The following Fedora EPEL 7 Security updates need testing:
Age  URL                                                                  Package
362  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-1087        dokuwiki-0-0.24.20140929c.el7
124  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-dac7ed832f  mcollective-2.8.4-1.el7
 12  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-8c727601c5  libebml-1.3.3-3.el7
  6  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-6dc46a554e  libssh-0.6.5-2.el7
  5  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-b23b791a7e  drupal7-7.43-1.el7
  2  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-1613bc2a80  php-htmLawed-1.1.21-1.el7
  2  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-07b9ae23da  qpid-cpp-0.34-6.el7
  1  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-e79091a3b8  ReviewBoard-2.5.3-1.el7 python-djblets-0.9.2-1.el7
  1  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-60ae263220  exim-4.84.2-1.el7
  0  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-04e0db37c1  phpMyAdmin-4.4.15.5-1.el7
  0  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-8fd1e13dd2  python-django-1.6.11-5.el7
  0  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-0fc6ac67c6  websvn-2.3.3-12.el7
The following builds have been pushed to Fedora EPEL 7 updates-testing
am-utils-6.2.0-10.el7
bugyou_plugins-0.1.1-1.el7
composer-1.0.0-0.21.beta1.el7
davix-0.6.0-1.el7
fedfind-2.1.1-1.el7
fedmsg-0.16.4-1.el7
gdl-0.9.6-1.el7
mousepad-0.4.0-5.el7
phpMyAdmin-4.4.15.5-1.el7
python-bugzilla2fedmsg-0.3.0-1.el7
python-cached_property-1.3.0-4.el7
python-django-1.6.11-5.el7
python-pg8000-1.10.4-2.el7
python-wikitcms-2.0.0-1.el7
python3-numpy-1.10.4-4.el7
relval-2.0.2-1.el7
rubygem-bcrypt-3.1.10-5.el7
websvn-2.3.3-12.el7
Details about builds:
================================================================================
am-utils-6.2.0-10.el7 (FEDORA-EPEL-2016-542ea69cd6)
Automount utilities including an updated version of Amd
--------------------------------------------------------------------------------
Update Information:
- fix Linux NFS recognition of umounts.
- add systemd dependency on nfs-lock.service.
- add get_nfs_xprt() and put_nfs_xprt() functions.
- use new get_nfs_xprt() and put_nfs_xprt() functions.
- add NFSv3 nfs_quick_reply() functionality.
- add NFSv3 rpc request validation.
- fix wcc attr usage in unlink3_or_rmdir3().
- use Linux libtirpc if present.
--------------------------------------------------------------------------------
================================================================================
bugyou_plugins-0.1.1-1.el7 (FEDORA-EPEL-2016-f428dc2eda)
Plugins for Bugyou
--------------------------------------------------------------------------------
Update Information:
Update setup.py script, remove sample configuration files ---- Add missing
dependency, python-libpagure ---- Initial packaging.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1309782 - Review Request: bugyou_plugins - Plugins and Services for Bugyou
https://bugzilla.redhat.com/show_bug.cgi?id=1309782
--------------------------------------------------------------------------------
================================================================================
composer-1.0.0-0.21.beta1.el7 (FEDORA-EPEL-2016-4ef9716ead)
Dependency Manager for PHP
--------------------------------------------------------------------------------
Update Information:
**Version 1.0.0-beta1**

* Break: By default we now disable any non-secure protocols (http, git, svn).
  This may lead to issues if you rely on those. See secure-http config option.
* Break: show / list command now only show installed packages by default. An
  --all option is added to show all packages.
* Added VCS repo support for the GitLab API, see also gitlab-oauth and
  gitlab-domains config options
* Added prohibits / why-not command to show what blocks an upgrade to a given
  package:version pair
* Added --tree / -t to the show command to see all your installed packages in a
  tree view
* Added --interactive / -i to the update command, which lets you pick packages
  to update interactively
* Added exec command to run binaries while having bin-dir in the PATH for
  convenience
* Added --root-reqs to the update command to update only your direct, first
  degree dependencies
* Added cafile and capath config options to control HTTPS certificate authority
* Added pubkey verification of composer.phar when running self-update
* Added possibility to configure per-package preferred-install types for more
  flexibility between prefer-source and prefer-dist
* Added unpushed-changes detection when updating dependencies and in the status
  command
* Added COMPOSER_AUTH env var that lets you pass a json configuration like the
  auth.json file
* Added secure-http and disable-tls config options to control HTTPS/HTTP
* Added warning when Xdebug is enabled as it reduces performance quite a bit,
  hide it with COMPOSER_DISABLE_XDEBUG_WARN=1 if you must
* Added duplicate key detection when loading composer.json
* Added sort-packages config option to force sorting of the requirements when
  using the require command
* Added support for the XDG Base Directory spec on linux
* Added XzDownloader for xz file support
* Fixed SSL support to fully verify peers in all PHP versions, unsecure HTTP is
  also disabled by default
* Fixed stashing and cleaning up of untracked files when updating packages
* Fixed plugins being enabled after installation even when --no-plugins
* Many small bug fixes and additions
--------------------------------------------------------------------------------
================================================================================
davix-0.6.0-1.el7 (FEDORA-EPEL-2016-2281552a58)
Toolkit for Http-based file management
--------------------------------------------------------------------------------
Update Information:
davix 0.6.0 release, see RELEASE-NOTES for changes
--------------------------------------------------------------------------------
================================================================================
fedfind-2.1.1-1.el7 (FEDORA-EPEL-2016-610daf5f3f)
Fedora Finder finds Fedora
--------------------------------------------------------------------------------
Update Information:
This update provides the latest releases of fedfind, python-wikitcms and relval.
The updated python-cached_property (a dependency of fedfind and python-wikitcms)
fixes the package naming and provisions to be consistent between Python 2 and
Python 3 and avoid dependency issues. This new 2.x series involves major changes
to all three packages to adapt to the [new Fedora compose
process](https://www.happyassassin.net/2016/02/15/pungi-4-the-new-generat...
the-fedora-compose-tools-and-what-it-means-for-qa/). fedfind, in particular, is
more incompatible than not with its 1.x series. The interface for python-
wikitcms has changed much less (just some additions; there should be no
incompatible changes). The `nightly` and `report-auto` subcommands have been
removed from relval and the `compose` subcommand can now handle nightly events
(without any of the checking the `nightly` subcommand used to do; unattended
creation of nightly commands is being moved to a separate fedmsg consumer
daemon). `relval` now runs under Python 3 rather than Python 2. All remaining
subcommands should be fully compatible with invocations that worked earlier.
These major changes are disruptive, but are vital to keep the tools working with
the changed compose process. Please see the project pages (and the changelogs
included on them) for more details:
* [fedfind](https://www.happyassassin.net/fedfind)
* [python-wikitcms](https://www.happyassassin.net/wikitcms)
* [relval](https://www.happyassassin.net/relval)
--------------------------------------------------------------------------------
================================================================================
fedmsg-0.16.4-1.el7 (FEDORA-EPEL-2016-d0fee9d19a)
Tools for Fedora Infrastructure real-time messaging
--------------------------------------------------------------------------------
Update Information:
https://github.com/fedora-infra/fedmsg/blob/develop/CHANGELOG.rst#0164 ----
https://github.com/fedora-infra/fedmsg/blob/develop/CHANGELOG.rst#0163
--------------------------------------------------------------------------------
================================================================================
gdl-0.9.6-1.el7 (FEDORA-EPEL-2016-3c544656aa)
GNU Data Language
--------------------------------------------------------------------------------
Update Information:
Update to 0.9.6
--------------------------------------------------------------------------------
================================================================================
mousepad-0.4.0-5.el7 (FEDORA-EPEL-2016-bb657d5e44)
Simple text editor for Xfce desktop environment
--------------------------------------------------------------------------------
Update Information:
build Mousepad for epel7
--------------------------------------------------------------------------------
================================================================================
phpMyAdmin-4.4.15.5-1.el7 (FEDORA-EPEL-2016-04e0db37c1)
Handle the administration of MySQL over the World Wide Web
--------------------------------------------------------------------------------
Update Information:
phpMyAdmin 4.4.15.5 (2016-02-29)
================================

This release fixes multiple XSS vulnerabilities, see PMASA-2016-11 and
PMASA-2016-12 for more details.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1313696 - CVE-2016-2562 phpMyAdmin: man-in-the-middle attack on API call to
GitHub (PMASA-2016-13)
https://bugzilla.redhat.com/show_bug.cgi?id=1313696
[ 2 ] Bug #1313695 - CVE-2016-2559 phpMyAdmin: XSS vulnerability in SQL parser
(PMASA-2016-10)
https://bugzilla.redhat.com/show_bug.cgi?id=1313695
[ 3 ] Bug #1313224 - CVE-2016-2561 phpMyAdmin: multiple XSS vulnerabilities
(PMASA-2016-12)
https://bugzilla.redhat.com/show_bug.cgi?id=1313224
[ 4 ] Bug #1313221 - CVE-2016-2560 phpMyAdmin: multiple XSS vulnerabilities
(PMASA-2016-11)
https://bugzilla.redhat.com/show_bug.cgi?id=1313221
--------------------------------------------------------------------------------
================================================================================
python-bugzilla2fedmsg-0.3.0-1.el7 (FEDORA-EPEL-2016-136f64f64b)
Consume BZ messages over STOMP and republish to fedmsg
--------------------------------------------------------------------------------
Update Information:
Ignore any non-Fedora components, and adjust for our new queue.
--------------------------------------------------------------------------------
================================================================================
python-cached_property-1.3.0-4.el7 (FEDORA-EPEL-2016-610daf5f3f)
A cached-property for decorating methods in Python classes
--------------------------------------------------------------------------------
Update Information:
This update provides the latest releases of fedfind, python-wikitcms and relval.
The updated python-cached_property (a dependency of fedfind and python-wikitcms)
fixes the package naming and provisions to be consistent between Python 2 and
Python 3 and avoid dependency issues. This new 2.x series involves major changes
to all three packages to adapt to the [new Fedora compose
process](https://www.happyassassin.net/2016/02/15/pungi-4-the-new-generat...
the-fedora-compose-tools-and-what-it-means-for-qa/). fedfind, in particular, is
more incompatible than not with its 1.x series. The interface for python-
wikitcms has changed much less (just some additions; there should be no
incompatible changes). The `nightly` and `report-auto` subcommands have been
removed from relval and the `compose` subcommand can now handle nightly events
(without any of the checking the `nightly` subcommand used to do; unattended
creation of nightly commands is being moved to a separate fedmsg consumer
daemon). `relval` now runs under Python 3 rather than Python 2. All remaining
subcommands should be fully compatible with invocations that worked earlier.
These major changes are disruptive, but are vital to keep the tools working with
the changed compose process. Please see the project pages (and the changelogs
included on them) for more details:
* [fedfind](https://www.happyassassin.net/fedfind)
* [python-wikitcms](https://www.happyassassin.net/wikitcms)
* [relval](https://www.happyassassin.net/relval)
--------------------------------------------------------------------------------
================================================================================
python-django-1.6.11-5.el7 (FEDORA-EPEL-2016-8fd1e13dd2)
A high-level Python Web framework
--------------------------------------------------------------------------------
Update Information:
Security fix for CVE-2016-2512 and CVE-2016-2513
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1311431 - CVE-2016-2512 python-django: Malicious redirect and possible XSS
attack via user-supplied redirect URLs containing basic auth
https://bugzilla.redhat.com/show_bug.cgi?id=1311431
--------------------------------------------------------------------------------
================================================================================
python-pg8000-1.10.4-2.el7 (FEDORA-EPEL-2016-af60a0ba51)
Pure Python PostgreSQL Driver
--------------------------------------------------------------------------------
Update Information:
Update to 1.10.4
--------------------------------------------------------------------------------
================================================================================
python-wikitcms-2.0.0-1.el7 (FEDORA-EPEL-2016-610daf5f3f)
Fedora QA wiki test management Python library
--------------------------------------------------------------------------------
Update Information:
This update provides the latest releases of fedfind, python-wikitcms and relval.
The updated python-cached_property (a dependency of fedfind and python-wikitcms)
fixes the package naming and provisions to be consistent between Python 2 and
Python 3 and avoid dependency issues. This new 2.x series involves major changes
to all three packages to adapt to the [new Fedora compose
process](https://www.happyassassin.net/2016/02/15/pungi-4-the-new-generat...
the-fedora-compose-tools-and-what-it-means-for-qa/). fedfind, in particular, is
more incompatible than not with its 1.x series. The interface for python-
wikitcms has changed much less (just some additions; there should be no
incompatible changes). The `nightly` and `report-auto` subcommands have been
removed from relval and the `compose` subcommand can now handle nightly events
(without any of the checking the `nightly` subcommand used to do; unattended
creation of nightly commands is being moved to a separate fedmsg consumer
daemon). `relval` now runs under Python 3 rather than Python 2. All remaining
subcommands should be fully compatible with invocations that worked earlier.
These major changes are disruptive, but are vital to keep the tools working with
the changed compose process. Please see the project pages (and the changelogs
included on them) for more details:
* [fedfind](https://www.happyassassin.net/fedfind)
* [python-wikitcms](https://www.happyassassin.net/wikitcms)
* [relval](https://www.happyassassin.net/relval)
--------------------------------------------------------------------------------
================================================================================
python3-numpy-1.10.4-4.el7 (FEDORA-EPEL-2016-3fc19e2025)
A fast multidimensional array facility for Python 3
--------------------------------------------------------------------------------
Update Information:
numpy module for python 3.4
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1297514 - Review Request: python3-numpy - A fast multidimensional array
facility for Python 3
https://bugzilla.redhat.com/show_bug.cgi?id=1297514
--------------------------------------------------------------------------------
================================================================================
relval-2.0.2-1.el7 (FEDORA-EPEL-2016-610daf5f3f)
Tool for interacting with Fedora QA wiki pages
--------------------------------------------------------------------------------
Update Information:
This update provides the latest releases of fedfind, python-wikitcms and relval.
The updated python-cached_property (a dependency of fedfind and python-wikitcms)
fixes the package naming and provisions to be consistent between Python 2 and
Python 3 and avoid dependency issues. This new 2.x series involves major changes
to all three packages to adapt to the [new Fedora compose
process](https://www.happyassassin.net/2016/02/15/pungi-4-the-new-generat...
the-fedora-compose-tools-and-what-it-means-for-qa/). fedfind, in particular, is
more incompatible than not with its 1.x series. The interface for python-
wikitcms has changed much less (just some additions; there should be no
incompatible changes). The `nightly` and `report-auto` subcommands have been
removed from relval and the `compose` subcommand can now handle nightly events
(without any of the checking the `nightly` subcommand used to do; unattended
creation of nightly commands is being moved to a separate fedmsg consumer
daemon). `relval` now runs under Python 3 rather than Python 2. All remaining
subcommands should be fully compatible with invocations that worked earlier.
These major changes are disruptive, but are vital to keep the tools working with
the changed compose process. Please see the project pages (and the changelogs
included on them) for more details:
* [fedfind](https://www.happyassassin.net/fedfind)
* [python-wikitcms](https://www.happyassassin.net/wikitcms)
* [relval](https://www.happyassassin.net/relval)
--------------------------------------------------------------------------------
================================================================================
rubygem-bcrypt-3.1.10-5.el7 (FEDORA-EPEL-2016-4714419388)
Wrapper around bcrypt() password hashing algorithm
--------------------------------------------------------------------------------
Update Information:
Enabling tests
--------------------------------------------------------------------------------
================================================================================
websvn-2.3.3-12.el7 (FEDORA-EPEL-2016-0fc6ac67c6)
Online subversion repository browser
--------------------------------------------------------------------------------
Update Information:
- Fix CVE-2016-2511 ---- Install missing javascript directory.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1310760 - CVE-2016-2511 websvn: reflected cross-site scripting [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1310760
[ 2 ] Bug #1218590 - javascript dir is missing from RPM
https://bugzilla.redhat.com/show_bug.cgi?id=1218590
--------------------------------------------------------------------------------