The following Fedora EPEL 6 Security updates need testing:
 Age (days)  URL                                                                  Build
        263  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-6828        chicken-4.9.0.1-4.el6
        245  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-7031        python-virtualenv-12.0.7-1.el6
        239  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-7168        rubygem-crack-0.3.2-2.el6
        171  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-8148        optipng-0.7.5-5.el6
        171  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-8156        nagios-4.0.8-1.el6
        129  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-e2b4b5b2fb  mcollective-2.8.4-1.el6
        101  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-35e240edd9  thttpd-2.25b-24.el6
         12  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-00c45982f6  drupal6-6.38-1.el6
         12  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-6e0c318d91  libssh-0.5.5-5.el6
         10  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-6a812bd682  drupal7-7.43-1.el6
          8  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-78096a43d9  php-htmLawed-1.1.21-1.el6
          6  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-b14579b3db  websvn-2.3.3-12.el6
          0  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-44de0606ef  python-tgcaptcha2-0.3.1-1.el6
          0  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-a198786211  lcms2-2.7-3.el6
          0  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-0ea6a62cb7  drupal6-emfield-2.7-1.el6
The following builds have been pushed to Fedora EPEL 6 updates-testing:
check-mk-1.2.6p16-3.el6
drupal6-ctools-1.15-1.el6
drupal6-emfield-2.7-1.el6
drupal6-login_destination-2.13-1.el6
drupal6-pathauto-2.1-1.el6
fail2ban-0.9.4-2.el6
fasd-1.0.1-2.el6
lcgdm-dav-0.17.1-1.el6
lcms2-2.7-3.el6
libotr-4.1.1-1.el6
python-tgcaptcha2-0.3.1-1.el6
Details about builds:
================================================================================
check-mk-1.2.6p16-3.el6 (FEDORA-EPEL-2016-81182f0820)
A new general purpose Nagios-plugin for retrieving data
--------------------------------------------------------------------------------
Update Information:
Make sure the /etc/nagios/auth.serials and /etc/nagios/htpasswd.users files are
not overwritten on package update.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1316086 - check-mk: use %config(noreplace) for /etc/nagios/htpasswd.users
https://bugzilla.redhat.com/show_bug.cgi?id=1316086
--------------------------------------------------------------------------------
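The security point of this update is easy to miss: /etc/nagios/htpasswd.users holds the web UI's credential hashes and auth.serials its session state, and a file that is shipped as ordinary payload (or as plain %config) is replaced on every update, so locally added accounts vanish and the packaged defaults come back. The fix is the %config(noreplace) file attribute. The check below is an added example written for this page, not code from check-mk or the EPEL tooling; it decodes the RPMFILE_* flag bits that `rpm -q --qf` prints, and the sample output it parses is constructed to show the before/after of such a fix rather than captured from a real host.

```python
"""Verify that an installed RPM marks its credential files %config(noreplace).

Added example for this page; not part of check-mk or the EPEL tooling. It decodes
the RPMFILE_* bit flags printed by

    rpm -q --qf '[%{FILENAMES} %{FILEFLAGS}\\n]' check-mk

so you can see whether a file survives `yum update`. The sample output below is
constructed to illustrate the before/after of the fix, not captured from a host.
"""
import subprocess

# Bit values from rpm's rpmfiles.h.
RPMFILE_CONFIG = 1 << 0      # %config
RPMFILE_NOREPLACE = 1 << 4   # the (noreplace) qualifier; meaningful only with CONFIG
PROTECTED = RPMFILE_CONFIG | RPMFILE_NOREPLACE   # == 17

QUERY_FORMAT = r"[%{FILENAMES} %{FILEFLAGS}\n]"

# Files holding credentials or local state that a package update must not clobber.
CHECK_MK_SECRETS = ["/etc/nagios/auth.serials", "/etc/nagios/htpasswd.users"]

# Constructed `rpm -q --qf` output. Before the fix: auth.serials as plain %config,
# htpasswd.users as ordinary payload. After the fix: both %config(noreplace).
BEFORE_FIX = """\
/etc/nagios/auth.serials 1
/etc/nagios/htpasswd.users 0
/etc/httpd/conf.d/check_mk.conf 17
/usr/share/check_mk/web/htdocs/index.py 0
"""
AFTER_FIX = """\
/etc/nagios/auth.serials 17
/etc/nagios/htpasswd.users 17
/etc/httpd/conf.d/check_mk.conf 17
/usr/share/check_mk/web/htdocs/index.py 0
"""


def parse_fileflags(rpm_output):
    """Map path -> integer FILEFLAGS from one 'path flags' pair per line."""
    files = {}
    for line in rpm_output.splitlines():
        if line.strip():
            path, flags = line.rsplit(None, 1)
            files[path] = int(flags)
    return files


def update_behaviour(flags):
    """What rpm does to a locally edited copy of the file when the package is updated."""
    if flags is None:
        return "not owned by the package"
    if not flags & RPMFILE_CONFIG:
        return "plain file: local edits overwritten on every update"
    if not flags & RPMFILE_NOREPLACE:
        return "%config: local copy renamed to .rpmsave and replaced"
    return "%config(noreplace): local copy kept, new default written as .rpmnew"


def unprotected(files, must_keep):
    """Return {path: reason} for every must_keep file that is not %config(noreplace)."""
    return {
        path: update_behaviour(files.get(path))
        for path in must_keep
        if files.get(path) is None or (files[path] & PROTECTED) != PROTECTED
    }


def check_installed(package, must_keep):
    """Live check against this host's rpmdb (needs rpm; not exercised by the tests)."""
    out = subprocess.check_output(["rpm", "-q", "--qf", QUERY_FORMAT, package],
                                  universal_newlines=True)
    return unprotected(parse_fileflags(out), must_keep)


if __name__ == "__main__":
    for label, sample in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        print(label, unprotected(parse_fileflags(sample), CHECK_MK_SECRETS) or "OK")
```

On a host with the update installed, `check_installed("check-mk", CHECK_MK_SECRETS)` should return an empty dict; in the spec file the corresponding line is `%config(noreplace) %{_sysconfdir}/nagios/htpasswd.users`. Keep in mind that noreplace only protects a file that already exists locally; a fresh install still lays down the packaged default.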
================================================================================
drupal6-ctools-1.15-1.el6 (FEDORA-EPEL-2016-c598e21815)
Primarily a set of APIs and tools to improve the developer experience
--------------------------------------------------------------------------------
Update Information:
### 6.x-1.15

This is an incremental bugfix release for ctools, particularly for newer
versions of PHP 5 (5.4+). ctools is now in bug and security only maintenance
mode. Any future feature requests should be made in the 7.x or, preferably, the
8.x branch.

#### Changes since 6.x-1.14:
 * #1334894 by mikeytown2: Warning: Invalid argument supplied for foreach() in
   views_content_views_content_type_render()
 * #2599688 by jansete: Strict warning: Declaration of
   views_content_plugin_display_panel_pane::options_submit() should be
   compatible with views_plugin_display::options_submit(&$form, &$form_state)
 * Fix 'Only variables should be passed by reference' error
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1293745 - drupal6-ctools-1.15 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1293745
--------------------------------------------------------------------------------
================================================================================
drupal6-emfield-2.7-1.el6 (FEDORA-EPEL-2016-0ea6a62cb7)
An engine for modules to integrate various 3rd party media content providers
--------------------------------------------------------------------------------
Update Information:
### 6.x-2.7

Fixes [Embedded Media Field - Moderately Critical - Access Bypass -
DRUPAL-SA-CONTRIB-2016-004](https://www.drupal.org/node/2666446)

#### Changes since 6.x-2.6:
 * by dalin: Ensure that width and height are always numbers.
 * #1868588 by tangent: URL detection regex does not match hyphens / breaks
   HTML markup
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1306475 - drupal6-emfield-2.7 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1306475
--------------------------------------------------------------------------------
================================================================================
drupal6-login_destination-2.13-1.el6 (FEDORA-EPEL-2016-d9c316129d)
Control where users are directed to once they login
--------------------------------------------------------------------------------
Update Information:
### 6.x-2.13

#### Changes since 6.x-2.12:

NOTE: the upgrade will be seamless - no db schema changes made (the D6 module
version does not have its own db tables). See [#2611674: Number of fixed issues
- 9, feeling - priceless! 6.x version issues
screenshot](https://www.drupal.org/node/2611674) for a screenshot with all the
bugs for D6 finally fixed! This release fixes all known bugs!

NOTE2: Added a new setting on login_destination's settings page:
"use_drupal_goto". Here is some explanation:
 - turn on/off the drupal_goto invocation - OFF by default
 - we need use_drupal_goto == ON if we want to use absolute urls on login
   redirect, at least until some better way is found
 - if we have it ON, it will break modules like content_profile_registration
   from the content_profile package. It's ok for you to leave it ON if you
   don't use that module.
As always test, and double test. We tried to make it as flexible as we can,
giving you control over the drupal_goto usage + sane defaults (it's OFF by
default).

Changes:
 * #1508152 by rsvelko: add new setting: "use_drupal_goto"
 * #1793540 by stewart.adam, rsvelko: Should check if force_password_change
   module is enabled when checking if redirection is valid
 * better function naming: login_destination_apply_redirect ->
   __login_destination_should_we_redirect
 * #1577904 by rsvelko: Correct the onscreen PHP Snippet example
 * rewrote login_destination_redirect_to_path_and_query to make it handle
   array/string queries and rawurlencode query/path only when needed
 * settings page rearranged a bit: move the destination fieldgroup to become
   first, and the condition fieldgroup -> second
 * better absolute url detection
 * #1307478 by chriscohen, rsvelko: Notice: Undefined property:
   stdClass::$force_password_change in login_destination_apply_redirect()
 * minor edits like: better README language, stripping CVS keywords, remove
   trailing whitespace
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1289080 - drupal6-login_destination-2.13 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1289080
--------------------------------------------------------------------------------
================================================================================
drupal6-pathauto-2.1-1.el6 (FEDORA-EPEL-2016-f2658d7321)
Provides a mechanism to automatically generate aliases
--------------------------------------------------------------------------------
Update Information:
### 6.x-2.1

#### Changes since 6.x-2.0:
 * Fixed pathauto_alias_uniquify() did not use pathauto_truncate_utf8().
 * #2423077 by Dave Reid, TuWebO: Fixed wrong parameters passed to
   truncate_utf8() from pathauto_alias_uniquify().
 * #1899806: Fixed URL segments with empty tokens in between separator resulted
   in duplicated backslashes in Pathauto alias.
 * #1565850: Added hook_pathauto_pattern_alter(). Simplify invocations of
   pathauto_cleanstring() by accepting both $options['langauge'] and
   $options['langcode'].
 * Bug #973908: Fix pathauto_cleanstring() lacks language context.
 * Updated PATHAUTO_PREG_CLASS_UNICODE_WORD_BOUNDARY to match the Drupal 7
   value.
 * #1003490: Renamed 'Bulk update' tab to 'Bulk generate' to better reflect
   actual functionality.
 * #1574700 by jgSnell, fletchgqc: Clarified transliteration help text means
   US-ASCII instead of ASCII-96.
 * #2174603: Added support for an $options['force'] parameter in
   pathauto_*_update_alias() callbacks that ignores the
   $object->path['pathauto'] value and will always perform aliasing.
 * #1834666 by greggles: Update README.txt maintainers
 * #1796920: Fixed pathauto_action_info() did not define the required 'hooks'
   property for each action.
 * #1189844: Added hook_action_info() support for bulk updating nodes, terms,
   and users with Views Bulk Operations.
 * Prevent core bug #600836 (infinite batch errors) if new entities are added
   while the batch processes are running.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1300492 - drupal6-pathauto-2.1 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1300492
--------------------------------------------------------------------------------
================================================================================
fail2ban-0.9.4-2.el6 (FEDORA-EPEL-2016-f2d0096c34)
Ban IPs that make too many password failures
--------------------------------------------------------------------------------
Update Information:
Update to 0.9.4:

Fixes:
 * roundcube-auth jail typo for logpath
 * Fix dnsToIp resolver for fqdn with large list of IPs (gh-1164)
 * filter.d/apache-badbots.conf: updated useragent string regex adding escape
   for +
 * filter.d/mysqld-auth.conf: updated "Access denied ..." regex for MySQL 5.6
   and later (gh-1211, gh-1332)
 * filter.d/sshd.conf: updated "Auth fail" regex for OpenSSH 5.9 and later
 * Treat failed and killed execution of commands identically (only different
   log messages), which addresses different behavior on different exit codes
   of dash and bash (gh-1155)
 * Fix jail.conf.5 man's section (gh-1226)
 * Fixed default banaction for allports jails like pam-generic, recidive, etc.
   with new default variable banaction_allports (gh-1216)
 * Fixed fail2ban-regex stops working on invalid (wrongly encoded) character
   for python version < 3.x (gh-1248)
 * Use postfix_log logpath for postfix-rbl jail
 * filter.d/postfix.conf: add 'Sender address rejected: Domain not found'
   failregex
 * Use fail2ban_agent as user-agent in actions badips, blocklist_de, etc.
   (gh-1271)
 * Fix ignoring the sender option by action_mw, action_mwl and action_c_mwl
 * Changed filter.d/asterisk regex for "Call from ..." (few vulnerable now)
 * Removed compression and rotation count from logrotate (inherit them from
   the global logrotate config)

New Features:
 * New interpolation feature for definition config readers -
   <known/parameter> (means the last known init definition of the filter or
   action with the name parameter). This interpolation makes it possible to
   extend the parameters of a stock filter or action directly in the jail
   inside jail.local, without creating a separate filter.d/*.local file. It is
   an extension of the interpolation %(known/parameter)s, which does not work
   for filter and action init parameters.
 * New actions: nftables-multiport and nftables-allports - filtering using the
   nftables framework. Note: it requires a pre-existing chain for the
   filtering rule.
 * New filters:
   - openhab - domotic software authentication failure with the REST API and
     web interface (gh-1223)
   - nginx-limit-req - ban hosts that were rejected by nginx's request rate
     limiting (ngx_http_limit_req_module)
   - murmur - ban hosts that repeatedly attempt to connect to
     murmur/mumble-server with an invalid server password or certificate
   - haproxy-http-auth - filter to match failed HTTP authentications against
     a HAProxy server
 * New jails: murmur - bans TCP and UDP from the bad host on the default
   murmur port
 * sshd filter got new failregex to match "maximum authentication attempts
   exceeded" (introduced in OpenSSH 6.8)
 * Added filter for Mac OS screen sharing (VNC) daemon

Enhancements:
 * Do not rotate empty log files
 * Added new date pattern with year after day (e.g. Sun Jan 23 2005 21:59:59)
   http://bugs.debian.org/798923
 * Added openSUSE path configuration (Thanks Johannes Weberhofer)
 * Allow to split ignoreip entries by ',' as well as by ' ' (gh-1197)
 * Added a timeout (3 sec) to urlopen within badips.py action (Thanks M.
   Maraun)
 * Added check against attacker's Googlebot PTR fake records (Thanks Pablo
   Rodriguez Fernandez)
 * Enhance filter against attacker's Googlebot PTR fake records (gh-1226)
 * Nginx log paths extended (prefixed with "*" wildcard) (gh-1237)
 * Added filter for openhab domotic software authentication failure with the
   REST API and web interface (gh-1223)
 * Add *_backend options for services to allow distros to set the default
   backend per service; set default to systemd for Fedora as appropriate
 * Performance improvements while monitoring a large number of files
   (gh-1265). Use associative array (dict) for monitored log files to speed up
   lookup operations. Thanks @kshetragia
 * Specified that fail2ban is PartOf iptables.service firewalld.service in
   .service file -- would reload fail2ban if those services are restarted
 * Provides new default fail2ban_version and interpolation variable
   fail2ban_agent in jail.conf
 * Enhance filter 'postfix' to ban incoming SMTP client with no fqdn hostname,
   and to support multiple instances of postfix having varying suffix
   (gh-1331) (Thanks Tom Hendrikx)
 * files/gentoo-initd to use start-stop-daemon to robustify restarting the
   service
--------------------------------------------------------------------------------
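Two of the items above are worth seeing in action: the new sshd failregex for OpenSSH 6.8's "maximum authentication attempts exceeded" message (without it, a client that burns all MaxAuthTries in one connection may log only this line and never reach maxretry), and ignoreip accepting ',' as well as ' ' between entries. The block below is an added example written for this page, not fail2ban's own code or its shipped filter.d/sshd.conf: the regexes are simplified stand-ins, the syslog year is assumed, and the log lines are constructed. It reproduces the jail.conf semantics of failregex, maxretry, findtime and ignoreip well enough to show which hosts a jail would ban, but it performs no banaction.

```python
"""Toy fail2ban-style jail over sshd log lines.

Added example for this page, not fail2ban's own code or its shipped
filter.d/sshd.conf: the regexes are simplified stand-ins and the log lines are
constructed. It shows two items from the 0.9.4 changelog in practice: matching
OpenSSH 6.8's "maximum authentication attempts exceeded" line as a failure, and
accepting ',' as well as ' ' between ignoreip entries.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# fail2ban's <HOST> tag stands for the offending address; expanded here to a named
# group that accepts an IPv4 or IPv6 literal.
HOST = r"(?P<host>[0-9a-fA-F.:]+)"

# Syslog prefix as rsyslog writes it on EL6: "Mar 10 12:00:01 web1 sshd[2001]: ".
PREFIX = r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "

FAILREGEX = [
    re.compile(PREFIX + r"Failed \S+ for (?:invalid user )?\S+ from " + HOST
               + r" port \d+ ssh2"),
    # Emitted once per connection by OpenSSH >= 6.8 when MaxAuthTries is hit.
    re.compile(PREFIX + r"error: maximum authentication attempts exceeded for "
               r"(?:invalid user )?\S+ from " + HOST + r" port \d+ ssh2(?: \[preauth\])?"),
]

# Constructed sample log; addresses are from the documentation ranges.
SAMPLE_LOG = """\
Mar 10 12:00:01 web1 sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Mar 10 12:00:03 web1 sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Mar 10 12:00:05 web1 sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Mar 10 12:00:06 web1 sshd[2001]: error: maximum authentication attempts exceeded for invalid user admin from 203.0.113.5 port 40001 ssh2 [preauth]
Mar 10 12:01:00 web1 sshd[2010]: Failed password for root from 10.0.0.7 port 50022 ssh2
Mar 10 12:01:02 web1 sshd[2010]: Failed password for root from 10.0.0.7 port 50022 ssh2
Mar 10 12:01:04 web1 sshd[2010]: Failed password for root from 10.0.0.7 port 50022 ssh2
Mar 10 12:05:00 web1 sshd[2020]: Failed password for alice from 198.51.100.9 port 51000 ssh2
Mar 10 12:30:00 web1 sshd[2030]: Failed password for alice from 198.51.100.9 port 51001 ssh2
Mar 10 12:55:00 web1 sshd[2040]: Failed password for alice from 198.51.100.9 port 51002 ssh2
Mar 10 12:56:00 web1 sshd[2050]: Accepted publickey for bob from 192.0.2.8 port 52000 ssh2
""".splitlines()


def parse_ignoreip(value):
    """Split ignoreip on ',' or whitespace (the 0.9.4 change) into ip_network objects."""
    return [ipaddress.ip_network(tok, strict=False) for tok in value.replace(",", " ").split()]


def is_ignored(host, ignore_nets):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in ignore_nets)


def match_failures(lines, year=2016):
    """Yield (timestamp, host) for each line that any failregex matches.
    Syslog lines carry no year, so one is assumed (a constructed detail)."""
    for line in lines:
        for rx in FAILREGEX:
            m = rx.search(line)
            if m:
                yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["host"]
                break


def hosts_to_ban(lines, maxretry=3, findtime=600, ignoreip="127.0.0.1/8"):
    """Hosts with >= maxretry failures inside a findtime-second window, minus ignoreip.
    Mirrors jail.conf semantics; fail2ban's real implementation differs in detail."""
    ignore_nets = parse_ignoreip(ignoreip)
    events = defaultdict(list)
    for ts, host in match_failures(lines):
        if not is_ignored(host, ignore_nets):
            events[host].append(ts)
    banned = set()
    for host, times in events.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                banned.add(host)
                break
    return banned


if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG, ignoreip="127.0.0.1/8, 10.0.0.0/8"))
```

With `ignoreip="127.0.0.1/8, 10.0.0.0/8"` only 203.0.113.5 is banned: 10.0.0.7 is whitelisted, and 198.51.100.9's three failures are spread over 50 minutes, outside a 600 s findtime. Before testing a real filter change, run `fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf` against the host's own log rather than trusting a toy like this one.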
================================================================================
fasd-1.0.1-2.el6 (FEDORA-EPEL-2016-5762c2c812)
A command-line productivity booster
--------------------------------------------------------------------------------
Update Information:
Fasd (pronounced similar to "fast") is a command-line productivity booster. Fasd
offers quick access to files and directories for POSIX shells. It is inspired by
tools like autojump, z and v. Fasd keeps track of files and directories you have
accessed, so that you can quickly reference them in the command line.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1316175 - Review Request: fasd - A command-line productivity booster
https://bugzilla.redhat.com/show_bug.cgi?id=1316175
--------------------------------------------------------------------------------
================================================================================
lcgdm-dav-0.17.1-1.el6 (FEDORA-EPEL-2016-a3123e0040)
HTTP/DAV front end to the DPM/LFC services
--------------------------------------------------------------------------------
Update Information:
New upstream release 0.17.1
--------------------------------------------------------------------------------
================================================================================
lcms2-2.7-3.el6 (FEDORA-EPEL-2016-a198786211)
Color Management Engine
--------------------------------------------------------------------------------
Update Information:
Update to the current stable release, which is free of the known security
vulnerabilities such as CVE-2013-4160.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #985137 - CVE-2013-4160 Little CMS: multiple potential flaws
https://bugzilla.redhat.com/show_bug.cgi?id=985137
--------------------------------------------------------------------------------
================================================================================
libotr-4.1.1-1.el6 (FEDORA-EPEL-2016-ec3dd67002)
Off-The-Record Messaging library and toolkit
--------------------------------------------------------------------------------
Update Information:
Updated to 4.1.1 for CVE-2016-2851
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1315247
https://bugzilla.redhat.com/show_bug.cgi?id=1315247
--------------------------------------------------------------------------------
================================================================================
python-tgcaptcha2-0.3.1-1.el6 (FEDORA-EPEL-2016-44de0606ef)
TurboGears captcha plugin
--------------------------------------------------------------------------------
Update Information:
Implemented nonces to prevent replay attack (DWF-2016-89000).
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1316083 - tgcaptcha does not have any prevention against replay attacks
https://bugzilla.redhat.com/show_bug.cgi?id=1316083
--------------------------------------------------------------------------------
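The bug behind this update is a classic one for stateless CAPTCHA plugins: the challenge and its answer travel in a hidden form field, and nothing stops a client that has solved one image from submitting the same field and answer again and again. The fix named in the update is a nonce. The block below is an added example written for this page, not python-tgcaptcha2's implementation: it binds each challenge to a random nonce inside an HMAC-authenticated token, records consumed nonces so a token validates at most once, and keeps a `single_use=False` path that reproduces the replayable behaviour for contrast. The dict used as the nonce store stands in for whatever shared store (database, memcached) a multi-process deployment needs.

```python
"""Single-use CAPTCHA challenges: an HMAC-authenticated token carrying a nonce,
plus a consumed-nonce store so a solved challenge cannot be replayed.

Added example for this page, not python-tgcaptcha2's implementation. The
single_use=False path reproduces the replayable behaviour the bug report
describes; the default path is the fix. The dict used as nonce store stands in
for whatever shared store (database, memcached, ...) a real deployment needs.
"""
import hashlib
import hmac
import secrets
import time


class CaptchaVerifier:
    def __init__(self, key, ttl=300, single_use=True, clock=time.time):
        self._key = key                  # server secret; never reaches the client
        self._ttl = ttl                  # seconds a challenge stays valid
        self._single_use = single_use
        self._clock = clock              # injectable so tests can move time
        self._used = {}                  # nonce -> expiry, for consumed challenges

    def _mac(self, *parts):
        return hmac.new(self._key, ":".join(parts).encode(), hashlib.sha256).hexdigest()

    def issue(self, answer):
        """Hidden-field value for a freshly rendered challenge:
        nonce:expires:token_tag:answer_tag. The answer itself is not included,
        only a keyed MAC over it, so the client cannot check guesses offline."""
        nonce = secrets.token_hex(16)
        expires = str(int(self._clock()) + self._ttl)
        token_tag = self._mac("token", nonce, expires)
        answer_tag = self._mac("answer", nonce, expires, answer.strip().lower())
        return ":".join((nonce, expires, token_tag, answer_tag))

    def verify(self, token, answer):
        """True at most once per challenge (when single_use) if the answer matches."""
        try:
            nonce, expires, token_tag, answer_tag = token.split(":")
            if int(expires) < self._clock():
                return False
        except ValueError:
            return False
        # Authenticate the token before touching the store, so unauthenticated
        # garbage cannot grow it.
        if not hmac.compare_digest(token_tag, self._mac("token", nonce, expires)):
            return False
        if self._single_use:
            self._prune()
            if nonce in self._used:
                return False             # replay: this challenge was already spent
            # Spend the nonce before checking the answer: a wrong guess also burns
            # the challenge, which stops online guessing against one image.
            self._used[nonce] = int(expires)
        expected = self._mac("answer", nonce, expires, answer.strip().lower())
        return hmac.compare_digest(answer_tag, expected)

    def _prune(self):
        """Drop nonces whose tokens have expired; the expiry check rejects them anyway."""
        now = self._clock()
        self._used = {n: e for n, e in self._used.items() if e >= now}
```

Two design choices are deliberate. The nonce is consumed before the answer is compared, so a wrong guess forces a new image instead of allowing unlimited online guesses against the same one; the cost is that a typo means redrawing. And the token is authenticated before the store is touched, so an unauthenticated client cannot fill the nonce store with junk. Because expired tokens are rejected outright, consumed nonces only need to be remembered until their own expiry, which bounds the store's size.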