The following Fedora EPEL 7 Security updates need testing:
 Age  URL
  12  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-7f38c5da36   lib3mf-2.0.1-1.el7
   9  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-7f980da66e   tor-0.3.5.14-1.el7
   4  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-615589a3ad   zarafa-7.1.14-4.el7
   4  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-a650134f4f   exim-4.94-2.el7
   4  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-b1d43d7b48   atasm-1.09-1.el7
   1  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-a1ab6f9c4e   libmediainfo-21.03-1.el7 libzen-0.4.39-1.el7 mediainfo-21.03-1.el7
The following builds have been pushed to Fedora EPEL 7 updates-testing
chromium-89.0.4389.90-3.el7
openssl11-1.1.1g-3.el7
Details about builds:
================================================================================
chromium-89.0.4389.90-3.el7 (FEDORA-EPEL-2021-d0a9c2bf03)
A WebKit (Blink) powered web browser that Google doesn't want you to use
--------------------------------------------------------------------------------
Update Information:
Fix issue where chromium would crash upon accessing components/cast_*. Thanks to
Gentoo for the patch. It also fixes some security issues, because why not:
CVE-2021-21191 CVE-2021-21192 CVE-2021-21193
--------------------------------------------------------------------------------
ChangeLog:
* Thu Mar 25 2021 Tom Callaway <spot(a)fedoraproject.org> - 89.0.4389.90-3
- apply upstream fix for newer system libva
* Wed Mar 24 2021 Tom Callaway <spot(a)fedoraproject.org> - 89.0.4389.90-2
- fix crashes with components/cast_*
* Thu Mar 18 2021 Tom Callaway <spot(a)fedoraproject.org> - 89.0.4389.90-1
- update to 89.0.4389.90
- disable auto-download of widevine binary only blob
* Mon Mar 15 2021 Tom Callaway <spot(a)fedoraproject.org> - 89.0.4389.82-2
- add support for futex_time64
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1939460 - CVE-2021-21191 chromium-browser: Use after free in WebRTC
https://bugzilla.redhat.com/show_bug.cgi?id=1939460
[ 2 ] Bug #1939461 - CVE-2021-21192 chromium-browser: Heap buffer overflow in tab
groups
https://bugzilla.redhat.com/show_bug.cgi?id=1939461
[ 3 ] Bug #1939462 - CVE-2021-21193 chromium-browser: Use after free in Blink
https://bugzilla.redhat.com/show_bug.cgi?id=1939462
--------------------------------------------------------------------------------
================================================================================
openssl11-1.1.1g-3.el7 (FEDORA-EPEL-2021-857a9f7853)
Utilities from the general purpose cryptography library with TLS implementation
--------------------------------------------------------------------------------
Update Information:
- backport from 1.1.1g-15: version bump
- backport from 1.1.1g-14: CVE-2021-3450 openssl: CA certificate check bypass
  with `X509_V_FLAG_X509_STRICT`
- backport from 1.1.1g-13: Fix CVE-2021-3449 `NULL` pointer deref in
  `signature_algorithms` processing
--------------------------------------------------------------------------------
ChangeLog:
* Mon Mar 29 2021 Robert Scheck <robert(a)fedoraproject.org> 1.1.1g-3
- backport from 1.1.1g-15: version bump
- backport from 1.1.1g-14: CVE-2021-3450 openssl: CA certificate check bypass with
X509_V_FLAG_X509_STRICT
- backport from 1.1.1g-13: Fix CVE-2021-3449 NULL pointer deref in signature_algorithms
processing
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1941547 - CVE-2021-3450 openssl: CA certificate check bypass with
X509_V_FLAG_X509_STRICT
https://bugzilla.redhat.com/show_bug.cgi?id=1941547
[ 2 ] Bug #1941554 - CVE-2021-3449 openssl: NULL pointer dereference in
signature_algorithms processing
https://bugzilla.redhat.com/show_bug.cgi?id=1941554
--------------------------------------------------------------------------------