64
gnucash-0:2.6.9-1.fc23.x86_64
gphpedit-0:0.9.98-0.10.RC1.fc23.x86_64
guitarix-0:0.34.0-1.fc23.x86_64
gyachi-0:1.2.11-13.fc23.x86_64
jumanji-0:0-5.20111209git963b309.fc23.x86_64
kazehakase-webkit-0:0.5.8-19.svn3873_trunk.fc23.x86_64
lekhonee-gnome-0:0.12-8.fc23.x86_64
midori-0:0.5.10-2.fc23.i686
midori-0:0.5.10-2.fc23.x86_64
midori-0:0.5.11-1.fc23.i686
midori-0:0.5.11-1.fc23.x86_64
osmo-0:0.2.12-0.8.svn924.fc23.1.x86_64
perl-Gtk2-WebKit-0:0.09-13.fc23.x86_64
pywebkitgtk-0:1.1.8-10.fc23.x86_64
surf-0:0.6-5.fc23.x86_64
techne-0:0.2.3-15.fc23.x86_64
webkit-sharp-0:0.3-16.fc23.x86_64
webkitgtk-devel-0:2.4.9-3.fc23.i686
webkitgtk-devel-0:2.4.9-3.fc23.x86_64
webkitgtk-doc-0:2.4.9-3.fc23.noarch
xiphos-gtk2-0:4.0.3-1.fc23.x86_64
xiphos-gtk2-0:4.0.4-1.fc23.x86_64
'repoquery --whatrequires webkitgtk3' says:
balsa-0:2.5.2-2.fc23.x86_64
bijiben-0:3.18.1-1.fc23.x86_64
bijiben-0:3.18.2-1.fc23.x86_64
cairo-dock-plug-ins-webkit-0:3.4.1-4.fc23.x86_64
dwb-0:2014.03.07-4.fc22.x86_64
empathy-0:3.12.11-1.fc23.x86_64
evolution-0:3.18.1-1.fc23.i686
evolution-0:3.18.1-1.fc23.x86_64
evolution-0:3.18.3-1.fc23.i686
evolution-0:3.18.3-1.fc23.x86_64
evolution-bogofilter-0:3.18.1-1.fc23.x86_64
evolution-bogofilter-0:3.18.3-1.fc23.x86_64
evolution-ews-0:3.18.1-1.fc23.x86_64
evolution-ews-0:3.18.3-1.fc23.x86_64
evolution-mapi-0:3.18.0-1.fc23.i686
evolution-mapi-0:3.18.0-1.fc23.x86_64
evolution-mapi-0:3.18.3-1.fc23.i686
evolution-mapi-0:3.18.3-1.fc23.x86_64
evolution-pst-0:3.18.1-1.fc23.x86_64
evolution-pst-0:3.18.3-1.fc23.x86_64
evolution-rss-1:0.3.95-4.fc23.x86_64
evolution-spamassassin-0:3.18.1-1.fc23.x86_64
evolution-spamassassin-0:3.18.3-1.fc23.x86_64
geary-0:0.10.0-3.fc23.x86_64
gnome-web-photo-0:0.10.5-8.fc23.x86_64
gphotoframe-0:2.0.2-1.hg2084299dffb6.fc23.1.noarch
libproxy-webkitgtk3-0:0.4.11-12.fc23.x86_64
liferea-1:1.10.16-1.fc23.x86_64
liferea-1:1.10.17-1.fc23.x86_64
nemo-preview-0:2.6.x-5.fc23.x86_64
nemo-preview-0:2.8.x-2.fc23.x86_64
nuvolaplayer-0:2.5-1.fc22.x86_64
rhythmbox-0:3.2.1-3.fc23.i686
rhythmbox-0:3.2.1-3.fc23.x86_64
rhythmbox-lirc-0:3.2.1-3.fc23.x86_64
rubygem-webkit-gtk-0:3.0.5-1.fc23.noarch
rubygem-webkit-gtk-0:3.0.7-1.fc23.noarch
seed-0:3.8.1-6.fc23.i686
seed-0:3.8.1-6.fc23.x86_64
shotwell-0:0.22.0-5.fc23.x86_64
sugar-browse-0:157.2-1.fc23.noarch
uzbl-core-0:0-0.38.20120514git228bc38cbd.fc23.x86_64
vfrnav-0:20150429-1.fc23.i686
vfrnav-0:20150429-1.fc23.x86_64
webkitgtk3-devel-0:2.4.9-3.fc23.i686
webkitgtk3-devel-0:2.4.9-3.fc23.x86_64
webkitgtk3-doc-0:2.4.9-3.fc23.noarch
wxGTK3-0:3.0.2-8.fc23.i686
wxGTK3-0:3.0.2-8.fc23.x86_64
wxGTK3-0:3.0.2-11.fc23.i686
wxGTK3-0:3.0.2-11.fc23.x86_64
xiphos-gtk3-0:4.0.3-1.fc23.x86_64
xiphos-gtk3-0:4.0.4-1.fc23.x86_64
yelp-2:3.17.2-3.fc23.x86_64
yelp-libs-2:3.17.2-3.fc23.i686
yelp-libs-2:3.17.2-3.fc23.x86_64
Michael
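The two repoquery listings above are NEVRA strings (NAME-EPOCH:VERSION-RELEASE.ARCH), and the same package shows up several times across arches and builds. Added here as an editor's example (not code from the mail or from Fedora tooling): a small parser for that format plus a helper that collapses the output into the set of distinct third-party dependents, which is the number that matters when weighing whether a library can still be retired. The sample lines are copied from the mail; the `webkitgtk-*` subpackage filter is an assumption about how the library's own subpackages are named.

```python
"""Summarise `repoquery --whatrequires LIB` output by distinct dependent name.

Package names may contain hyphens (uzbl-core, evolution-rss), so a NEVRA line
must be split on the epoch marker "-N:" and the *last* "-" and ".", not the
first ones.
"""
import re
import sys
from collections import defaultdict

NEVRA_RE = re.compile(
    r"^(?P<name>.+)-(?P<epoch>\d+):(?P<version>[^-]+)-(?P<release>[^-]+)\.(?P<arch>[^.]+)$"
)


def parse_nevra(line):
    """Split one NEVRA string into its fields; raise on anything else."""
    m = NEVRA_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an NEVRA string: {line!r}")
    return m.groupdict()


def dependents(lines, library):
    """Map each distinct dependent package name to the set of arches seen.

    The library's own subpackages (assumed to be named LIBRARY-*) are skipped,
    since they disappear together with the library and are not consumers.
    """
    by_name = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        pkg = parse_nevra(line)
        if pkg["name"] == library or pkg["name"].startswith(library + "-"):
            continue
        by_name[pkg["name"]].add(pkg["arch"])
    return dict(by_name)


# Constructed sample: a handful of lines taken from the webkitgtk listing above.
SAMPLE = """\
atril-0:1.12.1-1.fc23.x86_64
atril-libs-0:1.12.1-1.fc23.i686
atril-libs-0:1.12.1-1.fc23.x86_64
evolution-rss-1:0.3.95-4.fc23.x86_64
gphotoframe-0:2.0.2-1.hg2084299dffb6.fc23.1.noarch
uzbl-core-0:0-0.38.20120514git228bc38cbd.fc23.x86_64
webkitgtk-devel-0:2.4.9-3.fc23.x86_64
webkitgtk-doc-0:2.4.9-3.fc23.noarch
""".splitlines()

if __name__ == "__main__":
    # Usage: repoquery --whatrequires webkitgtk | python3 this.py webkitgtk
    lib = sys.argv[1] if len(sys.argv) > 1 else "webkitgtk"
    src = sys.stdin if not sys.stdin.isatty() else SAMPLE
    for name, arches in sorted(dependents(src, lib).items()):
        print(f"{name:30s} {', '.join(sorted(arches))}")
```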
= Proposed Self Contained Change: sen - terminal user interface for docker engine =
https://fedoraproject.org/wiki/Changes/sen--tui-for-docker
Change owner(s):
* Tomas Tomecek <ttomecek AT redhat DOT com>
sen enables you to manage your containers and images interactively
directly from the command line. The interface is similar to htop, alot or tig.
== Detailed Description ==
* it can interactively manage your containers and images:
-- manage? start, stop, restart, kill, delete,...
* you are able to inspect containers and images
* sen can fetch logs of containers and even stream logs real-time
* all buffers support searching and filtering
* sen receives real-time updates from docker when anything changes
-- e.g. if you create a container in another terminal, sen will pick it up
* sen notifies you whenever something happens (and reports slow queries)
* supports a lot of vim-like keybindings (j, k, gg, /, ...)
== Scope ==
Proposal owners:
* package sen to Fedora
* provide information that it's available and documentation on how to use
it (maybe via developer portal, or release notes)
Other developers: N/A (not a System Wide Change)
Release engineering: N/A (not a System Wide Change)
List of deliverables: N/A (not a System Wide Change)
Policies and guidelines: N/A (not a System Wide Change)
Trademark approval: N/A (not needed for this Change)
--
Jan Kuřík
Platform & Fedora Program Manager
Red Hat Czech s.r.o., Purkynova 99/71, 612 45 Brno, Czech Republic
_______________________________________________
devel-announce mailing list
devel-announce(a)lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel-announce@lists.fedoraproje…
Planned Outage: Copr upgrade - 2016-01-04 08:00 UTC
There will be an outage starting at 2016-01-04 08:00 UTC, which will last approximately 4 hours.
To convert UTC to your local time, take a look at http://fedoraproject.org/wiki/Infrastructure/UTCHowto or run:
date -d 'YYYY-MM-DD HH:MM UTC'
Reason for outage: Upgrade of Copr backend and Copr frontend to Fedora 23.
Affected Services: copr.fedoraproject.org, copr-be.cloud.fedoraproject.org
Services not listed are not affected by this outage.
Contact Information: msuchy(a)redhat.com
Ticket Link: https://fedorahosted.org/fedora-infrastructure/ticket/5023
Please join #fedora-admin or #fedora-noc on irc.freenode.net or add comments to the ticket for this outage above.
--
Miroslav Suchy, RHCA
Red Hat, Senior Software Engineer, #brno, #devexp, #fedora-buildsys
Greetings,
I've been using Fedora with a "simple" LVM setup with no problems for the last 3 years. Recently I've decided to set up my laptop with LVM on top of LUKS in F23. While migration from the previous setup was relatively painless, I've been noticing issues with shutdown: I consistently observe logs stating failure to properly deactivate the logical volumes and the LUKS device (as reported by others in bug 1097322 [1], which unfortunately has been closed due to EOL). I don't know if they are spurious, which led me to investigate a bit about how things work, and I'm failing to make sense of it.
I've noticed the existence of `blk-availability.service` in systemd. It's a service that does nothing on start, and calls the `blkdeactivate` executable on system shutdown, after the "special block-device" services (LVM, iSCSI, etc) have stopped. `blkdeactivate` is called with the option to umount devices in use. But I don't see how it can ever succeed for the system root: other services will still be shutting down, and systemd's unmounting phase will not have been reached yet. The same might hold true for non-system-root mounts as well, if services that depend on them are in the same situation.
My understanding was that special block-device handling was a task performed by dracut in the initramfs. It does have a shutdown hook called `dm-shutdown.sh` that uses the `dmsetup` executable to remove any device-mapper devices still enabled. I don't see any shutdown hooks for the LVM module, so I assume the DM module also takes care of them. Is my understanding correct?
Wouldn't it be possible to replace the custom DM hook with a call to `blkdeactivate`, and remove the `blk-availability` service from the "normal root" shutdown? Could that possibly work better than the current setup, since `blkdeactivate` claims to be capable of handling nested device-mapper setups, and of using LVM commands in a more intelligent way (for example, deactivating whole volume groups at once)? Shouldn't `blkdeactivate` at least be told not to unmount the root, as it will always fail?
Apologies if I said anything egregiously wrong, and I'd be glad to be corrected in that case.
[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1097322
Thanks and happy holidays,
Daniel Miranda
koschei is reporting build failures for octave with new nss/libsecret on i386
(works on x86_64):
https://apps.fedoraproject.org/koschei/package/octave
scripts/statistics/distributions/unidcdf.m ..................X I/O error
*** Error in `/builddir/build/BUILD/octave-4.0.0/src/.libs/lt-octave-gui':
corrupted double-linked list: 0xecd3bf58 ***
seems a weird error, so perhaps just a coincidence but I'm curious if there
are other issues.
--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion(a)nwra.com
Boulder, CO 80301 http://www.nwra.com