The following Fedora EPEL 5 Security updates need testing:
https://admin.fedoraproject.org/updates/bugzilla-3.2.10-1.el5
https://admin.fedoraproject.org/updates/atop-1.26-1.el5.1
https://admin.fedoraproject.org/updates/couchdb-1.0.2-8.el5,erlang-ibrowse-2...
https://admin.fedoraproject.org/updates/ocsinventory-1.3.3-5.el5
https://admin.fedoraproject.org/updates/phpldapadmin-1.0.2-1.el5
https://admin.fedoraproject.org/updates/awstats-6.95-3.el5
https://admin.fedoraproject.org/updates/clamav-0.97.3-1.el5
https://admin.fedoraproject.org/updates/cacti-0.8.7h-1.el5
https://admin.fedoraproject.org/updates/puppet-2.6.12-1.el5
https://admin.fedoraproject.org/updates/cherokee-1.2.101-1.el5
The following builds have been pushed to Fedora EPEL 5 updates-testing
bodhi-0.8.3-1.el5
cacti-0.8.7h-1.el5
collectl-3.6.0-1.el5
crudminer-0.3.2-3.el5
freetds-0.91-1.el5
iec16022-0.2.4-7.el5
libguestfs-1.2.14-7.el5
nordugrid-arc-1.1.0-2.el5
nordugrid-arc-doc-1.1.0-1.el5
ocsinventory-1.3.3-5.el5
perl-Devel-PatchPerl-0.58-1.el5
phpldapadmin-1.0.2-1.el5
puppet-2.6.12-1.el5
samtools-0.1.18-2.el5
ssldump-0.9-0.4.b3.el5
unbound-1.4.13-2.el5
Details about builds:
================================================================================
bodhi-0.8.3-1.el5 (FEDORA-EPEL-2011-4764)
A modular framework that facilitates publishing software updates
--------------------------------------------------------------------------------
Update Information:

Latest bodhi release containing a variety of bugfixes, mostly server-side.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Oct 24 2011 Luke Macken lmacken@redhat.com - 0.8.3-1
- Update to 0.8.3
* Fri Aug 12 2011 Luke Macken lmacken@redhat.com - 0.8.1-1
- Update our build requirements to make the test suite happy.
- Pull in the new python-fedora-turbogears subpackage
* Thu Jun 9 2011 Luke Macken lmacken@redhat.com - 0.8.0-1
- Update to 0.8.0
* Thu Mar 24 2011 Luke Macken lmacken@redhat.com - 0.7.15-1
- Update to 0.7.15
* Fri Mar 11 2011 Luke Macken lmacken@redhat.com - 0.7.14-1
- Update to 0.7.14
* Fri Mar 4 2011 Luke Macken lmacken@redhat.com - 0.7.13-1
- Update to 0.7.13
* Mon Feb 28 2011 Luke Macken lmacken@redhat.com - 0.7.12-1
- Update to 0.7.12
* Thu Feb 24 2011 Luke Macken lmacken@redhat.com - 0.7.11-1
- Update to 0.7.11
* Mon Feb 7 2011 Fedora Release Engineering rel-eng@lists.fedoraproject.org - 0.7.10-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
* Mon Jan 10 2011 Luke Macken lmacken@redhat.com - 0.7.10-1
- 0.7.10 release
* Mon Sep 20 2010 Luke Macken lmacken@redhat.com - 0.7.9-1
- 0.7.9 release
* Thu Aug 12 2010 Luke Macken lmacken@redhat.com - 0.7.8-1
- 0.7.8 release
- Require python-kitchen
* Wed Aug 4 2010 Orcan Ogetbil <oget[dot]fedora[at]gmail[dot]com> - 0.7.7-2
- Reenable the TurboGears bits
* Tue Aug 3 2010 Luke Macken lmacken@redhat.com - 0.7.7-1
- 0.7.7 release
* Sat Jul 31 2010 Toshio Kuratomi toshio@fedoraproject.org - 0.7.5-4
- A little strange, the tarball changed on us....
* Tue Jul 27 2010 Toshio Kuratomi toshio@fedoraproject.org - 0.7.5-3
- Disable Requirements that are necessary for operation of the server. This is a temporary change to get the package building on python-2.7. Need to revert this once the TG stack is rebuilt
* Wed Jul 21 2010 David Malcolm dmalcolm@redhat.com - 0.7.5-2
- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #746780 - [abrt] bodhi-client-0.8.0-1.fc16: bodhi:374:<lambda>:IndexError: list index out of range
        https://bugzilla.redhat.com/show_bug.cgi?id=746780
--------------------------------------------------------------------------------
================================================================================
cacti-0.8.7h-1.el5 (FEDORA-EPEL-2011-4760)
An rrd based graphing tool
--------------------------------------------------------------------------------
Update Information:

Update to latest upstream release. Fixes SQL injection and XSS. Upstream release notes are at http://www.cacti.net/release_notes_0_8_7h.php
--------------------------------------------------------------------------------
ChangeLog:

* Mon Oct 24 2011 Ken Dreyer ktdreyer@ktdreyer.com - 0.8.7h-1
- Upstream released new version (#748451)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #748451 - update cacti to latest upstream (0.8.7h)
        https://bugzilla.redhat.com/show_bug.cgi?id=748451
--------------------------------------------------------------------------------
================================================================================
collectl-3.6.0-1.el5 (FEDORA-EPEL-2011-4757)
A utility to collect various Linux performance data
--------------------------------------------------------------------------------
Update Information:

update to upstream version 3.6.0
--------------------------------------------------------------------------------
ChangeLog:

* Thu Oct 20 2011 Dan Horák <dan[at]danny.cz> 3.6.0-1
- upgrade to upstream version 3.6.0
--------------------------------------------------------------------------------
================================================================================
crudminer-0.3.2-3.el5 (FEDORA-EPEL-2011-4769)
Find and report insecure web software in a web root
--------------------------------------------------------------------------------
Update Information:

New package.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #748446 - Review Request: crudminer - Find known-vulnerable software in a web root
        https://bugzilla.redhat.com/show_bug.cgi?id=748446
--------------------------------------------------------------------------------
================================================================================
freetds-0.91-1.el5 (FEDORA-EPEL-2011-4771)
Implementation of the TDS (Tabular DataStream) protocol
--------------------------------------------------------------------------------
Update Information:

Update to 0.91

Note that instead of tds version numbers 8.0 and 9.0, you should now use 7.1 and 7.2 respectively (8.0 is still allowed for compatibility).
--------------------------------------------------------------------------------
ChangeLog:

* Wed Oct 26 2011 Dmitry Butskoy Dmitry@Butskoy.name - 0.91-1
- Upgrade to 0.91
- Drop shared-libtds support
* Wed Mar 9 2011 Dmitry Butskoy Dmitry@Butskoy.name - 0.82.1-0.3.20110306dev
- update to the latest stable snapshot 0.82.1.dev.20110306
- make build with shared-libtds conditional
- disable shared-libtds patch by default (seems no one uses it for now)
* Mon Feb 14 2011 Dmitry Butskoy Dmitry@Butskoy.name - 0.82.1-0.2.20100810dev
- fix again shared-libtds patch to provide increased library version
* Thu Feb 10 2011 Dmitry Butskoy Dmitry@Butskoy.name - 0.82.1-0.1.20100810dev
- update to the latest stable snapshot 0.82.1.dev.20100810
- fix shared-libtds patch to provide properly library names
* Tue Feb 8 2011 Fedora Release Engineering rel-eng@lists.fedoraproject.org - 0.82-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
* Fri Jul 24 2009 Fedora Release Engineering rel-eng@lists.fedoraproject.org - 0.82-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
* Thu Mar 26 2009 Dmitry Butskoy Dmitry@Butskoy.name - 0.82-5
- add upstream patch cspublic.BLK_VERSION_150.patch (#492393)
* Tue Feb 24 2009 Dmitry Butskoy Dmitry@Butskoy.name - 0.82-4
- fix autoconf data for libtool2 (patch by Tom Lane tgl@redhat.com)
* Fri Jan 30 2009 Karsten Hopp karsten@redhat.com 0.82-3
- add s390x to 64 bit archs
* Sun Jan 11 2009 Dmitry Butskoy Dmitry@Butskoy.name - 0.82-3
- Use gnutls for SSL (#479148)
* Tue Jun 17 2008 Dmitry Butskoy Dmitry@Butskoy.name - 0.82-2
- Continue to provide an internal libtds library as public (patch from Hans de Goede, #451021). This shared library is needed for some existing applications (libgda etc.), which still use it directly.
* Mon Jun 9 2008 Dmitry Butskoy Dmitry@Butskoy.name - 0.82-1
- Upgrade to 0.82
* Tue Feb 26 2008 Dmitry Butskoy Dmitry@Butskoy.name - 0.64-11
- fix "64 or 32 bit" test (#434975)
* Mon Feb 18 2008 Fedora Release Engineering rel-eng@fedoraproject.org - 0.64-10
- Autorebuild for GCC 4.3
* Mon Jan 28 2008 Dmitry Butskoy Dmitry@Butskoy.name - 0.64-9
- drop "Obsoletes:" from -doc subpackage to avoid extra complexity.
* Fri Jan 25 2008 Dmitry Butskoy Dmitry@Butskoy.name - 0.64-8
- resolve multiarch conflicts (#341181):
- split references to separate freetds-doc subpackage
- add arch-specific suffixes for arch-specific filenames in -devel
- add wrapper for tds_sysdep_public.h
- add readline support (#430196)
* Tue Aug 28 2007 Fedora Release Engineering <rel-eng at fedoraproject dot org> - 0.64-7
- Rebuild for selinux ppc32 issue.
* Thu Aug 16 2007 Dmitry Butskoy Dmitry@Butskoy.name
- Change License tag to "LGPLv2+ and GPLv2+"
--------------------------------------------------------------------------------
================================================================================
iec16022-0.2.4-7.el5 (FEDORA-EPEL-2011-4762)
Generate ISO/IEC 16022 2D barcodes
--------------------------------------------------------------------------------
Update Information:

iec16022 is a program for producing ISO/IEC 16022 2D barcodes, also known as Data Matrix. These barcodes are defined in the ISO/IEC 16022 standard.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #594844 - Review Request: iec16022 - Generate ISO/IEC 16022 2D barcodes
        https://bugzilla.redhat.com/show_bug.cgi?id=594844
--------------------------------------------------------------------------------
================================================================================
libguestfs-1.2.14-7.el5 (FEDORA-EPEL-2011-4770)
Access and modify virtual machine disk images
--------------------------------------------------------------------------------
Update Information:

Rebuild against RHEL 5.7.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Oct 24 2011 Richard W.M. Jones rjones@redhat.com - 1:1.2.14-7
- Bump and rebuild - zlib moved the libraries around in RHEL 5.7. resolves: rhbz#748370.
- Make tests unconditional, but only run 'make quickcheck'. EPEL 5 is unsupported so we want to put minimum effort into testing and fixing this obsolete version of libguestfs.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #748370 - guestfish fails to read disk images after os upgrade
        https://bugzilla.redhat.com/show_bug.cgi?id=748370
--------------------------------------------------------------------------------
================================================================================
nordugrid-arc-1.1.0-2.el5 (FEDORA-EPEL-2011-4761)
Advanced Resource Connector Grid Middleware
--------------------------------------------------------------------------------
Update Information:

Update to NorduGrid ARC 11.05 update 2

http://www.nordugrid.org/arc/releases/11.05u2/
--------------------------------------------------------------------------------
ChangeLog:

* Mon Oct 24 2011 Mattias Ellert mattias.ellert@fysast.uu.se - 1.1.0-2
- Backport fixes for endian independent md5 checksum
* Mon Oct 3 2011 Mattias Ellert mattias.ellert@fysast.uu.se - 1.1.0-1
- 1.1.0 Final Release
- Drop patches accepted upstream: nordugrid-arc-perl-switch.patch and nordugrid-arc-run-full.patch
* Mon Oct 3 2011 Rex Dieter rdieter@fedoraproject.org - 1.0.1-3.1
- rebuild (java), rel-eng#4932
--------------------------------------------------------------------------------
================================================================================
nordugrid-arc-doc-1.1.0-1.el5 (FEDORA-EPEL-2011-4761)
Advanced Resource Connector Documentation
--------------------------------------------------------------------------------
Update Information:

Update to NorduGrid ARC 11.05 update 2

http://www.nordugrid.org/arc/releases/11.05u2/
--------------------------------------------------------------------------------
ChangeLog:

* Wed Oct 19 2011 Mattias Ellert mattias.ellert@fysast.uu.se - 1.1.0-1
- 1.1.0 Final Release
--------------------------------------------------------------------------------
================================================================================
ocsinventory-1.3.3-5.el5 (FEDORA-EPEL-2011-4765)
Open Computer and Software Inventory Next Generation
--------------------------------------------------------------------------------
Update Information:

Fix an XSS vulnerability
--------------------------------------------------------------------------------
ChangeLog:

* Tue Oct 25 2011 Remi Collet Fedora@famillecollet.com - 1.3.3-5
- fix XSS vulnerability (Bug #748072, CVE-2011-4024)
- Don't require php-zip for F16 and up.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #748072 - CVE-2011-4024 ocsinventory: XSS flaw
        https://bugzilla.redhat.com/show_bug.cgi?id=748072
--------------------------------------------------------------------------------
================================================================================
perl-Devel-PatchPerl-0.58-1.el5 (FEDORA-EPEL-2011-4775)
Patch perl source à la Devel::PPPort's buildperl.pl
--------------------------------------------------------------------------------
Update Information:

This update adds patching of make_ext.pl for virtualisation fixes.
--------------------------------------------------------------------------------
ChangeLog:

* Sat Oct 22 2011 Iain Arnell iarnell@gmail.com 0.58-1
- update to latest upstream version
- rebase el5-versions.patch
* Sat Sep 24 2011 Iain Arnell iarnell@gmail.com 0.52-1
- update to latest upstream version
--------------------------------------------------------------------------------
================================================================================
phpldapadmin-1.0.2-1.el5 (FEDORA-EPEL-2011-4782)
Web-based tool for managing LDAP servers
--------------------------------------------------------------------------------
Update Information:

Fix CVE-2011-4074 and CVE-2011-4075 (XSS and code injection vulnerabilities in versions <= 1.2.1.1)

Update to version 1.0.2
--------------------------------------------------------------------------------
ChangeLog:

* Wed Oct 26 2011 Dmitry Butskoy Dmitry@Butskoy.name - 1.0.2-1
- fix #748539 (CVE-2011-4075)
- update to 1.0.2
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #748537 - CVE-2011-4074 CVE-2011-4075 phpldapadmin: XSS and code injection vulnerabilities in <= 1.2.1.1
        https://bugzilla.redhat.com/show_bug.cgi?id=748537
--------------------------------------------------------------------------------
================================================================================
puppet-2.6.12-1.el5 (FEDORA-EPEL-2011-4772)
A network tool for managing many disparate systems
--------------------------------------------------------------------------------
Update Information:

A bug in puppet's SSL certificate handling could allow nodes with a valid certificate to impersonate the puppet master. To be vulnerable, a user would have had to set the certdnsnames variable and generate certificates. This setting is not set by default in the Fedora/EPEL packages.

This update closes the vulnerability in newly generated certificates, but cannot prevent existing certificates from being used to exploit the vulnerability. Please refer to the upstream documentation for more details on mitigation and remediation of this issue, if you have generated certificates that are vulnerable to this issue:

http://puppetlabs.com/security/cve/cve-2011-3872/
--------------------------------------------------------------------------------
ChangeLog:

* Sun Oct 23 2011 Todd Zullinger tmz@pobox.com - 2.6.12-1
- Update to 2.6.12, fixes CVE-2011-3872
- Add upstream patch to restore Mongrel XMLRPC functionality (upstream #10244)
- Apply partial fix for upstream #9167 (tagmail report sends email when nothing happens)
--------------------------------------------------------------------------------
================================================================================
samtools-0.1.18-2.el5 (FEDORA-EPEL-2011-4753)
Tools for nucleotide sequence alignments in the SAM format
--------------------------------------------------------------------------------
Update Information:

Ensure new seqtk tool is included
--------------------------------------------------------------------------------
ChangeLog:

* Wed Oct 26 2011 Adam Huffman verdurin@fedoraproject.org - 0.1.18-2
- make sure new seqtk tool included
--------------------------------------------------------------------------------
================================================================================
ssldump-0.9-0.4.b3.el5 (FEDORA-EPEL-2011-4790)
An SSLv3/TLS network protocol analyzer
--------------------------------------------------------------------------------
Update Information:

Fixed wrong decoder table ends to avoid many segfaults
--------------------------------------------------------------------------------
ChangeLog:

* Mon Oct 24 2011 Robert Scheck robert@fedoraproject.org 0.9-0.4.b3
- Fixed wrong decoder table ends to avoid many segfaults (#747398)
* Wed Feb 9 2011 Fedora Release Engineering rel-eng@lists.fedoraproject.org - 0.9-0.3.b3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #747398 - ssldump segfaults within minutes after running it
        https://bugzilla.redhat.com/show_bug.cgi?id=747398
--------------------------------------------------------------------------------
================================================================================
unbound-1.4.13-2.el5 (FEDORA-EPEL-2011-4778)
Validating, recursive, and caching DNS(SEC) resolver
--------------------------------------------------------------------------------
Update Information:

Rebuild for python and unbound-libs <-> unbound dependencies
--------------------------------------------------------------------------------
ChangeLog:

* Mon Oct 24 2011 Paul Wouters paul@xelerance.com - 1.4.13-2
- unbound daemon statically links unbound-libs (added Requires:)
- Rebuilt for new python
--------------------------------------------------------------------------------
epel-devel@lists.fedoraproject.org