The following Fedora EPEL 6 Security updates need testing:
Age  URL                                                                    Package
108  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-6828          chicken-4.9.0.1-4.el6
 91  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-7031          python-virtualenv-12.0.7-1.el6
 85  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-7168          rubygem-crack-0.3.2-2.el6
 16  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-8148          optipng-0.7.5-5.el6
 16  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-8156          nagios-4.0.8-1.el6
  4  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-68a2c2db36    python-pymongo-3.0.3-1.el6
  0  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-d6cc67d0d6    opensmtpd-5.7.3p1-1.el6
The following builds have been pushed to Fedora EPEL 6 updates-testing:
linux_logo-5.11-12.el6
ocaml-biniou-1.0.9-18.el6
ocaml-ounit-2.0.0-17.el6
opensmtpd-5.7.3p1-1.el6
preprocess-1.2.2-2.20150919gitd5ab9a.el6
viewvc-1.1.24-1.el6
vile-9.8q-1.el6
Details about builds:
================================================================================
linux_logo-5.11-12.el6 (FEDORA-EPEL-2015-409b04edfc)
Show a logo with some system info on the console
--------------------------------------------------------------------------------
Update Information:
linux_logo-5.11-12.el6 - Include patch to have a consistent default logo, the
banner logo (#1268065).
linux_logo-5.11-12.fc23 - Include patch to have a consistent default logo, the
banner logo (#1268065).
linux_logo-5.11-12.el7 - Include patch to have a consistent default logo, the
banner logo (#1268065).
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1268065 - linux_logo uses an arbitrary (possibly non-Linux) logo by default
https://bugzilla.redhat.com/show_bug.cgi?id=1268065
--------------------------------------------------------------------------------
================================================================================
ocaml-biniou-1.0.9-18.el6 (FEDORA-EPEL-2015-7d2e328541)
Safe and fast binary data format
--------------------------------------------------------------------------------
Update Information:
Exclude ppc64 for EPEL, as ocaml-findlib-devel is not available on it.
--------------------------------------------------------------------------------
================================================================================
ocaml-ounit-2.0.0-17.el6 (FEDORA-EPEL-2015-7326e51678)
Unit test framework for OCaml
--------------------------------------------------------------------------------
Update Information:
Exclude ppc64 for EPEL, as ocaml-findlib-devel is not available on it.
--------------------------------------------------------------------------------
================================================================================
opensmtpd-5.7.3p1-1.el6 (FEDORA-EPEL-2015-d6cc67d0d6)
Free implementation of the server-side SMTP protocol as defined by RFC 5321
--------------------------------------------------------------------------------
Update Information:
Issues fixed in this release (since 5.7.2):
- fix an mda buffer truncation bug which allows a user to create forward files
  that pass session checks but fail delivery later down the chain, within the
  user mda;
- fix remote buffer overflow in unprivileged pony process;
- reworked offline enqueue to better protect against hardlink attacks.
----
Several vulnerabilities have been fixed in OpenSMTPD 5.7.2:
- an oversight in the portable version of fgetln() that allows attackers to
  read and write out-of-bounds memory;
- multiple denial-of-service vulnerabilities that allow local users to kill or
  hang OpenSMTPD;
- a stack-based buffer overflow that allows local users to crash OpenSMTPD, or
  execute arbitrary code as the non-chrooted _smtpd user;
- a hardlink attack (or race-conditioned symlink attack) that allows local
  users to unset the chflags() of arbitrary files;
- a hardlink attack that allows local users to read the first line of
  arbitrary files (for example, root's hash from /etc/master.passwd);
- a denial-of-service vulnerability that allows remote attackers to fill
  OpenSMTPD's queue or mailbox hard-disk partition;
- an out-of-bounds memory read that allows remote attackers to crash
  OpenSMTPD, or leak information and defeat the ASLR protection;
- a use-after-free vulnerability that allows remote attackers to crash
  OpenSMTPD, or execute arbitrary code as the non-chrooted _smtpd user.
Further details can be found in Qualys' audit report:
http://seclists.org/oss-sec/2015/q4/17
MITRE has assigned one CVE for the use-after-free vulnerability; additional
CVEs may be assigned:
http://seclists.org/oss-sec/2015/q4/23
External References:
https://www.opensmtpd.org/announces/release-5.7.2.txt
http://seclists.org/oss-sec/2015/q4/17
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1268837 - opensmtpd-5.7.3 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1268837
[ 2 ] Bug #1268509 - opensmtpd: 5.7.2 release available
https://bugzilla.redhat.com/show_bug.cgi?id=1268509
[ 3 ] Bug #1268795 - CVE-2015-7687 OpenSMTPD: multiple vulnerabilities fixed in 5.7.2 [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1268795
[ 4 ] Bug #1268858 - opensmtpd: Remotely triggerable buffer overflow vulnerability in filter_tx_io [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1268858
--------------------------------------------------------------------------------
================================================================================
preprocess-1.2.2-2.20150919gitd5ab9a.el6 (FEDORA-EPEL-2015-d194a77f7b)
A portable multi-language file Python2 preprocessor
--------------------------------------------------------------------------------
Update Information:
- Update to 1.2.2
- Added 'python-setuptools' as BR on EPEL
--------------------------------------------------------------------------------
================================================================================
viewvc-1.1.24-1.el6 (FEDORA-EPEL-2015-4e174f698c)
Browser interface for CVS and SVN version control repositories
--------------------------------------------------------------------------------
Update Information:
This is a maintenance release which includes all the bug fixes and enhancements
that we've made thus far to our 1.1.x line.
--------------------------------------------------------------------------------
================================================================================
vile-9.8q-1.el6 (FEDORA-EPEL-2015-2c5c5df40a)
VI Like Emacs
--------------------------------------------------------------------------------
Update Information:
upgrade to 9.8q (RHBZ#1260817)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1260817 - vile-9.8q is available
https://bugzilla.redhat.com/show_bug.cgi?id=1260817
--------------------------------------------------------------------------------