As previously proposed on the epel-devel mailing list, and in accordance
with the EPEL Retirement Policy: Process: Security Reasons[1], I will be
retiring the flintqs package in EPEL7, EPEL8, and EPEL9 today.
When I took over maintenance of the flintqs package[2]—which contains
William Hart’s quadratic sieve implementation, as modified for
sagemath—I built it for EPEL7, EPEL8, and EPEL9. My thoughts were, “Why
not? Someone might find it useful.”
It was recently pointed out[3][4] that the flintqs command-line tool
uses temporary files in unsafe ways[5], which could potentially
represent an exploitable security vulnerability; this has been assigned
CVE-2023-29465[6].
There is no immediate patch available; while one could surely be
constructed, the sagemath project plans to incorporate the factorization
algorithm directly in sagemath and discontinue support of the vulnerable
command-line tool rather than fixing it[7].
Since sagemath is not packaged in any of the EPEL releases, and flintqs
is therefore a leaf package, I am handling this security report by
retiring flintqs in all three EPELs.
Anyone who does need FlintQS on EL will need to consider their security
threat model, then build it from source—either by cloning the upstream
GitHub repository, or, for the time being, by rebuilding the Fedora
source RPM. Note, however, that the Fedora package will also be retired
as soon as it is no longer needed by sagemath.
[1] https://docs.fedoraproject.org/en-US/epel/epel-policy-retirement/#process_s…
[2] https://src.fedoraproject.org/rpms/flintqs
[3] https://bugzilla.redhat.com/show_bug.cgi?id=2185301
[4] https://github.com/sagemath/FlintQS/issues/3
[5] https://owasp.org/www-community/vulnerabilities/Insecure_Temporary_File
[6] https://nvd.nist.gov/vuln/detail/CVE-2023-29465
[7] https://github.com/sagemath/sage/pull/35419
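The weakness class the retirement notice cites (the OWASP "insecure temporary file" entry, reference [5]) is easiest to see in code. What follows is an added C illustration written for this page; it is not FlintQS source and does not reproduce the specific flintqs defect, whose details are in the bug reports [3][4]. It shows the general pattern: a program that opens a predictable name in a shared directory with O_CREAT but without O_EXCL follows a symlink another local user planted there and truncates the link's target, while mkstemp() creates an unpredictable name atomically with O_EXCL and mode 0600. The function and file names are the example's own; it assumes a POSIX system with a writable /tmp and uses a private mkdtemp() directory as a stand-in for the shared /tmp such an attack normally targets.

```c
// Added illustration of the insecure-temporary-file weakness class.
// Editor-written example code, not FlintQS source; names are hypothetical.
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define SECRET "secret data\n"   /* constructed victim-file contents */

/* Vulnerable pattern: predictable name, O_CREAT without O_EXCL.
 * If another user has already placed a symlink at this path, open()
 * follows it and O_TRUNC clobbers whatever the link points at. */
int open_temp_insecure(const char *dir, char *out, size_t outlen)
{
    snprintf(out, outlen, "%s/scratch.tmp", dir);
    return open(out, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened pattern: mkstemp() fills in the XXXXXX suffix with an
 * unpredictable value and opens with O_CREAT|O_EXCL and mode 0600, so a
 * pre-planted symlink or file cannot be hijacked. */
int open_temp_secure(const char *dir, char *out, size_t outlen)
{
    snprintf(out, outlen, "%s/scratch.XXXXXX", dir);
    return mkstemp(out);
}

static int file_size(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return (int)st.st_size;
}

/* Simulate the race in a private directory: the "attacker" plants a
 * symlink at the predictable name pointing at a victim file, then the
 * "program" opens its temp file and writes to it. Returns 1 if the
 * victim file was clobbered, 0 if it survived, -1 on setup failure. */
int demo_symlink_attack(int use_secure)
{
    char dir[] = "/tmp/tmpdemo.XXXXXX";
    char victim[512], link[512], path[512];
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(link, sizeof link, "%s/scratch.tmp", dir);

    FILE *f = fopen(victim, "w");
    if (!f) return -1;
    fputs(SECRET, f);
    fclose(f);

    if (symlink(victim, link) != 0) return -1;   /* attacker step */

    int fd = use_secure ? open_temp_secure(dir, path, sizeof path)
                        : open_temp_insecure(dir, path, sizeof path);
    if (fd >= 0) {
        if (write(fd, "x", 1) != 1) { /* not relevant to the demo */ }
        close(fd);
    }
    int clobbered = (file_size(victim) != (int)strlen(SECRET));

    if (fd >= 0) unlink(path);   /* removes the symlink in the insecure case */
    unlink(link);
    unlink(victim);
    rmdir(dir);
    return clobbered;
}

/* Permission bits of a file created by open_temp_secure(); mkstemp()
 * uses 0600, so group/other bits are never set regardless of umask. */
int secure_temp_mode(void)
{
    char dir[] = "/tmp/tmpdemo.XXXXXX";
    char path[512];
    if (!mkdtemp(dir)) return -1;
    int fd = open_temp_secure(dir, path, sizeof path);
    if (fd < 0) { rmdir(dir); return -1; }
    struct stat st;
    int mode = (fstat(fd, &st) == 0) ? (int)(st.st_mode & 0777) : -1;
    close(fd);
    unlink(path);
    rmdir(dir);
    return mode;
}

int main(void)
{
    printf("predictable name, no O_EXCL: victim clobbered = %d\n", demo_symlink_attack(0));
    printf("mkstemp():                   victim clobbered = %d\n", demo_symlink_attack(1));
    printf("mkstemp() file mode: %04o\n", secure_temp_mode());
    return 0;
}
```

The same fix applies whether the temp file is created through open(), fopen() or a library wrapper: the name must be unpredictable and the create must be atomic (O_CREAT|O_EXCL, which also refuses to follow a symlink). A program that merely adds O_NOFOLLOW but keeps a predictable name still lets an attacker pre-create a regular file and read or feed the contents, which is why mkstemp() (or tmpfile(), or O_TMPFILE where available) is the practitioner's answer rather than a flag tweak.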
The following Fedora EPEL 8 Security updates need testing:
Age URL Builds
31 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-1e00c3d01e cutter-re-2.2.0-1.el8 rizin-0.5.1-1.el8
3 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-8c1df52e87 chromium-112.0.5615.49-1.el8
3 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-73a16276bd python-twisted-19.10.0-4.el8
2 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-78b54db021 rnp-0.16.3-1.el8
2 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-7f77917637 dr_libs-0-0.20.20230412git4b3d078.el8
2 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-e5c5d6dbdb suricata-6.0.11-1.el8
The following builds have been pushed to Fedora EPEL 8 updates-testing
hstr-3.0-1.el8
python-backoff-2.2.1-1.el8
radicale-3.1.8-52.el8
Details about builds:
================================================================================
hstr-3.0-1.el8 (FEDORA-EPEL-2023-88450c5880)
Suggest box like shell history completion
--------------------------------------------------------------------------------
Update Information:
update to 3.0
--------------------------------------------------------------------------------
ChangeLog:
* Sun Apr 16 2023 Jonathan Wright <jonathan(a)almalinux.org> - 3.0-1
- Update to 3.0
- update license to spdx
* Tue Jan 24 2023 Leigh Scott <leigh123linux(a)gmail.com> - 2.6-1
- Update to 2.6
* Thu Jan 19 2023 Fedora Release Engineering <releng(a)fedoraproject.org> - 2.5-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
--------------------------------------------------------------------------------
================================================================================
python-backoff-2.2.1-1.el8 (FEDORA-EPEL-2023-1fc58ffa71)
Python library providing function decorators for configurable backoff and retry
--------------------------------------------------------------------------------
Update Information:
Turn off tests for initial EPEL8 build
--------------------------------------------------------------------------------
ChangeLog:
* Sun Apr 16 2023 Jiri Kyjovsky <j1.kyjovsky(a)gmail.com> - 2.2.1-1
- Turn off tests for initial EPEL8 build
--------------------------------------------------------------------------------
================================================================================
radicale-3.1.8-52.el8 (FEDORA-EPEL-2023-ee27f877a3)
A simple CalDAV (calendar) and CardDAV (contact) server
--------------------------------------------------------------------------------
Update Information:
- Move bundled required modules to USER_SITE directory
- Disable bundled dateutil (EPEL provides now 2.8.2)
- Remove cases for radicale major version 1 and 2
- Move binaries to libexec and create a wrapper script
- Align systemd unit file with f38
- Fix __requires_exclude and fix/add "Requires" entries
--------------------------------------------------------------------------------
ChangeLog:
* Sat Apr 15 2023 Peter Bieringer <pb(a)bieringer.de> - 3.1.8-51
- Move bundled required modules to USER_SITE directory
- Disable bundled dateutil (EPEL provides now 2.8.2)
- Remove cases for radicale major version 1 and 2
- Move binaries to libexec and create a wrapper script
- Align systemd unit file with f38
- Fix __requires_exclude and fix/add "Requires" entries
--------------------------------------------------------------------------------
The following Fedora EPEL 9 Security updates need testing:
Age URL Builds
2 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-97d6b10e34 rnp-0.16.3-1.el9
2 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-4894f94aaa dr_libs-0^20230324git4b3d078-0.1.el9
2 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-e5d244075e suricata-6.0.11-1.el9
The following builds have been pushed to Fedora EPEL 9 updates-testing
hstr-3.0-1.el9
lutris-0.5.12-3.el9
mycli-1.26.1-3.el9
perl-MooseX-Types-DateTime-MoreCoercions-0.15-23.el9
radicale-3.1.8-52.el9
ugrep-3.11.2-1.el9
Details about builds:
================================================================================
hstr-3.0-1.el9 (FEDORA-EPEL-2023-1a5ad72081)
Suggest box like shell history completion
--------------------------------------------------------------------------------
Update Information:
update to 3.0
--------------------------------------------------------------------------------
ChangeLog:
* Sun Apr 16 2023 Jonathan Wright <jonathan(a)almalinux.org> - 3.0-1
- Update to 3.0
- update license to spdx
--------------------------------------------------------------------------------
================================================================================
lutris-0.5.12-3.el9 (FEDORA-EPEL-2023-fe093e16fe)
Install and play any video game easily
--------------------------------------------------------------------------------
Update Information:
Fix for build issues on epel9
--------------------------------------------------------------------------------
ChangeLog:
* Sun Apr 16 2023 Steve Cossette <farchord(a)gmail.com> 0.5.12-3
- Fix for build issues on epel9
* Sun Feb 5 2023 Chris King <bunnyapocalypse(a)protonmail.com> 0.5.12-2
- Fix locale support by switching to meson
--------------------------------------------------------------------------------
================================================================================
mycli-1.26.1-3.el9 (FEDORA-EPEL-2023-918cd4c7d4)
Interactive CLI for MySQL Database with auto-completion and syntax highlighting
--------------------------------------------------------------------------------
Update Information:
Initial shipment of mycli in epel9.
--------------------------------------------------------------------------------
ChangeLog:
* Sun Apr 16 2023 Terje Rosten <terje.rosten(a)ntnu.no> - 1.26.1-3
- Switch from pyaes to pycryptodomex
* Thu Jan 19 2023 Fedora Release Engineering <releng(a)fedoraproject.org> - 1.26.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Mon Sep 5 2022 Terje Rosten <terje.rosten(a)ntnu.no> - 1.26.1-1
- 1.26.1
* Fri Jul 22 2022 Fedora Release Engineering <releng(a)fedoraproject.org> - 1.25.0-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Wed Jun 29 2022 Terje Rosten <terje.rosten(a)ntnu.no> - 1.25.0-3
- Some strange 3.11 error in tests
* Mon Jun 27 2022 Python Maint <python-maint(a)redhat.com> - 1.25.0-2
- Rebuilt for Python 3.11
* Sat Apr 2 2022 Terje Rosten <terje.rosten(a)ntnu.no> - 1.25.0-1
- 1.25.0
* Sun Jan 23 2022 Terje Rosten <terje.rosten(a)ntnu.no> - 1.24.3-1
- 1.24.3
* Thu Jan 20 2022 Fedora Release Engineering <releng(a)fedoraproject.org> - 1.24.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Sun Jan 16 2022 Terje Rosten <terje.rosten(a)ntnu.no> - 1.24.2-1
- 1.24.2
* Thu Jul 22 2021 Fedora Release Engineering <releng(a)fedoraproject.org> - 1.24.1-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Fri Jun 4 2021 Python Maint <python-maint(a)redhat.com> - 1.24.1-3
- Rebuilt for Python 3.10
* Sat May 8 2021 Dick Marinus <dick(a)mrns.nl> - 1.24.1-2
- Use pyproject-rpm-macros to eliminate error-prone manual BR’s
- Do not manually duplicate automatic Requires
- Do not use obsolete python_provide macro; use py_provides macro instead
- Add the Python extras metapackage for the keyring extra
- Use the pytest macro
- Switch to HTTPS URL
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2120151 - Please branch and build mycli in epel9
https://bugzilla.redhat.com/show_bug.cgi?id=2120151
--------------------------------------------------------------------------------
================================================================================
perl-MooseX-Types-DateTime-MoreCoercions-0.15-23.el9 (FEDORA-EPEL-2023-f755089c5f)
Extensions to MooseX::Types::DateTime
--------------------------------------------------------------------------------
Update Information:
This package contains the Perl module MooseX::Types::DateTime::MoreCoercions,
which builds on MooseX::Types::DateTime to add additional custom types and
coercions. Since it builds on an existing type, all coercions and constraints
are inherited.
--------------------------------------------------------------------------------
ChangeLog:
* Fri Jan 20 2023 Fedora Release Engineering <releng(a)fedoraproject.org> - 0.15-23
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Fri Jul 22 2022 Fedora Release Engineering <releng(a)fedoraproject.org> - 0.15-22
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Wed Jun 1 2022 Jitka Plesnikova <jplesnik(a)redhat.com> - 0.15-21
- Perl 5.36 rebuild
* Fri Jan 21 2022 Fedora Release Engineering <releng(a)fedoraproject.org> - 0.15-20
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Thu Jul 22 2021 Fedora Release Engineering <releng(a)fedoraproject.org> - 0.15-19
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Sun May 23 2021 Jitka Plesnikova <jplesnik(a)redhat.com> - 0.15-18
- Perl 5.34 rebuild
* Wed Jan 27 2021 Fedora Release Engineering <releng(a)fedoraproject.org> - 0.15-17
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2178064 - Add perl-MooseX-Types-DateTime-MoreCoercions to EPEL 9
https://bugzilla.redhat.com/show_bug.cgi?id=2178064
--------------------------------------------------------------------------------
================================================================================
radicale-3.1.8-52.el9 (FEDORA-EPEL-2023-2bf534bcd4)
A simple CalDAV (calendar) and CardDAV (contact) server
--------------------------------------------------------------------------------
Update Information:
- Move bundled required modules to USER_SITE directory
- Disable bundled dateutil (EPEL provides now 2.8.2)
- Remove cases for radicale major version 1 and 2
- Move binaries to libexec and create a wrapper script
- Align systemd unit file with f38
- Fix __requires_exclude and fix/add "Requires" entries
--------------------------------------------------------------------------------
ChangeLog:
* Sat Apr 15 2023 Peter Bieringer <pb(a)bieringer.de> - 3.1.8-51
- Move bundled required modules to USER_SITE directory
- Disable bundled dateutil (EPEL provides now 2.8.2)
- Remove cases for radicale major version 1 and 2
- Move binaries to libexec and create a wrapper script
- Align systemd unit file with f38
- Fix __requires_exclude and fix/add "Requires" entries
--------------------------------------------------------------------------------
================================================================================
ugrep-3.11.2-1.el9 (FEDORA-EPEL-2023-ba75c75a35)
Faster, user-friendly, and compatible grep replacement
--------------------------------------------------------------------------------
Update Information:
Update to version 3.11.2. Previously EPEL 9 had version 3.9.2. All the changes
appear to be compatible bugfixes and feature additions. All of the following
upstream release notes apply:
- https://github.com/Genivia/ugrep/releases/tag/v3.9.3
- https://github.com/Genivia/ugrep/releases/tag/v3.9.4
- https://github.com/Genivia/ugrep/releases/tag/v3.9.5
- https://github.com/Genivia/ugrep/releases/tag/v3.9.6
- https://github.com/Genivia/ugrep/releases/tag/v3.9.7
- https://github.com/Genivia/ugrep/releases/tag/v3.10.0
- https://github.com/Genivia/ugrep/releases/tag/v3.10.1
- https://github.com/Genivia/ugrep/releases/tag/v3.11.0
- https://github.com/Genivia/ugrep/releases/tag/v3.11.1
- https://github.com/Genivia/ugrep/releases/tag/v3.11.2
--------------------------------------------------------------------------------
ChangeLog:
* Sun Apr 16 2023 Carl George <carl(a)george.computer> - 3.11.2-1
- Update to version 3.11.2, resolves rhbz#2179547
* Wed Mar 1 2023 Carl George <carl(a)george.computer> - 3.10.0-1
- Update to version 3.10.0, resolves rhbz#2174333
* Fri Feb 3 2023 Carl George <carl(a)george.computer> - 3.9.7-1
- Update to version 3.9.7, resolves rhbz#2157204
* Sat Jan 21 2023 Fedora Release Engineering <releng(a)fedoraproject.org> - 3.9.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Tue Aug 23 2022 Carl George <carl(a)george.computer> - 3.9.2-2
- Disable NEON optimizations on 32bit ARM
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2179547 - ugrep-3.11.2 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2179547
--------------------------------------------------------------------------------