The following Fedora EPEL 7 Security updates need testing: Age URL 960 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-1087 dokuwiki-0-0.24.20140929c.el7 722 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-dac7ed832f mcollective-2.8.4-1.el7 304 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-04bc9dd81d libbsd-0.8.3-1.el7 202 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-d241156dfe mod_cluster-1.3.3-10.el7 199 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-7ecb12e378 python-XStatic-jquery-ui-1.12.0.1-1.el7 33 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-e27758bd23 libmspack-0.6-0.1.alpha.el7 31 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-52b8147c68 openvpn-auth-ldap-2.0.3-15.el7 17 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-3c06a7eecf nagios-4.3.4-3.el7 10 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-853d71e01b tnef-1.4.15-1.el7 5 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-f1c70fdfbd cacti-1.1.26-1.el7 5 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-1e541e27e9 nginx-1.12.2-1.el7 0 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-37b21f1a51 seamonkey-2.49.1-1.el7 0 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-7ce0091d73 lame-3.100-1.el7 0 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-21fb9891af modulemd-1.3.2-1.el7

The following builds have been pushed to Fedora EPEL 7 updates-testing

RackTables-0.20.14-1.el7 ansible-lint-3.4.17-1.el7 carbon-c-relay-3.2-1.el7 globus-common-17.2-1.el7 globus-ftp-control-8.2-1.el7 globus-gram-job-manager-scripts-6.10-1.el7 globus-gss-assist-11.1-1.el7 globus-gssapi-gsi-13.2-1.el7 imapfilter-2.6.10-2.el7 lame-3.100-1.el7 lighttpd-1.4.47-1.el7 modulemd-1.3.2-1.el7 perl-Lingua-Translit-0.28-1.el7 php-justinrainbow-json-schema5-5.2.6-1.el7 php-phpseclib-2.0.7-1.el7 python-certifi-2016.9.26-6.el7 python-tinydb-3.6.0-1.el7 seamonkey-2.49.1-1.el7

Details about builds:

================================================================================ RackTables-0.20.14-1.el7 (FEDORA-EPEL-2017-7a30c12c58) A data-center asset management system -------------------------------------------------------------------------------- Update Information:

Rebase to v0.20.14 Address BZ1492171 -------------------------------------------------------------------------------- References:

[ 1 ] Bug #1492171 - PHP parse error with RackTables-0.20.13-1.el7.noarch https://bugzilla.redhat.com/show_bug.cgi?id=1492171 --------------------------------------------------------------------------------

================================================================================ ansible-lint-3.4.17-1.el7 (FEDORA-EPEL-2017-cfd6c1802b) Best practices checker for Ansible -------------------------------------------------------------------------------- Update Information:

Update to 3.4.17 version (#1505124) -------------------------------------------------------------------------------- References:

[ 1 ] Bug #1505124 - ansible-lint-3.4.17 is available https://bugzilla.redhat.com/show_bug.cgi?id=1505124 --------------------------------------------------------------------------------

================================================================================ carbon-c-relay-3.2-1.el7 (FEDORA-EPEL-2017-126740aaf2) Enhanced C implementation of Carbon relay, aggregator and rewriter -------------------------------------------------------------------------------- Update Information:

Update to 3.2 ---- Update to 3.1 ---- Update to 3.0 -------------------------------------------------------------------------------- References:

[ 1 ] Bug #1442052 - carbon-c-relay-3.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=1442052 --------------------------------------------------------------------------------

================================================================================ globus-common-17.2-1.el7 (FEDORA-EPEL-2017-b1990eed4f) Globus Toolkit - Common Library -------------------------------------------------------------------------------- Update Information:

* globus-common 17.2 * globus-ftp-control 8.2 * globus-gram-job-manager-scripts 6.10 * globus-gssapi-gsi 13.2 * globus-gss-assist 11.1 --------------------------------------------------------------------------------

================================================================================ globus-ftp-control-8.2-1.el7 (FEDORA-EPEL-2017-b1990eed4f) Globus Toolkit - GridFTP Control Library -------------------------------------------------------------------------------- Update Information:

* globus-common 17.2 * globus-ftp-control 8.2 * globus-gram-job-manager-scripts 6.10 * globus-gssapi-gsi 13.2 * globus-gss-assist 11.1 --------------------------------------------------------------------------------

================================================================================ globus-gram-job-manager-scripts-6.10-1.el7 (FEDORA-EPEL-2017-b1990eed4f) Globus Toolkit - GRAM Job ManagerScripts -------------------------------------------------------------------------------- Update Information:

* globus-common 17.2 * globus-ftp-control 8.2 * globus-gram-job-manager-scripts 6.10 * globus-gssapi-gsi 13.2 * globus-gss-assist 11.1 --------------------------------------------------------------------------------

================================================================================ globus-gss-assist-11.1-1.el7 (FEDORA-EPEL-2017-b1990eed4f) Globus Toolkit - GSSAPI Assist library -------------------------------------------------------------------------------- Update Information:

* globus-common 17.2 * globus-ftp-control 8.2 * globus-gram-job-manager-scripts 6.10 * globus-gssapi-gsi 13.2 * globus-gss-assist 11.1 --------------------------------------------------------------------------------

================================================================================ globus-gssapi-gsi-13.2-1.el7 (FEDORA-EPEL-2017-b1990eed4f) Globus Toolkit - GSSAPI library -------------------------------------------------------------------------------- Update Information:

* globus-common 17.2 * globus-ftp-control 8.2 * globus-gram-job-manager-scripts 6.10 * globus-gssapi-gsi 13.2 * globus-gss-assist 11.1 --------------------------------------------------------------------------------

================================================================================ imapfilter-2.6.10-2.el7 (FEDORA-EPEL-2017-bb8a828061) A flexible client side mail filtering utility for IMAP servers -------------------------------------------------------------------------------- Update Information:

Update to the latest upstream release, fixing some ancient RHBZ bugs. -------------------------------------------------------------------------------- References:

[ 1 ] Bug #1423737 - imapfilter: FTBFS in rawhide https://bugzilla.redhat.com/show_bug.cgi?id=1423737 [ 2 ] Bug #1331652 - [PATCH] Disable sslv3 in imapfilter https://bugzilla.redhat.com/show_bug.cgi?id=1331652 --------------------------------------------------------------------------------

================================================================================ lame-3.100-1.el7 (FEDORA-EPEL-2017-7ce0091d73) Free MP3 audio compressor -------------------------------------------------------------------------------- Update Information:

LAME 3.100 - October 13 2017 ============================ * Rog��rio Brito * Don't include the debian directory as one that is needed during builds. Patch taken from Debian's packaging of lame. * Resurrect Owen Taylor's code dated from 97-11-3 to properly deal with GTK1. This was transplanted back from aclocal.m4 with a patch provided by Andres Mejia. This change makes it easy to regenerate autotools' files with a simple invocation of autoconf -vfi. * Fix possible race condition causing build failures in libmp3lame. Discovered in automated builds by the Debian project with patch provided by Andres Mejia. * Robert Hegemann * Improved detection of MPEG audio data in RIFF WAVE files. Tracker item [ 3545112 ] Invalid sampling detection * New switch --gain <decibel>, range -20.0 to +12.0, a more convenient way to apply Gain adjustment in decibels, than the use of --scale <factor>. * Fix for tracker item [ 3558466 ] Bug in path handling * Fix for tracker item [ 3567844 ] problem with Tag genre * Fix for tracker item [ 3565659 ] no progress indication with pipe input * Fix for tracker item [ 3544957 ] scale (empty) silent encode without warning * Fix for tracker item [ 3580176 ] environment variable LAMEOPT doesn't work anymore * Fix for tracker item [ 3608583 ] input file name displayed with wrong character encoding (on windows console with CP_UTF8) * Fix for bug ticket [ #447 ] Fix dereference NULL and Buffer not NULL terminated issues. Thanks to Surabhi Mishra * Fix for bug ticket [ #445 ] dereference of a null pointer possible in loop. Thanks to Renu Tyagi * Fix for bug ticket [ #449 ] Make sure functions with SSE instructions maintain their own properly aligned stack. Thanks to Fabian Greffrath * Fix for bug ticket [ #458 ] Multiple Stack and Heap Corruptions from Malicious File. Thanks to Gareth Evans and Elio Blanca * Fix for bug ticket [ #460 ] A division by zero vulnerability. Thanks to Wang Shiyang, Liu Bingchang * Fix for bug ticket [ #461 ] CVE-2017-9410 fill_buffer_resample function in libmp3lame/util.c heap-based buffer over-read and ap * Fix for bug ticket [ #462 ] CVE-2017-9411 fill_buffer_resample function in libmp3lame/util.c invalid memory read and application crash * Fix for bug ticket [ #463 ] CVE-2017-9412 unpack_read_samples function in frontend/get_audio.c invalid memory read and application crash * Fix for bug ticket [ #434 ] clip detect scale suggestion unaware of scale input value * HIP decoder bug fixed: decoding mixed blocks of lower sample frequency Layer3 data resulted in internal buffer overflow (write). Thanks to Henri Salo * Alexander Leidinger * Feature request, patch ticket [ #27 ] Add lame_encode_buffer_interleaved_int() by Michael Fink -------------------------------------------------------------------------------- References:

[ 1 ] Bug #1470199 - CVE-2015-9099 CVE-2015-9100 CVE-2017-11720 CVE-2017-13712 CVE-2017-15018 CVE-2017-15019 CVE-2017-15045 CVE-2017-15046 CVE-2017-9410 CVE-2017-9411 CVE-2017-9412 CVE-2017-8419 lame: Multiple vulnerabilities https://bugzilla.redhat.com/show_bug.cgi?id=1470199 --------------------------------------------------------------------------------

================================================================================ lighttpd-1.4.47-1.el7 (FEDORA-EPEL-2017-36c02b1e4f) Lightning fast webserver with light system requirements -------------------------------------------------------------------------------- Update Information:

https://www.lighttpd.net/2017/10/22/1.4.47/ -------------------------------------------------------------------------------- References:

[ 1 ] Bug #1505128 - lighttpd-1.4.47 is available https://bugzilla.redhat.com/show_bug.cgi?id=1505128 --------------------------------------------------------------------------------

================================================================================ modulemd-1.3.2-1.el7 (FEDORA-EPEL-2017-21fb9891af) Module metadata manipulation library -------------------------------------------------------------------------------- Update Information:

This update fixes CVE-2017-1002157 -- possible arbitrary code execution when loading multiple documents with `load_all` / `loads_all`. --------------------------------------------------------------------------------

================================================================================ perl-Lingua-Translit-0.28-1.el7 (FEDORA-EPEL-2017-beac2c4b27) Transliterates text between writing systems -------------------------------------------------------------------------------- Update Information:

0.28 -- 2017-10-16 --- * Fixed wrong capitalised Cyrillic A in several context rules of both "BGN/PCGN RUS Standard" and "BGN/PCGN RUS Strict" - thanks to Nikola Le��i�� for providing the fix! * Spelling corrections in man page - thanks to Lucas Kanashiro for providing a patch! * Updated copyright (Netzum Sorglos Software GmbH). -------------------------------------------------------------------------------- References:

[ 1 ] Bug #1503228 - perl-Lingua-Translit-0.28 is available https://bugzilla.redhat.com/show_bug.cgi?id=1503228 --------------------------------------------------------------------------------

================================================================================ php-justinrainbow-json-schema5-5.2.6-1.el7 (FEDORA-EPEL-2017-9e9d4a04e3) A library to validate a json schema -------------------------------------------------------------------------------- Update Information:

**Version 5.2.6** * 460 Backports for 5.2.6 * 459 (Add a path to the default internal URI - fixes #458) ---- **Version 5.2.5** * Backports for 5.2.5 * 452 (Don't add a file:// prefix to URI that already have a scheme) ---- **Version 5.2.4** * Fresh tag to rectify 5.2.3 mistag. ----- **Version 5.2.3** * 453 Backports for 5.2.3 * 452 (bugfix for id double-resolution introduced in 5.2.2) ---- **Version 5.2.2** * 431 Backports for 5.2.2 (Part 1) * 425 (bugfix for #424 - make uri splitting reversable) * 429 (adjust hhvm platform for Travis, remove phpdocumentor dependency) * 432 Added property name in draft-3 required error * 433 Backports for 5.2.2 (Part 2) * 432 (fix missing property in boolean required error) * 450 Backports for 5.2.2 (Part 3) * 449 (Update config for php-cs-fixer & travis) * 448 (add proper recursive handling for $ref - fixes #447) --------------------------------------------------------------------------------

================================================================================ php-phpseclib-2.0.7-1.el7 (FEDORA-EPEL-2017-daa70bdac5) PHP Secure Communications Library -------------------------------------------------------------------------------- Update Information:

**Version 2.0.7** - 2017-10-22 * **SSH2:** - add new READ_NEXT mode (#1140) - add sendIdentificationStringFirst() - add sendKEXINITFirst() - add sendIdentificationStringLast() - add sendKEXINITLast() (#1162) - assume any SSH server >= 1.99 supports SSH2 (#1170) - workaround for bad arcfour256 implementations (#1171) - don't choke when getting response from diff channel in exec() (#1167) * **SFTP:** - add enablePathCanonicalization() - add disablePathCanonicalization() (#1137) - fix put() with remote file stream resource (#1177) * ANSI: misc fixes (#1150, #1161) * X509: use DateTime instead of unix time (#1166) * Ciphers: use eval() instead of create_function() for >= 5.3 --------------------------------------------------------------------------------

================================================================================ python-certifi-2016.9.26-6.el7 (FEDORA-EPEL-2017-a59d8920c8) Python package for providing Mozilla's CA Bundle -------------------------------------------------------------------------------- Update Information:

Fix path of .pem file -------------------------------------------------------------------------------- References:

[ 1 ] Bug #1411586 - Please build to epel7 https://bugzilla.redhat.com/show_bug.cgi?id=1411586 --------------------------------------------------------------------------------

================================================================================ python-tinydb-3.6.0-1.el7 (FEDORA-EPEL-2017-de9158c8f3) TinyDB is a tiny, document oriented database -------------------------------------------------------------------------------- Update Information:

Update to latest version -------------------------------------------------------------------------------- References:

[ 1 ] Bug #1504430 - python-tinydb-3.6.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=1504430 --------------------------------------------------------------------------------

================================================================================ seamonkey-2.49.1-1.el7 (FEDORA-EPEL-2017-37b21f1a51) Web browser, e-mail, news, IRC client, HTML editor -------------------------------------------------------------------------------- Update Information:

Update to 2.49.1 Based on the Firefox/Thunderbird ESR (extension support release) code version 52.4.0 Fixes various security issues, see https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/ and https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/ for more info. Since the version of 2.48, SeaMonkey uses another disk cache implementation. It is preferable to clear the cache (even before the update) to avoid extra disk space usage by the old cache data. --------------------------------------------------------------------------------