The following Fedora EPEL 4 Security updates need testing:
https://admin.fedoraproject.org/updates/atop-1.26-1.el4.1
https://admin.fedoraproject.org/updates/puppet-0.25.6-1.el4
https://admin.fedoraproject.org/updates/ocsinventory-1.3.3-5.el4
https://admin.fedoraproject.org/updates/phpldapadmin-0.9.8.5-1.el4
https://admin.fedoraproject.org/updates/cherokee-1.2.101-1.el4
The following builds have been pushed to Fedora EPEL 4 updates-testing
crudminer-0.3.2-2.el4
iec16022-0.2.4-7.el4
ocsinventory-1.3.3-5.el4
phpldapadmin-0.9.8.5-1.el4
puppet-0.25.6-1.el4
ssldump-0.9-0.4.b3.el4
Details about builds:
================================================================================
crudminer-0.3.2-2.el4 (FEDORA-EPEL-2011-4754)
Find and report insecure web software in a web root
--------------------------------------------------------------------------------
Update Information:
New package.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #748446 - Review Request: crudminer - Find known-vulnerable software in a web root
https://bugzilla.redhat.com/show_bug.cgi?id=748446
--------------------------------------------------------------------------------
================================================================================
iec16022-0.2.4-7.el4 (FEDORA-EPEL-2011-4781)
Generate ISO/IEC 16022 2D barcodes
--------------------------------------------------------------------------------
Update Information:
iec16022 is a program for producing ISO/IEC 16022 2D barcodes, also known as Data Matrix.
These barcodes are defined in the ISO/IEC 16022 standard.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #594844 - Review Request: iec16022 - Generate ISO/IEC 16022 2D barcodes
https://bugzilla.redhat.com/show_bug.cgi?id=594844
--------------------------------------------------------------------------------
================================================================================
ocsinventory-1.3.3-5.el4 (FEDORA-EPEL-2011-4755)
Open Computer and Software Inventory Next Generation
--------------------------------------------------------------------------------
Update Information:
Fix an XSS vulnerability
--------------------------------------------------------------------------------
ChangeLog:
* Tue Oct 25 2011 Remi Collet <Fedora(a)famillecollet.com> - 1.3.3-5
- fix XSS vulnerability (Bug #748072, CVE-2011-4024)
- Don't require php-zip for F16 and up.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #748072 - CVE-2011-4024 ocsinventory: XSS flaw
https://bugzilla.redhat.com/show_bug.cgi?id=748072
--------------------------------------------------------------------------------
================================================================================
phpldapadmin-0.9.8.5-1.el4 (FEDORA-EPEL-2011-4759)
Web-based tool for managing LDAP servers
--------------------------------------------------------------------------------
Update Information:
Fix CVE-2011-4074 and CVE-2011-4075 (XSS and code injection vulnerabilities in versions <= 1.2.1.1)
Update to version 0.9.8.5
--------------------------------------------------------------------------------
ChangeLog:
* Wed Oct 26 2011 Dmitry Butskoy <Dmitry(a)Butskoy.name> - 0.9.8.5-1
- fix #748539 (CVE-2011-4075)
- update to 0.9.8.5
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #748537 - CVE-2011-4074 CVE-2011-4075 phpldapadmin: XSS and code injection vulnerabilities in <= 1.2.1.1
https://bugzilla.redhat.com/show_bug.cgi?id=748537
--------------------------------------------------------------------------------
================================================================================
puppet-0.25.6-1.el4 (FEDORA-EPEL-2011-4767)
A network tool for managing many disparate systems
--------------------------------------------------------------------------------
Update Information:
A bug in puppet's SSL certificate handling could allow nodes with a valid certificate
to impersonate the puppet master. To be vulnerable, a user would have had to set the
certdnsnames variable and then generated certificates. This setting is not set by default in
the Fedora/EPEL packages.
This update closes the vulnerability in newly generated certificates, but cannot prevent
existing certificates from being used to exploit the vulnerability. If you have generated
certificates that are vulnerable to this issue, please refer to the upstream documentation
for more details on mitigation and remediation:
http://puppetlabs.com/security/cve/cve-2011-3872/
--------------------------------------------------------------------------------
ChangeLog:
* Sat Oct 22 2011 Todd Zullinger <tmz(a)pobox.com> - 0.25.6-1
- Update to 0.25.6, fixes CVE-2011-3872
--------------------------------------------------------------------------------
================================================================================
ssldump-0.9-0.4.b3.el4 (FEDORA-EPEL-2011-4785)
An SSLv3/TLS network protocol analyzer
--------------------------------------------------------------------------------
Update Information:
Fixed wrong decoder table ends to avoid many segfaults
--------------------------------------------------------------------------------
ChangeLog:
* Mon Oct 24 2011 Robert Scheck <robert(a)fedoraproject.org> 0.9-0.4.b3
- Fixed wrong decoder table ends to avoid many segfaults (#747398)
* Wed Feb 9 2011 Fedora Release Engineering <rel-eng(a)lists.fedoraproject.org> - 0.9-0.3.b3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #747398 - ssldump segfaults within minutes after running it
https://bugzilla.redhat.com/show_bug.cgi?id=747398
--------------------------------------------------------------------------------