The following Fedora EPEL 4 Security updates need testing:
https://admin.fedoraproject.org/updates/phpPgAdmin-5.0.3-1.el4
https://admin.fedoraproject.org/updates/puppet-0.25.5-2.el4
The following builds have been pushed to Fedora EPEL 4 updates-testing
check_postgres-2.18.0-1.el4
phpPgAdmin-5.0.3-1.el4
puppet-0.25.5-2.el4
Details about builds:
================================================================================
 check_postgres-2.18.0-1.el4 (FEDORA-EPEL-2011-4587)
 PostgreSQL monitoring script
--------------------------------------------------------------------------------
Update Information:
Update to 2.18.0, per changes described at https://mail.endcrypt.com/pipermail/check_postgres-announce/2011-October/000...
--------------------------------------------------------------------------------
ChangeLog:
* Mon Oct 3 2011 - Devrim GUNDUZ devrim@gunduz.org 2.18.0-1
- Update to 2.18.0, per changes described at https://mail.endcrypt.com/pipermail/check_postgres-announce/2011-October/000...
* Tue Feb 15 2011 - Devrim GUNDUZ devrim@gunduz.org 2.16.0-1
- Update to 2.16.0
* Wed Mar 10 2010 - Devrim GUNDUZ devrim@gunduz.org 2.14.3-1
- Update to 2.14.3
--------------------------------------------------------------------------------
================================================================================
 phpPgAdmin-5.0.3-1.el4 (FEDORA-EPEL-2011-4594)
 Web-based PostgreSQL administration
--------------------------------------------------------------------------------
Update Information:
* Update to 5.0.3, per changes described at:
  http://sourceforge.net/mailarchive/forum.php?thread_name=4E897F6C.90905%40fr...
  which also fixes a security flaw:
  http://www.openwall.com/lists/oss-security/2011/10/04/1
--------------------------------------------------------------------------------
ChangeLog:
* Mon Oct 3 2011 Devrim Gunduz devrim@gunduz.org 5.0.3-1
- Update to 5.0.3, per changes described at:
  http://sourceforge.net/mailarchive/forum.php?thread_name=4E897F6C.90905%40fr...
--------------------------------------------------------------------------------
References:
  [ 1 ] Bug #743205 - phpPgAdmin: Multiple XSS flaws fixed in v5.0.3
        https://bugzilla.redhat.com/show_bug.cgi?id=743205
--------------------------------------------------------------------------------
================================================================================
 puppet-0.25.5-2.el4 (FEDORA-EPEL-2011-4581)
 A network tool for managing many disparate systems
--------------------------------------------------------------------------------
Update Information:
The following vulnerabilities have been discovered and fixed:
* CVE-2011-3848, a directory traversal attack
* CVE-2011-3870, a symlink attack via a user's SSH authorized_keys file
* CVE-2011-3869, a symlink attack via a user's .k5login file
* CVE-2011-3871, a privilege escalation attack via the temp file used by the puppet resource application
* A low-risk file indirector injection attack
Further details can be found in the upstream announcements:
http://groups.google.com/group/puppet-users/browse_thread/thread/e57ce2740fe...
http://groups.google.com/group/puppet-announce/browse_thread/thread/91e3b46d...
Additionally, fixes for several bugs are included:
* Yumrepo deprecation error (http://projects.puppetlabs.com/issues/4252)
* Handle CR/LF in puppet.conf (http://projects.puppetlabs.com/issues/3514)
* Capture stderr from exec resources (http://projects.puppetlabs.com/issues/2359)
--------------------------------------------------------------------------------
ChangeLog:
* Mon Oct 3 2011 Todd Zullinger tmz@pobox.com - 0.25.5-2
- Apply upstream patches for CVE-2011-3848, CVE-2011-3869, CVE-2011-3870, CVE-2011-3871
- Create and own /usr/share/puppet/modules (#615432)
- Silence deprecation warnings in yumrepo type (#615175, upstream #4252)
- Handle CR/LF in puppet.conf (upstream #3514)
- Capture stderr from exec resources (upstream #2359)
--------------------------------------------------------------------------------
References:
  [ 1 ] Bug #742644 - CVE-2011-3870 puppet: SSH authorized_keys symlink attack
        https://bugzilla.redhat.com/show_bug.cgi?id=742644
  [ 2 ] Bug #742645 - CVE-2011-3869 puppet: K5login content attack
        https://bugzilla.redhat.com/show_bug.cgi?id=742645
  [ 3 ] Bug #742649 - CVE-2011-3871 puppet: predictable temporary file using RAL
        https://bugzilla.redhat.com/show_bug.cgi?id=742649
  [ 4 ] Bug #742174 - CVE-2011-3848 puppet: Directory traversal attack by processing certain x509 certificate signing requests
        https://bugzilla.redhat.com/show_bug.cgi?id=742174
--------------------------------------------------------------------------------
epel-devel@lists.fedoraproject.org