The following Fedora EPEL 7 Security updates need testing:
 Age  URL
  53  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-f005e1b879   debmirror-2.35-1.el7
The following builds have been pushed to Fedora EPEL 7 updates-testing
openssl11-1.1.1k-1.el7
rpki-client-7.5-1.el7
Details about builds:
================================================================================
openssl11-1.1.1k-1.el7 (FEDORA-EPEL-2021-39d32447db)
Utilities from the general purpose cryptography library with TLS implementation
--------------------------------------------------------------------------------
Update Information:
- backport from 1.1.1k-4: Fixes bugs in s390x AES code
- backport from 1.1.1k-4: Uses the first detected address family if IPv6 is not available
- backport from 1.1.1k-4: Reverts the changes in
  https://github.com/openssl/openssl/pull/13305
  as it introduces a regression: if the server has a DSA key pair, the handshake fails
  when the protocol is not explicitly set to TLS 1.2. However, if the patch is
  reverted, it has an effect on the "ssl_reject_handshake" feature in nginx.
  Although this feature will continue to work, the TLS 1.3 protocol becomes
  unavailable/disabled. This is already known -
  https://trac.nginx.org/nginx/ticket/2071#comment:1 and as per
  https://github.com/openssl/openssl/issues/16075#issuecomment-879939938, nginx
  could use the early callback instead of the servername callback. Resolves: rhbz#197821,
  related: rhbz#1934534
- backport from 1.1.1k-3: Cleans up the peer point formats on renegotiation. Resolves: rhbz#1965362
- backport from 1.1.1k-2: Fixes FIPS_selftest to work in FIPS mode. Resolves: rhbz#1940085
- backport from 1.1.1k-2: Uses safe primes for the FIPS DH self-test
- backport from 1.1.1k-1: Update to version 1.1.1k
- backport from 1.1.1g-16: Use AI_ADDRCONFIG only when an explicit host name is given
- backport from 1.1.1g-16: Allow only curves defined in RFC 8446 in TLS 1.3
--------------------------------------------------------------------------------
ChangeLog:
* Tue Nov 9 2021 Robert Scheck <robert(a)fedoraproject.org> 1.1.1k-1
- backport from 1.1.1k-4: Fixes bugs in s390x AES code
- backport from 1.1.1k-4: Uses the first detected address family if IPv6 is not available
- backport from 1.1.1k-4: Reverts the changes in
  https://github.com/openssl/openssl/pull/13305
  as it introduces a regression: if the server has a DSA key pair, the handshake fails
  when the protocol is not explicitly set to TLS 1.2. However, if the patch is reverted,
  it has an effect on the "ssl_reject_handshake" feature in nginx. Although this feature
  will continue to work, the TLS 1.3 protocol becomes unavailable/disabled. This is already
  known - https://trac.nginx.org/nginx/ticket/2071#comment:1
  As per https://github.com/openssl/openssl/issues/16075#issuecomment-879939938, nginx
  could use the early callback instead of the servername callback. Resolves: rhbz#197821,
  related: rhbz#1934534
- backport from 1.1.1k-3: Cleans up the peer point formats on renegotiation. Resolves:
  rhbz#1965362
- backport from 1.1.1k-2: Fixes FIPS_selftest to work in FIPS mode. Resolves:
  rhbz#1940085
- backport from 1.1.1k-2: Uses safe primes for the FIPS DH self-test
- backport from 1.1.1k-1: Update to version 1.1.1k
- backport from 1.1.1g-16: Use AI_ADDRCONFIG only when an explicit host name is given
- backport from 1.1.1g-16: Allow only curves defined in RFC 8446 in TLS 1.3
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1930310 - CVE-2021-23841 openssl: NULL pointer dereference in X509_issuer_and_serial_hash()
      https://bugzilla.redhat.com/show_bug.cgi?id=1930310
[ 2 ] Bug #1930324 - CVE-2021-23840 openssl: integer overflow in CipherUpdate
      https://bugzilla.redhat.com/show_bug.cgi?id=1930324
--------------------------------------------------------------------------------
================================================================================
rpki-client-7.5-1.el7 (FEDORA-EPEL-2021-05dd12001e)
RPKI validator to support BGP Origin Validation
--------------------------------------------------------------------------------
Update Information:
rpki-client 7.5
===============
* Make rpki-client more resilient regarding untrusted input:
  - Fail repository synchronisation after 15min runtime.
  - Limit the number of repositories per TAL.
  - Don't allow `DOCTYPE` definitions in RRDP XML files.
  - Fix detection of HTTP redirect loops.
* Limit the number of concurrent `rsync` processes.
* Fix `CRLF` in TAL files.
--------------------------------------------------------------------------------
ChangeLog:
* Tue Nov 9 2021 Robert Scheck <robert(a)fedoraproject.org> 7.5-1
- Upgrade to 7.5 (#2021523)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2021523 - rpki-client-7.5 is available
      https://bugzilla.redhat.com/show_bug.cgi?id=2021523
--------------------------------------------------------------------------------