Hi,
This is entirely my fault, and I apologize. Will respond inline and
discuss potential workarounds below. Also cc:ing epel-devel which is
relevant.
On Thu, Nov 17, 2022 at 02:18:48PM +0100, Fabio Valentini wrote:
> On Thu, Nov 17, 2022 at 1:33 PM Bob Mauchin <zebob.m(a)gmail.com> wrote:
> >
> >
> >
> > On Thu, 17 Nov 2022, 10:09 Remi Collet, <Fedora(a)famillecollet.com> wrote:
> >>
> >>
> >> ** Please, manage EPEL-9 like a "stable" branch. **
> >>
> >> soname changes should be avoided,
> >> if not possible (security exception ?) should be properly managed
> >> and, at least, announced
> >>
That is indeed the policy:
https://docs.fedoraproject.org/en-US/epel/epel-policy-incompatible-upgrades/
and I should have posted an announcement before putting up an update.
> >
> > Those are my packages but I don't recall authoring such changes? I remember considering dav1d 1.0.0 for EPEL9 but didn't do so because of the dependency nightmare.
>
> I assume the dav1d 1.0.0 update was accidentally merged from Fedora
> when building dependencies for rav1e.
> I've pinged salimma on IRC / Matrix about this, he pushed these changes.
>
Indeed. When bringing up rust-rav1e, I did not notice the strict version
dependency between rust-dav1d and dav1d until most of the rest had been built.
This was the first mistake; had that been caught earlier I would have
tried building an older version of rust-dav1d and other crates depending
on it.
In EPEL itself only libavif uses it, which in turn is only used by
kf5-kimageformats, which has a planned update going out soon, so between
just rebuilding libavif or also rebasing it, it seems to be a good time
to also update it: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-385df27ee1
Now this brings up two questions; I'll start with the more immediate
one.
## Since the dav1d update is already out, what's the best path
forward?
- I can package a dav1d092 compatibility package to provide
libdav1d.so.5
- I can also package a compatibility libavif package, but against which
dav1d?
- rebuild rpmfusion dependents against dav1d 1.0 and libavif 0.11
## How do we better address (Fedora, EPEL) <=> RPM Fusion dependencies?
On the Fedora side there is nothing currently that officially considers
RPM Fusion (beyond the few allowlisted subsets like the Nvidia drivers).
Amending the incompatible update policy to mention RPM Fusion is
probably a no-go, but maybe mentioning "consider testing against
well-known and popular third party repos" is doable?
Best regards,
--
Michel Alexandre Salim
identities: https://keyoxide.org/5dce2e7e9c3b1cffd335c1d78b229d2f7ccc04f2
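The check behind the "soname change should be avoided" point above, as an added example that is not code from the thread or from Fedora/EPEL tooling: compare the ELF sonames two builds of a package provide before an update goes to a stable branch. It assumes the input is the output of `rpm -qp --provides` for each build; the sample provides lists are constructed, and the new soname `libdav1d.so.6` and the version strings are assumed, not taken from the thread.

```shell
#!/bin/sh
# Added example: detect sonames that a new build drops relative to the old one,
# which is exactly what breaks dependents (here: libavif, and RPM Fusion packages)
# when an update like dav1d 0.9.2 -> 1.0.0 lands in a "stable" branch.

# sonames FILE: keep library provides such as libdav1d.so.5()(64bit), reduce them
# to the bare soname and sort them so `comm` can diff the two lists.
sonames() {
  grep -E '^lib[^ ]*\.so\.[0-9]' "$1" | sed 's/(.*//' | sort -u
}

# soname_dropped OLD NEW: print every soname OLD provides that NEW no longer does.
# Returns 1 when something was dropped (incompatible upgrade), 0 when nothing was.
soname_dropped() {
  tmp_old=$(mktemp) && tmp_new=$(mktemp) || return 2
  sonames "$1" > "$tmp_old"
  sonames "$2" > "$tmp_new"
  dropped=$(comm -23 "$tmp_old" "$tmp_new")
  rm -f "$tmp_old" "$tmp_new"
  [ -n "$dropped" ] || return 0
  printf '%s\n' "$dropped"
  return 1
}

# Constructed sample input (not real rpm output): the old build provides
# libdav1d.so.5 as in the thread; the new one is assumed to provide libdav1d.so.6.
SAMPLE_DIR=${TMPDIR:-/tmp}
cat > "$SAMPLE_DIR/dav1d-old.provides" <<'EOF'
dav1d = 0.9.2-1.el9
libdav1d.so.5()(64bit)
libdav1d.so.5(LIBDAV1D_0_0_1)(64bit)
EOF
cat > "$SAMPLE_DIR/dav1d-new.provides" <<'EOF'
dav1d = 1.0.0-1.el9
libdav1d.so.6()(64bit)
EOF

# Demo run: prints "libdav1d.so.5" and takes the else branch.
if soname_dropped "$SAMPLE_DIR/dav1d-old.provides" "$SAMPLE_DIR/dav1d-new.provides"; then
  echo "no soname dropped: safe for a stable branch"
else
  echo "soname(s) dropped: needs a compat package and an announcement"
fi
```

For a real check, replace the two sample files with `rpm -qp --provides old.rpm > old` and the same for the new build.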
The following Fedora EPEL 7 Security updates need testing:
Age URL
6 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-4d30ee90cd nginx-1.20.1-10.el7
3 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-a06d5c7af1 js-jquery-ui-1.13.2-1.el7
1 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-d6012d25d2 drupal7-link-1.11-1.el7
1 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-aa5b185b7b drupal7-context-3.11-1.el7
The following builds have been pushed to Fedora EPEL 7 updates-testing
heimdal-7.7.1-1.el7
ntfs-3g-2022.10.3-1.el7
rsnapshot-1.4.4-1.el7
Details about builds:
================================================================================
heimdal-7.7.1-1.el7 (FEDORA-EPEL-2022-30fd5a80a8)
A Kerberos 5 implementation without export restrictions
--------------------------------------------------------------------------------
Update Information:
This release fixes the following Security Vulnerabilities:
* CVE-2022-42898 PAC parse integer overflows
* CVE-2022-3437 Overflows and non-constant time leaks in DES{,3} and arcfour
* CVE-2022-41916 Fix Unicode normalization read of 1 byte past end of array
* CVE-2021-44758 NULL dereference DoS in SPNEGO acceptors
* CVE-2021-3671 A null pointer de-reference when handling missing sname in TGS-REQ
* CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec
Note that CVE-2022-44640 is a severe vulnerability, possibly a 10.0 on the Common
Vulnerability Scoring System (CVSS) v3.
--------------------------------------------------------------------------------
ChangeLog:
* Wed Nov 16 2022 Alexander Boström <abo(a)root.snowtree.se> - 7.7.1-1
- Update to 7.7.1
- Remove upstreamed patch
- Replace patch with sed command
* Thu Jul 21 2022 Fedora Release Engineering <releng(a)fedoraproject.org> - 7.7.0-12
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Thu Jan 20 2022 Fedora Release Engineering <releng(a)fedoraproject.org> - 7.7.0-11
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Thu Jul 22 2021 Fedora Release Engineering <releng(a)fedoraproject.org> - 7.7.0-10
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Tue Apr 13 2021 Alexander Boström <abo(a)root.snowtree.se> - 7.7.0-9
- Backport autoconf-2.70 fix
* Tue Jan 26 2021 Fedora Release Engineering <releng(a)fedoraproject.org> - 7.7.0-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Tue Jul 28 2020 Fedora Release Engineering <releng(a)fedoraproject.org> - 7.7.0-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Mar 31 2020 Alexander Boström <abo(a)root.snowtree.se> - 7.7.0-6
- Do not buildrequire openldap-servers on RHEL8+
* Sat Mar 21 2020 Alexander Boström <abo(a)root.snowtree.se> - 7.7.0-5
- Add Python 3 code patch
- Use Python 3 binary path
- BuildRequire Python 3
* Wed Jan 29 2020 Fedora Release Engineering <releng(a)fedoraproject.org> - 7.7.0-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Fri Jan 17 2020 Jeff Law <law(a)redhat.com> - 7.7.0-3
- Fix configure tests compromised by LTO
--------------------------------------------------------------------------------
================================================================================
ntfs-3g-2022.10.3-1.el7 (FEDORA-EPEL-2022-9e1d9b40a7)
Linux NTFS userspace driver
--------------------------------------------------------------------------------
Update Information:
Update to 2022.10.3. Fixes CVE-2022-40284
--------------------------------------------------------------------------------
ChangeLog:
* Thu Nov 3 2022 Gabriel Kihlman <gk(a)sysctl.se> - 2:2022.10.3-1
- New upstream version 2022.10.3
- Fixes: CVE-2022-40284
* Fri Jul 22 2022 Fedora Release Engineering <releng(a)fedoraproject.org> - 2:2022.5.17-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2090876 - ntfs-3g-2022.10.3 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2090876
[ 2 ] Bug #2140031 - CVE-2022-40284: buffer overflow in NTFS-3G
https://bugzilla.redhat.com/show_bug.cgi?id=2140031
--------------------------------------------------------------------------------
================================================================================
rsnapshot-1.4.4-1.el7 (FEDORA-EPEL-2022-29b37c6313)
Local and remote filesystem snapshot utility
--------------------------------------------------------------------------------
Update Information:
# rsnapshot 1.4.4
- Add sentence explaining rsync_long|short_args + sign to man page
- Fix rsnapreport problems (incorrect header, fail when `rsync` present, fail with LVM)
- Add notes about documentation, and link to the website repo
- Fix for '`rsync_cleanup_after_native_cp_al()` only works on directories' fail when `sync_first on` and `cmd_cp` not set (#133), add test
- Fix for `rm -rf` failing when the path contains `./`
- Suppress noisy error from non-GNU `cp` on BSD-ish machines, including MacOS
- Add CentOS 7 to successfully tested to docs
- Minor tidy up rel `configure` options `--with-test-(true|false)`
- Update travis build settings
- Don't use `m4_esyscmd_s` in `configure.ac`
- Update docs to remove dangling refs to HOWTO on rsnapshot.org
- Skip both SSH tests (rather than one) if SSH doesn't work
- Use perl-5.30 for tests (used in Ubuntu 20.04 Focal)
- Lower verbose level of `rsync` output to 1.3.x equivalent to work with `rsnapreport.pl` again
- Fix location of true and false binaries on macOS
--------------------------------------------------------------------------------
ChangeLog:
* Wed Nov 16 2022 Robert Scheck <robert(a)fedoraproject.org> - 1.4.4-1
- Upgrade to 1.4.4 (#1974006, thanks to Todd Zullinger)
* Sat Jul 23 2022 Fedora Release Engineering <releng(a)fedoraproject.org> - 1.4.3-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Fri Jan 21 2022 Fedora Release Engineering <releng(a)fedoraproject.org> - 1.4.3-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Fri Jul 23 2021 Fedora Release Engineering <releng(a)fedoraproject.org> - 1.4.3-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Wed Jan 27 2021 Fedora Release Engineering <releng(a)fedoraproject.org> - 1.4.3-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Wed Jul 29 2020 Fedora Release Engineering <releng(a)fedoraproject.org> - 1.4.3-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Mar 31 2020 Jitka Plesnikova <jplesnik(a)redhat.com> - 1.4.3-3
- Specify all perl dependencies needed for tests
* Thu Jan 30 2020 Fedora Release Engineering <releng(a)fedoraproject.org> - 1.4.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1974006 - rsnapshot 1.4.4 is available. Please build for EPEL8 and Fedora34
https://bugzilla.redhat.com/show_bug.cgi?id=1974006
--------------------------------------------------------------------------------